syzkaller login: [ 42.728332] audit: type=1400 audit(1576784751.806:35): avc: denied { map } for pid=7598 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 49.366198] audit: type=1400 audit(1576784758.446:36): avc: denied { map } for pid=7607 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 50.031537] collect2 (7617) used greatest stack depth: 15704 bytes left
[ 50.810251] IPVS: ftp: loaded support on port[0] = 21
[ 51.462436] can: request_module (can-proto-0) failed.
[ 51.476903] can: request_module (can-proto-0) failed.
[ 51.487078] can: request_module (can-proto-0) failed.
[ 51.702217] audit: type=1400 audit(1576784760.786:37): avc: denied { create } for pid=7607 comm="syz-fuzzer" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
[ 51.725892] audit: type=1400 audit(1576784760.786:38): avc: denied { create } for pid=7607 comm="syz-fuzzer" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 51.749510] audit: type=1400 audit(1576784760.786:39): avc: denied { create } for pid=7607 comm="syz-fuzzer" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
Warning: Permanently added '10.128.1.9' (ECDSA) to the list of known hosts.
2019/12/19 19:46:08 parsed 1 programs
2019/12/19 19:46:08 executed programs: 0
[ 59.207982] audit: type=1400 audit(1576784768.286:40): avc: denied { map } for pid=7679 comm="syz-execprog" path="/root/syzkaller-shm412649433" dev="sda1" ino=16493 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 59.245291] IPv6: ADDRCONF(NETDEV_CHANGE): nr2: link becomes ready
[ 59.272072] IPv6: ADDRCONF(NETDEV_CHANGE): nr0: link becomes ready
[ 59.284359] IPv6: ADDRCONF(NETDEV_CHANGE): nr4: link becomes ready
[ 59.291849] IPv6: ADDRCONF(NETDEV_CHANGE): nr5: link becomes ready
[ 59.295410] IPv6: ADDRCONF(NETDEV_CHANGE): nr1: link becomes ready
[ 59.298163] IPv6: ADDRCONF(NETDEV_CHANGE): nr3: link becomes ready
[ 59.950240] IPVS: ftp: loaded support on port[0] = 21
[ 60.282014] IPVS: ftp: loaded support on port[0] = 21
[ 60.283783] chnl_net:caif_netlink_parms(): no params data found
[ 60.366023] IPVS: ftp: loaded support on port[0] = 21
[ 60.382615] chnl_net:caif_netlink_parms(): no params data found
[ 60.414021] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.421015] bridge0: port 1(bridge_slave_0) entered disabled state
[ 60.428035] device bridge_slave_0 entered promiscuous mode
[ 60.438035] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.444483] bridge0: port 2(bridge_slave_1) entered disabled state
[ 60.451938] device bridge_slave_1 entered promiscuous mode
[ 60.479274] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 60.494019] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 60.522830] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 60.530216] team0: Port device team_slave_0 added
[ 60.540322] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 60.547397] team0: Port device team_slave_1 added
[ 60.563376] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.569803] bridge0: port 1(bridge_slave_0) entered disabled state
[ 60.577075] device bridge_slave_0 entered promiscuous mode
[ 60.584910] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 60.593088] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.599439] bridge0: port 2(bridge_slave_1) entered disabled state
[ 60.606549] device bridge_slave_1 entered promiscuous mode
[ 60.613131] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 60.638023] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 60.647144] IPVS: ftp: loaded support on port[0] = 21
[ 60.692339] device hsr_slave_0 entered promiscuous mode
[ 60.750284] device hsr_slave_1 entered promiscuous mode
[ 60.791623] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 60.828652] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 60.854035] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 60.862119] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 60.869101] team0: Port device team_slave_0 added
[ 60.877156] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 60.884520] team0: Port device team_slave_1 added
[ 60.895225] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 60.902399] chnl_net:caif_netlink_parms(): no params data found
[ 60.918021] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 61.000736] IPVS: ftp: loaded support on port[0] = 21
[ 61.003477] device hsr_slave_0 entered promiscuous mode
[ 61.060365] device hsr_slave_1 entered promiscuous mode
[ 61.117403] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.123890] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.130977] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.137346] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.151947] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 61.189816] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 61.247718] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.254143] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.260862] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.267318] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.275846] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.284234] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.291485] device bridge_slave_0 entered promiscuous mode
[ 61.314099] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.321974] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.329334] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.336293] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.344931] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.352072] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.359056] device bridge_slave_1 entered promiscuous mode
[ 61.379288] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 61.396724] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 61.407899] chnl_net:caif_netlink_parms(): no params data found
[ 61.478229] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 61.489923] IPVS: ftp: loaded support on port[0] = 21
[ 61.499280] team0: Port device team_slave_0 added
[ 61.506386] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 61.514341] team0: Port device team_slave_1 added
[ 61.523979] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 61.535602] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 61.584016] chnl_net:caif_netlink_parms(): no params data found
[ 61.643668] device hsr_slave_0 entered promiscuous mode
[ 61.681365] device hsr_slave_1 entered promiscuous mode
[ 61.726700] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 61.751615] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 61.758436] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.769482] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.777260] device bridge_slave_0 entered promiscuous mode
