[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.161' (ECDSA) to the list of known hosts.
2021/05/03 08:05:17 fuzzer started
2021/05/03 08:05:18 dialing manager at 10.128.0.169:44661
2021/05/03 08:05:18 syscalls: 3571
2021/05/03 08:05:18 code coverage: enabled
2021/05/03 08:05:18 comparison tracing: enabled
2021/05/03 08:05:18 extra coverage: enabled
2021/05/03 08:05:18 setuid sandbox: enabled
2021/05/03 08:05:18 namespace sandbox: enabled
2021/05/03 08:05:18 Android sandbox: /sys/fs/selinux/policy does not exist
2021/05/03 08:05:18 fault injection: enabled
2021/05/03 08:05:18 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/05/03 08:05:18 net packet injection: enabled
2021/05/03 08:05:18 net device setup: enabled
2021/05/03 08:05:18 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/05/03 08:05:18 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/05/03 08:05:18 USB emulation: enabled
2021/05/03 08:05:18 hci packet injection: enabled
2021/05/03 08:05:18 wifi device emulation: enabled
2021/05/03 08:05:18 802.15.4 emulation: enabled
2021/05/03 08:05:18 fetching corpus: 0, signal 0/2000 (executing program)
2021/05/03 08:05:19 fetching corpus: 50, signal 60693/64374 (executing program)
2021/05/03 08:05:19 fetching corpus: 100, signal 90632/95928 (executing program)
syzkaller login: [ 73.266734][ T8439] ==================================================================
[ 73.274971][ T8439] BUG: KASAN: use-after-free in __skb_datagram_iter+0x6b8/0x770
[ 73.282654][ T8439] Read of size 4 at addr ffff888031068004 by task syz-fuzzer/8439
[ 73.290500][ T8439]
[ 73.292843][ T8439] CPU: 1 PID: 8439 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 73.302395][ T8439] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.312464][ T8439] Call Trace:
[ 73.315757][ T8439] dump_stack+0x141/0x1d7
[ 73.320120][ T8439] ? __skb_datagram_iter+0x6b8/0x770
[ 73.325419][ T8439] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 73.332468][ T8439] ? __skb_datagram_iter+0x6b8/0x770
[ 73.337769][ T8439] ? __skb_datagram_iter+0x6b8/0x770
[ 73.343061][ T8439] kasan_report.cold+0x7c/0xd8
[ 73.347842][ T8439] ? __skb_datagram_iter+0x6b8/0x770
[ 73.353258][ T8439] __skb_datagram_iter+0x6b8/0x770
[ 73.358393][ T8439] ? zerocopy_sg_from_iter+0x110/0x110
[ 73.363882][ T8439] skb_copy_datagram_iter+0x40/0x50
[ 73.369099][ T8439] tcp_recvmsg_locked+0x1048/0x22f0
[ 73.374346][ T8439] ? tcp_splice_read+0x8b0/0x8b0
[ 73.379296][ T8439] ? mark_held_locks+0x9f/0xe0
[ 73.384077][ T8439] ? __local_bh_enable_ip+0xa0/0x120
[ 73.389379][ T8439] tcp_recvmsg+0x134/0x550
[ 73.393808][ T8439] ? tcp_recvmsg_locked+0x22f0/0x22f0
[ 73.399197][ T8439] ? aa_sk_perm+0x311/0xab0
[ 73.403714][ T8439] inet_recvmsg+0x11b/0x5e0
[ 73.408229][ T8439] ? inet_sendpage+0x140/0x140
[ 73.413004][ T8439] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.419256][ T8439] ? security_socket_recvmsg+0x8f/0xc0
[ 73.424745][ T8439] sock_read_iter+0x33c/0x470
[ 73.429448][ T8439] ? ____sys_recvmsg+0x600/0x600
[ 73.434422][ T8439] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.440685][ T8439] ? fsnotify+0xa58/0x1060
[ 73.445114][ T8439] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.451460][ T8439] new_sync_read+0x5b7/0x6e0
[ 73.456067][ T8439] ? ksys_lseek+0x1b0/0x1b0
[ 73.460590][ T8439] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.466614][ T8439] vfs_read+0x35c/0x570
[ 73.470785][ T8439] ksys_read+0x1ee/0x250
[ 73.475038][ T8439] ? vfs_write+0xa40/0xa40
[ 73.479487][ T8439] ? syscall_enter_from_user_mode+0x27/0x70
[ 73.485394][ T8439] do_syscall_64+0x3a/0xb0
