[ 11.269492] random: crng init done
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.154' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [ 36.725521] ==================================================================
[ 36.726743] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 36.727728] Write of size 4 at addr ffff8801ceecc6c8 by task syz-executor551/2054
[ 36.728855]
[ 36.729099] CPU: 0 PID: 2054 Comm: syz-executor551 Not tainted 4.9.154+ #19
[ 36.730154] ffff8801db607948 ffffffff81b47411 0000000000000001 ffffea00073bb300
[ 36.731362] ffff8801ceecc6c8 0000000000000004 ffffffff826028fe ffff8801db607980
[ 36.732591] ffffffff81502615 0000000000000001 ffff8801ceecc6c8 ffff8801ceecc6c8
[ 36.733803] Call Trace:
[ 36.734161]
[ 36.734460] [] dump_stack+0xc1/0x120
[ 36.735235] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 36.736131] [] print_address_description+0x6f/0x238
[ 36.737083] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 36.737995] [] kasan_report.cold+0x8c/0x2ba
[ 36.738876] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 36.739879] [] __asan_report_store4_noabort+0x17/0x20
[ 36.740862] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 36.741769] [] nf_iterate+0x12e/0x310
[ 36.742533] [] nf_hook_slow+0x114/0x1f0
[ 36.743304] [] ? nf_iterate+0x310/0x310
[ 36.744079] [] ip_rcv+0xbdf/0x1040
[ 36.744824] [] ? ip_rcv+0x91c/0x1040
[ 36.745620] [] ? ip_local_deliver+0x4d0/0x4d0
[ 36.751719] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 36.758456] [] ? ip_local_deliver+0x4d0/0x4d0
[ 36.764585] [] __netif_receive_skb_core+0x1156/0x2990
[ 36.771407] [] ? dev_loopback_xmit+0x430/0x430
[ 36.777620] [] ? find_busiest_group+0x6320/0x6320
[ 36.784095] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 36.790831] [] ? check_preemption_disabled+0x3c/0x200
[ 36.797666] [] ? process_backlog+0x190/0x610
[ 36.803728] [] __netif_receive_skb+0x58/0x1c0
[ 36.809858] [] process_backlog+0x1e8/0x610
[ 36.815737] [] ? process_backlog+0x190/0x610
[ 36.821773] [] ? trace_hardirqs_on+0x10/0x10
[ 36.827810] [] net_rx_action+0x3aa/0xdd0
[ 36.833505] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 36.841383] [] __do_softirq+0x22d/0x964
[ 36.846996] [] do_softirq_own_stack+0x1c/0x30
[ 36.853131]
[ 36.855187] [] do_softirq.part.0+0x62/0x70
[ 36.861076] [] do_softirq+0x18/0x20
[ 36.866331] [] netif_rx_ni+0xbe/0x310
[ 36.871762] [] tun_get_user+0xcd2/0x2430
[ 36.877458] [] ? tun_select_queue+0x400/0x400
[ 36.883588] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 36.890319] [] tun_chr_write_iter+0xda/0x190
[ 36.896358] [] do_iter_readv_writev+0x3d9/0x4b0
[ 36.902693] [] ? vfs_iter_write+0x460/0x460
[ 36.908661] [] ? selinux_file_permission+0x85/0x470
[ 36.915311] [] ? security_file_permission+0x8f/0x1f0
[ 36.922051] [] ? rw_verify_area+0xea/0x2b0
[ 36.927911] [] do_readv_writev+0x2ed/0x7a0
[ 36.933770] [] ? vfs_write+0x520/0x520
[ 36.939285] [] ? rcu_read_lock_sched_held+0x10b/0x130
[ 36.946105] [] ? do_signal+0x4b9/0x1920
