Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
executing program
executing program
[ 38.927140] ==================================================================
[ 38.934558] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 38.941636] Write of size 4 at addr ffff8801cf36dd08 by task syz-executor371/2050
[ 38.949342]
[ 38.950950] CPU: 0 PID: 2050 Comm: syz-executor371 Not tainted 4.9.151+ #12
[ 38.958028] ffff8801db607950 ffffffff81b46e21 0000000000000001 ffffea00073cdb40
[ 38.966208] ffff8801cf36dd08 0000000000000004 ffffffff82601b3e ffff8801db607988
[ 38.974194] ffffffff81502195 0000000000000001 ffff8801cf36dd08 ffff8801cf36dd08
[ 38.982235] Call Trace:
[ 38.984793]
[ 38.986835] [] dump_stack+0xc1/0x120
[ 38.992205] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 38.998774] [] print_address_description+0x6f/0x238
[ 39.005411] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 39.012088] [] kasan_report.cold+0x8c/0x2ba
[ 39.018202] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 39.024699] [] __asan_report_store4_noabort+0x17/0x20
[ 39.031539] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 39.037938] [] nf_iterate+0x12e/0x310
[ 39.043364] [] nf_hook_slow+0x114/0x1f0
[ 39.048965] [] ? nf_iterate+0x310/0x310
[ 39.054695] [] ip_rcv+0xb79/0xf90
[ 39.059894] [] ? ip_rcv+0x8be/0xf90
[ 39.065381] [] ? ip_local_deliver+0x4d0/0x4d0
[ 39.071516] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 39.078373] [] ? ip_local_deliver+0x4d0/0x4d0
[ 39.084534] [] __netif_receive_skb_core+0x1156/0x2990
[ 39.091511] [] ? dev_loopback_xmit+0x430/0x430
[ 39.097748] [] ? find_busiest_group+0x6320/0x6320
[ 39.104243] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 39.111102] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 39.117910] [] ? check_preemption_disabled+0x3c/0x200
[ 39.124827] [] ? process_backlog+0x190/0x610
[ 39.130868] [] __netif_receive_skb+0x58/0x1c0
[ 39.136984] [] process_backlog+0x1e8/0x610
[ 39.142850] [] ? process_backlog+0x190/0x610
[ 39.148911] [] ? trace_hardirqs_on+0x10/0x10
[ 39.154974] [] net_rx_action+0x3aa/0xdd0
[ 39.160757] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 39.168617] [] __do_softirq+0x22d/0x964
[ 39.174218] [] do_softirq_own_stack+0x1c/0x30
[ 39.180596]
[ 39.182636] [] do_softirq.part.0+0x62/0x70
[ 39.188529] [] do_softirq+0x18/0x20
[ 39.193804] [] netif_rx_ni+0xbe/0x310
[ 39.199229] [] tun_get_user+0xcd2/0x2430
[ 39.205016] [] ? tun_select_queue+0x400/0x400
[ 39.211148] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 39.217872] [] tun_chr_write_iter+0xda/0x190
[ 39.223903] [] do_iter_readv_writev+0x3d9/0x4b0
[ 39.230203] [] ? vfs_iter_write+0x460/0x460
[ 39.236149] [] ? selinux_file_permission+0x85/0x470
[ 39.242789] [] ? security_file_permission+0x8f/0x1f0
[ 39.249514] [] ? rw_verify_area+0xea/0x2b0
[ 39.255371] [] do_readv_writev+0x2ed/0x7a0
[ 39.261442] [] ? vfs_write+0x520/0x520
[ 39.266956] [] ? __lru_cache_add+0x186/0x250
[ 39.272989] [] ? __this_cpu_preempt_check+0x1d/0x30
[ 39.279636] [] ? _raw_spin_unlock+0x2d/0x50
