[....] Starting periodic command scheduler: cron[ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[    9.305262] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   28.300080] random: sshd: uninitialized urandom read (32 bytes read)
[   28.307484] random: crng init done
Warning: Permanently added '10.128.0.93' (ECDSA) to the list of known hosts.
executing program
executing program
[   49.170438] ==================================================================
[   49.177859] BUG: KASAN: use-after-free in ip_check_defrag+0x571/0x5b0
[   49.184537] Write of size 4 at addr ffff8801d26e6e5c by task syz-executor527/2206
[   49.192394]
[   49.194205] CPU: 1 PID: 2206 Comm: syz-executor527 Not tainted 4.9.149+ #4
[   49.201312]  ffff8801cc03f658 ffffffff81b46481 0000000000000001 ffffea000749b980
[   49.209438]  ffff8801d26e6e5c 0000000000000004 ffffffff824a2fe1 ffff8801cc03f690
[   49.217540]  ffffffff815020d5 0000000000000001 ffff8801d26e6e5c ffff8801d26e6e5c
[   49.225762] Call Trace:
[   49.228327]  [] dump_stack+0xc1/0x120
[   49.233877]  [] ? ip_check_defrag+0x571/0x5b0
[   49.239918]  [] print_address_description+0x6f/0x238
[   49.246567]  [] ? ip_check_defrag+0x571/0x5b0
[   49.252699]  [] kasan_report.cold+0x8c/0x2ba
[   49.259117]  [] __asan_report_store4_noabort+0x17/0x20
[   49.266043]  [] ip_check_defrag+0x571/0x5b0
[   49.271906]  [] ? ip_defrag+0x3bc0/0x3bc0
[   49.277706]  [] packet_rcv_fanout+0x51e/0x5f0
[   49.283744]  [] ? fanout_demux_rollover+0x4b0/0x4b0
[   49.290429]  [] dev_queue_xmit_nit+0x5e0/0x800
[   49.297461]  [] ? netif_rx+0x2c0/0x2c0
[   49.302966]  [] dev_hard_start_xmit+0xa7/0x8b0
[   49.309106]  [] __dev_queue_xmit+0x11a3/0x1bd0
[   49.315340]  [] ? __dev_queue_xmit+0x1d4/0x1bd0
[   49.321577]  [] ? netdev_pick_tx+0x300/0x300
[   49.327527]  [] ? skb_copy_datagram_from_iter+0x32b/0x5c0
[   49.334610]  [] ? packet_cached_dev_get+0xfd/0x1f0
[   49.341084]  [] dev_queue_xmit+0x18/0x20
[   49.346881]  [] packet_sendmsg+0x2778/0x4840
[   49.352984]  [] ? check_preemption_disabled+0x3c/0x200
[   49.359935]  [] ? check_preemption_disabled+0x3c/0x200
[   49.366859]  [] ? check_preemption_disabled+0x3c/0x200
[   49.373694]  [] ? sock_has_perm+0x1c8/0x3e0
[   49.379562]  [] ? compat_packet_setsockopt+0x140/0x140
[   49.386501]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   49.392977]  [] ? security_socket_sendmsg+0x8f/0xc0
[   49.399664]  [] ? compat_packet_setsockopt+0x140/0x140
[   49.406493]  [] sock_sendmsg+0xbe/0x110
[   49.412046]  [] SyS_sendto+0x201/0x340
[   49.417571]  [] ? SyS_getpeername+0x2a0/0x2a0
[   49.423721]  [] ? packet_bind+0x140/0x190
[   49.429887]  [] ? SyS_socketpair+0x510/0x510
[   49.435887]  [] ? security_file_ioctl+0x8f/0xc0
[   49.442992]  [] ? do_syscall_64+0x4a/0x570
[   49.449091]  [] ? SyS_getpeername+0x2a0/0x2a0
[   49.455163]  [] do_syscall_64+0x1ad/0x570
[   49.455173]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.455176]
[   49.455180] Allocated by task 2206:
[   49.455189]  save_stack_trace+0x16/0x20
[   49.455197]  kasan_kmalloc.part.0+0x62/0xf0
[   49.455206]  kasan_kmalloc+0xb7/0xd0
[   49.455221]  kasan_slab_alloc+0xf/0x20
[   49.455228]  kmem_cache_alloc+0xd5/0x2b0
[   49.455242]  skb_clone+0x122/0x2a0
[   49.455248]  dev_queue_xmit_nit+0x2d2/0x800
[   49.455253]  dev_hard_start_xmit+0xa7/0x8b0
[   49.455262]  __dev_queue_xmit+0x11a3/0x1bd0
[   49.455267]  dev_queue_xmit+0x18/0x20
[   49.455274]  packet_sendmsg+0x2778/0x4840
[   49.455278]  sock_sendmsg+0xbe/0x110
[   49.455283]  SyS_sendto+0x201/0x340
[   49.455288]  do_syscall_64+0x1ad/0x570
[   49.455294]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.455296]
[   49.455298] Freed by task 2206:
[   49.455305]  save_stack_trace+0x16/0x20
[   49.455310]  kasan_slab_free+0xb0/0x190
[   49.455317]  kmem_cache_free+0xbe/0x310
[   49.455323]  kfree_skbmem+0x9f/0x100
[   49.455328]  kfree_skb+0xd4/0x350
[   49.455335]  ip_defrag+0x620/0x3bc0
[   49.455342]  ip_check_defrag+0x3d6/0x5b0
[   49.455348]  packet_rcv_fanout+0x51e/0x5f0
[   49.455354]  dev_queue_xmit_nit+0x5e0/0x800
