[ ok ] Starting periodic command scheduler: cron.
[    8.984399] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   30.631390] random: sshd: uninitialized urandom read (32 bytes read)
[   30.944926] random: sshd: uninitialized urandom read (32 bytes read)
[   31.223553] random: crng init done
Warning: Permanently added '10.128.10.1' (ECDSA) to the list of known hosts.
executing program
executing program
[   37.370370] ==================================================================
[   37.377751] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[   37.384826] Write of size 4 at addr ffff8801d0062448 by task syz-executor088/2046
[   37.392417] 
[   37.394024] CPU: 1 PID: 2046 Comm: syz-executor088 Not tainted 4.9.151+ #12
[   37.401092]  ffff8801db707950 ffffffff81b46e21 0000000000000001 ffffea0007401880
[   37.409088]  ffff8801d0062448 0000000000000004 ffffffff82601b3e ffff8801db707988
[   37.417083]  ffffffff81502195 0000000000000001 ffff8801d0062448 ffff8801d0062448
[   37.425074] Call Trace:
[   37.427628] 
[   37.429668]  [] dump_stack+0xc1/0x120
[   37.435038]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   37.441595]  [] print_address_description+0x6f/0x238
[   37.448237]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   37.454793]  [] kasan_report.cold+0x8c/0x2ba
[   37.460741]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   37.467126]  [] __asan_report_store4_noabort+0x17/0x20
[   37.473939]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   37.480328]  [] nf_iterate+0x12e/0x310
[   37.485750]  [] nf_hook_slow+0x114/0x1f0
[   37.491348]  [] ? nf_iterate+0x310/0x310
[   37.496946]  [] ip_rcv+0xb79/0xf90
[   37.502020]  [] ? ip_rcv+0x8be/0xf90
[   37.507272]  [] ? ip_local_deliver+0x4d0/0x4d0
[   37.513393]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   37.520118]  [] ? ip_local_deliver+0x4d0/0x4d0
[   37.526232]  [] __netif_receive_skb_core+0x1156/0x2990
[   37.533044]  [] ? dev_loopback_xmit+0x430/0x430
[   37.539249]  [] ? find_busiest_group+0x6320/0x6320
[   37.546909]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   37.554890]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   37.562591]  [] ? check_preemption_disabled+0x3c/0x200
[   37.569872]  [] ? process_backlog+0x190/0x610
[   37.576232]  [] __netif_receive_skb+0x58/0x1c0
[   37.582517]  [] process_backlog+0x1e8/0x610
[   37.588624]  [] ? process_backlog+0x190/0x610
[   37.595819]  [] ? trace_hardirqs_on+0x10/0x10
[   37.601879]  [] net_rx_action+0x3aa/0xdd0
[   37.607568]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   37.615438]  [] __do_softirq+0x22d/0x964
[   37.621035]  [] do_softirq_own_stack+0x1c/0x30
[   37.627155] 
[   37.629201]  [] do_softirq.part.0+0x62/0x70
[   37.635079]  [] do_softirq+0x18/0x20
[   37.640330]  [] netif_rx_ni+0xbe/0x310
[   37.645756]  [] tun_get_user+0xcd2/0x2430
[   37.651440]  [] ? tun_select_queue+0x400/0x400
[   37.657561]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   37.664307]  [] tun_chr_write_iter+0xda/0x190
[   37.670348]  [] do_iter_readv_writev+0x3d9/0x4b0
[   37.676689]  [] ? vfs_iter_write+0x460/0x460
[   37.682699]  [] ? selinux_file_permission+0x85/0x470
[   37.689407]  [] ? security_file_permission+0x8f/0x1f0
[   37.696143]  [] ? rw_verify_area+0xea/0x2b0
[   37.702001]  [] do_readv_writev+0x2ed/0x7a0
[   37.707905]  [] ? vfs_write+0x520/0x520