[ 36.951713] [] ? setup_sigcontext+0x7d0/0x7d0
[ 36.957844] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 36.964572] [] vfs_writev+0x89/0xc0
[ 36.969825] [] do_writev+0xe9/0x260
[ 36.975080] [] ? vfs_writev+0xc0/0xc0
[ 36.980510] [] ? SyS_readv+0x30/0x30
[ 36.985855] [] SyS_writev+0x28/0x30
[ 36.991119] [] do_syscall_64+0x1ad/0x570
[ 36.996819] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 37.003715]
[ 37.005318] Allocated by task 2054:
[ 37.008924] save_stack_trace+0x16/0x20
[ 37.012875] kasan_kmalloc.part.0+0x62/0xf0
[ 37.017175] kasan_kmalloc+0xb7/0xd0
[ 37.020864] kasan_slab_alloc+0xf/0x20
[ 37.024728] kmem_cache_alloc+0xd5/0x2b0
[ 37.028762] __alloc_skb+0xe7/0x5e0
[ 37.032373] alloc_skb_with_frags+0xb0/0x4f0
[ 37.036770] sock_alloc_send_pskb+0x5ec/0x760
[ 37.041252] tun_get_user+0x53b/0x2430
[ 37.045116] tun_chr_write_iter+0xda/0x190
[ 37.049330] do_iter_readv_writev+0x3d9/0x4b0
[ 37.053802] do_readv_writev+0x2ed/0x7a0
[ 37.057838] vfs_writev+0x89/0xc0
[ 37.061268] do_writev+0xe9/0x260
[ 37.064695] SyS_writev+0x28/0x30
[ 37.068122] do_syscall_64+0x1ad/0x570
[ 37.071986] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 37.077064]
[ 37.078670] Freed by task 2054:
[ 37.081937] save_stack_trace+0x16/0x20
[ 37.085897] kasan_slab_free+0xb0/0x190
[ 37.089847] kmem_cache_free+0xbe/0x310
[ 37.093797] kfree_skbmem+0x9f/0x100
[ 37.097492] kfree_skb+0xd4/0x350
[ 37.100924] ip_defrag+0x620/0x3bc0
[ 37.104528] ipv4_conntrack_defrag+0x1b4/0x2f0
[ 37.109086] nf_iterate+0x12e/0x310
[ 37.112695] nf_hook_slow+0x114/0x1f0
[ 37.116509] ip_rcv+0xbdf/0x1040
[ 37.119887] __netif_receive_skb_core+0x1156/0x2990
[ 37.124877] __netif_receive_skb+0x58/0x1c0
[ 37.129185] process_backlog+0x1e8/0x610
[ 37.133247] net_rx_action+0x3aa/0xdd0
[ 37.137111] __do_softirq+0x22d/0x964
[ 37.140883]
[ 37.142587] The buggy address belongs to the object at ffff8801ceecc640
[ 37.142587] which belongs to the cache skbuff_head_cache of size 224
[ 37.155741] The buggy address is located 136 bytes inside of
[ 37.155741] 224-byte region [ffff8801ceecc640, ffff8801ceecc720)
[ 37.167600] The buggy address belongs to the page:
[ 37.172528] page:ffffea00073bb300 count:1 mapcount:0 mapping: (null) index:0x0
[ 37.180775] flags: 0x4000000000000080(slab)
[ 37.185067] page dumped because: kasan: bad access detected
[ 37.190898]
[ 37.192525] Memory state around the buggy address:
[ 37.197432] ffff8801ceecc580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 37.204781] ffff8801ceecc600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.212235] >ffff8801ceecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.219583] ^
[ 37.225270] ffff8801ceecc700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.232605] ffff8801ceecc780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.239935] ==================================================================
[ 37.247273] Disabling lock debugging due to kernel taint
[ 37.252740] Kernel panic - not syncing: panic_on_warn set ...
