Starting mcstransd: [ 9.586690] random: sshd: uninitialized urandom read (32 bytes read)
[....] Starting file context maintaining daemon: restorecond[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.683140] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.084075] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.196000] random: crng init done
Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
executing program
executing program
[ 31.591051] ==================================================================
[ 31.598461] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 31.605536] Write of size 4 at addr ffff8801cf4fe308 by task syz-executor656/2060
[ 31.613142]
[ 31.614756] CPU: 1 PID: 2060 Comm: syz-executor656 Not tainted 4.9.151+ #12
[ 31.621834] ffff8801db707950 ffffffff81b46e21 0000000000000001 ffffea00073d3f80
[ 31.629883] ffff8801cf4fe308 0000000000000004 ffffffff82601b3e ffff8801db707988
[ 31.637983] ffffffff81502195 0000000000000001 ffff8801cf4fe308 ffff8801cf4fe308
[ 31.645980] Call Trace:
[ 31.648538]
[ 31.650583] [] dump_stack+0xc1/0x120
[ 31.655963] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 31.662522] [] print_address_description+0x6f/0x238
[ 31.669165] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 31.675717] [] kasan_report.cold+0x8c/0x2ba
[ 31.681661] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 31.688044] [] __asan_report_store4_noabort+0x17/0x20
[ 31.694872] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 31.701254] [] nf_iterate+0x12e/0x310
[ 31.706683] [] nf_hook_slow+0x114/0x1f0
[ 31.712306] [] ? nf_iterate+0x310/0x310
[ 31.717905] [] ip_rcv+0xb79/0xf90
[ 31.722991] [] ? ip_rcv+0x8be/0xf90
[ 31.728245] [] ? ip_local_deliver+0x4d0/0x4d0
[ 31.734380] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 31.741107] [] ? ip_local_deliver+0x4d0/0x4d0
[ 31.747233] [] __netif_receive_skb_core+0x1156/0x2990
[ 31.754049] [] ? dev_loopback_xmit+0x430/0x430
[ 31.760273] [] ? check_preemption_disabled+0x3c/0x200
[ 31.767097] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 31.773825] [] ? check_preemption_disabled+0x3c/0x200
[ 31.780637] [] ? process_backlog+0x190/0x610
[ 31.786671] [] __netif_receive_skb+0x58/0x1c0
[ 31.792791] [] process_backlog+0x1e8/0x610
[ 31.798654] [] ? process_backlog+0x190/0x610
[ 31.804689] [] ? trace_hardirqs_on+0x10/0x10
[ 31.810726] [] net_rx_action+0x3aa/0xdd0
[ 31.816425] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 31.824283] [] __do_softirq+0x22d/0x964
[ 31.829904] [] do_softirq_own_stack+0x1c/0x30
[ 31.836022]
[ 31.838062] [] do_softirq.part.0+0x62/0x70
[ 31.843943] [] do_softirq+0x18/0x20
[ 31.849194] [] netif_rx_ni+0xbe/0x310
[ 31.854619] [] tun_get_user+0xcd2/0x2430
[ 31.860315] [] ? tun_select_queue+0x400/0x400
[ 31.866438] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 31.873167] [] tun_chr_write_iter+0xda/0x190
[ 31.879203] [] do_iter_readv_writev+0x3d9/0x4b0
[ 31.885505] [] ? vfs_iter_write+0x460/0x460
[ 31.891453] [] ? selinux_file_permission+0x85/0x470
[ 31.898093] [] ? security_file_permission+0x8f/0x1f0
[ 31.904821] [] ? rw_verify_area+0xea/0x2b0
[ 31.910681] [] do_readv_writev+0x2ed/0x7a0
[ 31.916537] [] ? vfs_write+0x520/0x520
