[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 10.652041] random: sshd: uninitialized urandom read (32 bytes read)
[ 11.552044] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 28.602977] ==================================================================
[ 28.604170] BUG: KASAN: use-after-free in ip_check_defrag+0x571/0x5b0
[ 28.605129] Write of size 4 at addr ffff8801ce42a95c by task syz-executor920/2198
[ 28.606212]
[ 28.606473] CPU: 0 PID: 2198 Comm: syz-executor920 Not tainted 4.9.149+ #4
[ 28.607403]  ffff8801cb93f658 ffffffff81b46481 0000000000000001 ffffea0007390a80
[ 28.608636]  ffff8801ce42a95c 0000000000000004 ffffffff824a2fe1 ffff8801cb93f690
[ 28.609885]  ffffffff815020d5 0000000000000001 ffff8801ce42a95c ffff8801ce42a95c
[ 28.611108] Call Trace:
[ 28.611514]  [] dump_stack+0xc1/0x120
[ 28.612308]  [] ? ip_check_defrag+0x571/0x5b0
[ 28.613192]  [] print_address_description+0x6f/0x238
[ 28.614184]  [] ? ip_check_defrag+0x571/0x5b0
[ 28.615008]  [] kasan_report.cold+0x8c/0x2ba
[ 28.615829]  [] __asan_report_store4_noabort+0x17/0x20
[ 28.616813]  [] ip_check_defrag+0x571/0x5b0
[ 28.617698]  [] ? ip_defrag+0x3bc0/0x3bc0
[ 28.618537]  [] packet_rcv_fanout+0x51e/0x5f0
[ 28.619370]  [] ? fanout_demux_rollover+0x4b0/0x4b0
[ 28.620432]  [] dev_queue_xmit_nit+0x5e0/0x800
[ 28.621321]  [] ? netif_rx+0x2c0/0x2c0
[ 28.622075]  [] dev_hard_start_xmit+0xa7/0x8b0
[ 28.622933]  [] __dev_queue_xmit+0x11a3/0x1bd0
[ 28.625909]  [] ? __dev_queue_xmit+0x1d4/0x1bd0
[ 28.632119]  [] ? netdev_pick_tx+0x300/0x300
[ 28.638066]  [] ? skb_copy_datagram_from_iter+0x32b/0x5c0
[ 28.645147]  [] ? packet_cached_dev_get+0xfd/0x1f0
[ 28.651625]  [] dev_queue_xmit+0x18/0x20
[ 28.657281]  [] packet_sendmsg+0x2778/0x4840
[ 28.663243]  [] ? check_preemption_disabled+0x3c/0x200
[ 28.670066]  [] ? check_preemption_disabled+0x3c/0x200
[ 28.676882]  [] ? check_preemption_disabled+0x3c/0x200
[ 28.683743]  [] ? sock_has_perm+0x1c8/0x3e0
[ 28.689622]  [] ? compat_packet_setsockopt+0x140/0x140
[ 28.696453]  [] ? selinux_socket_sendmsg+0x3f/0x50
[ 28.702959]  [] ? security_socket_sendmsg+0x8f/0xc0
[ 28.709534]  [] ? compat_packet_setsockopt+0x140/0x140
[ 28.716368]  [] sock_sendmsg+0xbe/0x110
[ 28.721884]  [] SyS_sendto+0x201/0x340
[ 28.727312]  [] ? SyS_getpeername+0x2a0/0x2a0
[ 28.733348]  [] ? packet_bind+0x140/0x190
[ 28.739040]  [] ? SyS_socketpair+0x510/0x510
[ 28.744992]  [] ? security_file_ioctl+0x8f/0xc0
[ 28.751200]  [] ? do_syscall_64+0x4a/0x570
[ 28.756984]  [] ? SyS_getpeername+0x2a0/0x2a0
[ 28.763030]  [] do_syscall_64+0x1ad/0x570
[ 28.768719]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 28.775617]
[ 28.777226] Allocated by task 2198:
[ 28.780832]  save_stack_trace+0x16/0x20
[ 28.784783]  kasan_kmalloc.part.0+0x62/0xf0
[ 28.789089]  kasan_kmalloc+0xb7/0xd0
[ 28.792791]  kasan_slab_alloc+0xf/0x20
[ 28.796667]  kmem_cache_alloc+0xd5/0x2b0
[ 28.800711]  skb_clone+0x122/0x2a0
[ 28.804228]  dev_queue_xmit_nit+0x2d2/0x800
[ 28.808530]  dev_hard_start_xmit+0xa7/0x8b0
[ 28.812834]  __dev_queue_xmit+0x11a3/0x1bd0
[ 28.817140]  dev_queue_xmit+0x18/0x20
[ 28.821000]  packet_sendmsg+0x2778/0x4840
[ 28.825135]  sock_sendmsg+0xbe/0x110
[ 28.828825]  SyS_sendto+0x201/0x340
[ 28.832426]  do_syscall_64+0x1ad/0x570
[ 28.836298]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 28.841370]
[ 28.842983] Freed by task 2198:
[ 28.846242]  save_stack_trace+0x16/0x20
[ 28.850191]  kasan_slab_free+0xb0/0x190
[ 28.854144]  kmem_cache_free+0xbe/0x310
[ 28.858097]  kfree_skbmem+0x9f/0x100
[ 28.861785]  kfree_skb+0xd4/0x350
[ 28.865215]  ip_defrag+0x620/0x3bc0
[ 28.868892]  ip_check_defrag+0x3d6/0x5b0
[ 28.872938]  packet_rcv_fanout+0x51e/0x5f0
[ 28.877150]  dev_queue_xmit_nit+0x5e0/0x800
[ 28.881453]  dev_hard_start_xmit+0xa7/0x8b0
[ 28.885849]  __dev_queue_xmit+0x11a3/0x1bd0
