================================================================== BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:283 Read of size 2 at addr ffff88802b93600b by task syz-executor.2/17025 CPU: 1 PID: 17025 Comm: syz-executor.2 Not tainted 5.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:283 dev_parse_header_protocol include/linux/netdevice.h:3264 [inline] virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0 include/linux/virtio_net.h:83 packet_snd net/packet/af_packet.c:2994 [inline] packet_sendmsg+0x233c/0x5300 net/packet/af_packet.c:3031 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 sock_write_iter+0x289/0x3c0 net/socket.c:1001 call_write_iter include/linux/fs.h:1977 [inline] new_sync_write+0x426/0x650 fs/read_write.c:518 vfs_write+0x796/0xa30 fs/read_write.c:605 ksys_write+0x1ee/0x250 fs/read_write.c:658 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x466459 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f615df69188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000466459 RDX: 000000000000fdef RSI: 0000000020000100 RDI: 0000000000000003 RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60 R13: 00007ffc5e2a3c9f R14: 00007f615df69300 R15: 0000000000022000 Allocated by task 10114: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:427 [inline] ____kasan_kmalloc mm/kasan/common.c:506 [inline] ____kasan_kmalloc mm/kasan/common.c:465 [inline] __kasan_kmalloc+0x99/0xc0 mm/kasan/common.c:515 kmalloc include/linux/slab.h:554 [inline] kzalloc include/linux/slab.h:684 [inline] rxrpc_alloc_peer+0x8d/0x3c0 net/rxrpc/peer_object.c:217 rxrpc_service_prealloc_one+0xce2/0x1430 net/rxrpc/call_accept.c:73 rxrpc_kernel_charge_accept+0xd4/0x120 net/rxrpc/call_accept.c:487 afs_charge_preallocation+0xba/0x2d0 fs/afs/rxrpc.c:768 afs_open_socket+0x294/0x360 fs/afs/rxrpc.c:92 afs_net_init+0xac9/0xeb0 fs/afs/main.c:126 ops_init+0xaf/0x470 net/core/net_namespace.c:140 setup_net+0x40f/0xa30 net/core/net_namespace.c:333 copy_net_ns+0x31e/0x760 net/core/net_namespace.c:474 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:226 ksys_unshare+0x445/0x8e0 kernel/fork.c:2998 __do_sys_unshare kernel/fork.c:3066 [inline] __se_sys_unshare kernel/fork.c:3064 [inline] __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3064 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88802b936000 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 11 bytes inside of 512-byte region [ffff88802b936000, ffff88802b936200) The buggy address belongs to the page: page:ffffea0000ae4d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802b934400 pfn:0x2b934 head:ffffea0000ae4d00 order:2 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head) raw: 00fff00000010200 ffffea00006ffc08 ffffea0000a72e08 ffff888010841c80 raw: ffff88802b934400 0000000000100001 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88802b935f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88802b935f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88802b936000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802b936080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802b936100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================