[[0;32m  OK  [0m] Started Getty on tty2.
[[0;32m  OK  [0m] Started Getty on tty1.
[[0;32m  OK  [0m] Started Serial Getty on ttyS0.
[[0;32m  OK  [0m] Reached target Login Prompts.
[[0;32m  OK  [0m] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.177' (ECDSA) to the list of known hosts.
2021/05/03 18:39:51 fuzzer started
2021/05/03 18:39:52 dialing manager at 10.128.0.169:34381
2021/05/03 18:39:52 syscalls: 3586
2021/05/03 18:39:52 code coverage: enabled
2021/05/03 18:39:52 comparison tracing: enabled
2021/05/03 18:39:52 extra coverage: enabled
2021/05/03 18:39:52 setuid sandbox: enabled
2021/05/03 18:39:52 namespace sandbox: enabled
2021/05/03 18:39:52 Android sandbox: /sys/fs/selinux/policy does not exist
2021/05/03 18:39:52 fault injection: enabled
2021/05/03 18:39:52 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/05/03 18:39:52 net packet injection: enabled
2021/05/03 18:39:52 net device setup: enabled
2021/05/03 18:39:52 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/05/03 18:39:52 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/05/03 18:39:52 USB emulation: enabled
2021/05/03 18:39:52 hci packet injection: enabled
2021/05/03 18:39:52 wifi device emulation: enabled
2021/05/03 18:39:52 802.15.4 emulation: enabled
2021/05/03 18:39:52 fetching corpus: 0, signal 0/2000 (executing program)
syzkaller login: [   72.168457][ T8468] general protection fault, probably for non-canonical address 0xdffffc3c1ffffd43: 0000 [#1] PREEMPT SMP KASAN
[   72.180206][ T8468] KASAN: probably user-memory-access in range [0x000001e0ffffea18-0x000001e0ffffea1f]
[   72.189762][ T8468] CPU: 0 PID: 8468 Comm: systemd-sysctl Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[   72.199675][ T8468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   72.209836][ T8468] RIP: 0010:tomoyo_check_acl+0xac/0x450
[   72.215451][ T8468] Code: 00 0f 85 69 03 00 00 49 8b 5d 00 49 39 dd 0f 84 fa 01 00 00 e8 45 46 de fd 48 8d 7b 18 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <0f> b6 04 28 38 d0 7f 08 84 c0 0f 85 f7 02 00 00 44 0f b6 73 18 31
[   72.235066][ T8468] RSP: 0018:ffffc9000169fbf0 EFLAGS: 00010246
[   72.241155][ T8468] RAX: 0000003c1ffffd43 RBX: 000001e0ffffea00 RCX: 0000000000000000
[   72.249145][ T8468] RDX: 0000000000000000 RSI: ffffffff8396b32b RDI: 000001e0ffffea18
[   72.257136][ T8468] RBP: dffffc0000000000 R08: 00000000b9036c7a R09: 0000000000000000
[   72.265140][ T8468] R10: ffffffff8396b3d8 R11: 0000000000000000 R12: ffffc9000169fcb8
[   72.273116][ T8468] R13: ffff888016354590 R14: 0000000000000002 R15: 0000000000000000
[   72.281106][ T8468] FS:  00007f75496b68c0(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[   72.290054][ T8468] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   72.296639][ T8468] CR2: 00007f75493c0571 CR3: 0000000015537000 CR4: 00000000001506f0
[   72.304617][ T8468] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   72.312647][ T8468] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   72.320630][ T8468] Call Trace:
[   72.323911][ T8468]  ? tomoyo_check_path2_acl+0x2f0/0x2f0
[   72.329476][ T8468]  tomoyo_path_number_perm+0x32a/0x590
[   72.334930][ T8468]  ? tomoyo_execute_permission+0x4a0/0x4a0
[   72.340751][ T8468]  ? __lock_acquire+0x16a7/0x5230
[   72.345798][ T8468]  ? find_held_lock+0x2d/0x110
[   72.350554][ T8468]  ? __context_tracking_exit+0xb8/0xe0
[   72.356037][ T8468]  security_file_ioctl+0x50/0xb0
[   72.360998][ T8468]  __x64_sys_ioctl+0xb3/0x200
[   72.365691][ T8468]  do_syscall_64+0x3a/0xb0
[   72.370132][ T8468]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   72.376048][ T8468] RIP: 0033:0x7f7548da680a
[   72.380478][ T8468] Code: ff e9 62 fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 53 49 89 f0 48 63 ff be 01 54 00 00 b8 10 00 00 00 48 83 ec 30 48 89 e2 0f 05 <48> 3d 00 f0 ff ff 77 6e 85 c0 89 c3 75 5c 8b 04 24 8b 54 24 0c 4c