[ 39.285584] [] ? handle_mm_fault+0x54a/0x2380
[ 39.291708] [] ? vm_insert_page+0x840/0x840
[ 39.297655] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 39.304400] [] vfs_writev+0x89/0xc0
[ 39.309649] [] do_writev+0xe9/0x260
[ 39.314901] [] ? vfs_writev+0xc0/0xc0
[ 39.320334] [] ? SyS_readv+0x30/0x30
[ 39.325809] [] SyS_writev+0x28/0x30
[ 39.331064] [] do_syscall_64+0x1ad/0x570
[ 39.336767] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 39.343671]
[ 39.345286] Allocated by task 2050:
[ 39.348894] save_stack_trace+0x16/0x20
[ 39.352855] kasan_kmalloc.part.0+0x62/0xf0
[ 39.357166] kasan_kmalloc+0xb7/0xd0
[ 39.360906] kasan_slab_alloc+0xf/0x20
[ 39.364799] kmem_cache_alloc+0xd5/0x2b0
[ 39.368907] __alloc_skb+0xe7/0x5e0
[ 39.372523] alloc_skb_with_frags+0xb0/0x4f0
[ 39.376958] sock_alloc_send_pskb+0x5ec/0x760
[ 39.381428] tun_get_user+0x53b/0x2430
[ 39.385296] tun_chr_write_iter+0xda/0x190
[ 39.389604] do_iter_readv_writev+0x3d9/0x4b0
[ 39.394099] do_readv_writev+0x2ed/0x7a0
[ 39.398134] vfs_writev+0x89/0xc0
[ 39.401566] do_writev+0xe9/0x260
[ 39.404992] SyS_writev+0x28/0x30
[ 39.408418] do_syscall_64+0x1ad/0x570
[ 39.412283] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 39.417355]
[ 39.418957] Freed by task 2050:
[ 39.422218] save_stack_trace+0x16/0x20
[ 39.426166] kasan_slab_free+0xb0/0x190
[ 39.430238] kmem_cache_free+0xbe/0x310
[ 39.434197] kfree_skbmem+0x9f/0x100
[ 39.437892] kfree_skb+0xd4/0x350
[ 39.441331] ip_defrag+0x620/0x3bc0
[ 39.444936] ipv4_conntrack_defrag+0x1b4/0x2f0
[ 39.449497] nf_iterate+0x12e/0x310
[ 39.453101] nf_hook_slow+0x114/0x1f0
[ 39.456879] ip_rcv+0xb79/0xf90
[ 39.460137] __netif_receive_skb_core+0x1156/0x2990
[ 39.465129] __netif_receive_skb+0x58/0x1c0
[ 39.469424] process_backlog+0x1e8/0x610
[ 39.473457] net_rx_action+0x3aa/0xdd0
[ 39.477487] __do_softirq+0x22d/0x964
[ 39.481258]
[ 39.482863] The buggy address belongs to the object at ffff8801cf36dc80
[ 39.482863]  which belongs to the cache skbuff_head_cache of size 224
[ 39.496011] The buggy address is located 136 bytes inside of
[ 39.496011]  224-byte region [ffff8801cf36dc80, ffff8801cf36dd60)
[ 39.507852] The buggy address belongs to the page:
[ 39.512752] page:ffffea00073cdb40 count:1 mapcount:0 mapping: (null) index:0x0
[ 39.520984] flags: 0x4000000000000080(slab)
[ 39.525273] page dumped because: kasan: bad access detected
[ 39.530958]
[ 39.532567] Memory state around the buggy address:
[ 39.537473]  ffff8801cf36dc00: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.544844]  ffff8801cf36dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.552188] >ffff8801cf36dd00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 39.559523]                       ^
[ 39.563126]  ffff8801cf36dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.570459]  ffff8801cf36de00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.577805] ==================================================================
[ 39.585190] Disabling lock debugging due to kernel taint
[ 39.590666] Kernel panic - not syncing: panic_on_warn set ...
