[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd: [ ok ] Starting file context maintaining daemon: restorecond.
[....] Starting OpenBSD Secure Shell server: sshd
[ 9.859931] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 31.098355] random: crng init done
Warning: Permanently added '10.128.0.146' (ECDSA) to the list of known hosts.
executing program
executing program
[ 53.532553] ==================================================================
[ 53.539995] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 53.547314] Write of size 4 at addr ffff8801ce8fcd08 by task syz-executor505/2064
[ 53.554916]
[ 53.556527] CPU: 1 PID: 2064 Comm: syz-executor505 Not tainted 4.9.154+ #19
[ 53.563620]  ffff8801db707948 ffffffff81b47411 0000000000000001 ffffea00073a3f00
[ 53.571614]  ffff8801ce8fcd08 0000000000000004 ffffffff826028fe ffff8801db707980
[ 53.579717]  ffffffff81502615 0000000000000001 ffff8801ce8fcd08 ffff8801ce8fcd08
[ 53.587708] Call Trace:
[ 53.590397]
[ 53.592442]  [] dump_stack+0xc1/0x120
[ 53.597802]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 53.604418]  [] print_address_description+0x6f/0x238
[ 53.611074]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 53.617785]  [] kasan_report.cold+0x8c/0x2ba
[ 53.623735]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 53.630123]  [] __asan_report_store4_noabort+0x17/0x20
[ 53.636940]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 53.643424]  [] nf_iterate+0x12e/0x310
[ 53.648869]  [] nf_hook_slow+0x114/0x1f0
[ 53.654472]  [] ? nf_iterate+0x310/0x310
[ 53.660094]  [] ip_rcv+0xbdf/0x1040
[ 53.665273]  [] ? ip_rcv+0x91c/0x1040
[ 53.670609]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 53.676907]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 53.683642]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 53.689898]  [] __netif_receive_skb_core+0x1156/0x2990
[ 53.696733]  [] ? dev_loopback_xmit+0x430/0x430
[ 53.702942]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 53.709710]  [] ? check_preemption_disabled+0x3c/0x200
[ 53.716555]  [] ? process_backlog+0x190/0x610
[ 53.722591]  [] __netif_receive_skb+0x58/0x1c0
[ 53.728714]  [] process_backlog+0x1e8/0x610
[ 53.734575]  [] ? process_backlog+0x190/0x610
[ 53.740614]  [] ? trace_hardirqs_on+0x10/0x10
[ 53.746646]  [] ? rcu_read_lock_sched_held+0x10b/0x130
[ 53.753494]  [] net_rx_action+0x3aa/0xdd0
[ 53.759204]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 53.767068]  [] __do_softirq+0x22d/0x964
[ 53.772671]  [] do_softirq_own_stack+0x1c/0x30
[ 53.778790]
[ 53.780833]  [] do_softirq.part.0+0x62/0x70
[ 53.786841]  [] do_softirq+0x18/0x20
[ 53.792110]  [] netif_rx_ni+0xbe/0x310
[ 53.797541]  [] tun_get_user+0xcd2/0x2430
[ 53.803231]  [] ? tun_select_queue+0x400/0x400
[ 53.809373]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 53.816226]  [] tun_chr_write_iter+0xda/0x190
[ 53.822261]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 53.828557]  [] ? vfs_iter_write+0x460/0x460
[ 53.834509]  [] ? selinux_file_permission+0x85/0x470
[ 53.841163]  [] ? security_file_permission+0x8f/0x1f0
[ 53.848031]  [] ? rw_verify_area+0xea/0x2b0
[ 53.853896]  [] do_readv_writev+0x2ed/0x7a0
