[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.221' (ECDSA) to the list of known hosts.
2021/04/25 18:28:13 fuzzer started
2021/04/25 18:28:13 dialing manager at 10.128.0.169:46633
2021/04/25 18:28:13 syscalls: 3560
2021/04/25 18:28:13 code coverage: enabled
2021/04/25 18:28:13 comparison tracing: enabled
2021/04/25 18:28:13 extra coverage: enabled
2021/04/25 18:28:13 setuid sandbox: enabled
2021/04/25 18:28:13 namespace sandbox: enabled
2021/04/25 18:28:13 Android sandbox: /sys/fs/selinux/policy does not exist
2021/04/25 18:28:13 fault injection: enabled
2021/04/25 18:28:13 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/04/25 18:28:13 net packet injection: enabled
2021/04/25 18:28:13 net device setup: enabled
2021/04/25 18:28:13 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/04/25 18:28:13 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/04/25 18:28:13 USB emulation: enabled
2021/04/25 18:28:13 hci packet injection: enabled
2021/04/25 18:28:13 wifi device emulation: enabled
2021/04/25 18:28:13 802.15.4 emulation: enabled
2021/04/25 18:28:13 fetching corpus: 0, signal 0/2000 (executing program)
syzkaller login: [ 73.876747][ C1] ==================================================================
[ 73.884973][ T8465] BUG: unable to handle page fault for address: ffffea0003ffff88
[ 73.885027][ C1] BUG: KASAN: use-after-free in skb_try_coalesce+0x1335/0x1440
[ 73.892751][ T8465] #PF: supervisor read access in kernel mode
[ 73.900309][ C1] Write of size 4 at addr ffff88801a5e8008 by task syz-fuzzer/8452
[ 73.906283][ T8465] #PF: error_code(0x0000) - not-present page
[ 73.914164][ C1]
[ 73.914178][ C1] CPU: 1 PID: 8452 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 73.920144][ T8465] PGD 13fff8067
[ 73.922464][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.932003][ T8465] P4D 13fff8067
[ 73.935550][ C1] Call Trace:
[ 73.945601][ T8465] PUD 13fff7067
[ 73.949147][ C1] dump_stack+0x141/0x1d7
[ 73.952410][ T8465] PMD 0
[ 73.955947][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 73.960288][ T8465]
[ 73.960299][ T8465] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 73.963129][ C1] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 73.968316][ T8465] CPU: 0 PID: 8465 Comm: systemd-cgroups Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 73.970658][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 73.975830][ T8465] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.982837][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 73.992802][ T8465] RIP: 0010:qlist_free_all+0x85/0xc0
[ 73.998352][ C1] kasan_report.cold+0x7c/0xd8
[ 74.008405][ T8465] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 74.013640][ C1] ? __sanitizer_cov_trace_cmp8+0x51/0x70
[ 74.018913][ T8465] RSP: 0018:ffffc9000171fa20 EFLAGS: 00010282
[ 74.023671][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 74.043287][ T8465]
[ 74.043299][ T8465] RAX: ffffea0003ffff80 RBX: ffff88802fee2000 RCX: 0000000000000000
[ 74.049016][ C1] skb_try_coalesce+0x1335/0x1440
[ 74.055072][ T8465] RDX: ffff888025e2b900 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 74.060271][ C1] tcp_try_coalesce+0x393/0x920
[ 74.062611][ T8465] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 74.070580][ C1] ? mark_held_locks+0x9f/0xe0
[ 74.075593][ T8465] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[ 74.083581][ C1] ? tcp_urg.part.0+0x2d0/0x2d0
[ 74.088426][ T8465] R13: ffffc9000171fa58 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 74.096400][ C1] ? ktime_get+0x38a/0x470
[ 74.101155][ T8465] FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 74.109162][ C1] ? lockdep_hardirqs_on+0x79/0x100
[ 74.114010][ T8465] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 74.121995][ C1] tcp_queue_rcv+0x8a/0x6e0
[ 74.126404][ T8465] CR2: ffffea0003ffff88 CR3: 000000002d52d000 CR4: 00000000001506f0
[ 74.135341][ C1] tcp_rcv_established+0x1756/0x1eb0
[ 74.140557][ T8465] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 74.147169][ C1] ? tcp_data_queue+0x4b10/0x4b10
