[ OK ] Started Getty on tty2.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts.
2021/04/29 09:13:09 fuzzer started
2021/04/29 09:13:10 dialing manager at 10.128.0.169:44661
2021/04/29 09:13:10 syscalls: 3571
2021/04/29 09:13:10 code coverage: enabled
2021/04/29 09:13:10 comparison tracing: enabled
2021/04/29 09:13:10 extra coverage: enabled
2021/04/29 09:13:10 setuid sandbox: enabled
2021/04/29 09:13:10 namespace sandbox: enabled
2021/04/29 09:13:10 Android sandbox: /sys/fs/selinux/policy does not exist
2021/04/29 09:13:10 fault injection: enabled
2021/04/29 09:13:10 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/04/29 09:13:10 net packet injection: enabled
2021/04/29 09:13:10 net device setup: enabled
2021/04/29 09:13:10 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/04/29 09:13:10 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/04/29 09:13:10 USB emulation: enabled
2021/04/29 09:13:10 hci packet injection: enabled
2021/04/29 09:13:10 wifi device emulation: enabled
2021/04/29 09:13:10 802.15.4 emulation: enabled
2021/04/29 09:13:10 fetching corpus: 0, signal 0/2000 (executing program)

syzkaller login: [ 73.760979][ T8460] BUG: unable to handle page fault for address: ffff88801a201000
[ 73.768766][ T8460] #PF: supervisor write access in kernel mode
[ 73.774856][ T8460] #PF: error_code(0x0002) - not-present page
[ 73.780853][ T8460] PGD 10c01067 P4D 10c01067 PUD 10c02067 PMD 1dd00063 PTE 800000000000404e
[ 73.789447][ T8460] Oops: 0002 [#1] PREEMPT SMP KASAN
[ 73.794657][ T8460] CPU: 0 PID: 8460 Comm: ifupdown-hotplu Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 73.804736][ T8460] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.815050][ T8460] RIP: 0010:clear_page_erms+0x7/0x10
[ 73.820416][ T8460] Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 b9 00 10 00 00 31 c0 aa c3 cc cc cc cc cc cc 41 57 41 56 41 55 41 54 55 53 48 89 fb
[ 73.840048][ T8460] RSP: 0018:ffffc900018674a0 EFLAGS: 00010246
[ 73.846392][ T8460] RAX: 0000000000000000 RBX: 0000000000400dc0 RCX: 0000000000001000
[ 73.854520][ T8460] RDX: ffffea0000688040 RSI: ffff888000000000 RDI: ffff88801a201000
[ 73.857063][ C1] ==================================================================
[ 73.862517][ T8460] RBP: ffffea0000688040 R08: 0000160000000000 R09: ffffea0000688080
[ 73.870591][ C1] BUG: KASAN: use-after-free in skb_try_coalesce+0x1335/0x1440
[ 73.878555][ T8460] R10: fffff940000d100e R11: 0000000000000000 R12: 0000000000000001
[ 73.886103][ C1] Write of size 4 at addr ffff88801de58008 by task syz-fuzzer/8452
[ 73.894064][ T8460] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88813fffb700
[ 73.901935][ C1]
[ 73.901945][ C1] CPU: 1 PID: 8452 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 73.909900][ T8460] FS: 00007f6630785480(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 73.912214][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.921733][ T8460] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 73.930649][ C1] Call Trace:
[ 73.930666][ C1] dump_stack+0x141/0x1d7
[ 73.940890][ T8460] CR2: ffff88801a201000 CR3: 000000001e22f000 CR4: 00000000001506f0
[ 73.947467][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 73.950736][ T8460] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 73.955053][ C1] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 73.963009][ T8460] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 73.968212][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 73.976208][ T8460] Call Trace:
