[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ 10.300014] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 13.402006] random: crng init done
Warning: Permanently added '10.128.0.142' (ECDSA) to the list of known hosts.
executing program
executing program
[ 44.175365] ==================================================================
[ 44.182877] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 44.189968] Write of size 4 at addr ffff8801cffdbd08 by task syz-executor489/2066
[ 44.197562]
[ 44.199171] CPU: 1 PID: 2066 Comm: syz-executor489 Not tainted 4.9.151+ #10
[ 44.206245] ffff8801db707950 ffffffff81b46e61 0000000000000001 ffffea00073ff6c0
[ 44.214243] ffff8801cffdbd08 0000000000000004 ffffffff8260164e ffff8801db707988
[ 44.222248] ffffffff81502195 0000000000000001 ffff8801cffdbd08 ffff8801cffdbd08
[ 44.230235] Call Trace:
[ 44.233035]
[ 44.235079] [] dump_stack+0xc1/0x120
[ 44.240544] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 44.247110] [] print_address_description+0x6f/0x238
[ 44.253955] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 44.260601] [] kasan_report.cold+0x8c/0x2ba
[ 44.266667] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 44.273053] [] __asan_report_store4_noabort+0x17/0x20
[ 44.279868] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 44.286346] [] nf_iterate+0x12e/0x310
[ 44.291783] [] nf_hook_slow+0x114/0x1f0
[ 44.297386] [] ? nf_iterate+0x310/0x310
[ 44.303317] [] ip_rcv+0xb79/0xf90
[ 44.308488] [] ? ip_rcv+0x8be/0xf90
[ 44.313766] [] ? ip_local_deliver+0x4d0/0x4d0
[ 44.319894] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 44.326631] [] ? ip_local_deliver+0x4d0/0x4d0
[ 44.332872] [] __netif_receive_skb_core+0x1156/0x2990
[ 44.339695] [] ? dev_loopback_xmit+0x430/0x430
[ 44.346000] [] ? check_preemption_disabled+0x3c/0x200
[ 44.352935] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 44.359673] [] ? check_preemption_disabled+0x3c/0x200
[ 44.366498] [] ? process_backlog+0x190/0x610
[ 44.372966] [] __netif_receive_skb+0x58/0x1c0
[ 44.379351] [] process_backlog+0x1e8/0x610
[ 44.385555] [] ? process_backlog+0x190/0x610
[ 44.391879] [] ? trace_hardirqs_on+0x10/0x10
[ 44.398129] [] net_rx_action+0x3aa/0xdd0
[ 44.403832] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 44.411813] [] __do_softirq+0x22d/0x964
[ 44.417593] [] do_softirq_own_stack+0x1c/0x30
[ 44.423712]
[ 44.425756] [] do_softirq.part.0+0x62/0x70
[ 44.431638] [] do_softirq+0x18/0x20
[ 44.436909] [] netif_rx_ni+0xbe/0x310
[ 44.442337] [] tun_get_user+0xcd2/0x2430
[ 44.448026] [] ? tun_select_queue+0x400/0x400
[ 44.454150] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 44.460877] [] tun_chr_write_iter+0xda/0x190
[ 44.466914] [] do_iter_readv_writev+0x3d9/0x4b0
[ 44.473206] [] ? vfs_iter_write+0x460/0x460
[ 44.479158] [] ? selinux_file_permission+0x85/0x470
[ 44.486082] [] ? security_file_permission+0x8f/0x1f0
[ 44.492812] [] ? rw_verify_area+0xea/0x2b0
[ 44.498692] [] do_readv_writev+0x2ed/0x7a0
[ 44.504607] [] ? vfs_write+0x520/0x520
[ 44.510166] [] ? __lru_cache_add+0x186/0x250
[ 44.516206] [] ? __this_cpu_preempt_check+0x1d/0x30
