[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 11.562607] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [ 12.345820] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 34.240866] ================================================================== [ 34.242362] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0 [ 34.243418] Write of size 4 at addr ffff8801ceb041c8 by task syz-executor319/2061 [ 34.244697] [ 34.244943] CPU: 0 PID: 2061 Comm: syz-executor319 Not tainted 4.9.151+ #10 [ 34.246095] ffff8801db607950 ffffffff81b46e61 0000000000000001 ffffea00073ac100 [ 34.247310] ffff8801ceb041c8 0000000000000004 ffffffff8260164e ffff8801db607988 [ 34.248543] ffffffff81502195 0000000000000001 ffff8801ceb041c8 ffff8801ceb041c8 [ 34.249791] Call Trace: [ 34.250168] [ 34.250468] [] dump_stack+0xc1/0x120 [ 34.251282] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 34.252246] [] print_address_description+0x6f/0x238 [ 34.253176] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 34.254145] [] kasan_report.cold+0x8c/0x2ba [ 34.255068] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 34.256131] [] __asan_report_store4_noabort+0x17/0x20 [ 34.257127] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 34.258034] [] nf_iterate+0x12e/0x310 [ 34.258843] [] nf_hook_slow+0x114/0x1f0 [ 34.259644] [] ? nf_iterate+0x310/0x310 [ 34.260505] [] ip_rcv+0xb79/0xf90 [ 34.262868] [] ? ip_rcv+0x8be/0xf90 [ 34.268127] [] ? ip_local_deliver+0x4d0/0x4d0 [ 34.274345] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 34.281106] [] ? ip_local_deliver+0x4d0/0x4d0 [ 34.287238] [] __netif_receive_skb_core+0x1156/0x2990 [ 34.294063] [] ? dev_loopback_xmit+0x430/0x430 [ 34.301249] [] ? find_busiest_group+0x6320/0x6320 [ 34.308100] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 34.314848] [] ? check_preemption_disabled+0x3c/0x200 [ 34.321735] [] ? process_backlog+0x190/0x610 [ 34.327795] [] __netif_receive_skb+0x58/0x1c0 [ 34.333927] [] process_backlog+0x1e8/0x610 [ 34.339845] [] ? process_backlog+0x190/0x610 [ 34.345928] [] ? trace_hardirqs_on+0x10/0x10 [ 34.352315] [] net_rx_action+0x3aa/0xdd0 [ 34.358016] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 34.365992] [] __do_softirq+0x22d/0x964 [ 34.371603] [] do_softirq_own_stack+0x1c/0x30 [ 34.378047] [ 34.380101] [] do_softirq.part.0+0x62/0x70 [ 34.386122] [] do_softirq+0x18/0x20 [ 34.391507] [] netif_rx_ni+0xbe/0x310 [ 34.397078] [] tun_get_user+0xcd2/0x2430 [ 34.402777] [] ? tun_select_queue+0x400/0x400 [ 34.408977] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 34.415726] [] tun_chr_write_iter+0xda/0x190 [ 34.421781] [] do_iter_readv_writev+0x3d9/0x4b0 [ 34.428086] [] ? vfs_iter_write+0x460/0x460 [ 34.434048] [] ? selinux_file_permission+0x85/0x470 [ 34.440801] [] ? security_file_permission+0x8f/0x1f0 [ 34.447541] [] ? rw_verify_area+0xea/0x2b0 [ 34.453415] [] do_readv_writev+0x2ed/0x7a0 [ 34.459283] [] ? vfs_write+0x520/0x520 [ 34.464805] [] ? __lru_cache_add+0x186/0x250 [ 34.470856] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 34.477522] [] ? _raw_spin_unlock+0x2d/0x50 [ 34.483487] [] ? handle_mm_fault+0x54a/0x2380 [ 