[ OK ] Started Getty on tty2.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.97' (ECDSA) to the list of known hosts.
2021/05/02 06:36:16 fuzzer started
2021/05/02 06:36:17 dialing manager at 10.128.0.169:44661
2021/05/02 06:36:17 syscalls: 3571
2021/05/02 06:36:17 code coverage: enabled
2021/05/02 06:36:17 comparison tracing: enabled
2021/05/02 06:36:17 extra coverage: enabled
2021/05/02 06:36:17 setuid sandbox: enabled
2021/05/02 06:36:17 namespace sandbox: enabled
2021/05/02 06:36:17 Android sandbox: /sys/fs/selinux/policy does not exist
2021/05/02 06:36:17 fault injection: enabled
2021/05/02 06:36:17 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2021/05/02 06:36:17 net packet injection: enabled
2021/05/02 06:36:17 net device setup: enabled
2021/05/02 06:36:17 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2021/05/02 06:36:17 devlink PCI setup: PCI device 0000:00:10.0 is not available
2021/05/02 06:36:17 USB emulation: enabled
2021/05/02 06:36:17 hci packet injection: enabled
2021/05/02 06:36:17 wifi device emulation: enabled
2021/05/02 06:36:17 802.15.4 emulation: enabled
2021/05/02 06:36:17 fetching corpus: 0, signal 0/2000 (executing program)
2021/05/02 06:36:17 fetching corpus: 50, signal 44348/48120 (executing program)
2021/05/02 06:36:17 fetching corpus: 100, signal 81948/87312 (executing program)
2021/05/02 06:36:17 fetching corpus: 150, signal 104188/111086 (executing program)
2021/05/02 06:36:18 fetching corpus: 200, signal 122277/130679 (executing program)
2021/05/02 06:36:18 fetching corpus: 250, signal 140512/150317 (executing program)
2021/05/02 06:36:18 fetching corpus: 300, signal 156986/168083 (executing program)
2021/05/02 06:36:18 fetching corpus: 350, signal 169410/181850 (executing program)
2021/05/02 06:36:18 fetching corpus: 400, signal 181828/195545 (executing program)
2021/05/02 06:36:18 fetching corpus: 450, signal 201500/216200 (executing program)
2021/05/02 06:36:19 fetching corpus: 500, signal 211231/227106 (executing program)

syzkaller login: [ 74.759211][ T8435] ==================================================================
[ 74.767575][ T8435] BUG: KASAN: use-after-free in __skb_datagram_iter+0x6b8/0x770
[ 74.775252][ T8435] Read of size 4 at addr ffff88802eca0004 by task syz-fuzzer/8435
[ 74.783318][ T8435]
[ 74.785637][ T8435] CPU: 1 PID: 8435 Comm: syz-fuzzer Not tainted 5.12.0-rc8-next-20210423-syzkaller #0
[ 74.795177][ T8435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.805258][ T8435] Call Trace:
[ 74.808543][ T8435] dump_stack+0x141/0x1d7
[ 74.812889][ T8435] ? __skb_datagram_iter+0x6b8/0x770
[ 74.818166][ T8435] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 74.825224][ T8435] ? __skb_datagram_iter+0x6b8/0x770
[ 74.830539][ T8435] ? __skb_datagram_iter+0x6b8/0x770
[ 74.835847][ T8435] kasan_report.cold+0x7c/0xd8
[ 74.841614][ T8435] ? __skb_datagram_iter+0x6b8/0x770
[ 74.846929][ T8435] __skb_datagram_iter+0x6b8/0x770
[ 74.852089][ T8435] ? zerocopy_sg_from_iter+0x110/0x110
[ 74.857938][ T8435] skb_copy_datagram_iter+0x40/0x50
[ 74.863172][ T8435] tcp_recvmsg_locked+0x1048/0x22f0
[ 74.868432][ T8435] ? tcp_splice_read+0x8b0/0x8b0
