================================================================== BUG: KASAN: slab-out-of-bounds in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline] BUG: KASAN: slab-out-of-bounds in refcount_read include/linux/refcount.h:43 [inline] BUG: KASAN: slab-out-of-bounds in check_net include/net/net_namespace.h:254 [inline] BUG: KASAN: slab-out-of-bounds in rds_destroy_pending net/rds/rds.h:951 [inline] BUG: KASAN: slab-out-of-bounds in rds_cong_queue_updates+0x209/0x4d0 net/rds/cong.c:229 Read of size 4 at addr ffff888084d34104 by task kworker/u4:1/21 CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.1.0-rc2 #36 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: krdsd rds_send_worker Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x123/0x190 mm/kasan/generic.c:191 kasan_check_read+0x11/0x20 mm/kasan/common.c:102 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline] refcount_read include/linux/refcount.h:43 [inline] check_net include/net/net_namespace.h:254 [inline] rds_destroy_pending net/rds/rds.h:951 [inline] rds_cong_queue_updates+0x209/0x4d0 net/rds/cong.c:229 rds_recv_rcvbuf_delta.part.0+0x34f/0x3f0 net/rds/recv.c:118 rds_recv_rcvbuf_delta net/rds/recv.c:379 [inline] rds_recv_incoming+0x789/0x11f0 net/rds/recv.c:379 rds_loop_xmit+0xf3/0x2a0 net/rds/loop.c:96 rds_send_xmit+0x1113/0x2560 net/rds/send.c:355 rds_send_worker+0x90/0x290 net/rds/threads.c:200 process_one_work+0x98e/0x1790 kernel/workqueue.c:2269 worker_thread+0x98/0xe40 kernel/workqueue.c:2415 kthread+0x357/0x430 kernel/kthread.c:253 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 Allocated by task 23768: save_stack+0x45/0xd0 mm/kasan/common.c:75 set_track mm/kasan/common.c:87 [inline] __kasan_kmalloc mm/kasan/common.c:497 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511 __do_kmalloc mm/slab.c:3726 [inline] __kmalloc+0x15c/0x740 mm/slab.c:3735 kmalloc include/linux/slab.h:550 [inline] sk_prot_alloc+0x19c/0x2e0 net/core/sock.c:1607 sk_alloc+0x39/0xf70 net/core/sock.c:1661 __netlink_create+0x6a/0x280 net/netlink/af_netlink.c:638 __netlink_kernel_create+0x13c/0x870 net/netlink/af_netlink.c:2051 netlink_kernel_create include/linux/netlink.h:60 [inline] audit_net_init+0x220/0x400 kernel/audit.c:1555 ops_init+0xb6/0x410 net/core/net_namespace.c:129 setup_net+0x2c5/0x730 net/core/net_namespace.c:314 copy_net_ns+0x1d9/0x340 net/core/net_namespace.c:437 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206 ksys_unshare+0x440/0x980 kernel/fork.c:2549 __do_sys_unshare kernel/fork.c:2617 [inline] __se_sys_unshare kernel/fork.c:2615 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:2615 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9: save_stack+0x45/0xd0 mm/kasan/common.c:75 set_track mm/kasan/common.c:87 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467 __cache_free mm/slab.c:3498 [inline] kfree+0xcf/0x230 mm/slab.c:3821 sk_prot_free net/core/sock.c:1644 [inline] __sk_destruct+0x4f1/0x6d0 net/core/sock.c:1726 sk_destruct+0x7b/0x90 net/core/sock.c:1734 __sk_free+0xce/0x300 net/core/sock.c:1745 sk_free+0x42/0x50 net/core/sock.c:1756 deferred_put_nlk_sk+0x112/0x290 net/netlink/af_netlink.c:738 __rcu_reclaim kernel/rcu/rcu.h:227 [inline] rcu_do_batch kernel/rcu/tree.c:2475 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2788 [inline] rcu_core+0x928/0x1390 kernel/rcu/tree.c:2769 __do_softirq+0x266/0x95a kernel/softirq.c:293 The buggy address belongs to the object at ffff888084d344c0 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 956 bytes to the left of 2048-byte region [ffff888084d344c0, ffff888084d34cc0) The buggy address belongs to the page: page:ffffea0002134d00 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0 compound_mapcount: 0 flags: 0x1fffc0000010200(slab|head) raw: 01fffc0000010200 ffffea00027e6a08 ffffea00022e1088 ffff88812c3f0c40 raw: 0000000000000000 ffff888084d344c0 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888084d34000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888084d34080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888084d34100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888084d34180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888084d34200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================