[ 61.788141] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.795710] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.805244] device bridge_slave_1 entered promiscuous mode
[ 61.823342] 8021q: adding VLAN 0 to HW filter on device bond0
[ 61.835752] 8021q: adding VLAN 0 to HW filter on device bond0
[ 61.854064] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 61.878448] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 61.894582] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 61.906375] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 61.922377] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 61.930909] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 61.963618] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 61.969739] 8021q: adding VLAN 0 to HW filter on device team0
[ 61.980941] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.987317] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.995660] device bridge_slave_0 entered promiscuous mode
[ 62.004784] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.011367] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.018606] device bridge_slave_1 entered promiscuous mode
[ 62.030250] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 62.037377] team0: Port device team_slave_0 added
[ 62.043158] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 62.054012] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.060609] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.098060] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 62.105558] team0: Port device team_slave_1 added
[ 62.115244] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 62.122147] 8021q: adding VLAN 0 to HW filter on device team0
[ 62.128938] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 62.136401] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 62.144646] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.151192] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.159750] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 62.184034] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 62.191913] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 62.207884] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 62.222735] chnl_net:caif_netlink_parms(): no params data found
[ 62.236792] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 62.244744] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.251166] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.271457] 8021q: adding VLAN 0 to HW filter on device bond0
[ 62.306446] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 62.314336] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.320766] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.336214] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 62.343667] team0: Port device team_slave_0 added
[ 62.404004] device hsr_slave_0 entered promiscuous mode
[ 62.430323] device hsr_slave_1 entered promiscuous mode
[ 62.481236] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 62.488642] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 62.496521] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 62.504504] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 62.512868] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 62.520585] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 62.528167] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 62.535355] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 62.546097] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 62.553614] team0: Port device team_slave_1 added
[ 62.560307] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 62.567989] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 62.575352] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 62.589395] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 62.596246] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 62.662421] device hsr_slave_0 entered promiscuous mode
[ 62.710353] device hsr_slave_1 entered promiscuous mode
[ 62.770565] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 62.778635] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 62.790522] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 62.822518] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 62.830523] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 62.837929] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 62.846520] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 62.854210] 8021q: adding VLAN 0 to HW filter on device team0
[ 62.863745] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 62.881823] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.888261] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.895945] device bridge_slave_0 entered promiscuous mode
[ 62.903421] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.909765] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.917567] device bridge_slave_1 entered promiscuous mode
[ 62.951057] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 62.958828] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.965252] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.975780] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 62.984314] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.990729] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.998229] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 63.042156] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 63.059046] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 63.067505] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 63.077635] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 63.093610] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 63.104574] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 63.115780] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 63.131228] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 63.138385] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 63.147042] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 63.154996] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 63.163080] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 63.200998] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 63.208133] team0: Port device team_slave_0 added
[ 63.247716] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 63.265814] team0: Port device team_slave_1 added
[ 63.289958] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.297029] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 63.308718] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 63.333246] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 63.342771] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 63.404255] device hsr_slave_0 entered promiscuous mode
