[    8.273535] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.792431] random: sshd: uninitialized urandom read (32 bytes read)
[   26.057794] random: sshd: uninitialized urandom read (32 bytes read)
[   26.456899] random: sshd: uninitialized urandom read (32 bytes read)
[   35.460239] random: sshd: uninitialized urandom read (32 bytes read)
[   40.275269] random: crng init done
Warning: Permanently added '10.128.10.39' (ECDSA) to the list of known hosts.
executing program
executing program
[   41.235300] ==================================================================
[   41.242827] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[   41.249906] Write of size 4 at addr ffff8801d2560948 by task syz-executor928/2063
[   41.257619]
[   41.259223] CPU: 1 PID: 2063 Comm: syz-executor928 Not tainted 4.9.151+ #12
[   41.266293]  ffff8801db707950 ffffffff81b46e21 0000000000000001 ffffea0007495800
[   41.274303]  ffff8801d2560948 0000000000000004 ffffffff82601b3e ffff8801db707988
[   41.282286]  ffffffff81502195 0000000000000001 ffff8801d2560948 ffff8801d2560948
[   41.290275] Call Trace:
[   41.292826]
[   41.294862]  [] dump_stack+0xc1/0x120
[   41.300226]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   41.306780]  [] print_address_description+0x6f/0x238
[   41.313474]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   41.320031]  [] kasan_report.cold+0x8c/0x2ba
[   41.326128]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   41.332504]  [] __asan_report_store4_noabort+0x17/0x20
[   41.339335]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   41.345788]  [] nf_iterate+0x12e/0x310
[   41.351342]  [] nf_hook_slow+0x114/0x1f0
[   41.357562]  [] ? nf_iterate+0x310/0x310
[   41.363163]  [] ip_rcv+0xb79/0xf90
[   41.368240]  [] ? ip_rcv+0x8be/0xf90
[   41.373484]  [] ? ip_local_deliver+0x4d0/0x4d0
[   41.379605]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   41.386470]  [] ? ip_local_deliver+0x4d0/0x4d0
[   41.392590]  [] __netif_receive_skb_core+0x1156/0x2990
[   41.399683]  [] ? dev_loopback_xmit+0x430/0x430
[   41.405897]  [] ? find_busiest_group+0x6320/0x6320
[   41.412519]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   41.419242]  [] ? check_preemption_disabled+0x3c/0x200
[   41.426069]  [] ? process_backlog+0x190/0x610
[   41.432102]  [] __netif_receive_skb+0x58/0x1c0
[   41.438218]  [] process_backlog+0x1e8/0x610
[   41.444089]  [] ? process_backlog+0x190/0x610
[   41.450117]  [] ? trace_hardirqs_on+0x10/0x10
[   41.456145]  [] net_rx_action+0x3aa/0xdd0
[   41.461844]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   41.469924]  [] __do_softirq+0x22d/0x964
[   41.475754]  [] do_softirq_own_stack+0x1c/0x30
[   41.482086]
[   41.484129]  [] do_softirq.part.0+0x62/0x70
[   41.490051]  [] do_softirq+0x18/0x20
[   41.495445]  [] netif_rx_ni+0xbe/0x310
[   41.500886]  [] tun_get_user+0xcd2/0x2430
[   41.506747]  [] ? tun_select_queue+0x400/0x400
[   41.512883]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   41.519932]  [] tun_chr_write_iter+0xda/0x190
[   41.525984]  [] do_iter_readv_writev+0x3d9/0x4b0
[   41.532654]  [] ? vfs_iter_write+0x460/0x460
[   41.538722]  [] ? selinux_file_permission+0x85/0x470
[   41.545364]  [] ? security_file_permission+0x8f/0x1f0
[   41.552095]  [] ? rw_verify_area+0xea/0x2b0
[   41.558085]  [] do_readv_writev+0x2ed/0x7a0
[   41.563961]  [] ? vfs_write+0x520/0x520
