[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Started OpenBSD Secure Shell server.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.23' (ECDSA) to the list of known hosts.
2021/04/22 05:47:10 fuzzer started
2021/04/22 05:47:10 dialing manager at 10.128.0.169:37457
2021/04/22 05:47:10 syscalls: 1690
2021/04/22 05:47:10 code coverage: enabled
2021/04/22 05:47:10 comparison tracing: enabled
2021/04/22 05:47:10 extra coverage: enabled
2021/04/22 05:47:10 setuid sandbox: enabled
2021/04/22 05:47:10 namespace sandbox: enabled
2021/04/22 05:47:10 Android sandbox: /sys/fs/selinux/policy does not exist
2021/04/22 05:47:10 fault injection: enabled
2021/04/22 05:47:10 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/04/22 05:47:10 net packet injection: enabled
2021/04/22 05:47:10 net device setup: enabled
2021/04/22 05:47:10 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/04/22 05:47:10 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/04/22 05:47:10 USB emulation: enabled
2021/04/22 05:47:10 hci packet injection: enabled
2021/04/22 05:47:10 wifi device emulation: enabled
2021/04/22 05:47:10 802.15.4 emulation: enabled
2021/04/22 05:47:10 fetching corpus: 0, signal 0/2000 (executing program)
syzkaller login: [ 68.080445][ C0] ==================================================================
[ 68.082212][ T1] BUG: unable to handle page fault for address: ffffea0003ffff88
[ 68.089501][ C0] BUG: KASAN: use-after-free in skb_try_coalesce+0x1334/0x1440
[ 68.097215][ T1] #PF: supervisor read access in kernel mode
[ 68.104757][ C0] Write of size 4 at addr ffff8880196c8008 by task systemd-udevd/8425
[ 68.110780][ T1] #PF: error_code(0x0000) - not-present page
[ 68.119088][ C0]
[ 68.119098][ C0] CPU: 0 PID: 8425 Comm: systemd-udevd Not tainted 5.12.0-rc7-syzkaller #0
[ 68.125052][ T1] PGD 13fff8067
[ 68.127364][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.136034][ T1] P4D 13fff8067
[ 68.139563][ C0] Call Trace:
[ 68.139575][ C0]
[ 68.149598][ T1] PUD 13fff7067
[ 68.153141][ C0] dump_stack+0x141/0x1d7
[ 68.156401][ T1] PMD 0
[ 68.159238][ C0] ? skb_try_coalesce+0x1334/0x1440
[ 68.162761][ T1] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 68.167072][ C0] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 68.169904][ T1] CPU: 1 PID: 1 Comm: systemd Not tainted 5.12.0-rc7-syzkaller #0
[ 68.175083][ C0] ? skb_try_coalesce+0x1334/0x1440
[ 68.180254][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.187254][ C0] ? skb_try_coalesce+0x1334/0x1440
[ 68.195038][ T1] RIP: 0010:qlist_free_all+0x85/0xc0
[ 68.200215][ C0] kasan_report.cold+0x7c/0xd8
[ 68.210258][ T1] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 2a 52 7b ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 68.215446][ C0] ? __sanitizer_cov_trace_cmp8+0x61/0x70
[ 68.220798][ T1] RSP: 0018:ffffc90000c67be0 EFLAGS: 00010282
[ 68.225550][ C0] ? skb_try_coalesce+0x1334/0x1440
[ 68.245146][ T1]
[ 68.245158][ T1] RAX: ffffea0003ffff80 RBX: ffff8880185cc400 RCX: 0000000000000000
[ 68.252871][ C0] skb_try_coalesce+0x1334/0x1440
[ 68.258918][ T1] RDX: ffff8880114f8000 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 68.264109][ C0] tcp_try_coalesce+0x393/0x920
[ 68.266405][ T1] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 68.275320][ C0] ? mark_held_locks+0x9f/0xe0
[ 68.280326][ T1] R10: ffffffff813371ca R11: 000000000000003f R12: dffffc0000000000
[ 68.288282][ C0] ? tcp_urg.part.0+0x2d0/0x2d0
[ 68.293126][ T1] R13: ffffc90000c67c18 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 68.301088][ C0] ? ktime_get+0x38a/0x470
