[ ok ] Starting periodic command scheduler: cron.
[ 9.645160] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 32.218874] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.603391] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.777688] random: crng init done
Warning: Permanently added '10.128.0.180' (ECDSA) to the list of known hosts.
executing program
executing program
[ 54.322819] ==================================================================
[ 54.330245] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 54.337320] Write of size 4 at addr ffff8801cf2e0088 by task syz-executor992/2065
[ 54.344908]
[ 54.346528] CPU: 1 PID: 2065 Comm: syz-executor992 Not tainted 4.9.153+ #18
[ 54.353600]  ffff8801db707950 ffffffff81b47491 0000000000000001 ffffea00073cb800
[ 54.361774]  ffff8801cf2e0088 0000000000000004 ffffffff826026fe ffff8801db707988
[ 54.369783]  ffffffff81502615 0000000000000001 ffff8801cf2e0088 ffff8801cf2e0088
[ 54.377769] Call Trace:
[ 54.380323]
[ 54.382381]  [] dump_stack+0xc1/0x120
[ 54.387783]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 54.394336]  [] print_address_description+0x6f/0x238
[ 54.400975]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 54.407669]  [] kasan_report.cold+0x8c/0x2ba
[ 54.413618]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 54.419997]  [] __asan_report_store4_noabort+0x17/0x20
[ 54.426811]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 54.433258]  [] nf_iterate+0x12e/0x310
[ 54.438683]  [] nf_hook_slow+0x114/0x1f0
[ 54.444278]  [] ? nf_iterate+0x310/0x310
[ 54.449877]  [] ip_rcv+0xb79/0xf90
[ 54.454953]  [] ? ip_rcv+0x8be/0xf90
[ 54.460218]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 54.466347]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 54.473075]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 54.479197]  [] __netif_receive_skb_core+0x1156/0x2990
[ 54.486028]  [] ? dev_loopback_xmit+0x430/0x430
[ 54.492237]  [] ? find_busiest_group+0x6320/0x6320
[ 54.498767]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 54.505515]  [] ? check_preemption_disabled+0x3c/0x200
[ 54.512420]  [] ? process_backlog+0x190/0x610
[ 54.518458]  [] __netif_receive_skb+0x58/0x1c0
[ 54.524593]  [] process_backlog+0x1e8/0x610
[ 54.530456]  [] ? process_backlog+0x190/0x610
[ 54.536504]  [] ? trace_hardirqs_on+0x10/0x10
[ 54.542539]  [] net_rx_action+0x3aa/0xdd0
[ 54.548235]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 54.556094]  [] __do_softirq+0x22d/0x964
[ 54.561696]  [] do_softirq_own_stack+0x1c/0x30
[ 54.567942]
[ 54.570051]  [] do_softirq.part.0+0x62/0x70
[ 54.575947]  [] do_softirq+0x18/0x20
[ 54.581290]  [] netif_rx_ni+0xbe/0x310
[ 54.586755]  [] tun_get_user+0xcd2/0x2430
[ 54.592439]  [] ? tun_select_queue+0x400/0x400
[ 54.598576]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 54.605398]  [] tun_chr_write_iter+0xda/0x190
[ 54.611432]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 54.617733]  [] ? vfs_iter_write+0x460/0x460
[ 54.623893]  [] ? selinux_file_permission+0x85/0x470
[ 54.630547]  [] ? security_file_permission+0x8f/0x1f0
[ 54.637376]  [] ? rw_verify_area+0xea/0x2b0
[ 54.643238]  [] do_readv_writev+0x2ed/0x7a0
