[....] Starting periodic command scheduler: cron [ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 10.676909] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. [ 11.283866] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.3' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 44.776729] ================================================================== [ 44.777991] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0 [ 44.778995] Write of size 4 at addr ffff8801cf704448 by task syz-executor436/2060 [ 44.780129] [ 44.780369] CPU: 0 PID: 2060 Comm: syz-executor436 Not tainted 4.9.154+ #19 [ 44.781584] ffff8801db607948 ffffffff81b47411 0000000000000001 ffffea00073dc100 [ 44.782868] ffff8801cf704448 0000000000000004 ffffffff826028fe ffff8801db607980 [ 44.784335] ffffffff81502615 0000000000000001 ffff8801cf704448 ffff8801cf704448 [ 44.785639] Call Trace: [ 44.785998] [ 44.786305] [] dump_stack+0xc1/0x120 [ 44.787115] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 44.788149] [] print_address_description+0x6f/0x238 [ 44.789122] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 44.790014] [] kasan_report.cold+0x8c/0x2ba [ 44.790823] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 44.791855] [] __asan_report_store4_noabort+0x17/0x20 [ 44.792806] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 44.793889] [] nf_iterate+0x12e/0x310 [ 44.794704] [] nf_hook_slow+0x114/0x1f0 [ 44.795569] [] ? nf_iterate+0x310/0x310 [ 44.796465] [] ip_rcv+0xbdf/0x1040 [ 44.799246] [] ? ip_rcv+0x91c/0x1040 [ 44.804587] [] ? ip_local_deliver+0x4d0/0x4d0 [ 44.810713] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 44.817469] [] ? ip_local_deliver+0x4d0/0x4d0 [ 44.823590] [] __netif_receive_skb_core+0x1156/0x2990 [ 44.830403] [] ? dev_loopback_xmit+0x430/0x430 [ 44.836612] [] ? 
find_busiest_group+0x6320/0x6320 [ 44.843079] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 44.849834] [] ? check_preemption_disabled+0x3c/0x200 [ 44.856664] [] ? process_backlog+0x190/0x610 [ 44.862698] [] __netif_receive_skb+0x58/0x1c0 [ 44.868819] [] process_backlog+0x1e8/0x610 [ 44.874685] [] ? process_backlog+0x190/0x610 [ 44.880743] [] ? trace_hardirqs_on+0x10/0x10 [ 44.886775] [] net_rx_action+0x3aa/0xdd0 [ 44.892465] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 44.900325] [] __do_softirq+0x22d/0x964 [ 44.905925] [] do_softirq_own_stack+0x1c/0x30 [ 44.912039] [ 44.914081] [] do_softirq.part.0+0x62/0x70 [ 44.919959] [] do_softirq+0x18/0x20 [ 44.925212] [] netif_rx_ni+0xbe/0x310 [ 44.930640] [] tun_get_user+0xcd2/0x2430 [ 44.936327] [] ? tun_select_queue+0x400/0x400 [ 44.942458] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 44.949187] [] tun_chr_write_iter+0xda/0x190 [ 44.955238] [] do_iter_readv_writev+0x3d9/0x4b0 [ 44.961536] [] ? vfs_iter_write+0x460/0x460 [ 44.967484] [] ? selinux_file_permission+0x85/0x470 [ 44.974126] [] ? security_file_permission+0x8f/0x1f0 [ 44.980854] [] ? rw_verify_area+0xea/0x2b0 [ 44.986712] [] do_readv_writev+0x2ed/0x7a0 [ 44.992573] [] ? vfs_write+0x520/0x520 [ 44.998087] [] ? __lru_cache_add+0x186/0x250 [ 45.004124] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 45.010791] [] ? _raw_spin_unlock+0x2d/0x50 [ 45.016738] [] ? handle_mm_fault+0x54a/0x2380 [ 45.022858] [] ? vm_insert_page+0x840/0x840 [ 45.028807] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 45.035536] [] vfs_writev+0x89/0xc0 [ 45.040787] [] do_writev+0xe9/0x260 [ 45.046043] [] ? vfs_writev+0xc0/0xc0 [ 45.051473] [] ? 
