Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
[   39.886480] urandom_read: 1 callbacks suppressed
[   39.886483] random: sshd: uninitialized urandom read (32 bytes read)
[   39.978012] audit: type=1400 audit(1547079592.920:7): avc:  denied  { map } for  pid=1786 comm="syz-executor832" path="/root/syz-executor832941147" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   40.820310] ==================================================================
[   40.827744] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[   40.834308] Write of size 4 at addr ffff8881d2a1745c by task syz-executor832/1934
[   40.842133] 
[   40.843756] CPU: 0 PID: 1934 Comm: syz-executor832 Not tainted 4.14.92+ #4
[   40.850748] Call Trace:
[   40.853331]  dump_stack+0xb9/0x10e
[   40.856868]  ? ip_check_defrag+0x4f5/0x523
[   40.861100]  print_address_description+0x60/0x226
[   40.865938]  ? ip_check_defrag+0x4f5/0x523
[   40.870156]  kasan_report.cold+0x88/0x2a5
[   40.874382]  ? ip_check_defrag+0x4f5/0x523
[   40.878598]  ? ip_defrag+0x3b50/0x3b50
[   40.882486]  ? check_preemption_disabled+0x35/0x1f0
[   40.887516]  ? packet_rcv_fanout+0x4d1/0x5e0
[   40.891929]  ? fanout_demux_rollover+0x4d0/0x4d0
[   40.896725]  ? dev_queue_xmit_nit+0x6d0/0x960
[   40.901355]  ? dev_hard_start_xmit+0xa3/0x890
[   40.905850]  ? check_preemption_disabled+0x35/0x1f0
[   40.910846]  ? __dev_queue_xmit+0x11b1/0x1cd0
[   40.915345]  ? netdev_pick_tx+0x2e0/0x2e0
[   40.919481]  ? __check_object_size+0x20e/0x3b4
[   40.924068]  ? skb_copy_datagram_from_iter+0x3b5/0x5e0
[   40.929438]  ? check_preemption_disabled+0x35/0x1f0
[   40.934434]  ? check_preemption_disabled+0x35/0x1f0
[   40.939447]  ? packet_sendmsg+0x1d81/0x4ce0
[   40.943777]  ? sock_has_perm+0x1d3/0x260
[   40.947816]  ? selinux_tun_dev_create+0xb0/0xb0
[   40.952461]  ? packet_lookup_frame+0x240/0x240
[   40.957022]  ? reacquire_held_locks+0xb5/0x3f0
[   40.961593]  ? release_sock+0x1b/0x1b0
[   40.965468]  ? packet_lookup_frame+0x240/0x240
[   40.970057]  ? sock_sendmsg+0xb7/0x100
[   40.973959]  ? SyS_sendto+0x1de/0x2f0
[   40.977754]  ? SyS_getpeername+0x250/0x250
[   40.982224]  ? SyS_socketpair+0x4c0/0x4c0
[   40.986353]  ? lock_downgrade+0x50b/0x5d0
[   40.990651]  ? security_file_ioctl+0x7c/0xb0
[   40.995058]  ? do_syscall_64+0x43/0x4b0
[   40.999039]  ? SyS_getpeername+0x250/0x250
[   41.003257]  ? do_syscall_64+0x19b/0x4b0
[   41.007306]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.012781] 
[   41.014407] Allocated by task 1934:
[   41.018014]  kasan_kmalloc.part.0+0x4f/0xd0
[   41.022334]  kmem_cache_alloc+0xd2/0x2d0
[   41.026375]  skb_clone+0x126/0x310
[   41.029891]  dev_queue_xmit_nit+0x2f3/0x960
[   41.034192]  dev_hard_start_xmit+0xa3/0x890
[   41.038493]  __dev_queue_xmit+0x11b1/0x1cd0
[   41.042806] 
[   41.044439] Freed by task 1934:
[   41.047697]  kasan_slab_free+0xb0/0x190
[   41.051649]  kmem_cache_free+0xc4/0x330
[   41.055602]  kfree_skbmem+0xa0/0x100
[   41.059295]  kfree_skb+0xcd/0x350
[   41.062735]  ip_defrag+0x5f4/0x3b50
[   41.066338]  ip_check_defrag+0x39b/0x523
[   41.070381]  packet_rcv_fanout+0x4d1/0x5e0
[   41.074598]  dev_queue_xmit_nit+0x6d0/0x960
[   41.078892] 
[   41.080501] The buggy address belongs to the object at ffff8881d2a173c0
[   41.080501]  which belongs to the cache skbuff_head_cache of size 224
