[  OK  ] Started Getty on tty2.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.124' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   55.741265][ T8409] ==================================================================
[   55.750600][ T8409] BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0
[   55.758986][ T8409] Read of size 2 at addr ffff888017a6200b by task syz-executor313/8409
[   55.767234][ T8409] 
[   55.769647][ T8409] CPU: 1 PID: 8409 Comm: syz-executor313 Not tainted 5.12.0-rc2-syzkaller #0
[   55.778579][ T8409] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.788816][ T8409] Call Trace:
[   55.792108][ T8409]  dump_stack+0x141/0x1d7
[   55.796461][ T8409]  ? eth_header_parse_protocol+0xdc/0xe0
[   55.802100][ T8409]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   55.809224][ T8409]  ? eth_header_parse_protocol+0xdc/0xe0
[   55.815042][ T8409]  ? eth_header_parse_protocol+0xdc/0xe0
[   55.820691][ T8409]  kasan_report.cold+0x7c/0xd8
[   55.825471][ T8409]  ? eth_header_parse_protocol+0xdc/0xe0
[   55.831119][ T8409]  ? llc_sysctl_exit+0x60/0x60
[   55.835900][ T8409]  eth_header_parse_protocol+0xdc/0xe0
[   55.841586][ T8409]  virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0
[   55.847929][ T8409]  ? tpacket_destruct_skb+0x860/0x860
[   55.853494][ T8409]  packet_sendmsg+0x2325/0x52b0
[   55.860389][ T8409]  ? aa_sk_perm+0x31b/0xab0
[   55.865076][ T8409]  ? packet_cached_dev_get+0x250/0x250
[   55.870648][ T8409]  ? aa_af_perm+0x230/0x230
[   55.875354][ T8409]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   55.881627][ T8409]  ? packet_cached_dev_get+0x250/0x250
[   55.887117][ T8409]  sock_sendmsg+0xcf/0x120
[   55.891562][ T8409]  sock_no_sendpage+0xf3/0x130
[   55.896333][ T8409]  ? sk_page_frag_refill+0x1d0/0x1d0
[   55.901746][ T8409]  ? lock_release+0x720/0x720
[   55.906531][ T8409]  ? find_held_lock+0x2d/0x110
[   55.911302][ T8409]  kernel_sendpage.part.0+0x1ab/0x350
[   55.916690][ T8409]  sock_sendpage+0xe5/0x140
[   55.921215][ T8409]  ? __sock_recv_ts_and_drops+0x430/0x430
[   55.926937][ T8409]  pipe_to_sendpage+0x2ad/0x380
[   55.931811][ T8409]  ? propagate_umount+0x1c20/0x1c20
[   55.937038][ T8409]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   55.943289][ T8409]  ? splice_from_pipe_next.part.0+0x167/0x520
[   55.949561][ T8409]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   55.956225][ T8409]  __splice_from_pipe+0x43e/0x8a0
[   55.961391][ T8409]  ? propagate_umount+0x1c20/0x1c20
[   55.966782][ T8409]  generic_splice_sendpage+0xd4/0x140
[   55.972172][ T8409]  ? __do_sys_vmsplice+0x9d0/0x9d0
[   55.977284][ T8409]  ? security_file_permission+0x248/0x560
[   55.983371][ T8409]  ? __do_sys_vmsplice+0x9d0/0x9d0
[   55.988665][ T8409]  do_splice+0xb7e/0x1940
[   55.992995][ T8409]  ? find_held_lock+0x2d/0x110
[   55.997762][ T8409]  ? splice_file_to_pipe+0x120/0x120
[   56.003051][ T8409]  __do_splice+0x134/0x250
[   56.007466][ T8409]  ? do_splice+0x1940/0x1940
[   56.012266][ T8409]  __x64_sys_splice+0x198/0x250
[   56.017220][ T8409]  do_syscall_64+0x2d/0x70
[   56.021724][ T8409]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   56.027612][ T8409] RIP: 0033:0x4459e9
[   56.031495][ T8409] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   56.051114][ T8409] RSP: 002b:00007f68558312e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[   56.060272][ T8409] RAX: ffffffffffffffda RBX: 00000000004ca450 RCX: 00000000004459e9
[   56.068253][ T8409] RDX: 0000000000000006 RSI: 0000000000000000 RDI: 0000000000000004
[   56.076408][ T8409] RBP: 00000000004ca45c R08: 000000000004ffe0 R09: 0000000000000000
[   56.084636][ T8409] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049a074
[   56.093414][ T8409] R13: 65732f636f72702f R14: 6d32cc5e8ead0600 R15: 00000000004ca458
[   56.101391][ T8409] 
[   56.103705][ T8409] Allocated by task 8340:
[   56.108105][ T8409]  kasan_save_stack+0x1b/0x40
[   56.112802][ T8409]  __kasan_kmalloc+0x99/0xc0
[   56.117486][ T8409]  tomoyo_init_log+0x18a/0x1ee0
[   56.122351][ T8409]  tomoyo_supervisor+0x34d/0xf00
[   56.127382][ T8409]  tomoyo_path_permission+0x270/0x3a0
[   56.132832][ T8409]  tomoyo_path_perm+0x2f0/0x400
[   56.137794][ T8409]  security_inode_getattr+0xcf/0x140
[   56.143088][ T8409]  vfs_statx+0x164/0x390
[   56.147427][ T8409]  __do_sys_newlstat+0x91/0x110
[   56.153292][ T8409]  do_syscall_64+0x2d/0x70
[   56.157825][ T8409]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   56.163730][ T8409] 
[   56.166044][ T8409] Freed by task 8340:
[   56.170028][ T8409]  kasan_save_stack+0x1b/0x40
[   56.174717][ T8409]  kasan_set_track+0x1c/0x30
[   56.179297][ T8409]  kasan_set_free_info+0x20/0x30
[   56.184242][ T8409]  __kasan_slab_free+0xf5/0x130
[   56.189085][ T8409]  slab_free_freelist_hook+0x92/0x210
[   56.194451][ T8409]  kfree+0xe5/0x7f0
[   56.198290][ T8409]  tomoyo_init_log+0x14f7/0x1ee0
[   56.203226][ T8409]  tomoyo_supervisor+0x34d/0xf00
[   56.208160][ T8409]  tomoyo_path_permission+0x270/0x3a0
[   56.213530][ T8409]  tomoyo_path_perm+0x2f0/0x400
[   56.218379][ T8409]  security_inode_getattr+0xcf/0x140
[   56.223764][ T8409]  vfs_statx+0x164/0x390
[   56.228007][ T8409]  __do_sys_newlstat+0x91/0x110
[   56.232855][ T8409]  do_syscall_64+0x2d/0x70
[   56.237273][ T8409]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   56.243166][ T8409] 
[   56.245481][ T8409] The buggy address belongs to the object at ffff888017a62000
[   56.245481][ T8409]  which belongs to the cache kmalloc-4k of size 4096
[   56.259705][ T8409] The buggy address is located 11 bytes inside of
[   56.259705][ T8409]  4096-byte region [ffff888017a62000, ffff888017a63000)
[   56.273069][ T8409] The buggy address belongs to the page:
[   56.278689][ T8409] page:000000006c756991 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17a60
[   56.289008][ T8409] head:000000006c756991 order:3 compound_mapcount:0 compound_pincount:0
[   56.297437][ T8409] flags: 0xfff00000010200(slab|head)
[   56.302814][ T8409] raw: 00fff00000010200 0000000000000000 0000000400000001 ffff888010842140
[   56.311480][ T8409] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[   56.320138][ T8409] page dumped because: kasan: bad access detected
[   56.326556][ T8409] 
[   56.328885][ T8409] Memory state around the buggy address:
[   56.334502][ T8409]  ffff888017a61f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.342555][ T8409]  ffff888017a61f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.350604][ T8409] >ffff888017a62000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.358650][ T8409]                       ^
[   56.362980][ T8409]  ffff888017a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.371030][ T8409]  ffff888017a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.379081][ T8409] ==================================================================
[   56.387131][ T8409] Disabling lock debugging due to kernel taint
[   56.395566][ T8409] Kernel panic - not syncing: panic_on_warn set ...
[   56.402183][ T8409] CPU: 1 PID: 8409 Comm: syz-executor313 Tainted: G    B             5.12.0-rc2-syzkaller #0
[   56.412342][ T8409] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.422401][ T8409] Call Trace:
[   56.425674][ T8409]  dump_stack+0x141/0x1d7
[   56.429997][ T8409]  panic+0x306/0x73d
[   56.433880][ T8409]  ? __warn_printk+0xf3/0xf3
[   56.438646][ T8409]  ? preempt_schedule_common+0x59/0xc0
[   56.444357][ T8409]  ? eth_header_parse_protocol+0xdc/0xe0
[   56.450001][ T8409]  ? preempt_schedule_thunk+0x16/0x18
[   56.455481][ T8409]  ? trace_hardirqs_on+0x38/0x1c0
[   56.460497][ T8409]  ? trace_hardirqs_on+0x51/0x1c0
[   56.465515][ T8409]  ? eth_header_parse_protocol+0xdc/0xe0
[   56.471229][ T8409]  ? eth_header_parse_protocol+0xdc/0xe0
[   56.476860][ T8409]  end_report.cold+0x5a/0x5a
[   56.481463][ T8409]  kasan_report.cold+0x6a/0xd8
[   56.486220][ T8409]  ? eth_header_parse_protocol+0xdc/0xe0
[   56.491844][ T8409]  ? llc_sysctl_exit+0x60/0x60
[   56.496601][ T8409]  eth_header_parse_protocol+0xdc/0xe0
[   56.502057][ T8409]  virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0
[   56.508650][ T8409]  ? tpacket_destruct_skb+0x860/0x860
[   56.514117][ T8409]  packet_sendmsg+0x2325/0x52b0
[   56.518980][ T8409]  ? aa_sk_perm+0x31b/0xab0
[   56.523480][ T8409]  ? packet_cached_dev_get+0x250/0x250
[   56.529457][ T8409]  ? aa_af_perm+0x230/0x230
[   56.533969][ T8409]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   56.540237][ T8409]  ? packet_cached_dev_get+0x250/0x250
[   56.545704][ T8409]  sock_sendmsg+0xcf/0x120
[   56.550117][ T8409]  sock_no_sendpage+0xf3/0x130
[   56.554879][ T8409]  ? sk_page_frag_refill+0x1d0/0x1d0
[   56.560186][ T8409]  ? lock_release+0x720/0x720
[   56.564861][ T8409]  ? find_held_lock+0x2d/0x110
[   56.569621][ T8409]  kernel_sendpage.part.0+0x1ab/0x350
[   56.574993][ T8409]  sock_sendpage+0xe5/0x140
[   56.579492][ T8409]  ? __sock_recv_ts_and_drops+0x430/0x430
[   56.585204][ T8409]  pipe_to_sendpage+0x2ad/0x380
[   56.590050][ T8409]  ? propagate_umount+0x1c20/0x1c20
[   56.595244][ T8409]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   56.601659][ T8409]  ? splice_from_pipe_next.part.0+0x167/0x520
[   56.608188][ T8409]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   56.614618][ T8409]  __splice_from_pipe+0x43e/0x8a0
[   56.619661][ T8409]  ? propagate_umount+0x1c20/0x1c20
[   56.624878][ T8409]  generic_splice_sendpage+0xd4/0x140
[   56.630264][ T8409]  ? __do_sys_vmsplice+0x9d0/0x9d0
[   56.635743][ T8409]  ? security_file_permission+0x248/0x560
[   56.641484][ T8409]  ? __do_sys_vmsplice+0x9d0/0x9d0
[   56.646616][ T8409]  do_splice+0xb7e/0x1940
[   56.651064][ T8409]  ? find_held_lock+0x2d/0x110
[   56.655836][ T8409]  ? splice_file_to_pipe+0x120/0x120
[   56.661667][ T8409]  __do_splice+0x134/0x250
[   56.666713][ T8409]  ? do_splice+0x1940/0x1940
[   56.671396][ T8409]  __x64_sys_splice+0x198/0x250
[   56.676266][ T8409]  do_syscall_64+0x2d/0x70
[   56.680864][ T8409]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   56.686762][ T8409] RIP: 0033:0x4459e9
[   56.690674][ T8409] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   56.710370][ T8409] RSP: 002b:00007f68558312e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[   56.718876][ T8409] RAX: ffffffffffffffda RBX: 00000000004ca450 RCX: 00000000004459e9
[   56.727304][ T8409] RDX: 0000000000000006 RSI: 0000000000000000 RDI: 0000000000000004
[   56.735556][ T8409] RBP: 00000000004ca45c R08: 000000000004ffe0 R09: 0000000000000000
[   56.743561][ T8409] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049a074
[   56.752523][ T8409] R13: 65732f636f72702f R14: 6d32cc5e8ead0600 R15: 00000000004ca458
[   56.768843][ T8409] Kernel Offset: disabled
[   56.773613][ T8409] Rebooting in 86400 seconds..
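The report above is raw console output, and the facts a triager pulls out of it first are the bug class, the faulting function, where the address sits inside its slab object, and which code last allocated and freed that object. What follows is an added example, not part of the syzbot report or of the kernel tree: a small parser that extracts those facts, drops the `?` (unreliable) frames and the sanitizer's own stack-dump frames, and cross-checks the offset it computes from the two addresses against KASAN's own "located N bytes inside of" line. SAMPLE_REPORT is an excerpt of the report on this page; the PLUMBING and ALLOCATOR frame lists are my own triage heuristics, not anything the kernel defines.

```python
"""Triage helper for a KASAN report like the one above. Added example, not part of the
syzbot report or of the kernel tree; SAMPLE_REPORT is an excerpt of the report above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")  # strips "[   55.750600][ T8409] "
BUG_LINE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_LINE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                         r"(?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
FRAME = re.compile(r"^\s*(?P<unreliable>\? )?(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x")
OBJECT_LINE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_LINE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
LOCATED_LINE = re.compile(r"located (?P<off>\d+) bytes inside of")
ALLOC_HDR = re.compile(r"Allocated by task (?P<pid>\d+):")
FREE_HDR = re.compile(r"Freed by task (?P<pid>\d+):")
# Heuristic (mine, not the kernel's): sanitizer / stack-dump machinery, never the bug itself.
PLUMBING = ("dump_stack", "print_address_description", "end_report",
            "kasan_", "__kasan_", "slab_free_freelist_hook")
# Heuristic: allocator entry points are kept, but the caller above them owns the object.
ALLOCATOR = ("kfree", "kvfree", "kmem_cache_", "kmalloc", "__kmalloc", "kzalloc")


@dataclass
class KasanReport:
    kind: str = ""
    site: str = ""
    access: str = ""
    access_size: int = 0
    addr: int = 0
    pid: int = 0
    object_base: int = 0
    cache: str = ""
    cache_size: int = 0
    reported_offset: Optional[int] = None
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    stacks: Dict[str, List[str]] = field(
        default_factory=lambda: {"access": [], "alloc": [], "free": []})

    @property
    def offset(self) -> int:  # byte offset of the faulting address inside the slab object
        return self.addr - self.object_base

    def consistent(self) -> bool:
        """Computed offset must match KASAN's 'located N bytes inside' line and lie in the object."""
        agrees = self.reported_offset is None or self.reported_offset == self.offset
        return agrees and 0 <= self.offset < self.cache_size


def culprit(stack: List[str]) -> Optional[str]:
    """First frame above the allocator entry points, i.e. the code that owns the object."""
    return next((f for f in stack if not f.startswith(ALLOCATOR)), None)


def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    section: Optional[str] = None  # key of the stack currently being collected
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        frame = FRAME.match(line)
        if section is not None:
            if frame:  # keep reliable, non-plumbing frames; "? " frames are stale stack slots
                if not frame.group("unreliable") and not frame.group("func").startswith(PLUMBING):
                    r.stacks[section].append(frame.group("func"))
                continue
            section = None  # first non-frame line closes the stack
        if "Call Trace:" in line and not r.stacks["access"]:  # first trace only, not the panic's
            section = "access"
        elif m := ALLOC_HDR.search(line):
            section, r.alloc_pid = "alloc", int(m.group("pid"))
        elif m := FREE_HDR.search(line):
            section, r.free_pid = "free", int(m.group("pid"))
        elif m := BUG_LINE.search(line):
            r.kind, r.site = m.group("kind"), m.group("func")
        elif m := ACCESS_LINE.search(line):
            r.access, r.access_size = m.group("rw"), int(m.group("size"))
            r.addr, r.pid = int(m.group("addr"), 16), int(m.group("pid"))
        elif m := OBJECT_LINE.search(line):
            r.object_base = int(m.group("base"), 16)
        elif m := CACHE_LINE.search(line):
            r.cache, r.cache_size = m.group("cache"), int(m.group("size"))
        elif m := LOCATED_LINE.search(line):
            r.reported_offset = int(m.group("off"))
    return r


# Excerpt of the report on this page (lines omitted, none altered).
SAMPLE_REPORT = """\
[   55.750600][ T8409] BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0
[   55.758986][ T8409] Read of size 2 at addr ffff888017a6200b by task syz-executor313/8409
[   55.788816][ T8409] Call Trace:
[   55.820691][ T8409]  kasan_report.cold+0x7c/0xd8
[   55.831119][ T8409]  ? llc_sysctl_exit+0x60/0x60
[   55.835900][ T8409]  eth_header_parse_protocol+0xdc/0xe0
[   55.841586][ T8409]  virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0
[   55.853494][ T8409]  packet_sendmsg+0x2325/0x52b0
[   56.103705][ T8409] Allocated by task 8340:
[   56.112802][ T8409]  __kasan_kmalloc+0x99/0xc0
[   56.117486][ T8409]  tomoyo_init_log+0x18a/0x1ee0
[   56.166044][ T8409] Freed by task 8340:
[   56.194451][ T8409]  kfree+0xe5/0x7f0
[   56.198290][ T8409]  tomoyo_init_log+0x14f7/0x1ee0
[   56.245481][ T8409] The buggy address belongs to the object at ffff888017a62000
[   56.245481][ T8409]  which belongs to the cache kmalloc-4k of size 4096
[   56.259705][ T8409] The buggy address is located 11 bytes inside of
"""

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    print(rep.kind, rep.site, f"+{rep.offset} in {rep.cache}", rep.stacks, rep.consistent())
```

Run on the excerpt, this yields a 2-byte read in eth_header_parse_protocol, reached from packet_sendmsg through virtio_net_hdr_to_skb, at offset 11 of a kmalloc-4k object whose last allocation and free both happened in tomoyo_init_log on a different task (8340) than the one that faulted (8409). That disjointness is worth noticing before blaming TOMOYO: KASAN's "Allocated by" and "Freed by" stacks describe the most recent occupant of that slab slot, so when they have nothing in common with the access path, the usual reading is that the AF_PACKET send path is holding a stale pointer into memory that has since been recycled, and the real owner of the dangling reference is in the access stack, not the allocation stack.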