[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 10.161510] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 13.610881] random: crng init done
Warning: Permanently added '10.128.0.90' (ECDSA) to the list of known hosts.
executing program
executing program
[ 30.000409] ==================================================================
[ 30.007925] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 30.015023] Write of size 4 at addr ffff8801ce744308 by task syz-executor443/2058
[ 30.022616]
[ 30.024317] CPU: 1 PID: 2058 Comm: syz-executor443 Not tainted 4.9.151+ #12
[ 30.031412]  ffff8801db707950 ffffffff81b46e21 0000000000000001 ffffea000739d100
[ 30.039402]  ffff8801ce744308 0000000000000004 ffffffff82601b3e ffff8801db707988
[ 30.047448]  ffffffff81502195 0000000000000001 ffff8801ce744308 ffff8801ce744308
[ 30.055470] Call Trace:
[ 30.058026]
[ 30.060078]  [] dump_stack+0xc1/0x120
[ 30.065444]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 30.072006]  [] print_address_description+0x6f/0x238
[ 30.078651]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 30.085212]  [] kasan_report.cold+0x8c/0x2ba
[ 30.091163]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 30.097577]  [] __asan_report_store4_noabort+0x17/0x20
[ 30.104406]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 30.110787]  [] nf_iterate+0x12e/0x310
[ 30.116234]  [] nf_hook_slow+0x114/0x1f0
[ 30.121850]  [] ? nf_iterate+0x310/0x310
[ 30.127481]  [] ip_rcv+0xb79/0xf90
[ 30.132570]  [] ? ip_rcv+0x8be/0xf90
[ 30.137820]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 30.143938]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 30.150668]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 30.156788]  [] __netif_receive_skb_core+0x1156/0x2990
[ 30.163859]  [] ? dev_loopback_xmit+0x430/0x430
[ 30.170070]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.176816]  [] ? check_preemption_disabled+0x3c/0x200
[ 30.183632]  [] ? process_backlog+0x190/0x610
[ 30.189664]  [] __netif_receive_skb+0x58/0x1c0
[ 30.195784]  [] process_backlog+0x1e8/0x610
[ 30.201660]  [] ? process_backlog+0x190/0x610
[ 30.207750]  [] ? trace_hardirqs_on+0x10/0x10
[ 30.213806]  [] net_rx_action+0x3aa/0xdd0
[ 30.219496]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 30.227357]  [] __do_softirq+0x22d/0x964
[ 30.232960]  [] do_softirq_own_stack+0x1c/0x30
[ 30.239084]
[ 30.241126]  [] do_softirq.part.0+0x62/0x70
[ 30.247007]  [] do_softirq+0x18/0x20
[ 30.252259]  [] netif_rx_ni+0xbe/0x310
[ 30.257685]  [] tun_get_user+0xcd2/0x2430
[ 30.263400]  [] ? tun_select_queue+0x400/0x400
[ 30.269535]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.276276]  [] tun_chr_write_iter+0xda/0x190
[ 30.282318]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 30.288618]  [] ? vfs_iter_write+0x460/0x460
[ 30.294594]  [] ? selinux_file_permission+0x85/0x470
[ 30.294603]  [] ? security_file_permission+0x8f/0x1f0
[ 30.294610]  [] ? rw_verify_area+0xea/0x2b0
[ 30.294620]  [] do_readv_writev+0x2ed/0x7a0
[ 30.294626]  [] ? vfs_write+0x520/0x520
[ 30.294632]  [] ? __lru_cache_add+0x186/0x250
[ 30.294640]  [] ? __this_cpu_preempt_check+0x1d/0x30
