[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 10.720131] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 27.600351] random: crng init done
Warning: Permanently added '10.128.10.14' (ECDSA) to the list of known hosts.
executing program
executing program
[ 50.785059] ==================================================================
[ 50.792474] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 50.799563] Write of size 4 at addr ffff8801ceb47e48 by task syz-executor055/2072
[ 50.807159]
[ 50.808885] CPU: 0 PID: 2072 Comm: syz-executor055 Not tainted 4.9.154+ #19
[ 50.815975]  ffff8801db607948 ffffffff81b47411 0000000000000001 ffffea00073ad1c0
[ 50.824066]  ffff8801ceb47e48 0000000000000004 ffffffff826028fe ffff8801db607980
[ 50.832080]  ffffffff81502615 0000000000000001 ffff8801ceb47e48 ffff8801ceb47e48
[ 50.840086] Call Trace:
[ 50.842685]
[ 50.844737]  [] dump_stack+0xc1/0x120
[ 50.850283]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 50.856913]  [] print_address_description+0x6f/0x238
[ 50.863935]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 50.863945]  [] kasan_report.cold+0x8c/0x2ba
[ 50.863957]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 50.863961]  [] __asan_report_store4_noabort+0x17/0x20
[ 50.863966]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 50.863972]  [] nf_iterate+0x12e/0x310
[ 50.863976]  [] nf_hook_slow+0x114/0x1f0
[ 50.863979]  [] ? nf_iterate+0x310/0x310
[ 50.863986]  [] ip_rcv+0xbdf/0x1040
[ 50.863990]  [] ? ip_rcv+0x91c/0x1040
[ 50.863994]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 50.863999]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 50.864004]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 50.864009]  [] __netif_receive_skb_core+0x1156/0x2990
[ 50.864013]  [] ? dev_loopback_xmit+0x430/0x430
[ 50.864019]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 50.864023]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 50.864030]  [] ? check_preemption_disabled+0x3c/0x200
[ 50.864035]  [] ? process_backlog+0x190/0x610
[ 50.864039]  [] __netif_receive_skb+0x58/0x1c0
[ 50.864043]  [] process_backlog+0x1e8/0x610
[ 50.864046]  [] ? process_backlog+0x190/0x610
[ 50.864051]  [] ? trace_hardirqs_on+0x10/0x10
[ 50.864055]  [] net_rx_action+0x3aa/0xdd0
[ 50.864060]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 50.864066]  [] __do_softirq+0x22d/0x964
[ 50.864071]  [] do_softirq_own_stack+0x1c/0x30
[ 50.864079]
[ 50.864079]  [] do_softirq.part.0+0x62/0x70
[ 50.864083]  [] do_softirq+0x18/0x20
[ 50.864086]  [] netif_rx_ni+0xbe/0x310
[ 50.864092]  [] tun_get_user+0xcd2/0x2430
[ 50.864097]  [] ? tun_select_queue+0x400/0x400
[ 50.864101]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 50.864105]  [] tun_chr_write_iter+0xda/0x190
[ 50.864109]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 50.864113]  [] ? vfs_iter_write+0x460/0x460
[ 50.864119]  [] ? selinux_file_permission+0x85/0x470
[ 50.864125]  [] ? security_file_permission+0x8f/0x1f0
[ 50.864129]  [] ? rw_verify_area+0xea/0x2b0
[ 50.864133]  [] do_readv_writev+0x2ed/0x7a0
[ 50.864136]  [] ? vfs_write+0x520/0x520
[ 50.864140]  [] ? rcu_read_lock_sched_held+0x10b/0x130
[ 50.864147]  [] ? do_signal+0x4b9/0x1920
[ 50.864151]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 50.864155]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 50.864158]  [] vfs_writev+0x89/0xc0
[ 50.864162]  [] do_writev+0xe9/0x260
[ 50.864166]  [] ? vfs_writev+0xc0/0xc0
[ 50.864169]  [] ? SyS_readv+0x30/0x30
[ 50.864173]  [] SyS_writev+0x28/0x30
[ 50.864177]  [] do_syscall_64+0x1ad/0x570
[ 50.864182]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 50.864184]
[ 50.864188] Allocated by task 2072:
[ 50.864195]  save_stack_trace+0x16/0x20
[ 50.864198]  kasan_kmalloc.part.0+0x62/0xf0
[ 50.864201]  kasan_kmalloc+0xb7/0xd0
[ 50.864204]  kasan_slab_alloc+0xf/0x20
[ 50.864208]  kmem_cache_alloc+0xd5/0x2b0
[ 50.864212]  __alloc_skb+0xe7/0x5e0
[ 50.864214]  alloc_skb_with_frags+0xb0/0x4f0
[ 50.864219]  sock_alloc_send_pskb+0x5ec/0x760
[ 50.864222]  tun_get_user+0x53b/0x2430
[ 50.864225]  tun_chr_write_iter+0xda/0x190
[ 50.864228]  do_iter_readv_writev+0x3d9/0x4b0
[ 50.864231]  do_readv_writev+0x2ed/0x7a0
[ 50.864233]  vfs_writev+0x89/0xc0
[ 50.864236]  do_writev+0xe9/0x260
[ 50.864238]  SyS_writev+0x28/0x30
[ 50.864241]  do_syscall_64+0x1ad/0x570
[ 50.864245]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 50.864245]
[ 50.864247] Freed by task 2072:
[ 50.864250]  save_stack_trace+0x16/0x20
[ 50.864253]  kasan_slab_free+0xb0/0x190
[ 50.864256]  kmem_cache_free+0xbe/0x310
[ 50.864260]  kfree_skbmem+0x9f/0x100
[ 50.864264]  kfree_skb+0xd4/0x350
[ 50.864267]  ip_defrag+0x620/0x3bc0
[ 50.864272]  ipv4_conntrack_defrag+0x1b4/0x2f0
[ 50.864275]  nf_iterate+0x12e/0x310
