TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. ================================================================== BUG: KASAN: use-after-free in tls_fill_prepend include/net/tls.h:379 [inline] BUG: KASAN: use-after-free in tls_push_record+0x104c/0x1370 net/tls/tls_sw.c:220 Write of size 1 at addr ffff88809fa70c3c by task syz-executor.2/15146 CPU: 1 PID: 15146 Comm: syz-executor.2 Not tainted 4.19.195-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_store1_noabort+0x88/0x90 mm/kasan/report.c:435 tls_fill_prepend include/net/tls.h:379 [inline] tls_push_record+0x104c/0x1370 net/tls/tls_sw.c:220 tls_handle_open_record net/tls/tls_main.c:156 [inline] tls_sk_proto_close+0x8cf/0xc20 net/tls/tls_main.c:271 inet_release+0xd7/0x1e0 net/ipv4/af_inet.c:427 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:472 __sock_release+0xcd/0x2a0 net/socket.c:579 sock_close+0x15/0x20 net/socket.c:1140 __fput+0x2ce/0x890 fs/file_table.c:278 task_work_run+0x148/0x1c0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:193 [inline] exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline] syscall_return_slowpath arch/x86/entry/common.c:271 [inline] do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4193eb Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffedf238150 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004193eb RDX: 0000000000000000 RSI: 0000001b2ea27760 RDI: 0000000000000004 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000781 R10: 00000000f1dfc785 R11: 0000000000000293 R12: 000000000056cb00 R13: 000000000056cb00 R14: 000000000056bf80 R15: 000000000004e44d The buggy address belongs to the page: page:ffffea00027e9c00 count:0 mapcount:-128 mapping:0000000000000000 index:0x0 flags: 0xfff00000000000() raw: 00fff00000000000 ffffea0000ef3408 ffffea0000ef0408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809fa70b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88809fa70b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88809fa70c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88809fa70c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88809fa70d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.