[ 11.528355] random: crng init done
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.227' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [ 34.032036] ==================================================================
[ 34.033547] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 34.034773] Write of size 4 at addr ffff8801d243b948 by task syz-executor672/2056
[ 34.035871]
[ 34.036195] CPU: 1 PID: 2056 Comm: syz-executor672 Not tainted 4.9.153+ #18
[ 34.037400]  ffff8801db707950 ffffffff81b47491 0000000000000001 ffffea0007490ec0
[ 34.038792]  ffff8801d243b948 0000000000000004 ffffffff826026fe ffff8801db707988
[ 34.040153]  ffffffff81502615 0000000000000001 ffff8801d243b948 ffff8801d243b948
[ 34.041400] Call Trace:
[ 34.041769]
[ 34.042136]  [] dump_stack+0xc1/0x120
[ 34.043027]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 34.043903]  [] print_address_description+0x6f/0x238
[ 34.044893]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 34.045908]  [] kasan_report.cold+0x8c/0x2ba
[ 34.046782]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 34.047664]  [] __asan_report_store4_noabort+0x17/0x20
[ 34.048585]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 34.049452]  [] nf_iterate+0x12e/0x310
[ 34.050183]  [] nf_hook_slow+0x114/0x1f0
[ 34.050964]  [] ? nf_iterate+0x310/0x310
[ 34.051783]  [] ip_rcv+0xb79/0xf90
[ 34.055034]  [] ? ip_rcv+0x8be/0xf90
[ 34.060283]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 34.066396]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 34.073115]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 34.079228]  [] __netif_receive_skb_core+0x1156/0x2990
[ 34.086038]  [] ? dev_loopback_xmit+0x430/0x430
[ 34.092240]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 34.098961]  [] ? check_preemption_disabled+0x3c/0x200
[ 34.105892]  [] ? process_backlog+0x190/0x610
[ 34.111919]  [] __netif_receive_skb+0x58/0x1c0
[ 34.118088]  [] process_backlog+0x1e8/0x610
[ 34.123949]  [] ? process_backlog+0x190/0x610
[ 34.129995]  [] ? trace_hardirqs_on+0x10/0x10
[ 34.136030]  [] net_rx_action+0x3aa/0xdd0
[ 34.141810]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 34.149677]  [] __do_softirq+0x22d/0x964
[ 34.155291]  [] do_softirq_own_stack+0x1c/0x30
[ 34.161405]
[ 34.163440]  [] do_softirq.part.0+0x62/0x70
[ 34.169331]  [] do_softirq+0x18/0x20
[ 34.174579]  [] netif_rx_ni+0xbe/0x310
[ 34.180000]  [] tun_get_user+0xcd2/0x2430
[ 34.185681]  [] ? tun_select_queue+0x400/0x400
[ 34.191797]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 34.198516]  [] tun_chr_write_iter+0xda/0x190
[ 34.204749]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 34.211096]  [] ? vfs_iter_write+0x460/0x460
[ 34.217042]  [] ? selinux_file_permission+0x85/0x470
[ 34.223686]  [] ? security_file_permission+0x8f/0x1f0
[ 34.230430]  [] ? rw_verify_area+0xea/0x2b0
[ 34.236282]  [] do_readv_writev+0x2ed/0x7a0
[ 34.242137]  [] ? vfs_write+0x520/0x520
[ 34.247644]  [] ? __lru_cache_add+0x186/0x250
[ 34.253786]  [] ? __this_cpu_preempt_check+0x1d/0x30
[ 34.260422]  [] ? _raw_spin_unlock+0x2d/0x50
