BUG: MAX_LOCKDEP_CHAINS too low!
turning off the locking correctness validator.
CPU: 1 PID: 9232 Comm: kworker/u4:5 Not tainted 4.14.231-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: krdsd rds_connect_worker
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 add_chain_cache kernel/locking/lockdep.c:2303 [inline]
 lookup_chain_cache_add kernel/locking/lockdep.c:2415 [inline]
 validate_chain kernel/locking/lockdep.c:2435 [inline]
 __lock_acquire.cold+0x19a/0x97c kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
 _raw_spin_lock_irq+0x5b/0x80 kernel/locking/spinlock.c:168
 spin_lock_irq include/linux/spinlock.h:342 [inline]
 clear_inode+0x2c/0x1b0 fs/inode.c:508
 evict+0x586/0x700 fs/inode.c:558
 iput_final fs/inode.c:1524 [inline]
 iput+0x458/0x7e0 fs/inode.c:1551
 __sock_release net/socket.c:615 [inline]
 sock_release+0x180/0x1e0 net/socket.c:623
 rds_tcp_conn_path_connect+0x387/0x4d0 net/rds/tcp_connect.c:151
 rds_connect_worker+0x143/0x1d0 net/rds/threads.c:165
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
audit: type=1800 audit(6618824670.983:28155): pid=21422 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.3" name="SYSV00000000" dev="hugetlbfs" ino=65538 res=0
audit: type=1326 audit(6618824671.012:28156): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=21388 comm="syz-executor.1" exe="/root/syz-executor.1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x466459 code=0x0
audit: type=1800 audit(6618824671.131:28157): pid=21436 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.3" name="SYSV00000000" dev="hugetlbfs" ino=262152 res=0
audit: type=1800 audit(6618824671.171:28158): pid=21440 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.1" name="SYSV00000000" dev="hugetlbfs" ino=65538 res=0
audit: type=1800 audit(6618824671.231:28159): pid=21447 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.1" name="SYSV00000000" dev="hugetlbfs" ino=163845 res=0
audit: type=1800 audit(6618824671.241:28160): pid=21443 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.3" name="SYSV00000000" dev="hugetlbfs" ino=360459 res=0
audit: type=1800 audit(6618824671.280:28161): pid=21450 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.3" name="SYSV00000000" dev="hugetlbfs" ino=458766 res=0
audit: type=1800 audit(6618824671.588:28162): pid=21464 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.1" name="SYSV00000000" dev="hugetlbfs" ino=262152 res=0
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
syz-executor.4 (21550): drop_caches: 2
syz-executor.4 (21578): drop_caches: 2
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
syz-executor.4 (21592): drop_caches: 2
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
syz-executor.4 (21612): drop_caches: 2
syz-executor.4 (21617): drop_caches: 2
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
IPVS: ftp: loaded support on port[0] = 21
md: invalid raid superblock magic on ram96
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
md: ram96 does not have a valid v0.0 superblock, not importing!
md: md_import_device returned -22
md: invalid raid superblock magic on ram96
md: ram96 does not have a valid v0.0 superblock, not importing!
md: md_import_device returned -22
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
IPVS: ftp: loaded support on port[0] = 21
audit: type=1400 audit(6618824675.258:28163): apparmor="DENIED" operation="setprocattr" info="current" error=-22 profile="unconfined" pid=21802 comm="syz-executor.3"
md: invalid raid superblock magic on ram96
md: ram96 does not have a valid v0.0 superblock, not importing!
md: md_import_device returned -22
md: invalid raid superblock magic on ram96
md: ram96 does not have a valid v0.0 superblock, not importing!
md: md_import_device returned -22
IPVS: ftp: loaded support on port[0] = 21
md: invalid raid superblock magic on ram96
md: ram96 does not have a valid v0.0 superblock, not importing!
md: md_import_device returned -22
IPVS: ftp: loaded support on port[0] = 21
team0: No ports can be present during mode change
team0: No ports can be present during mode change
team0: No ports can be present during mode change
team0: No ports can be present during mode change
team0: No ports can be present during mode change
block nbd3: shutting down sockets
device syzkaller1 entered promiscuous mode
device syzkaller1 entered promiscuous mode
device team0 left promiscuous mode
bridge0: port 1(team0) entered disabled state
device veth1_macvtap left promiscuous mode
device veth0_macvtap left promiscuous mode
device veth1_vlan left promiscuous mode
device veth0_vlan left promiscuous mode
bond2 (unregistering): Released all slaves
bond1 (unregistering): Released all slaves
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
bond0 (unregistering): Released all slaves
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
Read of size 8 at addr ffff888098c3dcd8 by task kworker/u4:5/9232

CPU: 0 PID: 9232 Comm: kworker/u4:5 Not tainted 4.14.231-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
 __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 rds_tcp_conn_free+0x84/0x1c0 net/rds/tcp.c:310
 rds_conn_path_destroy net/rds/connection.c:408 [inline]
 rds_conn_destroy+0x4b3/0x730 net/rds/connection.c:439
 rds_tcp_kill_sock net/rds/tcp.c:545 [inline]
 rds_tcp_dev_event+0x79a/0xa30 net/rds/tcp.c:573
 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
 call_netdevice_notifiers net/core/dev.c:1683 [inline]
 netdev_run_todo+0x242/0xad0 net/core/dev.c:7927
 default_device_exit_batch+0x2e2/0x380 net/core/dev.c:8747
 ops_exit_list+0xf9/0x150 net/core/net_namespace.c:145
 cleanup_net+0x3b3/0x840 net/core/net_namespace.c:484
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 9232:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
 rds_tcp_conn_alloc+0x4d/0x290 net/rds/tcp.c:279
 __rds_conn_create+0xc92/0x16f0 net/rds/connection.c:223
 rds_tcp_accept_one+0x2d9/0x8b0 net/rds/tcp_listen.c:171
 rds_tcp_accept_worker+0x4d/0x70 net/rds/tcp.c:407
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 9232:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 rds_conn_path_destroy net/rds/connection.c:408 [inline]
 rds_conn_destroy+0x4b3/0x730 net/rds/connection.c:439
 rds_tcp_kill_sock net/rds/tcp.c:545 [inline]
 rds_tcp_dev_event+0x79a/0xa30 net/rds/tcp.c:573
 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
 call_netdevice_notifiers net/core/dev.c:1683 [inline]
 netdev_run_todo+0x242/0xad0 net/core/dev.c:7927
 default_device_exit_batch+0x2e2/0x380 net/core/dev.c:8747
 ops_exit_list+0xf9/0x150 net/core/net_namespace.c:145
 cleanup_net+0x3b3/0x840 net/core/net_namespace.c:484
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff888098c3dcd8
 which belongs to the cache rds_tcp_connection of size 504
The buggy address is located 0 bytes inside of
 504-byte region [ffff888098c3dcd8, ffff888098c3ded0)
The buggy address belongs to the page:
page:ffffea0002630f40 count:1 mapcount:0 mapping:ffff888098c3d080 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff888098c3d080 0000000000000000 0000000100000006
raw: ffffea000155ea60 ffffea0002862fa0 ffff8882350166c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888098c3db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888098c3dc00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
>ffff888098c3dc80: fc fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb
                                                    ^
 ffff888098c3dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888098c3dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================