==================================================================
BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x3ba2/0x5490 kernel/locking/lockdep.c:3664
Read of size 8 at addr ffff8880963e3fc0 by task syz-executor.0/1082

CPU: 1 PID: 1082 Comm: syz-executor.0 Not tainted 5.2.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 __lock_acquire+0x3ba2/0x5490 kernel/locking/lockdep.c:3664
 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4302
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:338 [inline]
 rhashtable_walk_enter+0xf9/0x390 lib/rhashtable.c:669
 __tipc_dump_start+0x1fa/0x3c0 net/tipc/socket.c:3414
 tipc_dump_start+0x70/0x90 net/tipc/socket.c:3396
 __netlink_dump_start+0x4f8/0x7d0 net/netlink/af_netlink.c:2351
 netlink_dump_start include/linux/netlink.h:226 [inline]
 tipc_sock_diag_handler_dump+0x1d9/0x270 net/tipc/diag.c:91
 __sock_diag_cmd net/core/sock_diag.c:232 [inline]
 sock_diag_rcv_msg+0x319/0x410 net/core/sock_diag.c:263
 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2486
 sock_diag_rcv+0x2b/0x40 net/core/sock_diag.c:274
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1926
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:671
 ___sys_sendmsg+0x803/0x920 net/socket.c:2292
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2330
 __do_sys_sendmsg net/socket.c:2339 [inline]
 __se_sys_sendmsg net/socket.c:2337 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2337
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1019df3c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1019df46d4
R13: 00000000004c6c94 R14: 00000000004dba90 R15: 00000000ffffffff

Allocated by task 789:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:497
 slab_post_alloc_hook mm/slab.h:437 [inline]
 slab_alloc mm/slab.c:3326 [inline]
 kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3488
 __sigqueue_alloc+0x268/0x4d0 kernel/signal.c:423
 __send_signal+0xda0/0x1580 kernel/signal.c:1126
 send_signal+0x49/0xd0 kernel/signal.c:1209
 force_sig_info+0x251/0x310 kernel/signal.c:1300
 force_sig_fault+0xbb/0xf0 kernel/signal.c:1597
 __bad_area_nosemaphore+0x332/0x420 arch/x86/mm/fault.c:921
 __bad_area arch/x86/mm/fault.c:950 [inline]
 bad_area+0x69/0x80 arch/x86/mm/fault.c:956
 do_user_addr_fault arch/x86/mm/fault.c:1420 [inline]
 __do_page_fault+0x996/0xda0 arch/x86/mm/fault.c:1523
 do_page_fault+0x71/0x57d arch/x86/mm/fault.c:1554
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1156

Freed by task 789:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3698
 __sigqueue_free.part.0+0x74/0x90 kernel/signal.c:446
 __sigqueue_free kernel/signal.c:442 [inline]
 dequeue_synchronous_signal kernel/signal.c:733 [inline]
 get_signal+0xd49/0x2240 kernel/signal.c:2525
 do_signal+0x87/0x1900 arch/x86/kernel/signal.c:815
 exit_to_usermode_loop+0x244/0x2c0 arch/x86/entry/common.c:164
 prepare_exit_to_usermode+0x2e4/0x350 arch/x86/entry/common.c:199
 retint_user+0x8/0x18

The buggy address belongs to the object at ffff8880963e3f50
 which belongs to the cache sigqueue of size 80
The buggy address is located 32 bytes to the right of
 80-byte region [ffff8880963e3f50, ffff8880963e3fa0)
The buggy address belongs to the page:
page:ffffea000258f8c0 refcount:1 mapcount:0 mapping:ffff88821bc48800 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00029e0288 ffffea00029e0fc8 ffff88821bc48800
raw: 0000000000000000 ffff8880963e3000 0000000100000024 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880963e3e80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
 ffff8880963e3f00: fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb fb
>ffff8880963e3f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff8880963e4000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880963e4080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================