[....] Starting periodic command scheduler: cron [ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 9.729202] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 27.635423] random: sshd: uninitialized urandom read (32 bytes read) [ 27.663509] random: crng init done Warning: Permanently added '10.128.0.203' (ECDSA) to the list of known hosts. executing program executing program [ 34.375613] ================================================================== [ 34.382990] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0 [ 34.390063] Write of size 4 at addr ffff8801cf74c308 by task syz-executor676/2054 [ 34.397651] [ 34.399256] CPU: 0 PID: 2054 Comm: syz-executor676 Not tainted 4.9.151+ #12 [ 34.406333] ffff8801db607950 ffffffff81b46e21 0000000000000001 ffffea00073dd300 [ 34.414340] ffff8801cf74c308 0000000000000004 ffffffff82601b3e ffff8801db607988 [ 34.422334] ffffffff81502195 0000000000000001 ffff8801cf74c308 ffff8801cf74c308 [ 34.430430] Call Trace: [ 34.432990] [ 34.435035] [] dump_stack+0xc1/0x120 [ 34.440543] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 34.447107] [] print_address_description+0x6f/0x238 [ 34.453795] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 34.460358] [] kasan_report.cold+0x8c/0x2ba [ 34.466312] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 34.472693] [] __asan_report_store4_noabort+0x17/0x20 [ 34.479516] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 34.485907] [] nf_iterate+0x12e/0x310 [ 34.491333] [] nf_hook_slow+0x114/0x1f0 [ 34.496940] [] ? nf_iterate+0x310/0x310 [ 34.502545] [] ip_rcv+0xb79/0xf90 [ 34.507623] [] ? ip_rcv+0x8be/0xf90 [ 34.512872] [] ? ip_local_deliver+0x4d0/0x4d0 [ 34.519001] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 34.525732] [] ? 
ip_local_deliver+0x4d0/0x4d0 [ 34.531852] [] __netif_receive_skb_core+0x1156/0x2990 [ 34.538669] [] ? dev_loopback_xmit+0x430/0x430 [ 34.544884] [] ? find_busiest_group+0x6320/0x6320 [ 34.551355] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 34.558098] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 34.564833] [] ? check_preemption_disabled+0x3c/0x200 [ 34.571765] [] ? process_backlog+0x190/0x610 [ 34.577821] [] __netif_receive_skb+0x58/0x1c0 [ 34.583940] [] process_backlog+0x1e8/0x610 [ 34.589799] [] ? process_backlog+0x190/0x610 [ 34.595836] [] ? trace_hardirqs_on+0x10/0x10 [ 34.601885] [] net_rx_action+0x3aa/0xdd0 [ 34.607664] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 34.615522] [] __do_softirq+0x22d/0x964 [ 34.621121] [] do_softirq_own_stack+0x1c/0x30 [ 34.627236] [ 34.629274] [] do_softirq.part.0+0x62/0x70 [ 34.635152] [] do_softirq+0x18/0x20 [ 34.640410] [] netif_rx_ni+0xbe/0x310 [ 34.645839] [] tun_get_user+0xcd2/0x2430 [ 34.651530] [] ? tun_select_queue+0x400/0x400 [ 34.657661] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 34.664418] [] tun_chr_write_iter+0xda/0x190 [ 34.670519] [] do_iter_readv_writev+0x3d9/0x4b0 [ 34.676828] [] ? vfs_iter_write+0x460/0x460 [ 34.682788] [] ? selinux_file_permission+0x85/0x470 [ 34.689431] [] ? security_file_permission+0x8f/0x1f0 [ 34.696165] [] ? rw_verify_area+0xea/0x2b0 [ 34.702029] [] do_readv_writev+0x2ed/0x7a0 [ 34.707896] [] ? vfs_write+0x520/0x520 [ 34.713416] [] ? __lru_cache_add+0x186/0x250 [ 34.719460] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 34.726113] [] ? _raw_spin_unlock+0x2d/0x50 [ 34.732060] [] ? handle_mm_fault+0x54a/0x2380 [ 34.738180] [] ? vm_insert_page+0x840/0x840 [ 34.744132] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 34.750861] [] vfs_writev+0x89/0xc0 [ 34.756293] [] do_writev+0xe9/0x260 [ 34.761547] [] ? vfs_writev+0xc0/0xc0 [ 34.766972] [] ? 
