executing program
executing program
[   52.495750] ==================================================================
[   52.503147] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[   52.510230] Write of size 4 at addr ffff8801d121dbc8 by task syz-executor584/2091
[   52.517833]
[   52.519443] CPU: 0 PID: 2091 Comm: syz-executor584 Not tainted 4.9.151+ #12
[   52.526603]  ffff8801db607950 ffffffff81b46e21 0000000000000001 ffffea0007448740
[   52.534607]  ffff8801d121dbc8 0000000000000004 ffffffff82601b3e ffff8801db607988
[   52.542618]  ffffffff81502195 0000000000000001 ffff8801d121dbc8 ffff8801d121dbc8
[   52.550693] Call Trace:
[   52.553250]
[   52.555308]  [] dump_stack+0xc1/0x120
[   52.560674]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   52.567333]  [] print_address_description+0x6f/0x238
[   52.573985]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   52.580557]  [] kasan_report.cold+0x8c/0x2ba
[   52.586526]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   52.593112]  [] __asan_report_store4_noabort+0x17/0x20
[   52.599938]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   52.606342]  [] nf_iterate+0x12e/0x310
[   52.611776]  [] nf_hook_slow+0x114/0x1f0
[   52.617395]  [] ? nf_iterate+0x310/0x310
[   52.623130]  [] ip_rcv+0xb79/0xf90
[   52.628230]  [] ? ip_rcv+0x8be/0xf90
[   52.633499]  [] ? ip_local_deliver+0x4d0/0x4d0
[   52.639622]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   52.646356]  [] ? ip_local_deliver+0x4d0/0x4d0
[   52.652480]  [] __netif_receive_skb_core+0x1156/0x2990
[   52.659315]  [] ? dev_loopback_xmit+0x430/0x430
[   52.665527]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   52.672274]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   52.679014]  [] ? check_preemption_disabled+0x3c/0x200
[   52.685841]  [] ? process_backlog+0x190/0x610
[   52.691899]  [] __netif_receive_skb+0x58/0x1c0
[   52.698024]  [] process_backlog+0x1e8/0x610
[   52.703917]  [] ? process_backlog+0x190/0x610
[   52.709959]  [] ? trace_hardirqs_on+0x10/0x10
[   52.715992]  [] net_rx_action+0x3aa/0xdd0
[   52.721680]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   52.729590]  [] __do_softirq+0x22d/0x964
[   52.735201]  [] do_softirq_own_stack+0x1c/0x30
[   52.741314]
[   52.743761]  [] do_softirq.part.0+0x62/0x70
[   52.749650]  [] do_softirq+0x18/0x20
[   52.754899]  [] netif_rx_ni+0xbe/0x310
[   52.760328]  [] tun_get_user+0xcd2/0x2430
[   52.766015]  [] ? tun_select_queue+0x400/0x400
[   52.772135]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   52.778862]  [] tun_chr_write_iter+0xda/0x190
[   52.784980]  [] do_iter_readv_writev+0x3d9/0x4b0
[   52.791278]  [] ? vfs_iter_write+0x460/0x460
[   52.797228]  [] ? selinux_file_permission+0x85/0x470
[   52.803873]  [] ? security_file_permission+0x8f/0x1f0
[   52.810606]  [] ? rw_verify_area+0xea/0x2b0
[   52.816467]  [] do_readv_writev+0x2ed/0x7a0
[   52.822324]  [] ? vfs_write+0x520/0x520
[   52.827839]  [] ? __lru_cache_add+0x186/0x250
[   52.833872]  [] ? __this_cpu_preempt_check+0x1d/0x30
[   52.840570]  [] ? _raw_spin_unlock+0x2d/0x50
[   52.846534]  [] ? handle_mm_fault+0x54a/0x2380
[   52.852767]  [] ? vm_insert_page+0x840/0x840
