Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ 8.581357][ T22] audit: type=1400 audit(1583551600.766:10): avc: denied { watch } for pid=1802 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 8.590904][ T22] audit: type=1400 audit(1583551600.766:11): avc: denied { watch } for pid=1802 comm="restorecond" path="/etc/selinux/restorecond.conf" dev="sda1" ino=2280 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 10.503238][ T22] audit: type=1400 audit(1583551602.696:12): avc: denied { map } for pid=1867 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.207' (ECDSA) to the list of known hosts.
[ 16.600511][ T22] audit: type=1400 audit(1583551608.786:13): avc: denied { map } for pid=1879 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/07 03:26:48 parsed 1 programs
2020/03/07 03:26:50 executed programs: 0
[ 18.188120][ T22] audit: type=1400 audit(1583551610.376:14): avc: denied { map } for pid=1879 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=7903 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 18.219070][ T22] audit: type=1400 audit(1583551610.416:15): avc: denied { map } for pid=1879 comm="syz-execprog" path="/root/syzkaller-shm629066986" dev="sda1" ino=2233 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 18.240726][ T1897] cgroup1: Unknown subsys name 'perf_event'
[ 18.252081][ T1897] cgroup1: Unknown subsys name 'net_cls'
[ 18.254708][ T1900] cgroup1: Unknown subsys name 'perf_event'
[ 18.265742][ T1904] cgroup1: Unknown subsys name 'perf_event'
[ 18.267493][ T1901] cgroup1: Unknown subsys name 'perf_event'
[ 18.271831][ T1904] cgroup1: Unknown subsys name 'net_cls'
[ 18.278073][ T1900] cgroup1: Unknown subsys name 'net_cls'
[ 18.284070][ T1906] cgroup1: Unknown subsys name 'perf_event'
[ 18.291641][ T1901] cgroup1: Unknown subsys name 'net_cls'
[ 18.297821][ T1906] cgroup1: Unknown subsys name 'net_cls'
[ 18.301283][ T1908] cgroup1: Unknown subsys name 'perf_event'
[ 18.312825][ T1908] cgroup1: Unknown subsys name 'net_cls'
[ 19.308445][ T22] audit: type=1400 audit(1583551611.496:16): avc: denied { create } for pid=1900 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 19.352774][ T22] audit: type=1400 audit(1583551611.496:17): avc: denied { write } for pid=1900 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 19.388424][ T22] audit: type=1400 audit(1583551611.496:18): avc: denied { read } for pid=1900 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 22.151097][ T22] audit: type=1400 audit(1583551614.336:19): avc: denied { associate } for pid=1906 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2020/03/07 03:26:55 executed programs: 23
[ 23.662984][ T4521] ==================================================================
[ 23.671094][ T4521] BUG: KASAN: use-after-free in free_netdev+0x186/0x300
[ 23.678012][ T4521] Read of size 8 at addr ffff8881d561f4f0 by task syz-executor.1/4521
[ 23.686148][ T4521]
[ 23.688461][ T4521] CPU: 1 PID: 4521 Comm: syz-executor.1 Not tainted 5.4.24-syzkaller-00171-g3fe2bfe139ad #0
[ 23.698505][ T4521] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.708552][ T4521] Call Trace:
[ 23.711840][ T4521] dump_stack+0x1b0/0x228
[ 23.716247][ T4521] ? show_regs_print_info+0x18/0x18
[ 23.721442][ T4521] ? vprintk_func+0x105/0x110
[ 23.726200][ T4521] ? printk+0xc0/0x109
[ 23.730378][ T4521] print_address_description+0x96/0x5d0
