Warning: Permanently added '10.128.0.156' (ECDSA) to the list of known hosts.
2021/05/02 09:07:42 fuzzer started
2021/05/02 09:07:43 dialing manager at 10.128.0.169:44661
2021/05/02 09:07:43 syscalls: 3571
2021/05/02 09:07:43 code coverage: enabled
2021/05/02 09:07:43 comparison tracing: enabled
2021/05/02 09:07:43 extra coverage: enabled
2021/05/02 09:07:43 setuid sandbox: enabled
2021/05/02 09:07:43 namespace sandbox: enabled
2021/05/02 09:07:43 Android sandbox: /sys/fs/selinux/policy does not exist
2021/05/02 09:07:43 fault injection: enabled
2021/05/02 09:07:43 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/05/02 09:07:43 net packet injection: enabled
2021/05/02 09:07:43 net device setup: enabled
2021/05/02 09:07:43 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/05/02 09:07:43 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/05/02 09:07:43 USB emulation: enabled
2021/05/02 09:07:43 hci packet injection: enabled
2021/05/02 09:07:43 wifi device emulation: enabled
2021/05/02 09:07:43 802.15.4 emulation: enabled
2021/05/02 09:07:43 fetching corpus: 0, signal 0/2000 (executing program)
2021/05/02 09:07:43 fetching corpus: 50, signal 51138/54880 (executing program)
2021/05/02 09:07:43 fetching corpus: 100, signal 81518/86877 (executing program)
2021/05/02 09:07:43 fetching corpus: 150, signal 100273/107229 (executing program)
2021/05/02 09:07:43 fetching corpus: 200, signal 114224/122760 (executing program)
syzkaller login: [ 65.535723][ T8428] ==================================================================
[ 65.543926][ T8428] BUG: KASAN: use-after-free in __skb_datagram_iter+0x6b8/0x770
[ 65.551583][ T8428] Read of size 4 at addr ffff888031378004 by task syz-fuzzer/8428
[ 65.559376][ T8428]
[ 65.561692][ T8428] CPU: 1 PID: 8428 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 65.571223][ T8428] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.581263][ T8428] Call Trace:
[ 65.584529][ T8428] dump_stack+0x141/0x1d7
[ 65.588879][ T8428] ? __skb_datagram_iter+0x6b8/0x770
[ 65.594153][ T8428] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 65.601173][ T8428] ? __skb_datagram_iter+0x6b8/0x770
[ 65.606446][ T8428] ? __skb_datagram_iter+0x6b8/0x770
[ 65.611715][ T8428] kasan_report.cold+0x7c/0xd8
[ 65.616471][ T8428] ? __skb_datagram_iter+0x6b8/0x770
[ 65.621751][ T8428] __skb_datagram_iter+0x6b8/0x770
[ 65.626854][ T8428] ? zerocopy_sg_from_iter+0x110/0x110
[ 65.632306][ T8428] skb_copy_datagram_iter+0x40/0x50
[ 65.637493][ T8428] tcp_recvmsg_locked+0x1048/0x22f0
[ 65.642697][ T8428] ? tcp_splice_read+0x8b0/0x8b0
[ 65.647627][ T8428] ? mark_held_locks+0x9f/0xe0
[ 65.652382][ T8428] ? __local_bh_enable_ip+0xa0/0x120
[ 65.657656][ T8428] tcp_recvmsg+0x134/0x550
[ 65.662068][ T8428] ? tcp_recvmsg_locked+0x22f0/0x22f0
[ 65.667447][ T8428] ? aa_sk_perm+0x311/0xab0
[ 65.671951][ T8428] inet_recvmsg+0x11b/0x5e0
[ 65.676455][ T8428] ? inet_sendpage+0x140/0x140
[ 65.681213][ T8428] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 65.687467][ T8428] ? security_socket_recvmsg+0x8f/0xc0
[ 65.693019][ T8428] sock_read_iter+0x33c/0x470
[ 65.697689][ T8428] ? ____sys_recvmsg+0x600/0x600
[ 65.702630][ T8428] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 65.708863][ T8428] ? fsnotify+0xa58/0x1060
[ 65.713273][ T8428] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 65.719508][ T8428] new_sync_read+0x5b7/0x6e0
[ 65.724091][ T8428] ? ksys_lseek+0x1b0/0x1b0
[ 65.728581][ T8428] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 65.734560][ T8428] vfs_read+0x35c/0x570
[ 65.738707][ T8428] ksys_read+0x1ee/0x250
[ 65.742937][ T8428] ? vfs_write+0xa40/0xa40
[ 65.747340][ T8428] ? syscall_enter_from_user_mode+0x27/0x70
