[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Started OpenBSD Secure Shell server.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.177' (ECDSA) to the list of known hosts.
2021/05/03 18:39:51 fuzzer started
2021/05/03 18:39:52 dialing manager at 10.128.0.169:34381
2021/05/03 18:39:52 syscalls: 3586
2021/05/03 18:39:52 code coverage: enabled
2021/05/03 18:39:52 comparison tracing: enabled
2021/05/03 18:39:52 extra coverage: enabled
2021/05/03 18:39:52 setuid sandbox: enabled
2021/05/03 18:39:52 namespace sandbox: enabled
2021/05/03 18:39:52 Android sandbox: /sys/fs/selinux/policy does not exist
2021/05/03 18:39:52 fault injection: enabled
2021/05/03 18:39:52 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/05/03 18:39:52 net packet injection: enabled
2021/05/03 18:39:52 net device setup: enabled
2021/05/03 18:39:52 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/05/03 18:39:52 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/05/03 18:39:52 USB emulation: enabled
2021/05/03 18:39:52 hci packet injection: enabled
2021/05/03 18:39:52 wifi device emulation: enabled
2021/05/03 18:39:52 802.15.4 emulation: enabled
2021/05/03 18:39:52 fetching corpus: 0, signal 0/2000 (executing program)
syzkaller login: [ 72.168457][ T8468] general protection fault, probably for non-canonical address 0xdffffc3c1ffffd43: 0000 [#1] PREEMPT SMP KASAN
[ 72.180206][ T8468] KASAN: probably user-memory-access in range [0x000001e0ffffea18-0x000001e0ffffea1f]
[ 72.189762][ T8468] CPU: 0 PID: 8468 Comm: systemd-sysctl Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 72.199675][ T8468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.209836][ T8468] RIP: 0010:tomoyo_check_acl+0xac/0x450
[ 72.215451][ T8468] Code: 00 0f 85 69 03 00 00 49 8b 5d 00 49 39 dd 0f 84 fa 01 00 00 e8 45 46 de fd 48 8d 7b 18 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <0f> b6 04 28 38 d0 7f 08 84 c0 0f 85 f7 02 00 00 44 0f b6 73 18 31
[ 72.235066][ T8468] RSP: 0018:ffffc9000169fbf0 EFLAGS: 00010246
[ 72.241155][ T8468] RAX: 0000003c1ffffd43 RBX: 000001e0ffffea00 RCX: 0000000000000000
[ 72.249145][ T8468] RDX: 0000000000000000 RSI: ffffffff8396b32b RDI: 000001e0ffffea18
[ 72.257136][ T8468] RBP: dffffc0000000000 R08: 00000000b9036c7a R09: 0000000000000000
[ 72.265140][ T8468] R10: ffffffff8396b3d8 R11: 0000000000000000 R12: ffffc9000169fcb8
[ 72.273116][ T8468] R13: ffff888016354590 R14: 0000000000000002 R15: 0000000000000000
[ 72.281106][ T8468] FS: 00007f75496b68c0(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 72.290054][ T8468] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.296639][ T8468] CR2: 00007f75493c0571 CR3: 0000000015537000 CR4: 00000000001506f0
[ 72.304617][ T8468] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 72.312647][ T8468] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 72.320630][ T8468] Call Trace:
[ 72.323911][ T8468] ? tomoyo_check_path2_acl+0x2f0/0x2f0
[ 72.329476][ T8468] tomoyo_path_number_perm+0x32a/0x590
[ 72.334930][ T8468] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 72.340751][ T8468] ? __lock_acquire+0x16a7/0x5230
[ 72.345798][ T8468] ? find_held_lock+0x2d/0x110
[ 72.350554][ T8468] ? __context_tracking_exit+0xb8/0xe0
[ 72.356037][ T8468] security_file_ioctl+0x50/0xb0
[ 72.360998][ T8468] __x64_sys_ioctl+0xb3/0x200
[ 72.365691][ T8468] do_syscall_64+0x3a/0xb0
[ 72.370132][ T8468] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.376048][ T8468] RIP: 0033:0x7f7548da680a
[ 72.380478][ T8468] Code: ff e9 62 fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 53 49 89 f0 48 63 ff be 01 54 00 00 b8 10 00 00 00 48 83 ec 30 48 89 e2 0f 05 <48> 3d 00 f0 ff ff 77 6e 85 c0 89 c3 75 5c 8b 04 24 8b 54 24 0c 4c
