[ ok ] Starting periodic command scheduler: cron. Starting mcstransd: [ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd[ 10.496141] random: sshd: uninitialized urandom read (32 bytes read) . [ 11.073760] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.210' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 31.961859] ================================================================== [ 31.963095] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0 [ 31.964191] Write of size 4 at addr ffff8801d6785bc8 by task syz-executor248/2058 [ 31.965310] [ 31.965594] CPU: 0 PID: 2058 Comm: syz-executor248 Not tainted 4.9.149+ #5 [ 31.966596] ffff8801db607950 ffffffff81b47f01 0000000000000001 ffffea000759e140 [ 31.968069] ffff8801d6785bc8 0000000000000004 ffffffff826026be ffff8801db607988 [ 31.969320] ffffffff815020d5 0000000000000001 ffff8801d6785bc8 ffff8801d6785bc8 [ 31.970578] Call Trace: [ 31.970985] [ 31.971280] [] dump_stack+0xc1/0x120 [ 31.972347] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 31.973290] [] print_address_description+0x6f/0x238 [ 31.974199] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 31.975100] [] kasan_report.cold+0x8c/0x2ba [ 31.975935] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 31.976841] [] __asan_report_store4_noabort+0x17/0x20 [ 31.977887] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 31.978797] [] nf_iterate+0x12e/0x310 [ 31.979599] [] nf_hook_slow+0x114/0x1f0 [ 31.980464] [] ? nf_iterate+0x310/0x310 [ 31.981300] [] ip_rcv+0xb79/0xf90 [ 31.982488] [] ? ip_rcv+0x8be/0xf90 [ 31.987758] [] ? ip_local_deliver+0x4d0/0x4d0 [ 31.993879] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 32.000731] [] ? ip_local_deliver+0x4d0/0x4d0 [ 32.006861] [] __netif_receive_skb_core+0x1156/0x2990 [ 32.013684] [] ? dev_loopback_xmit+0x430/0x430 [ 32.019893] [] ? 
debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.026624] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.033352] [] ? check_preemption_disabled+0x3c/0x200 [ 32.040169] [] ? process_backlog+0x190/0x610 [ 32.046224] [] __netif_receive_skb+0x58/0x1c0 [ 32.052347] [] process_backlog+0x1e8/0x610 [ 32.058207] [] ? process_backlog+0x190/0x610 [ 32.064240] [] ? trace_hardirqs_on+0x10/0x10 [ 32.070273] [] net_rx_action+0x3aa/0xdd0 [ 32.075960] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 32.083818] [] __do_softirq+0x22d/0x964 [ 32.089418] [] do_softirq_own_stack+0x1c/0x30 [ 32.095547] [ 32.097588] [] do_softirq.part.0+0x62/0x70 [ 32.103469] [] do_softirq+0x18/0x20 [ 32.108831] [] netif_rx_ni+0xbe/0x310 [ 32.114274] [] tun_get_user+0xcd2/0x2430 [ 32.119960] [] ? tun_select_queue+0x400/0x400 [ 32.126082] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.132812] [] tun_chr_write_iter+0xda/0x190 [ 32.138848] [] do_iter_readv_writev+0x3d9/0x4b0 [ 32.145177] [] ? vfs_iter_write+0x460/0x460 [ 32.151127] [] ? selinux_file_permission+0x85/0x470 [ 32.157768] [] ? security_file_permission+0x8f/0x1f0 [ 32.164500] [] ? rw_verify_area+0xea/0x2b0 [ 32.170383] [] do_readv_writev+0x2ed/0x7a0 [ 32.176240] [] ? vfs_write+0x520/0x520 [ 32.181765] [] ? __lru_cache_add+0x186/0x250 [ 32.187813] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 32.194469] [] ? _raw_spin_unlock+0x2d/0x50 [ 32.200430] [] ? handle_mm_fault+0x54a/0x2380 [ 32.206550] [] ? vm_insert_page+0x840/0x840 [ 32.212516] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.219243] [] vfs_writev+0x89/0xc0 [ 32.224496] [] do_writev+0xe9/0x260 [ 32.229747] [] ? vfs_writev+0xc0/0xc0 [ 32.235198] [] ? 