SyS_readv+0x30/0x30 [ 45.056810] [] SyS_writev+0x28/0x30 [ 45.062094] [] do_syscall_64+0x1ad/0x570 [ 45.067778] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 45.074678] [ 45.076285] Allocated by task 2060: [ 45.079895] save_stack_trace+0x16/0x20 [ 45.083859] kasan_kmalloc.part.0+0x62/0xf0 [ 45.088156] kasan_kmalloc+0xb7/0xd0 [ 45.091842] kasan_slab_alloc+0xf/0x20 [ 45.095704] kmem_cache_alloc+0xd5/0x2b0 [ 45.099738] __alloc_skb+0xe7/0x5e0 [ 45.103338] alloc_skb_with_frags+0xb0/0x4f0 [ 45.107723] sock_alloc_send_pskb+0x5ec/0x760 [ 45.112197] tun_get_user+0x53b/0x2430 [ 45.116069] tun_chr_write_iter+0xda/0x190 [ 45.120279] do_iter_readv_writev+0x3d9/0x4b0 [ 45.124753] do_readv_writev+0x2ed/0x7a0 [ 45.128787] vfs_writev+0x89/0xc0 [ 45.132217] do_writev+0xe9/0x260 [ 45.135645] SyS_writev+0x28/0x30 [ 45.139088] do_syscall_64+0x1ad/0x570 [ 45.142951] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 45.148033] [ 45.149639] Freed by task 2060: [ 45.152910] save_stack_trace+0x16/0x20 [ 45.156856] kasan_slab_free+0xb0/0x190 [ 45.160809] kmem_cache_free+0xbe/0x310 [ 45.164762] kfree_skbmem+0x9f/0x100 [ 45.168448] kfree_skb+0xd4/0x350 [ 45.171879] ip_defrag+0x620/0x3bc0 [ 45.175483] ipv4_conntrack_defrag+0x1b4/0x2f0 [ 45.180044] nf_iterate+0x12e/0x310 [ 45.183646] nf_hook_slow+0x114/0x1f0 [ 45.187427] ip_rcv+0xbdf/0x1040 [ 45.190771] __netif_receive_skb_core+0x1156/0x2990 [ 45.195760] __netif_receive_skb+0x58/0x1c0 [ 45.200052] process_backlog+0x1e8/0x610 [ 45.204101] net_rx_action+0x3aa/0xdd0 [ 45.207963] __do_softirq+0x22d/0x964 [ 45.211731] [ 45.213334] The buggy address belongs to the object at ffff8801cf7043c0 [ 45.213334] which belongs to the cache skbuff_head_cache of size 224 [ 45.226485] The buggy address is located 136 bytes inside of [ 45.226485] 224-byte region [ffff8801cf7043c0, ffff8801cf7044a0) [ 45.238338] The buggy address belongs to the page: [ 45.243243] page:ffffea00073dc100 count:1 mapcount:0 mapping: (null) index:0x0 [ 45.251489] flags: 0x4000000000000080(slab) [ 
45.255782] page dumped because: kasan: bad access detected [ 45.261464] [ 45.263096] Memory state around the buggy address: [ 45.268030] ffff8801cf704300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 45.275383] ffff8801cf704380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 45.282730] >ffff8801cf704400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 45.290059] ^ [ 45.295744] ffff8801cf704480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 45.303077] ffff8801cf704500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 45.310407] ================================================================== [ 45.317736] Disabling lock debugging due to kernel taint [ 45.323200] Kernel panic - not syncing: panic_on_warn set ... [ 45.323200] [ 45.330554] CPU: 0 PID: 2060 Comm: syz-executor436 Tainted: G B 4.9.154+ #19 [ 45.338843] ffff8801db607888 ffffffff81b47411 ffff8801db607900 ffffffff82e439da [ 45.346878] 00000000ffffffff 0000000000000000 