[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.79' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 70.258736][ T8392] ==================================================================
[ 70.267099][ T8392] BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0
[ 70.275149][ T8392] Read of size 2 at addr ffff88801a5ec80b by task syz-executor961/8392
[ 70.283408][ T8392]
[ 70.285746][ T8392] CPU: 0 PID: 8392 Comm: syz-executor961 Not tainted 5.12.0-rc4-syzkaller #0
[ 70.294519][ T8392] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.304591][ T8392] Call Trace:
[ 70.307883][ T8392] dump_stack+0x141/0x1d7
[ 70.312256][ T8392] ? eth_header_parse_protocol+0xdc/0xe0
[ 70.317915][ T8392] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 70.324968][ T8392] ? llc_sysctl_exit+0x60/0x60
[ 70.329759][ T8392] ? eth_header_parse_protocol+0xdc/0xe0
[ 70.335415][ T8392] ? eth_header_parse_protocol+0xdc/0xe0
[ 70.341176][ T8392] kasan_report.cold+0x7c/0xd8
[ 70.345933][ T8392] ? eth_header_parse_protocol+0xdc/0xe0
[ 70.351554][ T8392] ? llc_sysctl_exit+0x60/0x60
[ 70.356306][ T8392] eth_header_parse_protocol+0xdc/0xe0
[ 70.361787][ T8392] virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0
[ 70.368108][ T8392] ? tpacket_destruct_skb+0x860/0x860
[ 70.373492][ T8392] packet_sendmsg+0x233c/0x5300
[ 70.378360][ T8392] ? aa_sk_perm+0x31b/0xab0
[ 70.382856][ T8392] ? packet_create+0xac0/0xac0
[ 70.387619][ T8392] ? aa_af_perm+0x230/0x230
[ 70.392116][ T8392] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.398351][ T8392] ? packet_create+0xac0/0xac0
[ 70.403124][ T8392] sock_sendmsg+0xcf/0x120
[ 70.407531][ T8392] sock_no_sendpage+0xf3/0x130
[ 70.412286][ T8392] ? sk_page_frag_refill+0x1d0/0x1d0
[ 70.417581][ T8392] ? lock_release+0x720/0x720
[ 70.422264][ T8392] ? find_held_lock+0x2d/0x110
[ 70.427033][ T8392] kernel_sendpage.part.0+0x1ab/0x350
[ 70.432399][ T8392] sock_sendpage+0xe5/0x140
[ 70.436918][ T8392] ? __sock_recv_ts_and_drops+0x430/0x430
[ 70.442626][ T8392] pipe_to_sendpage+0x2ad/0x380
[ 70.447467][ T8392] ? propagate_umount+0x19f0/0x19f0
[ 70.452653][ T8392] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.458881][ T8392] ? splice_from_pipe_next.part.0+0x167/0x520
[ 70.464949][ T8392] __splice_from_pipe+0x43e/0x8a0
[ 70.469966][ T8392] ? propagate_umount+0x19f0/0x19f0
[ 70.475177][ T8392] generic_splice_sendpage+0xd4/0x140
[ 70.480538][ T8392] ? __do_sys_vmsplice+0x9d0/0x9d0
[ 70.485641][ T8392] ? security_file_permission+0x248/0x560
[ 70.491352][ T8392] ? __do_sys_vmsplice+0x9d0/0x9d0
[ 70.496468][ T8392] do_splice+0xb7e/0x1940
[ 70.500849][ T8392] ? find_held_lock+0x2d/0x110
[ 70.505601][ T8392] ? splice_file_to_pipe+0x120/0x120
[ 70.510891][ T8392] ? find_held_lock+0x2d/0x110
[ 70.515645][ T8392] __do_splice+0x134/0x250
[ 70.520052][ T8392] ? do_splice+0x1940/0x1940
[ 70.524635][ T8392] __x64_sys_splice+0x198/0x250
[ 70.529492][ T8392] do_syscall_64+0x2d/0x70
[ 70.533919][ T8392] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.539820][ T8392] RIP: 0033:0x4453e9
[ 70.543880][ T8392] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 70.563479][ T8392] RSP: 002b:00007fa8ce9222f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 70.572013][ T8392] RAX: ffffffffffffffda RBX: 00000000004ca458 RCX: 00000000004453e9
