[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.96' (ECDSA) to the list of known hosts.
2021/04/24 06:34:47 fuzzer started
2021/04/24 06:34:48 dialing manager at 10.128.0.169:43581
2021/04/24 06:34:48 syscalls: 3560
2021/04/24 06:34:48 code coverage: enabled
2021/04/24 06:34:48 comparison tracing: enabled
2021/04/24 06:34:48 extra coverage: enabled
2021/04/24 06:34:48 setuid sandbox: enabled
2021/04/24 06:34:48 namespace sandbox: enabled
2021/04/24 06:34:48 Android sandbox: /sys/fs/selinux/policy does not exist
2021/04/24 06:34:48 fault injection: enabled
2021/04/24 06:34:48 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/04/24 06:34:48 net packet injection: enabled
2021/04/24 06:34:48 net device setup: enabled
2021/04/24 06:34:48 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/04/24 06:34:48 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/04/24 06:34:48 USB emulation: enabled
2021/04/24 06:34:48 hci packet injection: enabled
2021/04/24 06:34:48 wifi device emulation: enabled
2021/04/24 06:34:48 802.15.4 emulation: enabled
2021/04/24 06:34:48 fetching corpus: 0, signal 0/2000 (executing program)
syzkaller login:
[ 71.733242][ C0] ==================================================================
[ 71.737166][ T8430] BUG: unable to handle page fault for address: ffffea0003ffff88
[ 71.741525][ C0] BUG: KASAN: use-after-free in skb_try_coalesce+0x1335/0x1440
[ 71.749240][ T8430] #PF: supervisor read access in kernel mode
[ 71.756768][ C0] Write of size 4 at addr ffff8880264f8008 by task syz-fuzzer/8424
[ 71.762753][ T8430] #PF: error_code(0x0000) - not-present page
[ 71.770628][ C0]
[ 71.770638][ C0] CPU: 0 PID: 8424 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 71.776591][ T8430] PGD 13fff8067 P4D 13fff8067
[ 71.778918][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.788438][ T8430] PUD 13fff7067
[ 71.793188][ C0] Call Trace:
[ 71.803232][ T8430] PMD 0
[ 71.806781][ C0] dump_stack+0x141/0x1d7
[ 71.810037][ T8430]
[ 71.810045][ T8430] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 71.812869][ C0] ? skb_try_coalesce+0x1335/0x1440
[ 71.817191][ T8430] CPU: 1 PID: 8430 Comm: ifupdown-hotplu Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 71.819505][ C0] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 71.824682][ T8430] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.829867][ C0] ? skb_try_coalesce+0x1335/0x1440
[ 71.839823][ T8430] RIP: 0010:qlist_free_all+0x85/0xc0
[ 71.846848][ C0] ? skb_try_coalesce+0x1335/0x1440
[ 71.856918][ T8430] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 71.862106][ C0] kasan_report.cold+0x7c/0xd8
[ 71.867369][ T8430] RSP: 0018:ffffc900016df720 EFLAGS: 00010282
[ 71.872552][ C0] ? __sanitizer_cov_trace_cmp8+0x51/0x70
[ 71.892139][ T8430]
[ 71.892151][ T8430] RAX: ffffea0003ffff80 RBX: ffff88801d25eea0 RCX: 0000000000000000
[ 71.896908][ C0] ? skb_try_coalesce+0x1335/0x1440
[ 71.902953][ T8430] RDX: ffff888020018000 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 71.908658][ C0] skb_try_coalesce+0x1335/0x1440
[ 71.910966][ T8430] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 71.918927][ C0] tcp_try_coalesce+0x393/0x920