[ 34.266365]  [] ? handle_mm_fault+0x54a/0x2380
[ 34.272484]  [] ? vm_insert_page+0x840/0x840
[ 34.278426]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 34.285147]  [] vfs_writev+0x89/0xc0
[ 34.290400]  [] do_writev+0xe9/0x260
[ 34.295698]  [] ? vfs_writev+0xc0/0xc0
[ 34.301123]  [] ? SyS_readv+0x30/0x30
[ 34.306454]  [] SyS_writev+0x28/0x30
[ 34.311700]  [] do_syscall_64+0x1ad/0x570
[ 34.317380]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 34.324272]
[ 34.325872] Allocated by task 2056:
[ 34.329467]  save_stack_trace+0x16/0x20
[ 34.333499]  kasan_kmalloc.part.0+0x62/0xf0
[ 34.337800]  kasan_kmalloc+0xb7/0xd0
[ 34.341670]  kasan_slab_alloc+0xf/0x20
[ 34.345532]  kmem_cache_alloc+0xd5/0x2b0
[ 34.349591]  __alloc_skb+0xe7/0x5e0
[ 34.353201]  alloc_skb_with_frags+0xb0/0x4f0
[ 34.357605]  sock_alloc_send_pskb+0x5ec/0x760
[ 34.362088]  tun_get_user+0x53b/0x2430
[ 34.365946]  tun_chr_write_iter+0xda/0x190
[ 34.370152]  do_iter_readv_writev+0x3d9/0x4b0
[ 34.374617]  do_readv_writev+0x2ed/0x7a0
[ 34.378650]  vfs_writev+0x89/0xc0
[ 34.382070]  do_writev+0xe9/0x260
[ 34.385496]  SyS_writev+0x28/0x30
[ 34.388922]  do_syscall_64+0x1ad/0x570
[ 34.392782]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 34.397855]
[ 34.399453] Freed by task 2056:
[ 34.402722]  save_stack_trace+0x16/0x20
[ 34.406665]  kasan_slab_free+0xb0/0x190
[ 34.410616]  kmem_cache_free+0xbe/0x310
[ 34.414561]  kfree_skbmem+0x9f/0x100
[ 34.418247]  kfree_skb+0xd4/0x350
[ 34.421690]  ip_defrag+0x620/0x3bc0
[ 34.425286]  ipv4_conntrack_defrag+0x1b4/0x2f0
[ 34.429897]  nf_iterate+0x12e/0x310
[ 34.433518]  nf_hook_slow+0x114/0x1f0
[ 34.437290]  ip_rcv+0xb79/0xf90
[ 34.440538]  __netif_receive_skb_core+0x1156/0x2990
[ 34.445522]  __netif_receive_skb+0x58/0x1c0
[ 34.449822]  process_backlog+0x1e8/0x610
[ 34.453849]  net_rx_action+0x3aa/0xdd0
[ 34.457704]  __do_softirq+0x22d/0x964
[ 34.461468]
[ 34.463067] The buggy address belongs to the object at ffff8801d243b8c0
[ 34.463067]  which belongs to the cache skbuff_head_cache of size 224
[ 34.476211] The buggy address is located 136 bytes inside of
[ 34.476211]  224-byte region [ffff8801d243b8c0, ffff8801d243b9a0)
[ 34.488055] The buggy address belongs to the page:
[ 34.492970] page:ffffea0007490ec0 count:1 mapcount:0 mapping: (null) index:0x0
[ 34.501204] flags: 0x4000000000000080(slab)
[ 34.505493] page dumped because: kasan: bad access detected
[ 34.511167]
[ 34.512763] Memory state around the buggy address:
[ 34.517799]  ffff8801d243b800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 34.525141]  ffff8801d243b880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 34.532473] >ffff8801d243b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.539888]                                               ^
[ 34.545568]  ffff8801d243b980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.552893]  ffff8801d243ba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.560220] ==================================================================
[ 34.567544] Disabling lock debugging due to kernel taint
[ 34.572997] Kernel panic - not syncing: panic_on_warn set ...
