[ ok ] Starting periodic command scheduler: cron.
[....] Starting mcstransd:
[ 10.016062] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.362143] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.475766] random: crng init done
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
executing program
executing program
[ 29.170347] ==================================================================
[ 29.177826] BUG: KASAN: use-after-free in ipv4_conntrack_defrag+0x2ae/0x2f0
[ 29.184908] Write of size 4 at addr ffff8801d0781948 by task syz-executor291/2055
[ 29.192615]
[ 29.194229] CPU: 0 PID: 2055 Comm: syz-executor291 Not tainted 4.9.151+ #12
[ 29.201310]  ffff8801db607950 ffffffff81b46e21 0000000000000001 ffffea000741e040
[ 29.209356]  ffff8801d0781948 0000000000000004 ffffffff82601b3e ffff8801db607988
[ 29.217353]  ffffffff81502195 0000000000000001 ffff8801d0781948 ffff8801d0781948
[ 29.225383] Call Trace:
[ 29.227996]
[ 29.230047]  [] dump_stack+0xc1/0x120
[ 29.235423]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 29.241995]  [] print_address_description+0x6f/0x238
[ 29.248645]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 29.255202]  [] kasan_report.cold+0x8c/0x2ba
[ 29.261167]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 29.267589]  [] __asan_report_store4_noabort+0x17/0x20
[ 29.274405]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 29.280889]  [] nf_iterate+0x12e/0x310
[ 29.286335]  [] nf_hook_slow+0x114/0x1f0
[ 29.291934]  [] ? nf_iterate+0x310/0x310
[ 29.297550]  [] ip_rcv+0xb79/0xf90
[ 29.302633]  [] ? ip_rcv+0x8be/0xf90
[ 29.307886]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 29.314009]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 29.320740]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 29.326861]  [] __netif_receive_skb_core+0x1156/0x2990
[ 29.333686]  [] ? dev_loopback_xmit+0x430/0x430
[ 29.339896]  [] ? find_busiest_group+0x6320/0x6320
[ 29.346364]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 29.353091]  [] ? check_preemption_disabled+0x3c/0x200
[ 29.359911]  [] ? process_backlog+0x190/0x610
[ 29.365954]  [] __netif_receive_skb+0x58/0x1c0
[ 29.372085]  [] process_backlog+0x1e8/0x610
[ 29.377956]  [] ? process_backlog+0x190/0x610
[ 29.383992]  [] ? trace_hardirqs_on+0x10/0x10
[ 29.390026]  [] net_rx_action+0x3aa/0xdd0
[ 29.395712]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 29.403587]  [] __do_softirq+0x22d/0x964
[ 29.409186]  [] do_softirq_own_stack+0x1c/0x30
[ 29.415303]
[ 29.417345]  [] do_softirq.part.0+0x62/0x70
[ 29.423237]  [] do_softirq+0x18/0x20
[ 29.428485]  [] netif_rx_ni+0xbe/0x310
[ 29.433909]  [] tun_get_user+0xcd2/0x2430
[ 29.439592]  [] ? tun_select_queue+0x400/0x400
[ 29.445827]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 29.452669]  [] tun_chr_write_iter+0xda/0x190
[ 29.458712]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 29.465012]  [] ? vfs_iter_write+0x460/0x460
[ 29.470966]  [] ? selinux_file_permission+0x85/0x470
[ 29.477612]  [] ? security_file_permission+0x8f/0x1f0
[ 29.484539]  [] ? rw_verify_area+0xea/0x2b0
[ 29.490544]  [] do_readv_writev+0x2ed/0x7a0
[ 29.496443]  [] ? vfs_write+0x520/0x520
[ 29.502078]  [] ? __lru_cache_add+0x186/0x250
