[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
2021/05/04 02:11:08 fuzzer started
2021/05/04 02:11:08 dialing manager at 10.128.0.169:34381
2021/05/04 02:11:08 syscalls: 3586
2021/05/04 02:11:08 code coverage: enabled
2021/05/04 02:11:08 comparison tracing: enabled
2021/05/04 02:11:08 extra coverage: enabled
2021/05/04 02:11:08 setuid sandbox: enabled
2021/05/04 02:11:08 namespace sandbox: enabled
2021/05/04 02:11:08 Android sandbox: /sys/fs/selinux/policy does not exist
2021/05/04 02:11:08 fault injection: enabled
2021/05/04 02:11:08 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/05/04 02:11:08 net packet injection: enabled
2021/05/04 02:11:08 net device setup: enabled
2021/05/04 02:11:08 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/05/04 02:11:08 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/05/04 02:11:08 USB emulation: enabled
2021/05/04 02:11:08 hci packet injection: enabled
2021/05/04 02:11:08 wifi device emulation: enabled
2021/05/04 02:11:08 802.15.4 emulation: enabled
2021/05/04 02:11:08 fetching corpus: 0, signal 0/2000 (executing program)
2021/05/04 02:11:09 fetching corpus: 50, signal 59776/63361 (executing program)
2021/05/04 02:11:09 fetching corpus: 100, signal 94392/99448 (executing program)
2021/05/04 02:11:09 fetching corpus: 150, signal 109041/115604 (executing program)
2021/05/04 02:11:10 fetching corpus: 200, signal 128680/136546 (executing program)
syzkaller login: [ 71.230794][ T3258] ieee802154 phy0 wpan0: encryption failed: -22
[ 71.237218][ T3258] ieee802154 phy1 wpan1: encryption failed: -22
2021/05/04 02:11:10 fetching corpus: 250, signal 145494/154559 (executing program)
2021/05/04 02:11:10 fetching corpus: 300, signal 158033/168333 (executing program)
2021/05/04 02:11:11 fetching corpus: 350, signal 169528/181005 (executing program)
2021/05/04 02:11:11 fetching corpus: 400, signal 181220/193828 (executing program)
2021/05/04 02:11:11 fetching corpus: 450, signal 191873/205533 (executing program)
2021/05/04 02:11:12 fetching corpus: 500, signal 210582/224963 (executing program)
2021/05/04 02:11:12 fetching corpus: 550, signal 222185/237386 (executing program)
2021/05/04 02:11:12 fetching corpus: 600, signal 232663/248715 (executing program)
2021/05/04 02:11:13 fetching corpus: 650, signal 239673/256639 (executing program)
2021/05/04 02:11:13 fetching corpus: 700, signal 247101/264941 (executing program)
2021/05/04 02:11:13 fetching corpus: 750, signal 253510/272163 (executing program)
2021/05/04 02:11:14 fetching corpus: 800, signal 262236/281630 (executing program)
2021/05/04 02:11:14 fetching corpus: 850, signal 269458/289566 (executing program)
2021/05/04 02:11:15 fetching corpus: 900, signal 275926/296780 (executing program)
2021/05/04 02:11:15 fetching corpus: 950, signal 283433/304913 (executing program)
2021/05/04 02:11:15 fetching corpus: 1000, signal 293289/315204 (executing program)
2021/05/04 02:11:16 fetching corpus: 1050, signal 299577/322078 (executing program)
2021/05/04 02:11:16 fetching corpus: 1100, signal 306312/329321 (executing program)
2021/05/04 02:11:16 fetching corpus: 1150, signal 311321/334896 (executing program)
2021/05/04 02:11:17 fetching corpus: 1200, signal 316272/340419 (executing program)
2021/05/04 02:11:17 fetching corpus: 1250, signal 319276/344099 (executing program)
2021/05/04 02:11:17 fetching corpus: 1300, signal 324482/349854 (executing program)
2021/05/04 02:11:18 fetching corpus: 1350, signal 327831/353894 (executing program)
2021/05/04 02:11:18 fetching corpus: 1400, signal 332758/359302 (executing program)
2021/05/04 02:11:18 fetching corpus: 1450, signal 337111/364131 (executing program)
2021/05/04 02:11:19 fetching corpus: 1500, signal 340237/367855 (executing program)
2021/05/04 02:11:19 fetching corpus: 1550, signal 344129/372186 (executing program)
2021/05/04 02:11:19 fetching corpus: 1600, signal 348116/376629 (executing program)
2021/05/04 02:11:20 fetching corpus: 1650, signal 350716/379820 (executing program)
2021/05/04 02:11:20 fetching corpus: 1700, signal 354497/384064 (executing program)
2021/05/04 02:11:20 fetching corpus: 1750, signal 359620/389449 (executing program)
2021/05/04 02:11:21 fetching corpus: 1800, signal 362669/392947 (executing program)
2021/05/04 02:11:21 fetching corpus: 1850, signal 366719/397308 (executing program)
2021/05/04 02:11:21 fetching corpus: 1900, signal 369998/400974 (executing program)
2021/05/04 02:11:21 fetching corpus: 1950, signal 374048/405282 (executing program)
2021/05/04 02:11:22 fetching corpus: 2000, signal 380198/411467 (executing program)
