[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
2021/04/25 03:33:16 fuzzer started
2021/04/25 03:33:17 dialing manager at 10.128.0.169:43581
2021/04/25 03:33:17 syscalls: 3560
2021/04/25 03:33:17 code coverage: enabled
2021/04/25 03:33:17 comparison tracing: enabled
2021/04/25 03:33:17 extra coverage: enabled
2021/04/25 03:33:17 setuid sandbox: enabled
2021/04/25 03:33:17 namespace sandbox: enabled
2021/04/25 03:33:17 Android sandbox: /sys/fs/selinux/policy does not exist
2021/04/25 03:33:17 fault injection: enabled
2021/04/25 03:33:17 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/04/25 03:33:17 net packet injection: enabled
2021/04/25 03:33:17 net device setup: enabled
2021/04/25 03:33:17 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/04/25 03:33:17 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/04/25 03:33:17 USB emulation: enabled
2021/04/25 03:33:17 hci packet injection: enabled
2021/04/25 03:33:17 wifi device emulation: enabled
2021/04/25 03:33:17 802.15.4 emulation: enabled
2021/04/25 03:33:17 fetching corpus: 0, signal 0/2000 (executing program)
syzkaller login: [ 69.812720][ C1] ==================================================================
[ 69.813799][ T8475] BUG: unable to handle page fault for address: ffffea0003ffff88
[ 69.821302][ C1] BUG: KASAN: use-after-free in skb_try_coalesce+0x1335/0x1440
[ 69.829176][ T8475] #PF: supervisor read access in kernel mode
[ 69.836800][ C1] Write of size 4 at addr ffff88801cb20008 by task syz-fuzzer/8459
[ 69.843094][ T8475] #PF: error_code(0x0000) - not-present page
[ 69.851105][ C1]
[ 69.851114][ C1] CPU: 1 PID: 8459 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 69.857080][ T8475] PGD 13fff8067
[ 69.859542][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.869371][ T8475] P4D 13fff8067
[ 69.872920][ C1] Call Trace:
[ 69.872935][ C1] dump_stack+0x141/0x1d7
[ 69.883064][ T8475] PUD 13fff7067
[ 69.886621][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 69.890025][ T8475] PMD 0
[ 69.894345][ C1] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 69.897893][ T8475]
[ 69.897901][ T8475] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 69.903221][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 69.906069][ T8475] CPU: 0 PID: 8475 Comm: ifupdown-hotplu Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 69.913409][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 69.915742][ T8475] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.920933][ C1] kasan_report.cold+0x7c/0xd8
[ 69.926211][ T8475] RIP: 0010:qlist_free_all+0x85/0xc0
[ 69.936622][ C1] ? __sanitizer_cov_trace_cmp8+0x51/0x70
[ 69.941999][ T8475] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 69.952110][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 69.957004][ T8475] RSP: 0018:ffffc900016afc88 EFLAGS: 00010282
[ 69.962671][ C1] skb_try_coalesce+0x1335/0x1440
[ 69.968672][ T8475]
[ 69.968681][ T8475] RAX: ffffea0003ffff80 RBX: ffff88801ca95500 RCX: 0000000000000000
[ 69.988606][ C1] tcp_try_coalesce+0x393/0x920
[ 69.993806][ T8475] RDX: ffff888025589c80 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 69.999867][ C1] ? mark_held_locks+0x9f/0xe0
[ 70.005054][ T8475] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 70.007378][ C1] ? tcp_urg.part.0+0x2d0/0x2d0
[ 70.015519][ T8475] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[ 70.020582][ C1] ? ktime_get+0x38a/0x470
[ 70.028924][ T8475] R13: ffffc900016afcc0 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 70.033949][ C1] ? lockdep_hardirqs_on+0x79/0x100
[ 70.042079][ T8475] FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 70.047362][ C1] tcp_queue_rcv+0x8a/0x6e0
[ 70.055551][ T8475] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 70.060119][ C1] tcp_rcv_established+0x1756/0x1eb0
[ 70.068287][ T8475] CR2: ffffea0003ffff88 CR3: 0000000012fbf000 CR4: 00000000001506f0
