[ ok ] Starting enhanced syslogd: rsyslogd.
[   63.572491][   T27] audit: type=1800 audit(1576796755.824:25): pid=9052 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   63.602033][   T27] audit: type=1800 audit(1576796755.824:26): pid=9052 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   63.645195][   T27] audit: type=1800 audit(1576796755.824:27): pid=9052 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.165' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   74.774411][ T9208] IPVS: ftp: loaded support on port[0] = 21
[   74.872091][    C0] hrtimer: interrupt took 26648 ns
[   75.046719][ T9208] ==================================================================
[   75.055087][ T9208] BUG: KASAN: use-after-free in eth_type_trans+0x6ce/0x760
[   75.062405][ T9208] Read of size 8 at addr ffff88808abf0040 by task syz-executor315/9208
[   75.070621][ T9208]
[   75.072942][ T9208] CPU: 0 PID: 9208 Comm: syz-executor315 Not tainted 5.5.0-rc2-syzkaller #0
[   75.081592][ T9208] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   75.091629][ T9208] Call Trace:
[   75.094919][ T9208]  dump_stack+0x197/0x210
[   75.099472][ T9208]  ? eth_type_trans+0x6ce/0x760
[   75.104310][ T9208]  print_address_description.constprop.0.cold+0xd4/0x30b
[   75.111312][ T9208]  ? eth_type_trans+0x6ce/0x760
[   75.116150][ T9208]  ? eth_type_trans+0x6ce/0x760
[   75.121042][ T9208]  __kasan_report.cold+0x1b/0x41
[   75.126054][ T9208]  ? eth_type_trans+0x6ce/0x760
[   75.130890][ T9208]  kasan_report+0x12/0x20
[   75.135271][ T9208]  __asan_report_load8_noabort+0x14/0x20
[   75.140941][ T9208]  eth_type_trans+0x6ce/0x760
[   75.145608][ T9208]  ? eth_gro_receive+0x890/0x890
[   75.150615][ T9208]  ? napi_gro_frags+0x373/0xd00
[   75.155454][ T9208]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   75.161335][ T9208]  napi_gro_frags+0x8c2/0xd00
[   75.166044][ T9208]  tun_get_user+0x2e7f/0x3fc0
[   75.170732][ T9208]  ? __kasan_check_read+0x11/0x20
[   75.175743][ T9208]  ? aa_file_perm+0x825/0x15f0
[   75.180585][ T9208]  ? tun_build_skb.isra.0+0x1470/0x1470
[   75.186147][ T9208]  ? rcu_read_lock_held+0x9c/0xb0
[   75.191156][ T9208]  ? __kasan_check_read+0x11/0x20
[   75.196170][ T9208]  tun_chr_write_iter+0xbd/0x156
[   75.201391][ T9208]  do_iter_readv_writev+0x5f8/0x8f0
[   75.206577][ T9208]  ? no_seek_end_llseek_size+0x70/0x70
[   75.212042][ T9208]  ? rw_verify_area+0x126/0x360
[   75.216978][ T9208]  do_iter_write+0x184/0x610
[   75.221558][ T9208]  vfs_writev+0x1b3/0x2f0
[   75.225875][ T9208]  ? vfs_iter_write+0xb0/0xb0
[   75.230536][ T9208]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   75.236772][ T9208]  ? __do_sys_perf_event_open+0xe1/0x2c70
[   75.242494][ T9208]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   75.248810][ T9208]  ? __fget_light+0x1a9/0x230
[   75.253475][ T9208]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   75.259702][ T9208]  do_writev+0x15b/0x330
[   75.263929][ T9208]  ? vfs_writev+0x2f0/0x2f0
[   75.268423][ T9208]  ? do_syscall_64+0x26/0x790
[   75.273088][ T9208]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   75.279139][ T9208]  ? do_syscall_64+0x26/0x790
[   75.283801][ T9208]  __x64_sys_writev+0x75/0xb0
[   75.288463][ T9208]  do_syscall_64+0xfa/0x790
[   75.292956][ T9208]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   75.298833][ T9208] RIP: 0033:0x441800
[   75.302728][ T9208] Code: 05 48 3d 01 f0 ff ff 0f 83 fd 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 51 9c 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 d4 0e fc ff c3 48 83 ec 08 e8 9a 2b 00 00
[   75.322437][ T9208] RSP: 002b:00007fff3ba99898 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[   75.330851][ T9208] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441800
[   75.338927][ T9208] RDX: 0000000000000001 RSI: 00007fff3ba998f0 RDI: 00000000000000f0
[   75.346886][ T9208] RBP: 00007fff3ba998c0 R08: 0000000000000000 R09: 0000000000000020
[   75.354951][ T9208] R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000003
[   75.362918][ T9208] R13: 0000000000000004 R14: 00007fff3ba99940 R15: 0000000000000000
[   75.370891][ T9208]
[   75.373210][ T9208] The buggy address belongs to the page:
[   75.378836][ T9208] page:ffffea00022afc00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
[   75.387935][ T9208] raw: 00fffe0000000000 ffffea00022afc08 ffffea00022afc08 0000000000000000
[   75.396513][ T9208] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   75.405078][ T9208] page dumped because: kasan: bad access detected
[   75.411468][ T9208]
[   75.413780][ T9208] Memory state around the buggy address:
[   75.419400][ T9208]  ffff88808abeff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   75.427495][ T9208]  ffff88808abeff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   75.435547][ T9208] >ffff88808abf0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   75.443602][ T9208]                                            ^
[   75.449751][ T9208]  ffff88808abf0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   75.457807][ T9208]  ffff88808abf0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   75.465854][ T9208] ==================================================================
[   75.473903][ T9208] Disabling lock debugging due to kernel taint
[   75.480099][ T9208] Kernel panic - not syncing: panic_on_warn set ...
