[ ok ] Starting enhanced syslogd: rsyslogd.
[ 54.699740][ T27] audit: type=1800 audit(1559295140.686:25): pid=8389 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 54.738070][ T27] audit: type=1800 audit(1559295140.686:26): pid=8389 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 54.780667][ T27] audit: type=1800 audit(1559295140.696:27): pid=8389 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 65.818620][ T8542] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 65.881264][ T8552] ==================================================================
[ 65.889461][ T8552] BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10
[ 65.896641][ T8552] Read of size 2 at addr ffff88809362840c by task syz-executor239/8552
[ 65.904851][ T8552]
[ 65.907162][ T8552] CPU: 1 PID: 8552 Comm: syz-executor239 Not tainted 5.2.0-rc2+ #14
[ 65.915116][ T8552] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.925315][ T8552] Call Trace:
[ 65.928601][ T8552]  dump_stack+0x172/0x1f0
[ 65.932917][ T8552]  ? napi_gro_frags+0xc6f/0xd10
[ 65.937780][ T8552]  print_address_description.cold+0x7c/0x20d
[ 65.943754][ T8552]  ? napi_gro_frags+0xc6f/0xd10
[ 65.948601][ T8552]  ? napi_gro_frags+0xc6f/0xd10
[ 65.953439][ T8552]  __kasan_report.cold+0x1b/0x40
[ 65.958357][ T8552]  ? memset+0x10/0x40
[ 65.962331][ T8552]  ? napi_gro_frags+0xc6f/0xd10
[ 65.967171][ T8552]  kasan_report+0x12/0x20
[ 65.971503][ T8552]  __asan_report_load_n_noabort+0xf/0x20
[ 65.977411][ T8552]  napi_gro_frags+0xc6f/0xd10
[ 65.982082][ T8552]  tun_get_user+0x2f3c/0x3ff0
[ 65.986752][ T8552]  ? tun_device_event+0xee0/0xee0
[ 65.991756][ T8552]  ? tun_get+0x171/0x290
[ 65.995983][ T8552]  ? lock_downgrade+0x880/0x880
[ 66.000826][ T8552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 66.007101][ T8552]  ? kasan_check_read+0x11/0x20
[ 66.011956][ T8552]  tun_chr_write_iter+0xbd/0x156
[ 66.016881][ T8552]  do_iter_readv_writev+0x5f8/0x8f0
[ 66.022088][ T8552]  ? no_seek_end_llseek_size+0x70/0x70
[ 66.027533][ T8552]  ? apparmor_file_permission+0x25/0x30
[ 66.033847][ T8552]  ? rw_verify_area+0x126/0x360
[ 66.038692][ T8552]  do_iter_write+0x184/0x610
[ 66.043276][ T8552]  ? dup_iter+0x260/0x260
[ 66.047587][ T8552]  vfs_writev+0x1b3/0x2f0
[ 66.051918][ T8552]  ? vfs_iter_write+0xb0/0xb0
[ 66.056578][ T8552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 66.062807][ T8552]  ? __handle_mm_fault+0x7cb/0x3eb0
[ 66.068005][ T8552]  ? __do_page_fault+0x623/0xda0
[ 66.072942][ T8552]  ? __do_page_fault+0x623/0xda0
[ 66.077862][ T8552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 66.084086][ T8552]  ? __fget_light+0x1a9/0x230
[ 66.088746][ T8552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 66.094971][ T8552]  do_writev+0x15b/0x330
[ 66.099209][ T8552]  ? vfs_writev+0x2f0/0x2f0
[ 66.103701][ T8552]  ? do_syscall_64+0x26/0x680
[ 66.108456][ T8552]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 66.114509][ T8552]  ? do_syscall_64+0x26/0x680
[ 66.119194][ T8552]  __x64_sys_writev+0x75/0xb0
[ 66.123885][ T8552]  do_syscall_64+0xfd/0x680
[ 66.128375][ T8552]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 66.134339][ T8552] RIP: 0033:0x441cd0
[ 66.138221][ T8552] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 41 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
[ 66.159037][ T8552] RSP: 002b:00007ffd0979e258 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 66.167448][ T8552] RAX: ffffffffffffffda RBX: 00007ffd0979e280 RCX: 0000000000441cd0
[ 66.175408][ T8552] RDX: 0000000000000003 RSI: 00007ffd0979e2a0 RDI: 00000000000000f0
[ 66.183392][ T8552] RBP: 00007ffd0979e2a0 R08: 00007ffd0979e2d0 R09: 0000000000000003
[ 66.191348][ T8552] R10: 0000000000000d77 R11: 0000000000000246 R12: 000000000001013d
[ 66.199299][ T8552] R13: 0000000000402b60 R14: 0000000000000000 R15: 0000000000000000
[ 66.207267][ T8552]
[ 66.209574][ T8552] The buggy address belongs to the page:
[ 66.215186][ T8552] page:ffffea00024d8a00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
[ 66.224527][ T8552] flags: 0x1fffc0000000000()
[ 66.229098][ T8552] raw: 01fffc0000000000 ffffea0002482a08 ffff88812fffc878 0000000000000000
[ 66.237672][ T8552] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[ 66.246238][ T8552] page dumped because: kasan: bad access detected
[ 66.252656][ T8552]
[ 66.254975][ T8552] Memory state around the buggy address:
[ 66.268384][ T8552]  ffff888093628300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.276578][ T8552]  ffff888093628380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.284620][ T8552] >ffff888093628400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.292766][ T8552]                       ^
[ 66.297075][ T8552]  ffff888093628480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.305114][ T8552]  ffff888093628500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.313150][ T8552] ==================================================================
[ 66.321191][ T8552] Disabling lock debugging due to kernel taint
[ 66.327362][ T8552] Kernel panic - not syncing: panic_on_warn set ...
