==================================================================
BUG: KASAN: use-after-free in tcp_ack_probe net/ipv4/tcp_input.c:3293 [inline]
BUG: KASAN: use-after-free in tcp_ack+0x3beb/0x42c0 net/ipv4/tcp_input.c:3715
Read of size 4 at addr ffff8881d65c6a2c by task syz-executor.0/7046

CPU: 1 PID: 7046 Comm: syz-executor.0 Not tainted 4.14.145+ #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xca/0x134 lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 tcp_ack_probe net/ipv4/tcp_input.c:3293 [inline]
 tcp_ack+0x3beb/0x42c0 net/ipv4/tcp_input.c:3715
 tcp_rcv_established+0x4a9/0x1610 net/ipv4/tcp_input.c:5556
 tcp_v6_do_rcv+0xcbd/0x10d0 net/ipv6/tcp_ipv6.c:1301
 tcp_v6_rcv+0x20db/0x2ec0 net/ipv6/tcp_ipv6.c:1519
 ip6_input_finish+0x3d6/0x1500 net/ipv6/ip6_input.c:284
 NF_HOOK include/linux/netfilter.h:250 [inline]
 ip6_input+0x1fd/0x320 net/ipv6/ip6_input.c:327
 dst_input include/net/dst.h:468 [inline]
 ip6_rcv_finish+0x148/0x640 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:250 [inline]
 ipv6_rcv+0xcf6/0x1bb0 net/ipv6/ip6_input.c:208
 __netif_receive_skb_core+0x13ad/0x2cf0 net/core/dev.c:4477
 __netif_receive_skb+0x66/0x210 net/core/dev.c:4515
 process_backlog+0x1dc/0x640 net/core/dev.c:5197
 napi_poll net/core/dev.c:5598 [inline]
 net_rx_action+0x366/0xcd0 net/core/dev.c:5664
 __do_softirq+0x234/0x9ec kernel/softirq.c:288
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1015
 do_softirq.part.0+0x5b/0x60 kernel/softirq.c:332
 do_softirq kernel/softirq.c:324 [inline]
 __local_bh_enable_ip+0xb0/0xc0 kernel/softirq.c:185
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:725 [inline]
 ip6_finish_output2+0x106e/0x1fa0 net/ipv6/ip6_output.c:121
 ip6_finish_output+0x64b/0xb40 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip6_output+0x1dc/0x680 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:462 [inline]
 NF_HOOK include/linux/netfilter.h:250 [inline]
 ip6_xmit+0x10a1/0x1ca0 net/ipv6/ip6_output.c:275
 inet6_csk_xmit+0x298/0x500 net/ipv6/inet6_connection_sock.c:139
 __tcp_transmit_skb+0x18bc/0x2e20 net/ipv4/tcp_output.c:1130
 tcp_transmit_skb net/ipv4/tcp_output.c:1146 [inline]
 tcp_write_xmit+0x510/0x4730 net/ipv4/tcp_output.c:2382
 tcp_sendmsg_locked+0x1522/0x2f50 net/ipv4/tcp.c:1406
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1457
 inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 SYSC_sendto net/socket.c:1763 [inline]
 SyS_sendto+0x1de/0x2f0 net/socket.c:1731
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459a09
RSP: 002b:00007f5d56defc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000459a09
RDX: 00000000fffffdda RSI: 00000000200000c0 RDI: 0000000000000008
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5d56df06d4
R13: 00000000004c79b8 R14: 00000000004dd418 R15: 00000000ffffffff

Allocated by task 7044:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:495
 slab_post_alloc_hook mm/slab.h:439 [inline]
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2800 [inline]
 kmem_cache_alloc+0xee/0x360 mm/slub.c:2805
 kmem_cache_alloc_node include/linux/slab.h:361 [inline]
 __alloc_skb+0xea/0x5c0 net/core/skbuff.c:193
 alloc_skb_fclone include/linux/skbuff.h:1022 [inline]
 sk_stream_alloc_skb+0xf4/0x8a0 net/ipv4/tcp.c:855
 tcp_sendmsg_locked+0xf11/0x2f50 net/ipv4/tcp.c:1301
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1457
 inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 SYSC_sendto net/socket.c:1763 [inline]
 SyS_sendto+0x1de/0x2f0 net/socket.c:1731
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

Freed by task 7044:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:457
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055
 kfree_skbmem+0x84/0x110 net/core/skbuff.c:607
 sk_wmem_free_skb include/net/sock.h:1416 [inline]
 tcp_remove_empty_skb net/ipv4/tcp.c:929 [inline]
 tcp_remove_empty_skb+0x264/0x320 net/ipv4/tcp.c:923
 tcp_sendmsg_locked+0x1c09/0x2f50 net/ipv4/tcp.c:1435
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1457
 inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 SYSC_sendto net/socket.c:1763 [inline]
 SyS_sendto+0x1de/0x2f0 net/socket.c:1731
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

The buggy address belongs to the object at ffff8881d65c6a00
 which belongs to the cache skbuff_fclone_cache of size 456
The buggy address is located 44 bytes inside of
 456-byte region [ffff8881d65c6a00, ffff8881d65c6bc8)
The buggy address belongs to the page:
page:ffffea0007597180 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
raw: ffffea0007581000 0000000200000002 ffff8881dab70400 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d65c6900: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff8881d65c6980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881d65c6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8881d65c6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d65c6b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================