Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
executing program
executing program
[ 36.551372] ==================================================================
[ 36.558852] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 36.565926] Write of size 4 at addr ffff8801d1c95808 by task syz-executor400/2063
[ 36.573548]
[ 36.575165] CPU: 0 PID: 2063 Comm: syz-executor400 Not tainted 4.9.149+ #5
[ 36.582161] ffff8801db607950 ffffffff81b47f01 0000000000000001 ffffea0007472540
[ 36.590199] ffff8801d1c95808 0000000000000004 ffffffff826026be ffff8801db607988
[ 36.598219] ffffffff815020d5 0000000000000001 ffff8801d1c95808 ffff8801d1c95808
[ 36.606526] Call Trace:
[ 36.609100]
[ 36.611186] [] dump_stack+0xc1/0x120
[ 36.616551] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 36.623126] [] print_address_description+0x6f/0x238
[ 36.629784] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 36.636338] [] kasan_report.cold+0x8c/0x2ba
[ 36.642288] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 36.648671] [] __asan_report_store4_noabort+0x17/0x20
[ 36.655590] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 36.661973] [] nf_iterate+0x12e/0x310
[ 36.667397] [] nf_hook_slow+0x114/0x1f0
[ 36.673013] [] ? nf_iterate+0x310/0x310
[ 36.678633] [] ip_rcv+0xb79/0xf90
[ 36.683733] [] ? ip_rcv+0x8be/0xf90
[ 36.688995] [] ? ip_local_deliver+0x4d0/0x4d0
[ 36.695121] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 36.701857] [] ? ip_local_deliver+0x4d0/0x4d0
[ 36.707992] [] __netif_receive_skb_core+0x1156/0x2990
[ 36.714916] [] ? dev_loopback_xmit+0x430/0x430
[ 36.721434] [] ? find_busiest_group+0x6320/0x6320
[ 36.727931] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 36.734767] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 36.741523] [] ? check_preemption_disabled+0x3c/0x200
[ 36.748347] [] ? process_backlog+0x190/0x610
[ 36.754491] [] __netif_receive_skb+0x58/0x1c0
[ 36.760627] [] process_backlog+0x1e8/0x610
[ 36.766604] [] ? process_backlog+0x190/0x610
[ 36.772790] [] ? trace_hardirqs_on+0x10/0x10
[ 36.778916] [] net_rx_action+0x3aa/0xdd0
[ 36.784613] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 36.792477] [] __do_softirq+0x22d/0x964
[ 36.798091] [] do_softirq_own_stack+0x1c/0x30
[ 36.804254]
[ 36.806303] [] do_softirq.part.0+0x62/0x70
[ 36.812205] [] do_softirq+0x18/0x20
[ 36.817463] [] netif_rx_ni+0xbe/0x310
[ 36.822894] [] tun_get_user+0xcd2/0x2430
[ 36.828580] [] ? tun_select_queue+0x400/0x400
[ 36.834839] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 36.841592] [] tun_chr_write_iter+0xda/0x190
[ 36.847633] [] do_iter_readv_writev+0x3d9/0x4b0
[ 36.853931] [] ? vfs_iter_write+0x460/0x460
[ 36.859881] [] ? selinux_file_permission+0x85/0x470
[ 36.866525] [] ? security_file_permission+0x8f/0x1f0
[ 36.873258] [] ? rw_verify_area+0xea/0x2b0
[ 36.879119] [] do_readv_writev+0x2ed/0x7a0
[ 36.884998] [] ? vfs_write+0x520/0x520
[ 36.890534] [] ? __lru_cache_add+0x186/0x250
[ 36.896570] [] ? __this_cpu_preempt_check+0x1d/0x30
[ 36.903273] [] ? _raw_spin_unlock+0x2d/0x50