[ 71.924101][ T8430] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[ 71.932081][ C0] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 71.937087][ T8430] R13: ffffc900016df758 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 71.945051][ C0] ? tcp_urg.part.0+0x2d0/0x2d0
[ 71.949905][ T8430] FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 71.957884][ C0] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 71.964108][ T8430] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 71.972070][ C0] ? tcp_try_rmem_schedule+0x98b/0x16d0
[ 71.976911][ T8430] CR2: ffffea0003ffff88 CR3: 000000001811f000 CR4: 00000000001506e0
[ 71.985827][ C0] tcp_queue_rcv+0x8a/0x6e0
[ 71.992224][ T8430] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 71.998801][ C0] tcp_data_queue+0x150a/0x4b10
[ 72.004327][ T8430] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 72.012294][ C0] ? tcp_data_ready+0x540/0x540
[ 72.016777][ T8430] Call Trace:
[ 72.016792][ T8430] kasan_quarantine_reduce+0x180/0x200
[ 72.024741][ C0] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 72.029684][ T8430] __kasan_slab_alloc+0x8e/0xa0
[ 72.037653][ C0] ? ktime_get+0x30b/0x470
[ 72.042500][ T8430] kmem_cache_alloc+0x219/0x3a0
[ 72.045781][ C0] tcp_rcv_established+0x841/0x1eb0
[ 72.051217][ T8430] __pmd_alloc+0xbf/0x5c0
[ 72.056936][ C0] ? tcp_data_queue+0x4b10/0x4b10
[ 72.061766][ T8430] move_page_tables+0x1814/0x23e0
[ 72.066168][ C0] ? do_raw_spin_lock+0x120/0x2b0
[ 72.071007][ T8430] ? vma_to_resize+0x560/0x560
[ 72.076205][ C0] tcp_v4_do_rcv+0x5d1/0x870
[ 72.080524][ T8430] shift_arg_pages+0x192/0x410
[ 72.085528][ C0] tcp_v4_rcv+0x3298/0x3950
[ 72.090528][ T8430] ? vma_set_page_prot+0x19c/0x250
[ 72.095544][ C0] ? tcp_v4_early_demux+0x8f0/0x8f0
[ 72.100298][ T8430] ? unregister_binfmt+0x170/0x170
[ 72.104889][ C0] ? lock_release+0x720/0x720
[ 72.109647][ T8430] ? mprotect_fixup+0x4c6/0x940
[ 72.114147][ C0] ip_protocol_deliver_rcu+0xa7/0xa20
[ 72.119236][ T8430] ? change_protection+0x20a0/0x20a0
[ 72.124425][ C0] ip_local_deliver_finish+0x20a/0x370
[ 72.129515][ T8430] ? down_write_killable_nested+0x180/0x180
[ 72.134176][ C0] ip_local_deliver+0x1b3/0x200
[ 72.139005][ T8430] ? get_random_u32+0x103/0x200
[ 72.144374][ C0] ip_sublist_rcv_finish+0x9a/0x2c0
[ 72.149639][ T8430] setup_arg_pages+0x6b0/0x840
[ 72.155082][ C0] ip_list_rcv_finish.constprop.0+0x51e/0x6e0
[ 72.160974][ T8430] ? __register_binfmt+0x220/0x220
[ 72.165821][ C0] ? ip_rcv_finish_core.constprop.0+0x1e80/0x1e80
[ 72.170650][ T8430] ? get_random_u64+0xf0/0x1f0
[ 72.175828][ C0] ? ip_list_rcv_finish.constprop.0+0x6e0/0x6e0
[ 72.180584][ T8430] load_elf_binary+0xab8/0x4b30
[ 72.186642][ C0] ? ip_rcv_core+0x867/0xcb0
[ 72.191766][ T8430] ? find_held_lock+0x2d/0x110
[ 72.198161][ C0] ip_list_rcv+0x34e/0x490
[ 72.202923][ T8430] ? elf_core_dump+0x3350/0x3350
[ 72.209143][ C0] ? ip_rcv+0xd0/0xd0
[ 72.213972][ T8430] ? do_raw_read_unlock+0x3b/0x70
[ 72.218550][ C0] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 72.223294][ T8430] ? _raw_read_unlock+0x24/0x40
[ 72.227692][ C0] ? find_held_lock+0x2d/0x110
[ 72.232624][ T8430] ? load_misc_binary+0x641/0xb30