[ 23.735934][ T4521] ? devkmsg_release+0x127/0x127
[ 23.740873][ T4521] ? call_rcu+0x10/0x10
[ 23.745008][ T4521] __kasan_report+0x14b/0x1c0
[ 23.749671][ T4521] ? free_netdev+0x186/0x300
[ 23.754402][ T4521] kasan_report+0x26/0x50
[ 23.758798][ T4521] __asan_report_load8_noabort+0x14/0x20
[ 23.764420][ T4521] free_netdev+0x186/0x300
[ 23.768811][ T4521] netdev_run_todo+0xbc4/0xe00
[ 23.773563][ T4521] ? netdev_refcnt_read+0x1c0/0x1c0
[ 23.778755][ T4521] ? mutex_trylock+0xb0/0xb0
[ 23.783349][ T4521] ? netlink_net_capable+0x124/0x160
[ 23.788627][ T4521] rtnetlink_rcv_msg+0x963/0xc20
[ 23.793578][ T4521] ? is_bpf_text_address+0x2c8/0x2e0
[ 23.798843][ T4521] ? __kernel_text_address+0x9a/0x110
[ 23.804207][ T4521] ? rtnetlink_bind+0x80/0x80
[ 23.808866][ T4521] ? arch_stack_walk+0x98/0xe0
[ 23.813631][ T4521] ? __rcu_read_lock+0x50/0x50
[ 23.818459][ T4521] ? avc_has_perm_noaudit+0x2fc/0x3f0
[ 23.823803][ T4521] ? rhashtable_jhash2+0x1f1/0x330
[ 23.828888][ T4521] ? jhash+0x750/0x750
[ 23.832931][ T4521] ? rht_key_hashfn+0x157/0x240
[ 23.837755][ T4521] ? deferred_put_nlk_sk+0x200/0x200
[ 23.843013][ T4521] ? __alloc_skb+0x109/0x540
[ 23.847582][ T4521] ? jhash+0x750/0x750
[ 23.851636][ T4521] ? netlink_hash+0xd0/0xd0
[ 23.856113][ T4521] ? avc_has_perm+0x15f/0x260
[ 23.860762][ T4521] ? __rcu_read_lock+0x50/0x50
[ 23.865498][ T4521] netlink_rcv_skb+0x1f0/0x460
[ 23.870255][ T4521] ? rtnetlink_bind+0x80/0x80
[ 23.874905][ T4521] ? netlink_ack+0xa80/0xa80
[ 23.879467][ T4521] ? netlink_autobind+0x1c0/0x1c0
[ 23.884466][ T4521] ? __rcu_read_lock+0x50/0x50
[ 23.889203][ T4521] ? selinux_vm_enough_memory+0x160/0x160
[ 23.894905][ T4521] rtnetlink_rcv+0x1c/0x20
[ 23.899293][ T4521] netlink_unicast+0x87c/0xa20
[ 23.904032][ T4521] ? netlink_detachskb+0x60/0x60
[ 23.908943][ T4521] ? security_netlink_send+0xab/0xc0
[ 23.914199][ T4521] netlink_sendmsg+0x9a7/0xd40
[ 23.919398][ T4521] ? netlink_getsockopt+0x900/0x900
[ 23.924575][ T4521] ? security_socket_sendmsg+0xad/0xc0
[ 23.930040][ T4521] ? netlink_getsockopt+0x900/0x900
[ 23.935265][ T4521] ____sys_sendmsg+0x56f/0x860
[ 23.940012][ T4521] ? __sys_sendmsg_sock+0x2a0/0x2a0
[ 23.945185][ T4521] ? __kasan_check_write+0x14/0x20
[ 23.950278][ T4521] ? __fdget+0x17c/0x200
[ 23.954498][ T4521] __sys_sendmsg+0x26a/0x350
[ 23.959073][ T4521] ? errseq_sample+0x43/0x70
[ 23.963646][ T4521] ? ____sys_sendmsg+0x860/0x860
[ 23.968565][ T4521] ? alloc_file_pseudo+0x282/0x310
[ 23.973651][ T4521] ? alloc_empty_file_noaccount+0x80/0x80
[ 23.979383][ T4521] ? __kasan_check_read+0x11/0x20
[ 23.984409][ T4521] ? _copy_to_user+0x92/0xb0
[ 23.988998][ T4521] ? put_timespec64+0x106/0x150
[ 23.993847][ T4521] ? ktime_get_raw+0x130/0x130
[ 23.998587][ T4521] ? get_timespec64+0x1c0/0x1c0
[ 24.003419][ T4521] ? __kasan_check_read+0x11/0x20
[ 24.008417][ T4521] ? __ia32_sys_clock_settime+0x230/0x230
[ 24.014123][ T4521] __x64_sys_sendmsg+0x7f/0x90
[ 24.018861][ T4521] do_syscall_64+0xc0/0x100
[ 24.023340][ T4521] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.029205][ T4521] RIP: 0033:0x45c4a9
[ 24.033076][ T4521] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 24.052663][ T4521] RSP: 002b:00007f3128f3ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 24.061063][ T4521] RAX: ffffffffffffffda RBX: 00007f3128f3b6d4 RCX: 000000000045c4a9
