Warning: Permanently added '10.128.10.49' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   67.662810][ T8947] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[   67.727761][ T8957] ==================================================================
[   67.736533][ T8957] BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10
[   67.743817][ T8957] Read of size 2 at addr ffff88809366840c by task syz-executor599/8957
[   67.752059][ T8957] 
[   67.754393][ T8957] CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32
[   67.762351][ T8957] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.772392][ T8957] Call Trace:
[   67.775675][ T8957]  dump_stack+0x172/0x1f0
[   67.779996][ T8957]  ? napi_gro_frags+0xc6f/0xd10
[   67.784843][ T8957]  print_address_description.cold+0x7c/0x20d
[   67.790849][ T8957]  ? napi_gro_frags+0xc6f/0xd10
[   67.795717][ T8957]  ? napi_gro_frags+0xc6f/0xd10
[   67.800556][ T8957]  __kasan_report.cold+0x1b/0x40
[   67.805499][ T8957]  ? __kasan_slab_free+0x140/0x150
[   67.810623][ T8957]  ? napi_gro_frags+0xc6f/0xd10
[   67.815551][ T8957]  kasan_report+0x12/0x20
[   67.819865][ T8957]  __asan_report_load_n_noabort+0xf/0x20
[   67.825479][ T8957]  napi_gro_frags+0xc6f/0xd10
[   67.830141][ T8957]  tun_get_user+0x2f3c/0x3ff0
[   67.834815][ T8957]  ? tun_device_event+0xee0/0xee0
[   67.839824][ T8957]  ? tun_get+0x171/0x290
[   67.844054][ T8957]  ? lock_downgrade+0x880/0x880
[   67.848891][ T8957]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   67.855121][ T8957]  ? kasan_check_read+0x11/0x20
[   67.859976][ T8957]  tun_chr_write_iter+0xbd/0x156
[   67.864898][ T8957]  do_iter_readv_writev+0x5f8/0x8f0
[   67.870078][ T8957]  ? no_seek_end_llseek_size+0x70/0x70
[   67.875525][ T8957]  ? apparmor_file_permission+0x25/0x30
[   67.881060][ T8957]  ? rw_verify_area+0x126/0x360
[   67.885903][ T8957]  do_iter_write+0x184/0x610
[   67.890565][ T8957]  ? dup_iter+0x260/0x260
[   67.894909][ T8957]  vfs_writev+0x1b3/0x2f0
[   67.899226][ T8957]  ? vfs_iter_write+0xb0/0xb0
[   67.903887][ T8957]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   67.910145][ T8957]  ? __handle_mm_fault+0x7cb/0x3eb0
[   67.915330][ T8957]  ? __do_page_fault+0x623/0xda0
[   67.920263][ T8957]  ? __do_page_fault+0x623/0xda0
[   67.925231][ T8957]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   67.931458][ T8957]  ? __fget_light+0x1a9/0x230
[   67.936161][ T8957]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   67.942385][ T8957]  do_writev+0x15b/0x330
[   67.946621][ T8957]  ? vfs_writev+0x2f0/0x2f0
[   67.951118][ T8957]  ? do_syscall_64+0x26/0x680
[   67.956131][ T8957]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.962454][ T8957]  ? do_syscall_64+0x26/0x680
[   67.967155][ T8957]  __x64_sys_writev+0x75/0xb0
[   67.971833][ T8957]  do_syscall_64+0xfd/0x680
[   67.976320][ T8957]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.982194][ T8957] RIP: 0033:0x441cd0
[   67.986100][ T8957] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 41 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
[   68.005694][ T8957] RSP: 002b:00007ffdf43cf118 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[   68.014096][ T8957] RAX: ffffffffffffffda RBX: 00007ffdf43cf140 RCX: 0000000000441cd0
[   68.022346][ T8957] RDX: 0000000000000003 RSI: 00007ffdf43cf160 RDI: 00000000000000f0
[   68.030340][ T8957] RBP: 00007ffdf43cf160 R08: 00007ffdf43cf190 R09: 0000000000000003
[   68.038390][ T8957] R10: 0000000000000d77 R11: 0000000000000246 R12: 0000000000010874
[   68.046349][ T8957] R13: 0000000000402b60 R14: 0000000000000000 R15: 0000000000000000
[   68.054344][ T8957] 
[   68.056663][ T8957] The buggy address belongs to the page:
[   68.062456][ T8957] page:ffffea00024d9a00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
[   68.071808][ T8957] flags: 0x1fffc0000000000()
[   68.076404][ T8957] raw: 01fffc0000000000 ffffea00022ec808 ffff88812fffc878 0000000000000000
[   68.084976][ T8957] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[   68.093547][ T8957] page dumped because: kasan: bad access detected
[   68.099945][ T8957] 
[   68.102250][ T8957] Memory state around the buggy address:
[   68.108129][ T8957]  ffff888093668300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   68.116383][ T8957]  ffff888093668380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   68.124553][ T8957] >ffff888093668400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   68.132606][ T8957]                       ^
[   68.137008][ T8957]  ffff888093668480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   68.145054][ T8957]  ffff888093668500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   68.153092][ T8957] ==================================================================
[   68.161228][ T8957] Disabling lock debugging due to kernel taint
[   68.167419][ T8957] Kernel panic - not syncing: panic_on_warn set ...