2021/05/04 02:11:22 fetching corpus: 2050, signal 383206/414839 (executing program)
2021/05/04 02:11:22 fetching corpus: 2100, signal 387246/419063 (executing program)
2021/05/04 02:11:23 fetching corpus: 2150, signal 391196/423168 (executing program)
[ 84.065884][ T8413] ==================================================================
[ 84.074298][ T8413] BUG: KASAN: use-after-free in __skb_datagram_iter+0x6b8/0x770
[ 84.081956][ T8413] Read of size 4 at addr ffff888031220004 by task syz-fuzzer/8413
[ 84.089755][ T8413]
[ 84.092070][ T8413] CPU: 1 PID: 8413 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 84.101614][ T8413] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 84.112026][ T8413] Call Trace:
[ 84.115306][ T8413] dump_stack+0x141/0x1d7
[ 84.119654][ T8413] ? __skb_datagram_iter+0x6b8/0x770
[ 84.124933][ T8413] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 84.131958][ T8413] ? __skb_datagram_iter+0x6b8/0x770
[ 84.137241][ T8413] ? __skb_datagram_iter+0x6b8/0x770
[ 84.142603][ T8413] kasan_report.cold+0x7c/0xd8
[ 84.147395][ T8413] ? __skb_datagram_iter+0x6b8/0x770
[ 84.152677][ T8413] __skb_datagram_iter+0x6b8/0x770
[ 84.157788][ T8413] ? zerocopy_sg_from_iter+0x110/0x110
[ 84.163259][ T8413] skb_copy_datagram_iter+0x40/0x50
[ 84.168454][ T8413] tcp_recvmsg_locked+0x1048/0x22f0
[ 84.173660][ T8413] ? tcp_splice_read+0x8b0/0x8b0
[ 84.178617][ T8413] ? mark_held_locks+0x9f/0xe0
[ 84.183482][ T8413] ? __local_bh_enable_ip+0xa0/0x120
[ 84.188775][ T8413] tcp_recvmsg+0x134/0x550
[ 84.193191][ T8413] ? tcp_recvmsg_locked+0x22f0/0x22f0
[ 84.198566][ T8413] ? aa_sk_perm+0x311/0xab0
[ 84.203068][ T8413] inet_recvmsg+0x11b/0x5e0
[ 84.207569][ T8413] ? inet_sendpage+0x140/0x140
[ 84.212349][ T8413] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 84.218607][ T8413] ? security_socket_recvmsg+0x8f/0xc0
[ 84.224077][ T8413] sock_read_iter+0x33c/0x470
[ 84.228780][ T8413] ? ____sys_recvmsg+0x600/0x600
[ 84.233721][ T8413] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 84.239962][ T8413] ? fsnotify+0xa58/0x1060
[ 84.244374][ T8413] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 84.250616][ T8413] new_sync_read+0x5b7/0x6e0
[ 84.255205][ T8413] ? ksys_lseek+0x1b0/0x1b0
[ 84.259702][ T8413] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 84.265696][ T8413] vfs_read+0x35c/0x570
[ 84.269848][ T8413] ksys_read+0x1ee/0x250
[ 84.274094][ T8413] ? vfs_write+0xa40/0xa40
[ 84.278525][ T8413] ? syscall_enter_from_user_mode+0x27/0x70
[ 84.284439][ T8413] do_syscall_64+0x3a/0xb0
[ 84.288852][ T8413] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.294740][ T8413] RIP: 0033:0x4af19b
[ 84.298627][ T8413] Code: fb ff eb bd e8 a6 b6 fb ff e9 61 ff ff ff cc e8 9b 82 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 84.318232][ T8413] RSP: 002b:000000c000389828 EFLAGS: 00000212 ORIG_RAX: 0000000000000000
[ 84.326642][ T8413] RAX: ffffffffffffffda RBX: 000000c00001c000 RCX: 00000000004af19b
[ 84.334605][ T8413] RDX: 0000000000001000 RSI: 000000c0000c0000 RDI: 0000000000000006
[ 84.342573][ T8413] RBP: 000000c000389878 R08: 0000000000000001 R09: 0000000000000002
[ 84.350533][ T8413] R10: 000000000000001b R11: 0000000000000212 R12: 0000000000b97a20
[ 84.358493][ T8413] R13: ffffffffffffffff R14: 0000000000000008 R15: 0000000000000008
[ 84.366470][ T8413]
[ 84.368780][ T8413] The buggy address belongs to the page:
[ 84.374393][ T8413] page:ffffea0000c48800 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x31220
[ 84.384794][ T8413] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 84.391904][ T8413] raw: 00fff00000000000 ffffea0000ac5808 ffffea0000b0a808 0000000000000000
[ 84.400478][ T8413] raw: 0000000000000000 0000000000000005 00000000ffffff7f 0000000000000000
[ 84.409065][ T8413] page dumped because: kasan: bad access detected
[ 84.415469][ T8413]
[ 84.417778][ T8413] Memory state around the buggy address:
[ 84.423414][ T8413] ffff88803121ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 84.431490][ T8413] ffff88803121ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 84.439541][ T8413] >ffff888031220000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.447586][ T8413] ^
[ 84.451641][ T8413] ffff888031220080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.459688][ T8413] ffff888031220100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.467733][ T8413] ==================================================================
[ 84.481420][ T8413] Disabling lock debugging due to kernel taint
[ 84.498910][ T8413] Kernel panic - not syncing: panic_on_warn set ...