[ 36.909419] [] ? handle_mm_fault+0x54a/0x2380
[ 36.915547] [] ? vm_insert_page+0x840/0x840
[ 36.921501] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 36.928244] [] vfs_writev+0x89/0xc0
[ 36.933594] [] do_writev+0xe9/0x260
[ 36.938849] [] ? vfs_writev+0xc0/0xc0
[ 36.944277] [] ? SyS_readv+0x30/0x30
[ 36.949725] [] SyS_writev+0x28/0x30
[ 36.954979] [] do_syscall_64+0x1ad/0x570
[ 36.960677] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 36.967789]
[ 36.969397] Allocated by task 2063:
[ 36.973008] save_stack_trace+0x16/0x20
[ 36.977092] kasan_kmalloc.part.0+0x62/0xf0
[ 36.981405] kasan_kmalloc+0xb7/0xd0
[ 36.985110] kasan_slab_alloc+0xf/0x20
[ 36.989222] kmem_cache_alloc+0xd5/0x2b0
[ 36.993262] __alloc_skb+0xe7/0x5e0
[ 36.996880] alloc_skb_with_frags+0xb0/0x4f0
[ 37.001432] sock_alloc_send_pskb+0x5ec/0x760
[ 37.006007] tun_get_user+0x53b/0x2430
[ 37.009871] tun_chr_write_iter+0xda/0x190
[ 37.014081] do_iter_readv_writev+0x3d9/0x4b0
[ 37.018550] do_readv_writev+0x2ed/0x7a0
[ 37.022597] vfs_writev+0x89/0xc0
[ 37.026023] do_writev+0xe9/0x260
[ 37.029452] SyS_writev+0x28/0x30
[ 37.032881] do_syscall_64+0x1ad/0x570
[ 37.036746] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 37.041821]
[ 37.043435] Freed by task 2063:
[ 37.046706] save_stack_trace+0x16/0x20
[ 37.050897] kasan_slab_free+0xb0/0x190
[ 37.054847] kmem_cache_free+0xbe/0x310
[ 37.058810] kfree_skbmem+0x9f/0x100
[ 37.062544] kfree_skb+0xd4/0x350
[ 37.066104] ip_defrag+0x620/0x3bc0
[ 37.069841] ipv4_conntrack_defrag+0x1b4/0x2f0
[ 37.074405] nf_iterate+0x12e/0x310
[ 37.078073] nf_hook_slow+0x114/0x1f0
[ 37.082044] ip_rcv+0xb79/0xf90
[ 37.085299] __netif_receive_skb_core+0x1156/0x2990
[ 37.090292] __netif_receive_skb+0x58/0x1c0
[ 37.094596] process_backlog+0x1e8/0x610
[ 37.098642] net_rx_action+0x3aa/0xdd0
[ 37.102649] __do_softirq+0x22d/0x964
[ 37.106453]
[ 37.108061] The buggy address belongs to the object at ffff8801d1c95780
[ 37.108061] which belongs to the cache skbuff_head_cache of size 224
[ 37.121217] The buggy address is located 136 bytes inside of
[ 37.121217] 224-byte region [ffff8801d1c95780, ffff8801d1c95860)
[ 37.133074] The buggy address belongs to the page:
[ 37.137978] page:ffffea0007472540 count:1 mapcount:0 mapping: (null) index:0x0
[ 37.146313] flags: 0x4000000000000080(slab)
[ 37.150615] page dumped because: kasan: bad access detected
[ 37.156295]
[ 37.158056] Memory state around the buggy address:
[ 37.162958] ffff8801d1c95700: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.170620] ffff8801d1c95780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.177960] >ffff8801d1c95800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 37.185292] ^
[ 37.188898] ffff8801d1c95880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.196248] ffff8801d1c95900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.203717] ==================================================================
[ 37.211219] Disabling lock debugging due to kernel taint
[ 37.216711] Kernel panic - not syncing: panic_on_warn set ...