[   68.174012][ T8957] CPU: 1 PID: 8957 Comm: syz-executor599 Tainted: G    B             5.2.0-rc1+ #32
[   68.183360][ T8957] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.193400][ T8957] Call Trace:
[   68.196678][ T8957]  dump_stack+0x172/0x1f0
[   68.200998][ T8957]  panic+0x2cb/0x744
[   68.204897][ T8957]  ? __warn_printk+0xf3/0xf3
[   68.209474][ T8957]  ? trace_hardirqs_on+0x5e/0x220
[   68.214481][ T8957]  ? trace_hardirqs_on+0x5e/0x220
[   68.219491][ T8957]  ? napi_gro_frags+0xc6f/0xd10
[   68.224327][ T8957]  end_report+0x47/0x4f
[   68.228554][ T8957]  ? napi_gro_frags+0xc6f/0xd10
[   68.233387][ T8957]  __kasan_report.cold+0xe/0x40
[   68.238239][ T8957]  ? __kasan_slab_free+0x140/0x150
[   68.243340][ T8957]  ? napi_gro_frags+0xc6f/0xd10
[   68.248191][ T8957]  kasan_report+0x12/0x20
[   68.252505][ T8957]  __asan_report_load_n_noabort+0xf/0x20
[   68.258124][ T8957]  napi_gro_frags+0xc6f/0xd10
[   68.262783][ T8957]  tun_get_user+0x2f3c/0x3ff0
[   68.267442][ T8957]  ? tun_device_event+0xee0/0xee0
[   68.272448][ T8957]  ? tun_get+0x171/0x290
[   68.276697][ T8957]  ? lock_downgrade+0x880/0x880
[   68.282074][ T8957]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   68.288301][ T8957]  ? kasan_check_read+0x11/0x20
[   68.293153][ T8957]  tun_chr_write_iter+0xbd/0x156
[   68.298098][ T8957]  do_iter_readv_writev+0x5f8/0x8f0
[   68.303314][ T8957]  ? no_seek_end_llseek_size+0x70/0x70
[   68.308757][ T8957]  ? apparmor_file_permission+0x25/0x30
[   68.314372][ T8957]  ? rw_verify_area+0x126/0x360
[   68.319203][ T8957]  do_iter_write+0x184/0x610
[   68.323775][ T8957]  ? dup_iter+0x260/0x260
[   68.328087][ T8957]  vfs_writev+0x1b3/0x2f0
[   68.332399][ T8957]  ? vfs_iter_write+0xb0/0xb0
[   68.337058][ T8957]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   68.343286][ T8957]  ? __handle_mm_fault+0x7cb/0x3eb0
[   68.348472][ T8957]  ? __do_page_fault+0x623/0xda0
[   68.353391][ T8957]  ? __do_page_fault+0x623/0xda0
[   68.358316][ T8957]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   68.364628][ T8957]  ? __fget_light+0x1a9/0x230
[   68.369296][ T8957]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   68.375519][ T8957]  do_writev+0x15b/0x330
[   68.379748][ T8957]  ? vfs_writev+0x2f0/0x2f0
[   68.384234][ T8957]  ? do_syscall_64+0x26/0x680
[   68.388987][ T8957]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   68.395738][ T8957]  ? do_syscall_64+0x26/0x680
[   68.400436][ T8957]  __x64_sys_writev+0x75/0xb0
[   68.405135][ T8957]  do_syscall_64+0xfd/0x680
[   68.409644][ T8957]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   68.415526][ T8957] RIP: 0033:0x441cd0
[   68.419404][ T8957] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 41 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
[   68.439011][ T8957] RSP: 002b:00007ffdf43cf118 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[   68.447426][ T8957] RAX: ffffffffffffffda RBX: 00007ffdf43cf140 RCX: 0000000000441cd0
[   68.455407][ T8957] RDX: 0000000000000003 RSI: 00007ffdf43cf160 RDI: 00000000000000f0
[   68.463392][ T8957] RBP: 00007ffdf43cf160 R08: 00007ffdf43cf190 R09: 0000000000000003
[   68.471445][ T8957] R10: 0000000000000d77 R11: 0000000000000246 R12: 0000000000010874
[   68.479429][ T8957] R13: 0000000000402b60 R14: 0000000000000000 R15: 0000000000000000
[   68.488669][ T8957] Kernel Offset: disabled
[   68.493001][ T8957] Rebooting in 86400 seconds..