[ 74.873500][ T8435] ? mark_held_locks+0x9f/0xe0
[ 74.878314][ T8435] ? __local_bh_enable_ip+0xa0/0x120
[ 74.883628][ T8435] tcp_recvmsg+0x134/0x550
[ 74.888090][ T8435] ? tcp_recvmsg_locked+0x22f0/0x22f0
[ 74.893492][ T8435] ? aa_sk_perm+0x311/0xab0
[ 74.898207][ T8435] inet_recvmsg+0x11b/0x5e0
[ 74.902749][ T8435] ? inet_sendpage+0x140/0x140
[ 74.907536][ T8435] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 74.913803][ T8435] ? security_socket_recvmsg+0x8f/0xc0
[ 74.919291][ T8435] sock_read_iter+0x33c/0x470
[ 74.924349][ T8435] ? ____sys_recvmsg+0x600/0x600
[ 74.929316][ T8435] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 74.935586][ T8435] ? fsnotify+0xa58/0x1060
[ 74.940030][ T8435] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 74.946312][ T8435] new_sync_read+0x5b7/0x6e0
[ 74.950938][ T8435] ? ksys_lseek+0x1b0/0x1b0
[ 74.955498][ T8435] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 74.961637][ T8435] vfs_read+0x35c/0x570
[ 74.965917][ T8435] ksys_read+0x1ee/0x250
[ 74.972190][ T8435] ? vfs_write+0xa40/0xa40
[ 74.976732][ T8435] ? syscall_enter_from_user_mode+0x27/0x70
[ 74.982658][ T8435] do_syscall_64+0x3a/0xb0
[ 74.987109][ T8435] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.993017][ T8435] RIP: 0033:0x4af19b
[ 74.996940][ T8435] Code: fb ff eb bd e8 a6 b6 fb ff e9 61 ff ff ff cc e8 9b 82 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 75.016675][ T8435] RSP: 002b:000000c0000a3828 EFLAGS: 00000212 ORIG_RAX: 0000000000000000
[ 75.025126][ T8435] RAX: ffffffffffffffda RBX: 000000c00001e800 RCX: 00000000004af19b
[ 75.033110][ T8435] RDX: 0000000000001000 RSI: 000000c000220000 RDI: 0000000000000006
[ 75.041092][ T8435] RBP: 000000c0000a3878 R08: 0000000000000001 R09: 0000000000000002
[ 75.049088][ T8435] R10: 0000000000004cab R11: 0000000000000212 R12: 0000000000004ca7
[ 75.057090][ T8435] R13: 0000000000000400 R14: 0000000000000002 R15: 0000000000000002
[ 75.065103][ T8435]
[ 75.067429][ T8435] The buggy address belongs to the page:
[ 75.073052][ T8435] page:ffffea0000bb2800 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x2eca0
[ 75.083476][ T8435] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 75.090615][ T8435] raw: 00fff00000000000 ffffea0000bb1e08 ffff88813fffb978 0000000000000000
[ 75.099212][ T8435] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[ 75.107800][ T8435] page dumped because: kasan: bad access detected
[ 75.114211][ T8435]
[ 75.116540][ T8435] Memory state around the buggy address:
[ 75.122329][ T8435] ffff88802ec9ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 75.130405][ T8435] ffff88802ec9ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 75.138507][ T8435] >ffff88802eca0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 75.146851][ T8435] ^
[ 75.150930][ T8435] ffff88802eca0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 75.159012][ T8435] ffff88802eca0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 75.167097][ T8435] ==================================================================
[ 75.175164][ T8435] Disabling lock debugging due to kernel taint
[ 75.182861][ T8435] Kernel panic - not syncing: panic_on_warn set ...
