ip6_tunnel: ip6tnl6 xmit: Local address not yet configured! ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline] BUG: KASAN: use-after-free in nf_hook include/linux/netfilter.h:198 [inline] BUG: KASAN: use-after-free in NF_HOOK include/linux/netfilter.h:248 [inline] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450 net/ipv4/ip_input.c:257 Read of size 8 at addr ffff88818cd35290 by task syz-executor2/6358 CPU: 1 PID: 6358 Comm: syz-executor2 Not tainted 4.14.97+ #4 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xb9/0x10e lib/dump_stack.c:53 print_address_description+0x60/0x226 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0x88/0x2a5 mm/kasan/report.c:393 kauditd_printk_skb: 183 callbacks suppressed audit: type=1400 audit(1549523709.199:29994): avc: denied { map } for pid=6360 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 audit: type=1400 audit(1549523709.199:29995): avc: denied { map } for pid=6360 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 audit: type=1400 audit(1549523709.199:29996): avc: denied { map } for pid=6360 comm="blkid" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1" ino=2668 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Allocated by task 6358: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551 slab_post_alloc_hook mm/slab.h:442 [inline] slab_alloc_node mm/slub.c:2723 [inline] slab_alloc mm/slub.c:2731 [inline] kmem_cache_alloc+0xd2/0x2d0 mm/slub.c:2736 __build_skb+0x2e/0x2d0 net/core/skbuff.c:281 audit: type=1400 audit(1549523709.199:29997): avc: denied { map } for pid=6360 comm="blkid" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1" ino=2668 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 build_skb+0x1a/0x1f0 net/core/skbuff.c:312 tun_build_skb drivers/net/tun.c:1354 [inline] tun_get_user+0x248b/0x3790 drivers/net/tun.c:1467 tun_chr_write_iter+0xcf/0x180 drivers/net/tun.c:1596 call_write_iter include/linux/fs.h:1784 [inline] do_iter_readv_writev+0x379/0x580 fs/read_write.c:678 do_iter_write fs/read_write.c:957 [inline] do_iter_write+0x152/0x550 fs/read_write.c:938 vfs_writev+0x146/0x2d0 fs/read_write.c:1002 audit: type=1400 audit(1549523709.199:29998): avc: denied { map } for pid=6360 comm="blkid" path="/etc/ld.so.cache" dev="sda1" ino=2503 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 do_writev+0xc9/0x240 fs/read_write.c:1037 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 Freed by task 6358: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:524 slab_free_hook mm/slub.c:1389 [inline] slab_free_freelist_hook mm/slub.c:1410 [inline] slab_free mm/slub.c:2966 [inline] kmem_cache_free+0xc4/0x330 mm/slub.c:2988 kfree_skbmem net/core/skbuff.c:582 [inline] kfree_skbmem+0xa0/0x100 net/core/skbuff.c:576 audit: type=1400 audit(1549523709.199:29999): avc: denied { map } for pid=6360 comm="blkid" path="/lib/x86_64-linux-gnu/libblkid.so.1.1.0" dev="sda1" ino=2825 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 __kfree_skb net/core/skbuff.c:642 [inline] kfree_skb+0xcd/0x350 net/core/skbuff.c:659 ip_frag_queue net/ipv4/ip_fragment.c:507 [inline] ip_defrag+0x5f4/0x3b50 net/ipv4/ip_fragment.c:699 ip_local_deliver+0x165/0x450 net/ipv4/ip_input.c:253 dst_input include/net/dst.h:465 [inline] ip_rcv_finish+0x5c9/0x1490 net/ipv4/ip_input.c:397 NF_HOOK include/linux/netfilter.h:250 [inline] ip_rcv+0xa1c/0xf41 net/ipv4/ip_input.c:494 __netif_receive_skb_core+0x1364/0x2c60 net/core/dev.c:4477 __netif_receive_skb+0x55/0x1f0 net/core/dev.c:4515 audit: type=1400 audit(1549523709.199:30000): avc: denied { map } for pid=6360 comm="blkid" path="/lib/x86_64-linux-gnu/libblkid.so.1.1.0" dev="sda1" ino=2825 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 netif_receive_skb_internal+0xec/0x5c0 net/core/dev.c:4588 tun_rx_batched.isra.0+0x45d/0x730 drivers/net/tun.c:1218 tun_get_user+0xd95/0x3790 drivers/net/tun.c:1570 tun_chr_write_iter+0xcf/0x180 drivers/net/tun.c:1596 call_write_iter include/linux/fs.h:1784 [inline] do_iter_readv_writev+0x379/0x580 fs/read_write.c:678 do_iter_write fs/read_write.c:957 [inline] do_iter_write+0x152/0x550 fs/read_write.c:938 vfs_writev+0x146/0x2d0 fs/read_write.c:1002 do_writev+0xc9/0x240 fs/read_write.c:1037 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 The buggy address belongs to the object at ffff88818cd35280 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 16 bytes inside of 224-byte region [ffff88818cd35280, ffff88818cd35360) audit: type=1400 audit(1549523709.199:30001): avc: denied { map } for pid=6360 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1" ino=2784 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 The buggy address belongs to the page: page:ffffea0006334d40 count:1 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000100(slab) raw: 4000000000000100 0000000000000000 0000000000000000 00000001000c000c raw: ffffea000764d340 0000000600000006 ffff8881dab58200 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88818cd35180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88818cd35200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc >ffff88818cd35280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88818cd35300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88818cd35380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb audit: type=1400 audit(1549523709.199:30002): avc: denied { map } for pid=6360 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1" ino=2784 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 ==================================================================