[ 65.753230][ T8428] do_syscall_64+0x3a/0xb0
[ 65.757635][ T8428] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.763517][ T8428] RIP: 0033:0x4af19b
[ 65.767412][ T8428] Code: fb ff eb bd e8 a6 b6 fb ff e9 61 ff ff ff cc e8 9b 82 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 65.787140][ T8428] RSP: 002b:000000c0001d9828 EFLAGS: 00000212 ORIG_RAX: 0000000000000000
[ 65.795551][ T8428] RAX: ffffffffffffffda RBX: 000000c00001c000 RCX: 00000000004af19b
[ 65.803518][ T8428] RDX: 0000000000001000 RSI: 000000c00016e000 RDI: 0000000000000006
[ 65.811476][ T8428] RBP: 000000c0001d9878 R08: 0000000000000001 R09: 0000000000000002
[ 65.819432][ T8428] R10: 0000000000004342 R11: 0000000000000212 R12: 000000000000433c
[ 65.827408][ T8428] R13: 0000000000001000 R14: 0000000000000002 R15: 0000000000000002
[ 65.835402][ T8428]
[ 65.837719][ T8428] Allocated by task 1:
[ 65.841773][ T8428] kasan_save_stack+0x1b/0x40
[ 65.846446][ T8428] __kasan_kmalloc+0x9b/0xd0
[ 65.851035][ T8428] tomoyo_realpath_from_path+0xc3/0x620
[ 65.856591][ T8428] tomoyo_path_perm+0x21b/0x400
[ 65.861464][ T8428] security_inode_getattr+0xcf/0x140
[ 65.866742][ T8428] vfs_statx+0x164/0x390
[ 65.870994][ T8428] __do_sys_newlstat+0x91/0x110
[ 65.875836][ T8428] do_syscall_64+0x3a/0xb0
[ 65.880247][ T8428] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.886129][ T8428]
[ 65.888438][ T8428] Freed by task 4174:
[ 65.892398][ T8428] kasan_save_stack+0x1b/0x40
[ 65.897081][ T8428] kasan_set_track+0x1c/0x30
[ 65.901663][ T8428] kasan_set_free_info+0x20/0x30
[ 65.906601][ T8428] __kasan_slab_free+0xfb/0x130
[ 65.911455][ T8428] slab_free_freelist_hook+0xdf/0x240
[ 65.916825][ T8428] kfree+0xe5/0x7f0
[ 65.920625][ T8428] tomoyo_realpath_from_path+0x191/0x620
[ 65.926265][ T8428] tomoyo_path_perm+0x21b/0x400
[ 65.931107][ T8428] security_inode_getattr+0xcf/0x140
[ 65.936384][ T8428] vfs_statx+0x164/0x390
[ 65.940649][ T8428] __do_sys_newlstat+0x91/0x110
[ 65.945511][ T8428] do_syscall_64+0x3a/0xb0
[ 65.949920][ T8428] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.955807][ T8428]
[ 65.958129][ T8428] The buggy address belongs to the object at ffff888031378000
[ 65.958129][ T8428]  which belongs to the cache kmalloc-4k of size 4096
[ 65.972176][ T8428] The buggy address is located 4 bytes inside of
[ 65.972176][ T8428]  4096-byte region [ffff888031378000, ffff888031379000)
[ 65.985385][ T8428] The buggy address belongs to the page:
[ 65.991003][ T8428] page:ffffea0000c4de00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x31378
[ 66.001135][ T8428] head:ffffea0000c4de00 order:3 compound_mapcount:0 compound_pincount:0
[ 66.009439][ T8428] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 66.017415][ T8428] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888011042140
[ 66.025985][ T8428] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 66.034548][ T8428] page dumped because: kasan: bad access detected
[ 66.040951][ T8428]
[ 66.043258][ T8428] Memory state around the buggy address:
[ 66.048870][ T8428]  ffff888031377f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 66.056929][ T8428]  ffff888031377f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 66.065323][ T8428] >ffff888031378000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.073366][ T8428]                    ^
[ 66.077428][ T8428]  ffff888031378080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.085473][ T8428]  ffff888031378100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.093515][ T8428] ==================================================================
[ 66.101565][ T8428] Disabling lock debugging due to kernel taint
[ 66.108173][ T8428] Kernel panic - not syncing: panic_on_warn set ...