[ 70.073784][ C1] ? tcp_data_queue+0x4b10/0x4b10
[ 70.083145][ T8475] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 70.087646][ C1] ? do_raw_spin_lock+0x120/0x2b0
[ 70.094473][ T8475] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 70.100142][ C1] tcp_v4_do_rcv+0x5d1/0x870
[ 70.108668][ T8475] Call Trace:
[ 70.108682][ T8475] kasan_quarantine_reduce+0x180/0x200
[ 70.114058][ C1] tcp_v4_rcv+0x3298/0x3950
[ 70.122026][ T8475] __kasan_slab_alloc+0x8e/0xa0
[ 70.127289][ C1] ? tcp_v4_early_demux+0x8f0/0x8f0
[ 70.135551][ T8475] kmem_cache_alloc+0x219/0x3a0
[ 70.140658][ C1] ? lock_release+0x720/0x720
[ 70.144069][ T8475] getname_flags.part.0+0x50/0x4f0
[ 70.149914][ C1] ip_protocol_deliver_rcu+0xa7/0xa20
[ 70.154413][ T8475] getname+0x8e/0xd0
[ 70.159394][ C1] ip_local_deliver_finish+0x20a/0x370
[ 70.164926][ T8475] do_sys_openat2+0xf5/0x420
[ 70.169824][ C1] ip_local_deliver+0x1b3/0x200
[ 70.174491][ T8475] ? build_open_flags+0x6f0/0x6f0
[ 70.181390][ C1] ip_sublist_rcv_finish+0x9a/0x2c0
[ 70.186895][ T8475] ? __context_tracking_exit+0xb8/0xe0
[ 70.190923][ C1] ip_list_rcv_finish.constprop.0+0x51e/0x6e0
[ 70.196380][ T8475] __x64_sys_open+0x119/0x1c0
[ 70.200963][ C1] ? ip_rcv_finish_core.constprop.0+0x1e80/0x1e80
[ 70.205940][ T8475] ? do_sys_open+0x140/0x140
[ 70.210958][ C1] ? ip_list_rcv_finish.constprop.0+0x6e0/0x6e0
[ 70.216424][ T8475] ? __secure_computing+0x104/0x360
[ 70.222103][ C1] ? ip_rcv_core+0x867/0xcb0
[ 70.228509][ T8475] do_syscall_64+0x3a/0xb0
[ 70.233316][ C1] ip_list_rcv+0x34e/0x490
[ 70.239813][ T8475] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.244938][ C1] ? ip_rcv+0xd0/0xd0
[ 70.251557][ T8475] RIP: 0033:0x7f8a06a771b7
[ 70.256920][ C1] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 70.261625][ T8475] Code: f3 c3 90 f7 d8 89 05 88 bf 20 00 b8 ff ff ff ff c3 66 90 c7 05 76 bf 20 00 16 00 00 00 b8 ff ff ff ff c3 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8d 0d 59 bf 20 00 f7 d8 89 01 48 83
[ 70.266038][ C1] ? find_held_lock+0x2d/0x110
[ 70.270442][ T8475] RSP: 002b:00007ffc274732e8 EFLAGS: 00000246
[ 70.276655][ C1] ? ip_rcv+0xd0/0xd0
[ 70.280647][ T8475] ORIG_RAX: 0000000000000002
[ 70.285151][ C1] __netif_receive_skb_list_core+0x549/0x8e0
[ 70.291280][ T8475] RAX: ffffffffffffffda RBX: 00007ffc274733d0 RCX: 00007f8a06a771b7
[ 70.311662][ C1] ? process_backlog+0x6c0/0x6c0
[ 70.316440][ T8475] RDX: 00007f8a06c83170 RSI: 0000000000080000 RDI: 00007f8a06c83d68
[ 70.322507][ C1] ? ktime_get_with_offset+0x3f2/0x500
[ 70.326612][ T8475] RBP: 00007ffc27473340 R08: 0000000000000000 R09: 00007ffc274733bf
[ 70.331290][ C1] ? lockdep_hardirqs_on+0x79/0x100
[ 70.337353][ T8475] R10: 00007ffc274733d0 R11: 0000000000000246 R12: 00007f8a06c83170
[ 70.345468][ C1] netif_receive_skb_list_internal+0x75e/0xd80
[ 70.350514][ T8475] R13: 0000000000000000 R14: 00007ffc274733bf R15: 0000000000000000
[ 70.358709][ C1] ? __netif_receive_skb_list_core+0x8e0/0x8e0
[ 70.364173][ T8475] Modules linked in:
[ 70.372277][ C1] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 70.377647][ T8475]
[ 70.377660][ T8475] CR2: ffffea0003ffff88
[ 70.386021][ C1] ? detach_buf_split+0x599/0x7b0
[ 70.392316][ T8475] ---[ end trace 38b7662da3586fef ]---
[ 70.400620][ C1] ? __sanitizer_cov_trace_cmp2+0x22/0x80
[ 70.406790][ T8475] RIP: 0010:qlist_free_all+0x85/0xc0
[ 70.410846][ C1] napi_complete_done+0x1f1/0x880
[ 70.417256][ T8475] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 70.419682][ C1] virtnet_poll+0xbeb/0x1180
[ 70.424021][ T8475] RSP: 0018:ffffc900016afc88 EFLAGS: 00010282
[ 70.429050][ C1] ? receive_buf+0x6250/0x6250
[ 70.434500][ T8475]
[ 70.434509][ T8475] RAX: ffffea0003ffff80 RBX: ffff88801ca95500 RCX: 0000000000000000
[ 70.440227][ C1] __napi_poll+0xaf/0x440
[ 70.445583][ T8475] RDX: ffff888025589c80 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 70.450830][ C1] net_rx_action+0x801/0xb40