[ 74.151665][ T8465] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 74.159638][ C1] ? do_raw_spin_lock+0x120/0x2b0
[ 74.164913][ T8465] Call Trace:
[ 74.164933][ T8465] kasan_quarantine_reduce+0x180/0x200
[ 74.172894][ C1] tcp_v4_do_rcv+0x5d1/0x870
[ 74.177913][ T8465] __kasan_slab_alloc+0x8e/0xa0
[ 74.185897][ C1] tcp_v4_rcv+0x3298/0x3950
[ 74.190957][ T8465] __kmalloc+0x1f7/0x330
[ 74.194277][ C1] ? tcp_v4_early_demux+0x8f0/0x8f0
[ 74.199729][ T8465] tomoyo_realpath_from_path+0xc3/0x620
[ 74.204334][ C1] ? lock_release+0x720/0x720
[ 74.209283][ T8465] ? tomoyo_profile+0x42/0x50
[ 74.213942][ C1] ip_protocol_deliver_rcu+0xa7/0xa20
[ 74.218192][ T8465] tomoyo_path_perm+0x21b/0x400
[ 74.223391][ C1] ip_local_deliver_finish+0x20a/0x370
[ 74.228941][ T8465] ? tomoyo_path_perm+0x1c1/0x400
[ 74.233803][ C1] ip_local_deliver+0x1b3/0x200
[ 74.239199][ T8465] ? tomoyo_check_open_permission+0x380/0x380
[ 74.244565][ C1] ip_sublist_rcv_finish+0x9a/0x2c0
[ 74.249413][ T8465] ? lock_chain_count+0x20/0x20
[ 74.254869][ C1] ip_list_rcv_finish.constprop.0+0x51e/0x6e0
[ 74.259898][ T8465] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 74.264759][ C1] ? ip_rcv_finish_core.constprop.0+0x1e80/0x1e80
[ 74.270840][ T8465] security_inode_getattr+0xcf/0x140
[ 74.276041][ C1] ? ip_list_rcv_finish.constprop.0+0x6e0/0x6e0
[ 74.280916][ T8465] vfs_fstat+0x43/0xb0
[ 74.287007][ C1] ? ip_rcv_core+0x867/0xcb0
[ 74.293026][ T8465] __do_sys_newfstat+0x81/0x100
[ 74.299456][ C1] ip_list_rcv+0x34e/0x490
[ 74.304747][ T8465] ? __do_sys_fstat+0x100/0x100
[ 74.311002][ C1] ? ip_rcv+0xd0/0xd0
[ 74.315068][ T8465] ? __context_tracking_exit+0xb8/0xe0
[ 74.319663][ C1] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 74.324512][ T8465] ? lock_downgrade+0x6e0/0x6e0
[ 74.328929][ C1] ? find_held_lock+0x2d/0x110
[ 74.333776][ T8465] ? lock_downgrade+0x6e0/0x6e0
[ 74.337750][ C1] ? ip_rcv+0xd0/0xd0
[ 74.343214][ T8465] ? syscall_enter_from_user_mode+0x27/0x70
[ 74.349215][ C1] __netif_receive_skb_list_core+0x549/0x8e0
[ 74.354062][ T8465] ? lockdep_hardirqs_on+0x79/0x100
[ 74.358830][ C1] ? process_backlog+0x6c0/0x6c0
[ 74.363679][ T8465] do_syscall_64+0x3a/0xb0
[ 74.367655][ C1] ? ktime_get_with_offset+0x3f2/0x500
[ 74.373566][ T8465] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.379568][ C1] ? lockdep_hardirqs_on+0x79/0x100
[ 74.384772][ T8465] RIP: 0033:0x7fdd77c3f142
[ 74.389717][ C1] netif_receive_skb_list_internal+0x75e/0xd80
[ 74.394128][ T8465] Code: b8 ff ff ff ff c3 66 90 c7 05 f6 bf 20 00 16 00 00 00 b8 ff ff ff ff c3 83 ff 01 77 2b 48 63 fe b8 05 00 00 00 48 89 d6 0f 05 <48> 3d 00 f0 ff ff 77 06 f3 c3 0f 1f 40 00 f7 d8 89 05 c8 bf 20 00
[ 74.399586][ C1] ? __netif_receive_skb_list_core+0x8e0/0x8e0
[ 74.405466][ T8465] RSP: 002b:00007ffec5596688 EFLAGS: 00000246
[ 74.410665][ C1] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 74.415097][ T8465] ORIG_RAX: 0000000000000005
[ 74.421266][ C1] ? detach_buf_split+0x599/0x7b0
[ 74.440872][ T8465] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdd77c3f142
[ 74.447024][ C1] ? __sanitizer_cov_trace_cmp2+0x22/0x80
[ 74.453081][ T8465] RDX: 00007ffec5596710 RSI: 00007ffec5596710 RDI: 0000000000000000
[ 74.459315][ C1] napi_complete_done+0x1f1/0x880
[ 74.463987][ T8465] RBP: 00007ffec55967d0 R08: 00007fdd77e43398 R09: 00007fdd77e47000
[ 74.469013][ C1] virtnet_poll+0xbeb/0x1180
[ 74.476989][ T8465] R10: 00007ffec5596870 R11: 0000000000000246 R12: 00007fdd77e47000
[ 74.482745][ C1] ? receive_buf+0x6250/0x6250
[ 74.490717][ T8465] R13: 0000000000000000 R14: 00007fdd77e4a040 R15: 00007ffec5596870
[ 74.495925][ C1] __napi_poll+0xaf/0x440
[ 74.503917][ T8465] Modules linked in:
[ 74.508588][ C1] net_rx_action+0x801/0xb40
[ 74.516647][ T8465]
[ 74.516664][ T8465] CR2: ffffea0003ffff88
[ 74.521416][ C1] ? napi_threaded_poll+0x5b0/0x5b0
[ 74.529399][ T8465] ---[ end trace 636e80c2dddb3044 ]---
[ 74.533722][ C1] ? sched_clock_cpu+0x18/0x1f0
[ 74.537623][ T8465] RIP: 0010:qlist_free_all+0x85/0xc0
[ 74.542217][ C1] __do_softirq+0x29b/0x9fe