[ 31.922054] [] ? __lru_cache_add+0x186/0x250
[ 31.928088] [] ? __this_cpu_preempt_check+0x1d/0x30
[ 31.934744] [] ? _raw_spin_unlock+0x2d/0x50
[ 31.940695] [] ? handle_mm_fault+0x54a/0x2380
[ 31.946813] [] ? vm_insert_page+0x840/0x840
[ 31.952759] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 31.959489] [] vfs_writev+0x89/0xc0
[ 31.964744] [] do_writev+0xe9/0x260
[ 31.969996] [] ? vfs_writev+0xc0/0xc0
[ 31.975457] [] ? SyS_readv+0x30/0x30
[ 31.980798] [] SyS_writev+0x28/0x30
[ 31.986050] [] do_syscall_64+0x1ad/0x570
[ 31.991743] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 31.998869]
[ 32.000477] Allocated by task 2060:
[ 32.004083] save_stack_trace+0x16/0x20
[ 32.008033] kasan_kmalloc.part.0+0x62/0xf0
[ 32.012331] kasan_kmalloc+0xb7/0xd0
[ 32.016023] kasan_slab_alloc+0xf/0x20
[ 32.019898] kmem_cache_alloc+0xd5/0x2b0
[ 32.023936] __alloc_skb+0xe7/0x5e0
[ 32.027535] alloc_skb_with_frags+0xb0/0x4f0
[ 32.031917] sock_alloc_send_pskb+0x5ec/0x760
[ 32.036386] tun_get_user+0x53b/0x2430
[ 32.040246] tun_chr_write_iter+0xda/0x190
[ 32.044463] do_iter_readv_writev+0x3d9/0x4b0
[ 32.048949] do_readv_writev+0x2ed/0x7a0
[ 32.052999] vfs_writev+0x89/0xc0
[ 32.056441] do_writev+0xe9/0x260
[ 32.059869] SyS_writev+0x28/0x30
[ 32.063305] do_syscall_64+0x1ad/0x570
[ 32.067167] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 32.072241]
[ 32.073846] Freed by task 2060:
[ 32.077106] save_stack_trace+0x16/0x20
[ 32.081058] kasan_slab_free+0xb0/0x190
[ 32.085009] kmem_cache_free+0xbe/0x310
[ 32.088959] kfree_skbmem+0x9f/0x100
[ 32.092649] kfree_skb+0xd4/0x350
[ 32.096079] ip_defrag+0x620/0x3bc0
[ 32.099682] ipv4_conntrack_defrag+0x1b4/0x2f0
[ 32.104244] nf_iterate+0x12e/0x310
[ 32.107863] nf_hook_slow+0x114/0x1f0
[ 32.111639] ip_rcv+0xb79/0xf90
[ 32.114895] __netif_receive_skb_core+0x1156/0x2990
[ 32.119886] __netif_receive_skb+0x58/0x1c0
[ 32.124182] process_backlog+0x1e8/0x610
[ 32.128216] net_rx_action+0x3aa/0xdd0
[ 32.132077] __do_softirq+0x22d/0x964
[ 32.135848]
[ 32.137458] The buggy address belongs to the object at ffff8801cf4fe280
[ 32.137458]  which belongs to the cache skbuff_head_cache of size 224
[ 32.150611] The buggy address is located 136 bytes inside of
[ 32.150611]  224-byte region [ffff8801cf4fe280, ffff8801cf4fe360)
[ 32.162457] The buggy address belongs to the page:
[ 32.167365] page:ffffea00073d3f80 count:1 mapcount:0 mapping: (null) index:0x0
[ 32.175616] flags: 0x4000000000000080(slab)
[ 32.179910] page dumped because: kasan: bad access detected
[ 32.185629]
[ 32.187229] Memory state around the buggy address:
[ 32.192147]  ffff8801cf4fe200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.199529]  ffff8801cf4fe280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.206878] >ffff8801cf4fe300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 32.214207]                       ^
[ 32.217808]  ffff8801cf4fe380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 32.225157]  ffff8801cf4fe400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.232492] ==================================================================
[ 32.239821] Disabling lock debugging due to kernel taint
[ 32.245285] Kernel panic - not syncing: panic_on_warn set ...
