Starting mcstransd: [....] Starting periodic command scheduler: cron [ ok ]. [....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 10.349756] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. [ 11.539971] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.215' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 38.411570] ================================================================== [ 38.412983] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0 [ 38.414004] Write of size 4 at addr ffff8801cf9b7948 by task syz-executor542/2056 [ 38.415084] [ 38.415341] CPU: 1 PID: 2056 Comm: syz-executor542 Not tainted 4.9.154+ #19 [ 38.416331] ffff8801db707948 ffffffff81b47411 0000000000000001 ffffea00073e6dc0 [ 38.417536] ffff8801cf9b7948 0000000000000004 ffffffff826028fe ffff8801db707980 [ 38.418876] ffffffff81502615 0000000000000001 ffff8801cf9b7948 ffff8801cf9b7948 [ 38.420114] Call Trace: [ 38.420505] [ 38.420843] [] dump_stack+0xc1/0x120 [ 38.421857] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 38.422858] [] print_address_description+0x6f/0x238 [ 38.423828] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 38.424840] [] kasan_report.cold+0x8c/0x2ba [ 38.425749] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 38.426650] [] __asan_report_store4_noabort+0x17/0x20 [ 38.427607] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 38.428499] [] nf_iterate+0x12e/0x310 [ 38.429532] [] nf_hook_slow+0x114/0x1f0 [ 38.430546] [] ? nf_iterate+0x310/0x310 [ 38.431450] [] ip_rcv+0xbdf/0x1040 [ 38.435557] [] ? ip_rcv+0x91c/0x1040 [ 38.440900] [] ? ip_local_deliver+0x4d0/0x4d0 [ 38.447020] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 38.453747] [] ? ip_local_deliver+0x4d0/0x4d0 [ 38.459869] [] __netif_receive_skb_core+0x1156/0x2990 [ 38.466686] [] ? dev_loopback_xmit+0x430/0x430 [ 38.472894] [] ? 
trace_hardirqs_on_caller+0x260/0x5a0 [ 38.479708] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 38.486439] [] ? check_preemption_disabled+0x3c/0x200 [ 38.493251] [] ? process_backlog+0x190/0x610 [ 38.499289] [] __netif_receive_skb+0x58/0x1c0 [ 38.505442] [] process_backlog+0x1e8/0x610 [ 38.511299] [] ? process_backlog+0x190/0x610 [ 38.517332] [] ? trace_hardirqs_on+0x10/0x10 [ 38.523366] [] net_rx_action+0x3aa/0xdd0 [ 38.529053] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 38.537070] [] __do_softirq+0x22d/0x964 [ 38.542692] [] do_softirq_own_stack+0x1c/0x30 [ 38.548812] [ 38.550853] [] do_softirq.part.0+0x62/0x70 [ 38.556742] [] do_softirq+0x18/0x20 [ 38.561996] [] netif_rx_ni+0xbe/0x310 [ 38.567424] [] tun_get_user+0xcd2/0x2430 [ 38.573108] [] ? tun_select_queue+0x400/0x400 [ 38.579227] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 38.585959] [] tun_chr_write_iter+0xda/0x190 [ 38.592011] [] do_iter_readv_writev+0x3d9/0x4b0 [ 38.598763] [] ? vfs_iter_write+0x460/0x460 [ 38.604724] [] ? selinux_file_permission+0x85/0x470 [ 38.611377] [] ? security_file_permission+0x8f/0x1f0 [ 38.618197] [] ? rw_verify_area+0xea/0x2b0 [ 38.624063] [] do_readv_writev+0x2ed/0x7a0 [ 38.629928] [] ? vfs_write+0x520/0x520 [ 38.635609] [] ? __lru_cache_add+0x186/0x250 [ 38.641650] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 38.648298] [] ? _raw_spin_unlock+0x2d/0x50 [ 38.654252] [] ? handle_mm_fault+0x54a/0x2380 [ 38.660374] [] ? vm_insert_page+0x840/0x840 [ 38.666321] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 38.673074] [] vfs_writev+0x89/0xc0 [ 38.678335] [] do_writev+0xe9/0x260 [ 38.683588] [] ? vfs_writev+0xc0/0xc0 [ 38.689015] [] ? 