[ 72.400104][ T8468] RSP: 002b:00007fffa8358ca0 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 72.408537][ T8468] RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 00007f7548da680a
2021/05/03 18:39:52 fetching corpus: 50, signal 55362/58965 (executing program)
[ 72.416525][ T8468] RDX: 00007fffa8358ca0 RSI: 0000000000005401 RDI: 0000000000000002
[ 72.424542][ T8468] RBP: 0000000000000007 R08: 00007fffa8358ce0 R09: 000000000000000a
[ 72.432540][ T8468] R10: fffffffffffff70a R11: 0000000000000206 R12: 0000000000000005
[ 72.440535][ T8468] R13: 00007fffa8358ea8 R14: 0000000000000000 R15: 0000000000000000
[ 72.448523][ T8468] Modules linked in:
[ 72.464363][ T8468] ---[ end trace 75bd6e536c854705 ]---
[ 72.465222][ C1] ==================================================================
[ 72.469952][ T8468] RIP: 0010:tomoyo_check_acl+0xac/0x450
[ 72.477908][ C1] BUG: KASAN: use-after-free in skb_try_coalesce+0x1335/0x1440
[ 72.477945][ C1] Write of size 4 at addr ffff888034bc0008 by task syz-fuzzer/8455
[ 72.477968][ C1]
[ 72.485380][ T8468] Code: 00 0f 85 69 03 00 00 49 8b 5d 00 49 39 dd 0f 84 fa 01 00 00 e8 45 46 de fd 48 8d 7b 18 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <0f> b6 04 28 38 d0 7f 08 84 c0 0f 85 f7 02 00 00 44 0f b6 73 18 31
[ 72.491103][ C1] CPU: 1 PID: 8455 Comm: syz-fuzzer Tainted: G D 5.12.0-rc8-next-20210423-syzkaller #0
[ 72.499770][ T8468] RSP: 0018:ffffc9000169fbf0 EFLAGS: 00010246
[ 72.501333][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.501350][ C1] Call Trace:
[ 72.501362][ C1] dump_stack+0x141/0x1d7
[ 72.522270][ T8468]
[ 72.531854][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 72.531892][ C1] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 72.538910][ T8468] RAX: 0000003c1ffffd43 RBX: 000001e0ffffea00 RCX: 0000000000000000
[ 72.547987][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 72.548023][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 72.552265][ T8468] RDX: 0000000000000000 RSI: ffffffff8396b32b RDI: 000001e0ffffea18
[ 72.555612][ C1] kasan_report.cold+0x7c/0xd8
[ 72.555647][ C1] ? __sanitizer_cov_trace_cmp8+0x51/0x70
[ 72.558895][ T8468] RBP: dffffc0000000000 R08: 00000000b9036c7a R09: 0000000000000000
[ 72.563143][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 72.570846][ T8468] R10: ffffffff8396b3d8 R11: 0000000000000000 R12: ffffc9000169fcb8
[ 72.578115][ C1] skb_try_coalesce+0x1335/0x1440
[ 72.578160][ C1] tcp_try_coalesce+0x393/0x920
[ 72.584299][ T8468] R13: ffff888016354590 R14: 0000000000000002 R15: 0000000000000000
[ 72.588519][ C1] ? tcp_urg.part.0+0x2d0/0x2d0
[ 72.588555][ C1] ? rcu_read_lock_sched_held+0xd/0x70
[ 72.597507][ T8468] FS: 00007f75496b68c0(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 72.601266][ C1] ? lock_release+0x522/0x720
[ 72.607718][ T8468] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.614948][ C1] ? ktime_get+0x38a/0x470
[ 72.614981][ C1] ? trace_hardirqs_on+0x5b/0x1c0
[ 72.621159][ T8468] CR2: 00007f7897f7f000 CR3: 0000000015537000 CR4: 00000000001506f0
[ 72.628126][ C1] tcp_queue_rcv+0x8a/0x6e0
[ 72.628165][ C1] tcp_rcv_established+0x1756/0x1eb0
[ 72.634103][ T8468] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 72.638016][ C1] ? tcp_data_queue+0x4b10/0x4b10
[ 72.638045][ C1] ? do_raw_spin_lock+0x120/0x2b0
[ 72.647238][ T8468] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 72.650847][ C1] tcp_v4_do_rcv+0x5d1/0x870
[ 72.657091][ T8468] Kernel panic - not syncing: Fatal exception
[ 72.665236][ C1] tcp_v4_rcv+0x3298/0x3950
[ 72.744533][ C1] ? tcp_v4_early_demux+0x8f0/0x8f0
[ 72.749732][ C1] ? lock_release+0x720/0x720
[ 72.754425][ C1] ? nf_hook.constprop.0+0x3e8/0x650
[ 72.759710][ C1] ? ip_protocol_deliver_rcu+0xa20/0xa20