34.489637] [] ? vm_insert_page+0x840/0x840 [ 34.495599] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 34.502397] [] vfs_writev+0x89/0xc0 [ 34.507736] [] do_writev+0xe9/0x260 [ 34.513006] [] ? vfs_writev+0xc0/0xc0 [ 34.518449] [] ? SyS_readv+0x30/0x30 [ 34.523812] [] SyS_writev+0x28/0x30 [ 34.529076] [] do_syscall_64+0x1ad/0x570 [ 34.534776] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 34.541683] [ 34.543297] Allocated by task 2061: [ 34.546906] save_stack_trace+0x16/0x20 [ 34.550866] kasan_kmalloc.part.0+0x62/0xf0 [ 34.555167] kasan_kmalloc+0xb7/0xd0 [ 34.558860] kasan_slab_alloc+0xf/0x20 [ 34.562725] kmem_cache_alloc+0xd5/0x2b0 [ 34.566762] __alloc_skb+0xe7/0x5e0 [ 34.570363] alloc_skb_with_frags+0xb0/0x4f0 [ 34.574754] sock_alloc_send_pskb+0x5ec/0x760 [ 34.579229] tun_get_user+0x53b/0x2430 [ 34.583096] tun_chr_write_iter+0xda/0x190 [ 34.587309] do_iter_readv_writev+0x3d9/0x4b0 [ 34.591860] do_readv_writev+0x2ed/0x7a0 [ 34.595904] vfs_writev+0x89/0xc0 [ 34.599332] do_writev+0xe9/0x260 [ 34.602765] SyS_writev+0x28/0x30 [ 34.606194] do_syscall_64+0x1ad/0x570 [ 34.610071] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 34.615329] [ 34.616942] Freed by task 2061: [ 34.620203] save_stack_trace+0x16/0x20 [ 34.624260] kasan_slab_free+0xb0/0x190 [ 34.628219] kmem_cache_free+0xbe/0x310 [ 34.632174] kfree_skbmem+0x9f/0x100 [ 34.635865] kfree_skb+0xd4/0x350 [ 34.640041] ip_defrag+0x620/0x3bc0 [ 34.643648] ipv4_conntrack_defrag+0x1b4/0x2f0 [ 34.648268] nf_iterate+0x12e/0x310 [ 34.651901] nf_hook_slow+0x114/0x1f0 [ 34.655687] ip_rcv+0xb79/0xf90 [ 34.658950] __netif_receive_skb_core+0x1156/0x2990 [ 34.663960] __netif_receive_skb+0x58/0x1c0 [ 34.668274] process_backlog+0x1e8/0x610 [ 34.672328] net_rx_action+0x3aa/0xdd0 [ 34.676198] __do_softirq+0x22d/0x964 [ 34.679971] [ 34.681581] The buggy address belongs to the object at ffff8801ceb04140 [ 34.681581] which belongs to the cache skbuff_head_cache of size 224 [ 34.694748] The buggy address is located 136 bytes inside of [ 34.694748] 224-byte region [ffff8801ceb04140, ffff8801ceb04220) [ 34.706602] The buggy address belongs to the page: [ 34.711522] page:ffffea00073ac100 count:1 mapcount:0 mapping: (null) index:0xffff8801ceb04000 [ 34.721073] flags: 0x4000000000000080(slab) [ 34.725370] page dumped because: kasan: bad access detected [ 34.731078] [ 34.732696] Memory state around the buggy address: [ 34.737680] ffff8801ceb04080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 34.745028] ffff8801ceb04100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 34.752376] >ffff8801ceb04180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.759720] ^ [ 34.765411] ffff8801ceb04200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 34.772750] ffff8801ceb04280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 34.780085] ================================================================== [ 34.787423] Disabling lock debugging due to kernel taint [ 34.792907] Kernel panic - not syncing: panic_on_warn set ... [ 34.792907] [ 34.800382] CPU: 0 PID: 2061 Comm: syz-executor319 Tainted: G B 4.9.151+ #10 [ 34.808678] ffff8801db607890 ffffffff81b46e61 