[ 50.864278]  nf_hook_slow+0x114/0x1f0
[ 50.864281]  ip_rcv+0xbdf/0x1040
[ 50.864284]  __netif_receive_skb_core+0x1156/0x2990
[ 50.864287]  __netif_receive_skb+0x58/0x1c0
[ 50.864290]  process_backlog+0x1e8/0x610
[ 50.864293]  net_rx_action+0x3aa/0xdd0
[ 50.864296]  __do_softirq+0x22d/0x964
[ 50.864297]
[ 50.864300] The buggy address belongs to the object at ffff8801ceb47dc0
[ 50.864300]  which belongs to the cache skbuff_head_cache of size 224
[ 50.864303] The buggy address is located 136 bytes inside of
[ 50.864303]  224-byte region [ffff8801ceb47dc0, ffff8801ceb47ea0)
[ 50.864304] The buggy address belongs to the page:
[ 50.864310] page:ffffea00073ad1c0 count:1 mapcount:0 mapping: (null) index:0x0
[ 50.864313] flags: 0x4000000000000080(slab)
[ 50.864315] page dumped because: kasan: bad access detected
[ 50.864315]
[ 50.864317] Memory state around the buggy address:
[ 50.864321]  ffff8801ceb47d00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 50.864325]  ffff8801ceb47d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 50.864327] >ffff8801ceb47e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.864329]                                               ^
[ 50.864332]  ffff8801ceb47e80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.864334]  ffff8801ceb47f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.864335] ==================================================================
[ 50.864337] Disabling lock debugging due to kernel taint
[ 50.864381] Kernel panic - not syncing: panic_on_warn set ...
[ 50.864381]
[ 50.864387] CPU: 0 PID: 2072 Comm: syz-executor055 Tainted: G B 4.9.154+ #19
[ 50.864395]  ffff8801db607888 ffffffff81b47411 ffff8801db607900 ffffffff82e439da
[ 50.864400]  00000000ffffffff 0000000000000000 ffffffff826028fe ffff8801db607968
[ 50.864404]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35b02 ffffffff813f7081
[ 50.864405] Call Trace:
[ 50.864412]
[ 50.864412]  [] dump_stack+0xc1/0x120
[ 50.864416]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 50.864423]  [] panic+0x1d9/0x3bd
[ 50.864427]  [] ? add_taint.cold+0x16/0x16
[ 50.864431]  [] kasan_end_report+0x47/0x4f
[ 50.864435]  [] kasan_report.cold+0xa9/0x2ba
[ 50.864440]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 50.864444]  [] __asan_report_store4_noabort+0x17/0x20
[ 50.864448]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 50.864452]  [] nf_iterate+0x12e/0x310
[ 50.864455]  [] nf_hook_slow+0x114/0x1f0
[ 50.864459]  [] ? nf_iterate+0x310/0x310
[ 50.864463]  [] ip_rcv+0xbdf/0x1040
[ 50.864466]  [] ? ip_rcv+0x91c/0x1040
[ 50.864471]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 50.864475]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 50.864479]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 50.864483]  [] __netif_receive_skb_core+0x1156/0x2990
[ 50.864487]  [] ? dev_loopback_xmit+0x430/0x430
[ 50.864491]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 50.864494]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 50.864499]  [] ? check_preemption_disabled+0x3c/0x200
[ 50.864502]  [] ? process_backlog+0x190/0x610
[ 50.864506]  [] __netif_receive_skb+0x58/0x1c0
[ 50.864510]  [] process_backlog+0x1e8/0x610
[ 50.864514]  [] ? process_backlog+0x190/0x610
[ 50.864517]  [] ? trace_hardirqs_on+0x10/0x10
[ 50.864521]  [] net_rx_action+0x3aa/0xdd0
[ 50.864533]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 50.864537]  [] __do_softirq+0x22d/0x964
[ 50.864542]  [] do_softirq_own_stack+0x1c/0x30
[ 50.864547]
[ 50.864547]  [] do_softirq.part.0+0x62/0x70
[ 50.864550]  [] do_softirq+0x18/0x20
[ 50.864554]  [] netif_rx_ni+0xbe/0x310
[ 50.864558]  [] tun_get_user+0xcd2/0x2430
[ 50.864561]  [] ? tun_select_queue+0x400/0x400
[ 50.864565]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 50.864570]  [] tun_chr_write_iter+0xda/0x190
[ 50.864573]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 50.864577]  [] ? vfs_iter_write+0x460/0x460
[ 50.864581]  [] ? selinux_file_permission+0x85/0x470
[ 50.864585]  [] ? security_file_permission+0x8f/0x1f0
[ 50.864588]  [] ? rw_verify_area+0xea/0x2b0
[ 50.864592]  [] do_readv_writev+0x2ed/0x7a0
[ 50.864595]  [] ? vfs_write+0x520/0x520
[ 50.864599]  [] ? rcu_read_lock_sched_held+0x10b/0x130
[ 50.864603]  [] ? do_signal+0x4b9/0x1920
[ 50.864607]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 50.864611]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 50.864614]  [] vfs_writev+0x89/0xc0
[ 50.864618]  [] do_writev+0xe9/0x260
[ 50.864621]  [] ? vfs_writev+0xc0/0xc0
[ 50.864625]  [] ? SyS_readv+0x30/0x30
[ 50.864628]  [] SyS_writev+0x28/0x30
[ 50.864632]  [] do_syscall_64+0x1ad/0x570
[ 50.864636]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 50.870915] Kernel Offset: disabled
[ 51.822106] Rebooting in 86400 seconds..