[ 53.859882]  [] ? vfs_write+0x520/0x520
[ 53.865562]  [] ? rcu_read_lock_sched_held+0x10b/0x130
[ 53.872396]  [] ? do_signal+0x4b9/0x1920
[ 53.878011]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 53.884131]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 53.890876]  [] vfs_writev+0x89/0xc0
[ 53.896134]  [] do_writev+0xe9/0x260
[ 53.901418]  [] ? vfs_writev+0xc0/0xc0
[ 53.906854]  [] ? SyS_readv+0x30/0x30
[ 53.912198]  [] SyS_writev+0x28/0x30
[ 53.917450]  [] do_syscall_64+0x1ad/0x570
[ 53.923370]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 53.930273]
[ 53.931926] Allocated by task 2064:
[ 53.935552]  save_stack_trace+0x16/0x20
[ 53.939506]  kasan_kmalloc.part.0+0x62/0xf0
[ 53.943805]  kasan_kmalloc+0xb7/0xd0
[ 53.947497]  kasan_slab_alloc+0xf/0x20
[ 53.951366]  kmem_cache_alloc+0xd5/0x2b0
[ 53.955408]  __alloc_skb+0xe7/0x5e0
[ 53.959010]  alloc_skb_with_frags+0xb0/0x4f0
[ 53.963399]  sock_alloc_send_pskb+0x5ec/0x760
[ 53.967890]  tun_get_user+0x53b/0x2430
[ 53.971751]  tun_chr_write_iter+0xda/0x190
[ 53.975960]  do_iter_readv_writev+0x3d9/0x4b0
[ 53.980431]  do_readv_writev+0x2ed/0x7a0
[ 53.984476]  vfs_writev+0x89/0xc0
[ 53.988300]  do_writev+0xe9/0x260
[ 53.991731]  SyS_writev+0x28/0x30
[ 53.995187]  do_syscall_64+0x1ad/0x570
[ 53.999054]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 54.004180]
[ 54.005801] Freed by task 2064:
[ 54.009056]  save_stack_trace+0x16/0x20
[ 54.013018]  kasan_slab_free+0xb0/0x190
[ 54.016964]  kmem_cache_free+0xbe/0x310
[ 54.020912]  kfree_skbmem+0x9f/0x100
[ 54.024603]  kfree_skb+0xd4/0x350
[ 54.028031]  ip_defrag+0x620/0x3bc0
[ 54.031635]  ipv4_conntrack_defrag+0x1b4/0x2f0
[ 54.036195]  nf_iterate+0x12e/0x310
[ 54.039796]  nf_hook_slow+0x114/0x1f0
[ 54.043570]  ip_rcv+0xbdf/0x1040
[ 54.046910]  __netif_receive_skb_core+0x1156/0x2990
[ 54.051900]  __netif_receive_skb+0x58/0x1c0
[ 54.056221]  process_backlog+0x1e8/0x610
[ 54.060285]  net_rx_action+0x3aa/0xdd0
[ 54.064157]  __do_softirq+0x22d/0x964
[ 54.067997]
[ 54.069673] The buggy address belongs to the object at ffff8801ce8fcc80
[ 54.069673]  which belongs to the cache skbuff_head_cache of size 224
[ 54.082876] The buggy address is located 136 bytes inside of
[ 54.082876]  224-byte region [ffff8801ce8fcc80, ffff8801ce8fcd60)
[ 54.094730] The buggy address belongs to the page:
[ 54.099635] page:ffffea00073a3f00 count:1 mapcount:0 mapping: (null) index:0x0
[ 54.107992] flags: 0x4000000000000080(slab)
[ 54.112285] page dumped because: kasan: bad access detected
[ 54.117968]
[ 54.119569] Memory state around the buggy address:
[ 54.124474]  ffff8801ce8fcc00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.131812]  ffff8801ce8fcc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.139163] >ffff8801ce8fcd00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 54.146505]                       ^
[ 54.150105]  ffff8801ce8fcd80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 54.157465]  ffff8801ce8fce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.164800] ==================================================================
[ 54.172130] Disabling lock debugging due to kernel taint
[ 54.177597] Kernel panic - not syncing: panic_on_warn set ...
