Starting Load/Save RF Kill Switch Status...
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.59' (ECDSA) to the list of known hosts.
2021/05/01 07:35:10 fuzzer started
2021/05/01 07:35:11 dialing manager at 10.128.0.169:44661
2021/05/01 07:35:11 syscalls: 3571
2021/05/01 07:35:11 code coverage: enabled
2021/05/01 07:35:11 comparison tracing: enabled
2021/05/01 07:35:11 extra coverage: enabled
2021/05/01 07:35:11 setuid sandbox: enabled
2021/05/01 07:35:11 namespace sandbox: enabled
2021/05/01 07:35:11 Android sandbox: /sys/fs/selinux/policy does not exist
2021/05/01 07:35:11 fault injection: enabled
2021/05/01 07:35:11 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/05/01 07:35:11 net packet injection: enabled
2021/05/01 07:35:11 net device setup: enabled
2021/05/01 07:35:11 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/05/01 07:35:11 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/05/01 07:35:11 USB emulation: enabled
2021/05/01 07:35:11 hci packet injection: enabled
2021/05/01 07:35:11 wifi device emulation: enabled
2021/05/01 07:35:11 802.15.4 emulation: enabled
2021/05/01 07:35:11 fetching corpus: 0, signal 0/2000 (executing program)
syzkaller login: [ 71.635173][ T8455] ==================================================================
[ 71.638717][ T8469] BUG: unable to handle page fault for address: ffffea0003ffff88
[ 71.643714][ T8455] BUG: KASAN: use-after-free in skb_try_coalesce+0x1335/0x1440
[ 71.651436][ T8469] #PF: supervisor read access in kernel mode
[ 71.659142][ T8455] Write of size 4 at addr ffff88801c068008 by task syz-fuzzer/8455
[ 71.665112][ T8469] #PF: error_code(0x0000) - not-present page
[ 71.673131][ T8455]
[ 71.673141][ T8455] CPU: 0 PID: 8455 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 71.679251][ T8469] PGD 13fff8067 P4D 13fff8067
[ 71.681602][ T8455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.691680][ T8469] PUD 13fff7067
[ 71.696652][ T8455] Call Trace:
[ 71.696666][ T8455] dump_stack+0x141/0x1d7
[ 71.706944][ T8469] PMD 0
[ 71.711100][ T8455] ? skb_try_coalesce+0x1335/0x1440
[ 71.714373][ T8469]
[ 71.714382][ T8469] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 71.718830][ T8455] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 71.721678][ T8469] CPU: 1 PID: 8469 Comm: systemd-udevd Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 71.726865][ T8455] ? skb_try_coalesce+0x1335/0x1440
[ 71.729188][ T8469] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.734562][ T8455] ? skb_try_coalesce+0x1335/0x1440
[ 71.741784][ T8469] RIP: 0010:qlist_free_all+0x85/0xc0
[ 71.751921][ T8455] kasan_report.cold+0x7c/0xd8
[ 71.757123][ T8469] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 71.767381][ T8455] ? __sanitizer_cov_trace_cmp8+0x51/0x70
[ 71.772667][ T8469] RSP: 0018:ffffc900016dfd20 EFLAGS: 00010282
[ 71.777941][ T8455] ? skb_try_coalesce+0x1335/0x1440
[ 71.782695][ T8469]
[ 71.782702][ T8469] RAX: ffffea0003ffff80 RBX: ffff888031ac7128 RCX: 0000000000000000
[ 71.802383][ T8455] skb_try_coalesce+0x1335/0x1440
[ 71.808098][ T8469] RDX: ffff88801609d580 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 71.814252][ T8455] tcp_try_coalesce+0x393/0x920
[ 71.819489][ T8469] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 71.821813][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 71.829972][ T8469] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[ 71.835109][ T8455] ? tcp_urg.part.0+0x2d0/0x2d0
[ 71.843378][ T8469] R13: ffffc900016dfd58 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 71.848258][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 71.856649][ T8469] FS: 00007f93b02118c0(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 71.862890][ T8455] ? tcp_try_rmem_schedule+0x98b/0x16d0