[ 73.976223][ T8460] post_alloc_hook+0x175/0x200
[ 73.983249][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 73.991238][ T8460] get_page_from_freelist+0x1034/0x2bf0
[ 73.996499][ C1] kasan_report.cold+0x7c/0xd8
[ 73.999794][ T8460] ? __zone_watermark_ok+0x450/0x450
[ 74.004546][ C1] ? __sanitizer_cov_trace_cmp8+0x51/0x70
[ 74.009742][ T8460] ? prepare_alloc_pages+0x17b/0x580
[ 74.015438][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 74.020184][ T8460] __alloc_pages+0x1b2/0x500
[ 74.025678][ C1] skb_try_coalesce+0x1335/0x1440
[ 74.031395][ T8460] ? __alloc_pages_slowpath.constprop.0+0x2140/0x2140
[ 74.037271][ C1] tcp_try_coalesce+0x393/0x920
[ 74.042444][ T8460] ? find_held_lock+0x2d/0x110
[ 74.047027][ C1] ? tcp_urg.part.0+0x2d0/0x2d0
[ 74.052045][ T8460] ? lock_downgrade+0x6e0/0x6e0
[ 74.058782][ C1] ? rcu_read_lock_sched_held+0xd/0x70
[ 74.063631][ T8460] ? do_raw_spin_lock+0x120/0x2b0
[ 74.068372][ C1] ? lock_release+0x522/0x720
[ 74.073219][ T8460] alloc_pages+0x18c/0x2a0
[ 74.078064][ C1] ? ktime_get+0x38a/0x470
[ 74.083520][ T8460] __pmd_alloc+0x3b/0x5c0
[ 74.088519][ C1] ? trace_hardirqs_on+0x5b/0x1c0
[ 74.093200][ T8460] ? __pud_alloc+0xe0/0x180
[ 74.097615][ C1] tcp_queue_rcv+0x8a/0x6e0
[ 74.102028][ T8460] copy_page_range+0x2b58/0x3e50
[ 74.106349][ C1] tcp_rcv_established+0x1756/0x1eb0
[ 74.111367][ T8460] ? lock_downgrade+0x6e0/0x6e0
[ 74.115845][ C1] ? tcp_data_queue+0x4b10/0x4b10
[ 74.120347][ T8460] ? up_write+0x191/0x560
[ 74.125261][ C1] ? do_raw_spin_lock+0x120/0x2b0
[ 74.130553][ T8460] ? handle_mm_fault+0x7e0/0x7e0
[ 74.135383][ C1] tcp_v4_do_rcv+0x5d1/0x870
[ 74.140379][ T8460] ? downgrade_write+0x3a0/0x3a0
[ 74.144704][ C1] tcp_v4_rcv+0x3298/0x3950
[ 74.149700][ T8460] ? down_write_killable+0x170/0x170
[ 74.154623][ C1] ? tcp_v4_early_demux+0x8f0/0x8f0
[ 74.159190][ T8460] ? __vma_link_rb+0x553/0x710
[ 74.164117][ C1] ? lock_release+0x720/0x720
[ 74.171211][ T8460] dup_mm+0x9ed/0x1380
[ 74.176468][ C1] ? nf_hook.constprop.0+0x3e8/0x650
[ 74.181693][ T8460] ? vm_area_dup+0x2b0/0x2b0
[ 74.186430][ C1] ? ip_protocol_deliver_rcu+0xa20/0xa20
[ 74.191086][ T8460] ? __raw_spin_lock_init+0x36/0x110
[ 74.195132][ C1] ip_protocol_deliver_rcu+0xa7/0xa20
[ 74.200412][ T8460] copy_process+0x5e19/0x70e0
[ 74.205003][ C1] ip_local_deliver_finish+0x20a/0x370
[ 74.210617][ T8460] ? mark_lock+0xef/0x17b0
[ 74.215878][ C1] ip_local_deliver+0x1b3/0x200
[ 74.221247][ T8460] ? __cleanup_sighand+0xb0/0xb0
[ 74.225917][ C1] ip_sublist_rcv_finish+0x9a/0x2c0
[ 74.231875][ T8460] ? __lock_acquire+0x16a7/0x5230
[ 74.236269][ C1] ip_list_rcv_finish.constprop.0+0x51e/0x6e0
[ 74.241115][ T8460] ? kernel_clone+0x314/0xac0
[ 74.246050][ C1] ? ip_rcv_finish_core.constprop.0+0x1e80/0x1e80
[ 74.251239][ T8460] kernel_clone+0xe7/0xac0
[ 74.256255][ C1] ? ip_list_rcv_finish.constprop.0+0x6e0/0x6e0
[ 74.262390][ T8460] ? create_io_thread+0xf0/0xf0
[ 74.267059][ C1] ? ip_rcv_core+0x867/0xcb0
[ 74.273450][ T8460] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 74.277861][ C1] ip_list_rcv+0x34e/0x490
[ 74.284074][ T8460] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 74.289039][ C1] ? ip_rcv+0xd0/0xd0
[ 74.293633][ T8460] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 74.299594][ C1] ? ip_rcv+0xd0/0xd0
[ 74.303990][ T8460] ? __seccomp_filter+0x672/0x15e0
[ 74.309971][ C1] __netif_receive_skb_list_core+0x549/0x8e0
[ 74.313934][ T8460] ? seccomp_notify_ioctl+0xdc0/0xdc0
[ 74.320168][ C1] ? lock_acquire+0x58a/0x740
