==================================================================
BUG: KASAN: use-after-free in tcp_skb_pcount include/net/tcp.h:798 [inline]
BUG: KASAN: use-after-free in tcp_init_tso_segs net/ipv4/tcp_output.c:1631 [inline]
BUG: KASAN: use-after-free in tcp_write_xmit+0x3b22/0x4680 net/ipv4/tcp_output.c:2068
Read of size 2 at addr ffff8801d12aa030 by task syz-executor4/7450

CPU: 0 PID: 7450 Comm: syz-executor4 Not tainted 4.4.163+ #11
 0000000000000000 e0a2f8eebaf5d63e ffff8801c1397670 ffffffff81aa556d
 ffffea000744aa80 ffff8801d12aa030 0000000000000000 ffff8801d12aa030
 dffffc0000000000 ffff8801c13976a8 ffffffff8148a8db ffff8801d12aa030
Call Trace:
 [<ffffffff81aa556d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aa556d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff8148a8db>] print_address_description+0x6c/0x217 mm/kasan/report.c:252
 [<ffffffff8148abfb>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8148abfb>] kasan_report.cold.6+0x175/0x2f7 mm/kasan/report.c:408
 [<ffffffff8147f8e4>] __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:427
 [<ffffffff82430342>] tcp_skb_pcount include/net/tcp.h:798 [inline]
 [<ffffffff82430342>] tcp_init_tso_segs net/ipv4/tcp_output.c:1631 [inline]
 [<ffffffff82430342>] tcp_write_xmit+0x3b22/0x4680 net/ipv4/tcp_output.c:2068
 [<ffffffff82431734>] __tcp_push_pending_frames+0xa4/0x2a0 net/ipv4/tcp_output.c:2319
 [<ffffffff824386d6>] tcp_send_fin+0x176/0xab0 net/ipv4/tcp_output.c:2895
 [<ffffffff823f8357>] tcp_close+0xc97/0xf60 net/ipv4/tcp.c:2112
 [<ffffffff824a073f>] inet_release+0xff/0x1d0 net/ipv4/af_inet.c:435
 [<ffffffff821cadd9>] __sock_release+0xd9/0x260 net/socket.c:592
 [<ffffffff821caf79>] sock_close+0x19/0x20 net/socket.c:1050
 [<ffffffff81496e35>] __fput+0x235/0x6f0 fs/file_table.c:208
 [<ffffffff81497375>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff8112f23f>] task_work_run+0x10f/0x190 kernel/task_work.c:115
 [<ffffffff810d936c>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff810d936c>] do_exit+0x9cc/0x29a0 kernel/exit.c:755
 [<ffffffff810df5a1>] do_group_exit+0x111/0x300 kernel/exit.c:885
 [<ffffffff81100e1c>] get_signal+0x4ec/0x14a0 kernel/signal.c:2321
 [<ffffffff8100bf65>] do_signal+0x95/0x1840 arch/x86/kernel/signal.c:712
 [<ffffffff81003eba>] exit_to_usermode_loop+0x11a/0x160 arch/x86/entry/common.c:250
 [<ffffffff81006712>] prepare_exit_to_usermode arch/x86/entry/common.c:287 [inline]
 [<ffffffff81006712>] syscall_return_slowpath arch/x86/entry/common.c:352 [inline]
 [<ffffffff81006712>] do_syscall_32_irqs_on arch/x86/entry/common.c:402 [inline]
 [<ffffffff81006712>] do_fast_syscall_32+0x792/0xa80 arch/x86/entry/common.c:463
 [<ffffffff82713b50>] sysenter_flags_fixed+0xd/0x1a

Allocated by task 7450:
 [<ffffffff8102e4d6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff8147e962>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff8147e962>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff8147e962>] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:616