[ 71.870862][ T8469] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 71.875876][ T8455] tcp_queue_rcv+0x8a/0x6e0
[ 71.883989][ T8469] CR2: ffffea0003ffff88 CR3: 0000000013474000 CR4: 00000000001506e0
[ 71.890447][ T8455] tcp_data_queue+0x150a/0x4b10
[ 71.899547][ T8469] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 71.905092][ T8455] ? tcp_data_ready+0x540/0x540
[ 71.911753][ T8469] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 71.916382][ T8455] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 71.924357][ T8469] Call Trace:
[ 71.929288][ T8455] ? ktime_get+0x30b/0x470
[ 71.937264][ T8469] kasan_quarantine_reduce+0x180/0x200
[ 71.942109][ T8455] tcp_rcv_established+0x841/0x1eb0
[ 71.950074][ T8469] __kasan_slab_alloc+0x8e/0xa0
[ 71.955788][ T8455] ? tcp_data_queue+0x4b10/0x4b10
[ 71.959178][ T8469] kmem_cache_alloc+0x152/0x3a0
[ 71.963586][ T8455] ? mark_held_locks+0x9f/0xe0
[ 71.969037][ T8469] alloc_inode+0x161/0x230
[ 71.974304][ T8455] tcp_v4_do_rcv+0x5d1/0x870
[ 71.979153][ T8469] new_inode_pseudo+0x14/0xe0
[ 71.984238][ T8455] __release_sock+0x134/0x3b0
[ 71.989088][ T8469] create_pipe_files+0x4d/0x880
[ 71.993845][ T8455] release_sock+0x54/0x1b0
[ 71.998253][ T8469] do_pipe2+0x96/0x1b0
[ 72.002839][ T8455] tcp_recvmsg+0x13f/0x550
[ 72.007589][ T8469] ? create_pipe_files+0x880/0x880
[ 72.012380][ T8455] ? tcp_recvmsg_locked+0x22f0/0x22f0
[ 72.017224][ T8469] ? __secure_computing+0x104/0x360
[ 72.021635][ T8455] ? aa_sk_perm+0x311/0xab0
[ 72.025816][ T8469] __x64_sys_pipe2+0x50/0x70
[ 72.030230][ T8455] inet_recvmsg+0x11b/0x5e0
[ 72.035413][ T8469] do_syscall_64+0x3a/0xb0
[ 72.040915][ T8455] ? inet_sendpage+0x140/0x140
[ 72.046176][ T8469] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.050946][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 72.055534][ T8469] RIP: 0033:0x7f93af084047
[ 72.060267][ T8455] ? security_socket_recvmsg+0x8f/0xc0
[ 72.064859][ T8469] Code: 73 01 c3 48 8b 0d 51 ce 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 25 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 21 ce 2b 00 f7 d8 64 89 01 48
[ 72.070057][ T8455] sock_read_iter+0x33c/0x470
[ 72.075952][ T8469] RSP: 002b:00007fffb66870d8 EFLAGS: 00000202
[ 72.082299][ T8455] ? ____sys_recvmsg+0x600/0x600
[ 72.086881][ T8469] ORIG_RAX: 0000000000000125
[ 72.092415][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 72.112028][ T8469] RAX: ffffffffffffffda RBX: 0000556c55d67db0 RCX: 00007f93af084047
[ 72.116700][ T8455] ? fsnotify+0xa58/0x1060
[ 72.122846][ T8469] RDX: 0000000003938700 RSI: 0000000000000800 RDI: 00007fffb6687198
[ 72.127791][ T8455] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 72.132461][ T8469] RBP: 00007fffb6688bf0 R08: 00007fffb6688bf0 R09: 0000000000000000
[ 72.138831][ T8455] new_sync_read+0x5b7/0x6e0
[ 72.146997][ T8469] R10: 0000556c55d66160 R11: 0000000000000202 R12: 0000556c55d66160
[ 72.151508][ T8455] ? ksys_lseek+0x1b0/0x1b0
[ 72.159901][ T8469] R13: 000000000aba9500 R14: 000000000000000b R15: 00007fffb6688bf0
[ 72.166152][ T8455] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 72.174406][ T8469] Modules linked in:
[ 72.178999][ T8455] vfs_read+0x35c/0x570
[ 72.187084][ T8469] CR2: ffffea0003ffff88
[ 72.191584][ T8455] ksys_read+0x1ee/0x250
[ 72.199622][ T8469] ---[ end trace ae3187e68290ffeb ]---
[ 72.205524][ T8455] ? vfs_write+0xa40/0xa40
[ 72.209431][ T8469] RIP: 0010:qlist_free_all+0x85/0xc0
[ 72.213582][ T8455] ? syscall_enter_from_user_mode+0x27/0x70
[ 72.217817][ T8469] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 72.222055][ T8455] do_syscall_64+0x3a/0xb0
[ 72.227508][ T8469] RSP: 0018:ffffc900016dfd20 EFLAGS: 00010282
[ 72.231920][ T8455] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.237193][ T8469]
