[ ok ] Starting enhanced syslogd: rsyslogd.
[ 66.809164][ T26] audit: type=1800 audit(1559150190.860:25): pid=8884 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 66.870564][ T26] audit: type=1800 audit(1559150190.860:26): pid=8884 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 66.939571][ T26] audit: type=1800 audit(1559150190.870:27): pid=8884 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login:
[ 78.652283][ T9037] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[ 78.718951][ T9047] ==================================================================
[ 78.727387][ T9047] BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10
[ 78.734677][ T9047] Read of size 2 at addr ffff8880997e840c by task syz-executor796/9047
[ 78.742935][ T9047]
[ 78.745283][ T9047] CPU: 1 PID: 9047 Comm: syz-executor796 Not tainted 5.2.0-rc2+ #12
[ 78.753332][ T9047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.763403][ T9047] Call Trace:
[ 78.766782][ T9047]  dump_stack+0x172/0x1f0
[ 78.771109][ T9047]  ? napi_gro_frags+0xc6f/0xd10
[ 78.775962][ T9047]  print_address_description.cold+0x7c/0x20d
[ 78.781954][ T9047]  ? napi_gro_frags+0xc6f/0xd10
[ 78.787184][ T9047]  ? napi_gro_frags+0xc6f/0xd10
[ 78.792130][ T9047]  __kasan_report.cold+0x1b/0x40
[ 78.797098][ T9047]  ? __kasan_slab_free+0x140/0x150
[ 78.802233][ T9047]  ? napi_gro_frags+0xc6f/0xd10
[ 78.807094][ T9047]  kasan_report+0x12/0x20
[ 78.811443][ T9047]  __asan_report_load_n_noabort+0xf/0x20
[ 78.817095][ T9047]  napi_gro_frags+0xc6f/0xd10
[ 78.824054][ T9047]  tun_get_user+0x2f3c/0x3ff0
[ 78.828991][ T9047]  ? tun_device_event+0xee0/0xee0
[ 78.834038][ T9047]  ? tun_get+0x171/0x290
[ 78.838392][ T9047]  ? lock_downgrade+0x880/0x880
[ 78.843337][ T9047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.849614][ T9047]  ? kasan_check_read+0x11/0x20
[ 78.854488][ T9047]  tun_chr_write_iter+0xbd/0x156
[ 78.859426][ T9047]  do_iter_readv_writev+0x5f8/0x8f0
[ 78.864654][ T9047]  ? no_seek_end_llseek_size+0x70/0x70
[ 78.870112][ T9047]  ? rw_copy_check_uvector+0x2a6/0x330
[ 78.875627][ T9047]  ? rw_verify_area+0x126/0x360
[ 78.880477][ T9047]  do_iter_write+0x184/0x610
[ 78.885059][ T9047]  ? dup_iter+0x260/0x260
[ 78.889385][ T9047]  vfs_writev+0x1b3/0x2f0
[ 78.893717][ T9047]  ? vfs_iter_write+0xb0/0xb0
[ 78.898831][ T9047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.905079][ T9047]  ? __handle_mm_fault+0x7cb/0x3eb0
[ 78.910284][ T9047]  ? __do_page_fault+0x623/0xda0
[ 78.917559][ T9047]  ? __do_page_fault+0x623/0xda0
[ 78.922503][ T9047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.928741][ T9047]  ? __fget_light+0x1a9/0x230
[ 78.933501][ T9047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.939996][ T9047]  do_writev+0x15b/0x330
[ 78.944248][ T9047]  ? vfs_writev+0x2f0/0x2f0
[ 78.948766][ T9047]  ? do_syscall_64+0x26/0x680
[ 78.953567][ T9047]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.959831][ T9047]  ? do_syscall_64+0x26/0x680
[ 78.964523][ T9047]  __x64_sys_writev+0x75/0xb0
[ 78.969193][ T9047]  do_syscall_64+0xfd/0x680
[ 78.973786][ T9047]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.979667][ T9047] RIP: 0033:0x441cd0
[ 78.983549][ T9047] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 41 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
[ 79.003333][ T9047] RSP: 002b:00007ffcbd7fa568 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 79.011745][ T9047] RAX: ffffffffffffffda RBX: 00007ffcbd7fa590 RCX: 0000000000441cd0
[ 79.019840][ T9047] RDX: 0000000000000003 RSI: 00007ffcbd7fa5b0 RDI: 00000000000000f0
[ 79.028535][ T9047] RBP: 00007ffcbd7fa5b0 R08: 00007ffcbd7fa5e0 R09: 0000000000000003
[ 79.036622][ T9047] R10: 0000000000000d77 R11: 0000000000000246 R12: 000000000001336d
[ 79.044593][ T9047] R13: 0000000000402b60 R14: 0000000000000000 R15: 0000000000000000
[ 79.052596][ T9047]
[ 79.054927][ T9047] The buggy address belongs to the page:
[ 79.060548][ T9047] page:ffffea000265fa00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
[ 79.069921][ T9047] flags: 0x1fffc0000000000()
[ 79.074503][ T9047] raw: 01fffc0000000000 ffffea000226aa08 ffff88812fffc878 0000000000000000
[ 79.083076][ T9047] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[ 79.091643][ T9047] page dumped because: kasan: bad access detected
[ 79.098044][ T9047]
[ 79.100359][ T9047] Memory state around the buggy address:
[ 79.105971][ T9047]  ffff8880997e8300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 79.114021][ T9047]  ffff8880997e8380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 79.122082][ T9047] >ffff8880997e8400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 79.130150][ T9047]                    ^
[ 79.134472][ T9047]  ffff8880997e8480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 79.142544][ T9047]  ffff8880997e8500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 79.150596][ T9047] ==================================================================
[ 79.158665][ T9047] Disabling lock debugging due to kernel taint
[ 79.164860][ T9047] Kernel panic - not syncing: panic_on_warn set ...
