usb usb6: selecting invalid altsetting 3 usb usb6: selecting invalid altsetting 3 TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. audit: type=1804 audit(1620552503.306:351): pid=10405 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir078644117/syzkaller.VDIkRh/450/bus" dev="sda1" ino=15009 res=1 ================================================================== BUG: KASAN: slab-out-of-bounds in sg_mark_end include/linux/scatterlist.h:190 [inline] BUG: KASAN: slab-out-of-bounds in tls_push_record+0x10cc/0x1270 net/tls/tls_sw.c:255 Read of size 8 at addr ffff888035732638 by task syz-executor.2/10402 CPU: 1 PID: 10402 Comm: syz-executor.2 Not tainted 4.14.232-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351 kasan_report mm/kasan/report.c:409 [inline] __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430 sg_mark_end include/linux/scatterlist.h:190 [inline] tls_push_record+0x10cc/0x1270 net/tls/tls_sw.c:255 tls_handle_open_record net/tls/tls_main.c:158 [inline] tls_sk_proto_close+0x6f0/0x8b0 net/tls/tls_main.c:270 inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:450 __sock_release+0xcd/0x2b0 net/socket.c:602 sock_close+0x15/0x20 net/socket.c:1139 __fput+0x25f/0x7a0 fs/file_table.c:210 task_work_run+0x11f/0x190 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:191 [inline] exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] syscall_return_slowpath arch/x86/entry/common.c:270 [inline] do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x41940b RSP: 002b:00007ffd7d544810 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 000000000041940b RDX: 0000000000000000 RSI: 0000001b30d26828 RDI: 0000000000000003 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000f9e R10: 0000000019d74fa2 R11: 0000000000000293 R12: 000000000056c9e0 R13: 000000000056c9e0 R14: 000000000056bf60 R15: 00000000000c6512 Allocated by task 10406: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551 kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618 kmalloc include/linux/slab.h:488 [inline] kzalloc include/linux/slab.h:661 [inline] tls_set_sw_offload+0x88/0xcd0 net/tls/tls_sw.c:683 do_tls_setsockopt_tx net/tls/tls_main.c:443 [inline] do_tls_setsockopt net/tls/tls_main.c:468 [inline] tls_setsockopt+0x216/0x3f0 net/tls/tls_main.c:486 SYSC_setsockopt net/socket.c:1865 [inline] SyS_setsockopt+0x110/0x1e0 net/socket.c:1844 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff888035732640 which belongs to the cache kmalloc-2048 of size 2048 The buggy address is located 8 bytes to the left of 2048-byte region [ffff888035732640, ffff888035732e40) The buggy address belongs to the page: page:ffffea0000d5cc80 count:1 mapcount:0 mapping:ffff888035732640 index:0x0 compound_mapcount: 0 flags: 0xfff00000008100(slab|head) raw: 00fff00000008100 ffff888035732640 0000000000000000 0000000100000003 raw: ffffea0001039aa0 ffffea0002866c20 ffff88813fe80c40 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888035732500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888035732580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888035732600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ^ ffff888035732680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888035732700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================