[   52.858719]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   52.865447]  [] vfs_writev+0x89/0xc0
[   52.870696]  [] do_writev+0xe9/0x260
[   52.875947]  [] ? vfs_writev+0xc0/0xc0
[   52.881376]  [] ? SyS_readv+0x30/0x30
[   52.886751]  [] SyS_writev+0x28/0x30
[   52.892003]  [] do_syscall_64+0x1ad/0x570
[   52.897692]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   52.904591]
[   52.906192] Allocated by task 2091:
[   52.909799]  save_stack_trace+0x16/0x20
[   52.913746]  kasan_kmalloc.part.0+0x62/0xf0
[   52.918068]  kasan_kmalloc+0xb7/0xd0
[   52.921757]  kasan_slab_alloc+0xf/0x20
[   52.925618]  kmem_cache_alloc+0xd5/0x2b0
[   52.929653]  __alloc_skb+0xe7/0x5e0
[   52.933254]  alloc_skb_with_frags+0xb0/0x4f0
[   52.937638]  sock_alloc_send_pskb+0x5ec/0x760
[   52.942125]  tun_get_user+0x53b/0x2430
[   52.945986]  tun_chr_write_iter+0xda/0x190
[   52.950197]  do_iter_readv_writev+0x3d9/0x4b0
[   52.954680]  do_readv_writev+0x2ed/0x7a0
[   52.958833]  vfs_writev+0x89/0xc0
[   52.962264]  do_writev+0xe9/0x260
[   52.965687]  SyS_writev+0x28/0x30
[   52.969114]  do_syscall_64+0x1ad/0x570
[   52.972987]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   52.978059]
[   52.979660] Freed by task 2091:
[   52.982917]  save_stack_trace+0x16/0x20
[   52.986872]  kasan_slab_free+0xb0/0x190
[   52.990823]  kmem_cache_free+0xbe/0x310
[   52.994780]  kfree_skbmem+0x9f/0x100
[   52.998480]  kfree_skb+0xd4/0x350
[   53.001922]  ip_defrag+0x620/0x3bc0
[   53.005525]  ipv4_conntrack_defrag+0x1b4/0x2f0
[   53.010090]  nf_iterate+0x12e/0x310
[   53.013689]  nf_hook_slow+0x114/0x1f0
[   53.017463]  ip_rcv+0xb79/0xf90
[   53.020718]  __netif_receive_skb_core+0x1156/0x2990
[   53.025715]  __netif_receive_skb+0x58/0x1c0
[   53.030012]  process_backlog+0x1e8/0x610
[   53.034049]  net_rx_action+0x3aa/0xdd0
[   53.037996]  __do_softirq+0x22d/0x964
[   53.041772]
[   53.043374] The buggy address belongs to the object at ffff8801d121db40
[   53.043374]  which belongs to the cache skbuff_head_cache of size 224
[   53.056632] The buggy address is located 136 bytes inside of
[   53.056632]  224-byte region [ffff8801d121db40, ffff8801d121dc20)
[   53.068491] The buggy address belongs to the page:
[   53.073398] page:ffffea0007448740 count:1 mapcount:0 mapping: (null) index:0x0
[   53.081667] flags: 0x4000000000000080(slab)
[   53.085956] page dumped because: kasan: bad access detected
[   53.091637]
[   53.093235] Memory state around the buggy address:
[   53.098167]  ffff8801d121da80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   53.105502]  ffff8801d121db00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   53.112838] >ffff8801d121db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.120169]                                               ^
[   53.125869]  ffff8801d121dc00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   53.133201]  ffff8801d121dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.140539] ==================================================================
[   53.147874] Disabling lock debugging due to kernel taint
[   53.153389] Kernel panic - not syncing: panic_on_warn set ...
