================================================================== BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:283 Read of size 2 at addr ffff8880179c840b by task syz-executor.5/19274 CPU: 0 PID: 19274 Comm: syz-executor.5 Not tainted 5.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:283 dev_parse_header_protocol include/linux/netdevice.h:3264 [inline] virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0 include/linux/virtio_net.h:83 packet_snd net/packet/af_packet.c:2994 [inline] packet_sendmsg+0x233c/0x5300 net/packet/af_packet.c:3031 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x466459 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9f2b167188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000466459 RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000003 RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60 R13: 00007fff13c3d69f R14: 00007f9f2b167300 R15: 0000000000022000 Allocated by task 1: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:427 [inline] __kasan_slab_alloc+0x75/0x90 mm/kasan/common.c:460 kasan_slab_alloc include/linux/kasan.h:223 [inline] slab_post_alloc_hook mm/slab.h:516 [inline] slab_alloc_node mm/slub.c:2907 [inline] slab_alloc mm/slub.c:2915 [inline] kmem_cache_alloc+0x155/0x370 mm/slub.c:2920 mempool_init_node+0x2e6/0x590 mm/mempool.c:200 mempool_init+0x38/0x50 mm/mempool.c:229 mempool_init_slab_pool include/linux/mempool.h:62 [inline] biovec_init_pool block/bio.c:1517 [inline] bioset_init+0x418/0x890 block/bio.c:1586 do_one_initcall+0x103/0x650 init/main.c:1226 do_initcall_level init/main.c:1299 [inline] do_initcalls init/main.c:1315 [inline] do_basic_setup init/main.c:1335 [inline] kernel_init_freeable+0x63e/0x6c2 init/main.c:1537 kernel_init+0xd/0x1b8 init/main.c:1424 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 The buggy address belongs to the object at ffff8880179c8000 which belongs to the cache biovec-max of size 4096 The buggy address is located 1035 bytes inside of 4096-byte region [ffff8880179c8000, ffff8880179c9000) The buggy address belongs to the page: page:ffffea00005e7200 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880179cd500 pfn:0x179c8 head:ffffea00005e7200 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head) raw: 00fff00000010200 ffffea000188d600 0000000200000002 ffff88814070ec80 raw: ffff8880179cd500 0000000080070005 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880179c8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880179c8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880179c8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880179c8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880179c8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================