================================================================== BUG: KASAN: use-after-free in tcp_skb_pcount include/net/tcp.h:798 [inline] BUG: KASAN: use-after-free in tcp_init_tso_segs net/ipv4/tcp_output.c:1631 [inline] BUG: KASAN: use-after-free in tcp_write_xmit+0x3b22/0x4680 net/ipv4/tcp_output.c:2068 Read of size 2 at addr ffff8801d042b1b0 by task syz-executor5/4245 CPU: 1 PID: 4245 Comm: syz-executor5 Not tainted 4.4.164+ #123 0000000000000000 5a23ec7d05789ff0 ffff8800b270f870 ffffffff81aa5d4d ffffea0007410a80 ffff8801d042b1b0 0000000000000000 ffff8801d042b1b0 dffffc0000000000 ffff8800b270f8a8 ffffffff8148b2eb ffff8801d042b1b0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_address_description+0x6c/0x217 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report.cold.6+0x175/0x2f7 mm/kasan/report.c:408 [] __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:427 [] tcp_skb_pcount include/net/tcp.h:798 [inline] [] tcp_init_tso_segs net/ipv4/tcp_output.c:1631 [inline] [] tcp_write_xmit+0x3b22/0x4680 net/ipv4/tcp_output.c:2068 [] __tcp_push_pending_frames+0xa4/0x2a0 net/ipv4/tcp_output.c:2319 [] tcp_send_fin+0x176/0xab0 net/ipv4/tcp_output.c:2895 [] tcp_close+0xc97/0xf60 net/ipv4/tcp.c:2112 [] inet_release+0xff/0x1d0 net/ipv4/af_inet.c:435 [] __sock_release+0xd9/0x260 net/socket.c:592 [] sock_close+0x19/0x20 net/socket.c:1050 [] __fput+0x235/0x6f0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x21c/0x2d0 kernel/task_work.c:115 [] get_signal+0x1182/0x14a0 kernel/signal.c:2151 [] do_signal+0x95/0x1840 arch/x86/kernel/signal.c:712 [] exit_to_usermode_loop+0x11a/0x160 arch/x86/entry/common.c:250 [] prepare_exit_to_usermode arch/x86/entry/common.c:287 [inline] [] syscall_return_slowpath+0x254/0x2d0 arch/x86/entry/common.c:352 [] int_ret_from_sys_call+0x25/0xa3 Allocated by task 4213: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:616 [] kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:601 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554 [] slab_post_alloc_hook mm/slub.c:1349 [inline] [] slab_alloc_node mm/slub.c:2615 [inline] [] slab_alloc mm/slub.c:2623 [inline] [] kmem_cache_alloc+0xdc/0x2c0 mm/slub.c:2628 [] kmem_cache_alloc_node include/linux/slab.h:350 [inline] [] __alloc_skb+0xe6/0x5b0 net/core/skbuff.c:218 [] alloc_skb_fclone include/linux/skbuff.h:856 [inline] [] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:833 [] tcp_sendmsg+0xf81/0x2b30 net/ipv4/tcp.c:1178 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:638 [inline] [] sock_sendmsg+0xbb/0x110 net/socket.c:648 [] SYSC_sendto net/socket.c:1678 [inline] [] SyS_sendto+0x220/0x370 net/socket.c:1646 [] entry_SYSCALL_64_fastpath+0x1e/0x9a Freed by task 4245: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kmem_cache_free+0xbe/0x350 mm/slub.c:2881 [] kfree_skbmem+0xcf/0x100 net/core/skbuff.c:635 [] __kfree_skb+0x1d/0x20 net/core/skbuff.c:676 [] sk_wmem_free_skb include/net/sock.h:1447 [inline] [] tcp_write_queue_purge include/net/tcp.h:1460 [inline] [] tcp_connect_init net/ipv4/tcp_output.c:3134 [inline] [] tcp_connect+0xae9/0x3110 net/ipv4/tcp_output.c:3273 [] tcp_v4_connect+0xf31/0x1890 net/ipv4/tcp_ipv4.c:246 [] __inet_stream_connect+0x2a9/0xc30 net/ipv4/af_inet.c:615 [] tcp_sendmsg_fastopen net/ipv4/tcp.c:1092 [inline] [] tcp_sendmsg+0x1a07/0x2b30 net/ipv4/tcp.c:1112 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:638 [inline] [] sock_sendmsg+0xbb/0x110 net/socket.c:648 [] SYSC_sendto net/socket.c:1678 [inline] [] SyS_sendto+0x220/0x370 net/socket.c:1646 [] entry_SYSCALL_64_fastpath+0x1e/0x9a The buggy address belongs to the object at ffff8801d042b180 which belongs to the cache skbuff_fclone_cache of size 456 The buggy address is located 48 bytes inside of 456-byte region [ffff8801d042b180, ffff8801d042b348) The buggy address belongs to the page: BUG: unable to handle kernel paging request at fffff94000e82150 IP: [] memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:61 PGD 3304067 PUD 3303063 PMD 3302063 PTE 8000000003305161 Oops: 0003 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 0 PID: 584 Comm: udevd Not tainted 4.4.164+ #123 task: ffff8801d4d34740 task.stack: ffff8801d4dc8000 RIP: 0010:[] [] memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:61 RSP: 0018:ffff8801d4dcfb68 EFLAGS: 00010202 RAX: 1ffffd4000e82100 RBX: fffff94000e82166 RCX: 0000000000000016 RDX: 0000000000000016 RSI: 0000000000000000 RDI: fffff94000e82150 RBP: ffff8801d4dcfb80 R08: ffff8801d4d35008 R09: fffff94000e82150 R10: 0000000000000000 R11: ffffffff831a2c38 R12: 00000000000000b0 R13: ffffea0007410b2f R14: ffffea0007410a80 R15: ffffea0007410b2f FS: 00007fd512c5d7a0(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffff94000e82150 CR3: 00000001d4db2000 CR4: 00000000001606b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffffffff8147f475 ffffea0007410b30 ffff8801da548000 ffff8801d4dcfbc8 ffffffff8147f58a 00000000000000b0 024000c0d4dcfbd8 4000000000004080 ffff8801da548000 00000000024000c0 ffffffff810cf9e6 ffffea0007410a80 Call Trace: [] kasan_kmalloc+0x4a/0xc0 mm/kasan/kasan.c:611 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554 [] slab_post_alloc_hook mm/slub.c:1349 [inline] [] slab_alloc_node mm/slub.c:2615 [inline] [] slab_alloc mm/slub.c:2623 [inline] [] kmem_cache_alloc+0xdc/0x2c0 mm/slub.c:2628 [] dup_mmap kernel/fork.c:462 [inline] [] dup_mm kernel/fork.c:985 [inline] [] copy_mm kernel/fork.c:1039 [inline] [] copy_process+0x42c6/0x6890 kernel/fork.c:1521 [] _do_fork+0x146/0xdc0 kernel/fork.c:1797 [] SYSC_clone kernel/fork.c:1908 [inline] [] SyS_clone+0x37/0x50 kernel/fork.c:1902 [] entry_SYSCALL_64_fastpath+0x1e/0x9a Code: 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 aa 4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01 RIP [] memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:61 RSP CR2: fffff94000e82150 ---[ end trace 6f91577b7a043829 ]---