[   53.153389]
[   53.160741] CPU: 0 PID: 2091 Comm: syz-executor584 Tainted: G B 4.9.151+ #12
[   53.169029]  ffff8801db607890 ffffffff81b46e21 ffff8801db607900 ffffffff82e43922
[   53.177018]  00000000ffffffff 0000000000000000 ffffffff82601b3e ffff8801db607970
[   53.185009]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081
[   53.192983] Call Trace:
[   53.195540]
[   53.197578]  [] dump_stack+0xc1/0x120
[   53.202934]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   53.209484]  [] panic+0x1d9/0x3bd
[   53.214469]  [] ? add_taint.cold+0x16/0x16
[   53.220235]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   53.226785]  [] kasan_end_report+0x47/0x4f
[   53.232557]  [] kasan_report.cold+0xa9/0x2ba
[   53.238498]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   53.244874]  [] __asan_report_store4_noabort+0x17/0x20
[   53.251686]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   53.258063]  [] nf_iterate+0x12e/0x310
[   53.263484]  [] nf_hook_slow+0x114/0x1f0
[   53.269077]  [] ? nf_iterate+0x310/0x310
[   53.274703]  [] ip_rcv+0xb79/0xf90
[   53.279774]  [] ? ip_rcv+0x8be/0xf90
[   53.285074]  [] ? ip_local_deliver+0x4d0/0x4d0
[   53.291196]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   53.297922]  [] ? ip_local_deliver+0x4d0/0x4d0
[   53.304040]  [] __netif_receive_skb_core+0x1156/0x2990
[   53.311205]  [] ? dev_loopback_xmit+0x430/0x430
[   53.317409]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   53.324131]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   53.330855]  [] ? check_preemption_disabled+0x3c/0x200
[   53.337665]  [] ? process_backlog+0x190/0x610
[   53.343696]  [] __netif_receive_skb+0x58/0x1c0
[   53.349814]  [] process_backlog+0x1e8/0x610
[   53.355666]  [] ? process_backlog+0x190/0x610
[   53.361836]  [] ? trace_hardirqs_on+0x10/0x10
[   53.367870]  [] net_rx_action+0x3aa/0xdd0
[   53.373554]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   53.381412]  [] __do_softirq+0x22d/0x964
[   53.387008]  [] do_softirq_own_stack+0x1c/0x30
[   53.393122]
[   53.395159]  [] do_softirq.part.0+0x62/0x70
[   53.401038]  [] do_softirq+0x18/0x20
[   53.406283]  [] netif_rx_ni+0xbe/0x310
[   53.411707]  [] tun_get_user+0xcd2/0x2430
[   53.417395]  [] ? tun_select_queue+0x400/0x400
[   53.423517]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   53.430248]  [] tun_chr_write_iter+0xda/0x190
[   53.436279]  [] do_iter_readv_writev+0x3d9/0x4b0
[   53.442567]  [] ? vfs_iter_write+0x460/0x460
[   53.448514]  [] ? selinux_file_permission+0x85/0x470
[   53.455158]  [] ? security_file_permission+0x8f/0x1f0
[   53.461891]  [] ? rw_verify_area+0xea/0x2b0
[   53.467748]  [] do_readv_writev+0x2ed/0x7a0
[   53.473606]  [] ? vfs_write+0x520/0x520
[   53.479124]  [] ? __lru_cache_add+0x186/0x250
[   53.485157]  [] ? __this_cpu_preempt_check+0x1d/0x30
[   53.491798]  [] ? _raw_spin_unlock+0x2d/0x50
[   53.497743]  [] ? handle_mm_fault+0x54a/0x2380
[   53.503861]  [] ? vm_insert_page+0x840/0x840
[   53.510080]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   53.516805]  [] vfs_writev+0x89/0xc0
[   53.522053]  [] do_writev+0xe9/0x260
[   53.527310]  [] ? vfs_writev+0xc0/0xc0
[   53.532731]  [] ? SyS_readv+0x30/0x30
[   53.538064]  [] SyS_writev+0x28/0x30
[   53.543315]  [] do_syscall_64+0x1ad/0x570
[   53.549017]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   53.556246] Kernel Offset: disabled
[   53.559852] Rebooting in 86400 seconds..