[ 24.069012][ T4521] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 24.076955][ T4521] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 24.084899][ T4521] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 24.092853][ T4521] R13: 00000000000009f9 R14: 00000000004cc766 R15: 000000000076bfcc
[ 24.100809][ T4521]
[ 24.103118][ T4521] Allocated by task 4508:
[ 24.107438][ T4521] __kasan_kmalloc+0x117/0x1b0
[ 24.112201][ T4521] kasan_kmalloc+0x9/0x10
[ 24.116646][ T4521] __kmalloc+0x102/0x310
[ 24.120884][ T4521] sk_prot_alloc+0x11c/0x2f0
[ 24.125573][ T4521] sk_alloc+0x35/0x300
[ 24.129622][ T4521] tun_chr_open+0x7b/0x4a0
[ 24.134028][ T4521] misc_open+0x3ea/0x440
[ 24.138263][ T4521] chrdev_open+0x60a/0x670
[ 24.142780][ T4521] do_dentry_open+0x8f7/0x1070
[ 24.147530][ T4521] vfs_open+0x73/0x80
[ 24.151552][ T4521] path_openat+0x1681/0x42d0
[ 24.156127][ T4521] do_filp_open+0x1f7/0x430
[ 24.160724][ T4521] do_sys_open+0x36f/0x7a0
[ 24.165143][ T4521] __x64_sys_openat+0xa2/0xb0
[ 24.169803][ T4521] do_syscall_64+0xc0/0x100
[ 24.174318][ T4521] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.180200][ T4521]
[ 24.182621][ T4521] Freed by task 4506:
[ 24.186694][ T4521] __kasan_slab_free+0x168/0x220
[ 24.191751][ T4521] kasan_slab_free+0xe/0x10
[ 24.196235][ T4521] kfree+0x170/0x6d0
[ 24.200137][ T4521] __sk_destruct+0x45f/0x4e0
[ 24.204721][ T4521] __sk_free+0x35d/0x430
[ 24.208944][ T4521] sk_free+0x45/0x50
[ 24.212831][ T4521] __tun_detach+0x15d0/0x1a40
[ 24.217489][ T4521] tun_chr_close+0xb8/0xd0
[ 24.221900][ T4521] __fput+0x295/0x710
[ 24.225876][ T4521] ____fput+0x15/0x20
[ 24.229853][ T4521] task_work_run+0x176/0x1a0
[ 24.234433][ T4521] prepare_exit_to_usermode+0x2d8/0x370
[ 24.239984][ T4521] syscall_return_slowpath+0x6f/0x500
[ 24.245366][ T4521] do_syscall_64+0xe8/0x100
[ 24.249865][ T4521] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.255738][ T4521]
[ 24.258053][ T4521] The buggy address belongs to the object at ffff8881d561f000
[ 24.258053][ T4521] which belongs to the cache kmalloc-2k of size 2048
[ 24.272242][ T4521] The buggy address is located 1264 bytes inside of
[ 24.272242][ T4521] 2048-byte region [ffff8881d561f000, ffff8881d561f800)
[ 24.286127][ T4521] The buggy address belongs to the page:
[ 24.291810][ T4521] page:ffffea0007558600 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
[ 24.302987][ T4521] flags: 0x8000000000010200(slab|head)
[ 24.308439][ T4521] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
[ 24.317170][ T4521] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 24.325763][ T4521] page dumped because: kasan: bad access detected
[ 24.332161][ T4521]
[ 24.334469][ T4521] Memory state around the buggy address:
[ 24.340090][ T4521] ffff8881d561f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.348147][ T4521] ffff8881d561f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.356308][ T4521] >ffff8881d561f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.364345][ T4521] ^
[ 24.373623][ T4521] ffff8881d561f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.381675][ T4521] ffff8881d561f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.389716][ T4521] ==================================================================
[ 24.397773][ T4521] Disabling lock debugging due to kernel taint
2020/03/07 03:27:00 executed programs: 115
2020/03/07 03:27:05 executed programs: 219