Starting OpenBSD Secure Shell server...
Starting Permit User Sessions...
[ OK ] Started Permit User Sessions.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty1.
[ OK ] Started OpenBSD Secure Shell server.
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
executing program
[* ] A start job is running for dev-ttyS0.device (8s / 1min 30s)
[** ] A start job is running for dev-ttyS0.device (8s / 1min 30s)
[*** ] A start job is running for dev-ttyS0.device (9s / 1min 30s)
[ *** ] A start job is running for dev-ttyS0.device (9s / 1min 30s)
[ *** ] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[ ***] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[ **] A start job is running for dev-ttyS0.device (11s / 1min 30s)
[ *] A start job is running for dev-ttyS0.device (11s / 1min 30s)
[ **] A start job is running for dev-ttyS0.device (12s / 1min 30s)
[ 19.921030][ T22] audit: type=1400 audit(1617151036.441:8): avc: denied { execmem } for pid=341 comm="syz-executor319" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 19.953757][ T343] ==================================================================
[ 19.961854][ T343] BUG: KASAN: slab-out-of-bounds in eth_header_parse_protocol+0xad/0xd0
[ 19.970183][ T343] Read of size 2 at addr ffff8881e97c600b by task syz-executor319/343
[ 19.978308][ T343]
[ 19.980637][ T343] CPU: 1 PID: 343 Comm: syz-executor319 Not tainted 5.4.108-syzkaller-00848-g4a75e4d41639 #0
[ 19.990847][ T343] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.000902][ T343] Call Trace:
[ 20.004186][ T343] dump_stack+0x1d8/0x24e
[ 20.008514][ T343] ? gfp_pfmemalloc_allowed+0x120/0x120
[ 20.014043][ T343] ? vmacache_find+0x205/0x4b0
[ 20.018801][ T343] ? show_regs_print_info+0x12/0x12
[ 20.023979][ T343] ? printk+0xcf/0x114
[ 20.028046][ T343] print_address_description+0x9b/0x650
[ 20.033696][ T343] ? devkmsg_release+0x11c/0x11c
[ 20.038617][ T343] ? page_fault+0x2f/0x40
[ 20.043014][ T343] __kasan_report+0x182/0x260
[ 20.047679][ T343] ? eth_header_parse_protocol+0xad/0xd0
[ 20.053447][ T343] kasan_report+0x30/0x60
[ 20.057782][ T343] eth_header_parse_protocol+0xad/0xd0
[ 20.063263][ T343] ? eth_header_cache_update+0x30/0x30
[ 20.068721][ T343] virtio_net_hdr_to_skb+0x6de/0xd70
[ 20.075119][ T343] ? fanout_demux_bpf+0x230/0x230
[ 20.080137][ T343] ? skb_copy_datagram_from_iter+0x604/0x6b0
[ 20.086098][ T343] packet_sendmsg+0x483a/0x6780
[ 20.091064][ T343] ? debug_smp_processor_id+0x20/0x20
[ 20.097330][ T343] ? debug_smp_processor_id+0x20/0x20
[ 20.102721][ T343] ? avc_has_perm_noaudit+0x30c/0x400
[ 20.108103][ T343] ? avc_denied+0x1c0/0x1c0
[ 20.112674][ T343] ? memset+0x1f/0x40
[ 20.116659][ T343] ? selinux_socket_sendmsg+0x11f/0x340
[ 20.122204][ T343] ? selinux_socket_accept+0x5b0/0x5b0
[ 20.127717][ T343] ? compat_packet_setsockopt+0x160/0x160
[ 20.133452][ T343] ? stack_trace_save+0x120/0x1f0
[ 20.138482][ T343] ? security_socket_sendmsg+0x9d/0xb0
[ 20.143940][ T343] ? compat_packet_setsockopt+0x160/0x160
[ 20.149664][ T343] sock_write_iter+0x330/0x450
[ 20.154414][ T343] ? sock_read_iter+0x430/0x430
[ 20.159265][ T343] ? __kasan_kmalloc+0x1a3/0x1e0
[ 20.164204][ T343] ? security_file_permission+0x128/0x300
[ 20.169924][ T343] aio_write+0x47b/0x610
[ 20.174171][ T343] ? aio_read+0x500/0x500
[ 20.178515][ T343] ? fget_many+0x20/0x20
[ 20.182760][ T343] ? io_submit_one+0x163/0x2300
[ 20.187612][ T343] io_submit_one+0xa59/0x2300
[ 20.192284][ T343] ? lookup_ioctx+0x460/0x460
