Warning: Permanently added '10.128.0.120' (ECDSA) to the list of known hosts.
executing program
executing program
[   48.940371] ==================================================================
[   48.947759] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[   48.954839] Write of size 4 at addr ffff8801d01ae948 by task syz-executor183/2060
[   48.962432] 
[   48.964040] CPU: 0 PID: 2060 Comm: syz-executor183 Not tainted 4.9.151+ #12
[   48.971109]  ffff8801db607950 ffffffff81b46e21 0000000000000001 ffffea0007406b80
[   48.979100]  ffff8801d01ae948 0000000000000004 ffffffff82601b3e ffff8801db607988
[   48.987100]  ffffffff81502195 0000000000000001 ffff8801d01ae948 ffff8801d01ae948
[   48.995094] Call Trace:
[   48.997650] 
[   48.999786]  [] dump_stack+0xc1/0x120
[   49.005259]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   49.011920]  [] print_address_description+0x6f/0x238
[   49.018568]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   49.025126]  [] kasan_report.cold+0x8c/0x2ba
[   49.031074]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   49.037532]  [] __asan_report_store4_noabort+0x17/0x20
[   49.044454]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   49.050867]  [] nf_iterate+0x12e/0x310
[   49.056297]  [] nf_hook_slow+0x114/0x1f0
[   49.061898]  [] ? nf_iterate+0x310/0x310
[   49.067498]  [] ip_rcv+0xb79/0xf90
[   49.072579]  [] ? ip_rcv+0x8be/0xf90
[   49.077829]  [] ? ip_local_deliver+0x4d0/0x4d0
[   49.083947]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   49.090682]  [] ? ip_local_deliver+0x4d0/0x4d0
[   49.096811]  [] __netif_receive_skb_core+0x1156/0x2990
[   49.103735]  [] ? dev_loopback_xmit+0x430/0x430
[   49.109946]  [] ? trace_hardirqs_on_caller+0x260/0x5a0
[   49.116765]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   49.123556]  [] ? check_preemption_disabled+0x3c/0x200
[   49.130382]  [] ? process_backlog+0x190/0x610
[   49.136429]  [] __netif_receive_skb+0x58/0x1c0
[   49.142618]  [] process_backlog+0x1e8/0x610
[   49.148491]  [] ? process_backlog+0x190/0x610
[   49.154633]  [] ? trace_hardirqs_on+0x10/0x10
[   49.160673]  [] net_rx_action+0x3aa/0xdd0
[   49.166380]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   49.174236]  [] __do_softirq+0x22d/0x964
[   49.179835]  [] do_softirq_own_stack+0x1c/0x30
[   49.185949] 
[   49.187988]  [] do_softirq.part.0+0x62/0x70
[   49.193865]  [] do_softirq+0x18/0x20
[   49.199115]  [] netif_rx_ni+0xbe/0x310
[   49.204538]  [] tun_get_user+0xcd2/0x2430
[   49.210220]  [] ? tun_select_queue+0x400/0x400
[   49.216338]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   49.223156]  [] tun_chr_write_iter+0xda/0x190
[   49.229199]  [] do_iter_readv_writev+0x3d9/0x4b0
[   49.235493]  [] ? vfs_iter_write+0x460/0x460
[   49.241442]  [] ? selinux_file_permission+0x85/0x470
[   49.248090]  [] ? security_file_permission+0x8f/0x1f0
[   49.254822]  [] ? rw_verify_area+0xea/0x2b0
[   49.260680]  [] do_readv_writev+0x2ed/0x7a0
[   49.266537]  [] ? vfs_write+0x520/0x520
[   49.272047]  [] ? rcu_read_lock_sched_held+0x10b/0x130
[   49.278865]  [] ? do_signal+0x4b9/0x1920
[   49.284462]  [] ? setup_sigcontext+0x7d0/0x7d0
[   49.290589]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   49.297321]  [] vfs_writev+0x89/0xc0
[   49.302577]  [] do_writev+0xe9/0x260
[   49.307930]  [] ? vfs_writev+0xc0/0xc0
[   49.313359]  [] ? SyS_readv+0x30/0x30
[   49.318696]  [] SyS_writev+0x28/0x30
[   49.323947]  [] do_syscall_64+0x1ad/0x570
[   49.329636]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.336534] 
[   49.338133] Allocated by task 2060:
[   49.341737]  save_stack_trace+0x16/0x20
[   49.345694]  kasan_kmalloc.part.0+0x62/0xf0
[   49.349991]  kasan_kmalloc+0xb7/0xd0
[   49.353681]  kasan_slab_alloc+0xf/0x20
[   49.357543]  kmem_cache_alloc+0xd5/0x2b0
[   49.361583]  __alloc_skb+0xe7/0x5e0
[   49.365183]  alloc_skb_with_frags+0xb0/0x4f0
[   49.369567]  sock_alloc_send_pskb+0x5ec/0x760
[   49.374043]  tun_get_user+0x53b/0x2430
[   49.377905]  tun_chr_write_iter+0xda/0x190
[   49.382112]  do_iter_readv_writev+0x3d9/0x4b0
[   49.386581]  do_readv_writev+0x2ed/0x7a0
[   49.390623]  vfs_writev+0x89/0xc0
[   49.394125]  do_writev+0xe9/0x260
[   49.397561]  SyS_writev+0x28/0x30
[   49.400988]  do_syscall_64+0x1ad/0x570
[   49.404859]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.409929] 
[   49.411529] Freed by task 2060:
[   49.414787]  save_stack_trace+0x16/0x20
[   49.418735]  kasan_slab_free+0xb0/0x190
[   49.422682]  kmem_cache_free+0xbe/0x310
[   49.426630]  kfree_skbmem+0x9f/0x100
[   49.430322]  kfree_skb+0xd4/0x350
[   49.433761]  ip_defrag+0x620/0x3bc0
[   49.437363]  ipv4_conntrack_defrag+0x1b4/0x2f0
[   49.442028]  nf_iterate+0x12e/0x310
[   49.445635]  nf_hook_slow+0x114/0x1f0
[   49.449411]  ip_rcv+0xb79/0xf90
[   49.452666]  __netif_receive_skb_core+0x1156/0x2990
[   49.457655]  __netif_receive_skb+0x58/0x1c0
[   49.461952]  process_backlog+0x1e8/0x610
[   49.465987]  net_rx_action+0x3aa/0xdd0
[   49.469859]  __do_softirq+0x22d/0x964
[   49.473771] 
[   49.475381] The buggy address belongs to the object at ffff8801d01ae8c0
[   49.475381]  which belongs to the cache skbuff_head_cache of size 224
[   49.488536] The buggy address is located 136 bytes inside of
[   49.488536]  224-byte region [ffff8801d01ae8c0, ffff8801d01ae9a0)
[   49.500383] The buggy address belongs to the page:
[   49.505285] page:ffffea0007406b80 count:1 mapcount:0 mapping:          (null) index:0x0
[   49.513525] flags: 0x4000000000000080(slab)
[   49.517818] page dumped because: kasan: bad access detected
[   49.523497] 
[   49.525182] Memory state around the buggy address:
[   49.530102]  ffff8801d01ae800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   49.537577]  ffff8801d01ae880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   49.544912] >ffff8801d01ae900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.552248]                                               ^
[   49.557935]  ffff8801d01ae980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   49.565271]  ffff8801d01aea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.572607] ==================================================================
[   49.579940] Disabling lock debugging due to kernel taint
[   49.585433] Kernel panic - not syncing: panic_on_warn set ...
[   49.585433] 
[   49.592778] CPU: 0 PID: 2060 Comm: syz-executor183 Tainted: G    B   4.9.151+ #12
[   49.601069]  ffff8801db607890 ffffffff81b46e21 ffff8801db607900 ffffffff82e43922
[   49.609133]  00000000ffffffff 0000000000000000 ffffffff82601b3e ffff8801db607970
[   49.617287]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081
[   49.625275] Call Trace:
[   49.627830] 
[   49.629874]  [] dump_stack+0xc1/0x120
[   49.635302]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   49.641863]  [] panic+0x1d9/0x3bd
[   49.646856]  [] ? add_taint.cold+0x16/0x16
[   49.652629]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   49.659186]  [] kasan_end_report+0x47/0x4f
[   49.664955]  [] kasan_report.cold+0xa9/0x2ba
[   49.671015]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   49.677492]  [] __asan_report_store4_noabort+0x17/0x20
[   49.684364]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   49.690754]  [] nf_iterate+0x12e/0x310
[   49.696180]  [] nf_hook_slow+0x114/0x1f0
[   49.701777]  [] ? nf_iterate+0x310/0x310
[   49.707377]  [] ip_rcv+0xb79/0xf90
[   49.712454]  [] ? ip_rcv+0x8be/0xf90
[   49.717716]  [] ? ip_local_deliver+0x4d0/0x4d0
[   49.723939]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   49.730668]  [] ? ip_local_deliver+0x4d0/0x4d0
[   49.736801]  [] __netif_receive_skb_core+0x1156/0x2990
[   49.743617]  [] ? dev_loopback_xmit+0x430/0x430
[   49.749822]  [] ? trace_hardirqs_on_caller+0x260/0x5a0
[   49.756641]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   49.763433]  [] ? check_preemption_disabled+0x3c/0x200
[   49.770255]  [] ? process_backlog+0x190/0x610
[   49.776288]  [] __netif_receive_skb+0x58/0x1c0
[   49.782430]  [] process_backlog+0x1e8/0x610
[   49.788288]  [] ? process_backlog+0x190/0x610
[   49.794319]  [] ? trace_hardirqs_on+0x10/0x10
[   49.800355]  [] net_rx_action+0x3aa/0xdd0
[   49.806042]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   49.814036]  [] __do_softirq+0x22d/0x964
[   49.819640]  [] do_softirq_own_stack+0x1c/0x30
[   49.825757] 
[   49.827798]  [] do_softirq.part.0+0x62/0x70
[   49.833673]  [] do_softirq+0x18/0x20
[   49.838923]  [] netif_rx_ni+0xbe/0x310
[   49.844346]  [] tun_get_user+0xcd2/0x2430
[   49.850135]  [] ? tun_select_queue+0x400/0x400
[   49.856262]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   49.862988]  [] tun_chr_write_iter+0xda/0x190
[   49.869018]  [] do_iter_readv_writev+0x3d9/0x4b0
[   49.875311]  [] ? vfs_iter_write+0x460/0x460
[   49.881324]  [] ? selinux_file_permission+0x85/0x470
[   49.887974]  [] ? security_file_permission+0x8f/0x1f0
[   49.894755]  [] ? rw_verify_area+0xea/0x2b0
[   49.900690]  [] do_readv_writev+0x2ed/0x7a0
[   49.906556]  [] ? vfs_write+0x520/0x520
[   49.912173]  [] ? rcu_read_lock_sched_held+0x10b/0x130
[   49.918989]  [] ? do_signal+0x4b9/0x1920
[   49.924587]  [] ? setup_sigcontext+0x7d0/0x7d0
[   49.930707]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   49.937686]  [] vfs_writev+0x89/0xc0
[   49.942936]  [] do_writev+0xe9/0x260
[   49.948191]  [] ? vfs_writev+0xc0/0xc0
[   49.953625]  [] ? SyS_readv+0x30/0x30
[   49.958962]  [] SyS_writev+0x28/0x30
[   49.964211]  [] do_syscall_64+0x1ad/0x570
[   49.969903]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.977264] Kernel Offset: disabled
[   49.980868] Rebooting in 86400 seconds..
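Reading the report above: the skb was allocated by tun_get_user (a write to a TUN device from userspace), freed inside ip_defrag while it was called from ipv4_conntrack_defrag, and then ipv4_conntrack_defrag itself wrote 4 bytes at offset 136 into the freed skbuff_head. The shadow rows confirm that every 8-byte granule of the 224-byte object is 0xfb (freed), so this is a stale-pointer write, not an out-of-bounds access into a neighbour. The helper below is an added triage script, not part of the syzbot report or the kernel; it parses a KASAN slab report, computes the offset inside the object, decodes the shadow byte at the faulting address, and names the first frame on each stack that is not allocator or KASAN plumbing. Python is used because this is log triage rather than kernel code. The sample input is constructed from the report on this page (trimmed to the lines the parser reads), the shadow constants are the ones from mm/kasan/kasan.h, and the PLUMBING skip-list is this example's own heuristic, not a kernel interface.

```python
"""Added triage helper for a KASAN slab use-after-free report. Sample input is
constructed from the report above; PLUMBING is this example's own heuristic."""
import re

# Shadow values from mm/kasan/kasan.h; one shadow byte covers 8 bytes of memory.
KASAN_SHADOW = {0x00: "addressable",
                0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)"}
# Allocator/KASAN/skb-helper frames to skip when asking *who* allocated or freed.
PLUMBING = ("save_stack_trace", "kasan_", "kmem_cache_", "kfree_skb",
            "__alloc_skb", "alloc_skb_with_frags", "sock_alloc_send_pskb")
FRAME_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SHADOW_RE = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})\s*$")

SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
Write of size 4 at addr ffff8801d01ae948 by task syz-executor183/2060

Allocated by task 2060:
 save_stack_trace+0x16/0x20
 kasan_slab_alloc+0xf/0x20
 kmem_cache_alloc+0xd5/0x2b0
 __alloc_skb+0xe7/0x5e0
 sock_alloc_send_pskb+0x5ec/0x760
 tun_get_user+0x53b/0x2430

Freed by task 2060:
 save_stack_trace+0x16/0x20
 kasan_slab_free+0xb0/0x190
 kmem_cache_free+0xbe/0x310
 kfree_skb+0xd4/0x350
 ip_defrag+0x620/0x3bc0
 ipv4_conntrack_defrag+0x1b4/0x2f0

The buggy address belongs to the object at ffff8801d01ae8c0
 which belongs to the cache skbuff_head_cache of size 224
Memory state around the buggy address:
 ffff8801d01ae880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d01ae900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d01ae980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
"""

def _stack_after(lines, header):
    """Frames listed under a header such as 'Freed by task 2060:'."""
    frames, it = [], iter(lines)
    for line in it:
        if line.startswith(header):
            for m in map(FRAME_RE.match, it):
                if not m:
                    break
                frames.append(m.group(1))
            break
    return frames

def parse_report(text):
    lines = text.splitlines()
    hdr = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    obj = re.search(r"object at ([0-9a-f]+)", text)
    cache = re.search(r"cache (\S+) of size (\d+)", text)
    rows = (SHADOW_RE.match(l) for l in lines)
    return {
        "bug": hdr.group(1), "pc": hdr.group(2),
        "access": acc.group(1).lower(), "size": int(acc.group(2)),
        "addr": int(acc.group(3), 16), "obj_base": int(obj.group(1), 16),
        "cache": cache.group(1), "obj_size": int(cache.group(2)),
        "alloc_stack": _stack_after(lines, "Allocated by task"),
        "free_stack": _stack_after(lines, "Freed by task"),
        "shadow": {int(m.group(1), 16): [int(b, 16) for b in m.group(2).split()]
                   for m in rows if m},
    }

def shadow_byte(rep, addr):
    # Each dumped row holds 16 shadow bytes, i.e. covers 128 bytes of memory.
    for base, row in rep["shadow"].items():
        if base <= addr < base + 128:
            return row[(addr - base) // 8]
    return None

def first_real_frame(stack):
    return next((f for f in stack if not f.startswith(PLUMBING)), None)

def triage(text):
    rep = parse_report(text)
    off = rep["addr"] - rep["obj_base"]
    granules = range(rep["obj_base"], rep["obj_base"] + rep["obj_size"], 8)
    sb = shadow_byte(rep, rep["addr"])
    return {
        "bug": rep["bug"], "pc": rep["pc"], "cache": rep["cache"],
        "access": "%s of %d bytes" % (rep["access"], rep["size"]),
        "offset": off, "inside_object": 0 <= off < rep["obj_size"],
        "shadow": KASAN_SHADOW.get(sb, "unknown (%r)" % (sb,)),
        # All granules 0xfb: whole object freed, so a stale pointer, not OOB.
        "whole_object_freed": all(shadow_byte(rep, a) == 0xfb for a in granules),
        "allocated_by": first_real_frame(rep["alloc_stack"]),
        "freed_by": first_real_frame(rep["free_stack"]),
        # Faulting function is on the free stack: its callee freed the object.
        "faulter_on_free_stack": rep["pc"].split("+")[0] in rep["free_stack"],
    }
```

Run `triage(SAMPLE_REPORT)` to get the summary: offset 136 inside skbuff_head_cache, shadow "freed slab object", whole object freed, allocated by tun_get_user, freed by ip_defrag, and the faulting function ipv4_conntrack_defrag on the free stack. That last flag is the one worth checking first on any UAF report: when the function that faults is also on the free stack, the bug is an ownership mismatch between it and the callee that freed the object, and that is where to start reading the source.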