SyS_readv+0x30/0x30 [ 32.240541] [] SyS_writev+0x28/0x30 [ 32.245796] [] do_syscall_64+0x1ad/0x570 [ 32.251492] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 32.258394] [ 32.259996] Allocated by task 2058: [ 32.263602] save_stack_trace+0x16/0x20 [ 32.267555] kasan_kmalloc.part.0+0x62/0xf0 [ 32.271858] kasan_kmalloc+0xb7/0xd0 [ 32.275544] kasan_slab_alloc+0xf/0x20 [ 32.279406] kmem_cache_alloc+0xd5/0x2b0 [ 32.283438] __alloc_skb+0xe7/0x5e0 [ 32.287039] alloc_skb_with_frags+0xb0/0x4f0 [ 32.291425] sock_alloc_send_pskb+0x5ec/0x760 [ 32.295902] tun_get_user+0x53b/0x2430 [ 32.299811] tun_chr_write_iter+0xda/0x190 [ 32.304028] do_iter_readv_writev+0x3d9/0x4b0 [ 32.308499] do_readv_writev+0x2ed/0x7a0 [ 32.312557] vfs_writev+0x89/0xc0 [ 32.315984] do_writev+0xe9/0x260 [ 32.319410] SyS_writev+0x28/0x30 [ 32.322900] do_syscall_64+0x1ad/0x570 [ 32.326792] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 32.331869] [ 32.333479] Freed by task 2058: [ 32.336736] save_stack_trace+0x16/0x20 [ 32.340705] kasan_slab_free+0xb0/0x190 [ 32.344652] kmem_cache_free+0xbe/0x310 [ 32.348626] kfree_skbmem+0x9f/0x100 [ 32.352341] kfree_skb+0xd4/0x350 [ 32.355767] ip_defrag+0x620/0x3bc0 [ 32.359376] ipv4_conntrack_defrag+0x1b4/0x2f0 [ 32.363932] nf_iterate+0x12e/0x310 [ 32.367536] nf_hook_slow+0x114/0x1f0 [ 32.371307] ip_rcv+0xb79/0xf90 [ 32.374560] __netif_receive_skb_core+0x1156/0x2990 [ 32.379556] __netif_receive_skb+0x58/0x1c0 [ 32.383852] process_backlog+0x1e8/0x610 [ 32.387888] net_rx_action+0x3aa/0xdd0 [ 32.391750] __do_softirq+0x22d/0x964 [ 32.395524] [ 32.397139] The buggy address belongs to the object at ffff8801d6785b40 [ 32.397139] which belongs to the cache skbuff_head_cache of size 224 [ 32.410311] The buggy address is located 136 bytes inside of [ 32.410311] 224-byte region [ffff8801d6785b40, ffff8801d6785c20) [ 32.422262] The buggy address belongs to the page: [ 32.427185] page:ffffea000759e140 count:1 mapcount:0 mapping: (null) index:0x0 [ 32.435417] flags: 0x4000000000000080(slab) [ 
32.439723] page dumped because: kasan: bad access detected [ 32.445400] [ 32.447001] Memory state around the buggy address: [ 32.451912] ffff8801d6785a80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 32.459242] ffff8801d6785b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 32.466574] >ffff8801d6785b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.473906] ^ [ 32.479591] ffff8801d6785c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 32.486924] ffff8801d6785c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.494255] ================================================================== [ 32.501708] Disabling lock debugging due to kernel taint [ 32.507198] Kernel panic - not syncing: panic_on_warn set ... [ 32.507198] [ 32.514550] CPU: 0 PID: 2058 Comm: syz-executor248 Tainted: G B 4.9.149+ #5 [ 32.522759] ffff8801db607890 ffffffff81b47f01 ffff8801db607900 ffffffff82e4386a [ 32.530766] 00000000ffffffff 0000000000000000 ffffffff826026be ffff8801db607970 [ 