Starting OpenBSD Secure Shell server...
Starting Permit User Sessions...
[ OK ] Started Permit User Sessions.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty1.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started OpenBSD Secure Shell server.
Warning: Permanently added '10.128.10.7' (ECDSA) to the list of known hosts.
[* ] A start job is running for dev-ttyS0.device (8s / 1min 30s)
[** ] A start job is running for dev-ttyS0.device (8s / 1min 30s)
[*** ] A start job is running for dev-ttyS0.device (9s / 1min 30s)
[ *** ] A start job is running for dev-ttyS0.device (9s / 1min 30s)
[ *** ] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[ ***] A start job is running for dev-ttyS0.device (10s / 1min 30s)
[ **] A start job is running for dev-ttyS0.device (11s / 1min 30s)
[ *] A start job is running for dev-ttyS0.device (11s / 1min 30s)
[ **] A start job is running for dev-ttyS0.device (12s / 1min 30s)
[ 18.891726][ T22] audit: type=1400 audit(1616016323.163:8): avc: denied { execmem } for pid=337 comm="syz-executor915" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 18.947185][ T338] bridge0: port 1(bridge_slave_0) entered blocking state
[ 18.954238][ T338] bridge0: port 1(bridge_slave_0) entered disabled state
[ 18.961530][ T338] device bridge_slave_0 entered promiscuous mode
[ 18.968795][ T338] bridge0: port 2(bridge_slave_1) entered blocking state
[ 18.976070][ T338] bridge0: port 2(bridge_slave_1) entered disabled state
[ 18.983356][ T338] device bridge_slave_1 entered promiscuous mode
[ 19.021477][ T338] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.028525][ T338] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.035820][ T338] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.042832][ T338] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.063020][ T67] bridge0: port 1(bridge_slave_0) entered disabled state
[ 19.070767][ T67] bridge0: port 2(bridge_slave_1) entered disabled state
[ 19.079435][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 19.087633][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 19.104542][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 19.112743][ T67] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.119760][ T67] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.127335][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 19.135544][ T67] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.142548][ T67] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.150847][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 19.159116][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
executing program
[ 19.171837][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 19.182422][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 19.196029][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 19.211771][ T146] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 19.220454][ T146] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 19.234454][ T338] ==================================================================
[ 19.243476][ T338] BUG: KASAN: use-after-free in eth_header_parse_protocol+0xad/0xd0
[ 19.251422][ T338] Read of size 2 at addr ffff8881e8e0000b by task syz-executor915/338
[ 19.259638][ T338]
[ 19.261942][ T338] CPU: 1 PID: 338 Comm: syz-executor915 Not tainted 5.4.106-syzkaller-00698-g3941336d0e38 #0
[ 19.272694][ T338] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 19.282833][ T338] Call Trace:
[ 19.286099][ T338] dump_stack+0x1d8/0x24e
[ 19.290487][ T338] ? show_regs_print_info+0x12/0x12
[ 19.295767][ T338] ? printk+0xcf/0x114
[ 19.299970][ T338] print_address_description+0x9b/0x650
[ 19.305486][ T338] ? devkmsg_release+0x11c/0x11c
[ 19.310410][ T338] __kasan_report+0x182/0x260
[ 19.315061][ T338] ? eth_header_parse_protocol+0xad/0xd0
[ 19.320678][ T338] kasan_report+0x30/0x60
[ 19.324998][ T338] eth_header_parse_protocol+0xad/0xd0
[ 19.330442][ T338] ? eth_header_cache_update+0x30/0x30
[ 19.330450][ T338] virtio_net_hdr_to_skb+0x6de/0xd70
[ 19.330462][ T338] ? fanout_demux_bpf+0x230/0x230
[ 19.346421][ T338] ? skb_copy_datagram_from_iter+0x5ce/0x6b0
[ 19.352469][ T338] ? skb_put+0x10f/0x1e0
