[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 10.526535] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [ 11.652796] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.207' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 31.557025] ================================================================== [ 31.558277] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0 [ 31.559420] Write of size 4 at addr ffff8801cef321c8 by task syz-executor165/2053 [ 31.560540] [ 31.560779] CPU: 0 PID: 2053 Comm: syz-executor165 Not tainted 4.9.149+ #5 [ 31.561771] ffff8801db607950 ffffffff81b47f01 0000000000000001 ffffea00073bcc80 [ 31.563002] ffff8801cef321c8 0000000000000004 ffffffff826026be ffff8801db607988 [ 31.564424] ffffffff815020d5 0000000000000001 ffff8801cef321c8 ffff8801cef321c8 [ 31.565645] Call Trace: [ 31.566066] [ 31.566360] [] dump_stack+0xc1/0x120 [ 31.567132] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 31.568065] [] print_address_description+0x6f/0x238 [ 31.569019] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 31.570003] [] kasan_report.cold+0x8c/0x2ba [ 31.570829] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 31.571853] [] __asan_report_store4_noabort+0x17/0x20 [ 31.572803] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 31.573821] [] nf_iterate+0x12e/0x310 [ 31.574630] [] nf_hook_slow+0x114/0x1f0 [ 31.575498] [] ? nf_iterate+0x310/0x310 [ 31.576252] [] ip_rcv+0xb79/0xf90 [ 31.576934] [] ? ip_rcv+0x8be/0xf90 [ 31.580758] [] ? ip_local_deliver+0x4d0/0x4d0 [ 31.586879] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 31.593603] [] ? ip_local_deliver+0x4d0/0x4d0 [ 31.599721] [] __netif_receive_skb_core+0x1156/0x2990 [ 31.606533] [] ? dev_loopback_xmit+0x430/0x430 [ 31.612735] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 31.619509] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 31.626248] [] ? check_preemption_disabled+0x3c/0x200 [ 31.633062] [] ? process_backlog+0x190/0x610 [ 31.639090] [] __netif_receive_skb+0x58/0x1c0 [ 31.645206] [] process_backlog+0x1e8/0x610 [ 31.651061] [] ? process_backlog+0x190/0x610 [ 31.657091] [] ? trace_hardirqs_on+0x10/0x10 [ 31.663119] [] net_rx_action+0x3aa/0xdd0 [ 31.668800] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 31.676654] [] __do_softirq+0x22d/0x964 [ 31.682250] [] do_softirq_own_stack+0x1c/0x30 [ 31.688366] [ 31.690404] [] do_softirq.part.0+0x62/0x70 [ 31.696378] [] do_softirq+0x18/0x20 [ 31.701635] [] netif_rx_ni+0xbe/0x310 [ 31.707068] [] tun_get_user+0xcd2/0x2430 [ 31.712755] [] ? tun_select_queue+0x400/0x400 [ 31.718873] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 31.725770] [] tun_chr_write_iter+0xda/0x190 [ 31.731805] [] do_iter_readv_writev+0x3d9/0x4b0 [ 31.738104] [] ? vfs_iter_write+0x460/0x460 [ 31.744052] [] ? selinux_file_permission+0x85/0x470 [ 31.750691] [] ? security_file_permission+0x8f/0x1f0 [ 31.757416] [] ? rw_verify_area+0xea/0x2b0 [ 31.763277] [] do_readv_writev+0x2ed/0x7a0 [ 31.769136] [] ? vfs_write+0x520/0x520 [ 31.774644] [] ? __lru_cache_add+0x186/0x250 [ 31.780676] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 31.787319] [] ? _raw_spin_unlock+0x2d/0x50 [ 31.793260] [] ? handle_mm_fault+0x54a/0x2380 [ 31.799375] [] ? vm_insert_page+0x840/0x840 [ 31.805319] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 31.812042] [] vfs_writev+0x89/0xc0 [ 31.817292] [] do_writev+0xe9/0x260 [ 31.822541] [] ? vfs_writev+0xc0/0xc0 [ 31.827964] [] ? SyS_readv+0x30/0x30 [ 31.833328] [] SyS_writev+0x28/0x30 [ 31.838575] [] do_syscall_64+0x1ad/0x570 [ 31.844261] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 31.851157] [ 31.852758] Allocated by task 2053: [ 31.856361] save_stack_trace+0x16/0x20 [ 31.860329] kasan_kmalloc.part.0+0x62/0xf0 [ 31.864631] kasan_kmalloc+0xb7/0xd0 [ 31.868348] kasan_slab_alloc+0xf/0x20 [ 31.872204] kmem_cache_alloc+0xd5/0x2b0 [ 31.876238] __alloc_skb+0xe7/0x5e0 [ 31.879842] alloc_skb_with_frags+0xb0/0x4f0 [ 31.884219] sock_alloc_send_pskb+0x5ec/0x760 [ 31.888800] tun_get_user+0x53b/0x2430 [ 31.892683] tun_chr_write_iter+0xda/0x190 [ 31.896997] do_iter_readv_writev+0x3d9/0x4b0 [ 31.901472] do_readv_writev+0x2ed/0x7a0 [ 31.905503] vfs_writev+0x89/0xc0 [ 31.908927] do_writev+0xe9/0x260 [ 31.912357] SyS_writev+0x28/0x30 [ 31.915782] do_syscall_64+0x1ad/0x570 [ 31.919645] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 31.924714] [ 31.926314] Freed by task 2053: [ 31.929567] save_stack_trace+0x16/0x20 [ 31.933514] kasan_slab_free+0xb0/0x190 [ 31.937461] kmem_cache_free+0xbe/0x310 [ 31.941408] kfree_skbmem+0x9f/0x100 [ 31.945091] kfree_skb+0xd4/0x350 [ 31.948516] ip_defrag+0x620/0x3bc0 [ 31.952120] ipv4_conntrack_defrag+0x1b4/0x2f0 [ 31.956676] nf_iterate+0x12e/0x310 [ 31.960276] nf_hook_slow+0x114/0x1f0 [ 31.964048] ip_rcv+0xb79/0xf90 [ 31.967301] __netif_receive_skb_core+0x1156/0x2990 [ 31.972288] __netif_receive_skb+0x58/0x1c0 [ 31.976579] process_backlog+0x1e8/0x610 [ 31.980705] net_rx_action+0x3aa/0xdd0 [ 31.984590] __do_softirq+0x22d/0x964 [ 31.988361] [ 31.989967] The buggy address belongs to the object at ffff8801cef32140 [ 31.989967] which belongs to the cache skbuff_head_cache of size 224 [ 32.003240] The buggy address is located 136 bytes inside of [ 32.003240] 224-byte region [ffff8801cef32140, ffff8801cef32220) [ 32.015194] The buggy address belongs to the page: [ 32.020100] page:ffffea00073bcc80 count:1 mapcount:0 mapping: (null) index:0x0 [ 32.028329] flags: 0x4000000000000080(slab) [ 32.032617] page dumped because: kasan: bad access detected [ 32.038297] [ 32.039899] Memory state around the buggy address: [ 32.044800] ffff8801cef32080: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 32.052204] ffff8801cef32100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 32.059557] >ffff8801cef32180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.066956] ^ [ 32.072643] ffff8801cef32200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 32.079974] ffff8801cef32280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.087306] ================================================================== [ 32.094646] Disabling lock debugging due to kernel taint [ 32.100168] Kernel panic - not syncing: panic_on_warn set ... [ 32.100168] [ 32.107515] CPU: 0 PID: 2053 Comm: syz-executor165 Tainted: G B 