================================================================== BUG: KASAN: use-after-free in tcp_skb_pcount include/net/tcp.h:798 [inline] BUG: KASAN: use-after-free in tcp_init_tso_segs net/ipv4/tcp_output.c:1631 [inline] BUG: KASAN: use-after-free in tcp_write_xmit+0x3b22/0x4680 net/ipv4/tcp_output.c:2068 Read of size 2 at addr ffff8801d738a2b0 by task syz-executor5/4668 CPU: 0 PID: 4668 Comm: syz-executor5 Not tainted 4.4.169+ #7 0000000000000000 87c69b8a8d1f0cef ffff8801c19cf828 ffffffff81aa635d ffffea00075ce280 ffff8801d738a2b0 0000000000000000 ffff8801d738a2b0 dffffc0000000000 ffff8801c19cf860 ffffffff8148b15b ffff8801d738a2b0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_address_description+0x6c/0x217 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report.cold.6+0x175/0x2f7 mm/kasan/report.c:408 [] __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:427 [] tcp_skb_pcount include/net/tcp.h:798 [inline] [] tcp_init_tso_segs net/ipv4/tcp_output.c:1631 [inline] [] tcp_write_xmit+0x3b22/0x4680 net/ipv4/tcp_output.c:2068 [] __tcp_push_pending_frames+0xa4/0x2a0 net/ipv4/tcp_output.c:2323 [] tcp_send_fin+0x176/0xab0 net/ipv4/tcp_output.c:2899 [] tcp_close+0xc97/0xf60 net/ipv4/tcp.c:2112 [] inet_release+0xff/0x1d0 net/ipv4/af_inet.c:435 [] __sock_release+0xd9/0x260 net/socket.c:592 [] sock_close+0x19/0x20 net/socket.c:1050 [] __fput+0x235/0x6f0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x21c/0x2d0 kernel/task_work.c:115 [] get_signal+0x1182/0x14a0 kernel/signal.c:2151 [] do_signal+0x95/0x1840 arch/x86/kernel/signal.c:712 [] exit_to_usermode_loop+0x11a/0x160 arch/x86/entry/common.c:184 [] prepare_exit_to_usermode arch/x86/entry/common.c:221 [inline] [] syscall_return_slowpath arch/x86/entry/common.c:286 [inline] [] do_syscall_32_irqs_on arch/x86/entry/common.c:336 [inline] [] do_fast_syscall_32+0x795/0xa80 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a Allocated by task 4653: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:616 [] kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:601 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554 [] slab_post_alloc_hook mm/slub.c:1349 [inline] [] slab_alloc_node mm/slub.c:2615 [inline] [] slab_alloc mm/slub.c:2623 [inline] [] kmem_cache_alloc+0xdc/0x2c0 mm/slub.c:2628 [] kmem_cache_alloc_node include/linux/slab.h:350 [inline] [] __alloc_skb+0xe6/0x5b0 net/core/skbuff.c:218 [] alloc_skb_fclone include/linux/skbuff.h:856 [inline] [] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:833 [] tcp_sendmsg+0xf81/0x2b30 net/ipv4/tcp.c:1178 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:638 [inline] [] sock_sendmsg+0xbb/0x110 net/socket.c:648 [] SYSC_sendto net/socket.c:1678 [inline] [] SyS_sendto+0x220/0x370 net/socket.c:1646 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x321/0xa80 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a Freed by task 4668: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kmem_cache_free+0xbe/0x350 mm/slub.c:2881 [] kfree_skbmem+0xcf/0x100 net/core/skbuff.c:635 [] __kfree_skb+0x1d/0x20 net/core/skbuff.c:676 [] sk_wmem_free_skb include/net/sock.h:1447 [inline] [] tcp_write_queue_purge include/net/tcp.h:1460 [inline] [] tcp_connect_init net/ipv4/tcp_output.c:3138 [inline] [] tcp_connect+0xae9/0x3110 net/ipv4/tcp_output.c:3277 [] tcp_v4_connect+0xf31/0x1890 net/ipv4/tcp_ipv4.c:246 [] __inet_stream_connect+0x2a9/0xc30 net/ipv4/af_inet.c:615 [] tcp_sendmsg_fastopen net/ipv4/tcp.c:1092 [inline] [] tcp_sendmsg+0x1a07/0x2b30 net/ipv4/tcp.c:1112 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:638 [inline] [] sock_sendmsg+0xbb/0x110 net/socket.c:648 [] SYSC_sendto net/socket.c:1678 [inline] [] SyS_sendto+0x220/0x370 net/socket.c:1646 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x321/0xa80 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a The buggy address belongs to the object at ffff8801d738a280 which belongs to the cache skbuff_fclone_cache of size 456 The buggy address is located 48 bytes inside of 456-byte region [ffff8801d738a280, ffff8801d738a448) The buggy address belongs to the page: BUG: unable to handle kernel paging request at ffffff4085894804 IP: [] task_has_perm+0x10d/0x330 security/selinux/hooks.c:1522 PGD 0 Oops: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 1 PID: 2132 Comm: syz-executor0 Not tainted 4.4.169+ #7 task: ffff8800b7ef17c0 task.stack: ffff8800a84c0000 RIP: 0010:[] [] task_has_perm+0x10d/0x330 security/selinux/hooks.c:1522 RSP: 0018:ffff8800a84c79a8 EFLAGS: 00010246 RAX: 0000000000000007 RBX: 0000000000000004 RCX: ffffed0016fde410 RDX: 0000000000000000 RSI: ffffffff8195a992 RDI: ffff8800b7ef1ed0 RBP: ffff8800a84c79c8 R08: ffff8800b7ef2088 R09: 1ffff10016fde415 R10: ffffffff82835d40 R11: ffffffff831a49f8 R12: ffffff4085894800 R13: ffff8800b7ef17c0 R14: ffff8800a84c7c8c R15: ffff8800a84c7c88 FS: 0000000000000000(0000) GS:ffff8801db700000(0063) knlGS:0000000009d44900 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: ffffff4085894804 CR3: 00000000a8fee000 CR4: 00000000001606b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffffffff8195a8e0 ffff8801c18a4740 dffffc0000000000 ffff8801c18a4740 ffff8800a84c79e0 ffffffff8195ac33 ffffffff82f92ce0 ffff8800a84c7a10 ffffffff819489f3 ffff8800b7ef2088 0000000040000005 0000000000000000 Call Trace: [] selinux_task_wait+0x23/0x30 security/selinux/hooks.c:3763 [] security_task_wait+0x73/0xb0 security/security.c:986 [] wait_consider_task+0x298/0x35e0 kernel/exit.c:1326 [] do_wait_thread kernel/exit.c:1439 [inline] [] do_wait+0x366/0xa30 kernel/exit.c:1510 [] SYSC_wait4 kernel/exit.c:1641 [inline] [] SyS_wait4+0x12b/0x1f0 kernel/exit.c:1606 [] C_SYSC_wait4 kernel/compat.c:543 [inline] [] compat_SyS_wait4+0x25a/0x2a0 kernel/compat.c:536 [] sys32_waitpid+0x25/0x30 arch/x86/ia32/sys_ia32.c:172 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x321/0xa80 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a Code: 8d 7c 24 04 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 f0 01 00 00 49 8d bd 10 07 00 00 <45> 8b 64 24 04 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea RIP [] __read_once_size include/linux/compiler.h:218 [inline] RIP [] task_has_perm+0x10d/0x330 security/selinux/hooks.c:1523 RSP CR2: ffffff4085894804 ---[ end trace 399c04567093b2e6 ]---