[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[    9.768310] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   37.600574] random: crng init done
Warning: Permanently added '10.128.0.239' (ECDSA) to the list of known hosts.
executing program
executing program
[   45.396357] ==================================================================
[   45.403771] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[   45.410973] Write of size 4 at addr ffff8801cf258808 by task syz-executor671/2058
[   45.418561]
[   45.420270] CPU: 1 PID: 2058 Comm: syz-executor671 Not tainted 4.9.151+ #12
[   45.427343]  ffff8801db707950 ffffffff81b46e21 0000000000000001 ffffea00073c9600
[   45.435320]  ffff8801cf258808 0000000000000004 ffffffff82601b3e ffff8801db707988
[   45.443295]  ffffffff81502195 0000000000000001 ffff8801cf258808 ffff8801cf258808
[   45.451293] Call Trace:
[   45.453849]
[   45.455884]  dump_stack+0xc1/0x120
[   45.461238]  ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   45.467789]  print_address_description+0x6f/0x238
[   45.474427]  ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   45.480977]  kasan_report.cold+0x8c/0x2ba
[   45.486920]  ? nf_defrag_ipv4_enable+0x10/0x10
[   45.493356]  __asan_report_store4_noabort+0x17/0x20
[   45.500182]  ipv4_conntrack_defrag+0x2ae/0x2f0
[   45.506570]  nf_iterate+0x12e/0x310
[   45.511994]  nf_hook_slow+0x114/0x1f0
[   45.517587]  ? nf_iterate+0x310/0x310
[   45.523184]  ip_rcv+0xb79/0xf90
[   45.528344]  ? ip_rcv+0x8be/0xf90
[   45.533648]  ? ip_local_deliver+0x4d0/0x4d0
[   45.539773]  ? ip_local_deliver_finish+0xa70/0xa70
[   45.546501]  ? ip_local_deliver+0x4d0/0x4d0
[   45.552618]  __netif_receive_skb_core+0x1156/0x2990
[   45.559431]  ? dev_loopback_xmit+0x430/0x430
[   45.565642]  ? find_busiest_group+0x6320/0x6320
[   45.572109]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[   45.578834]  ? check_preemption_disabled+0x3c/0x200
[   45.585646]  ? process_backlog+0x190/0x610
[   45.591675]  __netif_receive_skb+0x58/0x1c0
[   45.597798]  process_backlog+0x1e8/0x610
[   45.603652]  ? process_backlog+0x190/0x610
[   45.609681]  ? trace_hardirqs_on+0x10/0x10
[   45.615727]  net_rx_action+0x3aa/0xdd0
[   45.621462]  ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   45.629323]  __do_softirq+0x22d/0x964
[   45.634919]  do_softirq_own_stack+0x1c/0x30
[   45.641036]
[   45.643072]  do_softirq.part.0+0x62/0x70
[   45.648946]  do_softirq+0x18/0x20
[   45.654232]  netif_rx_ni+0xbe/0x310
[   45.659664]  tun_get_user+0xcd2/0x2430
[   45.665349]  ? tun_select_queue+0x400/0x400
[   45.671466]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[   45.678188]  tun_chr_write_iter+0xda/0x190
[   45.684220]  do_iter_readv_writev+0x3d9/0x4b0
[   45.690516]  ? vfs_iter_write+0x460/0x460
[   45.696479]  ? selinux_file_permission+0x85/0x470
[   45.703117]  ? security_file_permission+0x8f/0x1f0
[   45.709839]  ? rw_verify_area+0xea/0x2b0
[   45.715702]  do_readv_writev+0x2ed/0x7a0
[   45.721622]  ? vfs_write+0x520/0x520
[   45.727189]  ? __lru_cache_add+0x186/0x250
[   45.733227]  ? __this_cpu_preempt_check+0x1d/0x30
[   45.739871]  ? _raw_spin_unlock+0x2d/0x50
[   45.745860]  ? handle_mm_fault+0x54a/0x2380
[   45.751983]  ? vm_insert_page+0x840/0x840
[   45.757928]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[   45.764653]  vfs_writev+0x89/0xc0
[   45.769902]  do_writev+0xe9/0x260
[   45.775156]  ? vfs_writev+0xc0/0xc0
[   45.780581]  ? SyS_readv+0x30/0x30
[   45.785921]  SyS_writev+0x28/0x30
[   45.791169]  do_syscall_64+0x1ad/0x570
[   45.796855]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   45.803756]
[   45.805361] Allocated by task 2058:
[   45.808990]  save_stack_trace+0x16/0x20
[   45.812937]  kasan_kmalloc.part.0+0x62/0xf0
[   45.817231]  kasan_kmalloc+0xb7/0xd0
[   45.820915]  kasan_slab_alloc+0xf/0x20
[   45.824771]  kmem_cache_alloc+0xd5/0x2b0
[   45.828807]  __alloc_skb+0xe7/0x5e0
[   45.832412]  alloc_skb_with_frags+0xb0/0x4f0
[   45.836794]  sock_alloc_send_pskb+0x5ec/0x760
[   45.841259]  tun_get_user+0x53b/0x2430
[   45.845120]  tun_chr_write_iter+0xda/0x190
[   45.849324]  do_iter_readv_writev+0x3d9/0x4b0
[   45.853791]  do_readv_writev+0x2ed/0x7a0
[   45.857821]  vfs_writev+0x89/0xc0
[   45.861251]  do_writev+0xe9/0x260
[   45.864689]  SyS_writev+0x28/0x30
[   45.868118]  do_syscall_64+0x1ad/0x570
[   45.872081]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   45.877155]
[   45.878755] Freed by task 2058:
[   45.882007]  save_stack_trace+0x16/0x20
[   45.885951]  kasan_slab_free+0xb0/0x190
[   45.889897]  kmem_cache_free+0xbe/0x310
[   45.893844]  kfree_skbmem+0x9f/0x100
[   45.897525]  kfree_skb+0xd4/0x350
[   45.900948]  ip_defrag+0x620/0x3bc0
[   45.904560]  ipv4_conntrack_defrag+0x1b4/0x2f0
[   45.909115]  nf_iterate+0x12e/0x310
[   45.912717]  nf_hook_slow+0x114/0x1f0
[   45.916490]  ip_rcv+0xb79/0xf90
[   45.919738]  __netif_receive_skb_core+0x1156/0x2990
[   45.924735]  __netif_receive_skb+0x58/0x1c0
[   45.929032]  process_backlog+0x1e8/0x610
[   45.933069]  net_rx_action+0x3aa/0xdd0
[   45.936929]  __do_softirq+0x22d/0x964
[   45.940705]
[   45.942308] The buggy address belongs to the object at ffff8801cf258780
[   45.942308]  which belongs to the cache skbuff_head_cache of size 224
[   45.955454] The buggy address is located 136 bytes inside of
[   45.955454]  224-byte region [ffff8801cf258780, ffff8801cf258860)
[   45.967301] The buggy address belongs to the page:
[   45.972205] page:ffffea00073c9600 count:1 mapcount:0 mapping:          (null) index:0xffff8801cf258dc0
[   45.981745] flags: 0x4000000000000080(slab)
[   45.986036] page dumped because: kasan: bad access detected
[   45.991716]
[   45.993314] Memory state around the buggy address:
[   45.998214]  ffff8801cf258700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   46.005544]  ffff8801cf258780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.012875] >ffff8801cf258800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   46.020203]                       ^
[   46.023798]  ffff8801cf258880: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   46.031194]  ffff8801cf258900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.038534] ==================================================================
[   46.045866] Disabling lock debugging due to kernel taint
[   46.051341] Kernel panic - not syncing: panic_on_warn set ...
[   46.051341]
[   46.058678] CPU: 1 PID: 2058 Comm: syz-executor671 Tainted: G    B   4.9.151+ #12
[   46.066973]  ffff8801db707890 ffffffff81b46e21 ffff8801db707900 ffffffff82e43922
[   46.074957]  00000000ffffffff 0000000000000001 ffffffff82601b3e ffff8801db707970
[   46.082966]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081
[   46.091082] Call Trace:
[   46.093635]
[   46.095672]  dump_stack+0xc1/0x120
[   46.101039]  ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   46.107590]  panic+0x1d9/0x3bd
[   46.112584]  ? add_taint.cold+0x16/0x16
[   46.118357]  ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   46.124916]  kasan_end_report+0x47/0x4f
[   46.130685]  kasan_report.cold+0xa9/0x2ba
[   46.136765]  ? nf_defrag_ipv4_enable+0x10/0x10
[   46.143147]  __asan_report_store4_noabort+0x17/0x20
[   46.149961]  ipv4_conntrack_defrag+0x2ae/0x2f0
[   46.156367]  nf_iterate+0x12e/0x310
[   46.161806]  nf_hook_slow+0x114/0x1f0
[   46.167408]  ? nf_iterate+0x310/0x310
[   46.173009]  ip_rcv+0xb79/0xf90
[   46.178336]  ? ip_rcv+0x8be/0xf90
[   46.183584]  ? ip_local_deliver+0x4d0/0x4d0
[   46.189706]  ? ip_local_deliver_finish+0xa70/0xa70
[   46.196430]  ? ip_local_deliver+0x4d0/0x4d0
[   46.202548]  __netif_receive_skb_core+0x1156/0x2990
[   46.209359]  ? dev_loopback_xmit+0x430/0x430
[   46.215564]  ? find_busiest_group+0x6320/0x6320
[   46.222027]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[   46.228751]  ? check_preemption_disabled+0x3c/0x200
[   46.235577]  ? process_backlog+0x190/0x610
[   46.241621]  __netif_receive_skb+0x58/0x1c0
[   46.247742]  process_backlog+0x1e8/0x610
[   46.253611]  ? process_backlog+0x190/0x610
[   46.259659]  ? trace_hardirqs_on+0x10/0x10
[   46.265687]  net_rx_action+0x3aa/0xdd0
[   46.271376]  ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   46.279228]  __do_softirq+0x22d/0x964
[   46.284825]  do_softirq_own_stack+0x1c/0x30
[   46.290939]
[   46.292981]  do_softirq.part.0+0x62/0x70
[   46.298853]  do_softirq+0x18/0x20
[   46.304102]  netif_rx_ni+0xbe/0x310
[   46.309672]  tun_get_user+0xcd2/0x2430
[   46.315375]  ? tun_select_queue+0x400/0x400
[   46.321506]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[   46.328412]  tun_chr_write_iter+0xda/0x190
[   46.334467]  do_iter_readv_writev+0x3d9/0x4b0
[   46.340781]  ? vfs_iter_write+0x460/0x460
[   46.346738]  ? selinux_file_permission+0x85/0x470
[   46.353398]  ? security_file_permission+0x8f/0x1f0
[   46.360462]  ? rw_verify_area+0xea/0x2b0
[   46.366332]  do_readv_writev+0x2ed/0x7a0
[   46.372201]  ? vfs_write+0x520/0x520
[   46.377728]  ? __lru_cache_add+0x186/0x250
[   46.383772]  ? __this_cpu_preempt_check+0x1d/0x30
[   46.390423]  ? _raw_spin_unlock+0x2d/0x50
[   46.396381]  ? handle_mm_fault+0x54a/0x2380
[   46.402510]  ? vm_insert_page+0x840/0x840
[   46.408460]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[   46.415197]  vfs_writev+0x89/0xc0
[   46.420464]  do_writev+0xe9/0x260
[   46.425721]  ? vfs_writev+0xc0/0xc0
[   46.431148]  ? SyS_readv+0x30/0x30
[   46.436485]  SyS_writev+0x28/0x30
[   46.441738]  do_syscall_64+0x1ad/0x570
[   46.447441]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   46.454680] Kernel Offset: disabled
[   46.458296] Rebooting in 86400 seconds..
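The console output above is what a triager actually receives from syzkaller: a KASAN report embedded in boot noise, with the three stacks that matter (the access, the allocation, the free) separated by register dumps and stripped `<IRQ>`/`<EOI>` markers. Read together they say that a 4-byte write landed 136 bytes into a 224-byte `skbuff_head_cache` object that `ip_defrag()` had already freed from inside `ipv4_conntrack_defrag()`, reached from a writev() on a TUN device. The following helper is an added example, not code from this report, from syzkaller or from the kernel: it extracts those fields from the raw text, skips the KASAN and allocator plumbing frames to find the first frame a human cares about in each stack, and cross-checks that the object base, region, stated offset and access size agree with each other, which catches truncated or mis-pasted reports before anyone spends time on them. The embedded sample is a subset of the lines above with their console timestamps left in; the regexes assume the 4.9-era report wording shown here (newer kernels phrase some lines differently).

```python
# Triage helper for KASAN reports such as the one above. Added example, not
# code from the crash log, syzkaller or the kernel.
import re
from dataclasses import dataclass, field

# Sample input: lines taken from the report above, console timestamps included.
SAMPLE_REPORT = """\
[   45.403771] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[   45.410973] Write of size 4 at addr ffff8801cf258808 by task syz-executor671/2058
[   45.451293] Call Trace:
[   45.455884]  dump_stack+0xc1/0x120
[   45.461238]  ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   45.480977]  kasan_report.cold+0x8c/0x2ba
[   45.493356]  __asan_report_store4_noabort+0x17/0x20
[   45.500182]  ipv4_conntrack_defrag+0x2ae/0x2f0
[   45.803756]
[   45.805361] Allocated by task 2058:
[   45.808990]  save_stack_trace+0x16/0x20
[   45.824771]  kmem_cache_alloc+0xd5/0x2b0
[   45.828807]  __alloc_skb+0xe7/0x5e0
[   45.841259]  tun_get_user+0x53b/0x2430
[   45.878755] Freed by task 2058:
[   45.885951]  kasan_slab_free+0xb0/0x190
[   45.897525]  kfree_skb+0xd4/0x350
[   45.900948]  ip_defrag+0x620/0x3bc0
[   45.942308] The buggy address belongs to the object at ffff8801cf258780
[   45.942308]  which belongs to the cache skbuff_head_cache of size 224
[   45.955454] The buggy address is located 136 bytes inside of
[   45.955454]  224-byte region [ffff8801cf258780, ffff8801cf258860)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
HEADER_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<site>\S+)")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
OBJECT_RE = re.compile(r"object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes")
REGION_RE = re.compile(r"region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*(?P<q>\?\s+)?(?P<fn>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
SECTION_RE = re.compile(r"^(?P<name>Call Trace|Allocated|Freed)( by task \d+)?:$")
# KASAN, stack-capture and slab-allocator frames: the first frame *after*
# these is the one a triager wants to see in each stack.
SKIP = ("dump_stack", "print_address_description", "kasan_", "__asan_",
        "save_stack_trace", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")


@dataclass
class KasanReport:
    bug_type: str = ""
    site: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    object_addr: int = 0
    object_size: int = 0
    cache: str = ""
    offset: int = 0
    region: tuple = (0, 0)
    stacks: dict = field(default_factory=dict)  # section -> [(symbol, unreliable)]


def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if not line:  # blank lines (and stripped <IRQ>/<EOI> markers) do not end a stack
            continue
        if m := SECTION_RE.match(line):
            section = m.group("name")
            r.stacks[section] = []
        elif (m := FRAME_RE.match(line)) and section:
            r.stacks[section].append((m.group("fn"), bool(m.group("q"))))  # '?' = unreliable
        else:
            section = None  # any other line closes the current stack
            if m := HEADER_RE.search(line):
                r.bug_type, r.site = m.group("bug"), m.group("site")
            elif m := ACCESS_RE.search(line):
                r.access, r.size, r.addr = m.group("kind"), int(m.group("size")), int(m.group("addr"), 16)
            elif m := OBJECT_RE.search(line):
                r.object_addr = int(m.group("obj"), 16)
            elif m := CACHE_RE.search(line):
                r.cache, r.object_size = m.group("cache"), int(m.group("size"))
            elif m := OFFSET_RE.search(line):
                r.offset = int(m.group("off"))
            elif m := REGION_RE.search(line):
                r.region = (int(m.group("lo"), 16), int(m.group("hi"), 16))
    return r


def first_meaningful_frame(frames):
    """First reliable frame outside KASAN/allocator plumbing ('?' frames are skipped)."""
    return next((s for s, unreliable in frames if not unreliable and not s.startswith(SKIP)), None)


def lifecycle(r: KasanReport) -> dict:
    """Where the object was allocated, where it was freed, and where it was touched again."""
    return {name: first_meaningful_frame(r.stacks.get(sec, []))
            for name, sec in (("allocated_at", "Allocated"), ("freed_at", "Freed"), ("used_at", "Call Trace"))}


def check_consistency(r: KasanReport) -> bool:
    """Object base, region, stated offset and the access itself must all agree."""
    lo, hi = r.region
    return (lo == r.object_addr and hi - lo == r.object_size
            and lo <= r.addr and r.addr + r.size <= hi and r.addr - lo == r.offset)
```

Running `lifecycle(parse_kasan_report(SAMPLE_REPORT))` on the sample gives `__alloc_skb+0xe7/0x5e0` as the allocation, `ip_defrag+0x620/0x3bc0` as the free and `ipv4_conntrack_defrag+0x2ae/0x2f0` as the use, which is the one-line summary of the bug above: the netfilter defrag hook kept using the skb after `ip_defrag()` had consumed and freed it. The `check_consistency` arithmetic (0xffff8801cf258808 minus the object base 0xffff8801cf258780 is 0x88, i.e. 136) is the sanity check worth running on any report pasted out of a console log before filing it.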