[ ok ].
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: 
[ 11.195604] random: crng init done
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.217' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [ 43.932648] ==================================================================
[ 43.933914] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 43.935079] Write of size 4 at addr ffff8801cea9e448 by task syz-executor738/2062
[ 43.936178] 
[ 43.936476] CPU: 1 PID: 2062 Comm: syz-executor738 Not tainted 4.9.151+ #10
[ 43.937679]  ffff8801db707950 ffffffff81b46e61 0000000000000001 ffffea00073aa780
[ 43.938940]  ffff8801cea9e448 0000000000000004 ffffffff8260164e ffff8801db707988
[ 43.940225]  ffffffff81502195 0000000000000001 ffff8801cea9e448 ffff8801cea9e448
[ 43.941447] Call Trace:
[ 43.941842] 
[ 43.942236]  [] dump_stack+0xc1/0x120
[ 43.943006]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 43.943950]  [] print_address_description+0x6f/0x238
[ 43.944911]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 43.946035]  [] kasan_report.cold+0x8c/0x2ba
[ 43.946869]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 43.947818]  [] __asan_report_store4_noabort+0x17/0x20
[ 43.948790]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 43.949819]  [] nf_iterate+0x12e/0x310
[ 43.950635]  [] nf_hook_slow+0x114/0x1f0
[ 43.951485]  [] ? nf_iterate+0x310/0x310
[ 43.952297]  [] ip_rcv+0xb79/0xf90
[ 43.954206]  [] ? ip_rcv+0x8be/0xf90
[ 43.959458]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 43.965606]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 43.972334]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 43.978455]  [] __netif_receive_skb_core+0x1156/0x2990
[ 43.985268]  [] ? dev_loopback_xmit+0x430/0x430
[ 43.991478]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 43.998207]  [] ? check_preemption_disabled+0x3c/0x200
[ 44.005023]  [] ? process_backlog+0x190/0x610
[ 44.011054]  [] __netif_receive_skb+0x58/0x1c0
[ 44.017175]  [] process_backlog+0x1e8/0x610
[ 44.023031]  [] ? process_backlog+0x190/0x610
[ 44.029063]  [] ? trace_hardirqs_on+0x10/0x10
[ 44.035111]  [] net_rx_action+0x3aa/0xdd0
[ 44.040804]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 44.048664]  [] __do_softirq+0x22d/0x964
[ 44.054264]  [] do_softirq_own_stack+0x1c/0x30
[ 44.060378] 
[ 44.062417]  [] do_softirq.part.0+0x62/0x70
[ 44.068291]  [] do_softirq+0x18/0x20
[ 44.073550]  [] netif_rx_ni+0xbe/0x310
[ 44.078974]  [] tun_get_user+0xcd2/0x2430
[ 44.084669]  [] ? tun_select_queue+0x400/0x400
[ 44.090793]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 44.097553]  [] tun_chr_write_iter+0xda/0x190
[ 44.103581]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 44.109874]  [] ? vfs_iter_write+0x460/0x460
[ 44.115824]  [] ? selinux_file_permission+0x85/0x470
[ 44.122462]  [] ? security_file_permission+0x8f/0x1f0
[ 44.129186]  [] ? rw_verify_area+0xea/0x2b0
[ 44.135041]  [] do_readv_writev+0x2ed/0x7a0
[ 44.140892]  [] ? vfs_write+0x520/0x520
[ 44.146398]  [] ? __lru_cache_add+0x186/0x250
[ 44.152429]  [] ? __this_cpu_preempt_check+0x1d/0x30
[ 44.159099]  [] ? _raw_spin_unlock+0x2d/0x50