[ 72.236585][ C0] ? ip_rcv+0xd0/0xd0
[ 72.241591][ T8430] bprm_execve+0x7ef/0x19b0
[ 72.247554][ C0] __netif_receive_skb_list_core+0x549/0x8e0
[ 72.252391][ T8430] ? open_exec+0x70/0x70
[ 72.257229][ C0] ? process_backlog+0x6c0/0x6c0
[ 72.262252][ T8430] do_execveat_common+0x621/0x7c0
[ 72.266216][ C0] ? ktime_get_with_offset+0x3f2/0x500
[ 72.270699][ T8430] ? bprm_execve+0x19b0/0x19b0
[ 72.276675][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 72.280986][ T8430] ? getname_flags.part.0+0x1dd/0x4f0
[ 72.286218][ C0] netif_receive_skb_list_internal+0x75e/0xd80
[ 72.291244][ T8430] __x64_sys_execve+0x8f/0xc0
[ 72.296691][ C0] ? __netif_receive_skb_list_core+0x8e0/0x8e0
[ 72.301452][ T8430] ? __seccomp_filter+0x1bd/0x15e0
[ 72.306632][ C0] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 72.311988][ T8430] do_syscall_64+0x3a/0xb0
[ 72.318122][ C0] ? detach_buf_split+0x599/0x7b0
[ 72.322782][ T8430] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.328920][ C0] ? __sanitizer_cov_trace_cmp2+0x22/0x80
[ 72.334018][ T8430] RIP: 0033:0x7f2a3f7ea647
[ 72.340239][ C0] napi_complete_done+0x1f1/0x880
[ 72.344657][ T8430] Code: Unable to access opcode bytes at RIP 0x7f2a3f7ea61d.
[ 72.349650][ C0] virtnet_poll+0xbeb/0x1180
[ 72.355539][ T8430] RSP: 002b:00007ffefd6d87d8 EFLAGS: 00000207
[ 72.361243][ C0] ? receive_buf+0x6250/0x6250
[ 72.365633][ T8430] ORIG_RAX: 000000000000003b
[ 72.370736][ C0] __napi_poll+0xaf/0x440
[ 72.378074][ T8430] RAX: ffffffffffffffda RBX: 00007ffefd6d8d20 RCX: 00007f2a3f7ea647
[ 72.382655][ C0] net_rx_action+0x801/0xb40
[ 72.388694][ T8430] RDX: 0000555dd905df30 RSI: 00007ffefd6d8d20 RDI: 00007ffefd6d9120
[ 72.393457][ C0] ? napi_threaded_poll+0x5b0/0x5b0
[ 72.399261][ T8430] RBP: 000000000000000f R08: 000000000000fefc R09: 0000000000000070
[ 72.403572][ C0] ? sched_clock_cpu+0x18/0x1f0
[ 72.411528][ T8430] R10: 0000000000000008 R11: 0000000000000207 R12: 00007ffefd6d88a0
[ 72.416108][ C0] __do_softirq+0x29b/0x9fe
[ 72.424583][ T8430] R13: 0000000000000012 R14: 0000555dd905df30 R15: 00007ffefd6da2f0
[ 72.429771][ C0] __irq_exit_rcu+0x136/0x200
[ 72.437733][ T8430] Modules linked in:
[ 72.442571][ C0] irq_exit_rcu+0x5/0x20
[ 72.450528][ T8430]
[ 72.450543][ T8430] CR2: ffffea0003ffff88
[ 72.455016][ C0] common_interrupt+0x51/0xd0
[ 72.462983][ T8430] ---[ end trace 534a08db857fa0ae ]---
[ 72.467648][ C0] ? asm_common_interrupt+0x8/0x40
[ 72.471523][ T8430] RIP: 0010:qlist_free_all+0x85/0xc0
[ 72.475747][ C0] asm_common_interrupt+0x1e/0x40
[ 72.478324][ T8430] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 72.482465][ C0] RIP: 0033:0x4153de
[ 72.487123][ T8430] RSP: 0018:ffffc900016df720 EFLAGS: 00010282
[ 72.492567][ C0] Code: cc cc cc cc cc cc cc cc cc cc cc cc 48 83 ec 30 48 89 6c 24 28 48 8d 6c 24 28 90 48 8b 44 24 38 48 ba 00 00 00 00 00 80 00 00 <48> 01 c2 48 c1 ea 1a 48 81 fa 00 00 40 00 0f 82 67 01 00 00 31 c9
[ 72.497660][ T8430]
[ 72.497668][ T8430] RAX: ffffea0003ffff80 RBX: ffff88801d25eea0 RCX: 0000000000000000
[ 72.503012][ C0] RSP: 002b:000000c0004afde0 EFLAGS: 00000202
[ 72.508035][ T8430] RDX: ffff888020018000 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 72.527625][ C0]