[ 75.189549][ T8435] CPU: 1 PID: 8435 Comm: syz-fuzzer Tainted: G B 5.12.0-rc8-next-20210423-syzkaller #0
[ 75.200521][ T8435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.210763][ T8435] Call Trace:
[ 75.214068][ T8435] dump_stack+0x141/0x1d7
[ 75.218408][ T8435] panic+0x306/0x73d
[ 75.222317][ T8435] ? __warn_printk+0xf3/0xf3
[ 75.227002][ T8435] ? preempt_schedule_common+0x59/0xc0
[ 75.232470][ T8435] ? __skb_datagram_iter+0x6b8/0x770
[ 75.237775][ T8435] ? preempt_schedule_thunk+0x16/0x18
[ 75.243154][ T8435] ? trace_hardirqs_on+0x38/0x1c0
[ 75.248183][ T8435] ? trace_hardirqs_on+0x51/0x1c0
[ 75.253214][ T8435] ? __skb_datagram_iter+0x6b8/0x770
[ 75.258504][ T8435] ? __skb_datagram_iter+0x6b8/0x770
[ 75.263895][ T8435] end_report.cold+0x5a/0x5a
[ 75.268507][ T8435] kasan_report.cold+0x6a/0xd8
[ 75.273287][ T8435] ? __skb_datagram_iter+0x6b8/0x770
[ 75.278582][ T8435] __skb_datagram_iter+0x6b8/0x770
[ 75.283704][ T8435] ? zerocopy_sg_from_iter+0x110/0x110
[ 75.289176][ T8435] skb_copy_datagram_iter+0x40/0x50
[ 75.294383][ T8435] tcp_recvmsg_locked+0x1048/0x22f0
[ 75.299603][ T8435] ? tcp_splice_read+0x8b0/0x8b0
[ 75.304571][ T8435] ? mark_held_locks+0x9f/0xe0
[ 75.309374][ T8435] ? __local_bh_enable_ip+0xa0/0x120
[ 75.314676][ T8435] tcp_recvmsg+0x134/0x550
[ 75.319113][ T8435] ? tcp_recvmsg_locked+0x22f0/0x22f0
[ 75.324517][ T8435] ? aa_sk_perm+0x311/0xab0
[ 75.329042][ T8435] inet_recvmsg+0x11b/0x5e0
[ 75.333572][ T8435] ? inet_sendpage+0x140/0x140
[ 75.338354][ T8435] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 75.344616][ T8435] ? security_socket_recvmsg+0x8f/0xc0
[ 75.350273][ T8435] sock_read_iter+0x33c/0x470
[ 75.354964][ T8435] ? ____sys_recvmsg+0x600/0x600
[ 75.359925][ T8435] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 75.366352][ T8435] ? fsnotify+0xa58/0x1060
[ 75.370777][ T8435] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 75.377661][ T8435] new_sync_read+0x5b7/0x6e0
[ 75.382262][ T8435] ? ksys_lseek+0x1b0/0x1b0
[ 75.386777][ T8435] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 75.392779][ T8435] vfs_read+0x35c/0x570
[ 75.396949][ T8435] ksys_read+0x1ee/0x250
[ 75.401197][ T8435] ? vfs_write+0xa40/0xa40
[ 75.405619][ T8435] ? syscall_enter_from_user_mode+0x27/0x70
[ 75.411606][ T8435] do_syscall_64+0x3a/0xb0
[ 75.416036][ T8435] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.421955][ T8435] RIP: 0033:0x4af19b
[ 75.425867][ T8435] Code: fb ff eb bd e8 a6 b6 fb ff e9 61 ff ff ff cc e8 9b 82 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 75.448713][ T8435] RSP: 002b:000000c0000a3828 EFLAGS: 00000212 ORIG_RAX: 0000000000000000
[ 75.457141][ T8435] RAX: ffffffffffffffda RBX: 000000c00001e800 RCX: 00000000004af19b
[ 75.465120][ T8435] RDX: 0000000000001000 RSI: 000000c000220000 RDI: 0000000000000006
[ 75.473300][ T8435] RBP: 000000c0000a3878 R08: 0000000000000001 R09: 0000000000000002
[ 75.481376][ T8435] R10: 0000000000004cab R11: 0000000000000212 R12: 0000000000004ca7
[ 75.489363][ T8435] R13: 0000000000000400 R14: 0000000000000002 R15: 0000000000000002
[ 75.497818][ T8435] Kernel Offset: disabled
[ 75.502269][ T8435] Rebooting in 86400 seconds..