[ 44.165062]  [] ? handle_mm_fault+0x54a/0x2380
[ 44.171181]  [] ? vm_insert_page+0x840/0x840
[ 44.177203]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 44.183979]  [] vfs_writev+0x89/0xc0
[ 44.189339]  [] do_writev+0xe9/0x260
[ 44.194590]  [] ? vfs_writev+0xc0/0xc0
[ 44.200015]  [] ? SyS_readv+0x30/0x30
[ 44.205562]  [] SyS_writev+0x28/0x30
[ 44.210811]  [] do_syscall_64+0x1ad/0x570
[ 44.216509]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 44.223414] 
[ 44.225171] Allocated by task 2062:
[ 44.228792]  save_stack_trace+0x16/0x20
[ 44.232737]  kasan_kmalloc.part.0+0x62/0xf0
[ 44.237030]  kasan_kmalloc+0xb7/0xd0
[ 44.240723]  kasan_slab_alloc+0xf/0x20
[ 44.244583]  kmem_cache_alloc+0xd5/0x2b0
[ 44.248613]  __alloc_skb+0xe7/0x5e0
[ 44.252213]  alloc_skb_with_frags+0xb0/0x4f0
[ 44.256598]  sock_alloc_send_pskb+0x5ec/0x760
[ 44.261065]  tun_get_user+0x53b/0x2430
[ 44.264923]  tun_chr_write_iter+0xda/0x190
[ 44.269129]  do_iter_readv_writev+0x3d9/0x4b0
[ 44.273599]  do_readv_writev+0x2ed/0x7a0
[ 44.277631]  vfs_writev+0x89/0xc0
[ 44.281057]  do_writev+0xe9/0x260
[ 44.284483]  SyS_writev+0x28/0x30
[ 44.287907]  do_syscall_64+0x1ad/0x570
[ 44.291768]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 44.296844] 
[ 44.298444] Freed by task 2062:
[ 44.301892]  save_stack_trace+0x16/0x20
[ 44.305856]  kasan_slab_free+0xb0/0x190
[ 44.309937]  kmem_cache_free+0xbe/0x310
[ 44.313900]  kfree_skbmem+0x9f/0x100
[ 44.317585]  kfree_skb+0xd4/0x350
[ 44.321024]  ip_defrag+0x620/0x3bc0
[ 44.324622]  ipv4_conntrack_defrag+0x1b4/0x2f0
[ 44.329193]  nf_iterate+0x12e/0x310
[ 44.332798]  nf_hook_slow+0x114/0x1f0
[ 44.336570]  ip_rcv+0xb79/0xf90
[ 44.339837]  __netif_receive_skb_core+0x1156/0x2990
[ 44.344859]  __netif_receive_skb+0x58/0x1c0
[ 44.349157]  process_backlog+0x1e8/0x610
[ 44.353189]  net_rx_action+0x3aa/0xdd0
[ 44.357081]  __do_softirq+0x22d/0x964
[ 44.360849] 
[ 44.362446] The buggy address belongs to the object at ffff8801cea9e3c0
[ 44.362446]  which belongs to the cache skbuff_head_cache of size 224
[ 44.375675] The buggy address is located 136 bytes inside of
[ 44.375675]  224-byte region [ffff8801cea9e3c0, ffff8801cea9e4a0)
[ 44.387515] The buggy address belongs to the page:
[ 44.392411] page:ffffea00073aa780 count:1 mapcount:0 mapping: (null) index:0xffff8801cea9edc0
[ 44.401939] flags: 0x4000000000000080(slab)
[ 44.406226] page dumped because: kasan: bad access detected
[ 44.411902] 
[ 44.413617] Memory state around the buggy address:
[ 44.418521]  ffff8801cea9e300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 44.425865]  ffff8801cea9e380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 44.433211] >ffff8801cea9e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.440536]                                      ^
[ 44.446217]  ffff8801cea9e480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.453545]  ffff8801cea9e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 44.460870] ==================================================================
[ 44.468195] Disabling lock debugging due to kernel taint
[ 44.473668] Kernel panic - not syncing: panic_on_warn set ...