[ 20.197046][ T343] ? __se_sys_io_submit+0xa9/0x3d0
[ 20.202177][ T343] ? lookup_ioctx+0x273/0x460
[ 20.206970][ T343] __se_sys_io_submit+0x189/0x3d0
[ 20.211979][ T343] ? __x64_sys_io_submit+0x80/0x80
[ 20.217075][ T343] ? security_file_ioctl+0x9d/0xb0
[ 20.222188][ T343] do_syscall_64+0xcb/0x1e0
[ 20.226674][ T343] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.232543][ T343] RIP: 0033:0x440579
[ 20.236451][ T343] Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 20.256034][ T343] RSP: 002b:00007ffdd057ef78 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[ 20.264448][ T343] RAX: ffffffffffffffda RBX: 00007ffdd057efa0 RCX: 0000000000440579
[ 20.272559][ T343] RDX: 0000000020000080 RSI: 0000000000000001 RDI: 00007f54b85a8000
[ 20.280646][ T343] RBP: 0000000000000003 R08: bb1414acd057efa7 R09: bb1414acd057efa7
[ 20.288606][ T343] R10: bb1414acd057efa7 R11: 0000000000000246 R12: 0000000000000000
[ 20.296586][ T343] R13: 00007ffdd057ef90 R14: 00007ffdd057ef88 R15: 00007ffdd057ef84
[ 20.304556][ T343]
[ 20.306866][ T343] Allocated by task 339:
[ 20.311114][ T343] __kasan_kmalloc+0x137/0x1e0
[ 20.315877][ T343] __kmalloc_track_caller+0x13a/0x2e0
[ 20.321238][ T343] __alloc_skb+0xaf/0x4d0
[ 20.325816][ T343] netlink_dump+0x203/0x12d0
[ 20.330390][ T343] netlink_recvmsg+0x6bb/0x11a0
[ 20.335233][ T343] __sys_recvmsg+0x563/0x800
[ 20.339818][ T343] do_syscall_64+0xcb/0x1e0
[ 20.344316][ T343] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.350190][ T343]
[ 20.352494][ T343] Freed by task 339:
[ 20.356368][ T343] __kasan_slab_free+0x18a/0x240
[ 20.361287][ T343] slab_free_freelist_hook+0x7b/0x150
[ 20.366650][ T343] kfree+0xe0/0x660
[ 20.370604][ T343] __kfree_skb+0x55/0x170
[ 20.374919][ T343] skb_free_datagram+0x24/0xd0
[ 20.379655][ T343] netlink_recvmsg+0x619/0x11a0
[ 20.384493][ T343] __sys_recvmsg+0x563/0x800
[ 20.389058][ T343] do_syscall_64+0xcb/0x1e0
[ 20.393765][ T343] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.399634][ T343]
[ 20.401966][ T343] The buggy address belongs to the object at ffff8881e97c4000
[ 20.401966][ T343] which belongs to the cache kmalloc-8k of size 8192
[ 20.416017][ T343] The buggy address is located 11 bytes to the right of
[ 20.416017][ T343] 8192-byte region [ffff8881e97c4000, ffff8881e97c6000)
[ 20.429790][ T343] The buggy address belongs to the page:
[ 20.435531][ T343] page:ffffea0007a5f000 refcount:1 mapcount:0 mapping:ffff8881f5c0c500 index:0x0 compound_mapcount: 0
[ 20.446439][ T343] flags: 0x8000000000010200(slab|head)
[ 20.451875][ T343] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5c0c500
[ 20.460484][ T343] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 20.469056][ T343] page dumped because: kasan: bad access detected
[ 20.475549][ T343]
[ 20.477917][ T343] Memory state around the buggy address:
[ 20.483560][ T343] ffff8881e97c5f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.491636][ T343] ffff8881e97c5f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.499766][ T343] >ffff8881e97c6000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.507821][ T343] ^
[ 20.512144][ T343] ffff8881e97c6080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.520197][ T343] ffff8881e97c6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.528248][ T343] ==================================================================
[ 20.536295][ T343] Disabling lock debugging due to kernel taint
[ ***] A start job is running for dev-ttyS0.device (13s / 1min 30s)