================================================================== BUG: KASAN: stack-out-of-bounds in csd_lock_record+0xcb/0xe0 kernel/smp.c:118 Read of size 8 at addr ffffc90017e87570 by task syz-executor.0/11940 CPU: 1 PID: 11940 Comm: syz-executor.0 Not tainted 5.8.0-rc3-next-20200703-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0x5/0x436 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 csd_lock_record+0xcb/0xe0 kernel/smp.c:118 flush_smp_call_function_queue+0x285/0x730 kernel/smp.c:391 __sysvec_call_function_single+0x98/0x490 arch/x86/kernel/smp.c:248 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] sysvec_call_function_single+0xe0/0x120 arch/x86/kernel/smp.c:243 asm_sysvec_call_function_single+0x12/0x20 arch/x86/include/asm/idtentry.h:604 RIP: 0010:unwind_next_frame+0xd28/0x1f90 arch/x86/kernel/unwind_orc.c:580 Code: c1 ea 03 48 c1 ee 03 0f b6 14 02 0f b6 04 06 4c 89 ce 83 e6 07 40 38 f2 40 0f 9e c6 84 d2 0f 95 c2 40 84 d6 0f 85 bd 0b 00 00 <83> e1 07 38 c8 0f 9e c2 84 c0 0f 95 c0 84 c2 0f 85 a8 0b 00 00 41 RSP: 0018:ffffc90017e67270 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 1ffff92002fcce56 RCX: ffffffff8b79327f RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffc90017e673a0 RBP: 0000000000000001 R08: ffffffff8b79327a R09: ffffffff8b79327e R10: 000000000007201e R11: 0000000000000001 R12: ffffc90017e67b50 R13: ffffc90017e6737d R14: ffffc90017e67398 R15: ffffc90017e67348 arch_stack_walk+0x81/0xf0 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:123 save_stack+0x1b/0x40 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:494 slab_post_alloc_hook mm/slab.h:535 [inline] slab_alloc_node mm/slab.c:3258 [inline] kmem_cache_alloc_node_trace+0x153/0x590 mm/slab.c:3596 __do_kmalloc_node mm/slab.c:3618 [inline] __kmalloc_node_track_caller+0x38/0x60 mm/slab.c:3633 __kmalloc_reserve net/core/skbuff.c:142 [inline] __alloc_skb+0xae/0x550 net/core/skbuff.c:210 alloc_skb include/linux/skbuff.h:1084 [inline] nlmsg_new include/net/netlink.h:940 [inline] netlink_ack+0x331/0xa10 net/netlink/af_netlink.c:2407 netlink_rcv_skb+0x344/0x430 net/netlink/af_netlink.c:2475 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2352 ___sys_sendmsg+0xf3/0x170 net/socket.c:2406 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:367 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45cb29 Code: Bad RIP value. RSP: 002b:00007fdd8b98cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000005027a0 RCX: 000000000045cb29 RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000007 RBP: 000000000078c0e0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000a44 R14: 00000000004cd2b2 R15: 00007fdd8b98d6d4 Memory state around the buggy address: ffffc90017e87400: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 ffffc90017e87480: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 >ffffc90017e87500: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 ^ ffffc90017e87580: 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 ffffc90017e87600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================