[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 10.330691] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [ 11.119571] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.54' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 27.426761] ================================================================== [ 27.427967] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0 [ 27.428925] Write of size 4 at addr ffff8801d2b1a948 by task syz-executor577/2052 [ 27.430004] [ 27.430282] CPU: 1 PID: 2052 Comm: syz-executor577 Not tainted 4.9.149+ #4 [ 27.431439] ffff8801db707950 ffffffff81b46481 0000000000000001 ffffea00074ac680 [ 27.432667] ffff8801d2b1a948 0000000000000004 ffffffff82600c3e ffff8801db707988 [ 27.433934] ffffffff815020d5 0000000000000001 ffff8801d2b1a948 ffff8801d2b1a948 [ 27.435284] Call Trace: [ 27.435782] [ 27.436149] [] dump_stack+0xc1/0x120 [ 27.436993] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 27.438010] [] print_address_description+0x6f/0x238 [ 27.439040] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 27.439983] [] kasan_report.cold+0x8c/0x2ba [ 27.440862] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 27.441722] [] __asan_report_store4_noabort+0x17/0x20 [ 27.442645] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 27.443514] [] nf_iterate+0x12e/0x310 [ 27.444257] [] nf_hook_slow+0x114/0x1f0 [ 27.445027] [] ? nf_iterate+0x310/0x310 [ 27.445780] [] ip_rcv+0xb79/0xf90 [ 27.446525] [] ? ip_rcv+0x8be/0xf90 [ 27.449633] [] ? ip_local_deliver+0x4d0/0x4d0 [ 27.455751] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 27.462496] [] ? ip_local_deliver+0x4d0/0x4d0 [ 27.468619] [] __netif_receive_skb_core+0x1156/0x2990 [ 27.475443] [] ? dev_loopback_xmit+0x430/0x430 [ 27.481782] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 27.488609] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 27.495353] [] ? check_preemption_disabled+0x3c/0x200 [ 27.502170] [] ? process_backlog+0x190/0x610 [ 27.508218] [] __netif_receive_skb+0x58/0x1c0 [ 27.514385] [] process_backlog+0x1e8/0x610 [ 27.520254] [] ? process_backlog+0x190/0x610 [ 27.526416] [] ? trace_hardirqs_on+0x10/0x10 [ 27.532497] [] net_rx_action+0x3aa/0xdd0 [ 27.538219] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 27.546098] [] __do_softirq+0x22d/0x964 [ 27.551699] [] do_softirq_own_stack+0x1c/0x30 [ 27.557833] [ 27.559880] [] do_softirq.part.0+0x62/0x70 [ 27.565760] [] do_softirq+0x18/0x20 [ 27.571018] [] netif_rx_ni+0xbe/0x310 [ 27.576533] [] tun_get_user+0xcd2/0x2430 [ 27.582238] [] ? tun_select_queue+0x400/0x400 [ 27.588369] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 27.595099] [] tun_chr_write_iter+0xda/0x190 [ 27.601163] [] do_iter_readv_writev+0x3d9/0x4b0 [ 27.607477] [] ? vfs_iter_write+0x460/0x460 [ 27.613435] [] ? selinux_file_permission+0x85/0x470 [ 27.620083] [] ? security_file_permission+0x8f/0x1f0 [ 27.626814] [] ? rw_verify_area+0xea/0x2b0 [ 27.632679] [] do_readv_writev+0x2ed/0x7a0 [ 27.638542] [] ? vfs_write+0x520/0x520 [ 27.644058] [] ? __lru_cache_add+0x186/0x250 [ 27.650110] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 27.656862] [] ? _raw_spin_unlock+0x2d/0x50 [ 