[ 70.470437][ T8475] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 70.475389][ C1] ? napi_threaded_poll+0x5b0/0x5b0
[ 70.481530][ T8475] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[ 70.486561][ C1] ? sched_clock_cpu+0x18/0x1f0
[ 70.488904][ T8475] R13: ffffc900016afcc0 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 70.497104][ C1] __do_softirq+0x29b/0x9fe
[ 70.501702][ T8475] FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 70.509730][ C1] __irq_exit_rcu+0x136/0x200
[ 70.514320][ T8475] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 70.522510][ C1] irq_exit_rcu+0x5/0x20
[ 70.527792][ T8475] CR2: ffffea0003ffff88 CR3: 0000000012fbf000 CR4: 00000000001506f0
[ 70.535757][ C1] common_interrupt+0x51/0xd0
[ 70.540612][ T8475] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 70.548796][ C1] ? asm_common_interrupt+0x8/0x40
[ 70.553298][ T8475] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 70.563010][ C1] asm_common_interrupt+0x1e/0x40
[ 70.567961][ T8475] Kernel panic - not syncing: Fatal exception
[ 70.574744][ C1] RIP: 0033:0x7fff783e59ad
[ 70.630006][ C1] Code: e0 89 c2 81 e2 83 08 00 00 0f 84 b5 00 00 00 4c 63 d7 49 c1 e2 04 4d 01 ca 45 8b 19 41 f6 c3 01 0f 85 8d 00 00 00 41 8b 41 04 <83> f8 01 75 6f 0f 01 f9 66 90 48 c1 e2 20 48 09 c2 48 85 d2 78 63
[ 70.650156][ C1] RSP: 002b:000000c00003ded0 EFLAGS: 00000246
[ 70.656250][ C1] RAX: 0000000000000001 RBX: 000000c00002e000 RCX: 0000000000000001
[ 70.664364][ C1] RDX: 0000000000000002 RSI: 000000c00003df00 RDI: 0000000000000001
[ 70.672619][ C1] RBP: 000000c00003def0 R08: 000000000000075d R09: 00007fff783e1080
[ 70.680758][ C1] R10: 00007fff783e1090 R11: 000000000000341e R12: 000000000043b6a0
[ 70.689096][ C1] R13: 0000000000000000 R14: 00000000009473c8 R15: 0000000000000000
[ 70.697193][ C1]
[ 70.699532][ C1] Allocated by task 1:
[ 70.703799][ C1] kasan_save_stack+0x1b/0x40
[ 70.708506][ C1] __kasan_slab_alloc+0x84/0xa0
[ 70.713529][ C1] kmem_cache_alloc+0x219/0x3a0
[ 70.718402][ C1] getname_flags.part.0+0x50/0x4f0
[ 70.723620][ C1] user_path_at_empty+0xa1/0x100
[ 70.728653][ C1] vfs_statx+0x142/0x390
[ 70.733000][ C1] __do_sys_newlstat+0x91/0x110
[ 70.739219][ C1] do_syscall_64+0x3a/0xb0
[ 70.744017][ C1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.750485][ C1]
[ 70.752823][ C1] The buggy address belongs to the object at ffff88801cb20000
[ 70.752823][ C1] which belongs to the cache names_cache of size 4096
[ 70.767238][ C1] The buggy address is located 8 bytes inside of
[ 70.767238][ C1] 4096-byte region [ffff88801cb20000, ffff88801cb21000)
[ 70.780690][ C1] The buggy address belongs to the page:
[ 70.786477][ C1] page:ffffea000072c800 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801cb20000 pfn:0x1cb20
[ 70.798197][ C1] head:ffffea000072c800 order:3 compound_mapcount:0 compound_pincount:0
[ 70.806538][ C1] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 70.814858][ C1] raw: 00fff00000010200 ffffea0000731400 0000000300000003 ffff8880111be280
[ 70.823624][ C1] raw: ffff88801cb20000 0000000080070006 00000001ffffffff 0000000000000000
[ 70.832622][ C1] page dumped because: kasan: bad access detected
[ 70.839411][ C1]
[ 70.841771][ C1] Memory state around the buggy address:
[ 70.847700][ C1] ffff88801cb1ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.855994][ C1] ffff88801cb1ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.864192][ C1] >ffff88801cb20000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.872457][ C1] ^
[ 70.877657][ C1] ffff88801cb20080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.886116][ C1] ffff88801cb20100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.894644][ C1] ==================================================================
[ 70.903661][ T8475] Kernel Offset: disabled
[ 70.908854][ T8475] Rebooting in 86400 seconds..