Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
executing program
[ 57.201775] audit: type=1400 audit(1559760228.586:36): avc: denied { map } for pid=8044 comm="syz-executor758" path="/root/syz-executor758718441" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 57.242548] FAULT_INJECTION: forcing a failure.
[ 57.242548] name failslab, interval 1, probability 0, space 0, times 1
[ 57.254409] CPU: 1 PID: 8044 Comm: syz-executor758 Not tainted 4.19.48 #20
[ 57.261444] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.270787] Call Trace:
[ 57.273389] dump_stack+0x172/0x1f0
[ 57.277019] should_fail.cold+0xa/0x1b
[ 57.280900] ? fault_create_debugfs_attr+0x1e0/0x1e0
[ 57.286018] ? mark_held_locks+0xb1/0x100
[ 57.290165] __should_failslab+0x121/0x190
[ 57.294390] should_failslab+0x9/0x14
[ 57.298197] __kmalloc+0x71/0x750
[ 57.301670] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 57.306786] ? depot_save_stack+0x1de/0x460
[ 57.311099] ? gcmaes_encrypt.constprop.0+0x6c4/0xd90
[ 57.316281] gcmaes_encrypt.constprop.0+0x6c4/0xd90
[ 57.321285] ? save_stack+0x45/0xd0
[ 57.324901] ? kasan_kmalloc+0xce/0xf0
[ 57.328800] ? tls_push_record+0x107/0x13a0
[ 57.333117] ? generic_gcmaes_decrypt+0x160/0x160
[ 57.337952] ? mark_held_locks+0x100/0x100
[ 57.342183] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 57.347195] ? iov_iter_advance+0x261/0xe30
[ 57.351518] ? fs_reclaim_acquire+0x20/0x20
[ 57.355843] ? __lock_is_held+0xb6/0x140
[ 57.359892] ? should_fail+0x14d/0x85c
[ 57.363776] generic_gcmaes_encrypt+0x108/0x159
[ 57.368443] ? generic_gcmaes_encrypt+0x108/0x159
[ 57.373275] ? helper_rfc4106_encrypt+0x390/0x390
[ 57.378107] ? __kmalloc+0x5e1/0x750
[ 57.381925] gcmaes_wrapper_encrypt+0x15f/0x200
[ 57.386587] tls_push_record+0x9c0/0x13a0
[ 57.390730] tls_sw_sendmsg+0xb22/0x1220
[ 57.394806] ? find_held_lock+0x35/0x130
[ 57.398884] ? decrypt_skb_update+0x5c0/0x5c0
[ 57.403376] ? __local_bh_enable_ip+0x15a/0x270
[ 57.408036] ? lockdep_hardirqs_on+0x3d7/0x5d0
[ 57.412783] ? trace_hardirqs_on+0x67/0x220
[ 57.417100] ? lock_sock_nested+0x9a/0x120
[ 57.421326] inet_sendmsg+0x141/0x5d0
[ 57.425132] smc_sendmsg+0x29e/0x3b0
[ 57.428830] ? smc_sendpage+0x1b0/0x1b0
[ 57.432791] sock_sendmsg+0xd7/0x130
[ 57.436508] sock_write_iter+0x27c/0x3e0
[ 57.440582] ? sock_sendmsg+0x130/0x130
[ 57.444579] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 57.450111] ? iov_iter_init+0xc6/0x1f0
[ 57.454078] __vfs_write+0x587/0x810
[ 57.457793] ? kernel_read+0x120/0x120
[ 57.461675] ? selinux_file_permission+0x92/0x550
[ 57.466516] ? security_file_permission+0x89/0x230
[ 57.471446] ? rw_verify_area+0x118/0x360
[ 57.475584] vfs_write+0x20c/0x560
[ 57.479112] ksys_write+0x14f/0x2d0
[ 57.482738] ? __ia32_sys_read+0xb0/0xb0
[ 57.486788] ? do_syscall_64+0x26/0x620
[ 57.490748] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.496269] ? do_syscall_64+0x26/0x620
[ 57.500234] __x64_sys_write+0x73/0xb0
[ 57.504111] do_syscall_64+0xfd/0x620
[ 57.507918] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.513172] RIP: 0033:0x4405d9