[   72.400104][ T8468] RSP: 002b:00007fffa8358ca0 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   72.408537][ T8468] RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 00007f7548da680a
2021/05/03 18:39:52 fetching corpus: 50, signal 55362/58965 (executing program)
[   72.416525][ T8468] RDX: 00007fffa8358ca0 RSI: 0000000000005401 RDI: 0000000000000002
[   72.424542][ T8468] RBP: 0000000000000007 R08: 00007fffa8358ce0 R09: 000000000000000a
[   72.432540][ T8468] R10: fffffffffffff70a R11: 0000000000000206 R12: 0000000000000005
[   72.440535][ T8468] R13: 00007fffa8358ea8 R14: 0000000000000000 R15: 0000000000000000
[   72.448523][ T8468] Modules linked in:
[   72.464363][ T8468] ---[ end trace 75bd6e536c854705 ]---
[   72.465222][    C1] ==================================================================
[   72.469952][ T8468] RIP: 0010:tomoyo_check_acl+0xac/0x450
[   72.477908][    C1] BUG: KASAN: use-after-free in skb_try_coalesce+0x1335/0x1440
[   72.477945][    C1] Write of size 4 at addr ffff888034bc0008 by task syz-fuzzer/8455
[   72.477968][    C1] 
[   72.485380][ T8468] Code: 00 0f 85 69 03 00 00 49 8b 5d 00 49 39 dd 0f 84 fa 01 00 00 e8 45 46 de fd 48 8d 7b 18 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <0f> b6 04 28 38 d0 7f 08 84 c0 0f 85 f7 02 00 00 44 0f b6 73 18 31
[   72.491103][    C1] CPU: 1 PID: 8455 Comm: syz-fuzzer Tainted: G      D           5.12.0-rc8-next-20210423-syzkaller #0
[   72.499770][ T8468] RSP: 0018:ffffc9000169fbf0 EFLAGS: 00010246
[   72.501333][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   72.501350][    C1] Call Trace:
[   72.501362][    C1]  dump_stack+0x141/0x1d7
[   72.522270][ T8468] 
[   72.531854][    C1]  ? skb_try_coalesce+0x1335/0x1440
[   72.531892][    C1]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   72.538910][ T8468] RAX: 0000003c1ffffd43 RBX: 000001e0ffffea00 RCX: 0000000000000000
[   72.547987][    C1]  ? skb_try_coalesce+0x1335/0x1440
[   72.548023][    C1]  ? skb_try_coalesce+0x1335/0x1440
[   72.552265][ T8468] RDX: 0000000000000000 RSI: ffffffff8396b32b RDI: 000001e0ffffea18
[   72.555612][    C1]  kasan_report.cold+0x7c/0xd8
[   72.555647][    C1]  ? __sanitizer_cov_trace_cmp8+0x51/0x70
[   72.558895][ T8468] RBP: dffffc0000000000 R08: 00000000b9036c7a R09: 0000000000000000
[   72.563143][    C1]  ? skb_try_coalesce+0x1335/0x1440
[   72.570846][ T8468] R10: ffffffff8396b3d8 R11: 0000000000000000 R12: ffffc9000169fcb8
[   72.578115][    C1]  skb_try_coalesce+0x1335/0x1440
[   72.578160][    C1]  tcp_try_coalesce+0x393/0x920
[   72.584299][ T8468] R13: ffff888016354590 R14: 0000000000000002 R15: 0000000000000000
[   72.588519][    C1]  ? tcp_urg.part.0+0x2d0/0x2d0
[   72.588555][    C1]  ? rcu_read_lock_sched_held+0xd/0x70
[   72.597507][ T8468] FS:  00007f75496b68c0(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[   72.601266][    C1]  ? lock_release+0x522/0x720
[   72.607718][ T8468] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   72.614948][    C1]  ? ktime_get+0x38a/0x470
[   72.614981][    C1]  ? trace_hardirqs_on+0x5b/0x1c0
[   72.621159][ T8468] CR2: 00007f7897f7f000 CR3: 0000000015537000 CR4: 00000000001506f0
[   72.628126][    C1]  tcp_queue_rcv+0x8a/0x6e0
[   72.628165][    C1]  tcp_rcv_established+0x1756/0x1eb0
[   72.634103][ T8468] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   72.638016][    C1]  ? tcp_data_queue+0x4b10/0x4b10
[   72.638045][    C1]  ? do_raw_spin_lock+0x120/0x2b0
[   72.647238][ T8468] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   72.650847][    C1]  tcp_v4_do_rcv+0x5d1/0x870
[   72.657091][ T8468] Kernel panic - not syncing: Fatal exception
[   72.665236][    C1]  tcp_v4_rcv+0x3298/0x3950
[   72.744533][    C1]  ? tcp_v4_early_demux+0x8f0/0x8f0
[   72.749732][    C1]  ? lock_release+0x720/0x720
[   72.754425][    C1]  ? nf_hook.constprop.0+0x3e8/0x650
[   72.759710][    C1]  ? ip_protocol_deliver_rcu+0xa20/0xa20
[   72.765345][    C1]  ip_protocol_deliver_rcu+0xa7/0xa20
[   72.770718][    C1]  ip_local_deliver_finish+0x20a/0x370
