[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 10.823879] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 12.153294] random: crng init done Warning: Permanently added '10.128.0.159' (ECDSA) to the list of known hosts. executing program executing program [ 42.783557] ================================================================== [ 42.784823] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0 [ 42.785848] Write of size 4 at addr ffff8801c48471c8 by task syz-executor417/2055 [ 42.786951] [ 42.787232] CPU: 1 PID: 2055 Comm: syz-executor417 Not tainted 4.9.153+ #18 [ 42.788272] ffff8801db707950 ffffffff81b47491 0000000000000001 ffffea00071211c0 [ 42.789502] ffff8801c48471c8 0000000000000004 ffffffff826026fe ffff8801db707988 [ 42.790692] ffffffff81502615 0000000000000001 ffff8801c48471c8 ffff8801c48471c8 [ 42.791884] Call Trace: [ 42.792263] [ 42.792563] [] dump_stack+0xc1/0x120 [ 42.793330] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 42.794233] [] print_address_description+0x6f/0x238 [ 42.795166] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 42.796100] [] kasan_report.cold+0x8c/0x2ba [ 42.796916] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 42.797782] [] __asan_report_store4_noabort+0x17/0x20 [ 42.798817] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 42.799765] [] nf_iterate+0x12e/0x310 [ 42.800548] [] nf_hook_slow+0x114/0x1f0 [ 42.801370] [] ? nf_iterate+0x310/0x310 [ 42.802134] [] ip_rcv+0xb79/0xf90 [ 42.802836] [] ? ip_rcv+0x8be/0xf90 [ 42.803569] [] ? ip_local_deliver+0x4d0/0x4d0 [ 42.808831] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 42.815559] [] ? ip_local_deliver+0x4d0/0x4d0 [ 42.821683] [] __netif_receive_skb_core+0x1156/0x2990 [ 42.828498] [] ? dev_loopback_xmit+0x430/0x430 [ 42.834709] [] ? find_busiest_group+0x6320/0x6320 [ 42.841177] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 42.847910] [] ? check_preemption_disabled+0x3c/0x200 [ 42.854734] [] ? process_backlog+0x190/0x610 [ 42.860768] [] __netif_receive_skb+0x58/0x1c0 [ 42.866890] [] process_backlog+0x1e8/0x610 [ 42.872748] [] ? process_backlog+0x190/0x610 [ 42.878784] [] ? trace_hardirqs_on+0x10/0x10 [ 42.884818] [] net_rx_action+0x3aa/0xdd0 [ 42.890508] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 42.898378] [] __do_softirq+0x22d/0x964 [ 42.903982] [] do_softirq_own_stack+0x1c/0x30 [ 42.910098] [ 42.912156] [] do_softirq.part.0+0x62/0x70 [ 42.918041] [] do_softirq+0x18/0x20 [ 42.923299] [] netif_rx_ni+0xbe/0x310 [ 42.928738] [] tun_get_user+0xcd2/0x2430 [ 42.934428] [] ? tun_select_queue+0x400/0x400 [ 42.940560] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 42.947291] [] tun_chr_write_iter+0xda/0x190 [ 42.953324] [] do_iter_readv_writev+0x3d9/0x4b0 [ 42.959621] [] ? vfs_iter_write+0x460/0x460 [ 42.965573] [] ? selinux_file_permission+0x85/0x470 [ 42.972216] [] ? security_file_permission+0x8f/0x1f0 [ 42.978964] [] ? rw_verify_area+0xea/0x2b0 [ 42.984825] [] do_readv_writev+0x2ed/0x7a0 [ 42.990684] [] ? vfs_write+0x520/0x520 [ 42.996215] [] ? __lru_cache_add+0x186/0x250 [ 43.002250] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 43.008894] [] ? _raw_spin_unlock+0x2d/0x50 [ 43.014844] [] ? handle_mm_fault+0x54a/0x2380 [ 43.020965] [] ? vm_insert_page+0x840/0x840 [ 43.026912] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 43.033639] [] vfs_writev+0x89/0xc0 [ 43.038889] [] do_writev+0xe9/0x260 [ 43.044150] [] ? vfs_writev+0xc0/0xc0 [ 43.049585] [] ? SyS_readv+0x30/0x30 [ 43.054923] [] SyS_writev+0x28/0x30 [ 43.060175] [] do_syscall_64+0x1ad/0x570 [ 43.065863] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 43.072762] [ 43.074365] Allocated by task 2055: [ 43.077968] save_stack_trace+0x16/0x20 [ 43.081921] kasan_kmalloc.part.0+0x62/0xf0 [ 43.086218] kasan_kmalloc+0xb7/0xd0 [ 43.089907] kasan_slab_alloc+0xf/0x20 [ 43.093767] kmem_cache_alloc+0xd5/0x2b0 [ 43.097800] __alloc_skb+0xe7/0x5e0 [ 43.101401] alloc_skb_with_frags+0xb0/0x4f0 [ 43.105783] sock_alloc_send_pskb+0x5ec/0x760 [ 43.110260] tun_get_user+0x53b/0x2430 [ 43.114127] tun_chr_write_iter+0xda/0x190 [ 43.118343] do_iter_readv_writev+0x3d9/0x4b0 [ 43.122813] do_readv_writev+0x2ed/0x7a0 [ 43.126847] vfs_writev+0x89/0xc0 [ 43.130274] do_writev+0xe9/0x260 [ 43.133705] SyS_writev+0x28/0x30 [ 43.137133] do_syscall_64+0x1ad/0x570 [ 43.141010] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 43.146093] [ 43.147695] Freed by task 2055: [ 43.150952] save_stack_trace+0x16/0x20 [ 43.154899] kasan_slab_free+0xb0/0x190 [ 43.158849] kmem_cache_free+0xbe/0x310 [ 43.162798] kfree_skbmem+0x9f/0x100 [ 43.166489] kfree_skb+0xd4/0x350 [ 43.169918] ip_defrag+0x620/0x3bc0 [ 43.173530] ipv4_conntrack_defrag+0x1b4/0x2f0 [ 43.178088] nf_iterate+0x12e/0x310 [ 43.181690] nf_hook_slow+0x114/0x1f0 [ 43.185474] ip_rcv+0xb79/0xf90 [ 43.188743] __netif_receive_skb_core+0x1156/0x2990 [ 43.193740] __netif_receive_skb+0x58/0x1c0 [ 43.198035] process_backlog+0x1e8/0x610 [ 43.202084] net_rx_action+0x3aa/0xdd0 [ 43.205972] __do_softirq+0x22d/0x964 [ 43.209745] [ 43.211377] The buggy address belongs to the object at ffff8801c4847140 [ 43.211377] which belongs to the cache skbuff_head_cache of size 224 [ 43.224529] The buggy address is located 136 bytes inside of [ 43.224529] 224-byte region [ffff8801c4847140, ffff8801c4847220) [ 43.236376] The buggy address belongs to the page: [ 43.241289] page:ffffea00071211c0 count:1 mapcount:0 mapping: (null) index:0x0 [ 43.249527] flags: 0x4000000000000080(slab) [ 43.253822] page dumped because: kasan: bad access detected [ 43.259513] [ 43.261117] Memory state around the buggy address: [ 43.266025] ffff8801c4847080: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 43.273360] ffff8801c4847100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 43.280695] >ffff8801c4847180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.288038] ^ [ 43.293730] ffff8801c4847200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 43.301082] ffff8801c4847280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 43.308416] ================================================================== [ 43.315746] Disabling lock debugging due to kernel taint [ 43.321209] Kernel panic - not syncing: panic_on_warn set ... [ 43.321209] [ 43.328565] CPU: 1 PID: 2055 Comm: syz-executor417 Tainted: G B 4.9.153+ #18 [ 43.336854] ffff8801db707890 