[ 57.516361] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 57.535268] RSP: 002b:00007fff6d16b188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 57.542966] RAX: ffffffffffffffda RBX: 00007fff6d16b190 RCX: 00000000004405d9
[ 57.550222] RDX: 000000000000fdef RSI: 00000000200000c0 RDI: 0000000000000003
[ 57.557491] RBP: 0000000000000004 R08: 0000000000000001 R09: 00007fff6d160033
[ 57.564751] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ec0
[ 57.572035] R13: 0000000000401f50 R14: 0000000000000000 R15: 0000000000000000
[ 57.582823] ==================================================================
[ 57.590259] BUG: KASAN: use-after-free in tls_write_space+0x2b2/0x310
[ 57.596835] Read of size 1 at addr ffff88809ecae8a0 by task syz-executor758/8044
[ 57.604355]
[ 57.606004] CPU: 1 PID: 8044 Comm: syz-executor758 Not tainted 4.19.48 #20
[ 57.613058] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.622565] Call Trace:
[ 57.625154] dump_stack+0x172/0x1f0
[ 57.628796] ? tls_write_space+0x2b2/0x310
[ 57.633057] print_address_description.cold+0x7c/0x20d
[ 57.638325] ? tls_write_space+0x2b2/0x310
[ 57.642677] kasan_report.cold+0x8c/0x2ba
[ 57.646823] __asan_report_load1_noabort+0x14/0x20
[ 57.651744] tls_write_space+0x2b2/0x310
[ 57.655822] ? tls_push_pending_closed_record+0x150/0x150
[ 57.661351] ? tcp_send_rcvq+0x500/0x500
[ 57.665407] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 57.670409] tcp_check_space+0x430/0x720
[ 57.674455] tcp_rcv_established+0x9e9/0x1f10
[ 57.678939] ? tcp_data_queue+0x4220/0x4220
[ 57.683246] ? __local_bh_enable_ip+0x15a/0x270
[ 57.687906] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 57.692912] tcp_v4_do_rcv+0x616/0x8d0
[ 57.696792] __release_sock+0x129/0x3a0
[ 57.700953] release_sock+0x59/0x1c0
[ 57.704654] tls_sk_proto_close+0x691/0xa20
[ 57.708966] ? tcp_check_oom+0x560/0x560
[ 57.713027] ? tls_write_space+0x310/0x310
[ 57.717385] ? __local_bh_enable_ip+0x15a/0x270
[ 57.722042] ? lockdep_hardirqs_on+0x415/0x5d0
[ 57.726618] ? ip_mc_drop_socket+0x20c/0x270
[ 57.731029] ? trace_hardirqs_on+0x67/0x220
[ 57.735351] inet_release+0xff/0x1e0
[ 57.739050] __sock_release+0x1f4/0x2a0
[ 57.743008] sock_release+0x18/0x20
[ 57.746653] smc_release+0x2c1/0x810
[ 57.750389] __sock_release+0xce/0x2a0
[ 57.754263] ? __sock_release+0x2a0/0x2a0
[ 57.758396] sock_close+0x1b/0x30
[ 57.761836] __fput+0x2dd/0x8b0
[ 57.765103] ____fput+0x16/0x20
[ 57.768371] task_work_run+0x145/0x1c0
[ 57.772245] do_exit+0x933/0x2fa0
[ 57.775717] ? vfs_write+0x161/0x560
[ 57.779414] ? mm_update_next_owner+0x660/0x660
[ 57.784070] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 57.789689] ? ksys_write+0x1f1/0x2d0
[ 57.793477] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 57.798219] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 57.802962] do_group_exit+0x135/0x370
[ 57.806857] __x64_sys_exit_group+0x44/0x50
[ 57.811167] do_syscall_64+0xfd/0x620
[ 57.814966] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.820145] RIP: 0033:0x43f298
[ 57.823373] Code: Bad RIP value.