[ 29.508114]  [] ? __this_cpu_preempt_check+0x1d/0x30
[ 29.514843]  [] ? _raw_spin_unlock+0x2d/0x50
[ 29.520790]  [] ? handle_mm_fault+0x54a/0x2380
[ 29.526913]  [] ? vm_insert_page+0x840/0x840
[ 29.532864]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 29.539594]  [] vfs_writev+0x89/0xc0
[ 29.544850]  [] do_writev+0xe9/0x260
[ 29.550107]  [] ? vfs_writev+0xc0/0xc0
[ 29.555536]  [] ? SyS_readv+0x30/0x30
[ 29.560874]  [] SyS_writev+0x28/0x30
[ 29.566127]  [] do_syscall_64+0x1ad/0x570
[ 29.572307]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.579322]
[ 29.580930] Allocated by task 2055:
[ 29.584535]  save_stack_trace+0x16/0x20
[ 29.588484]  kasan_kmalloc.part.0+0x62/0xf0
[ 29.592784]  kasan_kmalloc+0xb7/0xd0
[ 29.596507]  kasan_slab_alloc+0xf/0x20
[ 29.600473]  kmem_cache_alloc+0xd5/0x2b0
[ 29.604511]  __alloc_skb+0xe7/0x5e0
[ 29.608122]  alloc_skb_with_frags+0xb0/0x4f0
[ 29.612502]  sock_alloc_send_pskb+0x5ec/0x760
[ 29.617009]  tun_get_user+0x53b/0x2430
[ 29.620897]  tun_chr_write_iter+0xda/0x190
[ 29.625185]  do_iter_readv_writev+0x3d9/0x4b0
[ 29.629694]  do_readv_writev+0x2ed/0x7a0
[ 29.633802]  vfs_writev+0x89/0xc0
[ 29.637349]  do_writev+0xe9/0x260
[ 29.640785]  SyS_writev+0x28/0x30
[ 29.644224]  do_syscall_64+0x1ad/0x570
[ 29.648083]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.653169]
[ 29.654775] Freed by task 2055:
[ 29.658045]  save_stack_trace+0x16/0x20
[ 29.662011]  kasan_slab_free+0xb0/0x190
[ 29.665962]  kmem_cache_free+0xbe/0x310
[ 29.670035]  kfree_skbmem+0x9f/0x100
[ 29.673728]  kfree_skb+0xd4/0x350
[ 29.677166]  ip_defrag+0x620/0x3bc0
[ 29.680802]  ipv4_conntrack_defrag+0x1b4/0x2f0
[ 29.685359]  nf_iterate+0x12e/0x310
[ 29.688983]  nf_hook_slow+0x114/0x1f0
[ 29.692762]  ip_rcv+0xb79/0xf90
[ 29.696018]  __netif_receive_skb_core+0x1156/0x2990
[ 29.701040]  __netif_receive_skb+0x58/0x1c0
[ 29.705336]  process_backlog+0x1e8/0x610
[ 29.709514]  net_rx_action+0x3aa/0xdd0
[ 29.713501]  __do_softirq+0x22d/0x964
[ 29.717276]
[ 29.718886] The buggy address belongs to the object at ffff8801d07818c0
[ 29.718886]  which belongs to the cache skbuff_head_cache of size 224
[ 29.732037] The buggy address is located 136 bytes inside of
[ 29.732037]  224-byte region [ffff8801d07818c0, ffff8801d07819a0)
[ 29.743886] The buggy address belongs to the page:
[ 29.748793] page:ffffea000741e040 count:1 mapcount:0 mapping: (null) index:0x0
[ 29.757027] flags: 0x4000000000000080(slab)
[ 29.761318] page dumped because: kasan: bad access detected
[ 29.766999]
[ 29.768602] Memory state around the buggy address:
[ 29.773507]  ffff8801d0781800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 29.780839]  ffff8801d0781880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 29.788191] >ffff8801d0781900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.795539]                                     ^
[ 29.801248]  ffff8801d0781980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.808584]  ffff8801d0781a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.815927] ==================================================================
[ 29.823256] Disabling lock debugging due to kernel taint
[ 29.828729] Kernel panic - not syncing: panic_on_warn set ...