[ 73.489829][ T8439] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.496168][ T8439] RIP: 0033:0x4af19b
[ 73.500074][ T8439] Code: fb ff eb bd e8 a6 b6 fb ff e9 61 ff ff ff cc e8 9b 82 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 73.519865][ T8439] RSP: 002b:000000c0003d7828 EFLAGS: 00000212 ORIG_RAX: 0000000000000000
[ 73.528387][ T8439] RAX: ffffffffffffffda RBX: 000000c00001c000 RCX: 00000000004af19b
[ 73.536400][ T8439] RDX: 0000000000001000 RSI: 000000c0002e0000 RDI: 0000000000000006
[ 73.544380][ T8439] RBP: 000000c0003d7878 R08: 0000000000000001 R09: 0000000000000002
[ 73.552358][ T8439] R10: 0000000000007044 R11: 0000000000000212 R12: 0000000000007040
[ 73.561375][ T8439] R13: 0000000000000100 R14: 0000000000000002 R15: 0000000000000002
[ 73.569459][ T8439]
[ 73.571786][ T8439] Allocated by task 1:
[ 73.575870][ T8439] kasan_save_stack+0x1b/0x40
[ 73.580630][ T8439] __kasan_kmalloc+0x9b/0xd0
[ 73.585227][ T8439] tomoyo_realpath_from_path+0xc3/0x620
[ 73.590780][ T8439] tomoyo_path_perm+0x21b/0x400
[ 73.596432][ T8439] security_inode_getattr+0xcf/0x140
[ 73.601797][ T8439] vfs_statx+0x164/0x390
[ 73.606050][ T8439] __do_sys_newlstat+0x91/0x110
[ 73.610910][ T8439] do_syscall_64+0x3a/0xb0
[ 73.615336][ T8439] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.621236][ T8439]
[ 73.623556][ T8439] Freed by task 16462:
[ 73.627615][ T8439] kasan_save_stack+0x1b/0x40
[ 73.632305][ T8439] kasan_set_track+0x1c/0x30
[ 73.636903][ T8439] kasan_set_free_info+0x20/0x30
[ 73.641844][ T8439] __kasan_slab_free+0xfb/0x130
[ 73.646697][ T8439] slab_free_freelist_hook+0xdf/0x240
[ 73.652073][ T8439] kfree+0xe5/0x7f0
[ 73.655886][ T8439] tomoyo_realpath_from_path+0x191/0x620
[ 73.661616][ T8439] tomoyo_path_perm+0x21b/0x400
[ 73.666482][ T8439] security_inode_getattr+0xcf/0x140
[ 73.671873][ T8439] vfs_statx+0x164/0x390
[ 73.676148][ T8439] __do_sys_newlstat+0x91/0x110
[ 73.681096][ T8439] do_syscall_64+0x3a/0xb0
[ 73.685524][ T8439] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.691788][ T8439]
[ 73.694121][ T8439] The buggy address belongs to the object at ffff888031068000
[ 73.694121][ T8439]  which belongs to the cache kmalloc-4k of size 4096
[ 73.708178][ T8439] The buggy address is located 4 bytes inside of
[ 73.708178][ T8439]  4096-byte region [ffff888031068000, ffff888031069000)
[ 73.721463][ T8439] The buggy address belongs to the page:
[ 73.727546][ T8439] page:ffffea0000c41a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x31068
[ 73.737705][ T8439] head:ffffea0000c41a00 order:3 compound_mapcount:0 compound_pincount:0
[ 73.746040][ T8439] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 73.754040][ T8439] raw: 00fff00000010200 ffffea0000a2d800 0000000200000002 ffff888011042140
[ 73.762645][ T8439] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 73.771228][ T8439] page dumped because: kasan: bad access detected
[ 73.777636][ T8439]
[ 73.779954][ T8439] Memory state around the buggy address:
[ 73.785580][ T8439]  ffff888031067f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 73.793654][ T8439]  ffff888031067f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 73.801732][ T8439] >ffff888031068000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.809805][ T8439]                    ^
[ 73.813867][ T8439]  ffff888031068080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.821935][ T8439]  ffff888031068100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.830013][ T8439] ==================================================================
[ 73.838227][ T8439] Disabling lock debugging due to kernel taint
[ 73.844702][ T8439] Kernel panic - not syncing: panic_on_warn set ...