[ 63.440882] device hsr_slave_1 entered promiscuous mode
[ 63.489119] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 63.496891] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 63.517645] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 63.524499] 8021q: adding VLAN 0 to HW filter on device team0
[ 63.536030] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.548625] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 63.557670] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 63.575126] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 63.585686] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 63.594545] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.600961] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.608255] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 63.619601] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 63.649706] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 63.658218] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 63.665711] 8021q: adding VLAN 0 to HW filter on device team0
[ 63.672998] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 63.682724] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.689089] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.704946] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 63.725512] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 63.742308] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 63.752974] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 63.796637] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 63.805970] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.812398] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.821689] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 63.829880] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 63.868245] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 63.876872] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 63.889688] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.896123] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.905517] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 63.913894] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 63.931865] hrtimer: interrupt took 29740 ns
[ 63.984023] ==================================================================
[ 63.991456] BUG: KASAN: use-after-free in eth_type_trans+0x52d/0x650
[ 63.997948] Read of size 8 at addr ffff8801013f0040 by task syz-executor.0/7765
[ 64.005386]
[ 64.007013] CPU: 0 PID: 7765 Comm: syz-executor.0 Not tainted 4.14.0-rc1-syzkaller #0
[ 64.014973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.024483] Call Trace:
[ 64.027078] dump_stack+0x145/0x1e1
[ 64.030741] ? arch_local_irq_restore+0x43/0x43
[ 64.035404] ? printk+0x91/0xab
[ 64.038664] ? log_store.cold.31+0x22/0x22
[ 64.042899] ? eth_type_trans+0x52d/0x650
[ 64.047045] print_address_description.cold.7+0x9/0x1c9
[ 64.052394] ? eth_type_trans+0x52d/0x650
[ 64.056526] kasan_report.cold.8+0x121/0x2da
[ 64.060920] __asan_report_load8_noabort+0x14/0x20
[ 64.065832] eth_type_trans+0x52d/0x650
[ 64.069788] ? eth_gro_receive+0x880/0x880
[ 64.074033] napi_gro_frags+0x62e/0xcb0
[ 64.078010] ? napi_gro_receive+0x4b0/0x4b0
[ 64.082317] ? eth_type_trans+0x650/0x650
[ 64.086452] ? rcu_is_watching+0x61/0x170
[ 64.090603] ? tun_get_user+0x2606/0x39f0
[ 64.094755] tun_get_user+0x262a/0x39f0
[ 64.098724] ? rcu_read_lock_bh_held+0xc0/0xc0
[ 64.103359] ? futex_wait+0x4fe/0x990
[ 64.107149] ? tun_build_skb.isra.50+0x16c0/0x16c0
[ 64.112097] ? __kernel_text_address+0x70/0xc0
[ 64.116671] ? unwind_get_return_address+0x61/0xa0
[ 64.121588] ? find_held_lock+0x3a/0x1d0
[ 64.125652] ? lock_downgrade+0x830/0x830
[ 64.129781] ? lock_acquire+0x1e5/0x540
[ 64.133742] ? tun_chr_close+0x60/0x60
[ 64.137613] ? rcu_read_lock_bh_held+0xc0/0xc0
[ 64.142183] ? debug_smp_processor_id+0x17/0x20
[ 64.146928] ? rcu_is_watching+0x61/0x170
[ 64.151073] ? __lock_is_held+0xb8/0x140
[ 64.155130] ? rcu_dynticks_eqs_exit+0x70/0x70
[ 64.159702] ? __tun_get+0x196/0x280
[ 64.163400] ? tun_chr_close+0x60/0x60
[ 64.167277] ? __lock_is_held+0xb8/0x140
[ 64.171335] tun_chr_write_iter+0xd1/0x1a0
[ 64.175552] do_iter_readv_writev+0x60c/0xbd0
[ 64.180035] ? vfs_dedupe_file_range+0x810/0x810
[ 64.184804] ? rw_verify_area+0xb8/0x2c0
[ 64.189821] do_iter_write+0x131/0x520
[ 64.193694] ? dup_iter+0x250/0x250
[ 64.197311] vfs_writev+0x16b/0x320
[ 64.200921] ? vfs_iter_write+0xb0/0xb0
[ 64.204883] ? __might_sleep+0x93/0xb0
[ 64.208756] ? __fdget_pos+0x63/0x1b0
[ 64.212539] ? _copy_to_user+0x91/0xb0
[ 64.216423] ? __fdget_raw+0x10/0x10
[ 64.220128] ? put_timespec64+0xec/0x180
[ 64.224188] ? nsecs_to_jiffies+0x20/0x20
[ 64.228327] ? SyS_futex+0xf0/0x3e7
[ 64.231948] do_writev+0xf3/0x340
[ 64.235434] ? vfs_writev+0x320/0x320
[ 64.239224] ? trace_hardirqs_on_caller+0x40c/0x580
[ 64.244229] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 64.248971] SyS_writev+0xb/0x10
[ 64.252327] entry_SYSCALL_64_fastpath+0x23/0xc2
[ 64.257073] RIP: 0033:0x45a7d1
[ 64.260257] RSP: 002b:00007fd1743f8ba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
[ 64.268010] RAX: ffffffffffffffda RBX: 0000000000207843 RCX: 000000000045a7d1
[ 64.275288] RDX: 0000000000000001 RSI: 00007fd1743f8c00 RDI: 00000000000000f0
[ 64.282674] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 64.289936] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000075bf2c
[ 64.297197] R13: 00007fff3762ae1f R14: 00007fd1743f99c0 R15: 000000000075bf2c
[ 64.304988]
[ 64.306600] The buggy address belongs to the page:
[ 64.311518] page:ffffea000404fc00 count:0 mapcount:0 mapping: (null) index:0x1
[ 64.319666] flags: 0x17ffe0000000000()
[ 64.323543] raw: 017ffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 64.331522] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[ 64.339390] page dumped because: kasan: bad access detected
[ 64.345087]
[ 64.346823] Memory state around the buggy address:
[ 64.351772] ffff8801013eff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 64.359123] ffff8801013eff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 64.366651] >ffff8801013f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 64.374104] ^
[ 64.379547] ffff8801013f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 64.386905] ffff8801013f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 64.395389] ==================================================================
[ 64.402735] Disabling lock debugging due to kernel taint
[ 64.408208] Kernel panic - not syncing: panic_on_warn set ...