[ 54.177597]
[ 54.184951] CPU: 1 PID: 2064 Comm: syz-executor505 Tainted: G B 4.9.154+ #19
[ 54.193293]  ffff8801db707888 ffffffff81b47411 ffff8801db707900 ffffffff82e439da
[ 54.201412]  00000000ffffffff 0000000000000001 ffffffff826028fe ffff8801db707968
[ 54.209442]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35b02 ffffffff813f7081
[ 54.217456] Call Trace:
[ 54.220012]
[ 54.222052]  [] dump_stack+0xc1/0x120
[ 54.227411]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 54.233965]  [] panic+0x1d9/0x3bd
[ 54.238956]  [] ? add_taint.cold+0x16/0x16
[ 54.244729]  [] kasan_end_report+0x47/0x4f
[ 54.250503]  [] kasan_report.cold+0xa9/0x2ba
[ 54.256453]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 54.262832]  [] __asan_report_store4_noabort+0x17/0x20
[ 54.269645]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 54.276070]  [] nf_iterate+0x12e/0x310
[ 54.281509]  [] nf_hook_slow+0x114/0x1f0
[ 54.287110]  [] ? nf_iterate+0x310/0x310
[ 54.292708]  [] ip_rcv+0xbdf/0x1040
[ 54.297876]  [] ? ip_rcv+0x91c/0x1040
[ 54.303220]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 54.309350]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 54.316081]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 54.322246]  [] __netif_receive_skb_core+0x1156/0x2990
[ 54.329068]  [] ? dev_loopback_xmit+0x430/0x430
[ 54.335279]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 54.342013]  [] ? check_preemption_disabled+0x3c/0x200
[ 54.348829]  [] ? process_backlog+0x190/0x610
[ 54.355037]  [] __netif_receive_skb+0x58/0x1c0
[ 54.361165]  [] process_backlog+0x1e8/0x610
[ 54.367027]  [] ? process_backlog+0x190/0x610
[ 54.373066]  [] ? trace_hardirqs_on+0x10/0x10
[ 54.379100]  [] ? rcu_read_lock_sched_held+0x10b/0x130
[ 54.386015]  [] net_rx_action+0x3aa/0xdd0
[ 54.391706]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 54.399573]  [] __do_softirq+0x22d/0x964
[ 54.405182]  [] do_softirq_own_stack+0x1c/0x30
[ 54.411307]
[ 54.413362]  [] do_softirq.part.0+0x62/0x70
[ 54.419244]  [] do_softirq+0x18/0x20
[ 54.424502]  [] netif_rx_ni+0xbe/0x310
[ 54.430014]  [] tun_get_user+0xcd2/0x2430
[ 54.435709]  [] ? tun_select_queue+0x400/0x400
[ 54.441833]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 54.448569]  [] tun_chr_write_iter+0xda/0x190
[ 54.454602]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 54.460898]  [] ? vfs_iter_write+0x460/0x460
[ 54.466848]  [] ? selinux_file_permission+0x85/0x470
[ 54.473494]  [] ? security_file_permission+0x8f/0x1f0
[ 54.480222]  [] ? rw_verify_area+0xea/0x2b0
[ 54.486081]  [] do_readv_writev+0x2ed/0x7a0
[ 54.491939]  [] ? vfs_write+0x520/0x520
[ 54.497450]  [] ? rcu_read_lock_sched_held+0x10b/0x130
[ 54.504263]  [] ? do_signal+0x4b9/0x1920
[ 54.509873]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 54.516008]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 54.522734]  [] vfs_writev+0x89/0xc0
[ 54.527980]  [] do_writev+0xe9/0x260
[ 54.533231]  [] ? vfs_writev+0xc0/0xc0
[ 54.538654]  [] ? SyS_readv+0x30/0x30
[ 54.543990]  [] SyS_writev+0x28/0x30
[ 54.549252]  [] do_syscall_64+0x1ad/0x570
[ 54.554936]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 54.562218] Kernel Offset: disabled
[ 54.565824] Rebooting in 86400 seconds..