 [<ffffffff8147ebdf>] kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:601
 [<ffffffff8147f1a2>] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
 [<ffffffff8147a89c>] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [<ffffffff8147a89c>] slab_alloc_node mm/slub.c:2615 [inline]
 [<ffffffff8147a89c>] slab_alloc mm/slub.c:2623 [inline]
 [<ffffffff8147a89c>] kmem_cache_alloc+0xdc/0x2c0 mm/slub.c:2628
 [<ffffffff821eef56>] kmem_cache_alloc_node include/linux/slab.h:350 [inline]
 [<ffffffff821eef56>] __alloc_skb+0xe6/0x5b0 net/core/skbuff.c:218
 [<ffffffff823f2983>] alloc_skb_fclone include/linux/skbuff.h:856 [inline]
 [<ffffffff823f2983>] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:833
 [<ffffffff823f5611>] tcp_sendmsg+0xf81/0x2b30 net/ipv4/tcp.c:1178
 [<ffffffff824a27c3>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 [<ffffffff821cf9eb>] sock_sendmsg_nosec net/socket.c:638 [inline]
 [<ffffffff821cf9eb>] sock_sendmsg+0xbb/0x110 net/socket.c:648
 [<ffffffff821d3c10>] SYSC_sendto net/socket.c:1678 [inline]
 [<ffffffff821d3c10>] SyS_sendto+0x220/0x370 net/socket.c:1646
 [<ffffffff8100629e>] do_syscall_32_irqs_on arch/x86/entry/common.c:396 [inline]
 [<ffffffff8100629e>] do_fast_syscall_32+0x31e/0xa80 arch/x86/entry/common.c:463
 [<ffffffff82713b50>] sysenter_flags_fixed+0xd/0x1a

Freed by task 7450:
 [<ffffffff8102e4d6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff8147f25c>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff8147f25c>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff8147f25c>] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:589
 [<ffffffff8147bf5e>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff8147bf5e>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff8147bf5e>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff8147bf5e>] kmem_cache_free+0xbe/0x350 mm/slub.c:2881
 [<ffffffff821e741f>] kfree_skbmem+0xcf/0x100 net/core/skbuff.c:635
 [<ffffffff821f47bd>] __kfree_skb+0x1d/0x20 net/core/skbuff.c:676
 [<ffffffff824324f9>] sk_wmem_free_skb include/net/sock.h:1447 [inline]
 [<ffffffff824324f9>] tcp_write_queue_purge include/net/tcp.h:1460 [inline]
 [<ffffffff824324f9>] tcp_connect_init net/ipv4/tcp_output.c:3134 [inline]
 [<ffffffff824324f9>] tcp_connect+0xae9/0x3110 net/ipv4/tcp_output.c:3273
 [<ffffffff82440401>] tcp_v4_connect+0xf31/0x1890 net/ipv4/tcp_ipv4.c:246
 [<ffffffff824a16d9>] __inet_stream_connect+0x2a9/0xc30 net/ipv4/af_inet.c:615
 [<ffffffff823f6097>] tcp_sendmsg_fastopen net/ipv4/tcp.c:1092 [inline]
 [<ffffffff823f6097>] tcp_sendmsg+0x1a07/0x2b30 net/ipv4/tcp.c:1112
 [<ffffffff824a27c3>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 [<ffffffff821cf9eb>] sock_sendmsg_nosec net/socket.c:638 [inline]
 [<ffffffff821cf9eb>] sock_sendmsg+0xbb/0x110 net/socket.c:648
 [<ffffffff821d3c10>] SYSC_sendto net/socket.c:1678 [inline]
 [<ffffffff821d3c10>] SyS_sendto+0x220/0x370 net/socket.c:1646