[   75.486683][ T9208] CPU: 0 PID: 9208 Comm: syz-executor315 Tainted: G    B             5.5.0-rc2-syzkaller #0
[   75.496839][ T9208] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   75.506877][ T9208] Call Trace:
[   75.510157][ T9208]  dump_stack+0x197/0x210
[   75.514472][ T9208]  panic+0x2e3/0x75c
[   75.518371][ T9208]  ? add_taint.cold+0x16/0x16
[   75.523031][ T9208]  ? retint_kernel+0x2b/0x2b
[   75.527607][ T9208]  ? trace_hardirqs_on+0x5e/0x240
[   75.532613][ T9208]  ? eth_type_trans+0x6ce/0x760
[   75.537568][ T9208]  end_report+0x47/0x4f
[   75.541715][ T9208]  ? eth_type_trans+0x6ce/0x760
[   75.546553][ T9208]  __kasan_report.cold+0xe/0x41
[   75.551396][ T9208]  ? eth_type_trans+0x6ce/0x760
[   75.556230][ T9208]  kasan_report+0x12/0x20
[   75.560629][ T9208]  __asan_report_load8_noabort+0x14/0x20
[   75.566328][ T9208]  eth_type_trans+0x6ce/0x760
[   75.570996][ T9208]  ? eth_gro_receive+0x890/0x890
[   75.575939][ T9208]  ? napi_gro_frags+0x373/0xd00
[   75.580774][ T9208]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   75.586670][ T9208]  napi_gro_frags+0x8c2/0xd00
[   75.591333][ T9208]  tun_get_user+0x2e7f/0x3fc0
[   75.595994][ T9208]  ? __kasan_check_read+0x11/0x20
[   75.601005][ T9208]  ? aa_file_perm+0x825/0x15f0
[   75.605777][ T9208]  ? tun_build_skb.isra.0+0x1470/0x1470
[   75.611307][ T9208]  ? rcu_read_lock_held+0x9c/0xb0
[   75.616312][ T9208]  ? __kasan_check_read+0x11/0x20
[   75.621320][ T9208]  tun_chr_write_iter+0xbd/0x156
[   75.626240][ T9208]  do_iter_readv_writev+0x5f8/0x8f0
[   75.631422][ T9208]  ? no_seek_end_llseek_size+0x70/0x70
[   75.636866][ T9208]  ? rw_verify_area+0x126/0x360
[   75.641699][ T9208]  do_iter_write+0x184/0x610
[   75.646272][ T9208]  vfs_writev+0x1b3/0x2f0
[   75.650581][ T9208]  ? vfs_iter_write+0xb0/0xb0
[   75.655301][ T9208]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   75.661525][ T9208]  ? __do_sys_perf_event_open+0xe1/0x2c70
[   75.667227][ T9208]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   75.673450][ T9208]  ? __fget_light+0x1a9/0x230
[   75.678114][ T9208]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   75.684333][ T9208]  do_writev+0x15b/0x330
[   75.688558][ T9208]  ? vfs_writev+0x2f0/0x2f0
[   75.693045][ T9208]  ? do_syscall_64+0x26/0x790
[   75.697702][ T9208]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   75.703751][ T9208]  ? do_syscall_64+0x26/0x790
[   75.708423][ T9208]  __x64_sys_writev+0x75/0xb0
[   75.713083][ T9208]  do_syscall_64+0xfa/0x790
[   75.717581][ T9208]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   75.723454][ T9208] RIP: 0033:0x441800
[   75.727332][ T9208] Code: 05 48 3d 01 f0 ff ff 0f 83 fd 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 51 9c 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 d4 0e fc ff c3 48 83 ec 08 e8 9a 2b 00 00
[   75.747002][ T9208] RSP: 002b:00007fff3ba99898 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[   75.755399][ T9208] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441800
[   75.763351][ T9208] RDX: 0000000000000001 RSI: 00007fff3ba998f0 RDI: 00000000000000f0
[   75.771331][ T9208] RBP: 00007fff3ba998c0 R08: 0000000000000000 R09: 0000000000000020
[   75.779283][ T9208] R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000003
[   75.787232][ T9208] R13: 0000000000000004 R14: 00007fff3ba99940 R15: 0000000000000000
[   75.796556][ T9208] Kernel Offset: disabled
[   75.800885][ T9208] Rebooting in 86400 seconds..