[ 39.590666]
[ 39.598065] CPU: 0 PID: 2050 Comm: syz-executor371 Tainted: G B 4.9.151+ #12
[ 39.606350] ffff8801db607890 ffffffff81b46e21 ffff8801db607900 ffffffff82e43922
[ 39.614331] 00000000ffffffff 0000000000000000 ffffffff82601b3e ffff8801db607970
[ 39.622306] ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081
[ 39.630316] Call Trace:
[ 39.632884]
[ 39.634924] [] dump_stack+0xc1/0x120
[ 39.640308] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 39.646876] [] panic+0x1d9/0x3bd
[ 39.651871] [] ? add_taint.cold+0x16/0x16
[ 39.657651] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 39.664205] [] kasan_end_report+0x47/0x4f
[ 39.669974] [] kasan_report.cold+0xa9/0x2ba
[ 39.675920] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 39.682295] [] __asan_report_store4_noabort+0x17/0x20
[ 39.689105] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 39.695499] [] nf_iterate+0x12e/0x310
[ 39.700945] [] nf_hook_slow+0x114/0x1f0
[ 39.700952] [] ? nf_iterate+0x310/0x310
[ 39.700960] [] ip_rcv+0xb79/0xf90
[ 39.700970] [] ? ip_rcv+0x8be/0xf90
[ 39.700976] [] ? ip_local_deliver+0x4d0/0x4d0
[ 39.700983] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 39.700988] [] ? ip_local_deliver+0x4d0/0x4d0
[ 39.700995] [] __netif_receive_skb_core+0x1156/0x2990
[ 39.701001] [] ? dev_loopback_xmit+0x430/0x430
[ 39.701010] [] ? find_busiest_group+0x6320/0x6320
[ 39.701017] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 39.701023] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 39.701032] [] ? check_preemption_disabled+0x3c/0x200
[ 39.701039] [] ? process_backlog+0x190/0x610
[ 39.701045] [] __netif_receive_skb+0x58/0x1c0
[ 39.701052] [] process_backlog+0x1e8/0x610
[ 39.701058] [] ? process_backlog+0x190/0x610
[ 39.701066] [] ? trace_hardirqs_on+0x10/0x10
[ 39.701072] [] net_rx_action+0x3aa/0xdd0
[ 39.701080] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 39.701090] [] __do_softirq+0x22d/0x964
[ 39.701097] [] do_softirq_own_stack+0x1c/0x30
[ 39.701107]
[ 39.701107] [] do_softirq.part.0+0x62/0x70
[ 39.701113] [] do_softirq+0x18/0x20
[ 39.701119] [] netif_rx_ni+0xbe/0x310
[ 39.701126] [] tun_get_user+0xcd2/0x2430
[ 39.701133] [] ? tun_select_queue+0x400/0x400
[ 39.701140] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 39.701147] [] tun_chr_write_iter+0xda/0x190
[ 39.701154] [] do_iter_readv_writev+0x3d9/0x4b0
[ 39.701160] [] ? vfs_iter_write+0x460/0x460
[ 39.701168] [] ? selinux_file_permission+0x85/0x470
[ 39.701176] [] ? security_file_permission+0x8f/0x1f0
[ 39.701192] [] ? rw_verify_area+0xea/0x2b0
[ 39.701198] [] do_readv_writev+0x2ed/0x7a0
[ 39.701210] [] ? vfs_write+0x520/0x520
[ 39.701218] [] ? __lru_cache_add+0x186/0x250
[ 39.701224] [] ? __this_cpu_preempt_check+0x1d/0x30
[ 39.701232] [] ? _raw_spin_unlock+0x2d/0x50
[ 39.701239] [] ? handle_mm_fault+0x54a/0x2380
[ 39.701246] [] ? vm_insert_page+0x840/0x840
[ 39.701252] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 39.701258] [] vfs_writev+0x89/0xc0
[ 39.701264] [] do_writev+0xe9/0x260
[ 39.701270] [] ? vfs_writev+0xc0/0xc0
[ 39.701276] [] ? SyS_readv+0x30/0x30
[ 39.701282] [] SyS_writev+0x28/0x30
[ 39.701288] [] do_syscall_64+0x1ad/0x570
[ 39.701296] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 39.706926] Kernel Offset: disabled
[ 40.003125] Rebooting in 86400 seconds..