[ 30.294647]  [] ? _raw_spin_unlock+0x2d/0x50
[ 30.294654]  [] ? handle_mm_fault+0x54a/0x2380
[ 30.294660]  [] ? vm_insert_page+0x840/0x840
[ 30.294667]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.294673]  [] vfs_writev+0x89/0xc0
[ 30.294679]  [] do_writev+0xe9/0x260
[ 30.294685]  [] ? vfs_writev+0xc0/0xc0
[ 30.294691]  [] ? SyS_readv+0x30/0x30
[ 30.294710]  [] SyS_writev+0x28/0x30
[ 30.294717]  [] do_syscall_64+0x1ad/0x570
[ 30.294740]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 30.294743]
[ 30.294747] Allocated by task 2058:
[ 30.294757]  save_stack_trace+0x16/0x20
[ 30.294762]  kasan_kmalloc.part.0+0x62/0xf0
[ 30.294767]  kasan_kmalloc+0xb7/0xd0
[ 30.294772]  kasan_slab_alloc+0xf/0x20
[ 30.294778]  kmem_cache_alloc+0xd5/0x2b0
[ 30.294783]  __alloc_skb+0xe7/0x5e0
[ 30.294788]  alloc_skb_with_frags+0xb0/0x4f0
[ 30.294795]  sock_alloc_send_pskb+0x5ec/0x760
[ 30.294801]  tun_get_user+0x53b/0x2430
[ 30.294807]  tun_chr_write_iter+0xda/0x190
[ 30.294812]  do_iter_readv_writev+0x3d9/0x4b0
[ 30.294817]  do_readv_writev+0x2ed/0x7a0
[ 30.294821]  vfs_writev+0x89/0xc0
[ 30.294826]  do_writev+0xe9/0x260
[ 30.294830]  SyS_writev+0x28/0x30
[ 30.294835]  do_syscall_64+0x1ad/0x570
[ 30.294841]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 30.294842]
[ 30.294845] Freed by task 2058:
[ 30.294851]  save_stack_trace+0x16/0x20
[ 30.294856]  kasan_slab_free+0xb0/0x190
[ 30.294861]  kmem_cache_free+0xbe/0x310
[ 30.294867]  kfree_skbmem+0x9f/0x100
[ 30.294873]  kfree_skb+0xd4/0x350
[ 30.294880]  ip_defrag+0x620/0x3bc0
[ 30.294887]  ipv4_conntrack_defrag+0x1b4/0x2f0
[ 30.294893]  nf_iterate+0x12e/0x310
[ 30.294898]  nf_hook_slow+0x114/0x1f0
[ 30.294903]  ip_rcv+0xb79/0xf90
[ 30.294909]  __netif_receive_skb_core+0x1156/0x2990
[ 30.294914]  __netif_receive_skb+0x58/0x1c0
[ 30.294919]  process_backlog+0x1e8/0x610
[ 30.294925]  net_rx_action+0x3aa/0xdd0
[ 30.294931]  __do_softirq+0x22d/0x964
[ 30.294932]
[ 30.294938] The buggy address belongs to the object at ffff8801ce744280
[ 30.294938]  which belongs to the cache skbuff_head_cache of size 224
[ 30.294943] The buggy address is located 136 bytes inside of
[ 30.294943]  224-byte region [ffff8801ce744280, ffff8801ce744360)
[ 30.294945] The buggy address belongs to the page:
[ 30.294953] page:ffffea000739d100 count:1 mapcount:0 mapping: (null) index:0xffff8801ce744dc0
[ 30.294957] flags: 0x4000000000000080(slab)
[ 30.294959] page dumped because: kasan: bad access detected
[ 30.294960]
[ 30.294962] Memory state around the buggy address:
[ 30.294968]  ffff8801ce744200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.294973]  ffff8801ce744280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.294978] >ffff8801ce744300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 30.294980]                                            ^
[ 30.294985]  ffff8801ce744380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 30.294989]  ffff8801ce744400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.294991] ==================================================================
[ 30.294993] Disabling lock debugging due to kernel taint
[ 30.295066] Kernel panic - not syncing: panic_on_warn set ...