SyS_readv+0x30/0x30 [ 34.772309] [] SyS_writev+0x28/0x30 [ 34.777571] [] do_syscall_64+0x1ad/0x570 [ 34.783269] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 34.790168] [ 34.791774] Allocated by task 2054: [ 34.795378] save_stack_trace+0x16/0x20 [ 34.799330] kasan_kmalloc.part.0+0x62/0xf0 [ 34.803646] kasan_kmalloc+0xb7/0xd0 [ 34.807354] kasan_slab_alloc+0xf/0x20 [ 34.811223] kmem_cache_alloc+0xd5/0x2b0 [ 34.815260] __alloc_skb+0xe7/0x5e0 [ 34.818862] alloc_skb_with_frags+0xb0/0x4f0 [ 34.823246] sock_alloc_send_pskb+0x5ec/0x760 [ 34.827724] tun_get_user+0x53b/0x2430 [ 34.831636] tun_chr_write_iter+0xda/0x190 [ 34.835854] do_iter_readv_writev+0x3d9/0x4b0 [ 34.840324] do_readv_writev+0x2ed/0x7a0 [ 34.844376] vfs_writev+0x89/0xc0 [ 34.847806] do_writev+0xe9/0x260 [ 34.851240] SyS_writev+0x28/0x30 [ 34.854670] do_syscall_64+0x1ad/0x570 [ 34.858542] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 34.863617] [ 34.865219] Freed by task 2054: [ 34.868474] save_stack_trace+0x16/0x20 [ 34.872422] kasan_slab_free+0xb0/0x190 [ 34.876371] kmem_cache_free+0xbe/0x310 [ 34.880322] kfree_skbmem+0x9f/0x100 [ 34.884029] kfree_skb+0xd4/0x350 [ 34.887460] ip_defrag+0x620/0x3bc0 [ 34.891062] ipv4_conntrack_defrag+0x1b4/0x2f0 [ 34.895620] nf_iterate+0x12e/0x310 [ 34.899222] nf_hook_slow+0x114/0x1f0 [ 34.902998] ip_rcv+0xb79/0xf90 [ 34.906255] __netif_receive_skb_core+0x1156/0x2990 [ 34.911245] __netif_receive_skb+0x58/0x1c0 [ 34.915540] process_backlog+0x1e8/0x610 [ 34.919584] net_rx_action+0x3aa/0xdd0 [ 34.923507] __do_softirq+0x22d/0x964 [ 34.927331] [ 34.928962] The buggy address belongs to the object at ffff8801cf74c280 [ 34.928962] which belongs to the cache skbuff_head_cache of size 224 [ 34.942119] The buggy address is located 136 bytes inside of [ 34.942119] 224-byte region [ffff8801cf74c280, ffff8801cf74c360) [ 34.953972] The buggy address belongs to the page: [ 34.958881] page:ffffea00073dd300 count:1 mapcount:0 mapping: (null) index:0x0 [ 34.967126] flags: 0x4000000000000080(slab) [ 
34.971421] page dumped because: kasan: bad access detected [ 34.977104] [ 34.978711] Memory state around the buggy address: [ 34.983678] ffff8801cf74c200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc [ 34.991018] ffff8801cf74c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.998367] >ffff8801cf74c300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 35.005706] ^ [ 35.009306] ffff8801cf74c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 35.016685] ffff8801cf74c400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 35.024028] ================================================================== [ 35.031367] Disabling lock debugging due to kernel taint [ 35.036844] Kernel panic - not syncing: panic_on_warn set ... [ 35.036844] [ 35.044190] CPU: 0 PID: 2054 Comm: syz-executor676 Tainted: G B 4.9.151+ #12 [ 35.052478] ffff8801db607890 ffffffff81b46e21 ffff8801db607900 ffffffff82e43922 [ 35.060508] 00000000ffffffff 0000000000000000 ffffffff82601b3e ffff8801db607970 [ 35.068534] ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081 [ 35.076538] Call Trace: [ 35.079096] [ 35.081139] [] dump_stack+0xc1/0x120 [ 35.086568] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 35.093132] [] panic+0x1d9/0x3bd [ 35.098122] [] ? add_taint.cold+0x16/0x16 [ 35.103898] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 35.110453] [] kasan_end_report+0x47/0x4f [ 35.116242] [] kasan_report.cold+0xa9/0x2ba [ 35.122207] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 35.128601] [] __asan_report_store4_noabort+0x17/0x20 [ 35.135428] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 35.141813] [] nf_iterate+0x12e/0x310 [ 35.147240] [] nf_hook_slow+0x114/0x1f0 [ 35.152848] [] ? nf_iterate+0x310/0x310 [ 35.158461] [] ip_rcv+0xb79/0xf90 [ 35.163548] [] ? ip_rcv+0x8be/0xf90 [ 35.168802] [] ? ip_local_deliver+0x4d0/0x4d0 [ 35.174922] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 35.181759] [] ? ip_local_deliver+0x4d0/0x4d0 [ 35.187929] [] __netif_receive_skb_core+0x1156/0x2990 [ 35.194755] [] ? 
dev_loopback_xmit+0x430/0x430 [ 35.200972] [] ? find_busiest_group+0x6320/0x6320 [ 35.207440] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 35.214173] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 35.220906] [] ? check_preemption_disabled+0x3c/0x200 [ 35.227730] [] ? process_backlog+0x190/0x610 [ 35.233776] [] __netif_receive_skb+0x58/0x1c0 [ 35.239901] [] process_backlog+0x1e8/0x610 [ 35.245762] [] ? process_backlog+0x190/0x610 [ 35.251799] [] ? trace_hardirqs_on+0x10/0x10 [ 35.257837] [] net_rx_action+0x3aa/0xdd0 [ 35.263535] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 35.271405] [] __do_softirq+0x22d/0x964 [ 35.277009] [] do_softirq_own_stack+0x1c/0x30 [ 35.283129] [ 35.285170] [] do_softirq.part.0+0x62/0x70 [ 35.291050] [] do_softirq+0x18/0x20 [ 35.296321] [] netif_rx_ni+0xbe/0x310 [ 35.301758] [] tun_get_user+0xcd2/0x2430 [ 35.307445] [] ? tun_select_queue+0x400/0x400 [ 35.313567] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 35.320296] [] tun_chr_write_iter+0xda/0x190 [ 35.326376] [] do_iter_readv_writev+0x3d9/0x4b0 [ 35.332670] [] ? vfs_iter_write+0x460/0x460 [ 35.338619] [] ? selinux_file_permission+0x85/0x470 [ 35.345270] [] ? security_file_permission+0x8f/0x1f0 [ 35.352007] [] ? rw_verify_area+0xea/0x2b0 [ 35.357870] [] do_readv_writev+0x2ed/0x7a0 [ 35.363728] [] ? vfs_write+0x520/0x520 [ 35.369243] [] ? __lru_cache_add+0x186/0x250 [ 35.375283] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 35.382114] [] ? _raw_spin_unlock+0x2d/0x50 [ 35.388061] [] ? handle_mm_fault+0x54a/0x2380 [ 35.394190] [] ? vm_insert_page+0x840/0x840 [ 35.400140] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 35.406867] [] vfs_writev+0x89/0xc0 [ 35.412117] [] do_writev+0xe9/0x260 [ 35.417475] [] ? vfs_writev+0xc0/0xc0 [ 35.423598] [] ? SyS_readv+0x30/0x30 [ 35.428945] [] SyS_writev+0x28/0x30 [ 35.434198] [] do_syscall_64+0x1ad/0x570 [ 35.439885] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 35.447191] Kernel Offset: disabled [ 35.450806] Rebooting in 86400 seconds..