[ ok ] Starting enhanced syslogd: rsyslogd.
[ 63.278909][ T26] audit: type=1800 audit(1559288588.983:25): pid=8782 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 63.315569][ T26] audit: type=1800 audit(1559288588.983:26): pid=8782 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 63.362132][ T26] audit: type=1800 audit(1559288588.993:27): pid=8782 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.54' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 73.391330][ T8939] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[ 73.457100][ T8949] ==================================================================
[ 73.465311][ T8949] BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10
[ 73.472501][ T8949] Read of size 2 at addr ffff88808af6840c by task syz-executor842/8949
[ 73.480764][ T8949]
[ 73.483086][ T8949] CPU: 1 PID: 8949 Comm: syz-executor842 Not tainted 5.2.0-rc2+ #14
[ 73.491042][ T8949] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.501088][ T8949] Call Trace:
[ 73.504368][ T8949]  dump_stack+0x172/0x1f0
[ 73.508701][ T8949]  ? napi_gro_frags+0xc6f/0xd10
[ 73.513543][ T8949]  print_address_description.cold+0x7c/0x20d
[ 73.519516][ T8949]  ? napi_gro_frags+0xc6f/0xd10
[ 73.524356][ T8949]  ? napi_gro_frags+0xc6f/0xd10
[ 73.529220][ T8949]  __kasan_report.cold+0x1b/0x40
[ 73.534147][ T8949]  ? memset+0x10/0x40
[ 73.538136][ T8949]  ? napi_gro_frags+0xc6f/0xd10
[ 73.542993][ T8949]  kasan_report+0x12/0x20
[ 73.547327][ T8949]  __asan_report_load_n_noabort+0xf/0x20
[ 73.552963][ T8949]  napi_gro_frags+0xc6f/0xd10
[ 73.557633][ T8949]  tun_get_user+0x2f3c/0x3ff0
[ 73.562310][ T8949]  ? tun_device_event+0xee0/0xee0
[ 73.567322][ T8949]  ? tun_get+0x171/0x290
[ 73.571571][ T8949]  ? lock_downgrade+0x880/0x880
[ 73.576422][ T8949]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.582671][ T8949]  ? kasan_check_read+0x11/0x20
[ 73.587524][ T8949]  tun_chr_write_iter+0xbd/0x156
[ 73.592454][ T8949]  do_iter_readv_writev+0x5f8/0x8f0
[ 73.597649][ T8949]  ? no_seek_end_llseek_size+0x70/0x70
[ 73.603121][ T8949]  ? apparmor_file_permission+0x25/0x30
[ 73.608680][ T8949]  ? rw_verify_area+0x126/0x360
[ 73.613528][ T8949]  do_iter_write+0x184/0x610
[ 73.618107][ T8949]  ? dup_iter+0x260/0x260
[ 73.622456][ T8949]  vfs_writev+0x1b3/0x2f0
[ 73.626781][ T8949]  ? vfs_iter_write+0xb0/0xb0
[ 73.631455][ T8949]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.637723][ T8949]  ? __handle_mm_fault+0x7cb/0x3eb0
[ 73.642920][ T8949]  ? __do_page_fault+0x623/0xda0
[ 73.647873][ T8949]  ? __do_page_fault+0x623/0xda0
[ 73.652809][ T8949]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.659044][ T8949]  ? __fget_light+0x1a9/0x230
[ 73.663719][ T8949]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.669976][ T8949]  do_writev+0x15b/0x330
[ 73.674210][ T8949]  ? vfs_writev+0x2f0/0x2f0
[ 73.678703][ T8949]  ? do_syscall_64+0x26/0x680
[ 73.683366][ T8949]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.689429][ T8949]  ? do_syscall_64+0x26/0x680
[ 73.694099][ T8949]  __x64_sys_writev+0x75/0xb0
[ 73.698768][ T8949]  do_syscall_64+0xfd/0x680
[ 73.703269][ T8949]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.709152][ T8949] RIP: 0033:0x441cd0
[ 73.713035][ T8949] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 41 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
[ 73.732634][ T8949] RSP: 002b:00007ffc3b177348 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 73.741037][ T8949] RAX: ffffffffffffffda RBX: 00007ffc3b177370 RCX: 0000000000441cd0
[ 73.748995][ T8949] RDX: 0000000000000003 RSI: 00007ffc3b177390 RDI: 00000000000000f0
[ 73.756952][ T8949] RBP: 00007ffc3b177390 R08: 00007ffc3b1773c0 R09: 0000000000000003
[ 73.764918][ T8949] R10: 0000000000000d77 R11: 0000000000000246 R12: 0000000000011ee2
[ 73.772881][ T8949] R13: 0000000000402b60 R14: 0000000000000000 R15: 0000000000000000
[ 73.780850][ T8949]
[ 73.783159][ T8949] The buggy address belongs to the page:
[ 73.788773][ T8949] page:ffffea00022bda00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
[ 73.798135][ T8949] flags: 0x1fffc0000000000()
[ 73.802717][ T8949] raw: 01fffc0000000000 ffffea000230c408 ffff88812fffc878 0000000000000000
[ 73.811292][ T8949] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[ 73.819874][ T8949] page dumped because: kasan: bad access detected
[ 73.826269][ T8949]
[ 73.828578][ T8949] Memory state around the buggy address:
[ 73.834231][ T8949]  ffff88808af68300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 73.842285][ T8949]  ffff88808af68380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 73.850342][ T8949] >ffff88808af68400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 73.858411][ T8949]                       ^
[ 73.862726][ T8949]  ffff88808af68480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 73.870781][ T8949]  ffff88808af68500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 73.878829][ T8949] ==================================================================
[ 73.886885][ T8949] Disabling lock debugging due to kernel taint
[ 73.893076][ T8949] Kernel panic - not syncing: panic_on_warn set ...
[ 73.899668][ T8949] CPU: 1 PID: 8949 Comm: syz-executor842 Tainted: G B 5.2.0-rc2+ #14
[ 73.909015][ T8949] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.919058][ T8949] Call Trace:
[ 73.922336][ T8949]  dump_stack+0x172/0x1f0
[ 73.926651][ T8949]  panic+0x2cb/0x744
[ 73.930526][ T8949]  ? __warn_printk+0xf3/0xf3
[ 73.935100][ T8949]  ? trace_hardirqs_on+0x5e/0x220
[ 73.940109][ T8949]  ? trace_hardirqs_on+0x5e/0x220
[ 73.945121][ T8949]  ? napi_gro_frags+0xc6f/0xd10
[ 73.949973][ T8949]  end_report+0x47/0x4f
[ 73.954123][ T8949]  ? napi_gro_frags+0xc6f/0xd10
[ 73.958977][ T8949]  __kasan_report.cold+0xe/0x40
[ 73.963836][ T8949]  ? memset+0x10/0x40
[ 73.967805][ T8949]  ? napi_gro_frags+0xc6f/0xd10
[ 73.972643][ T8949]  kasan_report+0x12/0x20
[ 73.976964][ T8949]  __asan_report_load_n_noabort+0xf/0x20
[ 73.982588][ T8949]  napi_gro_frags+0xc6f/0xd10
[ 73.987282][ T8949]  tun_get_user+0x2f3c/0x3ff0
[ 73.991969][ T8949]  ? tun_device_event+0xee0/0xee0
[ 73.996977][ T8949]  ? tun_get+0x171/0x290
[ 74.001209][ T8949]  ? lock_downgrade+0x880/0x880
[ 74.006044][ T8949]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 74.012271][ T8949]  ? kasan_check_read+0x11/0x20
[ 74.017115][ T8949]  tun_chr_write_iter+0xbd/0x156
[ 74.022041][ T8949]  do_iter_readv_writev+0x5f8/0x8f0
[ 74.027230][ T8949]  ? no_seek_end_llseek_size+0x70/0x70
[ 74.032680][ T8949]  ? apparmor_file_permission+0x25/0x30
[ 74.038254][ T8949]  ? rw_verify_area+0x126/0x360
[ 74.043217][ T8949]  do_iter_write+0x184/0x610
[ 74.047801][ T8949]  ? dup_iter+0x260/0x260
[ 74.052126][ T8949]  vfs_writev+0x1b3/0x2f0
[ 74.056445][ T8949]  ? vfs_iter_write+0xb0/0xb0
[ 74.061113][ T8949]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 74.067357][ T8949]  ? __handle_mm_fault+0x7cb/0x3eb0
[ 74.072545][ T8949]  ? __do_page_fault+0x623/0xda0
[ 74.077486][ T8949]  ? __do_page_fault+0x623/0xda0
[ 74.082426][ T8949]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 74.088707][ T8949]  ? __fget_light+0x1a9/0x230
[ 74.093380][ T8949]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 74.099621][ T8949]  do_writev+0x15b/0x330
[ 74.103874][ T8949]  ? vfs_writev+0x2f0/0x2f0
[ 74.108367][ T8949]  ? do_syscall_64+0x26/0x680
[ 74.113736][ T8949]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.119793][ T8949]  ? do_syscall_64+0x26/0x680
[ 74.131477][ T8949]  __x64_sys_writev+0x75/0xb0
[ 74.136140][ T8949]  do_syscall_64+0xfd/0x680
[ 74.140629][ T8949]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.146502][ T8949] RIP: 0033:0x441cd0
[ 74.150378][ T8949] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 41 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
[ 74.169992][ T8949] RSP: 002b:00007ffc3b177348 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 74.178398][ T8949] RAX: ffffffffffffffda RBX: 00007ffc3b177370 RCX: 0000000000441cd0
[ 74.186362][ T8949] RDX: 0000000000000003 RSI: 00007ffc3b177390 RDI: 00000000000000f0
[ 74.194328][ T8949] RBP: 00007ffc3b177390 R08: 00007ffc3b1773c0 R09: 0000000000000003
[ 74.202284][ T8949] R10: 0000000000000d77 R11: 0000000000000246 R12: 0000000000011ee2
[ 74.210241][ T8949] R13: 0000000000402b60 R14: 0000000000000000 R15: 0000000000000000
[ 74.219252][ T8949] Kernel Offset: disabled
[ 74.223577][ T8949] Rebooting in 86400 seconds..
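Reading the report: the bad access is a 2-byte read in napi_gro_frags() at ffff88808af6840c. The "Memory state" rows are all 0xff, which in KASAN's shadow encoding is KASAN_FREE_PAGE (the page has been handed back to the page allocator), and the page line's refcount:0 says the same thing from the allocator's side. The task reached napi_gro_frags() through writev(2): ORIG_RAX 0x14 is __NR_writev on x86_64, which matches the __x64_sys_writev frame, RDI 0xf0 is the fd being written (a tun device, given tun_chr_write_iter), and RDX 3 is the iovec count. In drivers/net/tun.c, tun_get_user() only passes the packet to napi_gro_frags() when the tun file was set up with IFF_NAPI_FRAGS. Frames prefixed "? " are unreliable guesses from stack scanning and should be ignored during triage. The script below is an added example, not part of the syzkaller report or the kernel tree: it parses the lines above (embedded as an excerpt of this report) into those triage fields, decodes the shadow byte covering the faulting address, and derives the syzbot-style title "KASAN: use-after-free Read in napi_gro_frags". The shadow-byte meanings and the syscall numbers are hand-copied, partial tables from mm/kasan/kasan.h and arch/x86/entry/syscalls/syscall_64.tbl; the function and variable names are my own.

```python
"""Triage helper for a KASAN report on a syzkaller console log (added example)."""
import re

# Excerpt of the report above, prefixes and a few "? " frames kept verbatim.
REPORT = """\
[ 73.465311][ T8949] BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10
[ 73.472501][ T8949] Read of size 2 at addr ffff88808af6840c by task syz-executor842/8949
[ 73.483086][ T8949] CPU: 1 PID: 8949 Comm: syz-executor842 Not tainted 5.2.0-rc2+ #14
[ 73.501088][ T8949] Call Trace:
[ 73.504368][ T8949]  dump_stack+0x172/0x1f0
[ 73.508701][ T8949]  ? napi_gro_frags+0xc6f/0xd10
[ 73.513543][ T8949]  print_address_description.cold+0x7c/0x20d
[ 73.529220][ T8949]  __kasan_report.cold+0x1b/0x40
[ 73.542993][ T8949]  kasan_report+0x12/0x20
[ 73.547327][ T8949]  __asan_report_load_n_noabort+0xf/0x20
[ 73.552963][ T8949]  napi_gro_frags+0xc6f/0xd10
[ 73.557633][ T8949]  tun_get_user+0x2f3c/0x3ff0
[ 73.562310][ T8949]  ? tun_device_event+0xee0/0xee0
[ 73.587524][ T8949]  tun_chr_write_iter+0xbd/0x156
[ 73.592454][ T8949]  do_iter_readv_writev+0x5f8/0x8f0
[ 73.613528][ T8949]  do_iter_write+0x184/0x610
[ 73.622456][ T8949]  vfs_writev+0x1b3/0x2f0
[ 73.669976][ T8949]  do_writev+0x15b/0x330
[ 73.694099][ T8949]  __x64_sys_writev+0x75/0xb0
[ 73.698768][ T8949]  do_syscall_64+0xfd/0x680
[ 73.703269][ T8949]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.709152][ T8949] RIP: 0033:0x441cd0
[ 73.732634][ T8949] RSP: 002b:00007ffc3b177348 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 73.748995][ T8949] RDX: 0000000000000003 RSI: 00007ffc3b177390 RDI: 00000000000000f0
[ 73.788773][ T8949] page:ffffea00022bda00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
[ 73.850342][ T8949] >ffff88808af68400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")  # "[ 73.4][ T8949] " timestamp/thread tag
# Shadow-byte values from mm/kasan/kasan.h (v5.x era); one shadow byte covers 8 bytes. Partial.
SHADOW = {0xff: "freed page (KASAN_FREE_PAGE)", 0xfe: "page redzone", 0xfc: "kmalloc redzone",
          0xfb: "freed kmalloc object (KASAN_KMALLOC_FREE)", 0xfa: "global redzone",
          0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone"}
# Partial x86_64 table (arch/x86/entry/syscalls/syscall_64.tbl); enough for this report.
SYSCALLS_X86_64 = {0: "read", 1: "write", 19: "readv", 20: "writev"}
# Frames belonging to the reporting machinery rather than to the bug itself.
REPORTER = ("dump_stack", "print_address_description", "__kasan_report", "kasan_report",
            "__asan_report")


def strip_prefix(line):
    return PREFIX.sub("", line).strip()


def fn_name(frame):
    return frame.split("+", 1)[0]  # "napi_gro_frags+0xc6f/0xd10" -> "napi_gro_frags"


def parse_kasan_report(text):
    """Pull the triage-relevant fields out of one KASAN report."""
    info = {"trace": []}
    in_trace = False
    for line in (strip_prefix(l) for l in text.splitlines()):
        if m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+)", line):
            info["bug"], info["location"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            info.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif m := re.search(r"(?:Not tainted|Tainted:[^\d]*)\s*(\d\S*) #\d+", line):
            info["kernel"] = m[1]
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and line.startswith("RIP:"):
            in_trace = False  # register dump follows; the trace is over
        elif in_trace and line and not line.startswith("? "):  # "? " = unreliable frame
            info["trace"].append(line)
        elif m := re.search(r"ORIG_RAX: ([0-9a-f]+)", line):
            nr = int(m[1], 16)
            info["syscall"] = SYSCALLS_X86_64.get(nr, f"nr {nr}")
        elif m := re.search(r"\bpage:\S+ refcount:(\d+)", line):
            info["page_refcount"] = int(m[1])
        elif (m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2}\s?)+)", line)) and "addr" in info:
            shadow = [int(b, 16) for b in m[2].split()]
            idx = (info["addr"] - int(m[1], 16)) // 8  # shadow byte covering the faulting address
            if 0 <= idx < len(shadow):
                info["shadow"] = SHADOW.get(shadow[idx], f"0x{shadow[idx]:02x}")
    real = [f for f in info["trace"] if not f.startswith(REPORTER)]
    info["faulting_fn"] = real[0] if real else None
    info["path"] = [fn_name(f) for f in real]  # faulting function up to the syscall entry
    return info


def syzkaller_title(info):
    """Same shape as the syzbot dashboard title; usable as a dedup key across reports."""
    return f"KASAN: {info['bug']} {info['access']} in {fn_name(info['faulting_fn'])}"


if __name__ == "__main__":
    r = parse_kasan_report(REPORT)
    print(syzkaller_title(r))
    print(" <- ".join(r["path"]))
    print(r["syscall"], r["shadow"], "page refcount", r["page_refcount"])
```

Run on the excerpt, it reports writev as the entry syscall, "freed page (KASAN_FREE_PAGE)" for the shadow byte at offset 0xc of the marked row, and a call path from napi_gro_frags back to entry_SYSCALL_64_after_hwframe with every "? " frame dropped. For a full syzkaller console log, feed it only the text between the two "====" separator lines; the panic stack that follows repeats the same frames under a different top (panic, end_report) and would otherwise be parsed as a second Call Trace.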