[ ok ] Starting enhanced syslogd: rsyslogd.
[   60.480676][   T26] audit: type=1800 audit(1559147855.799:25): pid=8774 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   60.523637][   T26] audit: type=1800 audit(1559147855.809:26): pid=8774 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   60.553087][   T26] audit: type=1800 audit(1559147855.809:27): pid=8774 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.58' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   72.994858][ T8927] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[   73.058675][ T8937] ==================================================================
[   73.066976][ T8937] BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10
[   73.074389][ T8937] Read of size 2 at addr ffff88808c63840c by task syz-executor351/8937
[   73.082625][ T8937] 
[   73.084946][ T8937] CPU: 1 PID: 8937 Comm: syz-executor351 Not tainted 5.2.0-rc2+ #12
[   73.093078][ T8937] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   73.103186][ T8937] Call Trace:
[   73.106476][ T8937]  dump_stack+0x172/0x1f0
[   73.110808][ T8937]  ? napi_gro_frags+0xc6f/0xd10
[   73.115654][ T8937]  print_address_description.cold+0x7c/0x20d
[   73.121634][ T8937]  ? napi_gro_frags+0xc6f/0xd10
[   73.126493][ T8937]  ? napi_gro_frags+0xc6f/0xd10
[   73.131331][ T8937]  __kasan_report.cold+0x1b/0x40
[   73.136259][ T8937]  ? __kasan_slab_free+0x140/0x150
[   73.141527][ T8937]  ? napi_gro_frags+0xc6f/0xd10
[   73.146381][ T8937]  kasan_report+0x12/0x20
[   73.150696][ T8937]  __asan_report_load_n_noabort+0xf/0x20
[   73.156330][ T8937]  napi_gro_frags+0xc6f/0xd10
[   73.161154][ T8937]  tun_get_user+0x2f3c/0x3ff0
[   73.165835][ T8937]  ? tun_device_event+0xee0/0xee0
[   73.170921][ T8937]  ? tun_get+0x171/0x290
[   73.175189][ T8937]  ? lock_downgrade+0x880/0x880
[   73.180031][ T8937]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   73.186271][ T8937]  ? kasan_check_read+0x11/0x20
[   73.191121][ T8937]  tun_chr_write_iter+0xbd/0x156
[   73.196054][ T8937]  do_iter_readv_writev+0x5f8/0x8f0
[   73.201241][ T8937]  ? no_seek_end_llseek_size+0x70/0x70
[   73.206763][ T8937]  ? rw_copy_check_uvector+0x2a6/0x330
[   73.212236][ T8937]  ? rw_verify_area+0x126/0x360
[   73.217079][ T8937]  do_iter_write+0x184/0x610
[   73.221667][ T8937]  ? dup_iter+0x260/0x260
[   73.225989][ T8937]  vfs_writev+0x1b3/0x2f0
[   73.230305][ T8937]  ? vfs_iter_write+0xb0/0xb0
[   73.235045][ T8937]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   73.241285][ T8937]  ? __handle_mm_fault+0x7cb/0x3eb0
[   73.246720][ T8937]  ? __do_page_fault+0x623/0xda0
[   73.251653][ T8937]  ? __do_page_fault+0x623/0xda0
[   73.256581][ T8937]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   73.262800][ T8937]  ? __fget_light+0x1a9/0x230
[   73.267458][ T8937]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   73.273684][ T8937]  do_writev+0x15b/0x330
[   73.277921][ T8937]  ? vfs_writev+0x2f0/0x2f0
[   73.282412][ T8937]  ? do_syscall_64+0x26/0x680
[   73.287079][ T8937]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   73.293136][ T8937]  ? do_syscall_64+0x26/0x680
[   73.297801][ T8937]  __x64_sys_writev+0x75/0xb0
[   73.302469][ T8937]  do_syscall_64+0xfd/0x680
[   73.306960][ T8937]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   73.313014][ T8937] RIP: 0033:0x441cd0
[   73.316900][ T8937] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 41 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
[   73.336509][ T8937] RSP: 002b:00007fff7b4b9198 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[   73.344916][ T8937] RAX: ffffffffffffffda RBX: 00007fff7b4b91c0 RCX: 0000000000441cd0
[   73.352888][ T8937] RDX: 0000000000000003 RSI: 00007fff7b4b91e0 RDI: 00000000000000f0
[   73.360857][ T8937] RBP: 00007fff7b4b91e0 R08: 00007fff7b4b9210 R09: 0000000000000003
[   73.368938][ T8937] R10: 0000000000000d77 R11: 0000000000000246 R12: 0000000000011d52
[   73.376921][ T8937] R13: 0000000000402b60 R14: 0000000000000000 R15: 0000000000000000
[   73.384890][ T8937] 
[   73.387202][ T8937] The buggy address belongs to the page:
[   73.392936][ T8937] page:ffffea0002318e00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
[   73.402336][ T8937] flags: 0x1fffc0000000000()
[   73.406921][ T8937] raw: 01fffc0000000000 ffffea0002156c08 ffff88812fffc878 0000000000000000
[   73.415684][ T8937] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[   73.424328][ T8937] page dumped because: kasan: bad access detected
[   73.430781][ T8937] 
[   73.433102][ T8937] Memory state around the buggy address:
[   73.438749][ T8937]  ffff88808c638300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   73.446925][ T8937]  ffff88808c638380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   73.455134][ T8937] >ffff88808c638400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   73.463801][ T8937]                       ^
[   73.468328][ T8937]  ffff88808c638480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   73.476490][ T8937]  ffff88808c638500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   73.484647][ T8937] ==================================================================
[   73.492858][ T8937] Disabling lock debugging due to kernel taint
[   73.499040][ T8937] Kernel panic - not syncing: panic_on_warn set ...
