==================================================================
BUG: KASAN: slab-out-of-bounds in __swab64p include/uapi/linux/swab.h:192 [inline]
BUG: KASAN: slab-out-of-bounds in __be64_to_cpup include/uapi/linux/byteorder/little_endian.h:74 [inline]
BUG: KASAN: slab-out-of-bounds in is_tx_ready include/net/tls.h:354 [inline]
BUG: KASAN: slab-out-of-bounds in tls_write_space+0x29d/0x2d0 net/tls/tls_main.c:236
Read of size 8 at addr ffff8801bbe64270 by task syz-executor5/9434

CPU: 1 PID: 9434 Comm: syz-executor5 Not tainted 4.19.0-rc4+ #228
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __swab64p include/uapi/linux/swab.h:192 [inline]
 __be64_to_cpup include/uapi/linux/byteorder/little_endian.h:74 [inline]
 is_tx_ready include/net/tls.h:354 [inline]
 tls_write_space+0x29d/0x2d0 net/tls/tls_main.c:236
 tcp_new_space net/ipv4/tcp_input.c:5154 [inline]
 tcp_check_space+0x53f/0x920 net/ipv4/tcp_input.c:5165
 tcp_data_snd_check net/ipv4/tcp_input.c:5175 [inline]
 tcp_rcv_established+0xde8/0x2120 net/ipv4/tcp_input.c:5656
 tcp_v6_do_rcv+0x4b3/0x13c0 net/ipv6/tcp_ipv6.c:1326
 sk_backlog_rcv include/net/sock.h:932 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2336
 release_sock+0xad/0x2c0 net/core/sock.c:2849
 tls_sw_sendmsg+0xed9/0x17a0 net/tls/tls_sw.c:887
 inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 __sys_sendto+0x3d7/0x670 net/socket.c:1788
 __do_sys_sendto net/socket.c:1800 [inline]
 __se_sys_sendto net/socket.c:1796 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1796
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457679
Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4324c7ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f4324c7b6d4 RCX: 0000000000457679
RDX: 000000000039a191 RSI: 00000000200005c0 RDI: 0000000000000003
RBP: 000000000072bfa0 R08: 0000000020000000 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d5610 R14: 00000000004c3963 R15: 0000000000000001

Allocated by task 9236:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x730 mm/slab.c:3554
 kmem_cache_zalloc include/linux/slab.h:697 [inline]
 __alloc_file+0xa8/0x470 fs/file_table.c:100
 alloc_empty_file+0x72/0x170 fs/file_table.c:150
 path_openat+0x170/0x5160 fs/namei.c:3523
 do_filp_open+0x255/0x380 fs/namei.c:3564
 do_open_execat+0x221/0x8e0 fs/exec.c:853
 __do_execve_file.isra.33+0x173f/0x2540 fs/exec.c:1755
 do_execveat_common fs/exec.c:1866 [inline]
 do_execve fs/exec.c:1883 [inline]
 __do_sys_execve fs/exec.c:1964 [inline]
 __se_sys_execve fs/exec.c:1959 [inline]
 __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9246:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3756
 file_free_rcu+0x91/0xd0 fs/file_table.c:49
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2880 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2847 [inline]
 rcu_process_callbacks+0xf23/0x2670 kernel/rcu/tree.c:2864
 __do_softirq+0x30b/0xad8 kernel/softirq.c:292

The buggy address belongs to the object at ffff8801bbe64040
 which belongs to the cache filp of size 456
The buggy address is located 104 bytes to the right of
 456-byte region [ffff8801bbe64040, ffff8801bbe64208)
The buggy address belongs to the page:
page:ffffea0006ef9900 count:1 mapcount:0 mapping:ffff8801da972900 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0006f2fd88 ffffea00070e7b08 ffff8801da972900
raw: 0000000000000000 ffff8801bbe64040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801bbe64100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801bbe64180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801bbe64200: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                             ^
 ffff8801bbe64280: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801bbe64300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================