Starting Permit User Sessions...
[ OK ] Started Daily apt download activities.
[ OK ] Started Daily apt upgrade and clean activities.
Starting OpenBSD Secure Shell server...
[ OK ] Started Daily Cleanup of Temporary Directories.
[ OK ] Reached target Timers.
[ OK ] Started System Logging Service.
[ OK ] Started Permit User Sessions.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.133' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   77.297505][ T8436] ==================================================================
[   77.305806][ T8436] BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0
[   77.313862][ T8436] Read of size 2 at addr ffff88801bd40c0b by task syz-executor628/8436
[   77.322085][ T8436]
[   77.324461][ T8436] CPU: 1 PID: 8436 Comm: syz-executor628 Not tainted 5.12.0-rc4-syzkaller #0
[   77.333222][ T8436] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.343277][ T8436] Call Trace:
[   77.346576][ T8436]  dump_stack+0x141/0x1d7
[   77.351056][ T8436]  ? eth_header_parse_protocol+0xdc/0xe0
[   77.356694][ T8436]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   77.363785][ T8436]  ? llc_sysctl_exit+0x60/0x60
[   77.368548][ T8436]  ? eth_header_parse_protocol+0xdc/0xe0
[   77.374175][ T8436]  ? eth_header_parse_protocol+0xdc/0xe0
[   77.379815][ T8436]  kasan_report.cold+0x7c/0xd8
[   77.384599][ T8436]  ? eth_header_parse_protocol+0xdc/0xe0
[   77.390268][ T8436]  ? llc_sysctl_exit+0x60/0x60
[   77.395064][ T8436]  eth_header_parse_protocol+0xdc/0xe0
[   77.400630][ T8436]  virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0
[   77.406999][ T8436]  ? tpacket_destruct_skb+0x860/0x860
[   77.412391][ T8436]  packet_sendmsg+0x233c/0x5300
[   77.417283][ T8436]  ? aa_sk_perm+0x31b/0xab0
[   77.421851][ T8436]  ? packet_create+0xac0/0xac0
[   77.426605][ T8436]  ? aa_af_perm+0x230/0x230
[   77.431107][ T8436]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   77.437367][ T8436]  ? packet_create+0xac0/0xac0
[   77.442123][ T8436]  sock_sendmsg+0xcf/0x120
[   77.446549][ T8436]  sock_no_sendpage+0xf3/0x130
[   77.451371][ T8436]  ? sk_page_frag_refill+0x1d0/0x1d0
[   77.456674][ T8436]  ? lock_release+0x720/0x720
[   77.461363][ T8436]  ? find_held_lock+0x2d/0x110
[   77.466128][ T8436]  kernel_sendpage.part.0+0x1ab/0x350
[   77.471515][ T8436]  sock_sendpage+0xe5/0x140
[   77.476016][ T8436]  ? __sock_recv_ts_and_drops+0x430/0x430
[   77.481730][ T8436]  pipe_to_sendpage+0x2ad/0x380
[   77.486600][ T8436]  ? propagate_umount+0x19f0/0x19f0
[   77.491794][ T8436]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   77.498030][ T8436]  ? splice_from_pipe_next.part.0+0x167/0x520
[   77.504097][ T8436]  __splice_from_pipe+0x43e/0x8a0
[   77.509121][ T8436]  ? propagate_umount+0x19f0/0x19f0
[   77.514318][ T8436]  generic_splice_sendpage+0xd4/0x140
[   77.519686][ T8436]  ? __do_sys_vmsplice+0x9d0/0x9d0
[   77.524794][ T8436]  ? security_file_permission+0x248/0x560
[   77.530528][ T8436]  ? __do_sys_vmsplice+0x9d0/0x9d0
[   77.535633][ T8436]  do_splice+0xb7e/0x1940
[   77.539976][ T8436]  ? find_held_lock+0x2d/0x110
[   77.544737][ T8436]  ? splice_file_to_pipe+0x120/0x120
[   77.550032][ T8436]  ? find_held_lock+0x2d/0x110
[   77.554794][ T8436]  __do_splice+0x134/0x250
[   77.559205][ T8436]  ? do_splice+0x1940/0x1940
[   77.563795][ T8436]  __x64_sys_splice+0x198/0x250
[   77.568650][ T8436]  do_syscall_64+0x2d/0x70
[   77.573095][ T8436]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   77.578994][ T8436] RIP: 0033:0x445959
[   77.582902][ T8436] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   77.602502][ T8436] RSP: 002b:00007f3682a052f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[   77.610934][ T8436] RAX: ffffffffffffffda RBX: 00000000004ca458 RCX: 0000000000445959
[   77.618897][ T8436] RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000003
[   77.626866][ T8436] RBP: 00000000004ca450 R08: 0000000004f44115 R09: 0000000000000000
[   77.634828][ T8436] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ca45c