[ 66.333942][ T8552] CPU: 1 PID: 8552 Comm: syz-executor239 Tainted: G    B             5.2.0-rc2+ #14
[ 66.343290][ T8552] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.353328][ T8552] Call Trace:
[ 66.356605][ T8552]  dump_stack+0x172/0x1f0
[ 66.360918][ T8552]  panic+0x2cb/0x744
[ 66.364795][ T8552]  ? __warn_printk+0xf3/0xf3
[ 66.369391][ T8552]  ? trace_hardirqs_on+0x5e/0x220
[ 66.374410][ T8552]  ? trace_hardirqs_on+0x5e/0x220
[ 66.379422][ T8552]  ? napi_gro_frags+0xc6f/0xd10
[ 66.384260][ T8552]  end_report+0x47/0x4f
[ 66.388399][ T8552]  ? napi_gro_frags+0xc6f/0xd10
[ 66.393234][ T8552]  __kasan_report.cold+0xe/0x40
[ 66.398088][ T8552]  ? memset+0x10/0x40
[ 66.402055][ T8552]  ? napi_gro_frags+0xc6f/0xd10
[ 66.406885][ T8552]  kasan_report+0x12/0x20
[ 66.411197][ T8552]  __asan_report_load_n_noabort+0xf/0x20
[ 66.416810][ T8552]  napi_gro_frags+0xc6f/0xd10
[ 66.421473][ T8552]  tun_get_user+0x2f3c/0x3ff0
[ 66.426134][ T8552]  ? tun_device_event+0xee0/0xee0
[ 66.431142][ T8552]  ? tun_get+0x171/0x290
[ 66.435367][ T8552]  ? lock_downgrade+0x880/0x880
[ 66.440204][ T8552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 66.446442][ T8552]  ? kasan_check_read+0x11/0x20
[ 66.451286][ T8552]  tun_chr_write_iter+0xbd/0x156
[ 66.456218][ T8552]  do_iter_readv_writev+0x5f8/0x8f0
[ 66.461408][ T8552]  ? no_seek_end_llseek_size+0x70/0x70
[ 66.466842][ T8552]  ? apparmor_file_permission+0x25/0x30
[ 66.472365][ T8552]  ? rw_verify_area+0x126/0x360
[ 66.477220][ T8552]  do_iter_write+0x184/0x610
[ 66.481802][ T8552]  ? dup_iter+0x260/0x260
[ 66.486114][ T8552]  vfs_writev+0x1b3/0x2f0
[ 66.490425][ T8552]  ? vfs_iter_write+0xb0/0xb0
[ 66.495111][ T8552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 66.501346][ T8552]  ? __handle_mm_fault+0x7cb/0x3eb0
[ 66.506529][ T8552]  ? __do_page_fault+0x623/0xda0
[ 66.511448][ T8552]  ? __do_page_fault+0x623/0xda0
[ 66.516388][ T8552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 66.522611][ T8552]  ? __fget_light+0x1a9/0x230
[ 66.527268][ T8552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 66.533492][ T8552]  do_writev+0x15b/0x330
[ 66.537829][ T8552]  ? vfs_writev+0x2f0/0x2f0
[ 66.542319][ T8552]  ? do_syscall_64+0x26/0x680
[ 66.547004][ T8552]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 66.553058][ T8552]  ? do_syscall_64+0x26/0x680
[ 66.557719][ T8552]  __x64_sys_writev+0x75/0xb0
[ 66.562382][ T8552]  do_syscall_64+0xfd/0x680
[ 66.566895][ T8552]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 66.572771][ T8552] RIP: 0033:0x441cd0
[ 66.576660][ T8552] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 41 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
[ 66.596263][ T8552] RSP: 002b:00007ffd0979e258 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 66.604668][ T8552] RAX: ffffffffffffffda RBX: 00007ffd0979e280 RCX: 0000000000441cd0
[ 66.612623][ T8552] RDX: 0000000000000003 RSI: 00007ffd0979e2a0 RDI: 00000000000000f0
[ 66.620581][ T8552] RBP: 00007ffd0979e2a0 R08: 00007ffd0979e2d0 R09: 0000000000000003
[ 66.628531][ T8552] R10: 0000000000000d77 R11: 0000000000000246 R12: 000000000001013d
[ 66.636482][ T8552] R13: 0000000000402b60 R14: 0000000000000000 R15: 0000000000000000
[ 66.645676][ T8552] Kernel Offset: disabled
[ 66.650002][ T8552] Rebooting in 86400 seconds..