[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.241' (ECDSA) to the list of known hosts.
2021/04/26 04:24:57 fuzzer started
2021/04/26 04:24:57 dialing manager at 10.128.0.169:40357
2021/04/26 04:24:57 syscalls: 3560
2021/04/26 04:24:57 code coverage: enabled
2021/04/26 04:24:57 comparison tracing: enabled
2021/04/26 04:24:57 extra coverage: enabled
2021/04/26 04:24:57 setuid sandbox: enabled
2021/04/26 04:24:57 namespace sandbox: enabled
2021/04/26 04:24:57 Android sandbox: /sys/fs/selinux/policy does not exist
2021/04/26 04:24:57 fault injection: enabled
2021/04/26 04:24:57 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/04/26 04:24:57 net packet injection: enabled
2021/04/26 04:24:57 net device setup: enabled
2021/04/26 04:24:57 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/04/26 04:24:57 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/04/26 04:24:57 USB emulation: enabled
2021/04/26 04:24:57 hci packet injection: enabled
2021/04/26 04:24:57 wifi device emulation: enabled
2021/04/26 04:24:57 802.15.4 emulation: enabled
2021/04/26 04:24:57 fetching corpus: 0, signal 0/2000 (executing program)
syzkaller login: [ 70.522887][ C1] ==================================================================
[ 70.530972][ T8486] BUG: unable to handle page fault for address: ffffea0003ffff88
[ 70.531142][ C1] BUG: KASAN: use-after-free in skb_try_coalesce+0x1335/0x1440
[ 70.538850][ T8486] #PF: supervisor read access in kernel mode
[ 70.546377][ C1] Write of size 4 at addr ffff888031268008 by task syz-fuzzer/8470
[ 70.552338][ T8486] #PF: error_code(0x0000) - not-present page
[ 70.560222][ C1]
[ 70.560231][ C1] CPU: 1 PID: 8470 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 70.566183][ T8486] PGD 13fff8067
[ 70.568497][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.578995][ T8486] P4D 13fff8067
[ 70.582537][ C1] Call Trace:
[ 70.582557][ C1] dump_stack+0x141/0x1d7
[ 70.592600][ T8486] PUD 13fff7067
[ 70.596142][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 70.600278][ T8486] PMD 0
[ 70.604587][ C1] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 70.608135][ T8486]
[ 70.608146][ T8486] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 70.613358][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 70.616195][ T8486] CPU: 0 PID: 8486 Comm: systemd-sysctl Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 70.623194][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 70.623226][ C1] kasan_report.cold+0x7c/0xd8
[ 70.625533][ T8486] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.630715][ C1] ? __sanitizer_cov_trace_cmp8+0x51/0x70
[ 70.635884][ T8486] RIP: 0010:qlist_free_all+0x85/0xc0
[ 70.645928][ C1] ? skb_try_coalesce+0x1335/0x1440
[ 70.651126][ T8486] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 70.655968][ C1] skb_try_coalesce+0x1335/0x1440
[ 70.666006][ T8486] RSP: 0018:ffffc900016ffa20 EFLAGS: 00010282
[ 70.671727][ C1] tcp_try_coalesce+0x393/0x920
[ 70.676980][ T8486]
[ 70.676987][ T8486] RAX: ffffea0003ffff80 RBX: ffff888033a1e000 RCX: 0000000000000000