ffffffff81b47491 ffff8801db707900 ffffffff82e4391a [ 43.344839] 00000000ffffffff 0000000000000001 ffffffff826026fe ffff8801db707970 [ 43.352837] ffffffff813f725a 0000000041b58ab3 ffffffff82e35a42 ffffffff813f7081 [ 43.360827] Call Trace: [ 43.363383] [ 43.365422] [] dump_stack+0xc1/0x120 [ 43.370799] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 43.377354] [] panic+0x1d9/0x3bd [ 43.382348] [] ? add_taint.cold+0x16/0x16 [ 43.388125] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 43.394688] [] kasan_end_report+0x47/0x4f [ 43.400765] [] kasan_report.cold+0xa9/0x2ba [ 43.406714] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 43.413100] [] __asan_report_store4_noabort+0x17/0x20 [ 43.419915] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 43.426298] [] nf_iterate+0x12e/0x310 [ 43.431724] [] nf_hook_slow+0x114/0x1f0 [ 43.437323] [] ? nf_iterate+0x310/0x310 [ 43.442921] [] ip_rcv+0xb79/0xf90 [ 43.448007] [] ? ip_rcv+0x8be/0xf90 [ 43.453263] [] ? ip_local_deliver+0x4d0/0x4d0 [ 43.459385] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 43.466112] [] ? ip_local_deliver+0x4d0/0x4d0 [ 43.472241] [] __netif_receive_skb_core+0x1156/0x2990 [ 43.479080] [] ? dev_loopback_xmit+0x430/0x430 [ 43.485307] [] ? find_busiest_group+0x6320/0x6320 [ 43.491776] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 43.498506] [] ? check_preemption_disabled+0x3c/0x200 [ 43.505322] [] ? process_backlog+0x190/0x610 [ 43.511355] [] __netif_receive_skb+0x58/0x1c0 [ 43.517492] [] process_backlog+0x1e8/0x610 [ 43.523354] [] ? process_backlog+0x190/0x610 [ 43.529390] [] ? trace_hardirqs_on+0x10/0x10 [ 43.535423] [] net_rx_action+0x3aa/0xdd0 [ 43.541108] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 43.548967] [] __do_softirq+0x22d/0x964 [ 43.554568] [] do_softirq_own_stack+0x1c/0x30 [ 43.560682] [ 43.562727] [] do_softirq.part.0+0x62/0x70 [ 43.568612] [] do_softirq+0x18/0x20 [ 43.573866] [] netif_rx_ni+0xbe/0x310 [ 43.579304] [] tun_get_user+0xcd2/0x2430 [ 43.584992] [] ? tun_select_queue+0x400/0x400 [ 43.591113] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 43.597840] [] tun_chr_write_iter+0xda/0x190 [ 43.603872] [] do_iter_readv_writev+0x3d9/0x4b0 [ 43.610166] [] ? vfs_iter_write+0x460/0x460 [ 43.616113] [] ? selinux_file_permission+0x85/0x470 [ 43.622756] [] ? security_file_permission+0x8f/0x1f0 [ 43.629482] [] ? rw_verify_area+0xea/0x2b0 [ 43.635339] [] do_readv_writev+0x2ed/0x7a0 [ 43.641214] [] ? vfs_write+0x520/0x520 [ 43.646727] [] ? __lru_cache_add+0x186/0x250 [ 43.652760] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 43.659402] [] ? _raw_spin_unlock+0x2d/0x50 [ 43.665351] [] ? handle_mm_fault+0x54a/0x2380 [ 43.671476] [] ? vm_insert_page+0x840/0x840 [ 43.677429] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 43.684167] [] vfs_writev+0x89/0xc0 [ 43.689427] [] do_writev+0xe9/0x260 [ 43.694679] [] ? vfs_writev+0xc0/0xc0 [ 43.700104] [] ? SyS_readv+0x30/0x30 [ 43.705441] [] SyS_writev+0x28/0x30 [ 43.710691] [] do_syscall_64+0x1ad/0x570 [ 43.716378] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 43.723612] Kernel Offset: disabled [ 43.727224] Rebooting in 86400 seconds..