[ 84.505618][ T8413] CPU: 0 PID: 8413 Comm: syz-fuzzer Tainted: G B 5.12.0-rc8-next-20210423-syzkaller #0
[ 84.521075][ T8413] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 84.533223][ T8413] Call Trace:
[ 84.536514][ T8413] dump_stack+0x141/0x1d7
[ 84.541640][ T8413] panic+0x306/0x73d
[ 84.545673][ T8413] ? __warn_printk+0xf3/0xf3
[ 84.550656][ T8413] ? preempt_schedule_common+0x59/0xc0
[ 84.556223][ T8413] ? __skb_datagram_iter+0x6b8/0x770
[ 84.561549][ T8413] ? preempt_schedule_thunk+0x16/0x18
[ 84.567113][ T8413] ? trace_hardirqs_on+0x38/0x1c0
[ 84.572252][ T8413] ? trace_hardirqs_on+0x51/0x1c0
[ 84.577383][ T8413] ? __skb_datagram_iter+0x6b8/0x770
[ 84.584413][ T8413] ? __skb_datagram_iter+0x6b8/0x770
[ 84.589970][ T8413] end_report.cold+0x5a/0x5a
[ 84.595062][ T8413] kasan_report.cold+0x6a/0xd8
[ 84.601129][ T8413] ? __skb_datagram_iter+0x6b8/0x770
[ 84.608464][ T8413] __skb_datagram_iter+0x6b8/0x770
[ 84.614142][ T8413] ? zerocopy_sg_from_iter+0x110/0x110
[ 84.619863][ T8413] skb_copy_datagram_iter+0x40/0x50
[ 84.625778][ T8413] tcp_recvmsg_locked+0x1048/0x22f0
[ 84.631058][ T8413] ? tcp_splice_read+0x8b0/0x8b0
[ 84.635997][ T8413] ? mark_held_locks+0x9f/0xe0
[ 84.641405][ T8413] ? __local_bh_enable_ip+0xa0/0x120
[ 84.646896][ T8413] tcp_recvmsg+0x134/0x550
[ 84.651317][ T8413] ? tcp_recvmsg_locked+0x22f0/0x22f0
[ 84.656690][ T8413] ? aa_sk_perm+0x311/0xab0
[ 84.661186][ T8413] inet_recvmsg+0x11b/0x5e0
[ 84.665850][ T8413] ? inet_sendpage+0x140/0x140
[ 84.670606][ T8413] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 84.677018][ T8413] ? security_socket_recvmsg+0x8f/0xc0
[ 84.682485][ T8413] sock_read_iter+0x33c/0x470
[ 84.687155][ T8413] ? ____sys_recvmsg+0x600/0x600
[ 84.692103][ T8413] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 84.698482][ T8413] ? fsnotify+0xa58/0x1060
[ 84.702913][ T8413] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 84.709145][ T8413] new_sync_read+0x5b7/0x6e0
[ 84.713888][ T8413] ? ksys_lseek+0x1b0/0x1b0
[ 84.718795][ T8413] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 84.725515][ T8413] vfs_read+0x35c/0x570
[ 84.730909][ T8413] ksys_read+0x1ee/0x250
[ 84.735652][ T8413] ? vfs_write+0xa40/0xa40
[ 84.740663][ T8413] ? syscall_enter_from_user_mode+0x27/0x70
[ 84.748223][ T8413] do_syscall_64+0x3a/0xb0
[ 84.756693][ T8413] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 84.762742][ T8413] RIP: 0033:0x4af19b
[ 84.767198][ T8413] Code: fb ff eb bd e8 a6 b6 fb ff e9 61 ff ff ff cc e8 9b 82 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 84.787876][ T8413] RSP: 002b:000000c000389828 EFLAGS: 00000212 ORIG_RAX: 0000000000000000
[ 84.796695][ T8413] RAX: ffffffffffffffda RBX: 000000c00001c000 RCX: 00000000004af19b
[ 84.805091][ T8413] RDX: 0000000000001000 RSI: 000000c0000c0000 RDI: 0000000000000006
[ 84.813048][ T8413] RBP: 000000c000389878 R08: 0000000000000001 R09: 0000000000000002
[ 84.821699][ T8413] R10: 000000000000001b R11: 0000000000000212 R12: 0000000000b97a20
[ 84.829942][ T8413] R13: ffffffffffffffff R14: 0000000000000008 R15: 0000000000000008
[ 84.840191][ T8413] Kernel Offset: disabled
[ 84.845576][ T8413] Rebooting in 86400 seconds..