Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts.
[ 19.699644][ T22] audit: type=1400 audit(1618068654.174:8): avc: denied { execmem } for pid=336 comm="syz-executor361" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 19.742591][ T338] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.750110][ T338] bridge0: port 1(bridge_slave_0) entered disabled state
[ 19.757528][ T338] device bridge_slave_0 entered promiscuous mode
[ 19.764553][ T338] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.771643][ T338] bridge0: port 2(bridge_slave_1) entered disabled state
[ 19.778965][ T338] device bridge_slave_1 entered promiscuous mode
[ 19.816715][ T338] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.823771][ T338] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.831037][ T338] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.838067][ T338] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.858436][ T67] bridge0: port 1(bridge_slave_0) entered disabled state
[ 19.865710][ T67] bridge0: port 2(bridge_slave_1) entered disabled state
[ 19.873388][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 19.881609][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 19.897202][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 19.905397][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.912790][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.920143][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 19.928481][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.936692][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.945865][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 19.966235][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 19.974568][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 19.982580][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 19.992800][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 20.004789][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
executing program
[ 20.014756][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 20.081268][ T345] ==================================================================
[ 20.089368][ T345] BUG: KASAN: use-after-free in eth_header_parse_protocol+0xad/0xd0
[ 20.097315][ T345] Read of size 2 at addr ffff8881e8be800b by task syz-executor361/345
[ 20.105428][ T345]
[ 20.107763][ T345] CPU: 0 PID: 345 Comm: syz-executor361 Not tainted 5.4.110-syzkaller-00108-g2c6775a89bc1 #0
[ 20.117871][ T345] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.128042][ T345] Call Trace:
[ 20.131313][ T345]  dump_stack+0x1d8/0x24e
[ 20.135638][ T345]  ? gfp_pfmemalloc_allowed+0x120/0x120
[ 20.141171][ T345]  ? show_regs_print_info+0x12/0x12
[ 20.146339][ T345]  ? printk+0xcf/0x114
[ 20.150378][ T345]  print_address_description+0x9b/0x650
[ 20.156012][ T345]  ? devkmsg_release+0x11c/0x11c
[ 20.160918][ T345]  ? _copy_from_iter+0x84d/0xa80
[ 20.165823][ T345]  ? memcpy+0x38/0x50
[ 20.169775][ T345]  __kasan_report+0x182/0x260
[ 20.174445][ T345]  ? eth_header_parse_protocol+0xad/0xd0
[ 20.180045][ T345]  kasan_report+0x30/0x60
[ 20.184353][ T345]  eth_header_parse_protocol+0xad/0xd0
[ 20.189786][ T345]  ? eth_header_cache_update+0x30/0x30
[ 20.195213][ T345]  virtio_net_hdr_to_skb+0x6de/0xd70
[ 20.200465][ T345]  ? fanout_demux_bpf+0x230/0x230
[ 20.205458][ T345]  ? skb_copy_datagram_from_iter+0x604/0x6b0
[ 20.211408][ T345]  packet_sendmsg+0x483a/0x6780
[ 20.216231][ T345]  ? memset+0x1f/0x40
[ 20.220184][ T345]  ? selinux_socket_sendmsg+0x11f/0x340
[ 20.225912][ T345]  ? selinux_socket_accept+0x5b0/0x5b0
[ 20.231349][ T345]  ? compat_packet_setsockopt+0x160/0x160
[ 20.237048][ T345]  ? security_socket_sendmsg+0x9d/0xb0
[ 20.242517][ T345]  ? compat_packet_setsockopt+0x160/0x160
[ 20.248214][ T345]  kernel_sendmsg+0xf5/0x130
[ 20.252818][ T345]  sock_no_sendpage+0x143/0x1b0
[ 20.257640][ T345]  ? __receive_sock+0xe0/0xe0
[ 20.262289][ T345]  ? avc_has_perm_noaudit+0x37d/0x400
[ 20.267632][ T345]  ? avc_has_perm_noaudit+0x30c/0x400
[ 20.272973][ T345]  ? __receive_sock+0xe0/0xe0
[ 20.277620][ T345]  sock_sendpage+0xd0/0x120
[ 20.282093][ T345]  pipe_to_sendpage+0x23b/0x300
[ 20.286914][ T345]  ? sock_fasync+0xf0/0xf0
[ 20.291300][ T345]  ? generic_splice_sendpage+0x210/0x210
[ 20.296914][ T345]  ? avc_has_perm+0xd2/0x270
[ 20.301488][ T345]  ? avc_has_perm+0x173/0x270
[ 20.306133][ T345]  __splice_from_pipe+0x2d3/0x870
[ 20.311126][ T345]  ? generic_splice_sendpage+0x210/0x210
[ 20.316723][ T345]  generic_splice_sendpage+0x181/0x210
[ 20.322150][ T345]  ? iter_file_splice_write+0xf20/0xf20
[ 20.327663][ T345]  ? security_file_permission+0x128/0x300
[ 20.333349][ T345]  ? iter_file_splice_write+0xf20/0xf20
[ 20.338860][ T345]  __se_sys_splice+0x7a8/0x1b00
[ 20.343681][ T345]  ? check_preemption_disabled+0x154/0x330
[ 20.349461][ T345]  ? debug_smp_processor_id+0x20/0x20
[ 20.354800][ T345]  ? __fpregs_load_activate+0x1d7/0x3c0
[ 20.360311][ T345]  ? __x64_sys_splice+0xf0/0xf0
[ 20.365128][ T345]  ? finish_task_switch+0x1b9/0x550
[ 20.370293][ T345]  ? __x64_sys_splice+0x1d/0xf0
[ 20.375110][ T345]  do_syscall_64+0xcb/0x1e0
[ 20.379580][ T345]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.385441][ T345] RIP: 0033:0x449239
[ 20.389319][ T345] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 20.408891][ T345] RSP: 002b:00007f67eebe71f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 20.417269][ T345] RAX: ffffffffffffffda RBX: 00000000004cf518 RCX: 0000000000449239
[ 20.425223][ T345] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[ 20.433163][ T345] RBP: 00000000004cf510 R08: 000000000004ffe0 R09: 0000000000000000
[ 20.441102][ T345] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cf51c
[ 20.449043][ T345] R13: 00007fff3b3a358f R14: 00007f67eebe7300 R15: 0000000000022000
[ 20.456984][ T345]
[ 20.459284][ T345] Allocated by task 154:
[ 20.463497][ T345]  __kasan_kmalloc+0x137/0x1e0
[ 20.468229][ T345]  kmem_cache_alloc+0x115/0x290
[ 20.473046][ T345]  getname_flags+0xba/0x640
[ 20.477515][ T345]  do_sys_open+0x33e/0x7c0
[ 20.481900][ T345]  do_syscall_64+0xcb/0x1e0
[ 20.486369][ T345]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.492224][ T345]
[ 20.494521][ T345] Freed by task 154:
[ 20.498384][ T345]  __kasan_slab_free+0x18a/0x240
[ 20.503290][ T345]  slab_free_freelist_hook+0x7b/0x150
[ 20.508649][ T345]  kmem_cache_free+0xb8/0x5f0
[ 20.513293][ T345]  do_sys_open+0x62e/0x7c0
[ 20.517685][ T345]  do_syscall_64+0xcb/0x1e0
[ 20.522155][ T345]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.528011][ T345]
[ 20.530325][ T345] The buggy address belongs to the object at ffff8881e8be8000
[ 20.530325][ T345]  which belongs to the cache names_cache of size 4096
[ 20.544430][ T345] The buggy address is located 11 bytes inside of
[ 20.544430][ T345]  4096-byte region [ffff8881e8be8000, ffff8881e8be9000)
[ 20.557666][ T345] The buggy address belongs to the page:
[ 20.563270][ T345] page:ffffea0007a2fa00 refcount:1 mapcount:0 mapping:ffff8881f5cfa280 index:0x0 compound_mapcount: 0
[ 20.574176][ T345] flags: 0x8000000000010200(slab|head)
[ 20.574186][ T345] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cfa280
[ 20.574193][ T345] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 20.574196][ T345] page dumped because: kasan: bad access detected
[ 20.574198][ T345]
[ 20.574200][ T345] Memory state around the buggy address:
[ 20.574205][ T345]  ffff8881e8be7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.574210][ T345]  ffff8881e8be7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.574220][ T345] >ffff8881e8be8000: fb fb fb fb fb fb fb fb fb fb fb
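Triage notes and an added helper (not part of the syzbot log, and not syzkaller's or the kernel's code). What the report above establishes on its own: a 2-byte read in eth_header_parse_protocol, reached from splice(2) through packet_sendmsg and virtio_net_hdr_to_skb, landed 11 bytes into a freed 4096-byte names_cache object. That object was a pathname buffer allocated and freed by a different task (154) inside do_sys_open, so the pointer the Ethernet-header parse dereferenced never referred to memory the networking path in task 345 owned; that is consistent with an unset or stale header offset rather than a dangling reference to the skb itself, and it is the first thing to check in the code that sets up the mac header before the vnet header is validated. The register dump identifies the syscall: ORIG_RAX 0x113 is splice on x86-64, with RDI=3, RSI=0, RDX=5, R10=0, R08=0x4ffe0 as its arguments (RAX holds -ENOSYS at entry, not a result). The Python below extracts exactly those facts from the raw console text. Assumptions: the prefix, frame and register patterns are tuned to this 5.4 x86-64 report layout; the syscall table is a four-entry subset; the embedded sample is a trimmed copy of the report above, not a separate capture.

```python
"""Triage helper for a KASAN console report like the one above.
Added example, not syzkaller or kernel code; the patterns and the
syscall table are assumptions sized to this x86-64 5.4 report."""
import re

# Constructed sample: a trimmed copy of the report above.
SAMPLE_REPORT = """\
[ 20.089368][ T345] BUG: KASAN: use-after-free in eth_header_parse_protocol+0xad/0xd0
[ 20.097315][ T345] Read of size 2 at addr ffff8881e8be800b by task syz-executor361/345
[ 20.128042][ T345] Call Trace:
[ 20.174445][ T345]  ? eth_header_parse_protocol+0xad/0xd0
[ 20.180045][ T345]  kasan_report+0x30/0x60
[ 20.184353][ T345]  eth_header_parse_protocol+0xad/0xd0
[ 20.195213][ T345]  virtio_net_hdr_to_skb+0x6de/0xd70
[ 20.211408][ T345]  packet_sendmsg+0x483a/0x6780
[ 20.338860][ T345]  __se_sys_splice+0x7a8/0x1b00
[ 20.375110][ T345]  do_syscall_64+0xcb/0x1e0
[ 20.379580][ T345]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.385441][ T345] RIP: 0033:0x449239
[ 20.408891][ T345] RSP: 002b:00007f67eebe71f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 20.417269][ T345] RAX: ffffffffffffffda RBX: 00000000004cf518 RCX: 0000000000449239
[ 20.425223][ T345] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[ 20.433163][ T345] RBP: 00000000004cf510 R08: 000000000004ffe0 R09: 0000000000000000
[ 20.441102][ T345] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cf51c
[ 20.459284][ T345] Allocated by task 154:
[ 20.463497][ T345]  __kasan_kmalloc+0x137/0x1e0
[ 20.473046][ T345]  getname_flags+0xba/0x640
[ 20.477515][ T345]  do_sys_open+0x33e/0x7c0
[ 20.494521][ T345] Freed by task 154:
[ 20.498384][ T345]  __kasan_slab_free+0x18a/0x240
[ 20.513293][ T345]  do_sys_open+0x62e/0x7c0
[ 20.528011][ T345]
[ 20.530325][ T345]  which belongs to the cache names_cache of size 4096
[ 20.544430][ T345] The buggy address is located 11 bytes inside of
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")  # "[ 20.1][ T345] "
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
REG = re.compile(r"\b([A-Z][A-Z0-9_]*): (?:[0-9a-f]{4}:)?(?:0x)?([0-9a-f]+)")
REG_LINES = ("RIP:", "RSP:", "RAX:", "RDX:", "RBP:", "R10:", "R13:")
X86_64_SYSCALLS = {0x02: "open", 0x2e: "sendmsg", 0x101: "openat", 0x113: "splice"}
ARG_REGS = ("RDI", "RSI", "RDX", "R10", "R08", "R09")  # ABI order; dump pads R8/R9


def parse_kasan_report(text):
    """Bug kind, faulting function, access, stacks, saved user registers
    and slab-object facts, as a dict."""
    r = {"call_trace": [], "alloc_stack": [], "free_stack": [], "regs": {}}
    stack = None  # frame list currently being filled
    for ln in (PREFIX.sub("", raw).rstrip() for raw in text.splitlines()):
        if m := re.match(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+", ln):
            r["bug"], r["func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", ln):
            r["access"], r["task"] = m[1], m[4]
            r["size"], r["addr"], r["pid"] = int(m[2]), int(m[3], 16), int(m[5])
        elif ln == "Call Trace:":
            stack = r["call_trace"]
        elif m := re.match(r"Allocated by task (\d+):", ln):
            r["alloc_task"], stack = int(m[1]), r["alloc_stack"]
        elif m := re.match(r"Freed by task (\d+):", ln):
            r["free_task"], stack = int(m[1]), r["free_stack"]
        elif m := re.search(r"cache (\S+) of size (\d+)", ln):
            r["cache"], r["cache_size"] = m[1], int(m[2])
        elif m := re.search(r"located (\d+) bytes inside of", ln):
            r["offset"] = int(m[1])
        elif ln.startswith(REG_LINES):  # register dump closes the call trace
            r["regs"].update((k, int(v, 16)) for k, v in REG.findall(ln))
            stack = None
        elif not ln:  # a blank line closes a stack section
            stack = None
        elif stack is not None and (m := FRAME.match(ln)) and not m[1]:
            stack.append(m[2])  # "? sym" frames are guesses: skipped
    return r


def decode_syscall(regs):
    """(name, args) from the saved user registers. ORIG_RAX is the syscall
    number; RAX is -ENOSYS (0xffffffffffffffda) at entry, not a result."""
    nr = regs["ORIG_RAX"]
    return X86_64_SYSCALLS.get(nr, f"nr_{nr}"), [regs[x] for x in ARG_REGS]


def kernel_path(r):
    """Frames from the faulting function outward, dropping KASAN's own
    reporting frames (kasan_report and friends) that precede it."""
    return r["call_trace"][r["call_trace"].index(r["func"]):]


def triage(r):
    """The facts a maintainer wants first from a report like this one."""
    name, args = decode_syscall(r["regs"])
    return {
        "syscall": f"{name}({', '.join(hex(a) for a in args)})",
        "path": kernel_path(r),
        "object": f"{r['cache']}+{r['offset']} of {r['cache_size']} bytes",
        # Allocated and freed by another task in another subsystem: the
        # pointer never referred to memory this networking path owned.
        "foreign_object": r["pid"] not in (r["alloc_task"], r["free_task"]),
    }
```

Run `triage(parse_kasan_report(SAMPLE_REPORT))` to get the syscall with its decoded arguments, the in-kernel path from eth_header_parse_protocol out to the syscall entry, the slab object and offset, and the cross-task flag. Frames prefixed with "?" are deliberately dropped: the unwinder prints them for stale return addresses it found on the stack, so they must not be read as part of the call chain.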