[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   10.076697] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.833747] random: crng init done
Warning: Permanently added '10.128.0.203' (ECDSA) to the list of known hosts.
executing program
executing program
[   34.745753] ==================================================================
[   34.753155] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[   34.760227] Write of size 4 at addr ffff8801cf7331c8 by task syz-executor515/2057
[   34.767819]
[   34.769423] CPU: 1 PID: 2057 Comm: syz-executor515 Not tainted 4.9.151+ #12
[   34.776496]  ffff8801db707950 ffffffff81b46e21 0000000000000001 ffffea00073dccc0
[   34.784503]  ffff8801cf7331c8 0000000000000004 ffffffff82601b3e ffff8801db707988
[   34.792502]  ffffffff81502195 0000000000000001 ffff8801cf7331c8 ffff8801cf7331c8
[   34.800497] Call Trace:
[   34.803055]
[   34.805096]  [] dump_stack+0xc1/0x120
[   34.810464]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   34.817019]  [] print_address_description+0x6f/0x238
[   34.823658]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   34.830215]  [] kasan_report.cold+0x8c/0x2ba
[   34.836170]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   34.842563]  [] __asan_report_store4_noabort+0x17/0x20
[   34.849386]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   34.855780]  [] nf_iterate+0x12e/0x310
[   34.861207]  [] nf_hook_slow+0x114/0x1f0
[   34.866817]  [] ? nf_iterate+0x310/0x310
[   34.872422]  [] ip_rcv+0xb79/0xf90
[   34.877559]  [] ? ip_rcv+0x8be/0xf90
[   34.882819]  [] ? ip_local_deliver+0x4d0/0x4d0
[   34.888940]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   34.895678]  [] ? ip_local_deliver+0x4d0/0x4d0
[   34.901809]  [] __netif_receive_skb_core+0x1156/0x2990
[   34.908624]  [] ? dev_loopback_xmit+0x430/0x430
[   34.915008]  [] ? find_busiest_group+0x6320/0x6320
[   34.923078]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   34.929812]  [] ? check_preemption_disabled+0x3c/0x200
[   34.936626]  [] ? process_backlog+0x190/0x610
[   34.942661]  [] __netif_receive_skb+0x58/0x1c0
[   34.948779]  [] process_backlog+0x1e8/0x610
[   34.954641]  [] ? process_backlog+0x190/0x610
[   34.960674]  [] ? trace_hardirqs_on+0x10/0x10
[   34.966721]  [] net_rx_action+0x3aa/0xdd0
[   34.972407]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   34.980268]  [] __do_softirq+0x22d/0x964
[   34.985875]  [] do_softirq_own_stack+0x1c/0x30
[   34.991992]
[   34.994045]  [] do_softirq.part.0+0x62/0x70
[   34.999923]  [] do_softirq+0x18/0x20
[   35.005173]  [] netif_rx_ni+0xbe/0x310
[   35.010603]  [] tun_get_user+0xcd2/0x2430
[   35.016302]  [] ? tun_select_queue+0x400/0x400
[   35.022532]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   35.029280]  [] tun_chr_write_iter+0xda/0x190
[   35.035786]  [] do_iter_readv_writev+0x3d9/0x4b0
[   35.042083]  [] ? vfs_iter_write+0x460/0x460
[   35.048045]  [] ? selinux_file_permission+0x85/0x470
[   35.054689]  [] ? security_file_permission+0x8f/0x1f0
[   35.061417]  [] ? rw_verify_area+0xea/0x2b0
[   35.067285]  [] do_readv_writev+0x2ed/0x7a0
[   35.073143]  [] ? vfs_write+0x520/0x520
[   35.078766]  [] ? __lru_cache_add+0x186/0x250
[   35.084802]  [] ? __this_cpu_preempt_check+0x1d/0x30
[   35.091446]  [] ? _raw_spin_unlock+0x2d/0x50
[   35.097395]  [] ? handle_mm_fault+0x54a/0x2380
[   35.103522]  [] ? vm_insert_page+0x840/0x840
[   35.109478]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   35.116206]  [] vfs_writev+0x89/0xc0
[   35.121457]  [] do_writev+0xe9/0x260
[   35.126707]  [] ? vfs_writev+0xc0/0xc0
[   35.132131]  [] ? SyS_readv+0x30/0x30
[   35.137468]  [] SyS_writev+0x28/0x30
[   35.142719]  [] do_syscall_64+0x1ad/0x570
[   35.148406]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.155303]
[   35.156904] Allocated by task 2057:
[   35.160509]  save_stack_trace+0x16/0x20
[   35.164460]  kasan_kmalloc.part.0+0x62/0xf0
[   35.168758]  kasan_kmalloc+0xb7/0xd0
[   35.172447]  kasan_slab_alloc+0xf/0x20
[   35.176425]  kmem_cache_alloc+0xd5/0x2b0
[   35.180472]  __alloc_skb+0xe7/0x5e0
[   35.184078]  alloc_skb_with_frags+0xb0/0x4f0
[   35.188469]  sock_alloc_send_pskb+0x5ec/0x760
[   35.192944]  tun_get_user+0x53b/0x2430
[   35.196805]  tun_chr_write_iter+0xda/0x190
[   35.201014]  do_iter_readv_writev+0x3d9/0x4b0
[   35.205487]  do_readv_writev+0x2ed/0x7a0
[   35.209528]  vfs_writev+0x89/0xc0
[   35.212971]  do_writev+0xe9/0x260
[   35.216404]  SyS_writev+0x28/0x30
[   35.219832]  do_syscall_64+0x1ad/0x570
[   35.223698]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.228770]
[   35.230370] Freed by task 2057:
[   35.233623]  save_stack_trace+0x16/0x20
[   35.237601]  kasan_slab_free+0xb0/0x190
[   35.241555]  kmem_cache_free+0xbe/0x310
[   35.245602]  kfree_skbmem+0x9f/0x100
[   35.249303]  kfree_skb+0xd4/0x350
[   35.252736]  ip_defrag+0x620/0x3bc0
[   35.256340]  ipv4_conntrack_defrag+0x1b4/0x2f0
[   35.261016]  nf_iterate+0x12e/0x310
[   35.264622]  nf_hook_slow+0x114/0x1f0
[   35.268399]  ip_rcv+0xb79/0xf90
[   35.271654]  __netif_receive_skb_core+0x1156/0x2990
[   35.276658]  __netif_receive_skb+0x58/0x1c0
[   35.280958]  process_backlog+0x1e8/0x610
[   35.285125]  net_rx_action+0x3aa/0xdd0
[   35.288990]  __do_softirq+0x22d/0x964
[   35.292762]
[   35.294366] The buggy address belongs to the object at ffff8801cf733140
[   35.294366]  which belongs to the cache skbuff_head_cache of size 224
[   35.307520] The buggy address is located 136 bytes inside of
[   35.307520]  224-byte region [ffff8801cf733140, ffff8801cf733220)
[   35.319469] The buggy address belongs to the page:
[   35.324373] page:ffffea00073dccc0 count:1 mapcount:0 mapping:          (null) index:0x0
[   35.332612] flags: 0x4000000000000080(slab)
[   35.336913] page dumped because: kasan: bad access detected
[   35.342595]
[   35.344201] Memory state around the buggy address:
[   35.349113]  ffff8801cf733080: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   35.356450]  ffff8801cf733100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   35.363785] >ffff8801cf733180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.371122]                                               ^
[   35.376821]  ffff8801cf733200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   35.384155]  ffff8801cf733280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.391489] ==================================================================
[   35.398922] Disabling lock debugging due to kernel taint
[   35.404393] Kernel panic - not syncing: panic_on_warn set ...
[   35.404393]
[   35.411740] CPU: 1 PID: 2057 Comm: syz-executor515 Tainted: G    B           4.9.151+ #12
[   35.420026]  ffff8801db707890 ffffffff81b46e21 ffff8801db707900 ffffffff82e43922
[   35.428025]  00000000ffffffff 0000000000000001 ffffffff82601b3e ffff8801db707970
[   35.436017]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081
[   35.444002] Call Trace:
[   35.446560]
[   35.448605]  [] dump_stack+0xc1/0x120
[   35.453963]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   35.460518]  [] panic+0x1d9/0x3bd
[   35.465514]  [] ? add_taint.cold+0x16/0x16
[   35.471285]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[   35.477841]  [] kasan_end_report+0x47/0x4f
[   35.483611]  [] kasan_report.cold+0xa9/0x2ba
[   35.489562]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[   35.495940]  [] __asan_report_store4_noabort+0x17/0x20
[   35.502758]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[   35.509140]  [] nf_iterate+0x12e/0x310
[   35.514564]  [] nf_hook_slow+0x114/0x1f0
[   35.520163]  [] ? nf_iterate+0x310/0x310
[   35.525765]  [] ip_rcv+0xb79/0xf90
[   35.530846]  [] ? ip_rcv+0x8be/0xf90
[   35.536192]  [] ? ip_local_deliver+0x4d0/0x4d0
[   35.542326]  [] ? ip_local_deliver_finish+0xa70/0xa70
[   35.549056]  [] ? ip_local_deliver+0x4d0/0x4d0
[   35.555180]  [] __netif_receive_skb_core+0x1156/0x2990
[   35.561994]  [] ? dev_loopback_xmit+0x430/0x430
[   35.568358]  [] ? find_busiest_group+0x6320/0x6320
[   35.574830]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   35.581564]  [] ? check_preemption_disabled+0x3c/0x200
[   35.588379]  [] ? process_backlog+0x190/0x610
[   35.594410]  [] __netif_receive_skb+0x58/0x1c0
[   35.600528]  [] process_backlog+0x1e8/0x610
[   35.606391]  [] ? process_backlog+0x190/0x610
[   35.612426]  [] ? trace_hardirqs_on+0x10/0x10
[   35.618461]  [] net_rx_action+0x3aa/0xdd0
[   35.624148]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[   35.632011]  [] __do_softirq+0x22d/0x964
[   35.637613]  [] do_softirq_own_stack+0x1c/0x30
[   35.643730]
[   35.645768]  [] do_softirq.part.0+0x62/0x70
[   35.651655]  [] do_softirq+0x18/0x20
[   35.656907]  [] netif_rx_ni+0xbe/0x310
[   35.662334]  [] tun_get_user+0xcd2/0x2430
[   35.668024]  [] ? tun_select_queue+0x400/0x400
[   35.674148]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   35.680883]  [] tun_chr_write_iter+0xda/0x190
[   35.686920]  [] do_iter_readv_writev+0x3d9/0x4b0
[   35.693211]  [] ? vfs_iter_write+0x460/0x460
[   35.699158]  [] ? selinux_file_permission+0x85/0x470
[   35.705799]  [] ? security_file_permission+0x8f/0x1f0
[   35.712644]  [] ? rw_verify_area+0xea/0x2b0
[   35.718509]  [] do_readv_writev+0x2ed/0x7a0
[   35.724372]  [] ? vfs_write+0x520/0x520
[   35.729888]  [] ? __lru_cache_add+0x186/0x250
[   35.735924]  [] ? __this_cpu_preempt_check+0x1d/0x30
[   35.742567]  [] ? _raw_spin_unlock+0x2d/0x50
[   35.748515]  [] ? handle_mm_fault+0x54a/0x2380
[   35.754772]  [] ? vm_insert_page+0x840/0x840
[   35.760731]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[   35.767568]  [] vfs_writev+0x89/0xc0
[   35.772834]  [] do_writev+0xe9/0x260
[   35.778086]  [] ? vfs_writev+0xc0/0xc0
[   35.783512]  [] ? SyS_readv+0x30/0x30
[   35.788850]  [] SyS_writev+0x28/0x30
[   35.794102]  [] do_syscall_64+0x1ad/0x570
[   35.799789]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   35.807022] Kernel Offset: disabled
[   35.810632] Rebooting in 86400 seconds..
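The following triage script is an added example, not part of the syzkaller report above and not kernel or syzkaller code. It parses the report layout printed by 4.9-era KASAN, recomputes the 136-byte in-object offset from the two addresses the report gives, reads the shadow byte KASAN dumped for the faulting address (0xfb, KASAN_KMALLOC_FREE, which is what separates a use-after-free from an out-of-bounds access into a redzone), and names the first frame of each stack that is not allocator plumbing (tun_get_user for the allocation, ip_defrag for the free). The sample input is a trimmed copy of the report above; the set of frames treated as plumbing (HELPER_PREFIXES) is this script's own heuristic, and it needs Python 3.8 or later.

```python
"""Triage helper for the KASAN report above (added example, not syzkaller or kernel code):
parse the 4.9-era layout, recompute the in-object offset, decode the shadow byte at the
faulting address and name the frames that own the allocation and the free."""
import re

# Constructed input: a trimmed copy of the report printed above, timestamps kept.
REPORT = """\
[   34.753155] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[   34.760227] Write of size 4 at addr ffff8801cf7331c8 by task syz-executor515/2057
[   35.156904] Allocated by task 2057:
[   35.160509]  save_stack_trace+0x16/0x20
[   35.172447]  kasan_slab_alloc+0xf/0x20
[   35.180472]  __alloc_skb+0xe7/0x5e0
[   35.192944]  tun_get_user+0x53b/0x2430
[   35.230370] Freed by task 2057:
[   35.233623]  save_stack_trace+0x16/0x20
[   35.237601]  kasan_slab_free+0xb0/0x190
[   35.249303]  kfree_skb+0xd4/0x350
[   35.252736]  ip_defrag+0x620/0x3bc0
[   35.256340]  ipv4_conntrack_defrag+0x1b4/0x2f0
[   35.294366] The buggy address belongs to the object at ffff8801cf733140
[   35.294366]  which belongs to the cache skbuff_head_cache of size 224
[   35.307520] The buggy address is located 136 bytes inside of
[   35.307520]  224-byte region [ffff8801cf733140, ffff8801cf733220)
[   35.349113]  ffff8801cf733080: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   35.363785] >ffff8801cf733180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.371122]                                               ^
[   35.376821]  ffff8801cf733200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
STACK_RE = re.compile(r"^(Allocated|Freed) by task \d+:$")
FRAME_RE = re.compile(r"^\s*(?:\[[^\]]*\]\s*)?(?:\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ROW_RE = re.compile(r"^\s*>?(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2}\s?)+)$")
SCALARS = [  # (pattern, how its groups are stored)
    (re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x"), lambda r, m: r.update(bug=m["bug"], func=m["func"])),
    (re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)"),
     lambda r, m: r.update(kind=m["kind"], size=int(m["size"]), addr=int(m["addr"], 16), task=m["task"], pid=int(m["pid"]))),
    (re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)"), lambda r, m: r.update(object_base=int(m["base"], 16))),
    (re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)"), lambda r, m: r.update(cache=m["cache"], object_size=int(m["size"]))),
    (re.compile(r"is located (?P<off>\d+) bytes"), lambda r, m: r.update(reported_offset=int(m["off"]))),
]
# Shadow encodings from mm/kasan/kasan.h; 0x01..0x07 mean a partially accessible 8-byte granule.
SHADOW_MEANING = {0x00: "accessible", 0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                  0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)", 0xfe: "page redzone", 0xff: "freed page"}
GRANULE, ROW_BYTES = 8, 128  # a printed memory-state row covers 16 granules of 8 bytes
HELPER_PREFIXES = ("save_stack_trace", "kasan_", "kmem_cache_", "kmalloc", "kfree",  # this script's own
                   "__alloc_skb", "alloc_skb_with_frags", "sock_alloc_send_pskb")  # "plumbing" heuristic


def parse_report(text):
    rep, stack = {"alloc_stack": [], "free_stack": [], "shadow": {}}, None
    for ln in (TS_RE.sub("", raw).rstrip() for raw in text.splitlines()):
        if m := STACK_RE.match(ln):
            stack = rep["alloc_stack" if m[1] == "Allocated" else "free_stack"]
            continue
        if stack is not None and (m := FRAME_RE.match(ln)):
            stack.append(m["sym"])
            continue
        stack = None  # any non-frame line closes the current stack
        for rx, store in SCALARS:
            if m := rx.search(ln):
                store(rep, m)
                break
        else:
            if m := ROW_RE.match(ln):
                rep["shadow"][int(m["row"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return rep


def offset_check(rep):
    """Recompute addr - object_base and compare it with the offset the report printed."""
    computed = rep["addr"] - rep["object_base"]
    return {"computed": computed, "reported": rep["reported_offset"],
            "consistent": 0 <= computed < rep["object_size"] and computed == rep["reported_offset"]}


def shadow_byte(rep, addr=None):
    """(shadow value, meaning) for addr, read from the printed memory-state rows."""
    addr = rep["addr"] if addr is None else addr
    row = addr & ~(ROW_BYTES - 1)
    if row not in rep["shadow"]:
        return None, "row not in report"
    val = rep["shadow"][row][(addr - row) // GRANULE]
    return val, ("partial granule, %d accessible bytes" % val if 1 <= val <= 7
                 else SHADOW_MEANING.get(val, "unknown"))


def owner_frame(stack):
    """First frame that is not allocator plumbing (see HELPER_PREFIXES)."""
    return next((s for s in stack if not s.startswith(HELPER_PREFIXES)), None)


def triage(text):
    rep = parse_report(text)
    val, meaning = shadow_byte(rep)
    return {"bug": rep["bug"], "site": rep["func"], "cache": rep["cache"],
            "access": "%s of %d bytes" % (rep["kind"], rep["size"]),
            "offset": offset_check(rep), "shadow": (val, meaning),
            # a use-after-free must land on a freed granule, not on a redzone
            "shadow_matches_bug": (rep["bug"] == "use-after-free") == (val == 0xfb),
            "allocated_in": owner_frame(rep["alloc_stack"]),
            "freed_in": owner_frame(rep["free_stack"])}


if __name__ == "__main__":
    print(triage(REPORT))
```

Offset 136 is the distance into the freed skbuff_head_cache object (a struct sk_buff); which field sits there depends on the struct layout of the exact 4.9.151+ build, so resolve it against the matching vmlinux (for example with pahole) rather than guessing from the report. The free stack shows ip_defrag releasing the skb through kfree_skb while the use stack shows ipv4_conntrack_defrag, the caller of ip_defrag, still writing to it afterwards; the shadow byte 0xfb at the faulting address, and 0xfc at the region end ffff8801cf733220, confirm that reading.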