[ 70.580065][ T8392] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[ 70.588032][ T8392] RBP: 00000000004ca450 R08: 000000000004ffe0 R09: 0000000000000000
[ 70.596013][ T8392] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ca45c
[ 70.603986][ T8392] R13: 000000000049a004 R14: 6d32cc5e8ead0600 R15: 0000000000022000
[ 70.611973][ T8392]
[ 70.614317][ T8392] Allocated by task 6408:
[ 70.618626][ T8392] kasan_save_stack+0x1b/0x40
[ 70.623313][ T8392] __kasan_slab_alloc+0x75/0x90
[ 70.628150][ T8392] kmem_cache_alloc+0x155/0x370
[ 70.633005][ T8392] getname_flags.part.0+0x50/0x4f0
[ 70.638105][ T8392] user_path_at_empty+0xa1/0x100
[ 70.643044][ T8392] do_readlinkat+0xcd/0x2f0
[ 70.647534][ T8392] __x64_sys_readlinkat+0x93/0xf0
[ 70.652546][ T8392] do_syscall_64+0x2d/0x70
[ 70.656959][ T8392] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.662850][ T8392]
[ 70.665192][ T8392] Freed by task 6408:
[ 70.669157][ T8392] kasan_save_stack+0x1b/0x40
[ 70.673829][ T8392] kasan_set_track+0x1c/0x30
[ 70.678410][ T8392] kasan_set_free_info+0x20/0x30
[ 70.683335][ T8392] __kasan_slab_free+0xf5/0x130
[ 70.688168][ T8392] slab_free_freelist_hook+0x92/0x210
[ 70.693524][ T8392] kmem_cache_free+0x8a/0x740
[ 70.698187][ T8392] putname+0xe1/0x120
[ 70.702153][ T8392] filename_lookup+0x3b1/0x560
[ 70.706939][ T8392] do_readlinkat+0xcd/0x2f0
[ 70.711495][ T8392] __x64_sys_readlinkat+0x93/0xf0
[ 70.716563][ T8392] do_syscall_64+0x2d/0x70
[ 70.720965][ T8392] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.726845][ T8392]
[ 70.729152][ T8392] The buggy address belongs to the object at ffff88801a5ec400
[ 70.729152][ T8392] which belongs to the cache names_cache of size 4096
[ 70.743273][ T8392] The buggy address is located 1035 bytes inside of
[ 70.743273][ T8392] 4096-byte region [ffff88801a5ec400, ffff88801a5ed400)
[ 70.756716][ T8392] The buggy address belongs to the page:
[ 70.762363][ T8392] page:ffffea0000697a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a5e8
[ 70.772498][ T8392] head:ffffea0000697a00 order:3 compound_mapcount:0 compound_pincount:0
[ 70.780807][ T8392] flags: 0xfff00000010200(slab|head)
[ 70.786124][ T8392] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff8880109bd140
[ 70.794693][ T8392] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 70.803256][ T8392] page dumped because: kasan: bad access detected
[ 70.809648][ T8392]
[ 70.811979][ T8392] Memory state around the buggy address:
[ 70.817589][ T8392] ffff88801a5ec700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.825632][ T8392] ffff88801a5ec780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.833675][ T8392] >ffff88801a5ec800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.841730][ T8392] ^
[ 70.846039][ T8392] ffff88801a5ec880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.854085][ T8392] ffff88801a5ec900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.862127][ T8392] ==================================================================
[ 70.870167][ T8392] Disabling lock debugging due to kernel taint
[ 70.878373][ T8392] Kernel panic - not syncing: panic_on_warn set ...