[   73.505704][ T8937] CPU: 1 PID: 8937 Comm: syz-executor351 Tainted: G    B             5.2.0-rc2+ #12
[   73.515171][ T8937] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   73.525211][ T8937] Call Trace:
[   73.528491][ T8937]  dump_stack+0x172/0x1f0
[   73.532809][ T8937]  panic+0x2cb/0x744
[   73.536791][ T8937]  ? __warn_printk+0xf3/0xf3
[   73.541474][ T8937]  ? trace_hardirqs_on+0x5e/0x220
[   73.546591][ T8937]  ? trace_hardirqs_on+0x5e/0x220
[   73.551704][ T8937]  ? napi_gro_frags+0xc6f/0xd10
[   73.556538][ T8937]  end_report+0x47/0x4f
[   73.560906][ T8937]  ? napi_gro_frags+0xc6f/0xd10
[   73.566161][ T8937]  __kasan_report.cold+0xe/0x40
[   73.570998][ T8937]  ? __kasan_slab_free+0x140/0x150
[   73.576092][ T8937]  ? napi_gro_frags+0xc6f/0xd10
[   73.580926][ T8937]  kasan_report+0x12/0x20
[   73.585325][ T8937]  __asan_report_load_n_noabort+0xf/0x20
[   73.591027][ T8937]  napi_gro_frags+0xc6f/0xd10
[   73.595700][ T8937]  tun_get_user+0x2f3c/0x3ff0
[   73.600367][ T8937]  ? tun_device_event+0xee0/0xee0
[   73.605419][ T8937]  ? tun_get+0x171/0x290
[   73.609694][ T8937]  ? lock_downgrade+0x880/0x880
[   73.614538][ T8937]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   73.620768][ T8937]  ? kasan_check_read+0x11/0x20
[   73.625615][ T8937]  tun_chr_write_iter+0xbd/0x156
[   73.630581][ T8937]  do_iter_readv_writev+0x5f8/0x8f0
[   73.635772][ T8937]  ? no_seek_end_llseek_size+0x70/0x70
[   73.641324][ T8937]  ? rw_copy_check_uvector+0x2a6/0x330
[   73.646812][ T8937]  ? rw_verify_area+0x126/0x360
[   73.651663][ T8937]  do_iter_write+0x184/0x610
[   73.656241][ T8937]  ? dup_iter+0x260/0x260
[   73.660556][ T8937]  vfs_writev+0x1b3/0x2f0
[   73.665191][ T8937]  ? vfs_iter_write+0xb0/0xb0
[   73.669864][ T8937]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   73.676099][ T8937]  ? __handle_mm_fault+0x7cb/0x3eb0
[   73.681428][ T8937]  ? __do_page_fault+0x623/0xda0
[   73.686490][ T8937]  ? __do_page_fault+0x623/0xda0
[   73.691556][ T8937]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   73.697780][ T8937]  ? __fget_light+0x1a9/0x230
[   73.702645][ T8937]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   73.708873][ T8937]  do_writev+0x15b/0x330
[   73.713107][ T8937]  ? vfs_writev+0x2f0/0x2f0
[   73.717756][ T8937]  ? do_syscall_64+0x26/0x680
[   73.722425][ T8937]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   73.728531][ T8937]  ? do_syscall_64+0x26/0x680
[   73.733316][ T8937]  __x64_sys_writev+0x75/0xb0
[   73.738008][ T8937]  do_syscall_64+0xfd/0x680
[   73.742509][ T8937]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   73.748996][ T8937] RIP: 0033:0x441cd0
[   73.752927][ T8937] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 41 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
[   73.773557][ T8937] RSP: 002b:00007fff7b4b9198 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[   73.782098][ T8937] RAX: ffffffffffffffda RBX: 00007fff7b4b91c0 RCX: 0000000000441cd0
[   73.790089][ T8937] RDX: 0000000000000003 RSI: 00007fff7b4b91e0 RDI: 00000000000000f0
[   73.798165][ T8937] RBP: 00007fff7b4b91e0 R08: 00007fff7b4b9210 R09: 0000000000000003
[   73.806284][ T8937] R10: 0000000000000d77 R11: 0000000000000246 R12: 0000000000011d52
[   73.814256][ T8937] R13: 0000000000402b60 R14: 0000000000000000 R15: 0000000000000000
[   73.824089][ T8937] Kernel Offset: disabled
[   73.828760][ T8937] Rebooting in 86400 seconds..