27.662814] [] ? handle_mm_fault+0x54a/0x2380 [ 27.669052] [] ? vm_insert_page+0x840/0x840 [ 27.675005] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 27.681740] [] vfs_writev+0x89/0xc0 [ 27.686994] [] do_writev+0xe9/0x260 [ 27.692269] [] ? vfs_writev+0xc0/0xc0 [ 27.697697] [] ? SyS_readv+0x30/0x30 [ 27.703048] [] SyS_writev+0x28/0x30 [ 27.708424] [] do_syscall_64+0x1ad/0x570 [ 27.714281] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 27.721222] [ 27.722832] Allocated by task 2052: [ 27.726441] save_stack_trace+0x16/0x20 [ 27.730390] kasan_kmalloc.part.0+0x62/0xf0 [ 27.734685] kasan_kmalloc+0xb7/0xd0 [ 27.738481] kasan_slab_alloc+0xf/0x20 [ 27.742348] kmem_cache_alloc+0xd5/0x2b0 [ 27.746384] __alloc_skb+0xe7/0x5e0 [ 27.749989] alloc_skb_with_frags+0xb0/0x4f0 [ 27.754384] sock_alloc_send_pskb+0x5ec/0x760 [ 27.758892] tun_get_user+0x53b/0x2430 [ 27.762768] tun_chr_write_iter+0xda/0x190 [ 27.766979] do_iter_readv_writev+0x3d9/0x4b0 [ 27.771463] do_readv_writev+0x2ed/0x7a0 [ 27.775497] vfs_writev+0x89/0xc0 [ 27.778927] do_writev+0xe9/0x260 [ 27.782354] SyS_writev+0x28/0x30 [ 27.785785] do_syscall_64+0x1ad/0x570 [ 27.789912] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 27.794990] [ 27.796599] Freed by task 2052: [ 27.799939] save_stack_trace+0x16/0x20 [ 27.803892] kasan_slab_free+0xb0/0x190 [ 27.807846] kmem_cache_free+0xbe/0x310 [ 27.811799] kfree_skbmem+0x9f/0x100 [ 27.815492] kfree_skb+0xd4/0x350 [ 27.818920] ip_defrag+0x620/0x3bc0 [ 27.822526] ipv4_conntrack_defrag+0x1b4/0x2f0 [ 27.827084] nf_iterate+0x12e/0x310 [ 27.830820] nf_hook_slow+0x114/0x1f0 [ 27.834610] ip_rcv+0xb79/0xf90 [ 27.837890] __netif_receive_skb_core+0x1156/0x2990 [ 27.843002] __netif_receive_skb+0x58/0x1c0 [ 27.847300] process_backlog+0x1e8/0x610 [ 27.851334] net_rx_action+0x3aa/0xdd0 [ 27.855218] __do_softirq+0x22d/0x964 [ 27.858991] [ 27.860594] The buggy address belongs to the object at ffff8801d2b1a8c0 [ 27.860594] which belongs to the cache skbuff_head_cache of size 224 [ 27.873745] The buggy address is located 136 bytes inside of [ 27.873745] 224-byte region [ffff8801d2b1a8c0, ffff8801d2b1a9a0) [ 27.885594] The buggy address belongs to the page: [ 27.890579] page:ffffea00074ac680 count:1 mapcount:0 mapping: (null) index:0x0 [ 27.898925] flags: 0x4000000000000080(slab) [ 27.903223] page dumped because: kasan: bad access detected [ 27.908906] [ 27.910506] Memory state around the buggy address: [ 27.915405] ffff8801d2b1a800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 27.922741] ffff8801d2b1a880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 27.930075] >ffff8801d2b1a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.937410] ^ [ 27.943092] ffff8801d2b1a980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 27.950421] ffff8801d2b1aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.957853] ================================================================== [ 27.965183] Disabling lock debugging due to kernel taint [ 27.970650] Kernel panic - not syncing: panic_on_warn set ... [ 27.970650] [ 27.977989] CPU: 1 PID: 2052 Comm: syz-executor577 Tainted: G B 4.9.149+ #4 [ 27.986186] ffff8801db707890 