SyS_readv+0x30/0x30 [ 38.694350] [] SyS_writev+0x28/0x30 [ 38.699599] [] do_syscall_64+0x1ad/0x570 [ 38.705284] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 38.712194] [ 38.713801] Allocated by task 2056: [ 38.717404] save_stack_trace+0x16/0x20 [ 38.721355] kasan_kmalloc.part.0+0x62/0xf0 [ 38.725648] kasan_kmalloc+0xb7/0xd0 [ 38.729335] kasan_slab_alloc+0xf/0x20 [ 38.733349] kmem_cache_alloc+0xd5/0x2b0 [ 38.737541] __alloc_skb+0xe7/0x5e0 [ 38.741174] alloc_skb_with_frags+0xb0/0x4f0 [ 38.745560] sock_alloc_send_pskb+0x5ec/0x760 [ 38.750035] tun_get_user+0x53b/0x2430 [ 38.754074] tun_chr_write_iter+0xda/0x190 [ 38.758776] do_iter_readv_writev+0x3d9/0x4b0 [ 38.763355] do_readv_writev+0x2ed/0x7a0 [ 38.767389] vfs_writev+0x89/0xc0 [ 38.770817] do_writev+0xe9/0x260 [ 38.774248] SyS_writev+0x28/0x30 [ 38.777676] do_syscall_64+0x1ad/0x570 [ 38.781542] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 38.786628] [ 38.788233] Freed by task 2056: [ 38.791495] save_stack_trace+0x16/0x20 [ 38.795474] kasan_slab_free+0xb0/0x190 [ 38.799608] kmem_cache_free+0xbe/0x310 [ 38.803734] kfree_skbmem+0x9f/0x100 [ 38.807437] kfree_skb+0xd4/0x350 [ 38.810868] ip_defrag+0x620/0x3bc0 [ 38.814471] ipv4_conntrack_defrag+0x1b4/0x2f0 [ 38.819029] nf_iterate+0x12e/0x310 [ 38.822633] nf_hook_slow+0x114/0x1f0 [ 38.826407] ip_rcv+0xbdf/0x1040 [ 38.829747] __netif_receive_skb_core+0x1156/0x2990 [ 38.834736] __netif_receive_skb+0x58/0x1c0 [ 38.839116] process_backlog+0x1e8/0x610 [ 38.843158] net_rx_action+0x3aa/0xdd0 [ 38.847033] __do_softirq+0x22d/0x964 [ 38.851036] [ 38.852641] The buggy address belongs to the object at ffff8801cf9b78c0 [ 38.852641] which belongs to the cache skbuff_head_cache of size 224 [ 38.865886] The buggy address is located 136 bytes inside of [ 38.865886] 224-byte region [ffff8801cf9b78c0, ffff8801cf9b79a0) [ 38.877732] The buggy address belongs to the page: [ 38.882636] page:ffffea00073e6dc0 count:1 mapcount:0 mapping: (null) index:0x0 [ 38.890872] flags: 0x4000000000000080(slab) [ 
38.895167] page dumped because: kasan: bad access detected [ 38.900851] [ 38.902451] Memory state around the buggy address: [ 38.907354] ffff8801cf9b7800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 38.914686] ffff8801cf9b7880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 38.922021] >ffff8801cf9b7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.929355] ^ [ 38.935040] ffff8801cf9b7980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 38.942373] ffff8801cf9b7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 38.949705] ================================================================== [ 38.957037] Disabling lock debugging due to kernel taint [ 38.962499] Kernel panic - not syncing: panic_on_warn set ... [ 38.962499] [ 38.969844] CPU: 1 PID: 2056 Comm: syz-executor542 Tainted: G B 4.9.154+ #19 [ 38.978140] ffff8801db707888 ffffffff81b47411 ffff8801db707900 ffffffff82e439da [ 38.986130] 00000000ffffffff 0000000000000001 ffffffff826028fe