[   77.642787][ T8436] R13: 000000000049a074 R14: 6d32cc5e8ead0600 R15: 0000000000022000
[   77.650761][ T8436]
[   77.653073][ T8436] Allocated by task 114:
[   77.657310][ T8436]  kasan_save_stack+0x1b/0x40
[   77.661987][ T8436]  __kasan_slab_alloc+0x75/0x90
[   77.666836][ T8436]  kmem_cache_alloc_node+0x164/0x3b0
[   77.672117][ T8436]  blk_alloc_queue+0x28/0x700
[   77.676810][ T8436]  blk_mq_init_queue+0x44/0xd0
[   77.681575][ T8436]  scsi_mq_alloc_queue+0x3e/0x170
[   77.686608][ T8436]  scsi_alloc_sdev+0x7f6/0xc00
[   77.691377][ T8436]  scsi_probe_and_add_lun+0x216a/0x3520
[   77.696927][ T8436]  __scsi_scan_target+0x225/0xe40
[   77.701944][ T8436]  scsi_scan_channel+0x14b/0x1f0
[   77.706931][ T8436]  scsi_scan_host_selected+0x2e7/0x3c0
[   77.712386][ T8436]  do_scsi_scan_host+0x1e8/0x260
[   77.717320][ T8436]  do_scan_async+0x3e/0x510
[   77.721815][ T8436]  async_run_entry_fn+0xd3/0x6f0
[   77.726746][ T8436]  process_one_work+0x98d/0x1600
[   77.731684][ T8436]  worker_thread+0x64c/0x1120
[   77.736349][ T8436]  kthread+0x3b1/0x4a0
[   77.740410][ T8436]  ret_from_fork+0x1f/0x30
[   77.744844][ T8436]
[   77.747154][ T8436] Last potentially related work creation:
[   77.752851][ T8436]  kasan_save_stack+0x1b/0x40
[   77.757543][ T8436]  kasan_record_aux_stack+0xe5/0x110
[   77.762835][ T8436]  call_rcu+0xb1/0x740
[   77.766898][ T8436]  kobject_put+0x1c8/0x540
[   77.771322][ T8436]  scsi_device_dev_release_usercontext+0x5d6/0xcb0
[   77.777822][ T8436]  execute_in_process_context+0x37/0x150
[   77.783447][ T8436]  device_release+0x9f/0x240
[   77.788055][ T8436]  kobject_put+0x1c8/0x540
[   77.792462][ T8436]  put_device+0x1b/0x30
[   77.796609][ T8436]  __scsi_remove_device+0x1dd/0x3d0
[   77.801798][ T8436]  scsi_probe_and_add_lun+0x1f79/0x3520
[   77.807336][ T8436]  __scsi_scan_target+0x225/0xe40
[   77.812355][ T8436]  scsi_scan_channel+0x14b/0x1f0
[   77.817285][ T8436]  scsi_scan_host_selected+0x2e7/0x3c0
[   77.822737][ T8436]  do_scsi_scan_host+0x1e8/0x260
[   77.827667][ T8436]  do_scan_async+0x3e/0x510
[   77.832167][ T8436]  async_run_entry_fn+0xd3/0x6f0
[   77.837098][ T8436]  process_one_work+0x98d/0x1600
[   77.842034][ T8436]  worker_thread+0x64c/0x1120
[   77.846701][ T8436]  kthread+0x3b1/0x4a0
[   77.850761][ T8436]  ret_from_fork+0x1f/0x30
[   77.855169][ T8436]
[   77.857495][ T8436] The buggy address belongs to the object at ffff88801bd40000
[   77.857495][ T8436]  which belongs to the cache request_queue of size 3432
[   77.871806][ T8436] The buggy address is located 3083 bytes inside of
[   77.871806][ T8436]  3432-byte region [ffff88801bd40000, ffff88801bd40d68)
[   77.885241][ T8436] The buggy address belongs to the page:
[   77.890870][ T8436] page:ffffea00006f5000 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801bd46f40 pfn:0x1bd40
[   77.902342][ T8436] head:ffffea00006f5000 order:3 compound_mapcount:0 compound_pincount:0
[   77.910675][ T8436] flags: 0xfff00000010200(slab|head)
[   77.915979][ T8436] raw: 00fff00000010200 ffffea00006f3800 0000000500000005 ffff888141277000
[   77.924563][ T8436] raw: ffff88801bd46f40 0000000080090000 00000001ffffffff 0000000000000000
[   77.933148][ T8436] page dumped because: kasan: bad access detected
[   77.939546][ T8436]
[   77.941872][ T8436] Memory state around the buggy address:
[   77.947489][ T8436]  ffff88801bd40b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.955552][ T8436]  ffff88801bd40b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.963600][ T8436] >ffff88801bd40c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.971644][ T8436]                       ^
[   77.975956][ T8436]  ffff88801bd40c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.984005][ T8436]  ffff88801bd40d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   77.992068][ T8436] ==================================================================
[   78.000110][ T8436] Disabling lock debugging due to kernel taint
[   78.006477][ T8436] Kernel panic - not syncing: panic_on_warn set ...
