TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. ================================================================== BUG: KASAN: slab-out-of-bounds in __swab64p include/uapi/linux/swab.h:192 [inline] BUG: KASAN: slab-out-of-bounds in __be64_to_cpup include/uapi/linux/byteorder/little_endian.h:74 [inline] BUG: KASAN: slab-out-of-bounds in is_tx_ready include/net/tls.h:354 [inline] BUG: KASAN: slab-out-of-bounds in tls_write_space+0x29d/0x2d0 net/tls/tls_main.c:236 Read of size 8 at addr ffff8801b769aff0 by task syz-executor5/10755 CPU: 1 PID: 10755 Comm: syz-executor5 Not tainted 4.19.0-rc4+ #230 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 __swab64p include/uapi/linux/swab.h:192 [inline] __be64_to_cpup include/uapi/linux/byteorder/little_endian.h:74 [inline] is_tx_ready include/net/tls.h:354 [inline] tls_write_space+0x29d/0x2d0 net/tls/tls_main.c:236 tcp_new_space net/ipv4/tcp_input.c:5154 [inline] tcp_check_space+0x53f/0x920 net/ipv4/tcp_input.c:5165 tcp_data_snd_check net/ipv4/tcp_input.c:5175 [inline] tcp_rcv_established+0xde8/0x2120 net/ipv4/tcp_input.c:5656 tcp_v6_do_rcv+0x4b3/0x13c0 net/ipv6/tcp_ipv6.c:1326 sk_backlog_rcv include/net/sock.h:932 [inline] __release_sock+0x12f/0x3a0 net/core/sock.c:2336 release_sock+0xad/0x2c0 net/core/sock.c:2849 sk_stream_wait_memory+0x752/0x1290 net/core/stream.c:149 tls_sw_sendmsg+0x6bb/0x17a0 net/tls/tls_sw.c:846 inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:631 __sys_sendto+0x3d7/0x670 net/socket.c:1788 __do_sys_sendto net/socket.c:1800 [inline] __se_sys_sendto net/socket.c:1796 [inline] __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1796 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457579 Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f4f62d54c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000457579 RDX: 000000000039a191 RSI: 00000000200005c0 RDI: 0000000000000003 RBP: 000000000072bf00 R08: 0000000020000000 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4f62d556d4 R13: 00000000004c389d R14: 00000000004d56a8 R15: 00000000ffffffff Allocated by task 9712: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 __do_kmalloc mm/slab.c:3718 [inline] __kmalloc+0x14e/0x760 mm/slab.c:3727 kmalloc include/linux/slab.h:518 [inline] load_elf_phdrs+0x176/0x260 fs/binfmt_elf.c:441 load_elf_binary+0x9c3/0x5620 fs/binfmt_elf.c:838 search_binary_handler+0x17d/0x570 fs/exec.c:1653 exec_binprm fs/exec.c:1695 [inline] __do_execve_file.isra.33+0x162f/0x2540 fs/exec.c:1819 do_execveat_common fs/exec.c:1866 [inline] do_execve fs/exec.c:1883 [inline] __do_sys_execve fs/exec.c:1964 [inline] __se_sys_execve fs/exec.c:1959 [inline] __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9712: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kfree+0xcf/0x230 mm/slab.c:3813 load_elf_binary+0x25a8/0x5620 fs/binfmt_elf.c:1117 search_binary_handler+0x17d/0x570 fs/exec.c:1653 exec_binprm fs/exec.c:1695 [inline] __do_execve_file.isra.33+0x162f/0x2540 fs/exec.c:1819 do_execveat_common fs/exec.c:1866 [inline] do_execve fs/exec.c:1883 [inline] __do_sys_execve fs/exec.c:1964 [inline] __se_sys_execve fs/exec.c:1959 [inline] __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8801b769ac80 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 368 bytes to the right of 512-byte region [ffff8801b769ac80, ffff8801b769ae80) The buggy address belongs to the page: page:ffffea0006dda680 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffffea0006ee9f88 ffffea0007340ac8 ffff8801da800940 raw: 0000000000000000 ffff8801b769a000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801b769ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801b769af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801b769af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801b769b000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801b769b080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ==================================================================