[ 72.765345][ C1] ip_protocol_deliver_rcu+0xa7/0xa20
[ 72.770718][ C1] ip_local_deliver_finish+0x20a/0x370
[ 72.776180][ C1] ip_local_deliver+0x1b3/0x200
[ 72.781032][ C1] ip_sublist_rcv_finish+0x9a/0x2c0
[ 72.786235][ C1] ip_list_rcv_finish.constprop.0+0x51e/0x6e0
[ 72.792311][ C1] ? ip_rcv_finish_core.constprop.0+0x1e80/0x1e80
[ 72.798728][ C1] ? ip_list_rcv_finish.constprop.0+0x6e0/0x6e0
[ 72.804973][ C1] ? ip_rcv_core+0x867/0xcb0
[ 72.809579][ C1] ip_list_rcv+0x34e/0x490
[ 72.813996][ C1] ? ip_rcv+0xd0/0xd0
[ 72.817977][ C1] ? ip_rcv+0xd0/0xd0
[ 72.821956][ C1] __netif_receive_skb_list_core+0x549/0x8e0
[ 72.827936][ C1] ? lock_acquire+0x58a/0x740
[ 72.832615][ C1] ? process_backlog+0x6c0/0x6c0
[ 72.837548][ C1] ? ktime_get_with_offset+0x3f2/0x500
[ 72.843034][ C1] netif_receive_skb_list_internal+0x75e/0xd80
[ 72.849212][ C1] ? __netif_receive_skb_list_core+0x8e0/0x8e0
[ 72.855367][ C1] ? virtqueue_get_buf_ctx_split+0x423/0x5f0
[ 72.861346][ C1] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 72.867590][ C1] ? detach_buf_split+0x599/0x7b0
[ 72.872614][ C1] ? __sanitizer_cov_trace_cmp2+0x22/0x80
[ 72.878352][ C1] napi_complete_done+0x1f1/0x880
[ 72.883377][ C1] virtnet_poll+0xbeb/0x1180
[ 72.887970][ C1] ? receive_buf+0x6250/0x6250
[ 72.892733][ C1] ? rcu_read_lock_sched_held+0xd/0x70
[ 72.898191][ C1] ? lock_acquire+0x58a/0x740
[ 72.902871][ C1] __napi_poll+0xaf/0x440
[ 72.907197][ C1] net_rx_action+0x801/0xb40
[ 72.911786][ C1] ? napi_threaded_poll+0x5b0/0x5b0
[ 72.916984][ C1] ? asm_common_interrupt+0x1e/0x40
[ 72.922182][ C1] __do_softirq+0x29b/0x9fe
[ 72.926685][ C1] __irq_exit_rcu+0x136/0x200
[ 72.931360][ C1] irq_exit_rcu+0x5/0x20
[ 72.935600][ C1] common_interrupt+0x51/0xd0
[ 72.940281][ C1] ? asm_common_interrupt+0x8/0x40
[ 72.945390][ C1] asm_common_interrupt+0x1e/0x40
[ 72.950413][ C1] RIP: 0033:0x63244a
[ 72.954299][ C1] Code: 8b 05 0a b6 21 01 48 8b 0d 0b b6 21 01 eb a8 48 8b 44 24 28 48 8b 4c 24 40 eb 9c 44 89 c0 41 81 e0 ff 01 00 00 42 8b 5c 82 08 <41> 89 d8 83 e3 0f 48 83 fb 09 0f 86 fc 00 00 00 48 8b 9a 08 08 00
[ 72.973902][ C1] RSP: 002b:000000c0004ada98 EFLAGS: 00000206
[ 72.979967][ C1] RAX: 00000000000061aa RBX: 00000000000002a8 RCX: 000000000000000b
[ 72.987945][ C1] RDX: 000000c00036a028 RSI: 000000c00036a000 RDI: 0000000000000013
[ 72.995924][ C1] RBP: 000000c0004adae0 R08: 00000000000001aa R09: 00000000000000b9
[ 73.003901][ C1] R10: 00000000000062fe R11: 0000000000005f36 R12: 00000000000062fa
[ 73.011869][ C1] R13: 0000000000000100 R14: 0000000000000040 R15: 0000000000000020
[ 73.019843][ C1]
[ 73.022154][ C1] The buggy address belongs to the page:
[ 73.027769][ C1] page:ffffea0000d2f000 refcount:0 mapcount:-128 mapping:0000000000000000 index:0xffff888034bc6000 pfn:0x34bc0
[ 73.039475][ C1] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 73.046585][ C1] raw: 00fff00000000000 ffffea0000d2b008 ffffea0000d40808 0000000000000000
[ 73.055163][ C1] raw: ffff888034bc6000 0000000000000005 00000000ffffff7f 0000000000000000
[ 73.063746][ C1] page dumped because: kasan: bad access detected
[ 73.070141][ C1]
[ 73.072453][ C1] Memory state around the buggy address:
[ 73.078067][ C1] ffff888034bbff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 73.086117][ C1] ffff888034bbff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 73.094513][ C1] >ffff888034bc0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 73.102562][ C1] ^
[ 73.106875][ C1] ffff888034bc0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 73.114925][ C1] ffff888034bc0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 73.122989][ C1] ==================================================================
[ 73.131648][ T8468] Kernel Offset: disabled
[ 73.135968][ T8468] Rebooting in 86400 seconds..