[ 29.828729]
[ 29.836080] CPU: 0 PID: 2055 Comm: syz-executor291 Tainted: G B 4.9.151+ #12
[ 29.844365]  ffff8801db607890 ffffffff81b46e21 ffff8801db607900 ffffffff82e43922
[ 29.852379]  00000000ffffffff 0000000000000000 ffffffff82601b3e ffff8801db607970
[ 29.860398]  ffffffff813f725a 0000000041b58ab3 ffffffff82e35a4a ffffffff813f7081
[ 29.868425] Call Trace:
[ 29.870982]
[ 29.873023]  [] dump_stack+0xc1/0x120
[ 29.878385]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 29.884941]  [] panic+0x1d9/0x3bd
[ 29.889940]  [] ? add_taint.cold+0x16/0x16
[ 29.895719]  [] ? ipv4_conntrack_defrag+0x2ae/0x2f0
[ 29.902309]  [] kasan_end_report+0x47/0x4f
[ 29.908091]  [] kasan_report.cold+0xa9/0x2ba
[ 29.914046]  [] ? nf_defrag_ipv4_enable+0x10/0x10
[ 29.920436]  [] __asan_report_store4_noabort+0x17/0x20
[ 29.927276]  [] ipv4_conntrack_defrag+0x2ae/0x2f0
[ 29.933658]  [] nf_iterate+0x12e/0x310
[ 29.939084]  [] nf_hook_slow+0x114/0x1f0
[ 29.944683]  [] ? nf_iterate+0x310/0x310
[ 29.950287]  [] ip_rcv+0xb79/0xf90
[ 29.955382]  [] ? ip_rcv+0x8be/0xf90
[ 29.960638]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 29.966889]  [] ? ip_local_deliver_finish+0xa70/0xa70
[ 29.973624]  [] ? ip_local_deliver+0x4d0/0x4d0
[ 29.979749]  [] __netif_receive_skb_core+0x1156/0x2990
[ 29.986583]  [] ? dev_loopback_xmit+0x430/0x430
[ 29.992912]  [] ? find_busiest_group+0x6320/0x6320
[ 29.999411]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.006149]  [] ? check_preemption_disabled+0x3c/0x200
[ 30.012992]  [] ? process_backlog+0x190/0x610
[ 30.019131]  [] __netif_receive_skb+0x58/0x1c0
[ 30.025253]  [] process_backlog+0x1e8/0x610
[ 30.031116]  [] ? process_backlog+0x190/0x610
[ 30.037161]  [] ? trace_hardirqs_on+0x10/0x10
[ 30.043198]  [] net_rx_action+0x3aa/0xdd0
[ 30.049009]  [] ? net_rps_action_and_irq_enable.isra.0+0x130/0x130
[ 30.056903]  [] __do_softirq+0x22d/0x964
[ 30.062506]  [] do_softirq_own_stack+0x1c/0x30
[ 30.068628]
[ 30.070669]  [] do_softirq.part.0+0x62/0x70
[ 30.076544]  [] do_softirq+0x18/0x20
[ 30.081795]  [] netif_rx_ni+0xbe/0x310
[ 30.087224]  [] tun_get_user+0xcd2/0x2430
[ 30.093169]  [] ? tun_select_queue+0x400/0x400
[ 30.099291]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.106120]  [] tun_chr_write_iter+0xda/0x190
[ 30.112160]  [] do_iter_readv_writev+0x3d9/0x4b0
[ 30.118582]  [] ? vfs_iter_write+0x460/0x460
[ 30.124529]  [] ? selinux_file_permission+0x85/0x470
[ 30.131183]  [] ? security_file_permission+0x8f/0x1f0
[ 30.137911]  [] ? rw_verify_area+0xea/0x2b0
[ 30.143784]  [] do_readv_writev+0x2ed/0x7a0
[ 30.149641]  [] ? vfs_write+0x520/0x520
[ 30.155161]  [] ? __lru_cache_add+0x186/0x250
[ 30.161195]  [] ? __this_cpu_preempt_check+0x1d/0x30
[ 30.167835]  [] ? _raw_spin_unlock+0x2d/0x50
[ 30.173832]  [] ? handle_mm_fault+0x54a/0x2380
[ 30.179974]  [] ? vm_insert_page+0x840/0x840
[ 30.185927]  [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.192677]  [] vfs_writev+0x89/0xc0
[ 30.192683]  [] do_writev+0xe9/0x260
[ 30.192689]  [] ? vfs_writev+0xc0/0xc0
[ 30.192695]  [] ? SyS_readv+0x30/0x30
[ 30.192705]  [] SyS_writev+0x28/0x30
[ 30.192711]  [] do_syscall_64+0x1ad/0x570
[ 30.192717]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 30.198321] Kernel Offset: disabled
[ 30.235776] Rebooting in 86400 seconds..