[ 44.522946] [] ? _raw_spin_unlock+0x2d/0x50
[ 44.528914] [] ? handle_mm_fault+0x54a/0x2380
[ 44.535083] [] ? vm_insert_page+0x840/0x840
[ 44.541093] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 44.547830] [] vfs_writev+0x89/0xc0
[ 44.553084] [] do_writev+0xe9/0x260
[ 44.558336] [] ? vfs_writev+0xc0/0xc0
[ 44.563768] [] ? SyS_readv+0x30/0x30
[ 44.569183] [] SyS_writev+0x28/0x30
[ 44.574738] [] do_syscall_64+0x1ad/0x570
[ 44.580525] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 44.587424]
[ 44.589030] Allocated by task 2066:
[ 44.592648] save_stack_trace+0x16/0x20
[ 44.596707] kasan_kmalloc.part.0+0x62/0xf0
[ 44.601068] kasan_kmalloc+0xb7/0xd0
[ 44.604769] kasan_slab_alloc+0xf/0x20
[ 44.608651] kmem_cache_alloc+0xd5/0x2b0
[ 44.612709] __alloc_skb+0xe7/0x5e0
[ 44.616313] alloc_skb_with_frags+0xb0/0x4f0
[ 44.620762] sock_alloc_send_pskb+0x5ec/0x760
[ 44.625247] tun_get_user+0x53b/0x2430
[ 44.629117] tun_chr_write_iter+0xda/0x190
[ 44.633429] do_iter_readv_writev+0x3d9/0x4b0
[ 44.637912] do_readv_writev+0x2ed/0x7a0
[ 44.641945] vfs_writev+0x89/0xc0
[ 44.645371] do_writev+0xe9/0x260
[ 44.648839] SyS_writev+0x28/0x30
[ 44.652272] do_syscall_64+0x1ad/0x570
[ 44.656133] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 44.661210]
[ 44.662811] Freed by task 2066:
[ 44.666068] save_stack_trace+0x16/0x20
[ 44.670080] kasan_slab_free+0xb0/0x190
[ 44.674035] kmem_cache_free+0xbe/0x310
[ 44.678004] kfree_skbmem+0x9f/0x100
[ 44.681700] kfree_skb+0xd4/0x350
[ 44.685138] ip_defrag+0x620/0x3bc0
[ 44.688759] ipv4_conntrack_defrag+0x1b4/0x2f0
[ 44.693322] nf_iterate+0x12e/0x310
[ 44.696925] nf_hook_slow+0x114/0x1f0
[ 44.700706] ip_rcv+0xb79/0xf90
[ 44.703965] __netif_receive_skb_core+0x1156/0x2990
[ 44.709060] __netif_receive_skb+0x58/0x1c0
[ 44.713475] process_backlog+0x1e8/0x610
[ 44.717516] net_rx_action+0x3aa/0xdd0
[ 44.721385] __do_softirq+0x22d/0x964
[ 44.725159]
[ 44.726762] The buggy address belongs to the object at ffff8801cffdbc80
[ 44.726762]  which belongs to the cache skbuff_head_cache of size 224
[ 44.739976] The buggy address is located 136 bytes inside of
[ 44.739976]  224-byte region [ffff8801cffdbc80, ffff8801cffdbd60)
[ 44.751960] The buggy address belongs to the page:
[ 44.756869] page:ffffea00073ff6c0 count:1 mapcount:0 mapping:          (null) index:0x0
[ 44.765102] flags: 0x4000000000000080(slab)
[ 44.769507] page dumped because: kasan: bad access detected
[ 44.775291]
[ 44.776915] Memory state around the buggy address:
[ 44.782019]  ffff8801cffdbc00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.789353]  ffff8801cffdbc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.796691] >ffff8801cffdbd00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 44.804024]                                            ^
[ 44.807634]  ffff8801cffdbd80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 44.814982]  ffff8801cffdbe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 44.822317] ==================================================================
[ 44.829764] Disabling lock debugging due to kernel taint
[ 44.835446] Kernel panic - not syncing: panic_on_warn set ...