[ 30.295066]
[ 30.295074] CPU: 1 PID: 2058 Comm: syz-executor443 Tainted: G B 4.9.151+ #12
[ 30.295085]  ffff8801db707890 ffffffff81b46e21 ffff8801db707900 ffffffff82e43922
[ 30.295094]  00000000ffffffff 0000000000000001 ffffffff82601b3e ffff8801db707970
[ 30.295102]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081
[ 30.295104] Call Trace:
[ 30.295113]
[ 30.295114]  [] dump_stack+0xc1/0x120
[ 30.295121]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 30.295129]  [] panic+0x1d9/0x3bd
[ 30.295135]  [] ? add_taint.cold+0x16/0x16
[ 30.295142]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 30.295151]  [] kasan_end_report+0x47/0x4f
[ 30.295158]  [] kasan_report.cold+0xa9/0x2ba
[ 30.295165]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 30.295172]  [] __asan_report_store4_noabort+0x17/0x20
[ 30.295178]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 30.295185]  [] nf_iterate+0x12e/0x310
[ 30.295191]  [] nf_hook_slow+0x114/0x1f0
[ 30.295197]  [] ? nf_iterate+0x310/0x310
[ 30.295203]  [] ip_rcv+0xb79/0xf90
[ 30.295210]  [] ? ip_rcv+0x8be/0xf90
[ 30.295217]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 30.295224]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 30.295231]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 30.295237]  [] __netif_receive_skb_core+0x1156/0x2990
[ 30.295244]  [] ? dev_loopback_xmit+0x430/0x430
[ 30.295250]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.295257]  [] ? check_preemption_disabled+0x3c/0x200
[ 30.295264]  [] ? process_backlog+0x190/0x610
[ 30.295270]  [] __netif_receive_skb+0x58/0x1c0
[ 30.295276]  [] process_backlog+0x1e8/0x610
[ 30.295283]  [] ? process_backlog+0x190/0x610
[ 30.295289]  [] ? trace_hardirqs_on+0x10/0x10
[ 30.295296]  [] net_rx_action+0x3aa/0xdd0
[ 30.295303]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 30.295311]  [] __do_softirq+0x22d/0x964
[ 30.295318]  [] do_softirq_own_stack+0x1c/0x30
[ 30.295327]
[ 30.295328]  [] do_softirq.part.0+0x62/0x70
[ 30.295334]  [] do_softirq+0x18/0x20
[ 30.295339]  [] netif_rx_ni+0xbe/0x310
[ 30.295346]  [] tun_get_user+0xcd2/0x2430
[ 30.295353]  [] ? tun_select_queue+0x400/0x400
[ 30.295359]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.295367]  [] tun_chr_write_iter+0xda/0x190
[ 30.295373]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 30.295379]  [] ? vfs_iter_write+0x460/0x460
[ 30.295401]  [] ? selinux_file_permission+0x85/0x470
[ 30.295407]  [] ? security_file_permission+0x8f/0x1f0
[ 30.295413]  [] ? rw_verify_area+0xea/0x2b0
[ 30.295419]  [] do_readv_writev+0x2ed/0x7a0
[ 30.295425]  [] ? vfs_write+0x520/0x520
[ 30.295431]  [] ? __lru_cache_add+0x186/0x250
[ 30.295437]  [] ? __this_cpu_preempt_check+0x1d/0x30
[ 30.295444]  [] ? _raw_spin_unlock+0x2d/0x50
[ 30.295450]  [] ? handle_mm_fault+0x54a/0x2380
[ 30.295471]  [] ? vm_insert_page+0x840/0x840
[ 30.295477]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.295483]  [] vfs_writev+0x89/0xc0
[ 30.295489]  [] do_writev+0xe9/0x260
[ 30.295495]  [] ? vfs_writev+0xc0/0xc0
[ 30.295501]  [] ? SyS_readv+0x30/0x30
[ 30.295507]  [] SyS_writev+0x28/0x30
[ 30.295513]  [] do_syscall_64+0x1ad/0x570
[ 30.295520]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 30.301705] Kernel Offset: disabled
[ 31.051895] Rebooting in 86400 seconds..