[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 37.803082][ T26] audit: type=1800 audit(1556742072.357:25): pid=7734 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 37.839464][ T26] audit: type=1800 audit(1556742072.367:26): pid=7734 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 37.868721][ T26] audit: type=1800 audit(1556742072.367:27): pid=7734 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.104' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 49.857933][ T7887] IPVS: ftp: loaded support on port[0] = 21 [ 49.898727][ T7889] ================================================================== [ 49.906947][ T7889] BUG: KASAN: slab-out-of-bounds in skb_gro_receive+0xf5f/0x10e0 [ 49.914653][ T7889] Read of size 16 at addr ffff88808893fff0 by task syz-executor612/7889 [ 49.922951][ T7889] [ 49.925270][ T7889] CPU: 0 PID: 7889 Comm: syz-executor612 Not tainted 5.1.0-rc7+ #96 [ 49.933236][ T7889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 49.943300][ T7889] Call Trace: [ 49.946594][ T7889] dump_stack+0x172/0x1f0 [ 49.950931][ T7889] ? skb_gro_receive+0xf5f/0x10e0 [ 49.955942][ T7889] print_address_description.cold+0x7c/0x20d [ 49.961903][ T7889] ? skb_gro_receive+0xf5f/0x10e0 [ 49.966914][ T7889] ? skb_gro_receive+0xf5f/0x10e0 [ 49.971918][ T7889] kasan_report.cold+0x1b/0x40 [ 49.976686][ T7889] ? skb_gro_receive+0xf5f/0x10e0 [ 49.981711][ T7889] __asan_report_load16_noabort+0x14/0x20 [ 49.987422][ T7889] skb_gro_receive+0xf5f/0x10e0 [ 49.992274][ T7889] udp_gro_receive+0xb61/0xfd0 [ 49.997029][ T7889] udp4_gro_receive+0x763/0xeb0 [ 50.001866][ T7889] ? udp_gro_receive+0xfd0/0xfd0 [ 50.006786][ T7889] inet_gro_receive+0xe72/0x1110 [ 50.011737][ T7889] ? inet_sk_rebuild_header+0x1c50/0x1c50 [ 50.017446][ T7889] dev_gro_receive+0x1cd0/0x23c0 [ 50.022378][ T7889] napi_gro_frags+0x36b/0xd10 [ 50.027042][ T7889] tun_get_user+0x2f24/0x3fb0 [ 50.031708][ T7889] ? tun_build_skb.isra.0+0x1300/0x1300 [ 50.037237][ T7889] ? tun_get+0x171/0x290 [ 50.041463][ T7889] ? lock_downgrade+0x880/0x880 [ 50.046292][ T7889] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 50.052516][ T7889] ? kasan_check_read+0x11/0x20 [ 50.057363][ T7889] tun_chr_write_iter+0xbd/0x156 [ 50.062297][ T7889] do_iter_readv_writev+0x5e1/0x8e0 [ 50.067573][ T7889] ? vfs_dedupe_file_range+0x780/0x780 [ 50.073067][ T7889] ? apparmor_file_permission+0x25/0x30 [ 50.078599][ T7889] ? rw_verify_area+0x118/0x360 [ 50.083438][ T7889] do_iter_write+0x184/0x610 [ 50.088019][ T7889] ? dup_iter+0x260/0x260 [ 50.092357][ T7889] vfs_writev+0x1b3/0x2f0 [ 50.096669][ T7889] ? vfs_iter_write+0xb0/0xb0 [ 50.101338][ T7889] ? release_sock+0x158/0x1c0 [ 50.106026][ T7889] ? __local_bh_enable_ip+0x15a/0x270 [ 50.111400][ T7889] ? release_sock+0x158/0x1c0 [ 50.116078][ T7889] ? udp_lib_setsockopt+0x494/0x9c0 [ 50.121259][ T7889] ? udp_setsockopt+0x70/0xb0 [ 50.125921][ T7889] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 50.132144][ T7889] ? __fget_light+0x1a9/0x230 [ 50.136808][ T7889] do_writev+0x15e/0x370 [ 50.141034][ T7889] ? vfs_writev+0x2f0/0x2f0 [ 50.145525][ T7889] ? do_syscall_64+0x26/0x610 [ 50.150189][ T7889] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.156236][ T7889] ? do_syscall_64+0x26/0x610 [ 50.160896][ T7889] __x64_sys_writev+0x75/0xb0 [ 50.165555][ T7889] do_syscall_64+0x103/0x610 [ 50.170139][ T7889] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.176008][ T7889] RIP: 0033:0x441cc0 [ 50.179894][ T7889] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 51 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00 [ 50.199474][ T7889] RSP: 