 [<ffffffff8100629e>] do_syscall_32_irqs_on arch/x86/entry/common.c:396 [inline]
 [<ffffffff8100629e>] do_fast_syscall_32+0x31e/0xa80 arch/x86/entry/common.c:463
 [<ffffffff82713b50>] sysenter_flags_fixed+0xd/0x1a

The buggy address belongs to the object at ffff8801d12aa000
 which belongs to the cache skbuff_fclone_cache of size 456
The buggy address is located 48 bytes inside of
 456-byte region [ffff8801d12aa000, ffff8801d12aa1c8)
The buggy address belongs to the page:
audit: type=1400 audit(1542006448.349:306): avc:  denied  { sigchld } for  pid=2135 comm="syz-executor3" scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=1
kasan: CONFIG_KASAN_INLINE enabled
BUG: unable to handle kernel paging request at fffffffb9762be00
IP: [<ffffffff811f0d75>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
PGD 2e0d067 PUD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 2135 Comm: syz-executor3 Not tainted 4.4.163+ #11
task: ffff8800b6cbc740 task.stack: ffff8801c4ab0000
RIP: 0010:[<ffffffff811f0d75>]  [<ffffffff811f0d75>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
RSP: 0018:ffff8801db707968  EFLAGS: 00010046
RAX: 1ffffffff05d2a0b RBX: 00000000000181a8 RCX: ffffffff831a2900
RDX: fffffbff72ec57c0 RSI: fffffffb9762be00 RDI: ffffffff82e95058
RBP: ffff8801db7079a8 R08: 0000000000000000 R09: 0000000000000000
R10: ffffed0043fffa09 R11: 0000002c6d26931d R12: ffffffff82e94f80
R13: dffffc0000000000 R14: 000000000f1d4c2c R15: ffffffff828912a0
FS:  0000000000000000(0000) GS:ffff8801db700000(0063) knlGS:0000000009912900
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: fffffffb9762be00 CR3: 00000001cf34b000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff811f0c80 0000000000000004 ffff8800b6cbd080 ffff8801cbc8c7a0
 ffff8801cbc8c740 000000000f1d4c2c ffff8801cbc8c7f0 0000000000000000
 ffff8801db7079f0 ffffffff8117c469 0000000000000008 0000000000000001
Call Trace:
 [<ffffffff8117c469>] update_curr+0x2c9/0x6d0 kernel/sched/fair.c:882
 [<ffffffff8119c0ba>] enqueue_entity kernel/sched/fair.c:3512 [inline]
 [<ffffffff8119c0ba>] enqueue_task_fair+0x12a/0xab90 kernel/sched/fair.c:4711
 [<ffffffff81163b4d>] enqueue_task kernel/sched/core.c:858 [inline]
 [<ffffffff81163b4d>] activate_task+0x1dd/0x280 kernel/sched/core.c:874
 [<ffffffff81164d2f>] ttwu_activate kernel/sched/core.c:1736 [inline]
 [<ffffffff81164d2f>] ttwu_do_activate.constprop.29+0xbf/0x1e0 kernel/sched/core.c:1789
 [<ffffffff811681cd>] ttwu_queue kernel/sched/core.c:1934 [inline]
 [<ffffffff811681cd>] try_to_wake_up+0x6dd/0x1120 kernel/sched/core.c:2068
 [<ffffffff81168d95>] default_wake_function+0x35/0x50 kernel/sched/core.c:3494
 [<ffffffff811e7481>] autoremove_wake_function+0x11/0x40 kernel/sched/wait.c:293
 [<ffffffff811e52d6>] __wake_up_common+0xb6/0x150 kernel/sched/wait.c:73
 [<ffffffff811e53a4>] __wake_up+0x34/0x50 kernel/sched/wait.c:95
 [<ffffffff8121f0c0>] wake_up_klogd_work_func+0x80/0x90 kernel/printk/printk.c:2736