[ 57.826739] RSP: 002b:00007fff6d16b188 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 57.834433] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f298
[ 57.841790] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 57.849048] RBP: 00000000004bf068 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 57.856301] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 57.863575] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 57.870857]
[ 57.872468] Allocated by task 8044:
[ 57.876086] save_stack+0x45/0xd0
[ 57.879525] kasan_kmalloc+0xce/0xf0
[ 57.883224] kmem_cache_alloc_trace+0x152/0x760
[ 57.887902] create_ctx+0x46/0x1f0
[ 57.891428] tls_init+0x158/0x7a0
[ 57.894974] tcp_set_ulp+0x216/0x5f0
[ 57.898672] do_tcp_setsockopt.isra.0+0x321/0x2320
[ 57.903586] tcp_setsockopt+0xbe/0xe0
[ 57.907373] sock_common_setsockopt+0x94/0xd0
[ 57.911854] smc_setsockopt+0xcb/0x790
[ 57.915728] __sys_setsockopt+0x17a/0x280
[ 57.919965] __x64_sys_setsockopt+0xbe/0x150
[ 57.924359] do_syscall_64+0xfd/0x620
[ 57.928143] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.933310]
[ 57.934925] Freed by task 8044:
[ 57.938219] save_stack+0x45/0xd0
[ 57.941655] __kasan_slab_free+0x102/0x150
[ 57.945876] kasan_slab_free+0xe/0x10
[ 57.949661] kfree+0xcf/0x220
[ 57.952780] tls_ctx_free.part.0+0x32/0x40
[ 57.957087] tls_sk_proto_close+0x684/0xa20
[ 57.961416] inet_release+0xff/0x1e0
[ 57.965117] __sock_release+0x1f4/0x2a0
[ 57.969078] sock_release+0x18/0x20
[ 57.972692] smc_release+0x2c1/0x810
[ 57.976396] __sock_release+0xce/0x2a0
[ 57.980265] sock_close+0x1b/0x30
[ 57.983726] __fput+0x2dd/0x8b0
[ 57.987027] ____fput+0x16/0x20
[ 57.990294] task_work_run+0x145/0x1c0
[ 57.994162] do_exit+0x933/0x2fa0
[ 57.997609] do_group_exit+0x135/0x370
[ 58.001478] __x64_sys_exit_group+0x44/0x50
[ 58.005786] do_syscall_64+0xfd/0x620
[ 58.009571] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.014736]
[ 58.016350] The buggy address belongs to the object at ffff88809ecae7c0
[ 58.016350] which belongs to the cache kmalloc-512 of size 512
[ 58.028997] The buggy address is located 224 bytes inside of
[ 58.028997] 512-byte region [ffff88809ecae7c0, ffff88809ecae9c0)
[ 58.040863] The buggy address belongs to the page:
[ 58.045794] page:ffffea00027b2b80 count:1 mapcount:0 mapping:ffff88812c3f0940 index:0x0
[ 58.053937] flags: 0x1fffc0000000100(slab)
[ 58.058166] raw: 01fffc0000000100 ffffea00026d1a08 ffffea00027c1748 ffff88812c3f0940
[ 58.066038] raw: 0000000000000000 ffff88809ecae040 0000000100000006 0000000000000000
[ 58.073901] page dumped because: kasan: bad access detected
[ 58.079596]
[ 58.081211] Memory state around the buggy address:
[ 58.086126] ffff88809ecae780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 58.093471] ffff88809ecae800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.100828] >ffff88809ecae880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.108169]                                ^
[ 58.112560] ffff88809ecae900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.119913] ffff88809ecae980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 58.127264] ==================================================================
[ 58.134611] Disabling lock debugging due to kernel taint
[ 58.140681] Kernel panic - not syncing: panic_on_warn set ...
