Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.36' (ECDSA) to the list of known hosts.
2021/04/23 17:27:52 fuzzer started
2021/04/23 17:27:53 dialing manager at 10.128.0.169:34587
2021/04/23 17:27:53 syscalls: 1690
2021/04/23 17:27:53 code coverage: enabled
2021/04/23 17:27:53 comparison tracing: enabled
2021/04/23 17:27:53 extra coverage: enabled
2021/04/23 17:27:53 setuid sandbox: enabled
2021/04/23 17:27:53 namespace sandbox: enabled
2021/04/23 17:27:53 Android sandbox: /sys/fs/selinux/policy does not exist
2021/04/23 17:27:53 fault injection: enabled
2021/04/23 17:27:53 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/04/23 17:27:53 net packet injection: enabled
2021/04/23 17:27:53 net device setup: enabled
2021/04/23 17:27:53 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/04/23 17:27:53 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/04/23 17:27:53 USB emulation: enabled
2021/04/23 17:27:53 hci packet injection: enabled
2021/04/23 17:27:53 wifi device emulation: enabled
2021/04/23 17:27:53 802.15.4 emulation: enabled
2021/04/23 17:27:53 fetching corpus: 0, signal 0/2000 (executing program)
syzkaller login: [ 67.096745][ C0] ==================================================================
[ 67.101983][ T8417] BUG: unable to handle page fault for address: ffffea0003ffff88
[ 67.105069][ C0] BUG: KASAN: use-after-free in skb_try_coalesce+0x1334/0x1440
[ 67.112783][ T8417] #PF: supervisor read access in kernel mode
[ 67.120323][ C0] Write of size 4 at addr ffff888026f78008 by task syz-fuzzer/8415
[ 67.126280][ T8417] #PF: error_code(0x0000) - not-present page
[ 67.134144][ C0] 
[ 67.134155][ C0] CPU: 0 PID: 8415 Comm: syz-fuzzer Not tainted 5.12.0-rc7-syzkaller #0
[ 67.140100][ T8417] PGD 13fff8067 P4D 13fff8067
[ 67.142417][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.150710][ T8417] PUD 13fff7067 PMD 0
[ 67.155449][ C0] Call Trace:
[ 67.165478][ T8417] 
[ 67.165485][ T8417] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 67.169539][ C0] dump_stack+0x141/0x1d7
[ 67.172814][ T8417] CPU: 1 PID: 8417 Comm: systemd-udevd Not tainted 5.12.0-rc7-syzkaller #0
[ 67.175126][ C0] ? skb_try_coalesce+0x1334/0x1440
[ 67.180302][ T8417] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.184618][ C0] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 67.193181][ T8417] RIP: 0010:qlist_free_all+0x85/0xc0
[ 67.198362][ C0] ? skb_try_coalesce+0x1334/0x1440
[ 67.208405][ T8417] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 2a 52 7b ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 67.215400][ C0] ? skb_try_coalesce+0x1334/0x1440
[ 67.220658][ T8417] RSP: 0018:ffffc900019b7be0 EFLAGS: 00010282
[ 67.225838][ C0] kasan_report.cold+0x7c/0xd8
[ 67.245418][ T8417] 
[ 67.245424][ T8417] RAX: ffffea0003ffff80 RBX: ffff8880198c2200 RCX: 0000000000000000
[ 67.250594][ C0] ? __sanitizer_cov_trace_cmp8+0x61/0x70
[ 67.256648][ T8417] RDX: ffff888019811c40 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 67.261383][ C0] ? skb_try_coalesce+0x1334/0x1440
[ 67.263688][ T8417] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 67.271636][ C0] skb_try_coalesce+0x1334/0x1440
[ 67.277326][ T8417] R10: ffffffff813371ca R11: 000000000000003f R12: dffffc0000000000
[ 67.285280][ C0] tcp_try_coalesce+0x393/0x920
[ 67.290879][ T8417] R13: ffffc900019b7c18 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 67.298827][ C0] ? mark_held_locks+0x9f/0xe0
[ 67.303821][ T8417] FS: 00007f8b7e3198c0(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 67.311773][ C0] ? tcp_urg.part.0+0x2d0/0x2d0
[ 67.316598][ T8417] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 67.324546][ C0] ? ktime_get+0x38a/0x470
[ 67.329458][ T8417] CR2: ffffea0003ffff88 CR3: 0000000027d7a000 CR4: 00000000001506e0
[ 67.338359][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 67.343183][ T8417] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 67.349746][ C0] tcp_queue_rcv+0x8a/0x6e0
[ 67.354132][ T8417] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 67.362083][ C0] tcp_rcv_established+0x175e/0x1eb0
[ 67.367251][ T8417] Call Trace:
[ 67.367262][ T8417] kasan_quarantine_reduce+0x180/0x200
[ 67.375207][ C0] ? tcp_data_queue+0x4b10/0x4b10
[ 67.379682][ T8417] __kasan_slab_alloc+0x7f/0x90
[ 67.387629][ C0] ? do_raw_spin_lock+0x120/0x2b0
[ 67.392900][ T8417] kmem_cache_alloc+0x155/0x370
[ 67.396161][ C0] tcp_v4_do_rcv+0x5d1/0x870
[ 67.401590][ T8417] getname_flags.part.0+0x50/0x4f0
[ 67.406588][ C0] tcp_v4_rcv+0x3298/0x3950
[ 67.411415][ T8417] user_path_at_empty+0xa1/0x100
[ 67.416418][ C0] ? tcp_v4_early_demux+0x8f0/0x8f0
[ 67.421239][ T8417] vfs_statx+0x142/0x390
[ 67.425799][ C0] ? lock_release+0x720/0x720
[ 67.430885][ T8417] ? do_readlinkat+0x2f0/0x2f0
[ 67.435386][ C0] ip_protocol_deliver_rcu+0x5c/0xa20
[ 67.440296][ T8417] ? __seccomp_filter+0x672/0x15e0
[ 67.445471][ C0] ip_local_deliver_finish+0x20a/0x370
[ 67.449686][ T8417] __do_sys_newlstat+0x91/0x110
[ 67.454334][ C0] ip_local_deliver+0x1b3/0x200
[ 67.459071][ T8417] ? __do_sys_lstat+0x110/0x110
[ 67.464421][ C0] ip_sublist_rcv_finish+0x9a/0x2c0
[ 67.469503][ T8417] ? __context_tracking_exit+0xb8/0xe0
[ 67.474950][ C0] ip_list_rcv_finish.constprop.0+0x51e/0x6e0
[ 67.479778][ T8417] ? __secure_computing+0x104/0x360
[ 67.484600][ C0] ? ip_rcv_finish_core.constprop.0+0x1e70/0x1e70
[ 67.489423][ T8417] ? syscall_trace_enter.constprop.0+0x94/0x260
[ 67.494598][ C0] ? ip_list_rcv_finish.constprop.0+0x6e0/0x6e0
[ 67.500031][ T8417] do_syscall_64+0x2d/0x70
[ 67.506069][ C0] ? ip_rcv_core+0x867/0xcb0
[ 67.511243][ T8417] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 67.517632][ C0] ip_list_rcv+0x34e/0x490
[ 67.523843][ T8417] RIP: 0033:0x7f8b7d18b335
[ 67.530142][ C0] ? ip_rcv+0xd0/0xd0
[ 67.534531][ T8417] Code: 69 db 2b 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 31 db 2b 00 f7 d8 64 89
[ 67.539096][ C0] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 67.544959][ T8417] RSP: 002b:00007ffde6f74708 EFLAGS: 00000246
[ 67.549350][ C0] ? find_held_lock+0x2d/0x110
[ 67.553737][ T8417] ORIG_RAX: 0000000000000006
[ 67.557692][ C0] ? ip_rcv+0xd0/0xd0
[ 67.577269][ T8417] RAX: ffffffffffffffda RBX: 00005577b0318380 RCX: 00007f8b7d18b335
[ 67.583223][ C0] __netif_receive_skb_list_core+0x549/0x8e0
[ 67.589261][ T8417] RDX: 00007ffde6f74740 RSI: 00007ffde6f74740 RDI: 00005577b0317380
[ 67.594003][ C0] ? process_backlog+0x6c0/0x6c0
[ 67.598648][ T8417] RBP: 00007ffde6f74800 R08: 00007f8b7d44a198 R09: 0000000000001010
[ 67.602618][ C0] ? ktime_get_with_offset+0x3f2/0x500
[ 67.610567][ T8417] R10: 00007f8b7d449b58 R11: 0000000000000246 R12: 00005577b0317380
[ 67.616518][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 67.624476][ T8417] R13: 00005577b03173a0 R14: 00005577b0312239 R15: 00005577b0312240
[ 67.629392][ C0] netif_receive_skb_list_internal+0x777/0xd70
[ 67.637343][ T8417] Modules linked in:
[ 67.642770][ C0] ? __netif_receive_skb_list_core+0x8e0/0x8e0
[ 67.650718][ T8417] 
[ 67.650726][ T8417] CR2: ffffea0003ffff88
[ 67.655890][ C0] ? virtqueue_add_inbuf_ctx+0x12f/0x150
[ 67.663845][ T8417] ---[ end trace d6092fbc30bd1b1a ]---
[ 67.669964][ C0] ? virtqueue_add_inbuf_ctx+0xd5/0x150
[ 67.673834][ T8417] RIP: 0010:qlist_free_all+0x85/0xc0
[ 67.679971][ C0] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 67.682278][ T8417] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 2a 52 7b ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 67.686407][ C0] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 67.692012][ T8417] RSP: 0018:ffffc900019b7be0 EFLAGS: 00010282
[ 67.697443][ C0] ? __phys_addr+0xc4/0x140
[ 67.702961][ T8417] 
[ 67.702966][ T8417] RAX: ffffea0003ffff80 RBX: ffff8880198c2200 RCX: 0000000000000000
[ 67.708220][ C0] ? __sanitizer_cov_trace_cmp2+0x22/0x80
[ 67.714428][ T8417] RDX: ffff888019811c40 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 67.734005][ C0] ? virtqueue_kick_prepare+0x197/0x4b0
[ 67.740219][ T8417] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 67.746258][ C0] napi_complete_done+0x1f1/0x880
[ 67.750730][ T8417] R10: ffffffff813371ca R11: 000000000000003f R12: dffffc0000000000
[ 67.753040][ C0] virtqueue_napi_complete+0x2c/0xc0
[ 67.760984][ T8417] R13: ffffc900019b7c18 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 67.766679][ C0] virtnet_poll+0xbbb/0x10b0
[ 67.774624][ T8417] FS: 00007f8b7e3198c0(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 67.780144][ C0] ? receive_buf+0x6220/0x6220
[ 67.788614][ T8417] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 67.793642][ C0] ? lock_release+0x720/0x720
[ 67.801585][ T8417] CR2: ffffea0003ffff88 CR3: 0000000027d7a000 CR4: 00000000001506e0
[ 67.806841][ C0] __napi_poll+0xaf/0x440
[ 67.814789][ T8417] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 67.819363][ C0] net_rx_action+0x801/0xb40
[ 67.828272][ T8417] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 67.833024][ C0] ? napi_threaded_poll+0x5b0/0x5b0
[ 67.839581][ T8417] Kernel panic - not syncing: Fatal exception
[ 67.844235][ C0] ? asm_common_interrupt+0x1e/0x40
[ 67.893434][ C0] __do_softirq+0x29b/0x9f6
[ 67.897949][ C0] irq_exit_rcu+0x134/0x200
[ 67.902444][ C0] common_interrupt+0x51/0xd0
[ 67.907113][ C0] ? asm_common_interrupt+0x8/0x40
[ 67.912220][ C0] asm_common_interrupt+0x1e/0x40
[ 67.917247][ C0] RIP: 0033:0x6310a4
[ 67.921144][ C0] Code: 66 0f 1f 44 00 00 48 39 8b 90 10 00 00 0f 84 5a 07 00 00 48 85 f6 0f 8f 51 07 00 00 48 89 5c 24 70 84 03 48 8b 83 00 11 00 00 <48> 89 1c 24 48 89 44 24 08 e8 6e 12 00 00 48 8b 44 24 10 48 8b 4c
[ 67.940753][ C0] RSP: 002b:000000c0002bbb18 EFLAGS: 00000282
[ 67.946815][ C0] RAX: 000000c000398028 RBX: 000000c000398000 RCX: 0000000000001d3b
[ 67.954775][ C0] RDX: 000000c000398000 RSI: 0000000000008000 RDI: 0000000000000009
[ 67.962735][ C0] RBP: 000000c0002bbb90 R08: 000000000000002b R09: 0000000000000082
[ 67.970695][ C0] R10: 0000000000001cd8 R11: 0000000000001c02 R12: 0000000000001cd4
[ 67.978656][ C0] R13: 0000000000000040 R14: 0000000000000002 R15: 0000000000000002
[ 67.986757][ C0] 
[ 67.989078][ C0] Allocated by task 6349:
[ 67.993401][ C0] kasan_save_stack+0x1b/0x40
[ 67.998074][ C0] __kasan_kmalloc+0x99/0xc0
[ 68.002654][ C0] tomoyo_realpath_from_path+0xc3/0x620
[ 68.008249][ C0] tomoyo_path_number_perm+0x1d5/0x590
[ 68.013728][ C0] tomoyo_path_mknod+0x10d/0x190
[ 68.018673][ C0] security_path_mknod+0xf9/0x170
[ 68.023709][ C0] lookup_open.isra.0+0x475/0x13d0
[ 68.028833][ C0] path_openat+0x9b4/0x27e0
[ 68.033322][ C0] do_filp_open+0x190/0x3d0
[ 68.037813][ C0] do_sys_openat2+0x16d/0x420
[ 68.042480][ C0] __x64_sys_open+0x119/0x1c0
[ 68.047148][ C0] do_syscall_64+0x2d/0x70
[ 68.051556][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 68.057446][ C0] 
[ 68.059753][ C0] The buggy address belongs to the object at ffff888026f78000
[ 68.059753][ C0]  which belongs to the cache kmalloc-4k of size 4096
[ 68.073789][ C0] The buggy address is located 8 bytes inside of
[ 68.073789][ C0]  4096-byte region [ffff888026f78000, ffff888026f79000)
[ 68.086959][ C0] The buggy address belongs to the page:
[ 68.092571][ C0] page:ffffea00009bde00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888026f78000 pfn:0x26f78
[ 68.104008][ C0] head:ffffea00009bde00 order:3 compound_mapcount:0 compound_pincount:0
[ 68.112316][ C0] flags: 0xfff00000010200(slab|head)
[ 68.117595][ C0] raw: 00fff00000010200 ffffea0000b04200 0000000300000003 ffff888010842140
[ 68.126165][ C0] raw: ffff888026f78000 0000000080040003 00000001ffffffff 0000000000000000
[ 68.134726][ C0] page dumped because: kasan: bad access detected
[ 68.141116][ C0] 
[ 68.143434][ C0] Memory state around the buggy address:
[ 68.149156][ C0]  ffff888026f77f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.157225][ C0]  ffff888026f77f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.165400][ C0] >ffff888026f78000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.173470][ C0]                       ^
[ 68.177796][ C0]  ffff888026f78080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.185845][ C0]  ffff888026f78100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.193886][ C0] ==================================================================
[ 68.202818][ T8417] Kernel Offset: disabled
[ 68.207140][ T8417] Rebooting in 86400 seconds..
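Triage script for a console log like the one above, added here as an example; it is not part of the syzkaller output, of syzkaller's own report parser, or of the kernel. It splits the line-by-line interleaved printk streams apart by their context tag (C0 is the softirq path on CPU 0 that hit the KASAN report, T8417 is the systemd-udevd task that took the page fault in qlist_free_all), pulls the bug type, access, object region and allocation stack out of the KASAN report, and then looks the faulting address up in the shadow dump instead of trusting the caret. The shadow-byte table is the generic-KASAN encoding from mm/kasan/kasan.h at v5.12 (0xfb = KASAN_KMALLOC_FREE, i.e. the 8-byte granule belongs to a freed slab object); the regexes assume the v5.12 report layout, and SAMPLE_LOG is a constructed excerpt of the lines on this page.

```python
import re

# Generic-KASAN shadow encoding (mm/kasan/kasan.h, v5.12). One shadow byte
# describes one 8-byte granule: 0x00 = all 8 bytes accessible, 0x01..0x07 =
# only the first N bytes accessible, the values below are poison markers.
GRANULE = 8
ROW_BYTES = 16 * GRANULE  # one dumped shadow row covers 128 bytes of memory
SHADOW_MEANING = {
    0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
    0xF8: "use-after-scope", 0xF9: "global redzone",
    0xFA: "freed slab object with free track (KASAN_KMALLOC_FREETRACK)",
    0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
    0xFC: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xFE: "page redzone (KASAN_PAGE_REDZONE)",
    0xFF: "freed page (KASAN_FREE_PAGE)",
}

# Report layout of v5.12 generic KASAN (assumption; older/newer kernels differ).
ENTRY_RE = re.compile(r"\[\s*(\d+\.\d+)\]\[\s*([CT]\d+)\]\s?(.*)")
BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+?)\+0x")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
REGION_RE = re.compile(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^[ >]?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")

# Constructed excerpt of the console log on this page, interleaving preserved.
SAMPLE_LOG = """\
syzkaller login: [ 67.096745][ C0] ==================================================================
[ 67.101983][ T8417] BUG: unable to handle page fault for address: ffffea0003ffff88
[ 67.105069][ C0] BUG: KASAN: use-after-free in skb_try_coalesce+0x1334/0x1440
[ 67.112783][ T8417] #PF: supervisor read access in kernel mode
[ 67.120323][ C0] Write of size 4 at addr ffff888026f78008 by task syz-fuzzer/8415
[ 67.193181][ T8417] RIP: 0010:qlist_free_all+0x85/0xc0
[ 67.989078][ C0] Allocated by task 6349:
[ 67.993401][ C0] kasan_save_stack+0x1b/0x40
[ 67.998074][ C0] __kasan_kmalloc+0x99/0xc0
[ 68.002654][ C0] tomoyo_realpath_from_path+0xc3/0x620
[ 68.057446][ C0] 
[ 68.059753][ C0] The buggy address belongs to the object at ffff888026f78000
[ 68.059753][ C0]  which belongs to the cache kmalloc-4k of size 4096
[ 68.073789][ C0] The buggy address is located 8 bytes inside of
[ 68.073789][ C0]  4096-byte region [ffff888026f78000, ffff888026f79000)
[ 68.143434][ C0] Memory state around the buggy address:
[ 68.157225][ C0]  ffff888026f77f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.165400][ C0] >ffff888026f78000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.173470][ C0]                       ^
"""


def parse_entries(text):
    """Return (timestamp, printk context, message) for every console entry."""
    out = []
    for line in text.splitlines():
        if (m := ENTRY_RE.search(line)):
            out.append((float(m.group(1)), m.group(2), m.group(3)))
    return out


def split_streams(entries):
    """Group messages by context (C<cpu> = interrupt/softirq, T<pid> = task);
    this is what separates two reports that printk interleaved line by line."""
    streams = {}
    for _ts, ctx, msg in entries:
        streams.setdefault(ctx, []).append(msg)
    return streams


def parse_kasan(lines):
    """Extract bug type, access, object region, alloc/free stacks and shadow rows."""
    rep = {"shadow": {}, "alloc_stack": [], "free_stack": []}
    section = None
    for msg in lines:
        msg = msg.rstrip()
        if (m := BUG_RE.search(msg)):
            rep["bug"], rep["func"] = m.group(1), m.group(2)
        elif (m := ACCESS_RE.search(msg)):
            rep["access"] = (m.group(1), int(m.group(2)), int(m.group(3), 16))
            rep["task"] = m.group(4)
        elif (m := REGION_RE.search(msg)):
            rep["region"] = (int(m.group(1), 16), int(m.group(2), 16))
        elif msg.startswith("Allocated by task"):
            section = "alloc_stack"
        elif msg.startswith("Freed by task"):
            section = "free_stack"
        elif not msg.strip() or msg.startswith(("The buggy", "Memory state")):
            section = None  # blank line or next header ends a stack section
        elif (m := SHADOW_RE.match(msg)):
            rep["shadow"][int(m.group(1), 16)] = bytes.fromhex(m.group(2).replace(" ", ""))
        elif section:
            rep[section].append(msg.strip())
    return rep


def classify_access(rep):
    """Map the faulting access onto the object and onto the dumped shadow bytes,
    checking every granule the access touches (a wide access can straddle two)."""
    kind, size, addr = rep["access"]
    start, end = rep["region"]
    granules = []
    first, last = addr & ~(GRANULE - 1), (addr + size - 1) & ~(GRANULE - 1)
    for g in range(first, last + 1, GRANULE):
        row = g & ~(ROW_BYTES - 1)  # dumped rows are 128-byte aligned
        shadow = rep["shadow"].get(row)
        if shadow is None:
            granules.append((g, None, "granule not in dump"))
            continue
        b = shadow[(g - row) // GRANULE]
        meaning = ("accessible" if b == 0 else f"only first {b} bytes accessible"
                   if b < GRANULE else SHADOW_MEANING.get(b, "unknown poison"))
        granules.append((g, b, meaning))
    return {"kind": kind, "offset": addr - start,
            "inside_object": start <= addr < end, "granules": granules}


def triage(text):
    """De-interleave, find the context carrying the KASAN report, classify it."""
    streams = split_streams(parse_entries(text))
    for ctx, lines in streams.items():
        if any(BUG_RE.search(line) for line in lines):
            rep = parse_kasan(lines)
            rep["context"], rep["verdict"] = ctx, classify_access(rep)
            return streams, rep
    return streams, None


if __name__ == "__main__":
    streams, rep = triage(SAMPLE_LOG)
    v = rep["verdict"]
    print(f"{rep['bug']} in {rep['func']} [{rep['context']}]: {v['kind']} of "
          f"{rep['access'][1]} bytes at object offset {v['offset']} by {rep['task']}")
    for g, b, meaning in v["granules"]:
        print(f"  granule {g:#x}: shadow {b!r} -> {meaning}")
```

Run on the excerpt it reports the write as 8 bytes into the kmalloc-4k object, with the single granule it touches marked 0xfb, which is the freed-object poison; the T8417 stream holds only the page-fault oops, so the two crashes can be read separately. The script does not try to decide whether the qlist_free_all fault and the skb_try_coalesce report share a cause; that question needs the symbolised traces, not the log alone.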