 [<ffffffff8136b457>] irq_work_run_list+0xd7/0x140 kernel/irq_work.c:156
 [<ffffffff8136bad6>] irq_work_tick+0x116/0x170 kernel/irq_work.c:182
 [<ffffffff8125b1a9>] update_process_times+0x69/0x70 kernel/time/timer.c:1430
 [<ffffffff8128914a>] tick_sched_handle.isra.6+0x4a/0xf0 kernel/time/tick-sched.c:151
 [<ffffffff81289266>] tick_sched_timer+0x76/0x130 kernel/time/tick-sched.c:1097
 [<ffffffff8125d1f0>] __run_hrtimer kernel/time/hrtimer.c:1261 [inline]
 [<ffffffff8125d1f0>] __hrtimer_run_queues+0x390/0xfc0 kernel/time/hrtimer.c:1325
 [<ffffffff8125fe71>] hrtimer_interrupt+0x1b1/0x430 kernel/time/hrtimer.c:1359
 [<ffffffff8108b594>] local_apic_timer_interrupt+0x74/0xa0 arch/x86/kernel/apic/apic.c:901
 [<ffffffff82714a3c>] smp_apic_timer_interrupt+0x7c/0xb0 arch/x86/kernel/apic/apic.c:925
 [<ffffffff82713d9d>] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:741
 <EOI> [  188.910874]  [<ffffffff8121d694>] ? console_cont_flush kernel/printk/printk.c:2217 [inline]
 <EOI> [  188.910874]  [<ffffffff8121d694>] ? console_unlock+0x8c4/0xa10 kernel/printk/printk.c:2265
 [<ffffffff8121dbd5>] vprintk_emit+0x3f5/0x830 kernel/printk/printk.c:1832
 [<ffffffff8121e038>] vprintk+0x28/0x30 kernel/printk/printk.c:1843
 [<ffffffff8121e05d>] vprintk_default+0x1d/0x30 kernel/printk/printk.c:1844
 [<ffffffff813acbb9>] printk+0xaf/0xd7 kernel/printk/printk.c:1922
 [<ffffffff810c76ad>] kasan_die_handler.cold.3+0x11/0x22 arch/x86/mm/kasan_init_64.c:58
 [<ffffffff81137c49>] notifier_call_chain+0xb9/0x1e0 kernel/notifier.c:93
 [<ffffffff81137e77>] __atomic_notifier_call_chain+0x87/0x150 kernel/notifier.c:183
 [<ffffffff811391b2>] atomic_notifier_call_chain kernel/notifier.c:193 [inline]
 [<ffffffff811391b2>] notify_die+0xe2/0x160 kernel/notifier.c:549
 [<ffffffff8100f0ca>] do_general_protection+0x20a/0x2b0 arch/x86/kernel/traps.c:461
 [<ffffffff827135d5>] general_protection+0x25/0x30 arch/x86/entry/entry_64.S:1036
 [<ffffffff810decc6>] do_wait_thread kernel/exit.c:1439 [inline]
 [<ffffffff810decc6>] do_wait+0x366/0xa30 kernel/exit.c:1510
 [<ffffffff810dfc0b>] SYSC_wait4 kernel/exit.c:1641 [inline]
 [<ffffffff810dfc0b>] SyS_wait4+0x12b/0x1f0 kernel/exit.c:1606
 [<ffffffff812b1c0a>] C_SYSC_wait4 kernel/compat.c:543 [inline]
 [<ffffffff812b1c0a>] compat_SyS_wait4+0x25a/0x2a0 kernel/compat.c:536
 [<ffffffff810bf165>] sys32_waitpid+0x25/0x30 arch/x86/ia32/sys_ia32.c:172
 [<ffffffff8100629e>] do_syscall_32_irqs_on arch/x86/entry/common.c:396 [inline]
 [<ffffffff8100629e>] do_fast_syscall_32+0x31e/0xa80 arch/x86/entry/common.c:463
 [<ffffffff82713b50>] sysenter_flags_fixed+0xd/0x1a
Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 c4 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 8f 01 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 be 01 00 
RIP  [<ffffffff811f0d75>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
 RSP <ffff8801db707968>
CR2: fffffffb9762be00
---[ end trace 713af5787b324bcf ]---