Warning: Permanently added '10.128.0.15' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 51.292816] ==================================================================
[ 51.293902] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 51.294893] Write of size 4 at addr ffff8801ceb19d08 by task syz-executor450/2071
[ 51.295961]
[ 51.296203] CPU: 1 PID: 2071 Comm: syz-executor450 Not tainted 4.9.153+ #18
[ 51.297275] ffff8801db707950 ffffffff81b47491 0000000000000001 ffffea00073ac640
[ 51.298566] ffff8801ceb19d08 0000000000000004 ffffffff826026fe ffff8801db707988
[ 51.299984] ffffffff81502615 0000000000000001 ffff8801ceb19d08 ffff8801ceb19d08
[ 51.301192] Call Trace:
[ 51.301551]
[ 51.301870] [] dump_stack+0xc1/0x120
[ 51.302659] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 51.303552] [] print_address_description+0x6f/0x238
[ 51.304478] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 51.305383] [] kasan_report.cold+0x8c/0x2ba
[ 51.306209] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 51.307218] [] __asan_report_store4_noabort+0x17/0x20
[ 51.308280] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 51.309193] [] nf_iterate+0x12e/0x310
[ 51.310019] [] nf_hook_slow+0x114/0x1f0
[ 51.310804] [] ? nf_iterate+0x310/0x310
[ 51.311708] [] ip_rcv+0xb79/0xf90
[ 51.312460] [] ? ip_rcv+0x8be/0xf90
[ 51.314573] [] ? ip_local_deliver+0x4d0/0x4d0
[ 51.320698] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 51.327423] [] ? ip_local_deliver+0x4d0/0x4d0
[ 51.333544] [] __netif_receive_skb_core+0x1156/0x2990
[ 51.340355] [] ? dev_loopback_xmit+0x430/0x430
[ 51.346566] [] ? find_busiest_group+0x6320/0x6320
[ 51.353041] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 51.359771] [] ? check_preemption_disabled+0x3c/0x200
[ 51.366592] [] ? process_backlog+0x190/0x610
[ 51.372621] [] __netif_receive_skb+0x58/0x1c0
[ 51.378738] [] process_backlog+0x1e8/0x610
[ 51.384600] [] ? process_backlog+0x190/0x610
[ 51.390629] [] ? trace_hardirqs_on+0x10/0x10
[ 51.396663] [] net_rx_action+0x3aa/0xdd0
[ 51.402346] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 51.410204] [] __do_softirq+0x22d/0x964
[ 51.415804] [] do_softirq_own_stack+0x1c/0x30
[ 51.421915]
[ 51.423956] [] do_softirq.part.0+0x62/0x70
[ 51.429831] [] do_softirq+0x18/0x20
[ 51.435080] [] netif_rx_ni+0xbe/0x310
[ 51.440505] [] tun_get_user+0xcd2/0x2430
[ 51.446244] [] ? tun_select_queue+0x400/0x400
[ 51.452373] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 51.459097] [] tun_chr_write_iter+0xda/0x190
[ 51.465136] [] do_iter_readv_writev+0x3d9/0x4b0
[ 51.471429] [] ? vfs_iter_write+0x460/0x460
[ 51.477381] [] ? selinux_file_permission+0x85/0x470
[ 51.484021] [] ? security_file_permission+0x8f/0x1f0
[ 51.490745] [] ? rw_verify_area+0xea/0x2b0
[ 51.496610] [] do_readv_writev+0x2ed/0x7a0
[ 51.502466] [] ? vfs_write+0x520/0x520
[ 51.507973] [] ? __lru_cache_add+0x186/0x250
[ 51.514011] [] ? __this_cpu_preempt_check+0x1d/0x30
[ 51.520656] [] ? _raw_spin_unlock+0x2d/0x50
[ 51.526624] [] ? handle_mm_fault+0x54a/0x2380
[ 51.532745] [] ? vm_insert_page+0x840/0x840
[ 51.538691] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 51.545417] [] vfs_writev+0x89/0xc0
[ 51.550666] [] do_writev+0xe9/0x260
[ 51.555916] [] ? vfs_writev+0xc0/0xc0
[ 51.561343] [] ? SyS_readv+0x30/0x30
[ 51.566757] [] SyS_writev+0x28/0x30
[ 51.572020] [] do_syscall_64+0x1ad/0x570
[ 51.577708] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 51.584604]
[ 51.586204] Allocated by task 2071:
[ 51.589805] save_stack_trace+0x16/0x20
[ 51.593819] kasan_kmalloc.part.0+0x62/0xf0
[ 51.598119] kasan_kmalloc+0xb7/0xd0
[ 51.601811] kasan_slab_alloc+0xf/0x20
[ 51.605675] kmem_cache_alloc+0xd5/0x2b0
[ 51.609711] __alloc_skb+0xe7/0x5e0
[ 51.613309] alloc_skb_with_frags+0xb0/0x4f0
[ 51.617689] sock_alloc_send_pskb+0x5ec/0x760
[ 51.622156] tun_get_user+0x53b/0x2430
[ 51.626017] tun_chr_write_iter+0xda/0x190
[ 51.630225] do_iter_readv_writev+0x3d9/0x4b0
[ 51.634691] do_readv_writev+0x2ed/0x7a0
[ 51.638724] vfs_writev+0x89/0xc0
[ 51.642151] do_writev+0xe9/0x260
[ 51.645588] SyS_writev+0x28/0x30
[ 51.649012] do_syscall_64+0x1ad/0x570
[ 51.652873] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 51.657945]
[ 51.659543] Freed by task 2071:
[ 51.662801] save_stack_trace+0x16/0x20
[ 51.666746] kasan_slab_free+0xb0/0x190
[ 51.670695] kmem_cache_free+0xbe/0x310
[ 51.674639] kfree_skbmem+0x9f/0x100
[ 51.678323] kfree_skb+0xd4/0x350
[ 51.681750] ip_defrag+0x620/0x3bc0
[ 51.685352] ipv4_conntrack_defrag+0x1b4/0x2f0
[ 51.689909] nf_iterate+0x12e/0x310
[ 51.693509] nf_hook_slow+0x114/0x1f0
[ 51.697284] ip_rcv+0xb79/0xf90
[ 51.700537] __netif_receive_skb_core+0x1156/0x2990
[ 51.705536] __netif_receive_skb+0x58/0x1c0
[ 51.709845] process_backlog+0x1e8/0x610
[ 51.713886] net_rx_action+0x3aa/0xdd0
[ 51.717752] __do_softirq+0x22d/0x964
[ 51.721528]
[ 51.723143] The buggy address belongs to the object at ffff8801ceb19c80
[ 51.723143] which belongs to the cache skbuff_head_cache of size 224
[ 51.736289] The buggy address is located 136 bytes inside of
[ 51.736289] 224-byte region [ffff8801ceb19c80, ffff8801ceb19d60)
[ 51.748130] The buggy address belongs to the page:
[ 51.753031] page:ffffea00073ac640 count:1 mapcount:0 mapping: (null) index:0x0
[ 51.761264] flags: 0x4000000000000080(slab)
[ 51.765564] page dumped because: kasan: bad access detected
[ 51.771246]
[ 51.772844] Memory state around the buggy address:
[ 51.777745] ffff8801ceb19c00: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.785074] ffff8801ceb19c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.792403] >ffff8801ceb19d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 51.799735]                                            ^
[ 51.803335] ffff8801ceb19d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.810663] ffff8801ceb19e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.817992] ==================================================================
[ 51.825322] Disabling lock debugging due to kernel taint
[ 51.830804] Kernel panic - not syncing: panic_on_warn set ...
[ 51.830804]
[ 51.838146] CPU: 1 PID: 2071 Comm: syz-executor450 Tainted: G B 4.9.153+ #18
[ 51.846692] ffff8801db707890 ffffffff81b47491 ffff8801db707900 ffffffff82e4391a
[ 51.854683] 00000000ffffffff 0000000000000001 ffffffff826026fe ffff8801db707970
[ 51.862682] ffffffff813f725a 0000000041b58ab3 ffffffff82e35a42 ffffffff813f7081
[ 51.870684] Call Trace:
[ 51.873237]
[ 51.875277] [] dump_stack+0xc1/0x120
[ 51.880642] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 51.887201] [] panic+0x1d9/0x3bd
[ 51.892192] [] ? add_taint.cold+0x16/0x16
[ 51.897965] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 51.904516] [] kasan_end_report+0x47/0x4f
[ 51.910286] [] kasan_report.cold+0xa9/0x2ba
[ 51.916233] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 51.922612] [] __asan_report_store4_noabort+0x17/0x20
[ 51.929423] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 51.935803] [] nf_iterate+0x12e/0x310
[ 51.941227] [] nf_hook_slow+0x114/0x1f0
[ 51.946826] [] ? nf_iterate+0x310/0x310
[ 51.952424] [] ip_rcv+0xb79/0xf90
[ 51.957499] [] ? ip_rcv+0x8be/0xf90
[ 51.962746] [] ? ip_local_deliver+0x4d0/0x4d0
[ 51.968864] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 51.975589] [] ? ip_local_deliver+0x4d0/0x4d0
[ 51.981708] [] __netif_receive_skb_core+0x1156/0x2990
[ 51.988522] [] ? dev_loopback_xmit+0x430/0x430
[ 51.994735] [] ? find_busiest_group+0x6320/0x6320
[ 52.001203] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 52.007928] [] ? check_preemption_disabled+0x3c/0x200
[ 52.014742] [] ? process_backlog+0x190/0x610
[ 52.020870] [] __netif_receive_skb+0x58/0x1c0
[ 52.026991] [] process_backlog+0x1e8/0x610
[ 52.032849] [] ? process_backlog+0x190/0x610
[ 52.038883] [] ? trace_hardirqs_on+0x10/0x10
[ 52.044917] [] net_rx_action+0x3aa/0xdd0
[ 52.050610] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 52.058467] [] __do_softirq+0x22d/0x964
[ 52.064066] [] do_softirq_own_stack+0x1c/0x30
[ 52.070178]
[ 52.072215] [] do_softirq.part.0+0x62/0x70
[ 52.078091] [] do_softirq+0x18/0x20
[ 52.083341] [] netif_rx_ni+0xbe/0x310
[ 52.088767] [] tun_get_user+0xcd2/0x2430
[ 52.094452] [] ? tun_select_queue+0x400/0x400
[ 52.100569] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 52.107297] [] tun_chr_write_iter+0xda/0x190
[ 52.113327] [] do_iter_readv_writev+0x3d9/0x4b0
[ 52.119617] [] ? vfs_iter_write+0x460/0x460
[ 52.125565] [] ? selinux_file_permission+0x85/0x470
[ 52.132204] [] ? security_file_permission+0x8f/0x1f0
[ 52.138930] [] ? rw_verify_area+0xea/0x2b0
[ 52.144786] [] do_readv_writev+0x2ed/0x7a0
[ 52.150643] [] ? vfs_write+0x520/0x520
[ 52.156155] [] ? __lru_cache_add+0x186/0x250
[ 52.162187] [] ? __this_cpu_preempt_check+0x1d/0x30
[ 52.168825] [] ? _raw_spin_unlock+0x2d/0x50
[ 52.174771] [] ? handle_mm_fault+0x54a/0x2380
[ 52.180890] [] ? vm_insert_page+0x840/0x840
[ 52.186838] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 52.193567] [] vfs_writev+0x89/0xc0
[ 52.198816] [] do_writev+0xe9/0x260
[ 52.204074] [] ? vfs_writev+0xc0/0xc0
[ 52.209501] [] ? SyS_readv+0x30/0x30
[ 52.214848] [] SyS_writev+0x28/0x30
[ 52.220103] [] do_syscall_64+0x1ad/0x570
[ 52.225794] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 52.233075] Kernel Offset: disabled
[ 52.236682] Rebooting in 86400 seconds..
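Added example, not code from the syzkaller report above nor from the kernel or syzbot: a small Python parser that turns a KASAN console report of this shape into structured fields for triage, then runs the two cross-checks a practitioner does by hand on a report like this one. The sample input is an excerpt of this page's own report re-embedded inline (frames omitted for brevity); every function and field name (`parse_kasan`, `KasanReport`, `title`, `offset_is_consistent`, `callee_freed_callers_object`) is my own naming, not anything from syzkaller.

```python
# Added example, not part of the syzkaller report above: parse a KASAN console
# report into structured fields. SAMPLE is an excerpt of this page's report.
import re
from dataclasses import dataclass, field

SAMPLE = """\
[   51.293902] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[   51.294893] Write of size 4 at addr ffff8801ceb19d08 by task syz-executor450/2071
[   51.296203] CPU: 1 PID: 2071 Comm: syz-executor450 Not tainted 4.9.153+ #18
[   51.301192] Call Trace:
[   51.301870]  [] dump_stack+0xc1/0x120
[   51.302659]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   51.305383]  [] kasan_report.cold+0x8c/0x2ba
[   51.308280]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   51.440505]  [] tun_get_user+0xcd2/0x2430
[   51.586204] Allocated by task 2071:
[   51.609711]  __alloc_skb+0xe7/0x5e0
[   51.622156]  tun_get_user+0x53b/0x2430
[   51.659543] Freed by task 2071:
[   51.678323]  kfree_skb+0xd4/0x350
[   51.681750]  ip_defrag+0x620/0x3bc0
[   51.685352]  ipv4_conntrack_defrag+0x1b4/0x2f0
[   51.721528]
[   51.723143] The buggy address belongs to the object at ffff8801ceb19c80
[   51.723143]  which belongs to the cache skbuff_head_cache of size 224
[   51.736289] The buggy address is located 136 bytes inside of
[   51.736289]  224-byte region [ffff8801ceb19c80, ffff8801ceb19d60)
[   51.772844] Memory state around the buggy address:
"""

TIMESTAMP = re.compile(r"^\s*\[\s*\d+\.\d+\]\s?")
# One stack frame; a leading '?' marks a stale, unreliable frame that we drop.
FRAME = re.compile(r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")


@dataclass
class KasanReport:
    bug: str = ""        # e.g. "use-after-free"
    access: str = ""     # "Read" or "Write"
    addr: int = 0
    func: str = ""       # symbol in which the bad access happened
    task: str = ""
    pid: int = 0
    obj_addr: int = 0
    cache: str = ""
    obj_size: int = 0
    offset: int = 0
    call_trace: list = field(default_factory=list)
    alloc_trace: list = field(default_factory=list)
    free_trace: list = field(default_factory=list)


def parse_kasan(text):
    r = KasanReport()
    section = None  # frame list the current lines belong to, if any
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if not line:
            section = None  # a blank line closes a stack section
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.bug, r.func = m.group(1), m.group(2).split("+")[0]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.access, r.addr = m.group(1), int(m.group(3), 16)
            r.task, r.pid = m.group(4), int(m.group(5))
        elif line == "Call Trace:":
            section = r.call_trace
        elif re.match(r"Allocated by task \d+:", line):
            section = r.alloc_trace
        elif re.match(r"Freed by task \d+:", line):
            section = r.free_trace
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_addr = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.offset = int(m.group(1))
        elif line.startswith("Memory state"):
            section = None
        elif section is not None:
            fm = FRAME.search(line)
            if fm and not fm.group(1):
                section.append(fm.group(2))
    return r


def title(r):
    """syzbot-style one-line title, handy as a deduplication key."""
    return f"KASAN: {r.bug} {r.access} in {r.func}"


def offset_is_consistent(r):
    """Cross-check the stated offset against the addresses KASAN printed."""
    return r.addr - r.obj_addr == r.offset and 0 <= r.offset < r.obj_size


def callee_freed_callers_object(r):
    """True when the faulting function also sits in the free stack (callee freed it)."""
    return r.func in r.free_trace
```

Run against the excerpt, the two checks both come back true: 0xffff8801ceb19d08 minus 0xffff8801ceb19c80 is 136, matching the "136 bytes inside of" line, and `ipv4_conntrack_defrag` appears in the free stack beneath `ip_defrag` and `kfree_skb`. That second result is the triage-relevant reading of this report: the skb allocated in `tun_get_user` was freed by a callee of `ipv4_conntrack_defrag`, which then wrote 4 bytes at offset 136 of the released 224-byte `skbuff_head_cache` object. The `?` frames are dropped because they are stale stack slots, not part of the live call chain.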