[ 54.649096]  [] ? vfs_write+0x520/0x520
[ 54.654609]  [] ? rcu_read_lock_sched_held+0x10b/0x130
[ 54.661431]  [] ? do_signal+0x4b9/0x1920
[ 54.667053]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 54.673191]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 54.680099]  [] vfs_writev+0x89/0xc0
[ 54.685358]  [] do_writev+0xe9/0x260
[ 54.690611]  [] ? vfs_writev+0xc0/0xc0
[ 54.696148]  [] ? SyS_readv+0x30/0x30
[ 54.701500]  [] SyS_writev+0x28/0x30
[ 54.706862]  [] do_syscall_64+0x1ad/0x570
[ 54.712547]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 54.719442]
[ 54.721041] Allocated by task 2065:
[ 54.724657]  save_stack_trace+0x16/0x20
[ 54.728615]  kasan_kmalloc.part.0+0x62/0xf0
[ 54.732916]  kasan_kmalloc+0xb7/0xd0
[ 54.736600]  kasan_slab_alloc+0xf/0x20
[ 54.740584]  kmem_cache_alloc+0xd5/0x2b0
[ 54.744718]  __alloc_skb+0xe7/0x5e0
[ 54.748321]  alloc_skb_with_frags+0xb0/0x4f0
[ 54.752718]  sock_alloc_send_pskb+0x5ec/0x760
[ 54.757287]  tun_get_user+0x53b/0x2430
[ 54.761149]  tun_chr_write_iter+0xda/0x190
[ 54.765374]  do_iter_readv_writev+0x3d9/0x4b0
[ 54.769869]  do_readv_writev+0x2ed/0x7a0
[ 54.774160]  vfs_writev+0x89/0xc0
[ 54.777708]  do_writev+0xe9/0x260
[ 54.781151]  SyS_writev+0x28/0x30
[ 54.784574]  do_syscall_64+0x1ad/0x570
[ 54.788588]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 54.793784]
[ 54.795385] Freed by task 2065:
[ 54.798637]  save_stack_trace+0x16/0x20
[ 54.802697]  kasan_slab_free+0xb0/0x190
[ 54.806661]  kmem_cache_free+0xbe/0x310
[ 54.810609]  kfree_skbmem+0x9f/0x100
[ 54.814311]  kfree_skb+0xd4/0x350
[ 54.817734]  ip_defrag+0x620/0x3bc0
[ 54.821389]  ipv4_conntrack_defrag+0x1b4/0x2f0
[ 54.825945]  nf_iterate+0x12e/0x310
[ 54.829661]  nf_hook_slow+0x114/0x1f0
[ 54.833496]  ip_rcv+0xb79/0xf90
[ 54.836873]  __netif_receive_skb_core+0x1156/0x2990
[ 54.841868]  __netif_receive_skb+0x58/0x1c0
[ 54.846176]  process_backlog+0x1e8/0x610
[ 54.850230]  net_rx_action+0x3aa/0xdd0
[ 54.854090]  __do_softirq+0x22d/0x964
[ 54.857872]
[ 54.859500] The buggy address belongs to the object at ffff8801cf2e0000
[ 54.859500]  which belongs to the cache skbuff_head_cache of size 224
[ 54.872652] The buggy address is located 136 bytes inside of
[ 54.872652]  224-byte region [ffff8801cf2e0000, ffff8801cf2e00e0)
[ 54.884502] The buggy address belongs to the page:
[ 54.889501] page:ffffea00073cb800 count:1 mapcount:0 mapping: (null) index:0x0
[ 54.897980] flags: 0x4000000000000080(slab)
[ 54.902269] page dumped because: kasan: bad access detected
[ 54.908329]
[ 54.909945] Memory state around the buggy address:
[ 54.914844]  ffff8801cf2dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.922181]  ffff8801cf2e0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.929762] >ffff8801cf2e0080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 54.937213]                                      ^
[ 54.940990]  ffff8801cf2e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.948324]  ffff8801cf2e0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.955755] ==================================================================
[ 54.963293] Disabling lock debugging due to kernel taint
[ 54.968800] Kernel panic - not syncing: panic_on_warn set ...