[   41.569619]  [] ? __lru_cache_add+0x186/0x250
[   41.575667]  [] ? __this_cpu_preempt_check+0x1d/0x30
[   41.582453]  [] ? _raw_spin_unlock+0x2d/0x50
[   41.588399]  [] ? handle_mm_fault+0x54a/0x2380
[   41.594519]  [] ? vm_insert_page+0x840/0x840
[   41.600464]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   41.607359]  [] vfs_writev+0x89/0xc0
[   41.612921]  [] do_writev+0xe9/0x260
[   41.618589]  [] ? vfs_writev+0xc0/0xc0
[   41.624277]  [] ? SyS_readv+0x30/0x30
[   41.629625]  [] SyS_writev+0x28/0x30
[   41.634872]  [] do_syscall_64+0x1ad/0x570
[   41.640562]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   41.647586]
[   41.649189] Allocated by task 2063:
[   41.652789]  save_stack_trace+0x16/0x20
[   41.656736]  kasan_kmalloc.part.0+0x62/0xf0
[   41.661027]  kasan_kmalloc+0xb7/0xd0
[   41.664712]  kasan_slab_alloc+0xf/0x20
[   41.668574]  kmem_cache_alloc+0xd5/0x2b0
[   41.672745]  __alloc_skb+0xe7/0x5e0
[   41.676449]  alloc_skb_with_frags+0xb0/0x4f0
[   41.680957]  sock_alloc_send_pskb+0x5ec/0x760
[   41.685428]  tun_get_user+0x53b/0x2430
[   41.689284]  tun_chr_write_iter+0xda/0x190
[   41.693595]  do_iter_readv_writev+0x3d9/0x4b0
[   41.698063]  do_readv_writev+0x2ed/0x7a0
[   41.702103]  vfs_writev+0x89/0xc0
[   41.705536]  do_writev+0xe9/0x260
[   41.708961]  SyS_writev+0x28/0x30
[   41.712389]  do_syscall_64+0x1ad/0x570
[   41.716395]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   41.721479]
[   41.723080] Freed by task 2063:
[   41.726339]  save_stack_trace+0x16/0x20
[   41.730386]  kasan_slab_free+0xb0/0x190
[   41.734338]  kmem_cache_free+0xbe/0x310
[   41.738293]  kfree_skbmem+0x9f/0x100
[   41.741991]  kfree_skb+0xd4/0x350
[   41.745545]  ip_defrag+0x620/0x3bc0
[   41.749147]  ipv4_conntrack_defrag+0x1b4/0x2f0
[   41.753699]  nf_iterate+0x12e/0x310
[   41.757300]  nf_hook_slow+0x114/0x1f0
[   41.761201]  ip_rcv+0xb79/0xf90
[   41.764454]  __netif_receive_skb_core+0x1156/0x2990
[   41.769445]  __netif_receive_skb+0x58/0x1c0
[   41.773739]  process_backlog+0x1e8/0x610
[   41.777932]  net_rx_action+0x3aa/0xdd0
[   41.781795]  __do_softirq+0x22d/0x964
[   41.785702]
[   41.787320] The buggy address belongs to the object at ffff8801d25608c0
[   41.787320]  which belongs to the cache skbuff_head_cache of size 224
[   41.800622] The buggy address is located 136 bytes inside of
[   41.800622]  224-byte region [ffff8801d25608c0, ffff8801d25609a0)
[   41.812477] The buggy address belongs to the page:
[   41.817377] page:ffffea0007495800 count:1 mapcount:0 mapping:          (null) index:0x0
[   41.825631] flags: 0x4000000000000080(slab)
[   41.829946] page dumped because: kasan: bad access detected
[   41.835630]
[   41.837249] Memory state around the buggy address:
[   41.842147]  ffff8801d2560800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   41.849496]  ffff8801d2560880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   41.856826] >ffff8801d2560900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.864255]                                               ^
[   41.869946]  ffff8801d2560980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   41.877281]  ffff8801d2560a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.884740] ==================================================================
[   41.892271] Disabling lock debugging due to kernel taint
[   41.897776] Kernel panic - not syncing: panic_on_warn set ...
