Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 10.248736] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [ 11.353071] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.197' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 35.614614] ================================================================== [ 35.616029] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0 [ 35.618434] Write of size 4 at addr ffff8801cfbe0d08 by task syz-executor968/2054 [ 35.619628] [ 35.619897] CPU: 1 PID: 2054 Comm: syz-executor968 Not tainted 4.9.151+ #12 [ 35.621001] ffff8801db707950 ffffffff81b46e21 0000000000000001 ffffea00073ef800 [ 35.622528] ffff8801cfbe0d08 0000000000000004 ffffffff82601b3e ffff8801db707988 [ 35.623927] ffffffff81502195 0000000000000001 ffff8801cfbe0d08 ffff8801cfbe0d08 [ 35.625256] Call Trace: [ 35.625634] [ 35.625992] [] dump_stack+0xc1/0x120 [ 35.627028] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 35.627982] [] print_address_description+0x6f/0x238 [ 35.628977] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 35.630010] [] kasan_report.cold+0x8c/0x2ba [ 35.630911] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 35.631862] [] __asan_report_store4_noabort+0x17/0x20 [ 35.632835] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 35.633748] [] nf_iterate+0x12e/0x310 [ 35.634497] [] nf_hook_slow+0x114/0x1f0 [ 35.638994] [] ? nf_iterate+0x310/0x310 [ 35.644610] [] ip_rcv+0xb79/0xf90 [ 35.649780] [] ? ip_rcv+0x8be/0xf90 [ 35.655296] [] ? ip_local_deliver+0x4d0/0x4d0 [ 35.661441] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 35.668190] [] ? ip_local_deliver+0x4d0/0x4d0 [ 35.674323] [] __netif_receive_skb_core+0x1156/0x2990 [ 35.681148] [] ? dev_loopback_xmit+0x430/0x430 [ 35.687356] [] ? check_preemption_disabled+0x3c/0x200 [ 35.694170] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 35.701033] [] ? check_preemption_disabled+0x3c/0x200 [ 35.707856] [] ? process_backlog+0x190/0x610 [ 35.714044] [] __netif_receive_skb+0x58/0x1c0 [ 35.720170] [] process_backlog+0x1e8/0x610 [ 35.726258] [] ? process_backlog+0x190/0x610 [ 35.732362] [] ? trace_hardirqs_on+0x10/0x10 [ 35.738412] [] net_rx_action+0x3aa/0xdd0 [ 35.744105] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 35.751984] [] __do_softirq+0x22d/0x964 [ 35.758027] [] do_softirq_own_stack+0x1c/0x30 [ 35.764158] [ 35.766208] [] do_softirq.part.0+0x62/0x70 [ 35.772524] [] do_softirq+0x18/0x20 [ 35.777874] [] netif_rx_ni+0xbe/0x310 [ 35.783304] [] tun_get_user+0xcd2/0x2430 [ 35.789003] [] ? tun_select_queue+0x400/0x400 [ 35.795122] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 35.801848] [] tun_chr_write_iter+0xda/0x190 [ 35.807877] [] do_iter_readv_writev+0x3d9/0x4b0 [ 35.814164] [] ? vfs_iter_write+0x460/0x460 [ 35.820108] [] ? selinux_file_permission+0x85/0x470 [ 35.826750] [] ? security_file_permission+0x8f/0x1f0 [ 35.833476] [] ? rw_verify_area+0xea/0x2b0 [ 35.839333] [] do_readv_writev+0x2ed/0x7a0 [ 35.845190] [] ? vfs_write+0x520/0x520 [ 35.850977] [] ? __lru_cache_add+0x186/0x250 [ 35.857086] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 35.863736] [] ? _raw_spin_unlock+0x2d/0x50 [ 35.869697] [] ? handle_mm_fault+0x54a/0x2380 [ 35.875857] [] ? vm_insert_page+0x840/0x840 [ 35.881800] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 35.888525] [] vfs_writev+0x89/0xc0 [ 35.893796] [] do_writev+0xe9/0x260 [ 35.899044] [] ? vfs_writev+0xc0/0xc0 [ 35.904465] [] ? SyS_readv+0x30/0x30 [ 35.909799] [] SyS_writev+0x28/0x30 [ 35.915047] [] do_syscall_64+0x1ad/0x570 [ 35.920836] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 35.927733] [ 35.929331] Allocated by task 2054: [ 35.932930] save_stack_trace+0x16/0x20 [ 35.936877] kasan_kmalloc.part.0+0x62/0xf0 [ 35.941169] kasan_kmalloc+0xb7/0xd0 [ 35.944855] kasan_slab_alloc+0xf/0x20 [ 35.948717] kmem_cache_alloc+0xd5/0x2b0 [ 35.952780] __alloc_skb+0xe7/0x5e0 [ 35.956375] alloc_skb_with_frags+0xb0/0x4f0 [ 35.960757] sock_alloc_send_pskb+0x5ec/0x760 [ 35.965237] tun_get_user+0x53b/0x2430 [ 35.969093] tun_chr_write_iter+0xda/0x190 [ 35.973296] do_iter_readv_writev+0x3d9/0x4b0 [ 35.977763] do_readv_writev+0x2ed/0x7a0 [ 35.981794] vfs_writev+0x89/0xc0 [ 35.985220] do_writev+0xe9/0x260 [ 35.988643] SyS_writev+0x28/0x30 [ 35.992082] do_syscall_64+0x1ad/0x570 [ 35.995939] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 36.001010] [ 36.002641] Freed by task 2054: [ 36.005893] save_stack_trace+0x16/0x20 [ 36.009841] kasan_slab_free+0xb0/0x190 [ 36.013787] kmem_cache_free+0xbe/0x310 [ 36.017734] kfree_skbmem+0x9f/0x100 [ 36.021421] kfree_skb+0xd4/0x350 [ 36.024848] ip_defrag+0x620/0x3bc0 [ 36.028449] ipv4_conntrack_defrag+0x1b4/0x2f0 [ 36.033000] nf_iterate+0x12e/0x310 [ 36.036599] nf_hook_slow+0x114/0x1f0 [ 36.040378] ip_rcv+0xb79/0xf90 [ 36.043630] __netif_receive_skb_core+0x1156/0x2990 [ 36.048616] __netif_receive_skb+0x58/0x1c0 [ 36.052911] process_backlog+0x1e8/0x610 [ 36.056941] net_rx_action+0x3aa/0xdd0 [ 36.060800] __do_softirq+0x22d/0x964 [ 36.064567] [ 36.066168] The buggy address belongs to the object at ffff8801cfbe0c80 [ 36.066168] which belongs to the cache skbuff_head_cache of size 224 [ 36.079317] The buggy address is located 136 bytes inside of [ 36.079317] 224-byte region [ffff8801cfbe0c80, ffff8801cfbe0d60) [ 36.091162] The buggy address belongs to the page: [ 36.096060] page:ffffea00073ef800 count:1 mapcount:0 mapping: (null) index:0x0 [ 36.104295] flags: 0x4000000000000080(slab) [ 36.108585] page dumped because: kasan: bad access detected [ 36.114264] [ 36.115893] Memory state around the buggy address: [ 36.120902] ffff8801cfbe0c00: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc [ 36.128233] ffff8801cfbe0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.135562] >ffff8801cfbe0d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 36.142891] ^ [ 36.146495] ffff8801cfbe0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.153828] ffff8801cfbe0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.161157] ================================================================== [ 36.168483] Disabling lock debugging due to kernel taint [ 36.173964] Kernel panic - not syncing: panic_on_warn set ... [ 36.173964] [ 36.181315] CPU: 1 PID: 2054 Comm: syz-executor968 Tainted: G B 4.9.151+ #12 [ 36.189600] ffff8801db707890 