[ 70.682165][ C1] ? mark_held_locks+0x9f/0xe0
[ 70.701753][ T8486] RDX: ffff888015e9d580 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 70.706799][ C1] ? tcp_urg.part.0+0x2d0/0x2d0
[ 70.712845][ T8486] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 70.717678][ C1] ? ktime_get+0x38a/0x470
[ 70.719982][ T8486] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[ 70.727935][ C1] ? lockdep_hardirqs_on+0x79/0x100
[ 70.732675][ T8486] R13: ffffc900016ffa58 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 70.740632][ C1] tcp_queue_rcv+0x8a/0x6e0
[ 70.745453][ T8486] FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 70.753408][ C1] tcp_rcv_established+0x1756/0x1eb0
[ 70.757799][ T8486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 70.765752][ C1] ? tcp_data_queue+0x4b10/0x4b10
[ 70.770926][ T8486] CR2: ffffea0003ffff88 CR3: 00000000169ef000 CR4: 00000000001506f0
[ 70.778875][ C1] ? do_raw_spin_lock+0x120/0x2b0
[ 70.783354][ T8486] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 70.792288][ C1] tcp_v4_do_rcv+0x5d1/0x870
[ 70.797647][ T8486] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 70.804229][ C1] tcp_v4_rcv+0x3298/0x3950
[ 70.809227][ T8486] Call Trace:
[ 70.809244][ T8486] kasan_quarantine_reduce+0x180/0x200
[ 70.818429][ C1] ? tcp_v4_early_demux+0x8f0/0x8f0
[ 70.823436][ T8486] __kasan_slab_alloc+0x8e/0xa0
[ 70.831404][ C1] ? lock_release+0x720/0x720
[ 70.835979][ T8486] __kmalloc+0x1f7/0x330
[ 70.843940][ C1] ip_protocol_deliver_rcu+0xa7/0xa20
[ 70.848433][ T8486] tomoyo_realpath_from_path+0xc3/0x620
[ 70.851699][ C1] ip_local_deliver_finish+0x20a/0x370
[ 70.857137][ T8486] ? tomoyo_profile+0x42/0x50
[ 70.862324][ C1] ip_local_deliver+0x1b3/0x200
[ 70.867153][ T8486] tomoyo_path_perm+0x21b/0x400
[ 70.871824][ C1] ip_sublist_rcv_finish+0x9a/0x2c0
[ 70.876057][ T8486] ? tomoyo_path_perm+0x1c1/0x400
[ 70.881418][ C1] ip_list_rcv_finish.constprop.0+0x51e/0x6e0
[ 70.886944][ T8486] ? tomoyo_check_open_permission+0x380/0x380
[ 70.892389][ C1] ? ip_rcv_finish_core.constprop.0+0x1e80/0x1e80
[ 70.897044][ T8486] ? lock_chain_count+0x20/0x20
[ 70.902570][ C1] ? ip_list_rcv_finish.constprop.0+0x6e0/0x6e0
[ 70.907418][ T8486] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 70.912609][ C1] ? ip_rcv_core+0x867/0xcb0
[ 70.917623][ T8486] security_inode_getattr+0xcf/0x140
[ 70.923697][ C1] ip_list_rcv+0x34e/0x490
[ 70.929746][ T8486] vfs_fstat+0x43/0xb0
[ 70.936144][ C1] ? ip_rcv+0xd0/0xd0
[ 70.940974][ T8486] __do_sys_newfstat+0x81/0x100
[ 70.947197][ C1] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 70.953165][ T8486] ? __do_sys_fstat+0x100/0x100
[ 70.957738][ C1] ? find_held_lock+0x2d/0x110
[ 70.963002][ T8486] ? __context_tracking_exit+0xb8/0xe0
[ 70.967396][ C1] ? ip_rcv+0xd0/0xd0
[ 70.971447][ T8486] ? __secure_computing+0x104/0x360
[ 70.975409][ C1] __netif_receive_skb_list_core+0x549/0x8e0
[ 70.980240][ T8486] ? syscall_trace_enter.constprop.0+0x94/0x270
[ 70.986234][ C1] ? process_backlog+0x6c0/0x6c0
