Starting mcstransd:
[    8.746910] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   29.626132] random: sshd: uninitialized urandom read (32 bytes read)
[   29.849595] random: sshd: uninitialized urandom read (32 bytes read)
[   30.014802] random: crng init done
Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts.
executing program
executing program
[   49.418654] ==================================================================
[   49.426310] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[   49.433393] Write of size 4 at addr ffff8801ce8521c8 by task syz-executor469/2066
[   49.441086]
[   49.442689] CPU: 0 PID: 2066 Comm: syz-executor469 Not tainted 4.9.153+ #18
[   49.449756]  ffff8801db607950 ffffffff81b47491 0000000000000001 ffffea00073a1480
[   49.457911]  ffff8801ce8521c8 0000000000000004 ffffffff826026fe ffff8801db607988
[   49.465921]  ffffffff81502615 0000000000000001 ffff8801ce8521c8 ffff8801ce8521c8
[   49.473931] Call Trace:
[   49.476491]
[   49.478536]  [] dump_stack+0xc1/0x120
[   49.483895]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   49.490455]  [] print_address_description+0x6f/0x238
[   49.497098]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   49.503651]  [] kasan_report.cold+0x8c/0x2ba
[   49.509719]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   49.516104]  [] __asan_report_store4_noabort+0x17/0x20
[   49.522921]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   49.529303]  [] nf_iterate+0x12e/0x310
[   49.534724]  [] nf_hook_slow+0x114/0x1f0
[   49.540480]  [] ? nf_iterate+0x310/0x310
[   49.546092]  [] ip_rcv+0xb79/0xf90
[   49.551181]  [] ? ip_rcv+0x8be/0xf90
[   49.556444]  [] ? ip_local_deliver+0x4d0/0x4d0
[   49.562584]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   49.569322]  [] ? ip_local_deliver+0x4d0/0x4d0
[   49.575445]  [] __netif_receive_skb_core+0x1156/0x2990
[   49.582257]  [] ? dev_loopback_xmit+0x430/0x430
[   49.588475]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   49.595214]  [] ? check_preemption_disabled+0x3c/0x200
[   49.602073]  [] ? process_backlog+0x190/0x610
[   49.608112]  [] __netif_receive_skb+0x58/0x1c0
[   49.614264]  [] process_backlog+0x1e8/0x610
[   49.620125]  [] ? process_backlog+0x190/0x610
[   49.626216]  [] ? trace_hardirqs_on+0x10/0x10
[   49.632498]  [] net_rx_action+0x3aa/0xdd0
[   49.638182]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   49.646037]  [] __do_softirq+0x22d/0x964
[   49.651664]  [] do_softirq_own_stack+0x1c/0x30
[   49.657785]
[   49.660028]  [] do_softirq.part.0+0x62/0x70
[   49.666225]  [] do_softirq+0x18/0x20
[   49.671475]  [] netif_rx_ni+0xbe/0x310
[   49.676897]  [] tun_get_user+0xcd2/0x2430
[   49.682587]  [] ? tun_select_queue+0x400/0x400
[   49.688716]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   49.695579]  [] tun_chr_write_iter+0xda/0x190
[   49.701646]  [] do_iter_readv_writev+0x3d9/0x4b0
[   49.707932]  [] ? vfs_iter_write+0x460/0x460
[   49.713874]  [] ? selinux_file_permission+0x85/0x470
[   49.720514]  [] ? security_file_permission+0x8f/0x1f0
[   49.727241]  [] ? rw_verify_area+0xea/0x2b0
[   49.733093]  [] do_readv_writev+0x2ed/0x7a0
[   49.739093]  [] ? vfs_write+0x520/0x520
[   49.744700]  [] ? __lru_cache_add+0x186/0x250
[   49.750737]  [] ? __this_cpu_preempt_check+0x1d/0x30