[ 68.305856][ T1] FS: 00007f10760ce500(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 68.313831][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 68.318666][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 68.328622][ C0] tcp_queue_rcv+0x8a/0x6e0
[ 68.333031][ T1] CR2: ffffea0003ffff88 CR3: 0000000021154000 CR4: 00000000001506e0
[ 68.342045][ C0] tcp_rcv_established+0x175e/0x1eb0
[ 68.347220][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 68.353790][ C0] ? tcp_data_queue+0x4b10/0x4b10
[ 68.358269][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 68.366242][ C0] ? do_raw_spin_lock+0x120/0x2b0
[ 68.371510][ T1] Call Trace:
[ 68.371525][ T1] kasan_quarantine_reduce+0x180/0x200
[ 68.379565][ C0] tcp_v4_do_rcv+0x5d1/0x870
[ 68.384591][ T1] __kasan_slab_alloc+0x7f/0x90
[ 68.392556][ C0] tcp_v4_rcv+0x3298/0x3950
[ 68.397562][ T1] kmem_cache_alloc+0x155/0x370
[ 68.400850][ C0] ? tcp_v4_early_demux+0x8f0/0x8f0
[ 68.406283][ T1] getname_flags.part.0+0x50/0x4f0
[ 68.410850][ C0] ? lock_release+0x720/0x720
[ 68.415707][ T1] user_path_at_empty+0xa1/0x100
[ 68.420192][ C0] ip_protocol_deliver_rcu+0x5c/0xa20
[ 68.425026][ T1] vfs_statx+0x142/0x390
[ 68.430206][ C0] ip_local_deliver_finish+0x20a/0x370
[ 68.435292][ T1] ? do_readlinkat+0x2f0/0x2f0
[ 68.439960][ C0] ip_local_deliver+0x1b3/0x200
[ 68.444874][ T1] __do_sys_newlstat+0x91/0x110
[ 68.450221][ C0] ip_sublist_rcv_finish+0x9a/0x2c0
[ 68.454458][ T1] ? __do_sys_lstat+0x110/0x110
[ 68.459892][ C0] ip_list_rcv_finish.constprop.0+0x51e/0x6e0
[ 68.464740][ T1] ? __context_tracking_exit+0xb8/0xe0
[ 68.469576][ C0] ? ip_rcv_finish_core.constprop.0+0x1e70/0x1e70
[ 68.474417][ T1] ? lock_downgrade+0x6e0/0x6e0
[ 68.479612][ C0] ? ip_list_rcv_finish.constprop.0+0x6e0/0x6e0
[ 68.484450][ T1] ? syscall_enter_from_user_mode+0x27/0x70
[ 68.490495][ C0] ? ip_rcv_core+0x867/0xcb0
[ 68.495971][ T1] ? lockdep_hardirqs_on+0x79/0x100
[ 68.502368][ C0] ip_list_rcv+0x34e/0x490
[ 68.507195][ T1] do_syscall_64+0x2d/0x70
[ 68.513421][ C0] ? ip_rcv+0xd0/0xd0
[ 68.519287][ T1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 68.523857][ C0] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 68.529041][ T1] RIP: 0033:0x7f1074697335
[ 68.533460][ C0] ? find_held_lock+0x2d/0x110
[ 68.537858][ T1] Code: 69 db 2b 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 31 db 2b 00 f7 d8 64 89
[ 68.541837][ C0] ? ip_rcv+0xd0/0xd0
[ 68.547720][ T1] RSP: 002b:00007ffeb222d098 EFLAGS: 00000246
[ 68.553685][ C0] __netif_receive_skb_list_core+0x549/0x8e0
[ 68.558079][ T1] ORIG_RAX: 0000000000000006
[ 68.562843][ C0] ? process_backlog+0x6c0/0x6c0
[ 68.582444][ T1] RAX: ffffffffffffffda RBX: 000056544cf0c7a0 RCX: 00007f1074697335
[ 68.586421][ C0] ? ktime_get_with_offset+0x3f2/0x500
[ 68.592467][ T1] RDX: 00007ffeb222d0d0 RSI: 00007ffeb222d0d0 RDI: 000056544cf0b7a0
[ 68.598454][ C0] ? lockdep_hardirqs_on+0x79/0x100
[ 68.603111][ T1] RBP: 00007ffeb222d190 R08: 0000000000000003 R09: 0000000000001010
[ 68.608035][ C0] netif_receive_skb_list_internal+0x777/0xd70
[ 68.615997][ T1] R10: 0000000000000020 R11: 0000000000000246 R12: 000056544cf0b7a0
[ 68.621472][ C0] ? __netif_receive_skb_list_core+0x8e0/0x8e0
[ 68.629442][ T1] R13: 000056544cf0b7ac R14: 000056544cf09ef5 R15: 000056544cf09efc
[ 68.634623][ C0] ? __build_skb_around+0x23e/0x2f0
[ 68.642582][ T1] Modules linked in:
[ 68.648712][ C0] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 68.656670][ T1]
[ 68.656682][ T1] CR2: ffffea0003ffff88
[ 68.662806][ C0] ? dev_gro_receive+0x250/0x22b0
[ 68.670768][ T1] ---[ end trace aecab39dddf00035 ]---
[ 68.675965][ C0] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 68.679867][ T1] RIP: 0010:qlist_free_all+0x85/0xc0