[ 44.835446]
[ 44.842801] CPU: 1 PID: 2066 Comm: syz-executor489 Tainted: G    B   4.9.151+ #10
[ 44.851097] ffff8801db707890 ffffffff81b46e61 ffff8801db707900 ffffffff82e4383a
[ 44.859268] 00000000ffffffff 0000000000000001 ffffffff8260164e ffff8801db707970
[ 44.867488] ffffffff813f725a 0000000041b58ab3 ffffffff82e35962 ffffffff813f7081
[ 44.875586] Call Trace:
[ 44.878171]
[ 44.880342] [] dump_stack+0xc1/0x120
[ 44.885730] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 44.892324] [] panic+0x1d9/0x3bd
[ 44.897335] [] ? add_taint.cold+0x16/0x16
[ 44.903114] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 44.909775] [] kasan_end_report+0x47/0x4f
[ 44.915658] [] kasan_report.cold+0xa9/0x2ba
[ 44.921640] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 44.928243] [] __asan_report_store4_noabort+0x17/0x20
[ 44.935120] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 44.941522] [] nf_iterate+0x12e/0x310
[ 44.946972] [] nf_hook_slow+0x114/0x1f0
[ 44.952606] [] ? nf_iterate+0x310/0x310
[ 44.958241] [] ip_rcv+0xb79/0xf90
[ 44.963334] [] ? ip_rcv+0x8be/0xf90
[ 44.968590] [] ? ip_local_deliver+0x4d0/0x4d0
[ 44.974825] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 44.982012] [] ? ip_local_deliver+0x4d0/0x4d0
[ 44.988139] [] __netif_receive_skb_core+0x1156/0x2990
[ 44.994962] [] ? dev_loopback_xmit+0x430/0x430
[ 45.001309] [] ? check_preemption_disabled+0x3c/0x200
[ 45.008244] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 45.014989] [] ? check_preemption_disabled+0x3c/0x200
[ 45.021817] [] ? process_backlog+0x190/0x610
[ 45.027883] [] __netif_receive_skb+0x58/0x1c0
[ 45.034352] [] process_backlog+0x1e8/0x610
[ 45.040354] [] ? process_backlog+0x190/0x610
[ 45.046394] [] ? trace_hardirqs_on+0x10/0x10
[ 45.052436] [] net_rx_action+0x3aa/0xdd0
[ 45.058224] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 45.066152] [] __do_softirq+0x22d/0x964
[ 45.071758] [] do_softirq_own_stack+0x1c/0x30
[ 45.077880]
[ 45.080052] [] do_softirq.part.0+0x62/0x70
[ 45.085933] [] do_softirq+0x18/0x20
[ 45.091189] [] netif_rx_ni+0xbe/0x310
[ 45.096769] [] tun_get_user+0xcd2/0x2430
[ 45.102461] [] ? tun_select_queue+0x400/0x400
[ 45.108716] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 45.115557] [] tun_chr_write_iter+0xda/0x190
[ 45.121647] [] do_iter_readv_writev+0x3d9/0x4b0
[ 45.128001] [] ? vfs_iter_write+0x460/0x460
[ 45.133968] [] ? selinux_file_permission+0x85/0x470
[ 45.140737] [] ? security_file_permission+0x8f/0x1f0
[ 45.147497] [] ? rw_verify_area+0xea/0x2b0
[ 45.153500] [] do_readv_writev+0x2ed/0x7a0
[ 45.159454] [] ? vfs_write+0x520/0x520
[ 45.165165] [] ? __lru_cache_add+0x186/0x250
[ 45.171233] [] ? __this_cpu_preempt_check+0x1d/0x30
[ 45.178015] [] ? _raw_spin_unlock+0x2d/0x50
[ 45.183998] [] ? handle_mm_fault+0x54a/0x2380
[ 45.190277] [] ? vm_insert_page+0x840/0x840
[ 45.196393] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 45.203125] [] vfs_writev+0x89/0xc0
[ 45.208396] [] do_writev+0xe9/0x260
[ 45.213669] [] ? vfs_writev+0xc0/0xc0
[ 45.219110] [] ? SyS_readv+0x30/0x30
[ 45.224454] [] SyS_writev+0x28/0x30
[ 45.229708] [] do_syscall_64+0x1ad/0x570
[ 45.235498] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 45.242823] Kernel Offset: disabled
[ 45.246514] Rebooting in 86400 seconds..