Starting mcstransd: [....] Starting periodic command scheduler: cron[ ok ].
[....] Starting file context maintaining daemon: restorecond[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ 10.417571] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 34.292855] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.429702] random: crng init done
Warning: Permanently added '10.128.0.250' (ECDSA) to the list of known hosts.
executing program
executing program
[ 40.981906] ==================================================================
[ 40.989415] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 40.996487] Write of size 4 at addr ffff8801cf266808 by task syz-executor529/2061
[ 41.004075] 
[ 41.005677] CPU: 0 PID: 2061 Comm: syz-executor529 Not tainted 4.9.149+ #5
[ 41.012664]  ffff8801db607950 ffffffff81b47f01 0000000000000001 ffffea00073c9980
[ 41.020665]  ffff8801cf266808 0000000000000004 ffffffff826026be ffff8801db607988
[ 41.028682]  ffffffff815020d5 0000000000000001 ffff8801cf266808 ffff8801cf266808
[ 41.036740] Call Trace:
[ 41.039294] 
[ 41.041336]  [] dump_stack+0xc1/0x120
[ 41.046734]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 41.053296]  [] print_address_description+0x6f/0x238
[ 41.059963]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 41.066638]  [] kasan_report.cold+0x8c/0x2ba
[ 41.072585]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 41.078988]  [] __asan_report_store4_noabort+0x17/0x20
[ 41.085815]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 41.092200]  [] nf_iterate+0x12e/0x310
[ 41.097643]  [] nf_hook_slow+0x114/0x1f0
[ 41.103243]  [] ? nf_iterate+0x310/0x310
[ 41.108840]  [] ip_rcv+0xb79/0xf90
[ 41.113913]  [] ? ip_rcv+0x8be/0xf90
[ 41.119227]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 41.125421]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 41.132254]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 41.138377]  [] __netif_receive_skb_core+0x1156/0x2990
[ 41.145189]  [] ? dev_loopback_xmit+0x430/0x430
[ 41.151408]  [] ? find_busiest_group+0x6320/0x6320
[ 41.157879]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 41.164707]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 41.171437]  [] ? check_preemption_disabled+0x3c/0x200
[ 41.178254]  [] ? process_backlog+0x190/0x610
[ 41.184361]  [] __netif_receive_skb+0x58/0x1c0
[ 41.190489]  [] process_backlog+0x1e8/0x610
[ 41.196391]  [] ? process_backlog+0x190/0x610
[ 41.202447]  [] ? trace_hardirqs_on+0x10/0x10
[ 41.208478]  [] net_rx_action+0x3aa/0xdd0
[ 41.214265]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 41.222121]  [] __do_softirq+0x22d/0x964
[ 41.227723]  [] do_softirq_own_stack+0x1c/0x30
[ 41.233949] 
[ 41.235995]  [] do_softirq.part.0+0x62/0x70
[ 41.241874]  [] do_softirq+0x18/0x20
[ 41.247168]  [] netif_rx_ni+0xbe/0x310
[ 41.252599]  [] tun_get_user+0xcd2/0x2430
[ 41.258288]  [] ? tun_select_queue+0x400/0x400
[ 41.264476]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 41.271214]  [] tun_chr_write_iter+0xda/0x190
[ 41.277249]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 41.283536]  [] ? vfs_iter_write+0x460/0x460
[ 41.289480]  [] ? selinux_file_permission+0x85/0x470
[ 41.296121]  [] ? security_file_permission+0x8f/0x1f0
[ 41.302844]  [] ? rw_verify_area+0xea/0x2b0
[ 41.308705]  [] do_readv_writev+0x2ed/0x7a0