[ 74.324126][ T8460] ? find_held_lock+0x2d/0x110
[ 74.329243][ C1] ? process_backlog+0x6c0/0x6c0
[ 74.335465][ T8460] __do_sys_clone+0xc8/0x110
[ 74.340827][ C1] ? ktime_get_with_offset+0x3f2/0x500
[ 74.345483][ T8460] ? kernel_clone+0xac0/0xac0
[ 74.350244][ C1] netif_receive_skb_list_internal+0x75e/0xd80
[ 74.355179][ T8460] ? __secure_computing+0x104/0x360
[ 74.359764][ C1] ? __netif_receive_skb_list_core+0x8e0/0x8e0
[ 74.365291][ T8460] do_syscall_64+0x3a/0xb0
[ 74.369968][ C1] ? virtqueue_get_buf_ctx_split+0x423/0x5f0
[ 74.376199][ T8460] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.381636][ C1] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 74.387800][ T8460] RIP: 0033:0x7f663027f38b
[ 74.392210][ C1] ? detach_buf_split+0x599/0x7b0
[ 74.398170][ T8460] Code: db 45 85 f6 0f 85 95 01 00 00 64 4c 8b 04 25 10 00 00 00 31 d2 4d 8d 90 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 de 00 00 00 85 c0 41 89 c5 0f 85 e5 00 00
[ 74.404061][ C1] ? __sanitizer_cov_trace_cmp2+0x22/0x80
[ 74.410275][ T8460] RSP: 002b:00007fff8e69fb30 EFLAGS: 00000246
[ 74.414676][ C1] napi_complete_done+0x1f1/0x880
[ 74.419698][ T8460] ORIG_RAX: 0000000000000038
[ 74.439311][ C1] virtnet_poll+0xbeb/0x1180
[ 74.445033][ T8460] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f663027f38b
[ 74.451167][ C1] ? receive_buf+0x6250/0x6250
[ 74.456176][ T8460] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[ 74.460836][ C1] ? rcu_read_lock_sched_held+0xd/0x70
[ 74.465396][ T8460] RBP: 00007fff8e69fb60 R08: 00007f6630785480 R09: 0000000000000030
[ 74.473366][ C1] ? lock_acquire+0x58a/0x740
[ 74.478108][ T8460] R10: 00007f6630785750 R11: 0000000000000246 R12: 0000000000000000
[ 74.486086][ C1] __napi_poll+0xaf/0x440
[ 74.491522][ T8460] R13: 0000000000000000 R14: 0000000000000000 R15: 000055f2e07221a8
[ 74.499495][ C1] net_rx_action+0x801/0xb40
[ 74.504159][ T8460] Modules linked in:
[ 74.512121][ C1] ? napi_threaded_poll+0x5b0/0x5b0
[ 74.516424][ T8460]
[ 74.516435][ T8460] CR2: ffff88801a201000
[ 74.524379][ C1] ? sched_clock_cpu+0x18/0x1f0
[ 74.528968][ T8460] ---[ end trace 63bf41051e3aebf7 ]---
[ 74.532836][ C1] __do_softirq+0x29b/0x9fe
[ 74.538097][ T8460] RIP: 0010:clear_page_erms+0x7/0x10
[ 74.540438][ C1] __irq_exit_rcu+0x136/0x200
[ 74.544582][ T8460] Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 b9 00 10 00 00 31 c0 aa c3 cc cc cc cc cc cc 41 57 41 56 41 55 41 54 55 53 48 89 fb
[ 74.549453][ C1] irq_exit_rcu+0x5/0x20
[ 74.554888][ T8460] RSP: 0018:ffffc900018674a0 EFLAGS: 00010246
[ 74.560074][ C1] common_interrupt+0x51/0xd0
[ 74.565333][ T8460]
[ 74.565341][ T8460] RAX: 0000000000000000 RBX: 0000000000400dc0 RCX: 0000000000001000
[ 74.570005][ C1] ? asm_common_interrupt+0x8/0x40
[ 74.589590][ T8460] RDX: ffffea0000688040 RSI: ffff888000000000 RDI: ffff88801a201000
[ 74.593816][ C1] asm_common_interrupt+0x1e/0x40
[ 74.599872][ T8460] RBP: ffffea0000688040 R08: 0000160000000000 R09: ffffea0000688080
[ 74.604553][ C1] RIP: 0033:0x46d4ee
[ 74.606880][ T8460] R10: fffff940000d100e R11: 0000000000000000 R12: 0000000000000001
[ 74.614837][ C1] Code: f3 44 0f 6f 61 f0 c5 fe 6f 26 4c 01 de 48 29 c3 c5 fe 6f 06 c5 fe 6f 4e 20 c5 fe 6f 56 40 c5 fe 6f 5e 60 48 01 c6 c5 fd 7f 07 fd 7f 4f 20 c5 fd 7f 57 40 c5 fd 7f 5f 60 48 01 c7 48 29 c3 77
[ 74.620981][ T8460] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88813fffb700
[ 74.628957][ C1] RSP: 002b:000000c000397b98 EFLAGS: 00000202