ffff8801db707968 [ 38.994144] ffffffff813f725a 0000000041b58ab3 ffffffff82e35b02 ffffffff813f7081 [ 39.002143] Call Trace: [ 39.004703] [ 39.006744] [] dump_stack+0xc1/0x120 [ 39.012103] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 39.018823] [] panic+0x1d9/0x3bd [ 39.023827] [] ? add_taint.cold+0x16/0x16 [ 39.029607] [] kasan_end_report+0x47/0x4f [ 39.035379] [] kasan_report.cold+0xa9/0x2ba [ 39.041416] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 39.047798] [] __asan_report_store4_noabort+0x17/0x20 [ 39.054704] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 39.061085] [] nf_iterate+0x12e/0x310 [ 39.066516] [] nf_hook_slow+0x114/0x1f0 [ 39.072117] [] ? nf_iterate+0x310/0x310 [ 39.077722] [] ip_rcv+0xbdf/0x1040 [ 39.082888] [] ? ip_rcv+0x91c/0x1040 [ 39.088233] [] ? ip_local_deliver+0x4d0/0x4d0 [ 39.094359] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 39.101085] [] ? ip_local_deliver+0x4d0/0x4d0 [ 39.107206] [] __netif_receive_skb_core+0x1156/0x2990 [ 39.114266] [] ? dev_loopback_xmit+0x430/0x430 [ 39.120958] [] ? 
trace_hardirqs_on_caller+0x260/0x5a0 [ 39.127778] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 39.134513] [] ? check_preemption_disabled+0x3c/0x200 [ 39.141339] [] ? process_backlog+0x190/0x610 [ 39.147377] [] __netif_receive_skb+0x58/0x1c0 [ 39.153498] [] process_backlog+0x1e8/0x610 [ 39.159357] [] ? process_backlog+0x190/0x610 [ 39.165389] [] ? trace_hardirqs_on+0x10/0x10 [ 39.171651] [] net_rx_action+0x3aa/0xdd0 [ 39.177347] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 39.185296] [] __do_softirq+0x22d/0x964 [ 39.190900] [] do_softirq_own_stack+0x1c/0x30 [ 39.197013] [ 39.199215] [] do_softirq.part.0+0x62/0x70 [ 39.205102] [] do_softirq+0x18/0x20 [ 39.210413] [] netif_rx_ni+0xbe/0x310 [ 39.215864] [] tun_get_user+0xcd2/0x2430 [ 39.222273] [] ? tun_select_queue+0x400/0x400 [ 39.228403] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 39.235296] [] tun_chr_write_iter+0xda/0x190 [ 39.241742] [] do_iter_readv_writev+0x3d9/0x4b0 [ 39.248800] [] ? vfs_iter_write+0x460/0x460 [ 39.254764] [] ? selinux_file_permission+0x85/0x470 [ 39.261406] [] ? security_file_permission+0x8f/0x1f0 [ 39.268648] [] ? rw_verify_area+0xea/0x2b0 [ 39.274511] [] do_readv_writev+0x2ed/0x7a0 [ 39.280373] [] ? vfs_write+0x520/0x520 [ 39.285886] [] ? __lru_cache_add+0x186/0x250 [ 39.291922] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 39.298567] [] ? _raw_spin_unlock+0x2d/0x50 [ 39.304516] [] ? handle_mm_fault+0x54a/0x2380 [ 39.310636] [] ? vm_insert_page+0x840/0x840 [ 39.316590] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 39.323316] [] vfs_writev+0x89/0xc0 [ 39.328567] [] do_writev+0xe9/0x260 [ 39.333966] [] ? vfs_writev+0xc0/0xc0 [ 39.339398] [] ? SyS_readv+0x30/0x30 [ 39.344739] [] SyS_writev+0x28/0x30 [ 39.349998] [] do_syscall_64+0x1ad/0x570 [ 39.356091] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 39.363983] Kernel Offset: disabled [ 39.367591] Rebooting in 86400 seconds..