[ 68.686086][ C0] gro_normal_one+0x17f/0x260
[ 68.688394][ T1] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 2a 52 7b ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 68.692531][ C0] napi_gro_receive+0x156/0x6a0
[ 68.697527][ T1] RSP: 0018:ffffc90000c67be0 EFLAGS: 00010282
[ 68.702966][ C0] receive_buf+0xc23/0x6220
[ 68.709182][ T1]
[ 68.709190][ T1] RAX: ffffea0003ffff80 RBX: ffff8880185cc400 RCX: 0000000000000000
[ 68.714490][ C0] ? xdp_linearize_page+0x840/0x840
[ 68.719145][ T1] RDX: ffff8880114f8000 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 68.719162][ T1] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 68.738848][ C0] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 68.743692][ T1] R10: ffffffff813371ca R11: 000000000000003f R12: dffffc0000000000
[ 68.749738][ C0] ? detach_buf_split+0x599/0x7b0
[ 68.754239][ T1] R13: ffffc90000c67c18 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 68.756557][ C0] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 68.764511][ T1] FS: 00007f10760ce500(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 68.769691][ C0] ? virtqueue_get_buf_ctx_split+0x423/0x5f0
[ 68.777649][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 68.785616][ C0] virtnet_poll+0x568/0x10b0
[ 68.791843][ T1] CR2: ffffea0003ffff88 CR3: 0000000021154000 CR4: 00000000001506e0
[ 68.799801][ C0] ? receive_buf+0x6220/0x6220
[ 68.804795][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 68.812752][ C0] ? lock_downgrade+0x6e0/0x6e0
[ 68.819845][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 68.828760][ C0] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 68.834731][ T1] Kernel panic - not syncing: Fatal exception
[ 68.841381][ C0] ? napi_complete_done+0x365/0x880
[ 68.896908][ C0] __napi_poll+0xaf/0x440
[ 68.901254][ C0] net_rx_action+0x801/0xb40
[ 68.905864][ C0] ? napi_threaded_poll+0x5b0/0x5b0
[ 68.911070][ C0] ? sched_clock_cpu+0x18/0x1f0
[ 68.916121][ C0] __do_softirq+0x29b/0x9f6
[ 68.920661][ C0] irq_exit_rcu+0x134/0x200
[ 68.925175][ C0] common_interrupt+0xa4/0xd0
[ 68.929872][ C0]
[ 68.932799][ C0] asm_common_interrupt+0x1e/0x40
[ 68.937832][ C0] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70
[ 68.944264][ C0] Code: 74 24 10 e8 9a cd 4d f8 48 89 ef e8 d2 83 4e f8 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 b3 51 42 f8 65 8b 05 7c 17 f6 76 85 c0 74 0a 5b 5d c3 e8 20 0d
[ 68.963882][ C0] RSP: 0018:ffffc900016af860 EFLAGS: 00000206
[ 68.969980][ C0] RAX: 0000000000000006 RBX: 0000000000000200 RCX: 1ffffffff1b8bb61
[ 68.977951][ C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
[ 68.985922][ C0] RBP: ffff888010c2aa40 R08: 0000000000000001 R09: 0000000000000001
[ 68.993925][ C0] R10: ffffffff8179e5a8 R11: 0000000000000001 R12: 0000000000000001
[ 69.001913][ C0] R13: 0000000000000010 R14: 0000000000000001 R15: 0000000000000246
[ 69.009887][ C0] ? trace_hardirqs_on+0x38/0x1c0
[ 69.014928][ C0] __wake_up_common_lock+0xde/0x130
[ 69.020140][ C0] ? __wake_up_common+0x650/0x650
[ 69.025170][ C0] ? netlink_broadcast_filtered+0x8bc/0xdc0
[ 69.031080][ C0] sock_def_readable+0x11f/0x4c0
[ 69.036027][ C0] netlink_broadcast_filtered+0x8dd/0xdc0
[ 69.041780][ C0] netlink_sendmsg+0xa3f/0xd90
[ 69.046561][ C0] ? netlink_unicast+0x7d0/0x7d0
[ 69.051600][ C0] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.057850][ C0] ? netlink_unicast+0x7d0/0x7d0
[ 69.062797][ C0] sock_sendmsg+0xcf/0x120
[ 69.067222][ C0] ____sys_sendmsg+0x6e8/0x810
[ 69.072002][ C0] ? kernel_sendmsg+0x50/0x50
[ 69.076680][ C0] ? do_recvmmsg+0x6d0/0x6d0
[ 69.081281][ C0] ? find_held_lock+0x2d/0x110
[ 69.086068][ C0] ? do_wp_page+0xa3f/0x1aa0
