[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty1.
[ OK ] Started OpenBSD Secure Shell server.
Warning: Permanently added '10.128.1.61' (ECDSA) to the list of known hosts.
executing program
[* ] A start job is running for dev-ttyS0.device (8s / 1min 30s)
[ 23.609961][ T22] audit: type=1400 audit(1616323524.780:8): avc: denied { execmem } for pid=340 comm="syz-executor196" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 23.663062][ T342] ==================================================================
[ 23.671122][ T342] BUG: KASAN: use-after-free in eth_header_parse_protocol+0xad/0xd0
[ 23.679070][ T342] Read of size 2 at addr ffff8881e90e380b by task syz-executor196/342
[ 23.687183][ T342]
[ 23.689483][ T342] CPU: 0 PID: 342 Comm: syz-executor196 Not tainted 5.4.107-syzkaller-00750-g543ec4541c0e #0
[ 23.699595][ T342] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.709620][ T342] Call Trace:
[ 23.712881][ T342] dump_stack+0x1d8/0x24e
[ 23.717183][ T342] ? gfp_pfmemalloc_allowed+0x120/0x120
[ 23.722697][ T342] ? show_regs_print_info+0x12/0x12
[ 23.727862][ T342] ? printk+0xcf/0x114
[ 23.731903][ T342] print_address_description+0x9b/0x650
[ 23.737420][ T342] ? devkmsg_release+0x11c/0x11c
[ 23.742326][ T342] ? _copy_from_iter+0x84d/0xa80
[ 23.747228][ T342] ? memcpy+0x38/0x50
[ 23.751178][ T342] __kasan_report+0x182/0x260
[ 23.755912][ T342] ? eth_header_parse_protocol+0xad/0xd0
[ 23.761510][ T342] kasan_report+0x30/0x60
[ 23.765807][ T342] eth_header_parse_protocol+0xad/0xd0
[ 23.771232][ T342] ? eth_header_cache_update+0x30/0x30
[ 23.776682][ T342] virtio_net_hdr_to_skb+0x6de/0xd70
[ 23.781956][ T342] ? fanout_demux_bpf+0x230/0x230
[ 23.786967][ T342] ? skb_copy_datagram_from_iter+0x604/0x6b0
[ 23.792915][ T342] packet_sendmsg+0x483a/0x6780
[ 23.797742][ T342] ? memset+0x1f/0x40
[ 23.801691][ T342] ? selinux_socket_sendmsg+0x11f/0x340
[ 23.807215][ T342] ? selinux_socket_accept+0x5b0/0x5b0
[ 23.812652][ T342] ? compat_packet_setsockopt+0x160/0x160
[ 23.818339][ T342] ? security_socket_sendmsg+0x9d/0xb0
[ 23.823772][ T342] ? compat_packet_setsockopt+0x160/0x160
[ 23.829462][ T342] kernel_sendmsg+0xf5/0x130
[ 23.834025][ T342] sock_no_sendpage+0x143/0x1b0
[ 23.838842][ T342] ? __receive_sock+0xe0/0xe0
[ 23.843490][ T342] ? avc_has_perm_noaudit+0x37d/0x400
[ 23.848840][ T342] ? avc_has_perm_noaudit+0x30c/0x400
[ 23.854177][ T342] ? __receive_sock+0xe0/0xe0
[ 23.858816][ T342] sock_sendpage+0xd0/0x120
[ 23.863284][ T342] pipe_to_sendpage+0x23b/0x300
[ 23.868114][ T342] ? sock_fasync+0xf0/0xf0
[ 23.872496][ T342] ? generic_splice_sendpage+0x210/0x210
[ 23.878092][ T342] ? avc_has_perm+0xd2/0x270
[ 23.882647][ T342] ? avc_has_perm+0x173/0x270
[ 23.887304][ T342] __splice_from_pipe+0x2d3/0x870
[ 23.892294][ T342] ? generic_splice_sendpage+0x210/0x210
[ 23.897895][ T342] generic_splice_sendpage+0x181/0x210
[ 23.903319][ T342] ? iter_file_splice_write+0xf20/0xf20
[ 23.908834][ T342] ? security_file_permission+0x128/0x300
[ 23.914518][ T342] ? iter_file_splice_write+0xf20/0xf20
[ 23.920042][ T342] __se_sys_splice+0x7a8/0x1b00
[ 23.924859][ T342] ? check_preemption_disabled+0x154/0x330
[ 23.930631][ T342] ? debug_smp_processor_id+0x20/0x20