[   78.013085][ T8436] CPU: 0 PID: 8436 Comm: syz-executor628 Tainted: G    B             5.12.0-rc4-syzkaller #0
[   78.023238][ T8436] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   78.033308][ T8436] Call Trace:
[   78.036598][ T8436]  dump_stack+0x141/0x1d7
[   78.040953][ T8436]  panic+0x306/0x73d
[   78.044870][ T8436]  ? __warn_printk+0xf3/0xf3
[   78.049497][ T8436]  ? preempt_schedule_common+0x59/0xc0
[   78.054981][ T8436]  ? llc_sysctl_exit+0x60/0x60
[   78.059779][ T8436]  ? eth_header_parse_protocol+0xdc/0xe0
[   78.065437][ T8436]  ? preempt_schedule_thunk+0x16/0x18
[   78.070833][ T8436]  ? trace_hardirqs_on+0x38/0x1c0
[   78.075906][ T8436]  ? trace_hardirqs_on+0x51/0x1c0
[   78.080957][ T8436]  ? llc_sysctl_exit+0x60/0x60
[   78.085744][ T8436]  ? eth_header_parse_protocol+0xdc/0xe0
[   78.091404][ T8436]  ? eth_header_parse_protocol+0xdc/0xe0
[   78.097063][ T8436]  end_report.cold+0x5a/0x5a
[   78.101679][ T8436]  kasan_report.cold+0x6a/0xd8
[   78.106471][ T8436]  ? eth_header_parse_protocol+0xdc/0xe0
[   78.112133][ T8436]  ? llc_sysctl_exit+0x60/0x60
[   78.116925][ T8436]  eth_header_parse_protocol+0xdc/0xe0
[   78.122412][ T8436]  virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0
[   78.128767][ T8436]  ? tpacket_destruct_skb+0x860/0x860
[   78.134140][ T8436]  packet_sendmsg+0x233c/0x5300
[   78.138983][ T8436]  ? aa_sk_perm+0x31b/0xab0
[   78.143479][ T8436]  ? packet_create+0xac0/0xac0
[   78.148241][ T8436]  ? aa_af_perm+0x230/0x230
[   78.152749][ T8436]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   78.158978][ T8436]  ? packet_create+0xac0/0xac0
[   78.163744][ T8436]  sock_sendmsg+0xcf/0x120
[   78.168150][ T8436]  sock_no_sendpage+0xf3/0x130
[   78.172898][ T8436]  ? sk_page_frag_refill+0x1d0/0x1d0
[   78.178168][ T8436]  ? lock_release+0x720/0x720
[   78.182830][ T8436]  ? find_held_lock+0x2d/0x110
[   78.187609][ T8436]  kernel_sendpage.part.0+0x1ab/0x350
[   78.192996][ T8436]  sock_sendpage+0xe5/0x140
[   78.197519][ T8436]  ? __sock_recv_ts_and_drops+0x430/0x430
[   78.203226][ T8436]  pipe_to_sendpage+0x2ad/0x380
[   78.208064][ T8436]  ? propagate_umount+0x19f0/0x19f0
[   78.213247][ T8436]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   78.219475][ T8436]  ? splice_from_pipe_next.part.0+0x167/0x520
[   78.225543][ T8436]  __splice_from_pipe+0x43e/0x8a0
[   78.230555][ T8436]  ? propagate_umount+0x19f0/0x19f0
[   78.235740][ T8436]  generic_splice_sendpage+0xd4/0x140
[   78.241101][ T8436]  ? __do_sys_vmsplice+0x9d0/0x9d0
[   78.246233][ T8436]  ? security_file_permission+0x248/0x560
[   78.251939][ T8436]  ? __do_sys_vmsplice+0x9d0/0x9d0
[   78.257055][ T8436]  do_splice+0xb7e/0x1940
[   78.261374][ T8436]  ? find_held_lock+0x2d/0x110
[   78.266125][ T8436]  ? splice_file_to_pipe+0x120/0x120
[   78.271415][ T8436]  ? find_held_lock+0x2d/0x110
[   78.276177][ T8436]  __do_splice+0x134/0x250
[   78.280604][ T8436]  ? do_splice+0x1940/0x1940
[   78.285188][ T8436]  __x64_sys_splice+0x198/0x250
[   78.290029][ T8436]  do_syscall_64+0x2d/0x70
[   78.294433][ T8436]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   78.300317][ T8436] RIP: 0033:0x445959
[   78.304210][ T8436] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   78.323802][ T8436] RSP: 002b:00007f3682a052f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[   78.332201][ T8436] RAX: ffffffffffffffda RBX: 00000000004ca458 RCX: 0000000000445959
[   78.340160][ T8436] RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000003
[   78.348116][ T8436] RBP: 00000000004ca450 R08: 0000000004f44115 R09: 0000000000000000
[   78.356073][ T8436] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ca45c
[   78.364041][ T8436] R13: 000000000049a074 R14: 6d32cc5e8ead0600 R15: 0000000000022000
[   78.372608][ T8436] Kernel Offset: disabled
[   78.376928][ T8436] Rebooting in 86400 seconds..