[   41.897776]
[   41.905113] CPU: 1 PID: 2063 Comm: syz-executor928 Tainted: G    B           4.9.151+ #12
[   41.913661]  ffff8801db707890 ffffffff81b46e21 ffff8801db707900 ffffffff82e43922
[   41.921632]  00000000ffffffff 0000000000000001 ffffffff82601b3e ffff8801db707970
[   41.929649]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081
[   41.937649] Call Trace:
[   41.940200]
[   41.942236]  [] dump_stack+0xc1/0x120
[   41.947591]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   41.954300]  [] panic+0x1d9/0x3bd
[   41.959395]  [] ? add_taint.cold+0x16/0x16
[   41.965302]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   41.971968]  [] kasan_end_report+0x47/0x4f
[   41.977737]  [] kasan_report.cold+0xa9/0x2ba
[   41.983832]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   41.990395]  [] __asan_report_store4_noabort+0x17/0x20
[   41.997208]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   42.003586]  [] nf_iterate+0x12e/0x310
[   42.009013]  [] nf_hook_slow+0x114/0x1f0
[   42.014619]  [] ? nf_iterate+0x310/0x310
[   42.020213]  [] ip_rcv+0xb79/0xf90
[   42.025391]  [] ? ip_rcv+0x8be/0xf90
[   42.030641]  [] ? ip_local_deliver+0x4d0/0x4d0
[   42.036756]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   42.043482]  [] ? ip_local_deliver+0x4d0/0x4d0
[   42.049599]  [] __netif_receive_skb_core+0x1156/0x2990
[   42.056418]  [] ? dev_loopback_xmit+0x430/0x430
[   42.062621]  [] ? find_busiest_group+0x6320/0x6320
[   42.069187]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   42.076329]  [] ? check_preemption_disabled+0x3c/0x200
[   42.083476]  [] ? process_backlog+0x190/0x610
[   42.089732]  [] __netif_receive_skb+0x58/0x1c0
[   42.095848]  [] process_backlog+0x1e8/0x610
[   42.101839]  [] ? process_backlog+0x190/0x610
[   42.107966]  [] ? trace_hardirqs_on+0x10/0x10
[   42.113999]  [] net_rx_action+0x3aa/0xdd0
[   42.119683]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   42.127625]  [] __do_softirq+0x22d/0x964
[   42.133402]  [] do_softirq_own_stack+0x1c/0x30
[   42.139650]
[   42.141706]  [] do_softirq.part.0+0x62/0x70
[   42.147848]  [] do_softirq+0x18/0x20
[   42.153101]  [] netif_rx_ni+0xbe/0x310
[   42.158549]  [] tun_get_user+0xcd2/0x2430
[   42.164237]  [] ? tun_select_queue+0x400/0x400
[   42.170374]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   42.177234]  [] tun_chr_write_iter+0xda/0x190
[   42.183409]  [] do_iter_readv_writev+0x3d9/0x4b0
[   42.189701]  [] ? vfs_iter_write+0x460/0x460
[   42.195642]  [] ? selinux_file_permission+0x85/0x470
[   42.202275]  [] ? security_file_permission+0x8f/0x1f0
[   42.209229]  [] ? rw_verify_area+0xea/0x2b0
[   42.215220]  [] do_readv_writev+0x2ed/0x7a0
[   42.221219]  [] ? vfs_write+0x520/0x520
[   42.226734]  [] ? __lru_cache_add+0x186/0x250
[   42.232764]  [] ? __this_cpu_preempt_check+0x1d/0x30
[   42.239403]  [] ? _raw_spin_unlock+0x2d/0x50
[   42.245366]  [] ? handle_mm_fault+0x54a/0x2380
[   42.251488]  [] ? vm_insert_page+0x840/0x840
[   42.258283]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   42.265012]  [] vfs_writev+0x89/0xc0
[   42.270264]  [] do_writev+0xe9/0x260
[   42.275511]  [] ? vfs_writev+0xc0/0xc0
[   42.280927]  [] ? SyS_readv+0x30/0x30
[   42.286284]  [] SyS_writev+0x28/0x30
[   42.291615]  [] do_syscall_64+0x1ad/0x570
[   42.297303]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   42.304625] Kernel Offset: disabled
[   42.308228] Rebooting in 86400 seconds..