================================================================== BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:282 Read of size 2 at addr ffff888017a6200b by task syz-executor313/8409 CPU: 1 PID: 8409 Comm: syz-executor313 Not tainted 5.12.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:282 dev_parse_header_protocol include/linux/netdevice.h:3177 [inline] virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0 include/linux/virtio_net.h:83 packet_snd net/packet/af_packet.c:2994 [inline] packet_sendmsg+0x2325/0x52b0 net/packet/af_packet.c:3031 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 sock_no_sendpage+0xf3/0x130 net/core/sock.c:2860 kernel_sendpage.part.0+0x1ab/0x350 net/socket.c:3631 kernel_sendpage net/socket.c:3628 [inline] sock_sendpage+0xe5/0x140 net/socket.c:947 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:364 splice_from_pipe_feed fs/splice.c:418 [inline] __splice_from_pipe+0x43e/0x8a0 fs/splice.c:562 splice_from_pipe fs/splice.c:597 [inline] generic_splice_sendpage+0xd4/0x140 fs/splice.c:746 do_splice_from fs/splice.c:767 [inline] do_splice+0xb7e/0x1940 fs/splice.c:1079 __do_splice+0x134/0x250 fs/splice.c:1144 __do_sys_splice fs/splice.c:1350 [inline] __se_sys_splice fs/splice.c:1332 [inline] __x64_sys_splice+0x198/0x250 fs/splice.c:1332 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4459e9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f68558312e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 00000000004ca450 RCX: 00000000004459e9 RDX: 0000000000000006 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00000000004ca45c R08: 000000000004ffe0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049a074 R13: 65732f636f72702f R14: 6d32cc5e8ead0600 R15: 00000000004ca458 Allocated by task 8340: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:427 [inline] ____kasan_kmalloc mm/kasan/common.c:506 [inline] ____kasan_kmalloc mm/kasan/common.c:465 [inline] __kasan_kmalloc+0x99/0xc0 mm/kasan/common.c:515 kmalloc include/linux/slab.h:554 [inline] tomoyo_print_header security/tomoyo/audit.c:156 [inline] tomoyo_init_log+0x18a/0x1ee0 security/tomoyo/audit.c:255 tomoyo_supervisor+0x34d/0xf00 security/tomoyo/common.c:2097 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline] tomoyo_path_permission security/tomoyo/file.c:587 [inline] tomoyo_path_permission+0x270/0x3a0 security/tomoyo/file.c:573 tomoyo_path_perm+0x2f0/0x400 security/tomoyo/file.c:838 security_inode_getattr+0xcf/0x140 security/security.c:1288 vfs_getattr fs/stat.c:131 [inline] vfs_statx+0x164/0x390 fs/stat.c:199 vfs_fstatat fs/stat.c:217 [inline] vfs_lstat include/linux/fs.h:3240 [inline] __do_sys_newlstat+0x91/0x110 fs/stat.c:372 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 8340: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357 ____kasan_slab_free mm/kasan/common.c:360 [inline] ____kasan_slab_free mm/kasan/common.c:325 [inline] __kasan_slab_free+0xf5/0x130 mm/kasan/common.c:367 kasan_slab_free include/linux/kasan.h:199 [inline] slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x92/0x210 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kfree+0xe5/0x7f0 mm/slub.c:4213 tomoyo_init_log+0x14f7/0x1ee0 security/tomoyo/audit.c:294 tomoyo_supervisor+0x34d/0xf00 security/tomoyo/common.c:2097 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline] tomoyo_path_permission security/tomoyo/file.c:587 [inline] tomoyo_path_permission+0x270/0x3a0 security/tomoyo/file.c:573 tomoyo_path_perm+0x2f0/0x400 security/tomoyo/file.c:838 security_inode_getattr+0xcf/0x140 security/security.c:1288 vfs_getattr fs/stat.c:131 [inline] vfs_statx+0x164/0x390 fs/stat.c:199 vfs_fstatat fs/stat.c:217 [inline] vfs_lstat include/linux/fs.h:3240 [inline] __do_sys_newlstat+0x91/0x110 fs/stat.c:372 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888017a62000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 11 bytes inside of 4096-byte region [ffff888017a62000, ffff888017a63000) The buggy address belongs to the page: page:000000006c756991 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17a60 head:000000006c756991 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head) raw: 00fff00000010200 0000000000000000 0000000400000001 ffff888010842140 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888017a61f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888017a61f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888017a62000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888017a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888017a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================