ffff8801db607900 ffffffff82e4383a [ 34.816706] 00000000ffffffff 0000000000000000 ffffffff8260164e ffff8801db607970 [ 34.824709] ffffffff813f725a 0000000041b58ab3 ffffffff82e35962 ffffffff813f7081 [ 34.832749] Call Trace: [ 34.835309] [ 34.837349] [] dump_stack+0xc1/0x120 [ 34.842712] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 34.849380] [] panic+0x1d9/0x3bd [ 34.854381] [] ? add_taint.cold+0x16/0x16 [ 34.860579] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 34.867144] [] kasan_end_report+0x47/0x4f [ 34.872927] [] kasan_report.cold+0xa9/0x2ba [ 34.878886] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 34.885278] [] __asan_report_store4_noabort+0x17/0x20 [ 34.892099] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 34.898484] [] nf_iterate+0x12e/0x310 [ 34.903918] [] nf_hook_slow+0x114/0x1f0 [ 34.909524] [] ? nf_iterate+0x310/0x310 [ 34.915142] [] ip_rcv+0xb79/0xf90 [ 34.920234] [] ? ip_rcv+0x8be/0xf90 [ 34.925494] [] ? ip_local_deliver+0x4d0/0x4d0 [ 34.931633] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 34.938528] [] ? ip_local_deliver+0x4d0/0x4d0 [ 34.944662] [] __netif_receive_skb_core+0x1156/0x2990 [ 34.951606] [] ? dev_loopback_xmit+0x430/0x430 [ 34.957837] [] ? find_busiest_group+0x6320/0x6320 [ 34.964315] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 34.971202] [] ? check_preemption_disabled+0x3c/0x200 [ 34.978029] [] ? process_backlog+0x190/0x610 [ 34.984073] [] __netif_receive_skb+0x58/0x1c0 [ 34.990293] [] process_backlog+0x1e8/0x610 [ 34.996167] [] ? process_backlog+0x190/0x610 [ 35.002328] [] ? trace_hardirqs_on+0x10/0x10 [ 35.008370] [] net_rx_action+0x3aa/0xdd0 [ 35.014073] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 35.021946] [] __do_softirq+0x22d/0x964 [ 35.027570] [] do_softirq_own_stack+0x1c/0x30 [ 35.033692] [ 35.035739] [] do_softirq.part.0+0x62/0x70 [ 35.041647] [] do_softirq+0x18/0x20 [ 35.046905] [] netif_rx_ni+0xbe/0x310 [ 35.052353] [] tun_get_user+0xcd2/0x2430 [ 35.058279] [] ? tun_select_queue+0x400/0x400 [ 35.064409] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 35.071146] [] tun_chr_write_iter+0xda/0x190 [ 35.077190] [] do_iter_readv_writev+0x3d9/0x4b0 [ 35.083490] [] ? vfs_iter_write+0x460/0x460 [ 35.089442] [] ? selinux_file_permission+0x85/0x470 [ 35.096100] [] ? security_file_permission+0x8f/0x1f0 [ 35.102841] [] ? rw_verify_area+0xea/0x2b0 [ 35.108713] [] do_readv_writev+0x2ed/0x7a0 [ 35.114596] [] ? vfs_write+0x520/0x520 [ 35.120140] [] ? __lru_cache_add+0x186/0x250 [ 35.126186] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 35.132849] [] ? _raw_spin_unlock+0x2d/0x50 [ 35.138805] [] ? handle_mm_fault+0x54a/0x2380 [ 35.144961] [] ? vm_insert_page+0x840/0x840 [ 35.151039] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 35.157780] [] vfs_writev+0x89/0xc0 [ 35.163045] [] do_writev+0xe9/0x260 [ 35.168310] [] ? vfs_writev+0xc0/0xc0 [ 35.173745] [] ? SyS_readv+0x30/0x30 [ 35.179150] [] SyS_writev+0x28/0x30 [ 35.184418] [] do_syscall_64+0x1ad/0x570 [ 35.190126] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 35.197380] Kernel Offset: disabled [ 35.201001] Rebooting in 86400 seconds..