[   43.141601] audit: type=1800 audit(1576757516.411:32): pid=7611 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[   44.124331] audit: type=1800 audit(1576757517.471:33): pid=7611 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.147' (ECDSA) to the list of known hosts.

syzkaller login: [   52.470873] kauditd_printk_skb: 2 callbacks suppressed
[   52.470890] audit: type=1400 audit(1576757525.821:36): avc: denied { map } for pid=7795 comm="syz-executor446" path="/root/syz-executor446228314" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   52.484947] IPVS: ftp: loaded support on port[0] = 21
[   52.529551] audit: type=1400 audit(1576757525.881:37): avc: denied { create } for pid=7796 comm="syz-executor446" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   52.554153] audit: type=1400 audit(1576757525.881:38): avc: denied { write } for pid=7796 comm="syz-executor446" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
executing program
[   52.578443] audit: type=1400 audit(1576757525.881:39): avc: denied { read } for pid=7796 comm="syz-executor446" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   52.772547] ==================================================================
[   52.780230] BUG: KASAN: use-after-free in eth_type_trans+0x6dd/0x770
[   52.786709] Read of size 8 at addr ffff8880877f0040 by task syz-executor446/7796
[   52.794223]
[   52.795838] CPU: 1 PID: 7796 Comm: syz-executor446 Not tainted 4.19.90-syzkaller #0
[   52.803621] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.812967] Call Trace:
[   52.815555]  dump_stack+0x197/0x210
[   52.819179]  ? eth_type_trans+0x6dd/0x770
[   52.823455]  print_address_description.cold+0x7c/0x20d
[   52.828751]  ? eth_type_trans+0x6dd/0x770
[   52.832891]  kasan_report.cold+0x8c/0x2ba
[   52.837050]  __asan_report_load8_noabort+0x14/0x20
[   52.841973]  eth_type_trans+0x6dd/0x770
[   52.845959]  ? eth_gro_receive+0x8a0/0x8a0
[   52.850197]  ? napi_gro_frags+0x36c/0xa20
[   52.854343]  napi_gro_frags+0x6ad/0xa20
[   52.858320]  tun_get_user+0x2f08/0x4c30
[   52.862292]  ? mark_held_locks+0x100/0x100
[   52.866535]  ? tun_build_skb.isra.0+0x1a40/0x1a40
[   52.871388]  ? tun_get+0x171/0x290
[   52.874933]  ? lock_downgrade+0x880/0x880
[   52.879069]  ? kasan_check_read+0x11/0x20
[   52.883213]  tun_chr_write_iter+0xbd/0x156
[   52.887451]  do_iter_readv_writev+0x558/0x830
[   52.891935]  ? vfs_dedupe_file_range+0x6f0/0x6f0
[   52.896684]  ? security_file_permission+0x89/0x230
[   52.901611]  ? rw_verify_area+0x118/0x360
[   52.905756]  do_iter_write+0x184/0x5f0
[   52.909637]  vfs_writev+0x1b3/0x2f0
[   52.913251]  ? vfs_iter_write+0xb0/0xb0
[   52.917237]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.922777]  ? __fd_install+0x200/0x640
[   52.926738]  ? fd_install+0x4d/0x60
[   52.930360]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.935882]  ? __fget_light+0x1a9/0x230
[   52.939844]  do_writev+0x15e/0x370
[   52.943383]  ? vfs_writev+0x2f0/0x2f0
[   52.947203]  ? do_syscall_64+0x26/0x620
[   52.951168]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.956518]  ? do_syscall_64+0x26/0x620
[   52.960480]  __x64_sys_writev+0x75/0xb0
[   52.964458]  do_syscall_64+0xfd/0x620
[   52.968260]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.973530] RIP: 0033:0x441800
[   52.976719] Code: 05 48 3d 01 f0 ff ff 0f 83 fd 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 51 9c 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 d4 0e fc ff c3 48 83 ec 08 e8 9a 2b 00 00
[   52.995612] RSP: 002b:00007ffe87059608 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[   53.003313] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441800
[   53.010571] RDX: 0000000000000001 RSI: 00007ffe87059660 RDI: 00000000000000f0
[   53.017826] RBP: 00007ffe87059630 R08: 0000000000000000 R09: 0000000000000020
[   53.025080] R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000003
[   53.032335] R13: 0000000000000004 R14: 00007ffe870596b0 R15: 0000000000000000
[   53.039769]
[   53.041379] The buggy address belongs to the page:
[   53.046297] page:ffffea00021dfc00 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[   53.054419] flags: 0xfffe0000000000()
[   53.058206] raw: 00fffe0000000000 dead000000000100 dead000000000200 0000000000000000
[   53.066089] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   53.073953] page dumped because: kasan: bad access detected
[   53.079655]
[   53.081262] Memory state around the buggy address:
[   53.086177]  ffff8880877eff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   53.093538]  ffff8880877eff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   53.108388] >ffff8880877f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   53.115746]                                            ^
[   53.121195]  ffff8880877f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   53.128551]  ffff8880877f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   53.135911] ==================================================================
[   53.143255] Disabling lock debugging due to kernel taint
[   53.148744] Kernel panic - not syncing: panic_on_warn set ...
[   53.148744]
[   53.156142] CPU: 1 PID: 7796 Comm: syz-executor446 Tainted: G    B             4.19.90-syzkaller #0
[   53.165320] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.174656] Call Trace:
[   53.177243]  dump_stack+0x197/0x210
[   53.180870]  ? eth_type_trans+0x6dd/0x770
[   53.185017]  panic+0x26a/0x50e
[   53.188205]  ? __warn_printk+0xf3/0xf3
[   53.192080]  ? retint_kernel+0x2d/0x2d
[   53.195972]  ? trace_hardirqs_on+0x5e/0x220
[   53.200305]  ? eth_type_trans+0x6dd/0x770
[   53.204446]  kasan_end_report+0x47/0x4f
[   53.208418]  kasan_report.cold+0xa9/0x2ba
[   53.212560]  __asan_report_load8_noabort+0x14/0x20
[   53.217487]  eth_type_trans+0x6dd/0x770
[   53.221443]  ? eth_gro_receive+0x8a0/0x8a0
[   53.225663]  ? napi_gro_frags+0x36c/0xa20
[   53.229814]  napi_gro_frags+0x6ad/0xa20
[   53.233789]  tun_get_user+0x2f08/0x4c30
[   53.237772]  ? mark_held_locks+0x100/0x100
[   53.242009]  ? tun_build_skb.isra.0+0x1a40/0x1a40
[   53.246840]  ? tun_get+0x171/0x290
[   53.250410]  ? lock_downgrade+0x880/0x880
[   53.254575]  ? kasan_check_read+0x11/0x20
[   53.258729]  tun_chr_write_iter+0xbd/0x156
[   53.263014]  do_iter_readv_writev+0x558/0x830
[   53.267503]  ? vfs_dedupe_file_range+0x6f0/0x6f0
[   53.272341]  ? security_file_permission+0x89/0x230
[   53.277263]  ? rw_verify_area+0x118/0x360
[   53.281409]  do_iter_write+0x184/0x5f0
[   53.285284]  vfs_writev+0x1b3/0x2f0
[   53.288916]  ? vfs_iter_write+0xb0/0xb0
[   53.292880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.298414]  ? __fd_install+0x200/0x640
[   53.302374]  ? fd_install+0x4d/0x60
[   53.306122]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.311701]  ? __fget_light+0x1a9/0x230
[   53.315690]  do_writev+0x15e/0x370
[   53.319220]  ? vfs_writev+0x2f0/0x2f0
[   53.323010]  ? do_syscall_64+0x26/0x620
[   53.326971]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.332324]  ? do_syscall_64+0x26/0x620
[   53.336316]  __x64_sys_writev+0x75/0xb0
[   53.340277]  do_syscall_64+0xfd/0x620
[   53.344077]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.349269] RIP: 0033:0x441800
[   53.352448] Code: 05 48 3d 01 f0 ff ff 0f 83 fd 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 51 9c 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 d4 0e fc ff c3 48 83 ec 08 e8 9a 2b 00 00
[   53.371341] RSP: 002b:00007ffe87059608 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[   53.379128] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441800
[   53.387104] RDX: 0000000000000001 RSI: 00007ffe87059660 RDI: 00000000000000f0
[   53.394475] RBP: 00007ffe87059630 R08: 0000000000000000 R09: 0000000000000020
[   53.401786] R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000003
[   53.409044] R13: 0000000000000004 R14: 00007ffe870596b0 R15: 0000000000000000
[   53.417917] Kernel Offset: disabled
[   53.421554] Rebooting in 86400 seconds..
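The console log above is a raw syzkaller crash report, so the one thing worth adding is a triage helper. The Python script below is an added example, not part of the syzkaller report or of the kernel tree. It pulls out the fields a responder reads first from a KASAN report: the bug class, the function named on the BUG line, the access (read or write, size, address), the task and kernel version, and the reliable call-trace frames with the KASAN/dump_stack reporting machinery stripped, so that the first remaining frame (eth_type_trans here) can be checked against the BUG line and the user-to-kernel entry point (writev reaching tun_chr_write_iter and tun_get_user) identified. SAMPLE_REPORT is a constructed excerpt of the first report above with a few of its "? " frames left in to show that they are discarded; the assumption that a "? " prefix marks an unverified stack slot rather than a real caller is the x86 unwinder's convention and is noted in the code.

```python
import re

# Constructed excerpt of the KASAN report above (BUG line, access line, CPU line
# and part of the first call trace), used as the parser's sample input.
SAMPLE_REPORT = """\
[   52.772547] ==================================================================
[   52.780230] BUG: KASAN: use-after-free in eth_type_trans+0x6dd/0x770
[   52.786709] Read of size 8 at addr ffff8880877f0040 by task syz-executor446/7796
[   52.794223]
[   52.795838] CPU: 1 PID: 7796 Comm: syz-executor446 Not tainted 4.19.90-syzkaller #0
[   52.812967] Call Trace:
[   52.815555]  dump_stack+0x197/0x210
[   52.819179]  ? eth_type_trans+0x6dd/0x770
[   52.823455]  print_address_description.cold+0x7c/0x20d
[   52.832891]  kasan_report.cold+0x8c/0x2ba
[   52.837050]  __asan_report_load8_noabort+0x14/0x20
[   52.841973]  eth_type_trans+0x6dd/0x770
[   52.845959]  ? eth_gro_receive+0x8a0/0x8a0
[   52.854343]  napi_gro_frags+0x6ad/0xa20
[   52.858320]  tun_get_user+0x2f08/0x4c30
[   52.866535]  ? tun_build_skb.isra.0+0x1a40/0x1a40
[   52.883213]  tun_chr_write_iter+0xbd/0x156
[   52.887451]  do_iter_readv_writev+0x558/0x830
[   52.905756]  do_iter_write+0x184/0x5f0
[   52.909637]  vfs_writev+0x1b3/0x2f0
[   52.939844]  do_writev+0x15e/0x370
[   52.960480]  __x64_sys_writev+0x75/0xb0
[   52.964458]  do_syscall_64+0xfd/0x620
[   52.968260]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.973530] RIP: 0033:0x441800
[   53.135911] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]")
BUG_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)/(?P<pid>\d+)")
CPU_RE = re.compile(r"CPU: \d+ PID: \d+ Comm: \S+ (?P<taint>Not tainted|Tainted: .*?)\s+(?P<version>\d[\w.-]*)")
# A leading "? " is the x86 unwinder's mark for an address found on the stack but
# not verified as a return address (assumption stated in the lead-in).
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Frames that belong to the reporting machinery, not to the code that faulted.
INSTRUMENTATION = ("dump_stack", "print_address_description", "kasan_", "__asan_", "__kasan_")


def parse_kasan_report(text):
    """Extract the triage fields from the first KASAN report in a console log."""
    report = {"frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()   # drop "[   52.xxxxxx]" and indentation
        if in_trace:
            m = FRAME_RE.match(line)
            if m is None:
                break                       # "RIP:", a blank line, etc. ends the trace
            if m["unreliable"]:
                continue                    # stale stack slot, not a caller
            report["frames"].append(m["sym"])
            continue
        m = BUG_RE.search(line)
        if m:
            report["bug"], report["func"] = m["bug"], m["func"]
            continue
        m = ACCESS_RE.search(line)
        if m:
            report.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                          task=m["task"], pid=int(m["pid"]))
            continue
        m = CPU_RE.search(line)
        if m:
            report["version"] = m["version"]
            report["tainted"] = not m["taint"].startswith("Not tainted")
            continue
        if line == "Call Trace:":
            in_trace = True
    return report


def blame_frames(report):
    """Reliable frames with the KASAN/dump_stack prefix removed; [0] is the faulting function."""
    frames = report["frames"]
    i = 0
    while i < len(frames) and frames[i].startswith(INSTRUMENTATION):
        i += 1
    return frames[i:]


def entry_syscall(report):
    """Name of the syscall that entered the kernel, or None for a non-syscall context."""
    for sym in report["frames"]:
        if sym.startswith(("__x64_sys_", "__ia32_sys_", "__se_sys_", "__do_sys_")):
            return sym.split("sys_", 1)[1]
    return None


def summarize(report):
    """One-line triage string; also checks that the BUG line agrees with the first real frame."""
    blame = blame_frames(report)
    consistent = bool(blame) and blame[0] == report["func"]
    path = " <- ".join(blame[:4])
    return (f"{report['bug']} {report['op'].lower()} ({report['size']} bytes) in {report['func']} "
            f"via {path}, syscall {entry_syscall(report)}, task {report['task']}/{report['pid']}, "
            f"kernel {report['version']}, trace consistent: {consistent}")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

The parser stops at the first non-frame line after "Call Trace:", so it reads only the KASAN report itself; the second trace in the log above, printed by panic() because panic_on_warn is set, repeats the same frames and adds nothing for triage. The consistency flag matters when the BUG line and the first reliable frame disagree, which usually means an inlined callee or a trace that was cut off.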