device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
==================================================================
BUG: KASAN: use-after-free in tcp_skb_pcount include/net/tcp.h:798 [inline]
BUG: KASAN: use-after-free in tcp_init_tso_segs net/ipv4/tcp_output.c:1631 [inline]
BUG: KASAN: use-after-free in tcp_write_xmit+0x3b22/0x4680 net/ipv4/tcp_output.c:2068
Read of size 2 at addr ffff8801d0040030 by task syz-executor5/4542

CPU: 0 PID: 4542 Comm: syz-executor5 Not tainted 4.4.165+ #1
 0000000000000000 d26236d9ec0f4dcd ffff8801d0b9f870 ffffffff81aa5d4d
 ffffea0007401000 ffff8801d0040030 0000000000000000 ffff8801d0040030
 dffffc0000000000 ffff8801d0b9f8a8 ffffffff8148b2eb ffff8801d0040030
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x6c/0x217 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report.cold.6+0x175/0x2f7 mm/kasan/report.c:408
 [] __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:427
 [] tcp_skb_pcount include/net/tcp.h:798 [inline]
 [] tcp_init_tso_segs net/ipv4/tcp_output.c:1631 [inline]
 [] tcp_write_xmit+0x3b22/0x4680 net/ipv4/tcp_output.c:2068
 [] __tcp_push_pending_frames+0xa4/0x2a0 net/ipv4/tcp_output.c:2319
 [] tcp_push+0x3e2/0x5a0 net/ipv4/tcp.c:692
 [] tcp_sendmsg+0x16b4/0x2b30 net/ipv4/tcp.c:1293
 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xbb/0x110 net/socket.c:648
 [] SYSC_sendto net/socket.c:1678 [inline]
 [] SyS_sendto+0x220/0x370 net/socket.c:1646
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

Allocated by task 4542:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack mm/kasan/kasan.c:512 [inline]
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:616
 [] kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:601
 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
 [] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [] slab_alloc_node mm/slub.c:2615 [inline]
 [] slab_alloc mm/slub.c:2623 [inline]
 [] kmem_cache_alloc+0xdc/0x2c0 mm/slub.c:2628
 [] kmem_cache_alloc_node include/linux/slab.h:350 [inline]
 [] __alloc_skb+0xe6/0x5b0 net/core/skbuff.c:218
 [] alloc_skb_fclone include/linux/skbuff.h:856 [inline]
 [] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:833
 [] tcp_sendmsg+0xf81/0x2b30 net/ipv4/tcp.c:1178
 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xbb/0x110 net/socket.c:648
 [] SYSC_sendto net/socket.c:1678 [inline]
 [] SyS_sendto+0x220/0x370 net/socket.c:1646
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

Freed by task 4553:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack mm/kasan/kasan.c:512 [inline]
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:589
 [] slab_free_hook mm/slub.c:1383 [inline]
 [] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [] slab_free mm/slub.c:2859 [inline]
 [] kmem_cache_free+0xbe/0x350 mm/slub.c:2881
 [] kfree_skbmem+0xcf/0x100 net/core/skbuff.c:635
 [] __kfree_skb+0x1d/0x20 net/core/skbuff.c:676
 [] sk_wmem_free_skb include/net/sock.h:1447 [inline]
 [] tcp_write_queue_purge include/net/tcp.h:1460 [inline]
 [] tcp_connect_init net/ipv4/tcp_output.c:3134 [inline]
 [] tcp_connect+0xae9/0x3110 net/ipv4/tcp_output.c:3273
 [] tcp_v4_connect+0xf31/0x1890 net/ipv4/tcp_ipv4.c:246
 [] __inet_stream_connect+0x2a9/0xc30 net/ipv4/af_inet.c:615
 [] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:676
 [] SYSC_connect net/socket.c:1570 [inline]
 [] SyS_connect+0x1b8/0x310 net/socket.c:1551
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

The buggy address belongs to the object at ffff8801d0040000
 which belongs to the cache skbuff_fclone_cache of size 456
The buggy address is located 48 bytes inside of
 456-byte region [ffff8801d0040000, ffff8801d00401c8)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.165+ #1
task: ffff8801da6897c0 task.stack: ffff8801da698000
RIP: 0010:[]  [] __rb_change_child include/linux/rbtree_augmented.h:125 [inline]
RIP: 0010:[]  [] __rb_rotate_set_parents lib/rbtree.c:93 [inline]
RIP: 0010:[]  [] __rb_insert lib/rbtree.c:181 [inline]
RIP: 0010:[]  [] rb_insert_color+0x1ba/0xb60 lib/rbtree.c:420
RSP: 0018:ffff8801db707cd8  EFLAGS: 00010006
RAX: ffff8801db7198c0 RBX: 4000000000004090 RCX: 0800000000000812
RDX: dffffc0000000000 RSI: ffff8801db719390 RDI: ffffea0007401010
RBP: ffff8801db707d18 R08: ffff8801da68a088 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff831a2d38 R12: ffffea0007401000
R13: 4000000000004080 R14: 4000000000004080 R15: ffff8801db7198c8
FS:  0000000000000000(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000254ed08 CR3: 00000000b8997000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff81b03deb ffff8801db719390 ffff8801db7198c0 ffff8801db7198c0
 dffffc0000000000 0000000000000000 ffff8801db719390 ffff8801d0040008
 ffff8801db707d68 ffffffff81ac33a7 ffff8801db7198d8 ffff8801db719390
Call Trace:
 [] timerqueue_add+0x157/0x2b0 lib/timerqueue.c:57
 [] enqueue_hrtimer+0x15f/0x440 kernel/time/hrtimer.c:893
 [] __run_hrtimer kernel/time/hrtimer.c:1276 [inline]
 [] __hrtimer_run_queues+0x694/0xfc0 kernel/time/hrtimer.c:1325
 [] hrtimer_interrupt+0x1b1/0x430 kernel/time/hrtimer.c:1359
 [] local_apic_timer_interrupt+0x74/0xa0 arch/x86/kernel/apic/apic.c:901
 [] smp_apic_timer_interrupt+0x7c/0xb0 arch/x86/kernel/apic/apic.c:925
 [] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:741
 [] arch_safe_halt arch/x86/include/asm/paravirt.h:117 [inline]
 [] default_idle+0x55/0x3c0 arch/x86/kernel/process.c:432
 [] arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:423
 [] default_idle_call+0x57/0x70 kernel/sched/idle.c:93
 [] cpuidle_idle_call kernel/sched/idle.c:157 [inline]
 [] cpu_idle_loop kernel/sched/idle.c:253 [inline]
 [] cpu_startup_entry+0x31a/0x7a0 kernel/sched/idle.c:301
 [] start_secondary+0x329/0x400 arch/x86/kernel/smpboot.c:245
Code: 0f 85 94 05 00 00 4d 85 ed 4c 89 33 49 89 04 24 0f 84 49 02 00 00 49 8d 5d 10 48 ba 00 00 00 00 00 fc ff df 48 89 d9 48 c1 e9 03 <80> 3c 11 00 0f 85 25 06 00 00 4d 3b 65 10 0f 84 27 04 00 00 49
RIP  [] __rb_change_child include/linux/rbtree_augmented.h:125 [inline]
RIP  [] __rb_rotate_set_parents lib/rbtree.c:93 [inline]
RIP  [] __rb_insert lib/rbtree.c:181 [inline]
RIP  [] rb_insert_color+0x1ba/0xb60 lib/rbtree.c:420
 RSP
---[ end trace e6b83ab60eca2620 ]---