[ 72.237200][ T8469] RAX: ffffea0003ffff80 RBX: ffff888031ac7128 RCX: 0000000000000000
[ 72.243090][ T8455] RIP: 0033:0x4af19b
[ 72.262930][ T8469] RDX: ffff88801609d580 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 72.267347][ T8455] Code: fb ff eb bd e8 a6 b6 fb ff e9 61 ff ff ff cc e8 9b 82 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 72.273554][ T8469] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 72.279552][ T8455] RSP: 002b:000000c0002cd828 EFLAGS: 00000212
[ 72.281881][ T8469] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[ 72.289848][ T8455] ORIG_RAX: 0000000000000000
[ 72.293737][ T8469] R13: ffffc900016dfd58 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 72.301702][ T8455] RAX: ffffffffffffffda RBX: 000000c00001c000 RCX: 00000000004af19b
[ 72.321392][ T8469] FS: 00007f93b02118c0(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 72.329377][ T8455] RDX: 0000000000001000 RSI: 000000c000202000 RDI: 0000000000000006
[ 72.335548][ T8469] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.343650][ T8455] RBP: 000000c0002cd878 R08: 0000000000000001 R09: 0000000000000002
[ 72.348473][ T8469] CR2: ffffea0003ffff88 CR3: 0000000013474000 CR4: 00000000001506e0
[ 72.356784][ T8455] R10: 0000000000003efb R11: 0000000000000212 R12: 0000000000003ef7
[ 72.364757][ T8469] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 72.373815][ T8455] R13: 0000000000000400 R14: 0000000000000004 R15: 0000000000000004
[ 72.381788][ T8469] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 72.388518][ T8455]
[ 72.396692][ T8469] Kernel panic - not syncing: Fatal exception
[ 72.404675][ T8455] Allocated by task 1:
[ 72.449660][ T8455] kasan_save_stack+0x1b/0x40
[ 72.454364][ T8455] __kasan_kmalloc+0x9b/0xd0
[ 72.458973][ T8455] tomoyo_realpath_from_path+0xc3/0x620
[ 72.464539][ T8455] tomoyo_path_perm+0x21b/0x400
[ 72.469923][ T8455] security_inode_getattr+0xcf/0x140
[ 72.475260][ T8455] vfs_statx+0x164/0x390
[ 72.479519][ T8455] __do_sys_newlstat+0x91/0x110
[ 72.484504][ T8455] do_syscall_64+0x3a/0xb0
[ 72.488937][ T8455] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.494844][ T8455]
[ 72.497172][ T8455] The buggy address belongs to the object at ffff88801c068000
[ 72.497172][ T8455] which belongs to the cache kmalloc-4k of size 4096
[ 72.511228][ T8455] The buggy address is located 8 bytes inside of
[ 72.511228][ T8455] 4096-byte region [ffff88801c068000, ffff88801c069000)
[ 72.524694][ T8455] The buggy address belongs to the page:
[ 72.531633][ T8455] page:ffffea0000701a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801c068000 pfn:0x1c068
[ 72.543272][ T8455] head:ffffea0000701a00 order:3 compound_mapcount:0 compound_pincount:0
[ 72.552247][ T8455] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 72.560399][ T8455] raw: 00fff00000010200 ffffea0000bebe00 0000000200000002 ffff888011042140
[ 72.568992][ T8455] raw: ffff88801c068000 0000000080040003 00000001ffffffff 0000000000000000
[ 72.577580][ T8455] page dumped because: kasan: bad access detected
[ 72.584117][ T8455]
[ 72.586514][ T8455] Memory state around the buggy address:
[ 72.592234][ T8455] ffff88801c067f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 72.600475][ T8455] ffff88801c067f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 72.608547][ T8455] >ffff88801c068000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.616694][ T8455]                    ^
[ 72.621031][ T8455] ffff88801c068080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.629212][ T8455] ffff88801c068100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.637355][ T8455] ==================================================================
[ 72.646296][ T8469] Kernel Offset: disabled
[ 72.651040][ T8469] Rebooting in 86400 seconds..