[ 70.885008][ T8392] CPU: 1 PID: 8392 Comm: syz-executor961 Tainted: G B 5.12.0-rc4-syzkaller #0
[ 70.895147][ T8392] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.905188][ T8392] Call Trace:
[ 70.908463][ T8392] dump_stack+0x141/0x1d7
[ 70.912787][ T8392] panic+0x306/0x73d
[ 70.916671][ T8392] ? __warn_printk+0xf3/0xf3
[ 70.921251][ T8392] ? preempt_schedule_common+0x59/0xc0
[ 70.926701][ T8392] ? llc_sysctl_exit+0x60/0x60
[ 70.931459][ T8392] ? eth_header_parse_protocol+0xdc/0xe0
[ 70.937080][ T8392] ? preempt_schedule_thunk+0x16/0x18
[ 70.942446][ T8392] ? trace_hardirqs_on+0x38/0x1c0
[ 70.947465][ T8392] ? trace_hardirqs_on+0x51/0x1c0
[ 70.952478][ T8392] ? llc_sysctl_exit+0x60/0x60
[ 70.957230][ T8392] ? eth_header_parse_protocol+0xdc/0xe0
[ 70.962852][ T8392] ? eth_header_parse_protocol+0xdc/0xe0
[ 70.968477][ T8392] end_report.cold+0x5a/0x5a
[ 70.973058][ T8392] kasan_report.cold+0x6a/0xd8
[ 70.977831][ T8392] ? eth_header_parse_protocol+0xdc/0xe0
[ 70.983453][ T8392] ? llc_sysctl_exit+0x60/0x60
[ 70.988207][ T8392] eth_header_parse_protocol+0xdc/0xe0
[ 70.993657][ T8392] virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0
[ 70.999980][ T8392] ? tpacket_destruct_skb+0x860/0x860
[ 71.005344][ T8392] packet_sendmsg+0x233c/0x5300
[ 71.010193][ T8392] ? aa_sk_perm+0x31b/0xab0
[ 71.014689][ T8392] ? packet_create+0xac0/0xac0
[ 71.019444][ T8392] ? aa_af_perm+0x230/0x230
[ 71.023949][ T8392] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 71.030185][ T8392] ? packet_create+0xac0/0xac0
[ 71.034939][ T8392] sock_sendmsg+0xcf/0x120
[ 71.039346][ T8392] sock_no_sendpage+0xf3/0x130
[ 71.044124][ T8392] ? sk_page_frag_refill+0x1d0/0x1d0
[ 71.049402][ T8392] ? lock_release+0x720/0x720
[ 71.054073][ T8392] ? find_held_lock+0x2d/0x110
[ 71.058825][ T8392] kernel_sendpage.part.0+0x1ab/0x350
[ 71.064191][ T8392] sock_sendpage+0xe5/0x140
[ 71.068687][ T8392] ? __sock_recv_ts_and_drops+0x430/0x430
[ 71.074402][ T8392] pipe_to_sendpage+0x2ad/0x380
[ 71.079247][ T8392] ? propagate_umount+0x19f0/0x19f0
[ 71.084436][ T8392] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 71.090669][ T8392] ? splice_from_pipe_next.part.0+0x167/0x520
[ 71.096727][ T8392] __splice_from_pipe+0x43e/0x8a0
[ 71.101760][ T8392] ? propagate_umount+0x19f0/0x19f0
[ 71.106949][ T8392] generic_splice_sendpage+0xd4/0x140
[ 71.112421][ T8392] ? __do_sys_vmsplice+0x9d0/0x9d0
[ 71.117523][ T8392] ? security_file_permission+0x248/0x560
[ 71.123234][ T8392] ? __do_sys_vmsplice+0x9d0/0x9d0
[ 71.128334][ T8392] do_splice+0xb7e/0x1940
[ 71.132656][ T8392] ? find_held_lock+0x2d/0x110
[ 71.137437][ T8392] ? splice_file_to_pipe+0x120/0x120
[ 71.142714][ T8392] ? find_held_lock+0x2d/0x110
[ 71.147485][ T8392] __do_splice+0x134/0x250
[ 71.151894][ T8392] ? do_splice+0x1940/0x1940
[ 71.156532][ T8392] __x64_sys_splice+0x198/0x250
[ 71.161374][ T8392] do_syscall_64+0x2d/0x70
[ 71.165878][ T8392] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 71.171764][ T8392] RIP: 0033:0x4453e9
[ 71.175643][ T8392] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 71.195238][ T8392] RSP: 002b:00007fa8ce9222f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 71.203639][ T8392] RAX: ffffffffffffffda RBX: 00000000004ca458 RCX: 00000000004453e9
[ 71.211597][ T8392] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[ 71.219557][ T8392] RBP: 00000000004ca450 R08: 000000000004ffe0 R09: 0000000000000000
[ 71.227515][ T8392] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ca45c
[ 71.235483][ T8392] R13: 000000000049a004 R14: 6d32cc5e8ead0600 R15: 0000000000022000
[ 71.244326][ T8392] Kernel Offset: disabled
[ 71.248719][ T8392] Rebooting in 86400 seconds..