[ 41.314566]  [] ? vfs_write+0x520/0x520
[ 41.320072]  [] ? __lru_cache_add+0x186/0x250
[ 41.326099]  [] ? __this_cpu_preempt_check+0x1d/0x30
[ 41.332740]  [] ? _raw_spin_unlock+0x2d/0x50
[ 41.338683]  [] ? handle_mm_fault+0x54a/0x2380
[ 41.344797]  [] ? vm_insert_page+0x840/0x840
[ 41.350746]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 41.357473]  [] vfs_writev+0x89/0xc0
[ 41.362826]  [] do_writev+0xe9/0x260
[ 41.368073]  [] ? vfs_writev+0xc0/0xc0
[ 41.373492]  [] ? SyS_readv+0x30/0x30
[ 41.378825]  [] SyS_writev+0x28/0x30
[ 41.384070]  [] do_syscall_64+0x1ad/0x570
[ 41.389750]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 41.396646] 
[ 41.398318] Allocated by task 2061:
[ 41.401944]  save_stack_trace+0x16/0x20
[ 41.405896]  kasan_kmalloc.part.0+0x62/0xf0
[ 41.410393]  kasan_kmalloc+0xb7/0xd0
[ 41.414082]  kasan_slab_alloc+0xf/0x20
[ 41.417956]  kmem_cache_alloc+0xd5/0x2b0
[ 41.421991]  __alloc_skb+0xe7/0x5e0
[ 41.425590]  alloc_skb_with_frags+0xb0/0x4f0
[ 41.430066]  sock_alloc_send_pskb+0x5ec/0x760
[ 41.434535]  tun_get_user+0x53b/0x2430
[ 41.438392]  tun_chr_write_iter+0xda/0x190
[ 41.442592]  do_iter_readv_writev+0x3d9/0x4b0
[ 41.447121]  do_readv_writev+0x2ed/0x7a0
[ 41.451155]  vfs_writev+0x89/0xc0
[ 41.454648]  do_writev+0xe9/0x260
[ 41.458186]  SyS_writev+0x28/0x30
[ 41.461608]  do_syscall_64+0x1ad/0x570
[ 41.465463]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 41.470533] 
[ 41.472241] Freed by task 2061:
[ 41.475493]  save_stack_trace+0x16/0x20
[ 41.479437]  kasan_slab_free+0xb0/0x190
[ 41.483380]  kmem_cache_free+0xbe/0x310
[ 41.487387]  kfree_skbmem+0x9f/0x100
[ 41.491080]  kfree_skb+0xd4/0x350
[ 41.494503]  ip_defrag+0x620/0x3bc0
[ 41.498106]  ipv4_conntrack_defrag+0x1b4/0x2f0
[ 41.502662]  nf_iterate+0x12e/0x310
[ 41.506260]  nf_hook_slow+0x114/0x1f0
[ 41.510032]  ip_rcv+0xb79/0xf90
[ 41.513299]  __netif_receive_skb_core+0x1156/0x2990
[ 41.518299]  __netif_receive_skb+0x58/0x1c0
[ 41.522596]  process_backlog+0x1e8/0x610
[ 41.526627]  net_rx_action+0x3aa/0xdd0
[ 41.530484]  __do_softirq+0x22d/0x964
[ 41.534253] 
[ 41.535852] The buggy address belongs to the object at ffff8801cf266780
[ 41.535852]  which belongs to the cache skbuff_head_cache of size 224
[ 41.549008] The buggy address is located 136 bytes inside of
[ 41.549008]  224-byte region [ffff8801cf266780, ffff8801cf266860)
[ 41.560961] The buggy address belongs to the page:
[ 41.565865] page:ffffea00073c9980 count:1 mapcount:0 mapping:          (null) index:0x0
[ 41.574189] flags: 0x4000000000000080(slab)
[ 41.578483] page dumped because: kasan: bad access detected
[ 41.584259] 
[ 41.585857] Memory state around the buggy address:
[ 41.590754]  ffff8801cf266700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.598083]  ffff8801cf266780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.605413] >ffff8801cf266800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 41.612740]                                            ^
[ 41.616333]  ffff8801cf266880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.623658]  ffff8801cf266900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.631002] ==================================================================
[ 41.638329] Disabling lock debugging due to kernel taint
[ 41.643820] Kernel panic - not syncing: panic_on_warn set ...