[   37.713426]  [] ? __lru_cache_add+0x186/0x250
[   37.719467]  [] ? __this_cpu_preempt_check+0x1d/0x30
[   37.726115]  [] ? _raw_spin_unlock+0x2d/0x50
[   37.732059]  [] ? handle_mm_fault+0x54a/0x2380
[   37.738177]  [] ? vm_insert_page+0x840/0x840
[   37.744120]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   37.750847]  [] vfs_writev+0x89/0xc0
[   37.756099]  [] do_writev+0xe9/0x260
[   37.761352]  [] ? vfs_writev+0xc0/0xc0
[   37.766779]  [] ? SyS_readv+0x30/0x30
[   37.772127]  [] SyS_writev+0x28/0x30
[   37.777386]  [] do_syscall_64+0x1ad/0x570
[   37.783072]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   37.789974] 
[   37.791578] Allocated by task 2046:
[   37.795179]  save_stack_trace+0x16/0x20
[   37.799127]  kasan_kmalloc.part.0+0x62/0xf0
[   37.803419]  kasan_kmalloc+0xb7/0xd0
[   37.807113]  kasan_slab_alloc+0xf/0x20
[   37.810980]  kmem_cache_alloc+0xd5/0x2b0
[   37.815017]  __alloc_skb+0xe7/0x5e0
[   37.818616]  alloc_skb_with_frags+0xb0/0x4f0
[   37.822996]  sock_alloc_send_pskb+0x5ec/0x760
[   37.827473]  tun_get_user+0x53b/0x2430
[   37.831337]  tun_chr_write_iter+0xda/0x190
[   37.835548]  do_iter_readv_writev+0x3d9/0x4b0
[   37.840020]  do_readv_writev+0x2ed/0x7a0
[   37.844058]  vfs_writev+0x89/0xc0
[   37.847487]  do_writev+0xe9/0x260
[   37.850913]  SyS_writev+0x28/0x30
[   37.854345]  do_syscall_64+0x1ad/0x570
[   37.858209]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   37.863288] 
[   37.864889] Freed by task 2046:
[   37.868142]  save_stack_trace+0x16/0x20
[   37.872095]  kasan_slab_free+0xb0/0x190
[   37.876041]  kmem_cache_free+0xbe/0x310
[   37.879988]  kfree_skbmem+0x9f/0x100
[   37.883672]  kfree_skb+0xd4/0x350
[   37.887096]  ip_defrag+0x620/0x3bc0
[   37.890695]  ipv4_conntrack_defrag+0x1b4/0x2f0
[   37.895252]  nf_iterate+0x12e/0x310
[   37.898859]  nf_hook_slow+0x114/0x1f0
[   37.902630]  ip_rcv+0xb79/0xf90
[   37.905883]  __netif_receive_skb_core+0x1156/0x2990
[   37.910872]  __netif_receive_skb+0x58/0x1c0
[   37.915177]  process_backlog+0x1e8/0x610
[   37.919217]  net_rx_action+0x3aa/0xdd0
[   37.923079]  __do_softirq+0x22d/0x964
[   37.926849] 
[   37.928452] The buggy address belongs to the object at ffff8801d00623c0
[   37.928452]  which belongs to the cache skbuff_head_cache of size 224
[   37.941655] The buggy address is located 136 bytes inside of
[   37.941655]  224-byte region [ffff8801d00623c0, ffff8801d00624a0)
[   37.953511] The buggy address belongs to the page:
[   37.958416] page:ffffea0007401880 count:1 mapcount:0 mapping:          (null) index:0x0
[   37.966648] flags: 0x4000000000000080(slab)
[   37.970943] page dumped because: kasan: bad access detected
[   37.976621] 
[   37.978222] Memory state around the buggy address:
[   37.983126]  ffff8801d0062300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   37.990460]  ffff8801d0062380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   37.997790] >ffff8801d0062400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.005118]                                               ^
[   38.010799]  ffff8801d0062480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   38.018128]  ffff8801d0062500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.025458] ==================================================================
[   38.032786] Disabling lock debugging due to kernel taint
[   38.038275] Kernel panic - not syncing: panic_on_warn set ...