ffffffff81b46481 ffff8801db707900 ffffffff82e436f2 [ 27.994215] 00000000ffffffff 0000000000000001 ffffffff82600c3e ffff8801db707970 [ 28.002256] ffffffff813f727a 0000000041b58ab3 ffffffff82e3581a ffffffff813f70a1 [ 28.010303] Call Trace: [ 28.012860] [ 28.014904] [] dump_stack+0xc1/0x120 [ 28.020281] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 28.026844] [] panic+0x1d9/0x3bd [ 28.031843] [] ? add_taint.cold+0x16/0x16 [ 28.037618] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 28.044195] [] kasan_end_report+0x47/0x4f [ 28.049974] [] kasan_report.cold+0xa9/0x2ba [ 28.055989] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 28.062374] [] __asan_report_store4_noabort+0x17/0x20 [ 28.069192] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 28.075678] [] nf_iterate+0x12e/0x310 [ 28.081108] [] nf_hook_slow+0x114/0x1f0 [ 28.086709] [] ? nf_iterate+0x310/0x310 [ 28.092320] [] ip_rcv+0xb79/0xf90 [ 28.097399] [] ? ip_rcv+0x8be/0xf90 [ 28.102651] [] ? ip_local_deliver+0x4d0/0x4d0 [ 28.108770] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 28.115496] [] ? ip_local_deliver+0x4d0/0x4d0 [ 28.121620] [] __netif_receive_skb_core+0x1156/0x2990 [ 28.128481] [] ? dev_loopback_xmit+0x430/0x430 [ 28.134694] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 28.141425] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 28.148225] [] ? check_preemption_disabled+0x3c/0x200 [ 28.155051] [] ? process_backlog+0x190/0x610 [ 28.161201] [] __netif_receive_skb+0x58/0x1c0 [ 28.167321] [] process_backlog+0x1e8/0x610 [ 28.173255] [] ? process_backlog+0x190/0x610 [ 28.179437] [] ? trace_hardirqs_on+0x10/0x10 [ 28.185471] [] net_rx_action+0x3aa/0xdd0 [ 28.191162] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 28.199038] [] __do_softirq+0x22d/0x964 [ 28.204642] [] do_softirq_own_stack+0x1c/0x30 [ 28.210764] [ 28.212805] [] do_softirq.part.0+0x62/0x70 [ 28.218701] [] do_softirq+0x18/0x20 [ 28.223961] [] netif_rx_ni+0xbe/0x310 [ 28.229384] [] tun_get_user+0xcd2/0x2430 [ 28.235089] [] ? tun_select_queue+0x400/0x400 [ 28.241317] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 28.248049] [] tun_chr_write_iter+0xda/0x190 [ 28.254078] [] do_iter_readv_writev+0x3d9/0x4b0 [ 28.260381] [] ? vfs_iter_write+0x460/0x460 [ 28.266331] [] ? selinux_file_permission+0x85/0x470 [ 28.272976] [] ? security_file_permission+0x8f/0x1f0 [ 28.279704] [] ? rw_verify_area+0xea/0x2b0 [ 28.285567] [] do_readv_writev+0x2ed/0x7a0 [ 28.291434] [] ? vfs_write+0x520/0x520 [ 28.296962] [] ? __lru_cache_add+0x186/0x250 [ 28.302996] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 28.309648] [] ? _raw_spin_unlock+0x2d/0x50 [ 28.315739] [] ? handle_mm_fault+0x54a/0x2380 [ 28.321863] [] ? vm_insert_page+0x840/0x840 [ 28.328140] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 28.334874] [] vfs_writev+0x89/0xc0 [ 28.340122] [] do_writev+0xe9/0x260 [ 28.345375] [] ? vfs_writev+0xc0/0xc0 [ 28.350821] [] ? SyS_readv+0x30/0x30 [ 28.356178] [] SyS_writev+0x28/0x30 [ 28.361428] [] do_syscall_64+0x1ad/0x570 [ 28.367133] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 28.374367] Kernel Offset: disabled [ 28.377977] Rebooting in 86400 seconds..