[ 72.527638][ C0] RAX: 000000000085b9ed RBX: 0000000000000021 RCX: 0000000000040000
[ 72.531514][ T8430] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 72.537562][ C0] RDX: 0000800000000000 RSI: 000000000001d900 RDI: 0000000000000000
[ 72.557165][ T8430] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[ 72.559521][ C0] RBP: 000000c0004afe08 R08: 000000000085b9ed R09: 0000000000000045
[ 72.567575][ T8430] R13: ffffc900016df758 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 72.573646][ C0] R10: 000000000187aa88 R11: 0000000000000053 R12: 000000000000004b
[ 72.581692][ T8430] FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 72.584023][ C0] R13: 0000000000001018 R14: 000080c000400000 R15: 000080c0003dbfff
[ 72.591984][ T8430] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.599965][ C0]
[ 72.607921][ T8430] CR2: 00007f2a3f7ea61d CR3: 000000001811f000 CR4: 00000000001506e0
[ 72.615886][ C0] Allocated by task 1:
[ 72.623848][ T8430] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 72.632243][ C0] kasan_save_stack+0x1b/0x40
[ 72.640201][ T8430] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 72.649112][ C0] __kasan_slab_alloc+0x84/0xa0
[ 72.657086][ T8430] Kernel panic - not syncing: Fatal exception
[ 72.663652][ C0] kmem_cache_alloc+0x219/0x3a0
[ 72.714360][ C0] getname_flags.part.0+0x50/0x4f0
[ 72.719478][ C0] getname+0x8e/0xd0
[ 72.723458][ C0] do_sys_openat2+0xf5/0x420
[ 72.728064][ C0] __x64_sys_open+0x119/0x1c0
[ 72.732736][ C0] do_syscall_64+0x3a/0xb0
[ 72.737151][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.743040][ C0]
[ 72.745353][ C0] The buggy address belongs to the object at ffff8880264f8000
[ 72.745353][ C0] which belongs to the cache names_cache of size 4096
[ 72.759482][ C0] The buggy address is located 8 bytes inside of
[ 72.759482][ C0] 4096-byte region [ffff8880264f8000, ffff8880264f9000)
[ 72.772775][ C0] The buggy address belongs to the page:
[ 72.778398][ C0] page:ffffea0000993e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880264f8000 pfn:0x264f8
[ 72.789855][ C0] head:ffffea0000993e00 order:3 compound_mapcount:0 compound_pincount:0
[ 72.798528][ C0] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 72.806518][ C0] raw: 00fff00000010200 0000000000000000 0000000100000001 ffff8880111be280
[ 72.815110][ C0] raw: ffff8880264f8000 0000000080070006 00000001ffffffff 0000000000000000
[ 72.823679][ C0] page dumped because: kasan: bad access detected
[ 72.830094][ C0]
[ 72.832405][ C0] Memory state around the buggy address:
[ 72.838030][ C0] ffff8880264f7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 72.846084][ C0] ffff8880264f7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 72.854143][ C0] >ffff8880264f8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.862292][ C0] ^
[ 72.866624][ C0] ffff8880264f8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.874680][ C0] ffff8880264f8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.882748][ C0] ==================================================================
[ 72.891303][ T8430] Kernel Offset: disabled
[ 72.895632][ T8430] Rebooting in 86400 seconds..