[ 32.245285]
[ 32.252660] CPU: 1 PID: 2060 Comm: syz-executor656 Tainted: G B 4.9.151+ #12
[ 32.260956] ffff8801db707890 ffffffff81b46e21 ffff8801db707900 ffffffff82e43922
[ 32.268975] 00000000ffffffff 0000000000000001 ffffffff82601b3e ffff8801db707970
[ 32.276985] ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081
[ 32.284970] Call Trace:
[ 32.287527]
[ 32.289568] [] dump_stack+0xc1/0x120
[ 32.294928] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 32.301485] [] panic+0x1d9/0x3bd
[ 32.306480] [] ? add_taint.cold+0x16/0x16
[ 32.312348] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 32.318904] [] kasan_end_report+0x47/0x4f
[ 32.324677] [] kasan_report.cold+0xa9/0x2ba
[ 32.330623] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 32.337004] [] __asan_report_store4_noabort+0x17/0x20
[ 32.343821] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 32.350203] [] nf_iterate+0x12e/0x310
[ 32.355629] [] nf_hook_slow+0x114/0x1f0
[ 32.361229] [] ? nf_iterate+0x310/0x310
[ 32.366830] [] ip_rcv+0xb79/0xf90
[ 32.371908] [] ? ip_rcv+0x8be/0xf90
[ 32.377159] [] ? ip_local_deliver+0x4d0/0x4d0
[ 32.383281] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 32.390030] [] ? ip_local_deliver+0x4d0/0x4d0
[ 32.396149] [] __netif_receive_skb_core+0x1156/0x2990
[ 32.402964] [] ? dev_loopback_xmit+0x430/0x430
[ 32.409175] [] ? check_preemption_disabled+0x3c/0x200
[ 32.415990] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 32.422716] [] ? check_preemption_disabled+0x3c/0x200
[ 32.429531] [] ? process_backlog+0x190/0x610
[ 32.435562] [] __netif_receive_skb+0x58/0x1c0
[ 32.441685] [] process_backlog+0x1e8/0x610
[ 32.447551] [] ? process_backlog+0x190/0x610
[ 32.453599] [] ? trace_hardirqs_on+0x10/0x10
[ 32.459634] [] net_rx_action+0x3aa/0xdd0
[ 32.465321] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 32.473193] [] __do_softirq+0x22d/0x964
[ 32.478791] [] do_softirq_own_stack+0x1c/0x30
[ 32.484904]
[ 32.486945] [] do_softirq.part.0+0x62/0x70
[ 32.492822] [] do_softirq+0x18/0x20
[ 32.498074] [] netif_rx_ni+0xbe/0x310
[ 32.503501] [] tun_get_user+0xcd2/0x2430
[ 32.509184] [] ? tun_select_queue+0x400/0x400
[ 32.515317] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 32.522043] [] tun_chr_write_iter+0xda/0x190
[ 32.528076] [] do_iter_readv_writev+0x3d9/0x4b0
[ 32.534370] [] ? vfs_iter_write+0x460/0x460
[ 32.540335] [] ? selinux_file_permission+0x85/0x470
[ 32.546977] [] ? security_file_permission+0x8f/0x1f0
[ 32.553704] [] ? rw_verify_area+0xea/0x2b0
[ 32.559697] [] do_readv_writev+0x2ed/0x7a0
[ 32.565555] [] ? vfs_write+0x520/0x520
[ 32.571066] [] ? __lru_cache_add+0x186/0x250
[ 32.577097] [] ? __this_cpu_preempt_check+0x1d/0x30
[ 32.583737] [] ? _raw_spin_unlock+0x2d/0x50
[ 32.589697] [] ? handle_mm_fault+0x54a/0x2380
[ 32.595815] [] ? vm_insert_page+0x840/0x840
[ 32.601759] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 32.608487] [] vfs_writev+0x89/0xc0
[ 32.613752] [] do_writev+0xe9/0x260
[ 32.619004] [] ? vfs_writev+0xc0/0xc0
[ 32.624429] [] ? SyS_readv+0x30/0x30
[ 32.629767] [] SyS_writev+0x28/0x30
[ 32.635017] [] do_syscall_64+0x1ad/0x570
[ 32.640704] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 32.647994] Kernel Offset: disabled
[ 32.651603] Rebooting in 86400 seconds..