[ 64.408208]
[ 64.415568] CPU: 0 PID: 7765 Comm: syz-executor.0 Tainted: G B 4.14.0-rc1-syzkaller #0
[ 64.424734] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.434071] Call Trace:
[ 64.436645] dump_stack+0x145/0x1e1
[ 64.440269] ? arch_local_irq_restore+0x43/0x43
[ 64.444929] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 64.449674] ? eth_type_trans+0x52d/0x650
[ 64.453821] panic+0x1a9/0x34e
[ 64.457001] ? add_taint.cold.5+0x11/0x11
[ 64.461150] ? eth_type_trans+0x52d/0x650
[ 64.465328] kasan_end_report+0x47/0x4f
[ 64.469284] kasan_report.cold.8+0x76/0x2da
[ 64.473729] __asan_report_load8_noabort+0x14/0x20
[ 64.478659] eth_type_trans+0x52d/0x650
[ 64.482628] ? eth_gro_receive+0x880/0x880
[ 64.486849] napi_gro_frags+0x62e/0xcb0
[ 64.490814] ? napi_gro_receive+0x4b0/0x4b0
[ 64.495125] ? eth_type_trans+0x650/0x650
[ 64.502475] ? rcu_is_watching+0x61/0x170
[ 64.506624] ? tun_get_user+0x2606/0x39f0
[ 64.510758] tun_get_user+0x262a/0x39f0
[ 64.514727] ? rcu_read_lock_bh_held+0xc0/0xc0
[ 64.519306] ? futex_wait+0x4fe/0x990
[ 64.523097] ? tun_build_skb.isra.50+0x16c0/0x16c0
[ 64.528021] ? __kernel_text_address+0x70/0xc0
[ 64.532596] ? unwind_get_return_address+0x61/0xa0
[ 64.537571] ? find_held_lock+0x3a/0x1d0
[ 64.541625] ? lock_downgrade+0x830/0x830
[ 64.545897] ? lock_acquire+0x1e5/0x540
[ 64.549865] ? tun_chr_close+0x60/0x60
[ 64.553760] ? rcu_read_lock_bh_held+0xc0/0xc0
[ 64.558366] ? debug_smp_processor_id+0x17/0x20
[ 64.563017] ? rcu_is_watching+0x61/0x170
[ 64.567144] ? __lock_is_held+0xb8/0x140
[ 64.571244] ? rcu_dynticks_eqs_exit+0x70/0x70
[ 64.575805] ? __tun_get+0x196/0x280
[ 64.579655] ? tun_chr_close+0x60/0x60
[ 64.583536] ? __lock_is_held+0xb8/0x140
[ 64.587594] tun_chr_write_iter+0xd1/0x1a0
[ 64.591835] do_iter_readv_writev+0x60c/0xbd0
[ 64.596315] ? vfs_dedupe_file_range+0x810/0x810
[ 64.601052] ? rw_verify_area+0xb8/0x2c0
[ 64.605095] do_iter_write+0x131/0x520
[ 64.608972] ? dup_iter+0x250/0x250
[ 64.612579] vfs_writev+0x16b/0x320
[ 64.616187] ? vfs_iter_write+0xb0/0xb0
[ 64.620142] ? __might_sleep+0x93/0xb0
[ 64.624010] ? __fdget_pos+0x63/0x1b0
[ 64.627791] ? _copy_to_user+0x91/0xb0
[ 64.631657] ? __fdget_raw+0x10/0x10
[ 64.635363] ? put_timespec64+0xec/0x180
[ 64.639402] ? nsecs_to_jiffies+0x20/0x20
[ 64.643527] ? SyS_futex+0xf0/0x3e7
[ 64.647134] do_writev+0xf3/0x340
[ 64.650566] ? vfs_writev+0x320/0x320
[ 64.654358] ? trace_hardirqs_on_caller+0x40c/0x580
[ 64.659351] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 64.664083] SyS_writev+0xb/0x10
[ 64.667429] entry_SYSCALL_64_fastpath+0x23/0xc2
[ 64.672175] RIP: 0033:0x45a7d1
[ 64.675354] RSP: 002b:00007fd1743f8ba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
[ 64.683037] RAX: ffffffffffffffda RBX: 0000000000207843 RCX: 000000000045a7d1
[ 64.690293] RDX: 0000000000000001 RSI: 00007fd1743f8c00 RDI: 00000000000000f0
[ 64.697563] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 64.704824] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000075bf2c
[ 64.712101] R13: 00007fff3762ae1f R14: 00007fd1743f99c0 R15: 000000000075bf2c
[ 64.720839] Kernel Offset: disabled
[ 64.724586] Rebooting in 86400 seconds..