TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
==================================================================
BUG: KASAN: slab-out-of-bounds in tls_push_record+0xffe/0x1210 /net/tls/tls_sw.c:255
Read of size 8 at addr ffff888095616af8 by task syz-executor551/7220

CPU: 1 PID: 7220 Comm: syz-executor551 Not tainted 4.14.134 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
Call Trace:
 __dump_stack /lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c /lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc /mm/kasan/report.c:252
 kasan_report_error /mm/kasan/report.c:351 [inline]
 kasan_report /mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af /mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 /mm/kasan/report.c:430
 tls_push_record+0xffe/0x1210 /net/tls/tls_sw.c:255
 tls_sw_push_pending_record+0x23/0x30 /net/tls/tls_sw.c:299
 tls_handle_open_record /net/tls/tls_main.c:158 [inline]
 tls_sk_proto_close+0x5d1/0x750 /net/tls/tls_main.c:270
 inet_release+0xec/0x1c0 /net/ipv4/af_inet.c:425
 inet6_release+0x53/0x80 /net/ipv6/af_inet6.c:450
 __sock_release+0xce/0x2b0 /net/socket.c:602
 sock_close+0x1b/0x30 /net/socket.c:1139
 __fput+0x275/0x7a0 /fs/file_table.c:210
 ____fput+0x16/0x20 /fs/file_table.c:244
 task_work_run+0x114/0x190 /kernel/task_work.c:113
 tracehook_notify_resume /./include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x1da/0x220 /arch/x86/entry/common.c:164
 prepare_exit_to_usermode /arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath /arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4bc/0x640 /arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x406791
RSP: 002b:00007fff6cc04440 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000406791
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003
RBP: 00000000006dcc30 R08: 00007fcb1f110700 R09: 0000000000000000
R10: 00007fff6cc04450 R11: 0000000000000293 R12: 00007fff6cc04460
R13: 0000000000000064 R14: 000000000000000a R15: 00000000006dcc3c

Allocated by task 7047:
 save_stack_trace+0x16/0x20 /arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 /mm/kasan/kasan.c:447
 set_track /mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc /mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 /mm/kasan/kasan.c:529
 __do_kmalloc_node /mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x51/0x80 /mm/slab.c:3696
 __kmalloc_reserve.isra.0+0x40/0xe0 /net/core/skbuff.c:137
 __alloc_skb+0xcf/0x500 /net/core/skbuff.c:205
 alloc_skb_fclone /./include/linux/skbuff.h:1022 [inline]
 sk_stream_alloc_skb+0xb3/0x780 /net/ipv4/tcp.c:855
 tcp_sendmsg_locked+0xf56/0x3400 /net/ipv4/tcp.c:1284
 tcp_sendmsg+0x30/0x50 /net/ipv4/tcp.c:1446
 inet_sendmsg+0x122/0x500 /net/ipv4/af_inet.c:762
 sock_sendmsg_nosec /net/socket.c:646 [inline]
 sock_sendmsg+0xce/0x110 /net/socket.c:656
 SYSC_sendto+0x206/0x310 /net/socket.c:1763
 SyS_sendto+0x40/0x50 /net/socket.c:1731
 do_syscall_64+0x1e8/0x640 /arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7047:
 save_stack_trace+0x16/0x20 /arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 /mm/kasan/kasan.c:447
 set_track /mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 /mm/kasan/kasan.c:524
 __cache_free /mm/slab.c:3496 [inline]
 kfree+0xcc/0x270 /mm/slab.c:3815
 skb_free_head+0x8b/0xb0 /net/core/skbuff.c:554
 skb_release_data+0x4af/0x700 /net/core/skbuff.c:574
 skb_release_all+0x4d/0x60 /net/core/skbuff.c:631
 __kfree_skb+0x16/0x30 /net/core/skbuff.c:645
 sk_wmem_free_skb /./include/net/sock.h:1416 [inline]
 tcp_sendmsg_locked+0x1ce5/0x3400 /net/ipv4/tcp.c:1422
 tcp_sendmsg+0x30/0x50 /net/ipv4/tcp.c:1446
 inet_sendmsg+0x122/0x500 /net/ipv4/af_inet.c:762
 sock_sendmsg_nosec /net/socket.c:646 [inline]
 sock_sendmsg+0xce/0x110 /net/socket.c:656
 SYSC_sendto+0x206/0x310 /net/socket.c:1763
 SyS_sendto+0x40/0x50 /net/socket.c:1731
 do_syscall_64+0x1e8/0x640 /arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff888095616280
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 120 bytes to the right of
 2048-byte region [ffff888095616280, ffff888095616a80)
The buggy address belongs to the page:
page:ffffea0002558580 count:1 mapcount:0 mapping:ffff888095616280 index:0xffff888095616280 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffff888095616280 ffff888095616280 0000000100000002
raw: ffffea0002853020 ffffea0002933720 ffff8880aa800c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888095616980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888095616a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888095616a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff888095616b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888095616b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.