[   38.038275] 
[   38.045616] CPU: 1 PID: 2046 Comm: syz-executor088 Tainted: G    B   4.9.151+ #12
[   38.053902]  ffff8801db707890 ffffffff81b46e21 ffff8801db707900 ffffffff82e43922
[   38.061899]  00000000ffffffff 0000000000000001 ffffffff82601b3e ffff8801db707970
[   38.069895]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081
[   38.077891] Call Trace:
[   38.080446] 
[   38.082485]  [] dump_stack+0xc1/0x120
[   38.087844]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   38.094400]  [] panic+0x1d9/0x3bd
[   38.099390]  [] ? add_taint.cold+0x16/0x16
[   38.105159]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   38.111710]  [] kasan_end_report+0x47/0x4f
[   38.117479]  [] kasan_report.cold+0xa9/0x2ba
[   38.123422]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   38.129797]  [] __asan_report_store4_noabort+0x17/0x20
[   38.136607]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   38.142987]  [] nf_iterate+0x12e/0x310
[   38.148408]  [] nf_hook_slow+0x114/0x1f0
[   38.154002]  [] ? nf_iterate+0x310/0x310
[   38.159597]  [] ip_rcv+0xb79/0xf90
[   38.164669]  [] ? ip_rcv+0x8be/0xf90
[   38.169916]  [] ? ip_local_deliver+0x4d0/0x4d0
[   38.176042]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   38.182768]  [] ? ip_local_deliver+0x4d0/0x4d0
[   38.188889]  [] __netif_receive_skb_core+0x1156/0x2990
[   38.195703]  [] ? dev_loopback_xmit+0x430/0x430
[   38.201911]  [] ? find_busiest_group+0x6320/0x6320
[   38.208382]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   38.215109]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   38.221838]  [] ? check_preemption_disabled+0x3c/0x200
[   38.228651]  [] ? process_backlog+0x190/0x610
[   38.234681]  [] __netif_receive_skb+0x58/0x1c0
[   38.240797]  [] process_backlog+0x1e8/0x610
[   38.246653]  [] ? process_backlog+0x190/0x610
[   38.252930]  [] ? trace_hardirqs_on+0x10/0x10
[   38.258960]  [] net_rx_action+0x3aa/0xdd0
[   38.264645]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   38.272498]  [] __do_softirq+0x22d/0x964
[   38.278092]  [] do_softirq_own_stack+0x1c/0x30
[   38.284212] 
[   38.286267]  [] do_softirq.part.0+0x62/0x70
[   38.292145]  [] do_softirq+0x18/0x20
[   38.297681]  [] netif_rx_ni+0xbe/0x310
[   38.303108]  [] tun_get_user+0xcd2/0x2430
[   38.308799]  [] ? tun_select_queue+0x400/0x400
[   38.314922]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   38.321650]  [] tun_chr_write_iter+0xda/0x190
[   38.327683]  [] do_iter_readv_writev+0x3d9/0x4b0
[   38.333974]  [] ? vfs_iter_write+0x460/0x460
[   38.339931]  [] ? selinux_file_permission+0x85/0x470
[   38.346572]  [] ? security_file_permission+0x8f/0x1f0
[   38.353298]  [] ? rw_verify_area+0xea/0x2b0
[   38.359157]  [] do_readv_writev+0x2ed/0x7a0
[   38.365013]  [] ? vfs_write+0x520/0x520
[   38.370524]  [] ? __lru_cache_add+0x186/0x250
[   38.376555]  [] ? __this_cpu_preempt_check+0x1d/0x30
[   38.383194]  [] ? _raw_spin_unlock+0x2d/0x50
[   38.389140]  [] ? handle_mm_fault+0x54a/0x2380
[   38.395257]  [] ? vm_insert_page+0x840/0x840
[   38.401201]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   38.407924]  [] vfs_writev+0x89/0xc0
[   38.413172]  [] do_writev+0xe9/0x260
[   38.418420]  [] ? vfs_writev+0xc0/0xc0
[   38.423846]  [] ? SyS_readv+0x30/0x30
[   38.429180]  [] SyS_writev+0x28/0x30
[   38.434430]  [] do_syscall_64+0x1ad/0x570
[   38.440115]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   38.447353] Kernel Offset: disabled
[   38.450959] Rebooting in 86400 seconds..