[ 70.991061][ T8486] do_syscall_64+0x3a/0xb0
[ 70.995823][ C1] ? ktime_get_with_offset+0x3f2/0x500
[ 71.001265][ T8486] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 71.005228][ C1] ? lockdep_hardirqs_on+0x79/0x100
[ 71.010405][ T8486] RIP: 0033:0x7f30be188142
[ 71.016374][ C1] netif_receive_skb_list_internal+0x75e/0xd80
[ 71.022592][ T8486] Code: b8 ff ff ff ff c3 66 90 c7 05 f6 bf 20 00 16 00 00 00 b8 ff ff ff ff c3 83 ff 01 77 2b 48 63 fe b8 05 00 00 00 48 89 d6 0f 05 <48> 3d 00 f0 ff ff 77 06 f3 c3 0f 1f 40 00 f7 d8 89 05 c8 bf 20 00
[ 71.027945][ C1] ? __netif_receive_skb_list_core+0x8e0/0x8e0
[ 71.032336][ T8486] RSP: 002b:00007ffd8363ad68 EFLAGS: 00000246
[ 71.037777][ C1] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 71.043647][ T8486] ORIG_RAX: 0000000000000005
[ 71.048839][ C1] ? detach_buf_split+0x599/0x7b0
[ 71.053231][ T8486] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f30be188142
[ 71.059371][ C1] ? __sanitizer_cov_trace_cmp2+0x22/0x80
[ 71.078976][ T8486] RDX: 00007ffd8363adf0 RSI: 00007ffd8363adf0 RDI: 0000000000000003
[ 71.085118][ C1] napi_complete_done+0x1f1/0x880
[ 71.091161][ T8486] RBP: 00007ffd8363aeb0 R08: 00007f30be394de0 R09: 00007f30be394170
[ 71.097382][ C1] virtnet_poll+0xbeb/0x1180
[ 71.102029][ T8486] R10: 00007ffd8363af50 R11: 0000000000000246 R12: 00007f30be394170
[ 71.107036][ C1] ? receive_buf+0x6250/0x6250
[ 71.114986][ T8486] R13: 0000000000000000 R14: 00007f30be393040 R15: 00007ffd8363af50
[ 71.120693][ C1] __napi_poll+0xaf/0x440
[ 71.129366][ T8486] Modules linked in:
[ 71.134871][ C1] net_rx_action+0x801/0xb40
[ 71.142841][ T8486]
[ 71.142858][ T8486] CR2: ffffea0003ffff88
[ 71.147471][ C1] ? napi_threaded_poll+0x5b0/0x5b0
[ 71.156402][ T8486] ---[ end trace b400d531c0968649 ]---
[ 71.161174][ C1] ? sched_clock_cpu+0x18/0x1f0
[ 71.169149][ T8486] RIP: 0010:qlist_free_all+0x85/0xc0
[ 71.176801][ C1] __do_softirq+0x29b/0x9fe
[ 71.180706][ T8486] Code: 85 ff 74 3b 4c 89 fe 48 85 ed 48 89 ef 75 cb 48 89 f7 48 89 34 24 e8 4a 2e 7a ff 48 8b 34 24 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 9b 49
[ 71.185307][ C1] __irq_exit_rcu+0x136/0x200
[ 71.187643][ T8486] RSP: 0018:ffffc900016ffa20 EFLAGS: 00010282
[ 71.191806][ C1] irq_exit_rcu+0x5/0x20
[ 71.196988][ T8486]
[ 71.196998][ T8486] RAX: ffffea0003ffff80 RBX: ffff888033a1e000 RCX: 0000000000000000
[ 71.202518][ C1] common_interrupt+0x51/0xd0
[ 71.207369][ T8486] RDX: ffff888015e9d580 RSI: ffff8880ffffea00 RDI: 0000000000000003
[ 71.212647][ C1] ? asm_common_interrupt+0x8/0x40
[ 71.217125][ T8486] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000002e
[ 71.236729][ C1] asm_common_interrupt+0x1e/0x40
[ 71.236766][ C1] RIP: 0033:0x6324af
[ 71.241421][ T8486] R10: ffffffff81342fea R11: 000000000000003f R12: dffffc0000000000
[ 71.247490][ C1] Code: c1 e8 09 23 82 20 08 00 00 48 39 c8 0f 83 ce 00 00 00 8b 1c 83 41 89 d9 83 e3 0f 48 39 df 73 0a 48 89 5c 24 38 e9 d2 fe ff ff <48> 85 db 75 76 44 89 46 18 48 89 7e 20 48 8b 46 10 48 89 04 24 e8
[ 71.251714][ T8486] R13: ffffc900016ffa58 R14: ffffea0000000000 R15: ffff8880ffffea00