[ 79.171480][ T9047] CPU: 1 PID: 9047 Comm: syz-executor796 Tainted: G B 5.2.0-rc2+ #12
[ 79.180830][ T9047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.190887][ T9047] Call Trace:
[ 79.194177][ T9047]  dump_stack+0x172/0x1f0
[ 79.198612][ T9047]  panic+0x2cb/0x744
[ 79.202525][ T9047]  ? __warn_printk+0xf3/0xf3
[ 79.207119][ T9047]  ? trace_hardirqs_on+0x5e/0x220
[ 79.212162][ T9047]  ? trace_hardirqs_on+0x5e/0x220
[ 79.217182][ T9047]  ? napi_gro_frags+0xc6f/0xd10
[ 79.222023][ T9047]  end_report+0x47/0x4f
[ 79.226691][ T9047]  ? napi_gro_frags+0xc6f/0xd10
[ 79.231665][ T9047]  __kasan_report.cold+0xe/0x40
[ 79.236725][ T9047]  ? __kasan_slab_free+0x140/0x150
[ 79.243416][ T9047]  ? napi_gro_frags+0xc6f/0xd10
[ 79.249867][ T9047]  kasan_report+0x12/0x20
[ 79.254197][ T9047]  __asan_report_load_n_noabort+0xf/0x20
[ 79.259869][ T9047]  napi_gro_frags+0xc6f/0xd10
[ 79.264543][ T9047]  tun_get_user+0x2f3c/0x3ff0
[ 79.269254][ T9047]  ? tun_device_event+0xee0/0xee0
[ 79.274291][ T9047]  ? tun_get+0x171/0x290
[ 79.278525][ T9047]  ? lock_downgrade+0x880/0x880
[ 79.283376][ T9047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.289610][ T9047]  ? kasan_check_read+0x11/0x20
[ 79.294489][ T9047]  tun_chr_write_iter+0xbd/0x156
[ 79.299424][ T9047]  do_iter_readv_writev+0x5f8/0x8f0
[ 79.304616][ T9047]  ? no_seek_end_llseek_size+0x70/0x70
[ 79.310080][ T9047]  ? rw_copy_check_uvector+0x2a6/0x330
[ 79.315525][ T9047]  ? rw_verify_area+0x126/0x360
[ 79.320896][ T9047]  do_iter_write+0x184/0x610
[ 79.325504][ T9047]  ? dup_iter+0x260/0x260
[ 79.329823][ T9047]  vfs_writev+0x1b3/0x2f0
[ 79.334139][ T9047]  ? vfs_iter_write+0xb0/0xb0
[ 79.338809][ T9047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.345071][ T9047]  ? __handle_mm_fault+0x7cb/0x3eb0
[ 79.350279][ T9047]  ? __do_page_fault+0x623/0xda0
[ 79.355221][ T9047]  ? __do_page_fault+0x623/0xda0
[ 79.360178][ T9047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.366462][ T9047]  ? __fget_light+0x1a9/0x230
[ 79.371167][ T9047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.377602][ T9047]  do_writev+0x15b/0x330
[ 79.381854][ T9047]  ? vfs_writev+0x2f0/0x2f0
[ 79.386363][ T9047]  ? do_syscall_64+0x26/0x680
[ 79.391032][ T9047]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.397117][ T9047]  ? do_syscall_64+0x26/0x680
[ 79.401791][ T9047]  __x64_sys_writev+0x75/0xb0
[ 79.406480][ T9047]  do_syscall_64+0xfd/0x680
[ 79.410975][ T9047]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.417035][ T9047] RIP: 0033:0x441cd0
[ 79.421308][ T9047] Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 41 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
[ 79.440912][ T9047] RSP: 002b:00007ffcbd7fa568 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 79.449310][ T9047] RAX: ffffffffffffffda RBX: 00007ffcbd7fa590 RCX: 0000000000441cd0
[ 79.457276][ T9047] RDX: 0000000000000003 RSI: 00007ffcbd7fa5b0 RDI: 00000000000000f0
[ 79.465241][ T9047] RBP: 00007ffcbd7fa5b0 R08: 00007ffcbd7fa5e0 R09: 0000000000000003
[ 79.473199][ T9047] R10: 0000000000000d77 R11: 0000000000000246 R12: 000000000001336d
[ 79.481298][ T9047] R13: 0000000000402b60 R14: 0000000000000000 R15: 0000000000000000
[ 79.490188][ T9047] Kernel Offset: disabled
[ 79.494570][ T9047] Rebooting in 86400 seconds..