[   49.757381]  [] ? _raw_spin_unlock+0x2d/0x50
[   49.763339]  [] ? handle_mm_fault+0x54a/0x2380
[   49.769459]  [] ? vm_insert_page+0x840/0x840
[   49.775552]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   49.782280]  [] vfs_writev+0x89/0xc0
[   49.787531]  [] do_writev+0xe9/0x260
[   49.792783]  [] ? vfs_writev+0xc0/0xc0
[   49.798209]  [] ? SyS_readv+0x30/0x30
[   49.803605]  [] SyS_writev+0x28/0x30
[   49.808875]  [] do_syscall_64+0x1ad/0x570
[   49.814562]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.821458]
[   49.823057] Allocated by task 2066:
[   49.826656]  save_stack_trace+0x16/0x20
[   49.830708]  kasan_kmalloc.part.0+0x62/0xf0
[   49.835003]  kasan_kmalloc+0xb7/0xd0
[   49.838694]  kasan_slab_alloc+0xf/0x20
[   49.842554]  kmem_cache_alloc+0xd5/0x2b0
[   49.846586]  __alloc_skb+0xe7/0x5e0
[   49.850188]  alloc_skb_with_frags+0xb0/0x4f0
[   49.854569]  sock_alloc_send_pskb+0x5ec/0x760
[   49.859032]  tun_get_user+0x53b/0x2430
[   49.862894]  tun_chr_write_iter+0xda/0x190
[   49.867102]  do_iter_readv_writev+0x3d9/0x4b0
[   49.871571]  do_readv_writev+0x2ed/0x7a0
[   49.875710]  vfs_writev+0x89/0xc0
[   49.879136]  do_writev+0xe9/0x260
[   49.882564]  SyS_writev+0x28/0x30
[   49.885990]  do_syscall_64+0x1ad/0x570
[   49.889850]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   49.894923]
[   49.896524] Freed by task 2066:
[   49.899797]  save_stack_trace+0x16/0x20
[   49.903747]  kasan_slab_free+0xb0/0x190
[   49.907690]  kmem_cache_free+0xbe/0x310
[   49.911636]  kfree_skbmem+0x9f/0x100
[   49.915321]  kfree_skb+0xd4/0x350
[   49.918748]  ip_defrag+0x620/0x3bc0
[   49.922478]  ipv4_conntrack_defrag+0x1b4/0x2f0
[   49.927042]  nf_iterate+0x12e/0x310
[   49.930646]  nf_hook_slow+0x114/0x1f0
[   49.934419]  ip_rcv+0xb79/0xf90
[   49.937672]  __netif_receive_skb_core+0x1156/0x2990
[   49.942671]  __netif_receive_skb+0x58/0x1c0
[   49.946979]  process_backlog+0x1e8/0x610
[   49.951134]  net_rx_action+0x3aa/0xdd0
[   49.955001]  __do_softirq+0x22d/0x964
[   49.958786]
[   49.960396] The buggy address belongs to the object at ffff8801ce852140
[   49.960396]  which belongs to the cache skbuff_head_cache of size 224
[   49.973545] The buggy address is located 136 bytes inside of
[   49.973545]  224-byte region [ffff8801ce852140, ffff8801ce852220)
[   49.985649] The buggy address belongs to the page:
[   49.990558] page:ffffea00073a1480 count:1 mapcount:0 mapping:          (null) index:0x0
[   49.998919] flags: 0x4000000000000080(slab)
[   50.003213] page dumped because: kasan: bad access detected
[   50.008893]
[   50.010489] Memory state around the buggy address:
[   50.015387]  ffff8801ce852080: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   50.022714]  ffff8801ce852100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   50.030039] >ffff8801ce852180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.037363]                                               ^
[   50.043200]  ffff8801ce852200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   50.050731]  ffff8801ce852280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   50.058061] ==================================================================
[   50.065635] Disabling lock debugging due to kernel taint
[   50.071096] Kernel panic - not syncing: panic_on_warn set ...