ffffffff826028fe ffff8801db607968 [ 45.354895] ffffffff813f725a 0000000041b58ab3 ffffffff82e35b02 ffffffff813f7081 [ 45.362901] Call Trace: [ 45.365464] [ 45.367517] [] dump_stack+0xc1/0x120 [ 45.372877] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 45.379440] [] panic+0x1d9/0x3bd [ 45.384433] [] ? add_taint.cold+0x16/0x16 [ 45.390233] [] kasan_end_report+0x47/0x4f [ 45.396005] [] kasan_report.cold+0xa9/0x2ba [ 45.401956] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 45.408337] [] __asan_report_store4_noabort+0x17/0x20 [ 45.415149] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 45.421532] [] nf_iterate+0x12e/0x310 [ 45.426961] [] nf_hook_slow+0x114/0x1f0 [ 45.432557] [] ? nf_iterate+0x310/0x310 [ 45.438154] [] ip_rcv+0xbdf/0x1040 [ 45.443317] [] ? ip_rcv+0x91c/0x1040 [ 45.448656] [] ? ip_local_deliver+0x4d0/0x4d0 [ 45.454781] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 45.461517] [] ? ip_local_deliver+0x4d0/0x4d0 [ 45.467641] [] __netif_receive_skb_core+0x1156/0x2990 [ 45.474455] [] ? dev_loopback_xmit+0x430/0x430 [ 45.480661] [] ? 
find_busiest_group+0x6320/0x6320 [ 45.487128] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 45.493855] [] ? check_preemption_disabled+0x3c/0x200 [ 45.500672] [] ? process_backlog+0x190/0x610 [ 45.506712] [] __netif_receive_skb+0x58/0x1c0 [ 45.512850] [] process_backlog+0x1e8/0x610 [ 45.518706] [] ? process_backlog+0x190/0x610 [ 45.524751] [] ? trace_hardirqs_on+0x10/0x10 [ 45.530780] [] net_rx_action+0x3aa/0xdd0 [ 45.536469] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 45.544360] [] __do_softirq+0x22d/0x964 [ 45.549961] [] do_softirq_own_stack+0x1c/0x30 [ 45.556080] [ 45.558119] [] do_softirq.part.0+0x62/0x70 [ 45.564003] [] do_softirq+0x18/0x20 [ 45.569270] [] netif_rx_ni+0xbe/0x310 [ 45.574699] [] tun_get_user+0xcd2/0x2430 [ 45.580388] [] ? tun_select_queue+0x400/0x400 [ 45.586508] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 45.593240] [] tun_chr_write_iter+0xda/0x190 [ 45.599309] [] do_iter_readv_writev+0x3d9/0x4b0 [ 45.605606] [] ? vfs_iter_write+0x460/0x460 [ 45.611553] [] ? selinux_file_permission+0x85/0x470 [ 45.618226] [] ? security_file_permission+0x8f/0x1f0 [ 45.624952] [] ? rw_verify_area+0xea/0x2b0 [ 45.630809] [] do_readv_writev+0x2ed/0x7a0 [ 45.636671] [] ? vfs_write+0x520/0x520 [ 45.642197] [] ? __lru_cache_add+0x186/0x250 [ 45.648233] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 45.654873] [] ? _raw_spin_unlock+0x2d/0x50 [ 45.660819] [] ? handle_mm_fault+0x54a/0x2380 [ 45.666936] [] ? vm_insert_page+0x840/0x840 [ 45.672884] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 45.679612] [] vfs_writev+0x89/0xc0 [ 45.684881] [] do_writev+0xe9/0x260 [ 45.690132] [] ? vfs_writev+0xc0/0xc0 [ 45.695593] [] ? SyS_readv+0x30/0x30 [ 45.700966] [] SyS_writev+0x28/0x30 [ 45.706248] [] do_syscall_64+0x1ad/0x570 [ 45.711936] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 45.719179] Kernel Offset: disabled [ 45.722785] Rebooting in 86400 seconds..