[ 73.851309][ T8439] CPU: 0 PID: 8439 Comm: syz-fuzzer Tainted: G B 5.12.0-rc8-next-20210423-syzkaller #0
[ 73.858249][ T4855] ------------[ cut here ]------------
[ 73.862251][ T8439] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.862266][ T8439] Call Trace:
[ 73.862275][ T8439] dump_stack+0x141/0x1d7
[ 73.862307][ T8439] panic+0x306/0x73d
[ 73.867753][ T4855] kernel BUG at arch/x86/mm/physaddr.c:28!
[ 73.877937][ T8439] ? __warn_printk+0xf3/0xf3
[ 73.877979][ T8439] ? preempt_schedule_common+0x59/0xc0
[ 73.878008][ T8439] ? __skb_datagram_iter+0x6b8/0x770
[ 73.878030][ T8439] ? preempt_schedule_thunk+0x16/0x18
[ 73.878055][ T8439] ? trace_hardirqs_on+0x38/0x1c0
[ 73.878076][ T8439] ? trace_hardirqs_on+0x51/0x1c0
[ 73.882181][ T4855] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 73.885698][ T8439] ? __skb_datagram_iter+0x6b8/0x770
[ 73.889629][ T4855] CPU: 1 PID: 4855 Comm: systemd-journal Tainted: G B 5.12.0-rc8-next-20210423-syzkaller #0
[ 73.895414][ T8439] ? __skb_datagram_iter+0x6b8/0x770
[ 73.899992][ T4855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.905437][ T8439] end_report.cold+0x5a/0x5a
[ 73.910907][ T4855] RIP: 0010:__phys_addr+0xd3/0x140
[ 73.916265][ T8439] kasan_report.cold+0x6a/0xd8
[ 73.921286][ T4855] Code: e3 44 89 e9 31 ff 48 d3 eb 48 89 de e8 a6 d1 40 00 48 85 db 75 0f e8 7c c9 40 00 4c 89 e0 5b 5d 41 5c 41 5d c3 e8 6d c9 40 00 <0f> 0b e8 66 c9 40 00 48 c7 c0 10 50 cb 8b 48 ba 00 00 00 00 00 fc
[ 73.926303][ T8439] ? __skb_datagram_iter+0x6b8/0x770
[ 73.932350][ T4855] RSP: 0018:ffffc9000159fd58 EFLAGS: 00010293
[ 73.937618][ T8439] __skb_datagram_iter+0x6b8/0x770
[ 73.951997][ T4855]
[ 73.952011][ T4855] RAX: 0000000000000000 RBX: 00000960ffffea00 RCX: 0000000000000000
[ 73.958237][ T8439] ? zerocopy_sg_from_iter+0x110/0x110
[ 73.968277][ T4855] RDX: ffff888029b25580 RSI: ffffffff81343003 RDI: 0000000000000003
[ 73.972859][ T8439] skb_copy_datagram_iter+0x40/0x50
[ 73.977956][ T4855] RBP: 000009617fffea00 R08: 000009617fffea00 R09: ffffffff81ba00a5
[ 73.982895][ T8439] tcp_recvmsg_locked+0x1048/0x22f0
[ 74.003267][ T4855] R10: ffffffff81342f7e R11: 000000000000003f R12: 000080e0ffffea00
[ 74.008757][ T8439] ? tcp_splice_read+0x8b0/0x8b0
[ 74.014804][ T4855] R13: ffffc9000159fdb8 R14: ffffea0000000000 R15: 00000960ffffea00
[ 74.020594][ T8439] ? mark_held_locks+0x9f/0xe0
[ 74.022903][ T4855] FS: 00007f8672af88c0(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 74.030862][ T8439] ? __local_bh_enable_ip+0xa0/0x120
[ 74.037279][ T4855] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 74.045263][ T8439] tcp_recvmsg+0x134/0x550
[ 74.050454][ T4855] CR2: 00007f866fe4c000 CR3: 0000000029e67000 CR4: 00000000001506e0
[ 74.058422][ T8439] ? tcp_recvmsg_locked+0x22f0/0x22f0
[ 74.063602][ T4855] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 74.071998][ T8439] ? aa_sk_perm+0x311/0xab0
[ 74.076910][ T4855] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 74.085053][ T8439] inet_recvmsg+0x11b/0x5e0
[ 74.089803][ T4855] Call Trace:
[ 74.089819][ T4855] qlist_free_all+0x76/0xc0
[ 74.098716][ T8439] ? inet_sendpage+0x140/0x140
[ 74.104677][ T4855] kasan_quarantine_reduce+0x180/0x200
[ 74.111263][ T8439] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 74.116024][ T4855] __kasan_slab_alloc+0x8e/0xa0