[   50.071096]
[   50.078580] CPU: 0 PID: 2066 Comm: syz-executor469 Tainted: G    B   4.9.153+ #18
[   50.086872]  ffff8801db607890 ffffffff81b47491 ffff8801db607900 ffffffff82e4391a
[   50.095142]  00000000ffffffff 0000000000000000 ffffffff826026fe ffff8801db607970
[   50.103141]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35a42 ffffffff813f7081
[   50.111125] Call Trace:
[   50.113753]
[   50.115800]  [] dump_stack+0xc1/0x120
[   50.121166]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   50.127723]  [] panic+0x1d9/0x3bd
[   50.132714]  [] ? add_taint.cold+0x16/0x16
[   50.138644]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   50.145198]  [] kasan_end_report+0x47/0x4f
[   50.150978]  [] kasan_report.cold+0xa9/0x2ba
[   50.156924]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   50.163412]  [] __asan_report_store4_noabort+0x17/0x20
[   50.170241]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   50.176634]  [] nf_iterate+0x12e/0x310
[   50.182054]  [] nf_hook_slow+0x114/0x1f0
[   50.187660]  [] ? nf_iterate+0x310/0x310
[   50.193257]  [] ip_rcv+0xb79/0xf90
[   50.198349]  [] ? ip_rcv+0x8be/0xf90
[   50.203704]  [] ? ip_local_deliver+0x4d0/0x4d0
[   50.209823]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   50.216565]  [] ? ip_local_deliver+0x4d0/0x4d0
[   50.222692]  [] __netif_receive_skb_core+0x1156/0x2990
[   50.229661]  [] ? dev_loopback_xmit+0x430/0x430
[   50.235870]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   50.242699]  [] ? check_preemption_disabled+0x3c/0x200
[   50.249648]  [] ? process_backlog+0x190/0x610
[   50.255684]  [] __netif_receive_skb+0x58/0x1c0
[   50.261799]  [] process_backlog+0x1e8/0x610
[   50.267658]  [] ? process_backlog+0x190/0x610
[   50.273688]  [] ? trace_hardirqs_on+0x10/0x10
[   50.279898]  [] net_rx_action+0x3aa/0xdd0
[   50.285584]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   50.293448]  [] __do_softirq+0x22d/0x964
[   50.299062]  [] do_softirq_own_stack+0x1c/0x30
[   50.305179]
[   50.307227]  [] do_softirq.part.0+0x62/0x70
[   50.313104]  [] do_softirq+0x18/0x20
[   50.318352]  [] netif_rx_ni+0xbe/0x310
[   50.323770]  [] tun_get_user+0xcd2/0x2430
[   50.329451]  [] ? tun_select_queue+0x400/0x400
[   50.335571]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   50.342503]  [] tun_chr_write_iter+0xda/0x190
[   50.348549]  [] do_iter_readv_writev+0x3d9/0x4b0
[   50.354838]  [] ? vfs_iter_write+0x460/0x460
[   50.360946]  [] ? selinux_file_permission+0x85/0x470
[   50.367621]  [] ? security_file_permission+0x8f/0x1f0
[   50.374361]  [] ? rw_verify_area+0xea/0x2b0
[   50.380226]  [] do_readv_writev+0x2ed/0x7a0
[   50.386083]  [] ? vfs_write+0x520/0x520
[   50.391591]  [] ? __lru_cache_add+0x186/0x250
[   50.397762]  [] ? __this_cpu_preempt_check+0x1d/0x30
[   50.404521]  [] ? _raw_spin_unlock+0x2d/0x50
[   50.410465]  [] ? handle_mm_fault+0x54a/0x2380
[   50.416582]  [] ? vm_insert_page+0x840/0x840
[   50.422527]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   50.429253]  [] vfs_writev+0x89/0xc0
[   50.434500]  [] do_writev+0xe9/0x260
[   50.439762]  [] ? vfs_writev+0xc0/0xc0
[   50.445183]  [] ? SyS_readv+0x30/0x30
[   50.450514]  [] SyS_writev+0x28/0x30
[   50.455775]  [] do_syscall_64+0x1ad/0x570
[   50.461456]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   50.468779] Kernel Offset: disabled
[   50.472378] Rebooting in 86400 seconds..