[ 74.634006][ T8460] FS: 00007f6630785480(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 74.641987][ C1]
[ 74.641999][ C1] RAX: 0000000000000080 RBX: 0000000000007f7a RCX: 000000c0003f0000
[ 74.645880][ T8460] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 74.653841][ C1] RDX: 000000c0007817ba RSI: 000000c0003e8086 RDI: 000000c0007817c0
[ 74.673448][ T8460] CR2: ffff88801a201000 CR3: 000000001e22f000 CR4: 00000000001506f0
[ 74.681435][ C1] RBP: 000000c000397bc8 R08: 000000c0003e8000 R09: 0000000000008000
[ 74.687531][ T8460] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 74.696638][ C1] R10: 000000c0007817ba R11: 0000000000000006 R12: ffffffffffffffff
[ 74.698986][ T8460] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 74.706963][ C1] R13: 0000000000000800 R14: 0000000000000008 R15: 0000000000000004
[ 74.713571][ T8460] Kernel panic - not syncing: Fatal exception
[ 74.721565][ C1]
[ 74.777907][ C1] Allocated by task 1:
[ 74.781985][ C1] kasan_save_stack+0x1b/0x40
[ 74.786692][ C1] __kasan_slab_alloc+0x84/0xa0
[ 74.791567][ C1] kmem_cache_alloc+0x219/0x3a0
[ 74.796585][ C1] getname_flags.part.0+0x50/0x4f0
[ 74.801712][ C1] user_path_at_empty+0xa1/0x100
[ 74.806690][ C1] vfs_statx+0x142/0x390
[ 74.810949][ C1] __do_sys_newlstat+0x91/0x110
[ 74.815815][ C1] do_syscall_64+0x3a/0xb0
[ 74.820235][ C1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.826133][ C1]
[ 74.828449][ C1] Freed by task 1:
[ 74.832169][ C1] kasan_save_stack+0x1b/0x40
[ 74.836869][ C1] kasan_set_track+0x1c/0x30
[ 74.841464][ C1] kasan_set_free_info+0x20/0x30
[ 74.846426][ C1] __kasan_slab_free+0xfb/0x130
[ 74.851288][ C1] slab_free_freelist_hook+0xdf/0x240
[ 74.856689][ C1] kmem_cache_free+0x97/0x750
[ 74.861391][ C1] putname+0xe1/0x120
[ 74.865377][ C1] filename_lookup+0x3c3/0x570
[ 74.870157][ C1] vfs_statx+0x142/0x390
[ 74.874403][ C1] __do_sys_newlstat+0x91/0x110
[ 74.879259][ C1] do_syscall_64+0x3a/0xb0
[ 74.883679][ C1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.889575][ C1]
[ 74.891887][ C1] The buggy address belongs to the object at ffff88801de58000
[ 74.891887][ C1] which belongs to the cache names_cache of size 4096
[ 74.906075][ C1] The buggy address is located 8 bytes inside of
[ 74.906075][ C1] 4096-byte region [ffff88801de58000, ffff88801de59000)
[ 74.919481][ C1] The buggy address belongs to the page:
[ 74.925137][ C1] page:ffffea0000779600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1de58
[ 74.935311][ C1] head:ffffea0000779600 order:3 compound_mapcount:0 compound_pincount:0
[ 74.943638][ C1] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 74.952261][ C1] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff8880111be280
[ 74.960875][ C1] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 74.969451][ C1] page dumped because: kasan: bad access detected
[ 74.975867][ C1]
[ 74.978197][ C1] Memory state around the buggy address:
[ 74.983829][ C1] ffff88801de57f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 74.991919][ C1] ffff88801de57f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 75.000008][ C1] >ffff88801de58000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.008069][ C1] ^
[ 75.012485][ C1] ffff88801de58080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.020560][ C1] ffff88801de58100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.028613][ C1] ==================================================================
[ 75.037122][ T8460] Kernel Offset: disabled
[ 75.041542][ T8460] Rebooting in 86400 seconds..