IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready ================================================================== BUG: KASAN: use-after-free in tcp_skb_pcount include/net/tcp.h:796 [inline] BUG: KASAN: use-after-free in tcp_init_tso_segs net/ipv4/tcp_output.c:1619 [inline] BUG: KASAN: use-after-free in tcp_write_xmit+0x3fc2/0x4cb0 net/ipv4/tcp_output.c:2056 Read of size 2 at addr ffff8800bab66a30 by task syz-executor0/4104 CPU: 0 PID: 4104 Comm: syz-executor0 Not tainted 4.4.135-ge75204c #53 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 05ea7f6aa19870db ffff8801d826f700 ffffffff81e0ed0d ffffea0002ead980 ffff8800bab66a30 0000000000000000 ffff8800bab66a30 dffffc0000000000 ffff8801d826f738 ffffffff81515946 ffff8800bab66a30 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_address_description+0x6c/0x216 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408 [] __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:427 [] tcp_skb_pcount include/net/tcp.h:796 [inline] [] tcp_init_tso_segs net/ipv4/tcp_output.c:1619 [inline] [] tcp_write_xmit+0x3fc2/0x4cb0 net/ipv4/tcp_output.c:2056 [] __tcp_push_pending_frames+0xa0/0x290 net/ipv4/tcp_output.c:2307 [] tcp_push+0x3e2/0x5a0 net/ipv4/tcp.c:692 [] tcp_sendmsg+0x1ac1/0x2b00 net/ipv4/tcp.c:1293 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xcc/0x110 net/socket.c:635 [] sock_write_iter+0x223/0x3b0 net/socket.c:834 [] new_sync_write fs/read_write.c:478 [inline] [] __vfs_write+0x30d/0x3f0 fs/read_write.c:491 [] vfs_write+0x191/0x4e0 fs/read_write.c:538 [] SYSC_write fs/read_write.c:585 [inline] [] SyS_write+0xd9/0x1c0 fs/read_write.c:577 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x326/0x8b0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 Allocated by task 4104: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554 [] slab_post_alloc_hook mm/slub.c:1349 [inline] [] slab_alloc_node mm/slub.c:2615 [inline] [] slab_alloc mm/slub.c:2623 [inline] [] kmem_cache_alloc+0xbe/0x2a0 mm/slub.c:2628 [] kmem_cache_alloc_node include/linux/slab.h:350 [inline] [] __alloc_skb+0xe6/0x600 net/core/skbuff.c:218 [] alloc_skb_fclone include/linux/skbuff.h:856 [inline] [] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:833 [] tcp_sendmsg+0xd34/0x2b00 net/ipv4/tcp.c:1178 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xcc/0x110 net/socket.c:635 [] sock_write_iter+0x223/0x3b0 net/socket.c:834 [] new_sync_write fs/read_write.c:478 [inline] [] __vfs_write+0x30d/0x3f0 fs/read_write.c:491 [] vfs_write+0x191/0x4e0 fs/read_write.c:538 [] SYSC_write fs/read_write.c:585 [inline] [] SyS_write+0xd9/0x1c0 fs/read_write.c:577 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x326/0x8b0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 Freed by task 4106: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kmem_cache_free+0xbe/0x340 mm/slub.c:2881 [] kfree_skbmem+0xcf/0x100 net/core/skbuff.c:635 [] __kfree_skb+0x1d/0x20 net/core/skbuff.c:676 [] sk_wmem_free_skb include/net/sock.h:1447 [inline] [] tcp_write_queue_purge include/net/tcp.h:1460 [inline] [] tcp_connect_init net/ipv4/tcp_output.c:3122 [inline] [] tcp_connect+0xb24/0x30c0 net/ipv4/tcp_output.c:3261 [] tcp_v4_connect+0xf31/0x1890 net/ipv4/tcp_ipv4.c:246 [] __inet_stream_connect+0x2a9/0xc30 net/ipv4/af_inet.c:615 [] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:676 [] SYSC_connect+0x1b8/0x300 net/socket.c:1557 [] SyS_connect+0x24/0x30 net/socket.c:1538 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x326/0x8b0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 The buggy address belongs to the object at ffff8800bab66a00 which belongs to the cache skbuff_fclone_cache of size 456 The buggy address is located 48 bytes inside of 456-byte region [ffff8800bab66a00, ffff8800bab66bc8) The buggy address belongs to the page: kernel tried to execute NX-protected page - exploit attempt? (uid: 0) BUG: unable to handle kernel paging request at ffff8801d4b65220 IP: [] 0xffff8801d4b65220 PGD 632d067 PUD 80000001c00001e3 Oops: 0011 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.135-ge75204c #53 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801d9a41800 task.stack: ffff8801d9a50000 RIP: 0010:[] [] 0xffff8801d4b65220 RSP: 0018:ffff8801db307f08 EFLAGS: 00010046 RAX: ffff8801d4b65220 RBX: ffff8801d9a57cf8 RCX: 1ffffffff0942999 RDX: 1ffff1003a96ca3c RSI: ffff8801d9a57cf8 RDI: ffff8801d4b65180 RBP: ffff8801db307f70 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: ffff8801d9a41800 R12: ffff8801d4b65180 R13: ffff8801d9a57d90 R14: ffff8801d9a50000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8801d4b65220 CR3: 00000000b6141000 CR4: 00000000001606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffffffff81015b06 ffff8801db307f40 ffff8801db307f58 ffffffff81e6e89b 0000000000000001 ffffffff83a08cc0 00000000000000a1 0000000000000001 ffff8801d9a57cf8 00000000000000a1 ffff8801d4b65180 00000000000000a1 Call Trace: [] do_IRQ+0x89/0x1c0 arch/x86/kernel/irq.c:239 [] common_interrupt+0xa0/0xa0 arch/x86/entry/entry_64.S:596 [] arch_safe_halt arch/x86/include/asm/paravirt.h:117 [inline] [] default_idle+0x55/0x3c0 arch/x86/kernel/process.c:290 [] arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:281 [] default_idle_call+0x57/0x70 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:157 [inline] [] cpu_idle_loop kernel/sched/idle.c:253 [inline] [] cpu_startup_entry+0x6af/0x780 kernel/sched/idle.c:301 [] start_secondary+0x324/0x400 arch/x86/kernel/smpboot.c:242 Code: 00 00 00 80 d9 ea 02 00 ea ff ff 00 00 00 00 00 00 00 00 e0 9e aa 83 ff ff ff ff 00 6a b6 ba 00 88 ff ff c8 6b b6 ba 00 88 ff ff <60> 52 b6 d4 01 88 ff ff 07 cf 48 81 ff ff ff ff ff ff ff ff ff RIP [] 0xffff8801d4b65220 RSP CR2: ffff8801d4b65220 ---[ end trace 1335b8947e1f1a34 ]---