[ 44.473668] 
[ 44.481005] CPU: 1 PID: 2062 Comm: syz-executor738 Tainted: G B 4.9.151+ #10
[ 44.489287]  ffff8801db707890 ffffffff81b46e61 ffff8801db707900 ffffffff82e4383a
[ 44.497334]  00000000ffffffff 0000000000000001 ffffffff8260164e ffff8801db707970
[ 44.505322]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35962 ffffffff813f7081
[ 44.513304] Call Trace:
[ 44.515868] 
[ 44.517905]  [] dump_stack+0xc1/0x120
[ 44.523256]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 44.529805]  [] panic+0x1d9/0x3bd
[ 44.534960]  [] ? add_taint.cold+0x16/0x16
[ 44.540755]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 44.547318]  [] kasan_end_report+0x47/0x4f
[ 44.553091]  [] kasan_report.cold+0xa9/0x2ba
[ 44.559141]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 44.565521]  [] __asan_report_store4_noabort+0x17/0x20
[ 44.572568]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 44.578975]  [] nf_iterate+0x12e/0x310
[ 44.584396]  [] nf_hook_slow+0x114/0x1f0
[ 44.590016]  [] ? nf_iterate+0x310/0x310
[ 44.595610]  [] ip_rcv+0xb79/0xf90
[ 44.600681]  [] ? ip_rcv+0x8be/0xf90
[ 44.605926]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 44.612041]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 44.618761]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 44.624882]  [] __netif_receive_skb_core+0x1156/0x2990
[ 44.631689]  [] ? dev_loopback_xmit+0x430/0x430
[ 44.637892]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 44.644673]  [] ? check_preemption_disabled+0x3c/0x200
[ 44.651488]  [] ? process_backlog+0x190/0x610
[ 44.657516]  [] __netif_receive_skb+0x58/0x1c0
[ 44.663631]  [] process_backlog+0x1e8/0x610
[ 44.669485]  [] ? process_backlog+0x190/0x610
[ 44.675527]  [] ? trace_hardirqs_on+0x10/0x10
[ 44.681552]  [] net_rx_action+0x3aa/0xdd0
[ 44.687235]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 44.695088]  [] __do_softirq+0x22d/0x964
[ 44.700680]  [] do_softirq_own_stack+0x1c/0x30
[ 44.706795] 
[ 44.708847]  [] do_softirq.part.0+0x62/0x70
[ 44.714721]  [] do_softirq+0x18/0x20
[ 44.719965]  [] netif_rx_ni+0xbe/0x310
[ 44.725385]  [] tun_get_user+0xcd2/0x2430
[ 44.731066]  [] ? tun_select_queue+0x400/0x400
[ 44.737183]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 44.744015]  [] tun_chr_write_iter+0xda/0x190
[ 44.750059]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 44.756353]  [] ? vfs_iter_write+0x460/0x460
[ 44.762291]  [] ? selinux_file_permission+0x85/0x470
[ 44.768926]  [] ? security_file_permission+0x8f/0x1f0
[ 44.775646]  [] ? rw_verify_area+0xea/0x2b0
[ 44.781502]  [] do_readv_writev+0x2ed/0x7a0
[ 44.787356]  [] ? vfs_write+0x520/0x520
[ 44.792862]  [] ? __lru_cache_add+0x186/0x250
[ 44.798890]  [] ? __this_cpu_preempt_check+0x1d/0x30
[ 44.805526]  [] ? _raw_spin_unlock+0x2d/0x50
[ 44.811468]  [] ? handle_mm_fault+0x54a/0x2380
[ 44.817584]  [] ? vm_insert_page+0x840/0x840
[ 44.823526]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 44.830248]  [] vfs_writev+0x89/0xc0
[ 44.835495]  [] do_writev+0xe9/0x260
[ 44.840853]  [] ? vfs_writev+0xc0/0xc0
[ 44.846278]  [] ? SyS_readv+0x30/0x30
[ 44.851612]  [] SyS_writev+0x28/0x30
[ 44.856859]  [] do_syscall_64+0x1ad/0x570
[ 44.862538]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 44.869724] Kernel Offset: disabled
[ 44.873325] Rebooting in 86400 seconds..