32.538770] ffffffff813f727a 0000000041b58ab3 ffffffff82e35992 ffffffff813f70a1 [ 32.546762] Call Trace: [ 32.549317] [ 32.551353] [] dump_stack+0xc1/0x120 [ 32.556726] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 32.563284] [] panic+0x1d9/0x3bd [ 32.568281] [] ? add_taint.cold+0x16/0x16 [ 32.574052] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 32.580608] [] kasan_end_report+0x47/0x4f [ 32.586382] [] kasan_report.cold+0xa9/0x2ba [ 32.592329] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 32.598710] [] __asan_report_store4_noabort+0x17/0x20 [ 32.605522] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 32.611902] [] nf_iterate+0x12e/0x310 [ 32.617325] [] nf_hook_slow+0x114/0x1f0 [ 32.622923] [] ? nf_iterate+0x310/0x310 [ 32.628523] [] ip_rcv+0xb79/0xf90 [ 32.633602] [] ? ip_rcv+0x8be/0xf90 [ 32.638852] [] ? ip_local_deliver+0x4d0/0x4d0 [ 32.644991] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 32.651844] [] ? ip_local_deliver+0x4d0/0x4d0 [ 32.657964] [] __netif_receive_skb_core+0x1156/0x2990 [ 32.664796] [] ? 
dev_loopback_xmit+0x430/0x430 [ 32.671007] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.677738] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.684471] [] ? check_preemption_disabled+0x3c/0x200 [ 32.691400] [] ? process_backlog+0x190/0x610 [ 32.697437] [] __netif_receive_skb+0x58/0x1c0 [ 32.703557] [] process_backlog+0x1e8/0x610 [ 32.709418] [] ? process_backlog+0x190/0x610 [ 32.715452] [] ? trace_hardirqs_on+0x10/0x10 [ 32.721491] [] net_rx_action+0x3aa/0xdd0 [ 32.727211] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 32.735084] [] __do_softirq+0x22d/0x964 [ 32.740686] [] do_softirq_own_stack+0x1c/0x30 [ 32.746806] [ 32.748848] [] do_softirq.part.0+0x62/0x70 [ 32.754725] [] do_softirq+0x18/0x20 [ 32.759976] [] netif_rx_ni+0xbe/0x310 [ 32.765399] [] tun_get_user+0xcd2/0x2430 [ 32.771097] [] ? tun_select_queue+0x400/0x400 [ 32.777217] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.784054] [] tun_chr_write_iter+0xda/0x190 [ 32.790091] [] do_iter_readv_writev+0x3d9/0x4b0 [ 32.796387] [] ? vfs_iter_write+0x460/0x460 [ 32.802334] [] ? selinux_file_permission+0x85/0x470 [ 32.808975] [] ? security_file_permission+0x8f/0x1f0 [ 32.815705] [] ? rw_verify_area+0xea/0x2b0 [ 32.821563] [] do_readv_writev+0x2ed/0x7a0 [ 32.827421] [] ? vfs_write+0x520/0x520 [ 32.832933] [] ? __lru_cache_add+0x186/0x250 [ 32.838969] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 32.845608] [] ? _raw_spin_unlock+0x2d/0x50 [ 32.851571] [] ? handle_mm_fault+0x54a/0x2380 [ 32.857694] [] ? vm_insert_page+0x840/0x840 [ 32.863642] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.870373] [] vfs_writev+0x89/0xc0 [ 32.875620] [] do_writev+0xe9/0x260 [ 32.880871] [] ? vfs_writev+0xc0/0xc0 [ 32.886301] [] ? SyS_readv+0x30/0x30 [ 32.891647] [] SyS_writev+0x28/0x30 [ 32.896910] [] do_syscall_64+0x1ad/0x570 [ 32.902594] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 32.909947] Kernel Offset: disabled [ 32.913562] Rebooting in 86400 seconds..