[ 74.123990][ T8439] ? security_socket_recvmsg+0x8f/0xc0
[ 74.129445][ T4855] kmem_cache_alloc+0x219/0x3a0
[ 74.138023][ T8439] sock_read_iter+0x33c/0x470
[ 74.142516][ T4855] prepare_creds+0x3b/0x730
[ 74.150480][ T8439] ? ____sys_recvmsg+0x600/0x600
[ 74.154980][ T4855] do_faccessat+0x3f4/0x850
[ 74.159321][ T8439] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 74.163821][ T4855] ? stream_open+0x60/0x60
[ 74.168560][ T8439] ? fsnotify+0xa58/0x1060
[ 74.174185][ T4855] ? __secure_computing+0x104/0x360
[ 74.180406][ T8439] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 74.185252][ T4855] do_syscall_64+0x3a/0xb0
[ 74.190709][ T8439] new_sync_read+0x5b7/0x6e0
[ 74.195566][ T4855] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.200229][ T8439] ? ksys_lseek+0x1b0/0x1b0
[ 74.204743][ T4855] RIP: 0033:0x7f8671db39c7
[ 74.213158][ T8439] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 74.217655][ T4855] Code: 83 c4 08 48 3d 01 f0 ff ff 73 01 c3 48 8b 0d c8 d4 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 15 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 d4 2b 00 f7 d8 64 89 01 48
[ 74.223889][ T8439] vfs_read+0x35c/0x570
[ 74.228815][ T4855] RSP: 002b:00007ffd1b5af168 EFLAGS: 00000246
[ 74.233309][ T8439] ksys_read+0x1ee/0x250
[ 74.238486][ T4855] ORIG_RAX: 0000000000000015
[ 74.244714][ T8439] ? vfs_write+0xa40/0xa40
[ 74.249105][ T4855] RAX: ffffffffffffffda RBX: 00007ffd1b5b2190 RCX: 00007f8671db39c7
[ 74.253686][ T8439] ? syscall_enter_from_user_mode+0x27/0x70
[ 74.259570][ T4855] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000556a888989a3
[ 74.264082][ T8439] do_syscall_64+0x3a/0xb0
[ 74.268482][ T4855] RBP: 00007ffd1b5af2b0 R08: 0000556a8888e3e5 R09: 0000000000000018
[ 74.274804][ T8439] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.294496][ T4855] R10: 0000000000000069 R11: 0000000000000246 R12: 0000000000000000
[ 74.298653][ T8439] RIP: 0033:0x4af19b
[ 74.304701][ T4855] R13: 0000000000000000 R14: 0000556a88ab68a0 R15: 00007ffd1b5af7a0
[ 74.309288][ T8439] Code: fb ff eb bd e8 a6 b6 fb ff e9 61 ff ff ff cc e8 9b 82 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 74.313952][ T4855] Modules linked in:
[ 74.318864][ T8439] RSP: 002b:000000c0003d7828 EFLAGS: 00000212
[ 74.326911][ T4855]
[ 74.329731][ T4855] ---[ end trace 6c35753bcfaa1049 ]---
[ 74.332794][ T8439] ORIG_RAX: 0000000000000000
[ 74.341157][ T4855] RIP: 0010:__phys_addr+0xd3/0x140
[ 74.345422][ T8439] RAX: ffffffffffffffda RBX: 000000c00001c000 RCX: 00000000004af19b
[ 74.355427][ T4855] Code: e3 44 89 e9 31 ff 48 d3 eb 48 89 de e8 a6 d1 40 00 48 85 db 75 0f e8 7c c9 40 00 4c 89 e0 5b 5d 41 5c 41 5d c3 e8 6d c9 40 00 <0f> 0b e8 66 c9 40 00 48 c7 c0 10 50 cb 8b 48 ba 00 00 00 00 00 fc
[ 74.360776][ T8439] RDX: 0000000000001000 RSI: 000000c0002e0000 RDI: 0000000000000006
[ 74.360795][ T8439] RBP: 000000c0003d7878 R08: 0000000000000001 R09: 0000000000000002
[ 74.360808][ T8439] R10: 0000000000007044 R11: 0000000000000212 R12: 0000000000007040
[ 74.360821][ T8439] R13: 0000000000000100 R14: 0000000000000002 R15: 0000000000000002
[ 74.361321][ T8439] Kernel Offset: disabled
[ 74.498136][ T8439] Rebooting in 86400 seconds..