[   49.455360]  dev_hard_start_xmit+0xa7/0x8b0
[   49.455365]  __dev_queue_xmit+0x11a3/0x1bd0
[   49.455371]  dev_queue_xmit+0x18/0x20
[   49.455377]  packet_sendmsg+0x2778/0x4840
[   49.455389]  sock_sendmsg+0xbe/0x110
[   49.455395]  SyS_sendto+0x201/0x340
[   49.455398]  do_syscall_64+0x1ad/0x570
[   49.455406]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.455407]
[   49.455412] The buggy address belongs to the object at ffff8801d26e6dc0
[   49.455412]  which belongs to the cache skbuff_head_cache of size 224
[   49.455418] The buggy address is located 156 bytes inside of
[   49.455418]  224-byte region [ffff8801d26e6dc0, ffff8801d26e6ea0)
[   49.455420] The buggy address belongs to the page:
[   49.455428] page:ffffea000749b980 count:1 mapcount:0 mapping:          (null) index:0x0
[   49.455432] flags: 0x4000000000000080(slab)
[   49.455435] page dumped because: kasan: bad access detected
[   49.455436]
[   49.455438] Memory state around the buggy address:
[   49.455445]  ffff8801d26e6d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   49.455451]  ffff8801d26e6d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   49.455456] >ffff8801d26e6e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.455459]                                                     ^
[   49.455464]  ffff8801d26e6e80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   49.455469]  ffff8801d26e6f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.455471] ==================================================================
[   49.455473] Disabling lock debugging due to kernel taint
[   49.455518] Kernel panic - not syncing: panic_on_warn set ...
[   49.455518]
[   49.455526] CPU: 1 PID: 2206 Comm: syz-executor527 Tainted: G    B   4.9.149+ #4
[   49.455539]  ffff8801cc03f598 ffffffff81b46481 ffff8801cc03f600 ffffffff82e436f2
[   49.455548]  00000000ffffffff 0000000000000001 ffffffff824a2fe1 ffff8801cc03f678
[   49.455558]  ffffffff813f727a 0000000041b58ab3 ffffffff82e3581a ffffffff813f70a1
[   49.455560] Call Trace:
[   49.455571]  [] dump_stack+0xc1/0x120
[   49.455579]  [] ? ip_check_defrag+0x571/0x5b0
[   49.455587]  [] panic+0x1d9/0x3bd
[   49.455594]  [] ? add_taint.cold+0x16/0x16
[   49.455614]  [] kasan_end_report+0x47/0x4f
[   49.455622]  [] kasan_report.cold+0xa9/0x2ba
[   49.455629]  [] __asan_report_store4_noabort+0x17/0x20
[   49.455637]  [] ip_check_defrag+0x571/0x5b0
[   49.455645]  [] ? ip_defrag+0x3bc0/0x3bc0
[   49.455653]  [] packet_rcv_fanout+0x51e/0x5f0
[   49.455661]  [] ? fanout_demux_rollover+0x4b0/0x4b0
[   49.455669]  [] dev_queue_xmit_nit+0x5e0/0x800
[   49.455676]  [] ? netif_rx+0x2c0/0x2c0
[   49.455684]  [] dev_hard_start_xmit+0xa7/0x8b0
[   49.455691]  [] __dev_queue_xmit+0x11a3/0x1bd0
[   49.455698]  [] ? __dev_queue_xmit+0x1d4/0x1bd0
[   49.455705]  [] ? netdev_pick_tx+0x300/0x300
[   49.455713]  [] ? skb_copy_datagram_from_iter+0x32b/0x5c0
[   49.455721]  [] ? packet_cached_dev_get+0xfd/0x1f0
[   49.455729]  [] dev_queue_xmit+0x18/0x20
[   49.455736]  [] packet_sendmsg+0x2778/0x4840
[   49.455744]  [] ? check_preemption_disabled+0x3c/0x200
[   49.455752]  [] ? check_preemption_disabled+0x3c/0x200
[   49.455759]  [] ? check_preemption_disabled+0x3c/0x200
[   49.455768]  [] ? sock_has_perm+0x1c8/0x3e0
[   49.455777]  [] ? compat_packet_setsockopt+0x140/0x140
[   49.455785]  [] ? selinux_socket_sendmsg+0x3f/0x50
[   49.455793]  [] ? security_socket_sendmsg+0x8f/0xc0
[   49.455801]  [] ? compat_packet_setsockopt+0x140/0x140
[   49.455807]  [] sock_sendmsg+0xbe/0x110
[   49.455814]  [] SyS_sendto+0x201/0x340
[   49.455821]  [] ? SyS_getpeername+0x2a0/0x2a0
[   49.455829]  [] ? packet_bind+0x140/0x190
[   49.455836]  [] ? SyS_socketpair+0x510/0x510
[   49.455843]  [] ? security_file_ioctl+0x8f/0xc0
[   49.455849]  [] ? do_syscall_64+0x4a/0x570
[   49.455856]  [] ? SyS_getpeername+0x2a0/0x2a0
[   49.455862]  [] do_syscall_64+0x1ad/0x570
[   49.455870]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.461341] Kernel Offset: disabled
[   50.010658] Rebooting in 86400 seconds..