4.9.149+ #5 [ 32.115712] ffff8801db607890 ffffffff81b47f01 ffff8801db607900 ffffffff82e4386a [ 32.123694] 00000000ffffffff 0000000000000000 ffffffff826026be ffff8801db607970 [ 32.131684] ffffffff813f727a 0000000041b58ab3 ffffffff82e35992 ffffffff813f70a1 [ 32.139725] Call Trace: [ 32.142280] [ 32.144337] [] dump_stack+0xc1/0x120 [ 32.149700] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 32.156258] [] panic+0x1d9/0x3bd [ 32.161247] [] ? add_taint.cold+0x16/0x16 [ 32.167122] [] ? ipv4_conntrack_defrag+0x2ae/0x2f0 [ 32.173680] [] kasan_end_report+0x47/0x4f [ 32.179450] [] kasan_report.cold+0xa9/0x2ba [ 32.185391] [] ? nf_defrag_ipv4_enable+0x10/0x10 [ 32.191771] [] __asan_report_store4_noabort+0x17/0x20 [ 32.198582] [] ipv4_conntrack_defrag+0x2ae/0x2f0 [ 32.204966] [] nf_iterate+0x12e/0x310 [ 32.210388] [] nf_hook_slow+0x114/0x1f0 [ 32.215986] [] ? nf_iterate+0x310/0x310 [ 32.221583] [] ip_rcv+0xb79/0xf90 [ 32.226655] [] ? ip_rcv+0x8be/0xf90 [ 32.231901] [] ? ip_local_deliver+0x4d0/0x4d0 [ 32.238036] [] ? ip_local_deliver_finish+0xa70/0xa70 [ 32.244777] [] ? ip_local_deliver+0x4d0/0x4d0 [ 32.250897] [] __netif_receive_skb_core+0x1156/0x2990 [ 32.257706] [] ? dev_loopback_xmit+0x430/0x430 [ 32.263907] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.270630] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.277356] [] ? check_preemption_disabled+0x3c/0x200 [ 32.284167] [] ? process_backlog+0x190/0x610 [ 32.290196] [] __netif_receive_skb+0x58/0x1c0 [ 32.296343] [] process_backlog+0x1e8/0x610 [ 32.302196] [] ? process_backlog+0x190/0x610 [ 32.308227] [] ? trace_hardirqs_on+0x10/0x10 [ 32.314273] [] net_rx_action+0x3aa/0xdd0 [ 32.319967] [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130 [ 32.327822] [] __do_softirq+0x22d/0x964 [ 32.333421] [] do_softirq_own_stack+0x1c/0x30 [ 32.339536] [ 32.341573] [] do_softirq.part.0+0x62/0x70 [ 32.347447] [] do_softirq+0x18/0x20 [ 32.352696] [] netif_rx_ni+0xbe/0x310 [ 32.358121] [] tun_get_user+0xcd2/0x2430 [ 32.363803] [] ? tun_select_queue+0x400/0x400 [ 32.369920] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.376645] [] tun_chr_write_iter+0xda/0x190 [ 32.382675] [] do_iter_readv_writev+0x3d9/0x4b0 [ 32.388965] [] ? vfs_iter_write+0x460/0x460 [ 32.394913] [] ? selinux_file_permission+0x85/0x470 [ 32.401552] [] ? security_file_permission+0x8f/0x1f0 [ 32.408275] [] ? rw_verify_area+0xea/0x2b0 [ 32.414131] [] do_readv_writev+0x2ed/0x7a0 [ 32.420000] [] ? vfs_write+0x520/0x520 [ 32.425507] [] ? __lru_cache_add+0x186/0x250 [ 32.431536] [] ? __this_cpu_preempt_check+0x1d/0x30 [ 32.438174] [] ? _raw_spin_unlock+0x2d/0x50 [ 32.444116] [] ? handle_mm_fault+0x54a/0x2380 [ 32.450240] [] ? vm_insert_page+0x840/0x840 [ 32.456187] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 32.462914] [] vfs_writev+0x89/0xc0 [ 32.468164] [] do_writev+0xe9/0x260 [ 32.473413] [] ? vfs_writev+0xc0/0xc0 [ 32.478833] [] ? SyS_readv+0x30/0x30 [ 32.484175] [] SyS_writev+0x28/0x30 [ 32.489495] [] do_syscall_64+0x1ad/0x570 [ 32.495188] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 32.502361] Kernel Offset: disabled [ 32.505968] Rebooting in 86400 seconds..