[ 37.216711]
[ 37.224078] CPU: 0 PID: 2063 Comm: syz-executor400 Tainted: G B 4.9.149+ #5
[ 37.232279] ffff8801db607890 ffffffff81b47f01 ffff8801db607900 ffffffff82e4386a
[ 37.240313] 00000000ffffffff 0000000000000000 ffffffff826026be ffff8801db607970
[ 37.248424] ffffffff813f727a 0000000041b58ab3 ffffffff82e35992 ffffffff813f70a1
[ 37.256555] Call Trace:
[ 37.259145]
[ 37.261205] [] dump_stack+0xc1/0x120
[ 37.266569] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 37.273131] [] panic+0x1d9/0x3bd
[ 37.278273] [] ? add_taint.cold+0x16/0x16
[ 37.284197] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 37.290893] [] kasan_end_report+0x47/0x4f
[ 37.296742] [] kasan_report.cold+0xa9/0x2ba
[ 37.302696] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 37.309113] [] __asan_report_store4_noabort+0x17/0x20
[ 37.316048] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 37.322429] [] nf_iterate+0x12e/0x310
[ 37.327961] [] nf_hook_slow+0x114/0x1f0
[ 37.333574] [] ? nf_iterate+0x310/0x310
[ 37.339198] [] ip_rcv+0xb79/0xf90
[ 37.344280] [] ? ip_rcv+0x8be/0xf90
[ 37.349536] [] ? ip_local_deliver+0x4d0/0x4d0
[ 37.355662] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 37.362523] [] ? ip_local_deliver+0x4d0/0x4d0
[ 37.368647] [] __netif_receive_skb_core+0x1156/0x2990
[ 37.375480] [] ? dev_loopback_xmit+0x430/0x430
[ 37.381739] [] ? find_busiest_group+0x6320/0x6320
[ 37.388488] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 37.395237] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 37.402090] [] ? check_preemption_disabled+0x3c/0x200
[ 37.408912] [] ? process_backlog+0x190/0x610
[ 37.415082] [] __netif_receive_skb+0x58/0x1c0
[ 37.421224] [] process_backlog+0x1e8/0x610
[ 37.427089] [] ? process_backlog+0x190/0x610
[ 37.433241] [] ? trace_hardirqs_on+0x10/0x10
[ 37.439273] [] net_rx_action+0x3aa/0xdd0
[ 37.445044] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 37.452922] [] __do_softirq+0x22d/0x964
[ 37.458541] [] do_softirq_own_stack+0x1c/0x30
[ 37.464661]
[ 37.466714] [] do_softirq.part.0+0x62/0x70
[ 37.472611] [] do_softirq+0x18/0x20
[ 37.477869] [] netif_rx_ni+0xbe/0x310
[ 37.483316] [] tun_get_user+0xcd2/0x2430
[ 37.489017] [] ? tun_select_queue+0x400/0x400
[ 37.495142] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 37.501892] [] tun_chr_write_iter+0xda/0x190
[ 37.507926] [] do_iter_readv_writev+0x3d9/0x4b0
[ 37.514225] [] ? vfs_iter_write+0x460/0x460
[ 37.520178] [] ? selinux_file_permission+0x85/0x470
[ 37.526940] [] ? security_file_permission+0x8f/0x1f0
[ 37.533680] [] ? rw_verify_area+0xea/0x2b0
[ 37.539547] [] do_readv_writev+0x2ed/0x7a0
[ 37.545408] [] ? vfs_write+0x520/0x520
[ 37.551035] [] ? __lru_cache_add+0x186/0x250
[ 37.557073] [] ? __this_cpu_preempt_check+0x1d/0x30
[ 37.563716] [] ? _raw_spin_unlock+0x2d/0x50
[ 37.569786] [] ? handle_mm_fault+0x54a/0x2380
[ 37.575910] [] ? vm_insert_page+0x840/0x840
[ 37.581861] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 37.588594] [] vfs_writev+0x89/0xc0
[ 37.593845] [] do_writev+0xe9/0x260
[ 37.599099] [] ? vfs_writev+0xc0/0xc0
[ 37.604527] [] ? SyS_readv+0x30/0x30
[ 37.609870] [] SyS_writev+0x28/0x30
[ 37.615135] [] do_syscall_64+0x1ad/0x570
[ 37.620934] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 37.628183] Kernel Offset: disabled
[ 37.631789] Rebooting in 86400 seconds..