[   41.093660] The buggy address is located 156 bytes inside of
[   41.093660]  224-byte region [ffff8881d2a173c0, ffff8881d2a174a0)
[   41.105511] The buggy address belongs to the page:
[   41.110421] page:ffffea00074a85c0 count:1 mapcount:0 mapping:          (null) index:0x0
[   41.118672] flags: 0x4000000000000100(slab)
[   41.122973] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   41.130832] raw: ffffea00074a33c0 0000000400000004 ffff8881dab58200 0000000000000000
[   41.138687] page dumped because: kasan: bad access detected
[   41.144372] 
[   41.145991] Memory state around the buggy address:
[   41.150912]  ffff8881d2a17300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   41.158420]  ffff8881d2a17380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   41.165758] >ffff8881d2a17400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.173106]                                                     ^
[   41.179316]  ffff8881d2a17480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   41.186832]  ffff8881d2a17500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.194168] ==================================================================
[   41.201627] Disabling lock debugging due to kernel taint
[   41.207103] Kernel panic - not syncing: panic_on_warn set ...
[   41.207103] 
[   41.214446] CPU: 0 PID: 1934 Comm: syz-executor832 Tainted: G    B    4.14.92+ #4
[   41.222732] Call Trace:
[   41.225300]  dump_stack+0xb9/0x10e
[   41.228819]  panic+0x1d9/0x3c2
[   41.231988]  ? add_taint.cold+0x16/0x16
[   41.235945]  ? ip_check_defrag+0x4f5/0x523
[   41.240159]  kasan_end_report+0x43/0x49
[   41.244111]  kasan_report.cold+0xa4/0x2a5
[   41.248241]  ? ip_check_defrag+0x4f5/0x523
[   41.252453]  ? ip_defrag+0x3b50/0x3b50
[   41.256328]  ? check_preemption_disabled+0x35/0x1f0
[   41.261321]  ? packet_rcv_fanout+0x4d1/0x5e0
[   41.265718]  ? fanout_demux_rollover+0x4d0/0x4d0
[   41.270581]  ? dev_queue_xmit_nit+0x6d0/0x960
[   41.275056]  ? dev_hard_start_xmit+0xa3/0x890
[   41.279565]  ? check_preemption_disabled+0x35/0x1f0
[   41.284558]  ? __dev_queue_xmit+0x11b1/0x1cd0
[   41.289042]  ? netdev_pick_tx+0x2e0/0x2e0
[   41.293243]  ? __check_object_size+0x20e/0x3b4
[   41.297821]  ? skb_copy_datagram_from_iter+0x3b5/0x5e0
[   41.303086]  ? check_preemption_disabled+0x35/0x1f0
[   41.308102]  ? check_preemption_disabled+0x35/0x1f0
[   41.313120]  ? packet_sendmsg+0x1d81/0x4ce0
[   41.317424]  ? sock_has_perm+0x1d3/0x260
[   41.321463]  ? selinux_tun_dev_create+0xb0/0xb0
[   41.326242]  ? packet_lookup_frame+0x240/0x240
[   41.330803]  ? reacquire_held_locks+0xb5/0x3f0
[   41.335362]  ? release_sock+0x1b/0x1b0
[   41.339235]  ? packet_lookup_frame+0x240/0x240
[   41.343799]  ? sock_sendmsg+0xb7/0x100
[   41.347666]  ? SyS_sendto+0x1de/0x2f0
[   41.351441]  ? SyS_getpeername+0x250/0x250
[   41.355656]  ? SyS_socketpair+0x4c0/0x4c0
[   41.359779]  ? lock_downgrade+0x50b/0x5d0
[   41.363915]  ? security_file_ioctl+0x7c/0xb0
[   41.368306]  ? do_syscall_64+0x43/0x4b0
[   41.372258]  ? SyS_getpeername+0x250/0x250
[   41.376485]  ? do_syscall_64+0x19b/0x4b0
[   41.380555]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.386315] Kernel Offset: 0x2ec00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   41.397256] Rebooting in 86400 seconds..