IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
------------[ cut here ]------------
kernel BUG at include/linux/scatterlist.h:199!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7051 Comm: syz-executor.2 Not tainted 4.17.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:sg_mark_end include/linux/scatterlist.h:199 [inline]
RIP: 0010:tls_push_record+0xef0/0x1660 net/tls/tls_sw.c:234
RSP: 0018:ffff880082d5f9b0 EFLAGS: 00010287
RAX: 0000000087654321 RBX: ffff88009a82e980 RCX: ffff88009a82ee20
RDX: 1ffff10013505dbf RSI: ffff88009a82eb70 RDI: ffff88009a82eb78
RBP: ffff880082d5fa60 R08: ffff880082d5fd28 R09: 0000000000000000
R10: ffffed00150cac38 R11: ffff8800a86561c1 R12: ffff8800a561db80
R13: ffff88009a82edf8 R14: ffff88008cb20040 R15: 0000000000000017
FS:  00007f5ded3df700(0000) GS:ffff8800aec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0c2069e000 CR3: 000000009f603000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tls_sw_sendmsg+0xc5c/0x1110 net/tls/tls_sw.c:484
 inet_sendmsg+0x108/0x440 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:639
 __sys_sendto+0x1f2/0x2e0 net/socket.c:1789
 __do_sys_sendto net/socket.c:1801 [inline]
 __se_sys_sendto net/socket.c:1797 [inline]
 __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1797
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45b399
RSP: 002b:00007f5ded3dec78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f5ded3df6d4 RCX: 000000000045b399
RDX: 00000000e0ffffff RSI: 00000000200005c0 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 00000000000000d8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009d6 R14: 00000000004cb45d R15: 000000000075bf2c
Code: 48 b8 00 00 00 00 00 fc ff df
==================================================================
BUG: KASAN: use-after-free in tls_sk_proto_close+0x828/0x900 net/tls/tls_main.c:290
Read of size 1 at addr ffff8800a503d458 by task syz-executor.2/7050

CPU: 1 PID: 7050 Comm: syz-executor.2 Not tainted 4.17.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x109/0x15a lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 tls_sk_proto_close+0x828/0x900 net/tls/tls_main.c:290
 inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:427
 inet6_release+0x46/0x60 net/ipv6/af_inet6.c:460
 sock_release+0x83/0x190 net/socket.c:594
 sock_close+0xd/0x20 net/socket.c:1149
 __fput+0x232/0x780 fs/file_table.c:209
 ____fput+0x9/0x10 fs/file_table.c:243
 task_work_run+0x111/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x16a/0x1b0 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x407/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x414f31
RSP: 002b:00007ffe6d4dc420 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000414f31
RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000760928 R09: ffffffffffffffff
R10: 00007ffe6d4dc4f0 R11: 0000000000000293 R12: 000000000075bfc8
R13: 0000000000000006 R14: 0000000000760930 R15: 000000000075bfd4

Allocated by task 7105:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3620
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 create_ctx net/tls/tls_main.c:514 [inline]
 tls_init+0x13a/0x910 net/tls/tls_main.c:626
 tcp_set_ulp+0x197/0x480 net/ipv4/tcp_ulp.c:153
 do_tcp_setsockopt.isra.37+0x2ab/0x2210 net/ipv4/tcp.c:2587
 tcp_setsockopt+0x80/0xd0 net/ipv4/tcp.c:2892
 sock_common_setsockopt+0x73/0xf0 net/core/sock.c:3039
 __sys_setsockopt+0x13e/0x210 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xb9/0x150 net/socket.c:1911
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7050:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x270 mm/slab.c:3813
 tls_sw_free_resources+0x277/0x340 net/tls/tls_sw.c:1037
 tls_sk_proto_close+0x558/0x900 net/tls/tls_main.c:281
 inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:427
 inet6_release+0x46/0x60 net/ipv6/af_inet6.c:460
 sock_release+0x83/0x190 net/socket.c:594
 sock_close+0xd/0x20 net/socket.c:1149
 __fput+0x232/0x780 fs/file_table.c:209
 ____fput+0x9/0x10 fs/file_table.c:243
 task_work_run+0x111/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x16a/0x1b0 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x407/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8800a503d400
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 88 bytes inside of
 256-byte region [ffff8800a503d400, ffff8800a503d500)
The buggy address belongs to the page:
page:ffffea0002940f40 count:1 mapcount:0 mapping:ffff8800a503d040 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8800a503d040 0000000000000000 000000010000000c
raw: ffffea0002940e60 ffffea0002941020 ffff8800aa8007c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800a503d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a503d380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8800a503d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8800a503d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a503d500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================