[   72.776180][    C1]  ip_local_deliver+0x1b3/0x200
[   72.781032][    C1]  ip_sublist_rcv_finish+0x9a/0x2c0
[   72.786235][    C1]  ip_list_rcv_finish.constprop.0+0x51e/0x6e0
[   72.792311][    C1]  ? ip_rcv_finish_core.constprop.0+0x1e80/0x1e80
[   72.798728][    C1]  ? ip_list_rcv_finish.constprop.0+0x6e0/0x6e0
[   72.804973][    C1]  ? ip_rcv_core+0x867/0xcb0
[   72.809579][    C1]  ip_list_rcv+0x34e/0x490
[   72.813996][    C1]  ? ip_rcv+0xd0/0xd0
[   72.817977][    C1]  ? ip_rcv+0xd0/0xd0
[   72.821956][    C1]  __netif_receive_skb_list_core+0x549/0x8e0
[   72.827936][    C1]  ? lock_acquire+0x58a/0x740
[   72.832615][    C1]  ? process_backlog+0x6c0/0x6c0
[   72.837548][    C1]  ? ktime_get_with_offset+0x3f2/0x500
[   72.843034][    C1]  netif_receive_skb_list_internal+0x75e/0xd80
[   72.849212][    C1]  ? __netif_receive_skb_list_core+0x8e0/0x8e0
[   72.855367][    C1]  ? virtqueue_get_buf_ctx_split+0x423/0x5f0
[   72.861346][    C1]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   72.867590][    C1]  ? detach_buf_split+0x599/0x7b0
[   72.872614][    C1]  ? __sanitizer_cov_trace_cmp2+0x22/0x80
[   72.878352][    C1]  napi_complete_done+0x1f1/0x880
[   72.883377][    C1]  virtnet_poll+0xbeb/0x1180
[   72.887970][    C1]  ? receive_buf+0x6250/0x6250
[   72.892733][    C1]  ? rcu_read_lock_sched_held+0xd/0x70
[   72.898191][    C1]  ? lock_acquire+0x58a/0x740
[   72.902871][    C1]  __napi_poll+0xaf/0x440
[   72.907197][    C1]  net_rx_action+0x801/0xb40
[   72.911786][    C1]  ? napi_threaded_poll+0x5b0/0x5b0
[   72.916984][    C1]  ? asm_common_interrupt+0x1e/0x40
[   72.922182][    C1]  __do_softirq+0x29b/0x9fe
[   72.926685][    C1]  __irq_exit_rcu+0x136/0x200
[   72.931360][    C1]  irq_exit_rcu+0x5/0x20
[   72.935600][    C1]  common_interrupt+0x51/0xd0
[   72.940281][    C1]  ? asm_common_interrupt+0x8/0x40
[   72.945390][    C1]  asm_common_interrupt+0x1e/0x40
[   72.950413][    C1] RIP: 0033:0x63244a
[   72.954299][    C1] Code: 8b 05 0a b6 21 01 48 8b 0d 0b b6 21 01 eb a8 48 8b 44 24 28 48 8b 4c 24 40 eb 9c 44 89 c0 41 81 e0 ff 01 00 00 42 8b 5c 82 08 <41> 89 d8 83 e3 0f 48 83 fb 09 0f 86 fc 00 00 00 48 8b 9a 08 08 00
[   72.973902][    C1] RSP: 002b:000000c0004ada98 EFLAGS: 00000206
[   72.979967][    C1] RAX: 00000000000061aa RBX: 00000000000002a8 RCX: 000000000000000b
[   72.987945][    C1] RDX: 000000c00036a028 RSI: 000000c00036a000 RDI: 0000000000000013
[   72.995924][    C1] RBP: 000000c0004adae0 R08: 00000000000001aa R09: 00000000000000b9
[   73.003901][    C1] R10: 00000000000062fe R11: 0000000000005f36 R12: 00000000000062fa
[   73.011869][    C1] R13: 0000000000000100 R14: 0000000000000040 R15: 0000000000000020
[   73.019843][    C1] 
[   73.022154][    C1] The buggy address belongs to the page:
[   73.027769][    C1] page:ffffea0000d2f000 refcount:0 mapcount:-128 mapping:0000000000000000 index:0xffff888034bc6000 pfn:0x34bc0
[   73.039475][    C1] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   73.046585][    C1] raw: 00fff00000000000 ffffea0000d2b008 ffffea0000d40808 0000000000000000
[   73.055163][    C1] raw: ffff888034bc6000 0000000000000005 00000000ffffff7f 0000000000000000
[   73.063746][    C1] page dumped because: kasan: bad access detected
[   73.070141][    C1] 
[   73.072453][    C1] Memory state around the buggy address:
[   73.078067][    C1]  ffff888034bbff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   73.086117][    C1]  ffff888034bbff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   73.094513][    C1] >ffff888034bc0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   73.102562][    C1]                       ^
[   73.106875][    C1]  ffff888034bc0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   73.114925][    C1]  ffff888034bc0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   73.122989][    C1] ==================================================================
[   73.131648][ T8468] Kernel Offset: disabled
[   73.135968][ T8468] Rebooting in 86400 seconds..