[ 69.090671][ C0] ? lock_downgrade+0x6e0/0x6e0
[ 69.095539][ C0] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 69.101261][ C0] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.107512][ C0] ___sys_sendmsg+0xf3/0x170
[ 69.112113][ C0] ? sendmsg_copy_msghdr+0x160/0x160
[ 69.117412][ C0] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 69.123405][ C0] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.129655][ C0] ? __seccomp_filter+0x672/0x15e0
[ 69.134775][ C0] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.141026][ C0] ? __fget_light+0x215/0x280
[ 69.145811][ C0] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 69.152064][ C0] __sys_sendmsg+0xe5/0x1b0
[ 69.156574][ C0] ? __sys_sendmsg_sock+0x30/0x30
[ 69.161604][ C0] ? __secure_computing+0x104/0x360
[ 69.166809][ C0] do_syscall_64+0x2d/0x70
[ 69.171232][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.177143][ C0] RIP: 0033:0x7f9ad9d5be67
[ 69.181556][ C0] Code: 89 02 48 c7 c0 ff ff ff ff eb d0 0f 1f 84 00 00 00 00 00 8b 05 6a b5 20 00 85 c0 75 2e 48 63 ff 48 63 d2 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 11 71 20 00 f7 d8 64 89 02 48
[ 69.201166][ C0] RSP: 002b:00007ffdaa0c6058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 69.209601][ C0] RAX: ffffffffffffffda RBX: 0000000000008010 RCX: 00007f9ad9d5be67
[ 69.217579][ C0] RDX: 0000000000000000 RSI: 00007ffdaa0c6070 RDI: 000000000000000e
[ 69.225555][ C0] RBP: 00007ffdaa0c6070 R08: 000055935d046854 R09: 0000000000000000
[ 69.233534][ C0] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[ 69.241514][ C0] R13: 0000000000000105 R14: 000055935d047ea0 R15: 0000000000000000
[ 69.249504][ C0]
[ 69.251831][ C0] Allocated by task 1:
[ 69.255908][ C0] kasan_save_stack+0x1b/0x40
[ 69.260590][ C0] __kasan_kmalloc+0x99/0xc0
[ 69.265181][ C0] tomoyo_realpath_from_path+0xc3/0x620
[ 69.270727][ C0] tomoyo_path_perm+0x21b/0x400
[ 69.275582][ C0] security_inode_getattr+0xcf/0x140
[ 69.280868][ C0] vfs_statx+0x164/0x390
[ 69.285110][ C0] __do_sys_newlstat+0x91/0x110
[ 69.289978][ C0] do_syscall_64+0x2d/0x70
[ 69.294393][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.300309][ C0]
[ 69.302624][ C0] The buggy address belongs to the object at ffff8880196c8000
[ 69.302624][ C0] which belongs to the cache kmalloc-4k of size 4096
[ 69.316682][ C0] The buggy address is located 8 bytes inside of
[ 69.316682][ C0] 4096-byte region [ffff8880196c8000, ffff8880196c9000)
[ 69.329891][ C0] The buggy address belongs to the page:
[ 69.335513][ C0] page:ffffea000065b200 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880196c8000 pfn:0x196c8
[ 69.346980][ C0] head:ffffea000065b200 order:3 compound_mapcount:0 compound_pincount:0
[ 69.355308][ C0] flags: 0xfff00000010200(slab|head)
[ 69.360604][ C0] raw: 00fff00000010200 0000000000000000 0000000100000001 ffff888010842140
[ 69.369191][ C0] raw: ffff8880196c8000 0000000080040003 00000001ffffffff 0000000000000000
[ 69.377766][ C0] page dumped because: kasan: bad access detected
[ 69.384173][ C0]
[ 69.386491][ C0] Memory state around the buggy address:
[ 69.392129][ C0] ffff8880196c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 69.400199][ C0] ffff8880196c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 69.408260][ C0] >ffff8880196c8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.416314][ C0] ^
[ 69.420640][ C0] ffff8880196c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.428705][ C0] ffff8880196c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.436762][ C0] ==================================================================
[ 69.445319][ T1] Kernel Offset: disabled
[ 69.449647][ T1] Rebooting in 86400 seconds..