[ 66.114764][ T8428] CPU: 0 PID: 8428 Comm: syz-fuzzer Tainted: G B 5.12.0-rc8-next-20210423-syzkaller #0
[ 66.125701][ T8428] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.135752][ T8428] Call Trace:
[ 66.139015][ T8428] dump_stack+0x141/0x1d7
[ 66.143328][ T8428] panic+0x306/0x73d
[ 66.147230][ T8428] ? __warn_printk+0xf3/0xf3
[ 66.152669][ T8428] ? preempt_schedule_common+0x59/0xc0
[ 66.158200][ T8428] ? __skb_datagram_iter+0x6b8/0x770
[ 66.163464][ T8428] ? preempt_schedule_thunk+0x16/0x18
[ 66.168914][ T8428] ? trace_hardirqs_on+0x38/0x1c0
[ 66.173916][ T8428] ? trace_hardirqs_on+0x51/0x1c0
[ 66.178918][ T8428] ? __skb_datagram_iter+0x6b8/0x770
[ 66.184178][ T8428] ? __skb_datagram_iter+0x6b8/0x770
[ 66.189479][ T8428] end_report.cold+0x5a/0x5a
[ 66.194051][ T8428] kasan_report.cold+0x6a/0xd8
[ 66.198809][ T8428] ? __skb_datagram_iter+0x6b8/0x770
[ 66.204074][ T8428] __skb_datagram_iter+0x6b8/0x770
[ 66.209164][ T8428] ? zerocopy_sg_from_iter+0x110/0x110
[ 66.214603][ T8428] skb_copy_datagram_iter+0x40/0x50
[ 66.219784][ T8428] tcp_recvmsg_locked+0x1048/0x22f0
[ 66.224966][ T8428] ? tcp_splice_read+0x8b0/0x8b0
[ 66.229886][ T8428] ? mark_held_locks+0x9f/0xe0
[ 66.234648][ T8428] ? __local_bh_enable_ip+0xa0/0x120
[ 66.239929][ T8428] tcp_recvmsg+0x134/0x550
[ 66.244325][ T8428] ? tcp_recvmsg_locked+0x22f0/0x22f0
[ 66.249681][ T8428] ? aa_sk_perm+0x311/0xab0
[ 66.254180][ T8428] inet_recvmsg+0x11b/0x5e0
[ 66.258679][ T8428] ? inet_sendpage+0x140/0x140
[ 66.263526][ T8428] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 66.269766][ T8428] ? security_socket_recvmsg+0x8f/0xc0
[ 66.275294][ T8428] sock_read_iter+0x33c/0x470
[ 66.280048][ T8428] ? ____sys_recvmsg+0x600/0x600
[ 66.284968][ T8428] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 66.291192][ T8428] ? fsnotify+0xa58/0x1060
[ 66.295606][ T8428] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 66.301829][ T8428] new_sync_read+0x5b7/0x6e0
[ 66.306418][ T8428] ? ksys_lseek+0x1b0/0x1b0
[ 66.311028][ T8428] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 66.316991][ T8428] vfs_read+0x35c/0x570
[ 66.321125][ T8428] ksys_read+0x1ee/0x250
[ 66.325433][ T8428] ? vfs_write+0xa40/0xa40
[ 66.329843][ T8428] ? syscall_enter_from_user_mode+0x27/0x70
[ 66.335730][ T8428] do_syscall_64+0x3a/0xb0
[ 66.340125][ T8428] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 66.346010][ T8428] RIP: 0033:0x4af19b
[ 66.349878][ T8428] Code: fb ff eb bd e8 a6 b6 fb ff e9 61 ff ff ff cc e8 9b 82 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 66.369462][ T8428] RSP: 002b:000000c0001d9828 EFLAGS: 00000212 ORIG_RAX: 0000000000000000
[ 66.377852][ T8428] RAX: ffffffffffffffda RBX: 000000c00001c000 RCX: 00000000004af19b
[ 66.385801][ T8428] RDX: 0000000000001000 RSI: 000000c00016e000 RDI: 0000000000000006
[ 66.393749][ T8428] RBP: 000000c0001d9878 R08: 0000000000000001 R09: 0000000000000002
[ 66.401695][ T8428] R10: 0000000000004342 R11: 0000000000000212 R12: 000000000000433c
[ 66.409656][ T8428] R13: 0000000000001000 R14: 0000000000000002 R15: 0000000000000002
[ 66.418174][ T8428] Kernel Offset: disabled
[ 66.422480][ T8428] Rebooting in 86400 seconds..