Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.39' (ECDSA) to the list of known hosts.
2021/04/27 00:21:38 fuzzer started
2021/04/27 00:21:39 dialing manager at 10.128.0.169:39645
2021/04/27 00:21:39 syscalls: 3560
2021/04/27 00:21:39 code coverage: enabled
2021/04/27 00:21:39 comparison tracing: enabled
2021/04/27 00:21:39 extra coverage: enabled
2021/04/27 00:21:39 setuid sandbox: enabled
2021/04/27 00:21:39 namespace sandbox: enabled
2021/04/27 00:21:39 Android sandbox: /sys/fs/selinux/policy does not exist
2021/04/27 00:21:39 fault injection: enabled
2021/04/27 00:21:39 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/04/27 00:21:39 net packet injection: enabled
2021/04/27 00:21:39 net device setup: enabled
2021/04/27 00:21:39 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/04/27 00:21:39 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/04/27 00:21:39 USB emulation: enabled
2021/04/27 00:21:39 hci packet injection: enabled
2021/04/27 00:21:39 wifi device emulation: enabled
2021/04/27 00:21:39 802.15.4 emulation: enabled
2021/04/27 00:21:39 fetching corpus: 0, signal 0/2000 (executing program)

syzkaller login:

The console output below was written concurrently by two contexts and arrived interleaved line by line; the lines are regrouped here by printk caller id, with the original timestamps kept so the global order can still be read off.

Lines tagged C0 (CPU 0, interrupt context, task syz-fuzzer/8445): KASAN use-after-free report

[   68.991650][    C0] ==================================================================
[   68.999937][    C0] BUG: KASAN: use-after-free in skb_try_coalesce+0x1335/0x1440
[   69.015159][    C0] Write of size 4 at addr ffff88801d120008 by task syz-fuzzer/8445
[   69.027067][    C0]
[   69.027076][    C0] CPU: 0 PID: 8445 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[   69.039666][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.056172][    C0] Call Trace:
[   69.070255][    C0]  dump_stack+0x141/0x1d7
[   69.077727][    C0]  ? skb_try_coalesce+0x1335/0x1440
[   69.090932][    C0]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   69.105268][    C0]  ? skb_try_coalesce+0x1335/0x1440
[   69.115693][    C0]  ? skb_try_coalesce+0x1335/0x1440
[   69.142271][    C0]  kasan_report.cold+0x7c/0xd8
[   69.153490][    C0]  ? __sanitizer_cov_trace_cmp8+0x51/0x70
[   69.160978][    C0]  ? skb_try_coalesce+0x1335/0x1440
[   69.173679][    C0]  skb_try_coalesce+0x1335/0x1440
[   69.187330][    C0]  tcp_try_coalesce+0x393/0x920
[   69.200539][    C0]  ? mark_held_locks+0x9f/0xe0
[   69.213489][    C0]  ? tcp_urg.part.0+0x2d0/0x2d0
[   69.226261][    C0]  ? ktime_get+0x38a/0x470
[   69.239922][    C0]  ? lockdep_hardirqs_on+0x79/0x100
[   69.251313][    C0]  tcp_queue_rcv+0x8a/0x6e0
[   69.264609][    C0]  tcp_rcv_established+0x1756/0x1eb0
[   69.277736][    C0]  ? tcp_data_queue+0x4b10/0x4b10
[   69.290158][    C0]  ? do_raw_spin_lock+0x120/0x2b0
[   69.298853][    C0]  tcp_v4_do_rcv+0x5d1/0x870
[   69.308963][    C0]  tcp_v4_rcv+0x3298/0x3950
[   69.318272][    C0]  ? tcp_v4_early_demux+0x8f0/0x8f0
[   69.328869][    C0]  ? lock_release+0x720/0x720
[   69.338088][    C0]  ip_protocol_deliver_rcu+0xa7/0xa20
[   69.347387][    C0]  ip_local_deliver_finish+0x20a/0x370
[   69.357560][    C0]  ip_local_deliver+0x1b3/0x200
[   69.366342][    C0]  ip_sublist_rcv_finish+0x9a/0x2c0
[   69.377741][    C0]  ip_list_rcv_finish.constprop.0+0x51e/0x6e0
[   69.387652][    C0]  ? ip_rcv_finish_core.constprop.0+0x1e80/0x1e80
[   69.398703][    C0]  ? ip_list_rcv_finish.constprop.0+0x6e0/0x6e0
[   69.409225][    C0]  ? ip_rcv_core+0x867/0xcb0
[   69.420527][    C0]  ip_list_rcv+0x34e/0x490
[   69.431132][    C0]  ? ip_rcv+0xd0/0xd0
[   69.442083][    C0]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   69.451386][    C0]  ? find_held_lock+0x2d/0x110
[   69.460514][    C0]  ? ip_rcv+0xd0/0xd0
[   69.469908][    C0]  __netif_receive_skb_list_core+0x549/0x8e0
[   69.481119][    C0]  ? process_backlog+0x6c0/0x6c0
[   69.492063][    C0]  ? ktime_get_with_offset+0x3f2/0x500
[   69.500419][    C0]  ? lockdep_hardirqs_on+0x79/0x100
[   69.512242][    C0]  netif_receive_skb_list_internal+0x75e/0xd80
[   69.521558][    C0]  ? __netif_receive_skb_list_core+0x8e0/0x8e0
[   69.546598][    C0]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   69.557813][    C0]  ? detach_buf_split+0x599/0x7b0
[   69.568595][    C0]  ? __sanitizer_cov_trace_cmp2+0x22/0x80
[   69.582670][    C0]  napi_complete_done+0x1f1/0x880
[   69.596830][    C0]  virtnet_poll+0xbeb/0x1180
[   69.609789][    C0]  ? receive_buf+0x6250/0x6250
[   69.623433][    C0]  __napi_poll+0xaf/0x440
[   69.637242][    C0]  net_rx_action+0x801/0xb40
[   69.645678][    C0]  ? napi_threaded_poll+0x5b0/0x5b0
[   69.652121][    C0]  __do_softirq+0x29b/0x9fe
[   69.662287][    C0]  __irq_exit_rcu+0x136/0x200
[   69.671850][    C0]  irq_exit_rcu+0x5/0x20
[   69.699052][    C0]  common_interrupt+0x51/0xd0
[   69.710269][    C0]  ? asm_common_interrupt+0x8/0x40
[   69.717051][    C0]  asm_common_interrupt+0x1e/0x40
[   69.729654][    C0] RIP: 0033:0x63254c
[   69.741816][    C0] Code: 00 e8 d8 9d e3 ff eb c7 48 89 d9 41 d3 e8 44 89 46 18 48 29 cf 48 89 7e 20 41 c1 e9 04 4c 89 4c 24 68 0f 57 c0 0f 11 44 24 70 <48> 8b 6c 24 48 48 83 c4 50 c3 45 89 c1 41 89 c0 0f 1f 40 00 e9 3b
[   69.754411][    C0] RSP: 002b:000000c000391a98 EFLAGS: 00000203
[   69.767441][    C0]
[   69.767449][    C0] RAX: 000000000007f909 RBX: 0000000000000008 RCX: 0000000000000008
[   69.780386][    C0] RDX: 000000c0005d2028 RSI: 000000c0005d2000 RDI: 000000000000000c
[   69.793153][    C0] RBP: 000000c000391ae0 R08: 00000000000007f9 R09: 00000000000000cb
[   69.881430][    C0] R10: 0000000000003dcf R11: 0000000000003bf5 R12: 0000000000003dcb
[   69.889392][    C0] R13: 0000000000000080 R14: 0000000000000002 R15: 0000000000000002
[   69.897368][    C0]
[   69.899675][    C0] Allocated by task 1:
[   69.903721][    C0]  kasan_save_stack+0x1b/0x40
[   69.908395][    C0]  __kasan_slab_alloc+0x84/0xa0
[   69.913237][    C0]  kmem_cache_alloc+0x219/0x3a0
[   69.918080][    C0]  getname_flags.part.0+0x50/0x4f0
[   69.923187][    C0]  getname+0x8e/0xd0
[   69.927080][    C0]  do_sys_openat2+0xf5/0x420
[   69.931656][    C0]  __x64_sys_open+0x119/0x1c0
[   69.936319][    C0]  do_syscall_64+0x3a/0xb0
[   69.940729][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   69.946614][    C0]
[   69.948922][    C0] The buggy address belongs to the object at ffff88801d120000
[   69.948922][    C0]  which belongs to the cache names_cache of size 4096
[   69.963057][    C0] The buggy address is located 8 bytes inside of
[   69.963057][    C0]  4096-byte region [ffff88801d120000, ffff88801d121000)
[   69.976249][    C0] The buggy address belongs to the page:
[   69.981857][    C0] page:ffffea0000744800 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801d120000 pfn:0x1d120
[   69.993297][    C0] head:ffffea0000744800 order:3 compound_mapcount:0 compound_pincount:0
[   70.001607][    C0] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   70.009585][    C0] raw: 00fff00000010200 0000000000000000 0000000100000001 ffff8880111be280
[   70.018159][    C0] raw: ffff88801d120000 0000000080070002 00000001ffffffff 0000000000000000
[   70.026734][    C0] page dumped because: kasan: bad access detected
[   70.033126][    C0]
[   70.035430][    C0] Memory state around the buggy address:
[   70.041043][    C0]  ffff88801d11ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   70.049089][    C0]  ffff88801d11ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   70.057139][    C0] >ffff88801d120000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.065183][    C0]                       ^
[   70.069494][    C0]  ffff88801d120080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.077541][    C0]  ffff88801d120100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.085596][    C0] ==================================================================

Lines tagged T8451 (PID 8451, ifupdown-hotplug, CPU 1): page-fault Oops and panic

[   68.995967][ T8451] BUG: unable to handle page fault for address: ffffea0003ffff88
[   69.007637][ T8451] #PF: supervisor read access in kernel mode
[   69.007650][ T8451] #PF: error_code(0x0000) - not-present page
[   69.021114][ T8451] PGD 13fff8067 P4D 13fff8067
[   69.034929][ T8451] PUD 13fff7067 PMD 0
[   69.041971][ T8451]
[   69.041977][ T8451] Oops: 0000 [#1] PREEMPT SMP KASAN
[   69.060213][ T8451] CPU: 1 PID: 8451 Comm: ifupdown-hotplu Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[   69.072555][ T8451] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.080988][ T8451] RIP: 0010:qlist_free_all+0x85/0xc0
[   69.095236][ T8451] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[   69.110437][ T8451] RSP: 0018:ffffc900016df980 EFLAGS: 00010282
[   69.122688][ T8451]
[   69.122693][ T8451] RAX: ffffea0003ffff80 RBX: ffff88801a398000 RCX: 0000000000000000
[   69.147447][ T8451] RDX: ffff888023ff1c80 RSI: ffff8880ffffea00 RDI: 0000000000000003
[   69.158659][ T8451] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[   69.168927][ T8451] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[   69.181628][ T8451] R13: ffffc900016df9b8 R14: ffffea0000000000 R15: ffff8880ffffea00
[   69.195356][ T8451] FS:  00007f2268bd9480(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[   69.208489][ T8451] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   69.221440][ T8451] CR2: ffffea0003ffff88 CR3: 00000000151cb000 CR4: 00000000001506e0
[   69.235166][ T8451] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   69.246479][ T8451] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   69.260214][ T8451] Call Trace:
[   69.260224][ T8451]  kasan_quarantine_reduce+0x180/0x200
[   69.272558][ T8451]  __kasan_slab_alloc+0x8e/0xa0
[   69.285681][ T8451]  __kmalloc+0x1f7/0x330
[   69.293421][ T8451]  tomoyo_realpath_from_path+0xc3/0x620
[   69.304109][ T8451]  ? tomoyo_profile+0x42/0x50
[   69.313964][ T8451]  tomoyo_path_perm+0x21b/0x400
[   69.323264][ T8451]  ? tomoyo_path_perm+0x1c1/0x400
[   69.333434][ T8451]  ? putname+0xe1/0x120
[   69.342561][ T8451]  ? tomoyo_check_open_permission+0x380/0x380
[   69.352561][ T8451]  ? may_linkat+0x2d0/0x2d0
[   69.362217][ T8451]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   69.371683][ T8451]  ? getname_flags.part.0+0x1dd/0x4f0
[   69.383174][ T8451]  security_inode_getattr+0xcf/0x140
[   69.392477][ T8451]  vfs_statx+0x164/0x390
[   69.403877][ T8451]  ? do_readlinkat+0x2f0/0x2f0
[   69.415268][ T8451]  __do_sys_newstat+0x91/0x110
[   69.426910][ T8451]  ? __do_sys_stat+0x110/0x110
[   69.437341][ T8451]  ? __context_tracking_exit+0xb8/0xe0
[   69.446651][ T8451]  ? __secure_computing+0x104/0x360
[   69.455775][ T8451]  ? syscall_trace_enter.constprop.0+0x94/0x270
[   69.464471][ T8451]  do_syscall_64+0x3a/0xb0
[   69.475861][ T8451]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   69.485852][ T8451] RIP: 0033:0x7f22686f6295
[   69.496031][ T8451] Code: 00 00 00 e8 5d 01 00 00 48 83 c4 18 c3 0f 1f 84 00 00 00 00 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 04 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 d1 db 2b 00 f7 d8 64 89
[   69.506370][ T8451] RSP: 002b:00007ffea4914d48 EFLAGS: 00000246
[   69.517162][ T8451]  ORIG_RAX: 0000000000000004
[   69.517172][ T8451] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f22686f6295
[   69.526998][ T8451] RDX: 00007ffea4914d50 RSI: 00007ffea4914d50 RDI: 00005576d61d6480
[   69.551771][ T8451] RBP: 00005576d61d6480 R08: 00005576d4c15320 R09: 0000000000000000
[   69.563938][ T8451] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   69.576541][ T8451] R13: 0000000000000000 R14: 00005576d61d64d0 R15: 00005576d4c15ce4
[   69.590622][ T8451] Modules linked in:
[   69.604787][ T8451]
[   69.604795][ T8451] CR2: ffffea0003ffff88
[   69.617740][ T8451] ---[ end trace 27ceb2ce26dbfe4a ]---
[   69.632241][ T8451] RIP: 0010:qlist_free_all+0x85/0xc0
[   69.641108][ T8451] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[   69.647980][ T8451] RSP: 0018:ffffc900016df980 EFLAGS: 00010282
[   69.656852][ T8451]
[   69.656857][ T8451] RAX: ffffea0003ffff80 RBX: ffff88801a398000 RCX: 0000000000000000
[   69.666592][ T8451] RDX: ffff888023ff1c80 RSI: ffff8880ffffea00 RDI: 0000000000000003
[   69.679362][ T8451] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[   69.704229][ T8451] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[   69.714743][ T8451] R13: ffffc900016df9b8 R14: ffffea0000000000 R15: ffff8880ffffea00
[   69.725001][ T8451] FS:  00007f2268bd9480(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[   69.737601][ T8451] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   69.749764][ T8451] CR2: ffffea0003ffff88 CR3: 00000000151cb000 CR4: 00000000001506e0
[   69.762357][ T8451] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   69.775389][ T8451] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   69.789288][ T8451] Kernel panic - not syncing: Fatal exception
[   70.094159][ T8451] Kernel Offset: disabled
[   70.098474][ T8451] Rebooting in 86400 seconds..
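The two reports above were printed at the same time by CPU 0 (caller id C0) and by the ifupdown-hotplug task (caller id T8451), so the raw console log interleaves them line by line. The script below is an added example, not part of this log or of the syzkaller project: it splits a console log of this format by printk caller id and pulls out the fields a triager reads first (the BUG line, the faulting access, the kernel-mode RIP and CR2, the reliable Call Trace frames, the KASAN Allocated-by/Freed-by stacks and the slab cache). The embedded SAMPLE_LOG is a constructed subset of the lines above; the field names in the summary dictionary are this example's own choice.

```python
"""De-interleave a syzkaller console log by printk caller id and summarize it."""
import re
from collections import OrderedDict

# printk prefix "[<timestamp>][<caller id>] <message>": the caller id is Cn for
# CPU n in interrupt context or Tn for the task with PID n. Anything before the
# prefix on the same line (e.g. the "syzkaller login: " prompt) is ignored.
LINE_RE = re.compile(r'\[\s*(?P<ts>\d+\.\d+)\]\[\s*(?P<ctx>[CT]\d+)\] ?(?P<msg>.*)$')
# One stack frame: optional "? " (unreliable-frame marker), then symbol+0xoff/0xsize.
FRAME_RE = re.compile(r'^\s*(?:\? )?[A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+$')
SECTION_STARTS = (('Call Trace:', 'call_trace'),
                  ('Allocated by task', 'alloc_stack'),
                  ('Freed by task', 'free_stack'))

# Constructed sample: a subset of the console lines from the log above.
SAMPLE_LOG = """\
2021/04/27 00:21:39 fetching corpus: 0, signal 0/2000 (executing program)
syzkaller login: [   68.991650][    C0] ==================================================================
[   68.995967][ T8451] BUG: unable to handle page fault for address: ffffea0003ffff88
[   68.999937][    C0] BUG: KASAN: use-after-free in skb_try_coalesce+0x1335/0x1440
[   69.007637][ T8451] #PF: supervisor read access in kernel mode
[   69.015159][    C0] Write of size 4 at addr ffff88801d120008 by task syz-fuzzer/8445
[   69.027067][    C0]
[   69.027076][    C0] CPU: 0 PID: 8445 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[   69.056172][    C0] Call Trace:
[   69.070255][    C0]  dump_stack+0x141/0x1d7
[   69.077727][    C0]  ? skb_try_coalesce+0x1335/0x1440
[   69.080988][ T8451] RIP: 0010:qlist_free_all+0x85/0xc0
[   69.173679][    C0]  skb_try_coalesce+0x1335/0x1440
[   69.187330][    C0]  tcp_try_coalesce+0x393/0x920
[   69.221440][ T8451] CR2: ffffea0003ffff88 CR3: 00000000151cb000 CR4: 00000000001506e0
[   69.260214][ T8451] Call Trace:
[   69.260224][ T8451]  kasan_quarantine_reduce+0x180/0x200
[   69.272558][ T8451]  __kasan_slab_alloc+0x8e/0xa0
[   69.789288][ T8451] Kernel panic - not syncing: Fatal exception
[   69.899675][    C0] Allocated by task 1:
[   69.903721][    C0]  kasan_save_stack+0x1b/0x40
[   69.918080][    C0]  getname_flags.part.0+0x50/0x4f0
[   69.946614][    C0]
[   69.948922][    C0] The buggy address belongs to the object at ffff88801d120000
[   69.948922][    C0]  which belongs to the cache names_cache of size 4096
"""


def parse(text):
    """Yield (timestamp, caller id, message) for every tagged console line."""
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            yield float(m['ts']), m['ctx'], m['msg'].rstrip()


def split_by_context(text):
    """Group tagged lines by caller id, keeping the order within each context."""
    streams = OrderedDict()
    for ts, ctx, msg in parse(text):
        streams.setdefault(ctx, []).append((ts, msg))
    return streams


def summarize(stream):
    """Extract the first-look triage fields from one context's lines."""
    info = {'bug': None, 'access': None, 'rip': None, 'cr2': None, 'cache': None,
            'panic': False, 'call_trace': [], 'alloc_stack': [], 'free_stack': []}
    section = None
    for _, msg in stream:
        line = msg.strip()
        if section and FRAME_RE.match(line):
            if not line.startswith('?'):          # keep reliable frames only
                info[section].append(line)
            continue
        section = None                            # any non-frame line ends a stack
        for prefix, key in SECTION_STARTS:
            if line.startswith(prefix) and not info[key]:
                section = key
        if line.startswith('BUG: ') and info['bug'] is None:
            info['bug'] = line[5:]
        elif info['access'] is None and re.match(r'(Read|Write) of size|#PF: ', line):
            info['access'] = line.split(': ', 1)[-1] if line.startswith('#PF') else line
        elif line.startswith('RIP: 0010:') and info['rip'] is None:   # kernel-mode RIP
            info['rip'] = line[len('RIP: 0010:'):]
        elif line.startswith('CR2: ') and info['cr2'] is None:
            info['cr2'] = line.split()[1]
        elif line.startswith('Kernel panic'):
            info['panic'] = True
        else:
            m = re.search(r'belongs to the cache (\S+) of size (\d+)', line)
            if m:
                info['cache'] = (m.group(1), int(m.group(2)))
    return info


def triage(text):
    """Map each caller id in the log to its summary."""
    return OrderedDict((ctx, summarize(s)) for ctx, s in split_by_context(text).items())


if __name__ == '__main__':
    for ctx, info in triage(SAMPLE_LOG).items():
        print(ctx, info['bug'], info['rip'] or '', '->', ' <- '.join(info['call_trace']))
```

Frames prefixed with "?" are stale return addresses the unwinder found on the stack and are dropped from the summary; the raw per-context streams from split_by_context still contain them for anyone who wants the full trace.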