002b:00007ffe8c716118 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 [ 50.207960][ T7889] RAX: ffffffffffffffda RBX: 00007ffe8c716150 RCX: 0000000000441cc0 [ 50.215911][ T7889] RDX: 0000000000000001 RSI: 00007ffe8c716170 RDI: 00000000000000f0 [ 50.223863][ T7889] RBP: 0000000000000000 R08: 000000000000ffff R09: 0000000000a64668 [ 50.231836][ T7889] R10: 0000000020000040 R11: 0000000000000246 R12: 000000000000c2d9 [ 50.239793][ T7889] R13: 0000000000402b50 R14: 0000000000000000 R15: 0000000000000000 [ 50.247760][ T7889] [ 50.250069][ T7889] Allocated by task 5143: [ 50.254388][ T7889] save_stack+0x45/0xd0 [ 50.258525][ T7889] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 50.264139][ T7889] kasan_slab_alloc+0xf/0x20 [ 50.268707][ T7889] kmem_cache_alloc+0x11a/0x6f0 [ 50.273549][ T7889] mm_alloc+0x1d/0xd0 [ 50.277591][ T7889] __do_execve_file.isra.0+0xaa3/0x23f0 [ 50.283141][ T7889] __x64_sys_execve+0x8f/0xc0 [ 50.287812][ T7889] do_syscall_64+0x103/0x610 [ 50.292385][ T7889] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.298258][ T7889] [ 50.300560][ T7889] Freed by task 5351: [ 50.304519][ T7889] save_stack+0x45/0xd0 [ 50.308652][ T7889] __kasan_slab_free+0x102/0x150 [ 50.313565][ T7889] kasan_slab_free+0xe/0x10 [ 50.318046][ T7889] kmem_cache_free+0x86/0x260 [ 50.322698][ T7889] __mmdrop+0x238/0x320 [ 50.326860][ T7889] finish_task_switch+0x47b/0x780 [ 50.331869][ T7889] __schedule+0x81b/0x1cc0 [ 50.336263][ T7889] preempt_schedule_irq+0xb5/0x140 [ 50.341360][ T7889] retint_kernel+0x1b/0x2d [ 50.345770][ T7889] kmem_cache_free+0xab/0x260 [ 50.350448][ T7889] unlink_anon_vmas+0x2ba/0x870 [ 50.355277][ T7889] free_pgtables+0x1af/0x2f0 [ 50.360118][ T7889] exit_mmap+0x2d1/0x530 [ 50.364338][ T7889] mmput+0x15f/0x4c0 [ 50.368215][ T7889] flush_old_exec+0x8d9/0x1c20 [ 50.372964][ T7889] load_elf_binary+0x9bc/0x53f0 [ 50.377804][ T7889] search_binary_handler+0x17f/0x570 [ 50.383067][ T7889] __do_execve_file.isra.0+0x1394/0x23f0 [ 50.388675][ T7889] __x64_sys_execve+0x8f/0xc0 [ 50.393328][ T7889] do_syscall_64+0x103/0x610 [ 50.397942][ T7889] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.403806][ T7889] [ 50.406130][ T7889] The buggy address belongs to the object at ffff88808893f7c0 [ 50.406130][ T7889] which belongs to the cache mm_struct of size 1496 [ 50.420104][ T7889] The buggy address is located 600 bytes to the right of [ 50.420104][ T7889] 1496-byte region [ffff88808893f7c0, ffff88808893fd98) [ 50.433965][ T7889] The buggy address belongs to the page: [ 50.439598][ T7889] page:ffffea0002224f80 count:1 mapcount:0 mapping:ffff88821bc40ac0 index:0xffff88808893f7c0 compound_mapcount: 0 [ 50.451550][ T7889] flags: 0x1fffc0000010200(slab|head) [ 50.456923][ T7889] raw: 01fffc0000010200 ffffea00025b4f08 ffffea00027b9d08 ffff88821bc40ac0 [ 50.465501][ T7889] raw: ffff88808893f7c0 ffff88808893e440 0000000100000001 0000000000000000 [ 50.474062][ T7889] page dumped because: kasan: bad access detected [ 50.480457][ T7889] [ 50.482759][ T7889] Memory state around the buggy address: [ 50.488409][ T7889] ffff88808893fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.496451][ T7889] ffff88808893ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.504492][ T7889] >ffff88808893ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 50.512529][ T7889] ^ [ 50.520228][ T7889] ffff888088940000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 50.528265][ T7889] ffff888088940080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 50.536309][ T7889] ================================================================== [ 50.544348][ T7889] Disabling