[ 54.968800]
[ 54.976148] CPU: 1 PID: 2065 Comm: syz-executor992 Tainted: G B 4.9.153+ #18
[ 54.984440]  ffff8801db707890 ffffffff81b47491 ffff8801db707900 ffffffff82e4391a
[ 54.992437]  00000000ffffffff 0000000000000001 ffffffff826026fe ffff8801db707970
[ 55.000466]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35a42 ffffffff813f7081
[ 55.008576] Call Trace:
[ 55.011161]
[ 55.013207]  [] dump_stack+0xc1/0x120
[ 55.018591]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 55.025170]  [] panic+0x1d9/0x3bd
[ 55.030171]  [] ? add_taint.cold+0x16/0x16
[ 55.035940]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 55.042493]  [] kasan_end_report+0x47/0x4f
[ 55.048261]  [] kasan_report.cold+0xa9/0x2ba
[ 55.054233]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 55.060622]  [] __asan_report_store4_noabort+0x17/0x20
[ 55.067440]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 55.073822]  [] nf_iterate+0x12e/0x310
[ 55.079246]  [] nf_hook_slow+0x114/0x1f0
[ 55.084966]  [] ? nf_iterate+0x310/0x310
[ 55.090569]  [] ip_rcv+0xb79/0xf90
[ 55.095644]  [] ? ip_rcv+0x8be/0xf90
[ 55.100996]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 55.107122]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 55.113898]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 55.120042]  [] __netif_receive_skb_core+0x1156/0x2990
[ 55.126855]  [] ? dev_loopback_xmit+0x430/0x430
[ 55.133070]  [] ? find_busiest_group+0x6320/0x6320
[ 55.139544]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 55.146287]  [] ? check_preemption_disabled+0x3c/0x200
[ 55.153105]  [] ? process_backlog+0x190/0x610
[ 55.159223]  [] __netif_receive_skb+0x58/0x1c0
[ 55.165502]  [] process_backlog+0x1e8/0x610
[ 55.171366]  [] ? process_backlog+0x190/0x610
[ 55.177395]  [] ? trace_hardirqs_on+0x10/0x10
[ 55.183525]  [] net_rx_action+0x3aa/0xdd0
[ 55.189220]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 55.197085]  [] __do_softirq+0x22d/0x964
[ 55.202807]  [] do_softirq_own_stack+0x1c/0x30
[ 55.208940]
[ 55.210984]  [] do_softirq.part.0+0x62/0x70
[ 55.216859]  [] do_softirq+0x18/0x20
[ 55.222121]  [] netif_rx_ni+0xbe/0x310
[ 55.227562]  [] tun_get_user+0xcd2/0x2430
[ 55.233253]  [] ? tun_select_queue+0x400/0x400
[ 55.239391]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 55.246115]  [] tun_chr_write_iter+0xda/0x190
[ 55.252145]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 55.258433]  [] ? vfs_iter_write+0x460/0x460
[ 55.264382]  [] ? selinux_file_permission+0x85/0x470
[ 55.271039]  [] ? security_file_permission+0x8f/0x1f0
[ 55.277775]  [] ? rw_verify_area+0xea/0x2b0
[ 55.283635]  [] do_readv_writev+0x2ed/0x7a0
[ 55.289490]  [] ? vfs_write+0x520/0x520
[ 55.295013]  [] ? rcu_read_lock_sched_held+0x10b/0x130
[ 55.301979]  [] ? do_signal+0x4b9/0x1920
[ 55.307576]  [] ? setup_sigcontext+0x7d0/0x7d0
[ 55.313690]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 55.320422]  [] vfs_writev+0x89/0xc0
[ 55.325670]  [] do_writev+0xe9/0x260
[ 55.330921]  [] ? vfs_writev+0xc0/0xc0
[ 55.336342]  [] ? SyS_readv+0x30/0x30
[ 55.341673]  [] SyS_writev+0x28/0x30
[ 55.346917]  [] do_syscall_64+0x1ad/0x570
[ 55.352609]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 55.359814] Kernel Offset: disabled
[ 55.363421] Rebooting in 86400 seconds..