[ 28.890155]  dev_queue_xmit+0x18/0x20
[ 28.893936]  packet_sendmsg+0x2778/0x4840
[ 28.898059]  sock_sendmsg+0xbe/0x110
[ 28.901750]  SyS_sendto+0x201/0x340
[ 28.905362]  do_syscall_64+0x1ad/0x570
[ 28.909230]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 28.914306]
[ 28.915910] The buggy address belongs to the object at ffff8801ce42a8c0
[ 28.915910]  which belongs to the cache skbuff_head_cache of size 224
[ 28.929067] The buggy address is located 156 bytes inside of
[ 28.929067]  224-byte region [ffff8801ce42a8c0, ffff8801ce42a9a0)
[ 28.940913] The buggy address belongs to the page:
[ 28.945818] page:ffffea0007390a80 count:1 mapcount:0 mapping:          (null) index:0x0
[ 28.954050] flags: 0x4000000000000080(slab)
[ 28.958387] page dumped because: kasan: bad access detected
[ 28.964075]
[ 28.965675] Memory state around the buggy address:
[ 28.970580]  ffff8801ce42a800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 28.977926]  ffff8801ce42a880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 28.985370] >ffff8801ce42a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.992709]                                                     ^
[ 28.998919]  ffff8801ce42a980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.006256]  ffff8801ce42aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.013588] ==================================================================
[ 29.021009] Disabling lock debugging due to kernel taint
[ 29.026502] Kernel panic - not syncing: panic_on_warn set ...
[ 29.026502]
[ 29.033866] CPU: 0 PID: 2198 Comm: syz-executor920 Tainted: G    B   4.9.149+ #4
[ 29.042069]  ffff8801cb93f598 ffffffff81b46481 ffff8801cb93f600 ffffffff82e436f2
[ 29.050081]  00000000ffffffff 0000000000000000 ffffffff824a2fe1 ffff8801cb93f678
[ 29.058090]  ffffffff813f727a 0000000041b58ab3 ffffffff82e3581a ffffffff813f70a1
[ 29.066086] Call Trace:
[ 29.068655]  [] dump_stack+0xc1/0x120
[ 29.074005]  [] ? ip_check_defrag+0x571/0x5b0
[ 29.080042]  [] panic+0x1d9/0x3bd
[ 29.085103]  [] ? add_taint.cold+0x16/0x16
[ 29.090948]  [] kasan_end_report+0x47/0x4f
[ 29.096744]  [] kasan_report.cold+0xa9/0x2ba
[ 29.102695]  [] __asan_report_store4_noabort+0x17/0x20
[ 29.109585]  [] ip_check_defrag+0x571/0x5b0
[ 29.115462]  [] ? ip_defrag+0x3bc0/0x3bc0
[ 29.121169]  [] packet_rcv_fanout+0x51e/0x5f0
[ 29.127218]  [] ? fanout_demux_rollover+0x4b0/0x4b0
[ 29.133775]  [] dev_queue_xmit_nit+0x5e0/0x800
[ 29.139898]  [] ? netif_rx+0x2c0/0x2c0
[ 29.145325]  [] dev_hard_start_xmit+0xa7/0x8b0
[ 29.151452]  [] __dev_queue_xmit+0x11a3/0x1bd0
[ 29.157576]  [] ? __dev_queue_xmit+0x1d4/0x1bd0
[ 29.163800]  [] ? netdev_pick_tx+0x300/0x300
[ 29.169751]  [] ? skb_copy_datagram_from_iter+0x32b/0x5c0
[ 29.176833]  [] ? packet_cached_dev_get+0xfd/0x1f0
[ 29.183526]  [] dev_queue_xmit+0x18/0x20
[ 29.189134]  [] packet_sendmsg+0x2778/0x4840
[ 29.195089]  [] ? check_preemption_disabled+0x3c/0x200
[ 29.201916]  [] ? check_preemption_disabled+0x3c/0x200
[ 29.208739]  [] ? check_preemption_disabled+0x3c/0x200
[ 29.215556]  [] ? sock_has_perm+0x1c8/0x3e0
[ 29.221420]  [] ? compat_packet_setsockopt+0x140/0x140
[ 29.228255]  [] ? selinux_socket_sendmsg+0x3f/0x50
[ 29.234732]  [] ? security_socket_sendmsg+0x8f/0xc0
[ 29.241307]  [] ? compat_packet_setsockopt+0x140/0x140
[ 29.248122]  [] sock_sendmsg+0xbe/0x110
[ 29.253642]  [] SyS_sendto+0x201/0x340
[ 29.259073]  [] ? SyS_getpeername+0x2a0/0x2a0
[ 29.265113]  [] ? packet_bind+0x140/0x190
[ 29.270801]  [] ? SyS_socketpair+0x510/0x510
[ 29.276847]  [] ? security_file_ioctl+0x8f/0xc0
[ 29.283057]  [] ? do_syscall_64+0x4a/0x570
[ 29.288833]  [] ? SyS_getpeername+0x2a0/0x2a0
[ 29.294866]  [] do_syscall_64+0x1ad/0x570
[ 29.300558]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.307816] Kernel Offset: disabled
[ 29.311473] Rebooting in 86400 seconds..