[ 41.643820] 
[ 41.651162] CPU: 0 PID: 2061 Comm: syz-executor529 Tainted: G B 4.9.149+ #5
[ 41.659367]  ffff8801db607890 ffffffff81b47f01 ffff8801db607900 ffffffff82e4386a
[ 41.667375]  00000000ffffffff 0000000000000000 ffffffff826026be ffff8801db607970
[ 41.675376]  ffffffff813f727a 0000000041b58ab3 ffffffff82e35992 ffffffff813f70a1
[ 41.683439] Call Trace:
[ 41.685997] 
[ 41.688037]  [] dump_stack+0xc1/0x120
[ 41.693397]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 41.699958]  [] panic+0x1d9/0x3bd
[ 41.704950]  [] ? add_taint.cold+0x16/0x16
[ 41.710726]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 41.717283]  [] kasan_end_report+0x47/0x4f
[ 41.723052]  [] kasan_report.cold+0xa9/0x2ba
[ 41.728998]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 41.735377]  [] __asan_report_store4_noabort+0x17/0x20
[ 41.742201]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 41.748698]  [] nf_iterate+0x12e/0x310
[ 41.754231]  [] nf_hook_slow+0x114/0x1f0
[ 41.759828]  [] ? nf_iterate+0x310/0x310
[ 41.765428]  [] ip_rcv+0xb79/0xf90
[ 41.770504]  [] ? ip_rcv+0x8be/0xf90
[ 41.775756]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 41.781873]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 41.788613]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 41.794873]  [] __netif_receive_skb_core+0x1156/0x2990
[ 41.801685]  [] ? dev_loopback_xmit+0x430/0x430
[ 41.807898]  [] ? find_busiest_group+0x6320/0x6320
[ 41.814365]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 41.821093]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 41.827823]  [] ? check_preemption_disabled+0x3c/0x200
[ 41.834640]  [] ? process_backlog+0x190/0x610
[ 41.840672]  [] __netif_receive_skb+0x58/0x1c0
[ 41.846788]  [] process_backlog+0x1e8/0x610
[ 41.852647]  [] ? process_backlog+0x190/0x610
[ 41.858681]  [] ? trace_hardirqs_on+0x10/0x10
[ 41.864725]  [] net_rx_action+0x3aa/0xdd0
[ 41.870408]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 41.878269]  [] __do_softirq+0x22d/0x964
[ 41.883980]  [] do_softirq_own_stack+0x1c/0x30
[ 41.890099] 
[ 41.892138]  [] do_softirq.part.0+0x62/0x70
[ 41.898023]  [] do_softirq+0x18/0x20
[ 41.903517]  [] netif_rx_ni+0xbe/0x310
[ 41.908985]  [] tun_get_user+0xcd2/0x2430
[ 41.914680]  [] ? tun_select_queue+0x400/0x400
[ 41.920801]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 41.927526]  [] tun_chr_write_iter+0xda/0x190
[ 41.933554]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 41.939846]  [] ? vfs_iter_write+0x460/0x460
[ 41.945794]  [] ? selinux_file_permission+0x85/0x470
[ 41.952433]  [] ? security_file_permission+0x8f/0x1f0
[ 41.959157]  [] ? rw_verify_area+0xea/0x2b0
[ 41.965019]  [] do_readv_writev+0x2ed/0x7a0
[ 41.970874]  [] ? vfs_write+0x520/0x520
[ 41.976386]  [] ? __lru_cache_add+0x186/0x250
[ 41.982426]  [] ? __this_cpu_preempt_check+0x1d/0x30
[ 41.989070]  [] ? _raw_spin_unlock+0x2d/0x50
[ 41.995129]  [] ? handle_mm_fault+0x54a/0x2380
[ 42.001372]  [] ? vm_insert_page+0x840/0x840
[ 42.007319]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 42.014041]  [] vfs_writev+0x89/0xc0
[ 42.019302]  [] do_writev+0xe9/0x260
[ 42.024555]  [] ? vfs_writev+0xc0/0xc0
[ 42.029979]  [] ? SyS_readv+0x30/0x30
[ 42.035312]  [] SyS_writev+0x28/0x30
[ 42.040582]  [] do_syscall_64+0x1ad/0x570
[ 42.046272]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 42.053467] Kernel Offset: disabled
[ 42.057073] Rebooting in 86400 seconds..