[ 34.572997]
[ 34.580345] CPU: 1 PID: 2056 Comm: syz-executor672 Tainted: G B 4.9.153+ #18
[ 34.588625]  ffff8801db707890 ffffffff81b47491 ffff8801db707900 ffffffff82e4391a
[ 34.596672]  00000000ffffffff 0000000000000001 ffffffff826026fe ffff8801db707970
[ 34.604654]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35a42 ffffffff813f7081
[ 34.612783] Call Trace:
[ 34.615334]
[ 34.617368]  [] dump_stack+0xc1/0x120
[ 34.622734]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 34.629284]  [] panic+0x1d9/0x3bd
[ 34.634270]  [] ? add_taint.cold+0x16/0x16
[ 34.640039]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 34.646586]  [] kasan_end_report+0x47/0x4f
[ 34.652368]  [] kasan_report.cold+0xa9/0x2ba
[ 34.658394]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 34.664771]  [] __asan_report_store4_noabort+0x17/0x20
[ 34.671579]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 34.677950]  [] nf_iterate+0x12e/0x310
[ 34.683370]  [] nf_hook_slow+0x114/0x1f0
[ 34.688969]  [] ? nf_iterate+0x310/0x310
[ 34.694571]  [] ip_rcv+0xb79/0xf90
[ 34.699643]  [] ? ip_rcv+0x8be/0xf90
[ 34.704886]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 34.710999]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 34.717717]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 34.723829]  [] __netif_receive_skb_core+0x1156/0x2990
[ 34.730642]  [] ? dev_loopback_xmit+0x430/0x430
[ 34.736844]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 34.743697]  [] ? check_preemption_disabled+0x3c/0x200
[ 34.750509]  [] ? process_backlog+0x190/0x610
[ 34.756543]  [] __netif_receive_skb+0x58/0x1c0
[ 34.762806]  [] process_backlog+0x1e8/0x610
[ 34.768659]  [] ? process_backlog+0x190/0x610
[ 34.774683]  [] ? trace_hardirqs_on+0x10/0x10
[ 34.780709]  [] net_rx_action+0x3aa/0xdd0
[ 34.786389]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 34.794239]  [] __do_softirq+0x22d/0x964
[ 34.799955]  [] do_softirq_own_stack+0x1c/0x30
[ 34.806064]
[ 34.808097]  [] do_softirq.part.0+0x62/0x70
[ 34.813969]  [] do_softirq+0x18/0x20
[ 34.819228]  [] netif_rx_ni+0xbe/0x310
[ 34.824647]  [] tun_get_user+0xcd2/0x2430
[ 34.830326]  [] ? tun_select_queue+0x400/0x400
[ 34.836485]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 34.843219]  [] tun_chr_write_iter+0xda/0x190
[ 34.849247]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 34.855548]  [] ? vfs_iter_write+0x460/0x460
[ 34.861493]  [] ? selinux_file_permission+0x85/0x470
[ 34.868126]  [] ? security_file_permission+0x8f/0x1f0
[ 34.874940]  [] ? rw_verify_area+0xea/0x2b0
[ 34.880793]  [] do_readv_writev+0x2ed/0x7a0
[ 34.886648]  [] ? vfs_write+0x520/0x520
[ 34.892176]  [] ? __lru_cache_add+0x186/0x250
[ 34.898343]  [] ? __this_cpu_preempt_check+0x1d/0x30
[ 34.905087]  [] ? _raw_spin_unlock+0x2d/0x50
[ 34.911037]  [] ? handle_mm_fault+0x54a/0x2380
[ 34.917158]  [] ? vm_insert_page+0x840/0x840
[ 34.923235]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 34.929961]  [] vfs_writev+0x89/0xc0
[ 34.935208]  [] do_writev+0xe9/0x260
[ 34.940462]  [] ? vfs_writev+0xc0/0xc0
[ 34.945879]  [] ? SyS_readv+0x30/0x30
[ 34.951212]  [] SyS_writev+0x28/0x30
[ 34.956460]  [] do_syscall_64+0x1ad/0x570
[ 34.962142]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 34.969527] Kernel Offset: disabled
[ 34.973136] Rebooting in 86400 seconds..