[ 23.935967][ T342] ? __fpregs_load_activate+0x1d7/0x3c0
[ 23.941476][ T342] ? __x64_sys_splice+0xf0/0xf0
[ 23.946345][ T342] ? finish_task_switch+0x1b9/0x550
[ 23.951514][ T342] ? __x64_sys_splice+0x1d/0xf0
[ 23.956332][ T342] do_syscall_64+0xcb/0x1e0
[ 23.960805][ T342] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 23.966664][ T342] RIP: 0033:0x444d49
[ 23.970527][ T342] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 23.990099][ T342] RSP: 002b:00007fbdfd8212f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 23.998475][ T342] RAX: ffffffffffffffda RBX: 00000000004ca458 RCX: 0000000000444d49
[ 24.006414][ T342] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[ 24.014354][ T342] RBP: 00000000004ca450 R08: 000000000004fee0 R09: 0000000000000000
[ 24.022295][ T342] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ca45c
[ 24.030234][ T342] R13: 000000000049a004 R14: 6d32cc5e8ead0600 R15: 0000000000022000
[ 24.038172][ T342]
[ 24.040468][ T342] Allocated by task 150:
[ 24.044678][ T342] __kasan_kmalloc+0x137/0x1e0
[ 24.049414][ T342] kmem_cache_alloc+0x115/0x290
[ 24.054232][ T342] getname_flags+0xba/0x640
[ 24.058698][ T342] user_path_at_empty+0x28/0x50
[ 24.063512][ T342] do_readlinkat+0x11b/0x3b0
[ 24.068066][ T342] __x64_sys_readlinkat+0x96/0xb0
[ 24.073056][ T342] do_syscall_64+0xcb/0x1e0
[ 24.077610][ T342] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.083462][ T342]
[ 24.085758][ T342] Freed by task 150:
[ 24.089619][ T342] __kasan_slab_free+0x18a/0x240
[ 24.094523][ T342] slab_free_freelist_hook+0x7b/0x150
[ 24.099887][ T342] kmem_cache_free+0xb8/0x5f0
[ 24.104527][ T342] filename_lookup+0x4bb/0x6a0
[ 24.109255][ T342] do_readlinkat+0x11b/0x3b0
[ 24.113822][ T342] __x64_sys_readlinkat+0x96/0xb0
[ 24.118825][ T342] do_syscall_64+0xcb/0x1e0
[ 24.123296][ T342] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.129193][ T342]
[ 24.131491][ T342] The buggy address belongs to the object at ffff8881e90e3300
[ 24.131491][ T342] which belongs to the cache names_cache of size 4096
[ 24.145594][ T342] The buggy address is located 1291 bytes inside of
[ 24.145594][ T342] 4096-byte region [ffff8881e90e3300, ffff8881e90e4300)
[ 24.159035][ T342] The buggy address belongs to the page:
[ 24.164635][ T342] page:ffffea0007a43800 refcount:1 mapcount:0 mapping:ffff8881f5cfb680 index:0x0 compound_mapcount: 0
[ 24.175526][ T342] flags: 0x8000000000010200(slab|head)
[ 24.180954][ T342] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cfb680
[ 24.189509][ T342] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 24.198076][ T342] page dumped because: kasan: bad access detected
[ 24.204450][ T342]
[ 24.206747][ T342] Memory state around the buggy address:
[ 24.212345][ T342] ffff8881e90e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.220397][ T342] ffff8881e90e3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.228427][ T342] >ffff8881e90e3800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.236452][ T342] ^
[ 24.240766][ T342] ffff8881e90e3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.248792][ T342] ffff8881e90e3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.256819][ T342] ==================================================================
[ 24.2648