lock debugging due to kernel taint [ 50.550544][ T7889] Kernel panic - not syncing: panic_on_warn set ... [ 50.557126][ T7889] CPU: 0 PID: 7889 Comm: syz-executor612 Tainted: G B 5.1.0-rc7+ #96 [ 50.566465][ T7889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 50.576497][ T7889] Call Trace: [ 50.579766][ T7889] dump_stack+0x172/0x1f0 [ 50.584107][ T7889] panic+0x2cb/0x65c [ 50.587995][ T7889] ? __warn_printk+0xf3/0xf3 [ 50.592567][ T7889] ? trace_hardirqs_on+0x5e/0x230 [ 50.597566][ T7889] ? trace_hardirqs_on+0x5e/0x230 [ 50.602582][ T7889] ? skb_gro_receive+0xf5f/0x10e0 [ 50.607585][ T7889] end_report+0x47/0x4f [ 50.611717][ T7889] ? skb_gro_receive+0xf5f/0x10e0 [ 50.616717][ T7889] kasan_report.cold+0xe/0x40 [ 50.621374][ T7889] ? skb_gro_receive+0xf5f/0x10e0 [ 50.626383][ T7889] __asan_report_load16_noabort+0x14/0x20 [ 50.632089][ T7889] skb_gro_receive+0xf5f/0x10e0 [ 50.636931][ T7889] udp_gro_receive+0xb61/0xfd0 [ 50.641690][ T7889] udp4_gro_receive+0x763/0xeb0 [ 50.646534][ T7889] ? udp_gro_receive+0xfd0/0xfd0 [ 50.651445][ T7889] inet_gro_receive+0xe72/0x1110 [ 50.656383][ T7889] ? inet_sk_rebuild_header+0x1c50/0x1c50 [ 50.662080][ T7889] dev_gro_receive+0x1cd0/0x23c0 [ 50.667013][ T7889] napi_gro_frags+0x36b/0xd10 [ 50.671670][ T7889] tun_get_user+0x2f24/0x3fb0 [ 50.676326][ T7889] ? tun_build_skb.isra.0+0x1300/0x1300 [ 50.681851][ T7889] ? tun_get+0x171/0x290 [ 50.686071][ T7889] ? lock_downgrade+0x880/0x880 [ 50.690912][ T7889] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 50.697132][ T7889] ? kasan_check_read+0x11/0x20 [ 50.701964][ T7889] tun_chr_write_iter+0xbd/0x156 [ 50.706881][ T7889] do_iter_readv_writev+0x5e1/0x8e0 [ 50.712088][ T7889] ? vfs_dedupe_file_range+0x780/0x780 [ 50.717529][ T7889] ? apparmor_file_permission+0x25/0x30 [ 50.723051][ T7889] ? rw_verify_area+0x118/0x360 [ 50.727880][ T7889] do_iter_write+0x184/0x610 [ 50.732449][ T7889] ? dup_iter+0x260/0x260 [ 50.736756][ T7889] vfs_writev+0x1b3/0x2f0 [ 50.741063][ T7889] ? vfs_iter_write+0xb0/0xb0 [ 50.745741][ T7889] ? release_sock+0x158/0x1c0 [ 50.750402][ T7889] ? __local_bh_enable_ip+0x15a/0x270 [ 50.755753][ T7889] ? release_sock+0x158/0x1c0 [ 50.760411][ T7889] ? udp_lib_setsockopt+0x494/0x9c0 [ 50.765585][ T7889] ? udp_setsockopt+0x70/0xb0 [ 50.770268][ T7889] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 50.776544][ T7889] ? __fget_light+0x1a9/0x230 [ 50.781203][ T7889] do_writev+0x15e/0x370 [ 50.785420][ T7889] ? vfs_writev+0x2f0/0x2f0 [ 50.789913][ T7889] ? do_syscall_64+0x26/0x610 [ 50.794567][ T7889] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.800621][ T7889] ? do_syscall_64+0x26/0x610 [ 50.805290][ T7889] __x64_sys_writev+0x75/0xb0 [ 50.809944][ T7889] do_syscall_64+0x103/0x610 [ 50.814513][ T7889] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 50.820391][ T7889] RIP: 0033:0x441cc0 [ 50.824275][ T7889] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 51 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00 [ 50.843874][ T7889] RSP: 002b:00007ffe8c716118 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 [ 50.852260][ T7889] RAX: ffffffffffffffda RBX: 00007ffe8c716150 RCX: 0000000000441cc0 [ 50.860207][ T7889] RDX: 0000000000000001 RSI: 00007ffe8c716170 RDI: 00000000000000f0 [ 50.868154][ T7889] RBP: 0000000000000000 R08: 000000000000ffff R09: 0000000000a64668 [ 50.876103][ T7889] R10: 0000000020000040 R11: 0000000000000246 R12: 000000000000c2d9 [ 50.884054][ T7889] R13: 0000000000402b50 R14: 0000000000000000 R15: 0000000000000000 [ 50.892975][ T7889] Kernel Offset: disabled [ 50.897296][ T7889] Rebooting in 86400 seconds..