ffffffff81b46e21 ffff8801db707900 ffffffff82e43922 [ 36.197586] 00000000ffffffff 0000000000000001 ffffffff82601b3e ffff8801db707970 [ 36.205678] ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081 [ 36.213660] Call Trace: [ 36.216215] [ 36.218254] [] dump_stack+0xc1/0x120 [ 36.223610] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 36.230167] [] panic+0x1d9/0x3bd [ 36.235158] [] ? add_taint.cold+0x16/0x16 [ 36.240936] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 36.247492] [] kasan_end_report+0x47/0x4f [ 36.253262] [] kasan_report.cold+0xa9/0x2ba [ 36.259204] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 36.265579] [] __asan_report_store4_noabort+0x17/0x20 [ 36.272390] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 36.278771] [] nf_iterate+0x12e/0x310 [ 36.284194] [] nf_hook_slow+0x114/0x1f0 [ 36.289789] [] ? nf_iterate+0x310/0x310 [ 36.295385] [] ip_rcv+0xb79/0xf90 [ 36.300483] [] ? ip_rcv+0x8be/0xf90 [ 36.305764] [] ? ip_local_deliver+0x4d0/0x4d0 [ 36.311879] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 36.318603] [] ? ip_local_deliver+0x4d0/0x4d0 [ 36.324746] [] __netif_receive_skb_core+0x1156/0x2990 [ 36.331556] [] ? dev_loopback_xmit+0x430/0x430 [ 36.337759] [] ? check_preemption_disabled+0x3c/0x200 [ 36.344584] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 36.351307] [] ? check_preemption_disabled+0x3c/0x200 [ 36.358118] [] ? process_backlog+0x190/0x610 [ 36.364147] [] __netif_receive_skb+0x58/0x1c0 [ 36.370268] [] process_backlog+0x1e8/0x610 [ 36.376125] [] ? process_backlog+0x190/0x610 [ 36.382216] [] ? trace_hardirqs_on+0x10/0x10 [ 36.388247] [] net_rx_action+0x3aa/0xdd0 [ 36.393928] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 36.401986] [] __do_softirq+0x22d/0x964 [ 36.407580] [] do_softirq_own_stack+0x1c/0x30 [ 36.413697] [ 36.415736] [] do_softirq.part.0+0x62/0x70 [ 36.421609] [] do_softirq+0x18/0x20 [ 36.426853] [] netif_rx_ni+0xbe/0x310 [ 36.432283] [] tun_get_user+0xcd2/0x2430 [ 36.437980] [] ? tun_select_queue+0x400/0x400 [ 36.444099] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 36.450822] [] tun_chr_write_iter+0xda/0x190 [ 36.456851] [] do_iter_readv_writev+0x3d9/0x4b0 [ 36.463156] [] ? vfs_iter_write+0x460/0x460 [ 36.469117] [] ? selinux_file_permission+0x85/0x470 [ 36.475757] [] ? security_file_permission+0x8f/0x1f0 [ 36.482481] [] ? rw_verify_area+0xea/0x2b0 [ 36.488334] [] do_readv_writev+0x2ed/0x7a0 [ 36.494186] [] ? vfs_write+0x520/0x520 [ 36.499702] [] ? __lru_cache_add+0x186/0x250 [ 36.505734] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 36.512374] [] ? _raw_spin_unlock+0x2d/0x50 [ 36.518319] [] ? handle_mm_fault+0x54a/0x2380 [ 36.524433] [] ? vm_insert_page+0x840/0x840 [ 36.530375] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 36.537099] [] vfs_writev+0x89/0xc0 [ 36.542348] [] do_writev+0xe9/0x260 [ 36.547611] [] ? vfs_writev+0xc0/0xc0 [ 36.553062] [] ? SyS_readv+0x30/0x30 [ 36.558394] [] SyS_writev+0x28/0x30 [ 36.563640] [] do_syscall_64+0x1ad/0x570 [ 36.569318] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 36.576563] Kernel Offset: disabled [ 36.580173] Rebooting in 86400 seconds..