[ 19.356757][ T338] packet_sendmsg+0x483a/0x6780
[ 19.361612][ T338] ? __rcu_read_lock+0x50/0x50
[ 19.366371][ T338] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 19.372751][ T338] ? __rcu_read_lock+0x50/0x50
[ 19.377512][ T338] ? _copy_to_user+0x8e/0xb0
[ 19.382101][ T338] ? sock_do_ioctl+0x31c/0x370
[[ 19.386850][ T338] ? sock_splice_read+0xf0/0xf0
[ 19.391760][ T338] ? memset+0x1f/0x40
[ 19.395764][ T338] ? selinux_socket_sendmsg+0x11f/0x340
[ 19.401296][ T338] ? selinux_socket_accept+0x5b0/0x5b0
*[0;1[ 19.406738][ T338] ? compat_packet_setsockopt+0x160/0x160
[ 19.413818][ T338] ? alloc_file+0x80/0x4d0
[ 19.418220][ T338] ? security_socket_sendmsg+0x9d/0xb0
;31m*[ 19.423937][ T338] ? compat_packet_setsockopt+0x160/0x160
[ 19.431047][ T338] __sys_sendto+0x4f1/0x6c0
[ 19.435543][ T338] ? __ia32_sys_getpeername+0x80/0x80
[ 19.440902][ T338] ? preempt_count_add+0x66/0x130
*] A start j[ 19.445925][ T338] ? debug_smp_processor_id+0x20/0x20
[ 19.455203][ T338] ? sock_create_kern+0x40/0x40
[ 19.460041][ T338] __x64_sys_sendto+0xda/0xf0
ob is running fo[ 19.464703][ T338] do_syscall_64+0xcb/0x1e0
[ 19.470569][ T338] entry_SYSCALL_64_after_hwframe+0x44/0xa9
r dev-ttyS0.devi[ 19.476547][ T338] RIP: 0033:0x443229
[ 19.481803][ T338] Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
ce (12s / 1min 3[ 19.501403][ T338] RSP: 002b:00007ffdd88701c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 19.511183][ T338] RAX: ffffffffffffffda RBX: 00007ffdd88701e8 RCX: 0000000000443229
[ 19.519144][ T338] RDX: 0000000000000040 RSI: 0000000020000140 RDI: 0000000000000003
[ 19.527099][ T338] RBP: 0000000000000003 R08: 0000000020000100 R09: 0000000000000014
[ 19.535060][ T338] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdd88701f0
[ 19.543023][ T338] R13: 00007ffdd8870210 R14: 00000000004b8018 R15: 00000000004004b8
[ 19.550983][ T338]
[ 19.553297][ T338] Allocated by task 338:
[ 19.557569][ T338] __kasan_kmalloc+0x137/0x1e0
0s)[ 19.562411][ T338] kmem_cache_alloc+0x115/0x290
[ 19.567511][ T338] sk_prot_alloc+0x58/0x260
[ 19.572000][ T338] sk_alloc+0x30/0x330
[ 19.576063][ T338] unix_create1+0x8e/0x530
[ 19.580536][ T338] unix_create+0x129/0x1b0
[ 19.584919][ T338] __sock_create+0x393/0x730
[ 19.589474][ T338] __sys_socket+0x133/0x370
[ 19.593942][ T338] __x64_sys_socket+0x76/0x80
[ 19.598600][ T338] do_syscall_64+0xcb/0x1e0
[ 19.603068][ T338] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 19.608922][ T338]
[ 19.611218][ T338] Freed by task 338:
[ 19.615090][ T338] __kasan_slab_free+0x18a/0x240
[ 19.619992][ T338] slab_free_freelist_hook+0x7b/0x150
[ 19.625328][ T338] kmem_cache_free+0xb8/0x5f0
[ 19.629982][ T338] __sk_destruct+0x418/0x4b0
[ 19.634548][ T338] unix_release_sock+0x8b2/0xa30
[ 19.639449][ T338] unix_release+0x4a/0x80
[ 19.643758][ T338] sock_close+0xd2/0x250
[ 19.647966][ T338] __fput+0x27d/0x6c0
[ 19.651925][ T338] task_work_run+0x186/0x1b0
[ 19.656479][ T338] prepare_exit_to_usermode+0x2b0/0x310
[ 19.661989][ T338] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 19.667857][ T338]
[ 19.670153][ T338] The buggy address belongs to the object at ffff8881e8e00000
[ 19.670153][ T338] which belongs to the cache UNIX of size 1152
[ 19.683651][ T338] The buggy address is located 11 bytes inside of
[ 19.683651][ T338] 1152-byte region [ffff8881e8e00000, ffff8881e8e00480)
[ 19.696889][ T338] The buggy address belongs to the page:
[ 19.702499][ T338] page:ffffea0007a38000 refcount:1 mapcount:0 mapping:ffff8881f40dfb80 index:0x0 compound_mapcount: 0
[ 19.713389][ T338] flags: 0x8000000000010200(slab|head)
[ 19.718821][ T338] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f40dfb80
[ 19.727371][ T338] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 19.735929][ T338] page dumped because: kasan: bad access detected
[ 19.742301][ T338]
[ 19.744607][ T338] Memory state around the buggy address:
[ 19.750206][ T338] ffff8881e8dfff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.758231][ T338] ffff8881e8dfff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.766265][ T338] >ffff8881e8e00000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.77