================================================================== BUG: KASAN: slab-out-of-bounds in eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:282 Read of size 2 at addr ffff88801e5cb80b by task syz-executor.4/21678 CPU: 1 PID: 21678 Comm: syz-executor.4 Not tainted 5.12.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:282 dev_parse_header_protocol include/linux/netdevice.h:3179 [inline] virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0 include/linux/virtio_net.h:83 packet_snd net/packet/af_packet.c:2994 [inline] packet_sendmsg+0x2325/0x52b0 net/packet/af_packet.c:3031 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 sock_write_iter+0x289/0x3c0 net/socket.c:1001 call_write_iter include/linux/fs.h:1977 [inline] new_sync_write+0x426/0x650 fs/read_write.c:518 vfs_write+0x796/0xa30 fs/read_write.c:605 ksys_write+0x1ee/0x250 fs/read_write.c:658 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x466459 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8a67829188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000466459 RDX: 0000000000000122 RSI: 0000000020000240 RDI: 0000000000000003 RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60 R13: 00007ffca903c54f R14: 00007f8a67829300 R15: 0000000000022000 Allocated by task 1: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:427 [inline] __kasan_slab_alloc+0x73/0x90 mm/kasan/common.c:460 kasan_slab_alloc include/linux/kasan.h:223 [inline] slab_post_alloc_hook mm/slab.h:516 [inline] slab_alloc mm/slab.c:3325 [inline] kmem_cache_alloc+0x1c8/0x500 mm/slab.c:3502 kmem_cache_zalloc include/linux/slab.h:674 [inline] __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:626 kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:688 __kernfs_create_file+0x51/0x350 fs/kernfs/file.c:985 sysfs_add_file_mode_ns+0x226/0x540 fs/sysfs/file.c:317 sysfs_merge_group+0x198/0x320 fs/sysfs/group.c:343 dpm_sysfs_add+0x23e/0x290 drivers/base/power/sysfs.c:707 device_add+0xa83/0x1db0 drivers/base/core.c:3199 usb_hub_create_port_device+0x3ad/0xd50 drivers/usb/core/port.c:564 hub_configure drivers/usb/core/hub.c:1648 [inline] hub_probe.cold+0x24a7/0x2aa1 drivers/usb/core/hub.c:1882 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 really_probe+0x291/0xe60 drivers/base/dd.c:557 driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:743 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:849 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431 __device_attach+0x228/0x4a0 drivers/base/dd.c:917 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491 device_add+0xbdb/0x1db0 drivers/base/core.c:3242 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2164 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293 really_probe+0x291/0xe60 drivers/base/dd.c:557 driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:743 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:849 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431 __device_attach+0x228/0x4a0 drivers/base/dd.c:917 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491 device_add+0xbdb/0x1db0 drivers/base/core.c:3242 usb_new_device.cold+0x721/0x1058 drivers/usb/core/hub.c:2555 register_root_hub drivers/usb/core/hcd.c:1010 [inline] usb_add_hcd.cold+0x1382/0x178c drivers/usb/core/hcd.c:2805 vhci_hcd_probe+0x1c9/0x3a0 drivers/usb/usbip/vhci_hcd.c:1373 platform_probe+0xfc/0x1f0 drivers/base/platform.c:1448 really_probe+0x291/0xe60 drivers/base/dd.c:557 driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:743 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:849 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431 __device_attach+0x228/0x4a0 drivers/base/dd.c:917 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491 device_add+0xbdb/0x1db0 drivers/base/core.c:3242 platform_device_add+0x363/0x820 drivers/base/platform.c:749 vhci_hcd_init+0x341/0x485 drivers/usb/usbip/vhci_hcd.c:1543 do_one_initcall+0x103/0x650 init/main.c:1226 do_initcall_level init/main.c:1299 [inline] do_initcalls init/main.c:1315 [inline] do_basic_setup init/main.c:1335 [inline] kernel_init_freeable+0x63e/0x6c2 init/main.c:1537 kernel_init+0xd/0x1b8 init/main.c:1424 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 The buggy address belongs to the object at ffff88801e5cb740 which belongs to the cache kernfs_node_cache of size 168 The buggy address is located 35 bytes to the right of 168-byte region [ffff88801e5cb740, ffff88801e5cb7e8) The buggy address belongs to the page: page:ffffea00007972c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e5cb flags: 0xfff00000000200(slab) raw: 00fff00000000200 ffffea0000797248 ffffea0000797348 ffff888140508200 raw: 0000000000000000 ffff88801e5cb000 0000000100000011 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88801e5cb700: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ffff88801e5cb780: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc >ffff88801e5cb800: fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 ^ ffff88801e5cb880: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ffff88801e5cb900: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================