[ 74.544542][ T8465] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 74.548713][ C1] __irq_exit_rcu+0x136/0x200
[ 74.553906][ T8465] RSP: 0018:ffffc9000171fa20 EFLAGS: 00010282
[ 74.559374][ C1] irq_exit_rcu+0x5/0x20
[ 74.564235][ T8465]
[ 74.564246][ T8465] RAX: ffffea0003ffff80 RBX: ffff88802fee2000 RCX: 0000000000000000
[ 74.569519][ C1] common_interrupt+0x51/0xd0
[ 74.574016][ T8465] RDX: ffff888025e2b900 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 74.593734][ C1] ? asm_common_interrupt+0x8/0x40
[ 74.598418][ T8465] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 74.604494][ C1] asm_common_interrupt+0x1e/0x40
[ 74.609349][ T8465] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[ 74.611856][ C1] RIP: 0033:0x63243b
[ 74.619862][ T8465] R13: ffffc9000171fa58 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 74.624565][ C1] Code: 24 10 e8 08 1f dd ff 80 7c 24 18 00 74 10 48 8b 05 4a 52 21 01 48 8b 0d 4b 52 21 01 eb a8 48 8b 44 24 28 48 8b 4c 24 40 eb 9c <44> 89 c0 41 81 e0 ff 01 00 00 42 8b 5c 82 08 41 89 d8 83 e3 0f 48
[ 74.632545][ T8465] FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 74.637676][ C1] RSP: 002b:000000c000479ac0 EFLAGS: 00000216
[ 74.645656][ T8465] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 74.650680][ C1]
[ 74.650691][ C1] RAX: 000000c00044c028 RBX: 000000000000000d RCX: 000000c000083200
[ 74.658653][ T8465] CR2: ffffea0003ffff88 CR3: 000000002d52d000 CR4: 00000000001506f0
[ 74.662543][ C1] RDX: 000000c00044c028 RSI: 000000c00044c000 RDI: 0000000000000010
[ 74.670520][ T8465] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 74.690226][ C1] RBP: 000000c000479b08 R08: 0000000000001f64 R09: 00000000000000fc
[ 74.699197][ T8465] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 74.705261][ C1] R10: 0000000000000434 R11: 0000000000001707 R12: ffffffffffffffff
[ 74.711952][ T8465] Kernel panic - not syncing: Fatal exception
[ 74.714290][ C1] R13: 0000000000002000 R14: 0000000000000004 R15: 0000000000000002
[ 74.785716][ C1]
[ 74.788046][ C1] Allocated by task 6449:
[ 74.792372][ C1] kasan_save_stack+0x1b/0x40
[ 74.797077][ C1] __kasan_kmalloc+0x9b/0xd0
[ 74.801695][ C1] tomoyo_realpath_from_path+0xc3/0x620
[ 74.807263][ C1] tomoyo_path_perm+0x21b/0x400
[ 74.812137][ C1] security_inode_getattr+0xcf/0x140
[ 74.817462][ C1] vfs_fstat+0x43/0xb0
[ 74.821547][ C1] __do_sys_newfstat+0x81/0x100
[ 74.826413][ C1] do_syscall_64+0x3a/0xb0
[ 74.830848][ C1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.836868][ C1]
[ 74.839214][ C1] The buggy address belongs to the object at ffff88801a5e8000
[ 74.839214][ C1] which belongs to the cache kmalloc-4k of size 4096
[ 74.853276][ C1] The buggy address is located 8 bytes inside of
[ 74.853276][ C1] 4096-byte region [ffff88801a5e8000, ffff88801a5e9000)
[ 74.866487][ C1] The buggy address belongs to the page:
[ 74.872145][ C1] page:ffffea0000697a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801a5e8000 pfn:0x1a5e8
[ 74.884050][ C1] head:ffffea0000697a00 order:3 compound_mapcount:0 compound_pincount:0
[ 74.892405][ C1] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 74.900441][ C1] raw: 00fff00000010200 ffffea0005038a00 0000000300000003 ffff888011042140
[ 74.909044][ C1] raw: ffff88801a5e8000 0000000080040003 00000001ffffffff 0000000000000000
[ 74.917634][ C1] page dumped because: kasan: bad access detected
[ 74.924077][ C1]
[ 74.926402][ C1] Memory state around the buggy address:
[ 74.932043][ C1] ffff88801a5e7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 74.940146][ C1] ffff88801a5e7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 74.948311][ C1] >ffff88801a5e8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.956379][ C1] ^
[ 74.960721][ C1] ffff88801a5e8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.968799][ C1] ffff88801a5e8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.976883][ C1] ==================================================================
[ 74.985521][ T8465] Kernel Offset: disabled
[ 74.989866][ T8465] Rebooting in 86400 seconds..