[ 58.140681]
[ 58.148112] CPU: 1 PID: 8044 Comm: syz-executor758 Tainted: G B 4.19.48 #20
[ 58.156624] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.173210] Call Trace:
[ 58.175809] dump_stack+0x172/0x1f0
[ 58.179423] ? tls_write_space+0x2b2/0x310
[ 58.183747] panic+0x263/0x507
[ 58.186926] ? __warn_printk+0xf3/0xf3
[ 58.190797] ? tls_write_space+0x2b2/0x310
[ 58.195024] ? preempt_schedule+0x4b/0x60
[ 58.199158] ? ___preempt_schedule+0x16/0x18
[ 58.203556] ? trace_hardirqs_on+0x5e/0x220
[ 58.207961] ? tls_write_space+0x2b2/0x310
[ 58.212279] kasan_end_report+0x47/0x4f
[ 58.216239] kasan_report.cold+0xa9/0x2ba
[ 58.221326] __asan_report_load1_noabort+0x14/0x20
[ 58.226374] tls_write_space+0x2b2/0x310
[ 58.230459] ? tls_push_pending_closed_record+0x150/0x150
[ 58.235985] ? tcp_send_rcvq+0x500/0x500
[ 58.240037] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 58.245051] tcp_check_space+0x430/0x720
[ 58.249102] tcp_rcv_established+0x9e9/0x1f10
[ 58.253616] ? tcp_data_queue+0x4220/0x4220
[ 58.265338] ? __local_bh_enable_ip+0x15a/0x270
[ 58.270002] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 58.275073] tcp_v4_do_rcv+0x616/0x8d0
[ 58.278955] __release_sock+0x129/0x3a0
[ 58.282919] release_sock+0x59/0x1c0
[ 58.286620] tls_sk_proto_close+0x691/0xa20
[ 58.290961] ? tcp_check_oom+0x560/0x560
[ 58.295138] ? tls_write_space+0x310/0x310
[ 58.299368] ? __local_bh_enable_ip+0x15a/0x270
[ 58.304048] ? lockdep_hardirqs_on+0x415/0x5d0
[ 58.308626] ? ip_mc_drop_socket+0x20c/0x270
[ 58.313041] ? trace_hardirqs_on+0x67/0x220
[ 58.317440] inet_release+0xff/0x1e0
[ 58.324425] __sock_release+0x1f4/0x2a0
[ 58.328393] sock_release+0x18/0x20
[ 58.332015] smc_release+0x2c1/0x810
[ 58.335719] __sock_release+0xce/0x2a0
[ 58.339595] ? __sock_release+0x2a0/0x2a0
[ 58.343730] sock_close+0x1b/0x30
[ 58.347196] __fput+0x2dd/0x8b0
[ 58.350472] ____fput+0x16/0x20
[ 58.353779] task_work_run+0x145/0x1c0
[ 58.357651] do_exit+0x933/0x2fa0
[ 58.361089] ? vfs_write+0x161/0x560
[ 58.364783] ? mm_update_next_owner+0x660/0x660
[ 58.369440] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.375049] ? ksys_write+0x1f1/0x2d0
[ 58.380789] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 58.385539] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 58.390287] do_group_exit+0x135/0x370
[ 58.394163] __x64_sys_exit_group+0x44/0x50
[ 58.398506] do_syscall_64+0xfd/0x620
[ 58.402297] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.407472] RIP: 0033:0x43f298
[ 58.410673] Code: Bad RIP value.
[ 58.414036] RSP: 002b:00007fff6d16b188 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 58.421730] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f298
[ 58.429058] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 58.438246] RBP: 00000000004bf068 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 58.445523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 58.452791] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 58.461311] Kernel Offset: disabled
[ 58.464954] Rebooting in 86400 seconds..