[ 37.252740]
[ 37.260094] CPU: 0 PID: 2054 Comm: syz-executor551 Tainted: G B 4.9.154+ #19
[ 37.268384] ffff8801db607888 ffffffff81b47411 ffff8801db607900 ffffffff82e439da
[ 37.276378] 00000000ffffffff 0000000000000000 ffffffff826028fe ffff8801db607968
[ 37.284428] ffffffff813f725a 0000000041b58ab3 ffffffff82e35b02 ffffffff813f7081
[ 37.292418] Call Trace:
[ 37.294974]
[ 37.297017] [] dump_stack+0xc1/0x120
[ 37.302379] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 37.308946] [] panic+0x1d9/0x3bd
[ 37.313936] [] ? add_taint.cold+0x16/0x16
[ 37.319716] [] kasan_end_report+0x47/0x4f
[ 37.325496] [] kasan_report.cold+0xa9/0x2ba
[ 37.331454] [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 37.337839] [] __asan_report_store4_noabort+0x17/0x20
[ 37.344655] [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 37.351037] [] nf_iterate+0x12e/0x310
[ 37.356462] [] nf_hook_slow+0x114/0x1f0
[ 37.362062] [] ? nf_iterate+0x310/0x310
[ 37.367662] [] ip_rcv+0xbdf/0x1040
[ 37.372827] [] ? ip_rcv+0x91c/0x1040
[ 37.378169] [] ? ip_local_deliver+0x4d0/0x4d0
[ 37.384297] [] ? ip_local_deliver_finish+0xa70/0xa70
[ 37.391032] [] ? ip_local_deliver+0x4d0/0x4d0
[ 37.397153] [] __netif_receive_skb_core+0x1156/0x2990
[ 37.403969] [] ? dev_loopback_xmit+0x430/0x430
[ 37.410192] [] ? find_busiest_group+0x6320/0x6320
[ 37.416667] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 37.423418] [] ? check_preemption_disabled+0x3c/0x200
[ 37.430245] [] ? process_backlog+0x190/0x610
[ 37.436281] [] __netif_receive_skb+0x58/0x1c0
[ 37.442402] [] process_backlog+0x1e8/0x610
[ 37.448261] [] ? process_backlog+0x190/0x610
[ 37.454294] [] ? trace_hardirqs_on+0x10/0x10
[ 37.460336] [] net_rx_action+0x3aa/0xdd0
[ 37.466037] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 37.473896] [] __do_softirq+0x22d/0x964
[ 37.479504] [] do_softirq_own_stack+0x1c/0x30
[ 37.485620]
[ 37.487662] [] do_softirq.part.0+0x62/0x70
[ 37.493539] [] do_softirq+0x18/0x20
[ 37.498791] [] netif_rx_ni+0xbe/0x310
[ 37.504227] [] tun_get_user+0xcd2/0x2430
[ 37.509915] [] ? tun_select_queue+0x400/0x400
[ 37.516035] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 37.522764] [] tun_chr_write_iter+0xda/0x190
[ 37.528799] [] do_iter_readv_writev+0x3d9/0x4b0
[ 37.535091] [] ? vfs_iter_write+0x460/0x460
[ 37.541038] [] ? selinux_file_permission+0x85/0x470
[ 37.547679] [] ? security_file_permission+0x8f/0x1f0
[ 37.554405] [] ? rw_verify_area+0xea/0x2b0
[ 37.560287] [] do_readv_writev+0x2ed/0x7a0
[ 37.566150] [] ? vfs_write+0x520/0x520
[ 37.571666] [] ? rcu_read_lock_sched_held+0x10b/0x130
[ 37.578485] [] ? do_signal+0x4b9/0x1920
[ 37.584089] [] ? setup_sigcontext+0x7d0/0x7d0
[ 37.590211] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 37.596949] [] vfs_writev+0x89/0xc0
[ 37.602202] [] do_writev+0xe9/0x260
[ 37.607469] [] ? vfs_writev+0xc0/0xc0
[ 37.612901] [] ? SyS_readv+0x30/0x30
[ 37.618237] [] SyS_writev+0x28/0x30
[ 37.623502] [] do_syscall_64+0x1ad/0x570
[ 37.629198] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 37.636453] Kernel Offset: disabled
[ 37.640059] Rebooting in 86400 seconds..