[ 71.254029][ C1] RSP: 002b:000000c000415ac0 EFLAGS: 00000206
[ 71.261989][ T8486] FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 71.266760][ C1]
[ 71.266767][ C1] RAX: 0000000000005ed0 RBX: 0000000000000003 RCX: 0000000000000007
[ 71.274735][ T8486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 71.279821][ C1] RDX: 000000c0004fe028 RSI: 000000c0004fe000 RDI: 000000000000000f
[ 71.287870][ T8486] CR2: ffffea0003ffff88 CR3: 00000000169ef000 CR4: 00000000001506f0
[ 71.292875][ C1] RBP: 000000c000415b08 R08: 0000000000005ed0 R09: 0000000000000fc3
[ 71.297030][ T8486] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 71.304983][ C1] R10: 000000000000449f R11: 0000000000001259 R12: 0000000000004499
[ 71.324597][ T8486] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 71.333102][ C1] R13: 0000000000001000 R14: 0000000000000002 R15: 0000000000000002
[ 71.339241][ T8486] Kernel panic - not syncing: Fatal exception
[ 71.348160][ C1]
[ 71.432832][ C1] Allocated by task 6459:
[ 71.437162][ C1] kasan_save_stack+0x1b/0x40
[ 71.441851][ C1] __kasan_kmalloc+0x9b/0xd0
[ 71.446441][ C1] tomoyo_realpath_from_path+0xc3/0x620
[ 71.451987][ C1] tomoyo_path_perm+0x21b/0x400
[ 71.456837][ C1] security_inode_getattr+0xcf/0x140
[ 71.462121][ C1] vfs_statx+0x164/0x390
[ 71.467992][ C1] __do_sys_newlstat+0x91/0x110
[ 71.472862][ C1] do_syscall_64+0x3a/0xb0
[ 71.477575][ C1] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 71.484787][ C1]
[ 71.487106][ C1] The buggy address belongs to the object at ffff888031268000
[ 71.487106][ C1] which belongs to the cache kmalloc-4k of size 4096
[ 71.501592][ C1] The buggy address is located 8 bytes inside of
[ 71.501592][ C1] 4096-byte region [ffff888031268000, ffff888031269000)
[ 71.514889][ C1] The buggy address belongs to the page:
[ 71.520620][ C1] page:ffffea0000c49a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888031268000 pfn:0x31268
[ 71.532159][ C1] head:ffffea0000c49a00 order:3 compound_mapcount:0 compound_pincount:0
[ 71.540479][ C1] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 71.548581][ C1] raw: 00fff00000010200 ffffea00006c8c00 0000000200000002 ffff888011042140
[ 71.557164][ C1] raw: ffff888031268000 0000000080040000 00000001ffffffff 0000000000000000
[ 71.565845][ C1] page dumped because: kasan: bad access detected
[ 71.572257][ C1]
[ 71.574574][ C1] Memory state around the buggy address:
[ 71.580193][ C1] ffff888031267f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 71.588337][ C1] ffff888031267f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 71.596397][ C1] >ffff888031268000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.604467][ C1] ^
[ 71.608811][ C1] ffff888031268080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.616952][ C1] ffff888031268100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.625003][ C1] ==================================================================
[ 71.633508][ T8486] Kernel Offset: disabled
[ 71.637897][ T8486] Rebooting in 86400 seconds..