Warning: Permanently added '10.128.0.159' (ECDSA) to the list of known hosts.
[   36.395498] urandom_read: 1 callbacks suppressed
[   36.395502] random: sshd: uninitialized urandom read (32 bytes read)
[   36.498364] audit: type=1400 audit(1548537158.423:7): avc: denied { map } for pid=1785 comm="syz-executor575" path="/root/syz-executor575291498" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   36.753074] ==================================================================
[   36.760654] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   36.767298] Read of size 8 at addr ffff8881d39fa790 by task syz-executor575/1788
[   36.774801]
[   36.776406] CPU: 1 PID: 1788 Comm: syz-executor575 Not tainted 4.14.96+ #19
[   36.783601] Call Trace:
[   36.786179]  dump_stack+0xb9/0x10e
[   36.789700]  ? ip_local_deliver+0x43d/0x450
[   36.794006]  print_address_description+0x60/0x226
[   36.798832]  ? ip_local_deliver+0x43d/0x450
[   36.803129]  kasan_report.cold+0x88/0x2a5
[   36.807256]  ? ip_local_deliver+0x43d/0x450
[   36.811553]  ? ip_call_ra_chain+0x540/0x540
[   36.815851]  ? __lock_acquire+0x56a/0x3fa0
[   36.820063]  ? ip_options_compile+0x65b/0x1360
[   36.824752]  ? ip_rcv+0x99f/0xf7a
[   36.828196]  ? ip_rcv_finish+0x5c9/0x1490
[   36.832329]  ? ip_rcv+0x9e2/0xf7a
[   36.835773]  ? ip_local_deliver+0x450/0x450
[   36.840196]  ? __lock_acquire+0x56a/0x3fa0
[   36.844440]  ? check_preemption_disabled+0x35/0x1f0
[   36.849440]  ? ip_local_deliver+0x450/0x450
[   36.853748]  ? __netif_receive_skb_core+0x1364/0x2c60
[   36.858933]  ? trace_hardirqs_on+0x10/0x10
[   36.863152]  ? flush_backlog+0x580/0x580
[   36.867198]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   36.872378]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   36.877686]  ? lock_acquire+0x10f/0x380
[   36.881638]  ? __netif_receive_skb+0x55/0x1f0
[   36.886105]  ? __netif_receive_skb+0x55/0x1f0
[   36.890573]  ? netif_receive_skb_internal+0xec/0x5c0
[   36.895704]  ? dev_cpu_dead+0x810/0x810
[   36.899667]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   36.905174]  ? rcu_read_lock_sched_held+0x10a/0x130
[   36.910260]  ? tun_rx_batched.isra.0+0x45d/0x730
[   36.915006]  ? __skb_get_hash_symmetric+0x255/0x620
[   36.920127]  ? tun_chr_read_iter+0x1c0/0x1c0
[   36.924518]  ? tun_get_user+0xc07/0x3790
[   36.928561]  ? __local_bh_enable_ip+0x65/0xc0
[   36.933034]  ? tun_get_user+0xd95/0x3790
[   36.937077]  ? tun_rx_batched.isra.0+0x730/0x730
[   36.941812]  ? debug_mutex_add_waiter+0x60/0x150
[   36.946579]  ? mark_held_locks+0xa6/0xf0
[   36.950630]  ? get_page_from_freelist+0x85e/0x1d60
[   36.955651]  ? preempt_count_add+0xb8/0x180
[   36.959969]  ? __tun_get+0x11c/0x220
[   36.963663]  ? check_preemption_disabled+0x35/0x1f0
[   36.968675]  ? tun_chr_write_iter+0xcf/0x180
[   36.973076]  ? do_iter_readv_writev+0x379/0x580
[   36.977725]  ? clone_verify_area+0x1e0/0x1e0
[   36.982111]  ? avc_policy_seqno+0x5/0x10
[   36.986152]  ? security_file_permission+0x88/0x1e0
[   36.991070]  ? do_iter_write+0x152/0x550
[   36.995112]  ? lock_downgrade+0x5d0/0x5d0
[   36.999246]  ? vfs_writev+0x146/0x2d0
[   37.003032]  ? vfs_iter_write+0xa0/0xa0
[   37.006989]  ? __handle_mm_fault+0x6c5/0x2640
[   37.011477]  ? __fsnotify_inode_delete+0x20/0x20
[   37.016234]  ? __do_page_fault+0x48e/0xb80
[   37.020496]  ? lock_downgrade+0x5d0/0x5d0
[   37.024631]  ? check_preemption_disabled+0x35/0x1f0
[   37.029653]  ? do_writev+0xc9/0x240
[   37.033272]  ? vfs_writev+0x2d0/0x2d0
[   37.037073]  ? do_syscall_64+0x43/0x4b0
[   37.041026]  ? SyS_readv+0x30/0x30
[   37.044549]  ? do_syscall_64+0x19b/0x4b0
[   37.048638]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.053988]
[   37.055590] Allocated by task 1788:
[   37.059196]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.063864]  kmem_cache_alloc+0xd2/0x2d0
[   37.067903]  __build_skb+0x2e/0x2d0
[   37.071528]  build_skb+0x1a/0x1f0
[   37.075062]  tun_get_user+0x248b/0x3790
[   37.079018]  tun_chr_write_iter+0xcf/0x180
[   37.083231]  do_iter_readv_writev+0x379/0x580
[   37.087699]  do_iter_write+0x152/0x550
[   37.091564]  vfs_writev+0x146/0x2d0
[   37.095173]  do_writev+0xc9/0x240
[   37.098602]  do_syscall_64+0x19b/0x4b0
[   37.102472]
[   37.104077] Freed by task 1788:
[   37.107394]  kasan_slab_free+0xb0/0x190
[   37.111374]  kmem_cache_free+0xc4/0x330
[   37.115413]  kfree_skbmem+0xa0/0x100
[   37.119131]  kfree_skb+0xcd/0x350
[   37.122568]  ip_defrag+0x5f4/0x3b50
[   37.126191]  ip_local_deliver+0x165/0x450
[   37.130315]  ip_rcv_finish+0x5c9/0x1490
[   37.134278]  ip_rcv+0x9e2/0xf7a
[   37.137544]  __netif_receive_skb_core+0x1364/0x2c60
[   37.142538]  __netif_receive_skb+0x55/0x1f0
[   37.146971]  netif_receive_skb_internal+0xec/0x5c0
[   37.151879]  tun_rx_batched.isra.0+0x45d/0x730
[   37.156440]  tun_get_user+0xd95/0x3790
[   37.160322]  tun_chr_write_iter+0xcf/0x180
[   37.164536]  do_iter_readv_writev+0x379/0x580
[   37.169011]  do_iter_write+0x152/0x550
[   37.172879]  vfs_writev+0x146/0x2d0
[   37.176483]  do_writev+0xc9/0x240
[   37.179909]  do_syscall_64+0x19b/0x4b0
[   37.183766]
[   37.185370] The buggy address belongs to the object at ffff8881d39fa780
[   37.185370]  which belongs to the cache skbuff_head_cache of size 224
[   37.198530] The buggy address is located 16 bytes inside of
[   37.198530]  224-byte region [ffff8881d39fa780, ffff8881d39fa860)
[   37.210291] The buggy address belongs to the page:
[   37.215201] page:ffffea00074e7e80 count:1 mapcount:0 mapping: (null) index:0x0
[   37.223488] flags: 0x4000000000000100(slab)
[   37.227792] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   37.235667] raw: ffffea00074c9f00 0000000400000004 ffff8881dab58200 0000000000000000
[   37.243528] page dumped because: kasan: bad access detected
[   37.249285]
[   37.250909] Memory state around the buggy address:
[   37.255835]  ffff8881d39fa680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.263175]  ffff8881d39fa700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   37.270508] >ffff8881d39fa780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.277955]                          ^
[   37.281815]  ffff8881d39fa800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   37.289258]  ffff8881d39fa880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   37.296626] ==================================================================
[   37.303955] Disabling lock debugging due to kernel taint
[   37.309428] Kernel panic - not syncing: panic_on_warn set ...
[   37.309428]
[   37.316830] CPU: 1 PID: 1788 Comm: syz-executor575 Tainted: G B 4.14.96+ #19
[   37.325122] Call Trace:
[   37.327708]  dump_stack+0xb9/0x10e
[   37.331230]  panic+0x1d9/0x3c2
[   37.334506]  ? add_taint.cold+0x16/0x16
[   37.338494]  ? retint_kernel+0x2d/0x2d
[   37.342391]  ? ip_local_deliver+0x43d/0x450
[   37.346810]  kasan_end_report+0x43/0x49
[   37.350816]  kasan_report.cold+0xa4/0x2a5
[   37.354964]  ? ip_local_deliver+0x43d/0x450
[   37.359443]  ? ip_call_ra_chain+0x540/0x540
[   37.363743]  ? __lock_acquire+0x56a/0x3fa0
[   37.367950]  ? ip_options_compile+0x65b/0x1360
[   37.372505]  ? ip_rcv+0x99f/0xf7a
[   37.375937]  ? ip_rcv_finish+0x5c9/0x1490
[   37.380073]  ? ip_rcv+0x9e2/0xf7a
[   37.383631]  ? ip_local_deliver+0x450/0x450
[   37.387925]  ? __lock_acquire+0x56a/0x3fa0
[   37.392136]  ? check_preemption_disabled+0x35/0x1f0
[   37.397133]  ? ip_local_deliver+0x450/0x450
[   37.401504]  ? __netif_receive_skb_core+0x1364/0x2c60
[   37.406696]  ? trace_hardirqs_on+0x10/0x10
[   37.410921]  ? flush_backlog+0x580/0x580
[   37.414960]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.420147]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   37.425308]  ? lock_acquire+0x10f/0x380
[   37.429258]  ? __netif_receive_skb+0x55/0x1f0
[   37.433725]  ? __netif_receive_skb+0x55/0x1f0
[   37.438404]  ? netif_receive_skb_internal+0xec/0x5c0
[   37.443483]  ? dev_cpu_dead+0x810/0x810
[   37.447437]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   37.452862]  ? rcu_read_lock_sched_held+0x10a/0x130
[   37.457944]  ? tun_rx_batched.isra.0+0x45d/0x730
[   37.462681]  ? __skb_get_hash_symmetric+0x255/0x620
[   37.467669]  ? tun_chr_read_iter+0x1c0/0x1c0
[   37.472068]  ? tun_get_user+0xc07/0x3790
[   37.476106]  ? __local_bh_enable_ip+0x65/0xc0
[   37.480621]  ? tun_get_user+0xd95/0x3790
[   37.484658]  ? tun_rx_batched.isra.0+0x730/0x730
[   37.489391]  ? debug_mutex_add_waiter+0x60/0x150
[   37.494132]  ? mark_held_locks+0xa6/0xf0
[   37.498263]  ? get_page_from_freelist+0x85e/0x1d60
[   37.503168]  ? preempt_count_add+0xb8/0x180
[   37.507494]  ? __tun_get+0x11c/0x220
[   37.511233]  ? check_preemption_disabled+0x35/0x1f0
[   37.516227]  ? tun_chr_write_iter+0xcf/0x180
[   37.520610]  ? do_iter_readv_writev+0x379/0x580
[   37.525468]  ? clone_verify_area+0x1e0/0x1e0
[   37.529856]  ? avc_policy_seqno+0x5/0x10
[   37.533903]  ? security_file_permission+0x88/0x1e0
[   37.538806]  ? do_iter_write+0x152/0x550
[   37.542845]  ? lock_downgrade+0x5d0/0x5d0
[   37.546980]  ? vfs_writev+0x146/0x2d0
[   37.550750]  ? vfs_iter_write+0xa0/0xa0
[   37.554824]  ? __handle_mm_fault+0x6c5/0x2640
[   37.559296]  ? __fsnotify_inode_delete+0x20/0x20
[   37.564326]  ? __do_page_fault+0x48e/0xb80
[   37.568540]  ? lock_downgrade+0x5d0/0x5d0
[   37.572776]  ? check_preemption_disabled+0x35/0x1f0
[   37.577772]  ? do_writev+0xc9/0x240
[   37.581459]  ? vfs_writev+0x2d0/0x2d0
[   37.585244]  ? do_syscall_64+0x43/0x4b0
[   37.589192]  ? SyS_readv+0x30/0x30
[   37.592703]  ? do_syscall_64+0x19b/0x4b0
[   37.596856]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.602527] Kernel Offset: 0x37c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   37.613479] Rebooting in 86400 seconds..
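The console log above is what a triager starts from, and the facts worth extracting mechanically are few: the bug class and faulting function, the access size and address, which slab object the address falls in and at what offset, and the first non-allocator frame on the allocation and free stacks. The script below is an added example, not part of the syzkaller report or of the kernel; it parses a constructed excerpt of the report's own lines (printk timestamps kept so they have to be stripped), recomputes the offset from the two addresses instead of trusting the "16 bytes inside of" line, and derives that the skb was allocated in tun_get_user, freed in ip_defrag, and then read 16 bytes into the freed skbuff_head_cache object by ip_local_deliver, which itself appears on the free stack directly above ip_defrag. The HELPER_PREFIXES list and the "owner frame" heuristic are this example's own assumptions; the kernel defines no such thing.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the key lines of the report above, with the call stacks cut down.
# Timestamps are kept on purpose so the parser has to strip them as on a raw console log.
SAMPLE_REPORT = """\
[   36.760654] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   36.767298] Read of size 8 at addr ffff8881d39fa790 by task syz-executor575/1788
[   37.055590] Allocated by task 1788:
[   37.059196]  kasan_kmalloc.part.0+0x4f/0xd0
[   37.067903]  __build_skb+0x2e/0x2d0
[   37.071528]  build_skb+0x1a/0x1f0
[   37.075062]  tun_get_user+0x248b/0x3790
[   37.102472]
[   37.104077] Freed by task 1788:
[   37.107394]  kasan_slab_free+0xb0/0x190
[   37.115413]  kfree_skbmem+0xa0/0x100
[   37.119131]  kfree_skb+0xcd/0x350
[   37.122568]  ip_defrag+0x5f4/0x3b50
[   37.126191]  ip_local_deliver+0x165/0x450
[   37.183766]
[   37.185370] The buggy address belongs to the object at ffff8881d39fa780
[   37.185370]  which belongs to the cache skbuff_head_cache of size 224
[   37.198530] The buggy address is located 16 bytes inside of
[   37.198530]  224-byte region [ffff8881d39fa780, ffff8881d39fa860)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
SECTION_RE = re.compile(r"^(?P<what>Allocated|Freed) by task \d+:$")
FRAME_RE = re.compile(r"^(?:\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJ_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
LOC_RE = re.compile(r"is located (?P<off>\d+) bytes (?P<where>inside of|to the (?:left|right) of)")

# Allocator and generic alloc/free wrapper frames to skip when looking for the code
# path that owns the object. This prefix list is a heuristic of this example only.
HELPER_PREFIXES = ("kasan_", "kmem_cache_", "__kmalloc", "kmalloc", "kfree",
                   "__build_skb", "build_skb", "slab_", "__slab_")


def _canon(sym: str) -> str:
    # Drop compiler clone suffixes (.isra.0, .part.0, .cold) so frames compare by function.
    return re.sub(r"\.(isra|part|cold|constprop)(\.\d+)?$", "", sym)


def owner_frame(stack: List[str]) -> str:
    # First frame that is not an allocator helper: where the object was really born or killed.
    return next((s for s in stack if not s.startswith(HELPER_PREFIXES)), stack[0] if stack else "")


@dataclass
class KasanReport:
    kind: str = ""
    use_func: str = ""
    op: str = ""
    access_size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    obj_base: int = 0
    obj_size: int = 0
    cache: str = ""
    stated_offset: Optional[int] = None
    stated_where: str = ""
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)

    @property
    def offset(self) -> int:  # recomputed from the two addresses, not copied from the text
        return self.addr - self.obj_base

    @property
    def offset_consistent(self) -> bool:  # whole access inside the object and KASAN's own text agrees
        inside = 0 <= self.offset and self.offset + self.access_size <= self.obj_size
        return inside and self.stated_where == "inside of" and self.stated_offset == self.offset


def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if not line:                      # a blank log line closes a stack section
            section = None
        elif m := SECTION_RE.match(line):
            section = m.group("what")
        elif section and (m := FRAME_RE.match(line)):
            (rep.alloc_stack if section == "Allocated" else rep.free_stack).append(_canon(m.group("sym")))
        elif m := BUG_RE.search(line):
            rep.kind, rep.use_func = m.group("kind"), _canon(m.group("sym"))
        elif m := ACCESS_RE.search(line):
            rep.op, rep.access_size, rep.addr = m.group("op"), int(m.group("size")), int(m.group("addr"), 16)
            rep.task, rep.pid = m.group("task"), int(m.group("pid"))
        elif m := OBJ_RE.search(line):
            rep.obj_base = int(m.group("base"), 16)
        elif m := CACHE_RE.search(line):
            rep.cache, rep.obj_size = m.group("cache"), int(m.group("size"))
        elif m := LOC_RE.search(line):
            rep.stated_offset, rep.stated_where = int(m.group("off")), m.group("where")
    return rep


def triage(rep: KasanReport) -> dict:
    # Reduce the report to the facts a triager reads first.
    return {
        "bug": f"{rep.kind}: {rep.op.lower()} of {rep.access_size} bytes in {rep.use_func}",
        "object": f"{rep.cache} ({rep.obj_size} bytes), access at offset {rep.offset}",
        "alloc_site": owner_frame(rep.alloc_stack),
        "free_site": owner_frame(rep.free_stack),
        # Faulting function also on the free stack: a callee consumed the object
        # and the caller kept touching it afterwards.
        "freed_by_own_callee": rep.use_func in rep.free_stack,
        "offset_consistent": rep.offset_consistent,
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{key:>20}: {value}")
```

Feeding the full report above to parse_kasan_report gives the same answer as the excerpt, because the "? " frames of the first Call Trace are ignored (they sit outside an "Allocated by"/"Freed by" section) and the panic trace contains no object lines. The freed_by_own_callee flag is the part worth keeping in a triage pipeline: when the function that faults is itself a caller on the free stack, the report already tells you the object was consumed by a callee (here ip_defrag, via kfree_skb) and the caller (ip_local_deliver) went on to dereference it, so the fix lives at that call boundary rather than in the allocator.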