IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
hrtimer: interrupt took 31369 ns

=========================================================
[ INFO: possible irq lock inversion dependency detected ]
4.6.0-rc2+ #1 Not tainted
---------------------------------------------------------
syz-executor3/7291 just changed the state of lock:
 (&sctp_ep_hashtable[i].lock){++.+..}, at: [] sctp_for_each_endpoint+0x9f/0x190 net/sctp/socket.c:4355
but this lock was taken by another, SOFTIRQ-safe lock in the past:
 (slock-AF_INET){+.-...}

other info that might help us debug this:
 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sctp_ep_hashtable[i].lock);
                               local_irq_disable();
                               lock(slock-AF_INET);
                               lock(&sctp_ep_hashtable[i].lock);
    lock(slock-AF_INET);

 *** DEADLOCK ***

4 locks held by syz-executor3/7291:
 #0:  (sock_diag_mutex){+.+.+.}, at: [] sock_diag_rcv+0x16/0x40 net/core/sock_diag.c:280
 #1:  (sock_diag_table_mutex){+.+.+.}, at: [] __sock_diag_cmd net/core/sock_diag.c:234 [inline]
 #1:  (sock_diag_table_mutex){+.+.+.}, at: [] sock_diag_rcv_msg+0x11c/0x350 net/core/sock_diag.c:270
 #2:  (nlk->cb_mutex){+.+.+.}, at: [] netlink_dump+0x4b/0xa40 net/netlink/af_netlink.c:2066
 #3:  (inet_diag_table_mutex){+.+...}, at: [] inet_diag_lock_handler+0x4b/0xd0 net/ipv4/inet_diag.c:57

the shortest dependencies between 2nd lock and 1st lock:
 -> (slock-AF_INET){+.-...} ops: 10285 {
    HARDIRQ-ON-W at:
      [] mark_irqflags kernel/locking/lockdep.c:2904 [inline]
      [] __lock_acquire+0x1324/0x4f90 kernel/locking/lockdep.c:3253
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
      [] _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175
      [] spin_lock_bh include/linux/spinlock.h:307 [inline]
      [] lock_sock_nested+0x3e/0x100 net/core/sock.c:2474
      [] lock_sock include/net/sock.h:1362 [inline]
      [] do_tcp_setsockopt.isra.32+0x129/0x1730 net/ipv4/tcp.c:2364
      [] tcp_setsockopt+0x7e/0xd0 net/ipv4/tcp.c:2621
      [] sock_common_setsockopt+0x73/0xf0 net/core/sock.c:2677
      [] rds_tcp_nonagle+0x130/0x1b0 net/rds/tcp.c:91
      [] rds_tcp_listen_init+0x108/0x380 net/rds/tcp_listen.c:183
      [] rds_tcp_init_net+0x1ec/0x4d0 net/rds/tcp.c:369
      [] ops_init+0x95/0x360 net/core/net_namespace.c:109
      [] __register_pernet_operations net/core/net_namespace.c:781 [inline]
      [] register_pernet_operations+0x21d/0x480 net/core/net_namespace.c:846
      [] register_pernet_subsys+0x25/0x40 net/core/net_namespace.c:888
      [] rds_tcp_init+0x47/0xc0 net/rds/tcp.c:540
      [] do_one_initcall+0x10e/0x330 init/main.c:770
      [] do_initcall_level init/main.c:835 [inline]
      [] do_initcalls init/main.c:843 [inline]
      [] do_basic_setup init/main.c:861 [inline]
      [] kernel_init_freeable+0x43b/0x4d2 init/main.c:1008
      [] kernel_init+0xe/0x120 init/main.c:934
      [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392
    IN-SOFTIRQ-W at:
      [] mark_irqflags kernel/locking/lockdep.c:2890 [inline]
      [] __lock_acquire+0x12f0/0x4f90 kernel/locking/lockdep.c:3253
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
      [] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
      [] spin_lock include/linux/spinlock.h:302 [inline]
      [] udp_queue_rcv_skb+0x49f/0x1650 net/ipv4/udp.c:1645
      [] __udp4_lib_rcv+0x579/0x2f10 net/ipv4/udp.c:1815
      [] udp_rcv+0x15/0x20 net/ipv4/udp.c:2007
      [] ip_local_deliver_finish+0x2b2/0x9b0 net/ipv4/ip_input.c:216
      [] NF_HOOK_THRESH include/linux/netfilter.h:219 [inline]
      [] NF_HOOK include/linux/netfilter.h:242 [inline]
      [] ip_local_deliver+0x197/0x330 net/ipv4/ip_input.c:257
      [] dst_input include/net/dst.h:510 [inline]
      [] ip_rcv_finish+0x5ba/0x17e0 net/ipv4/ip_input.c:388
      [] NF_HOOK_THRESH include/linux/netfilter.h:219 [inline]
      [] NF_HOOK include/linux/netfilter.h:242 [inline]
      [] ip_rcv+0x867/0x1470 net/ipv4/ip_input.c:478
      [] __netif_receive_skb_core+0x1740/0x2d90 net/core/dev.c:4201
      [] __netif_receive_skb+0x1f/0x150 net/core/dev.c:4239
      [] netif_receive_skb_internal+0xc7/0x300 net/core/dev.c:4267
      [] napi_skb_finish net/core/dev.c:4595 [inline]
      [] napi_gro_receive+0x293/0x4a0 net/core/dev.c:4627
      [] receive_buf drivers/net/virtio_net.c:529 [inline]
      [] virtnet_receive+0xa97/0x1da0 drivers/net/virtio_net.c:744
      [] virtnet_poll+0x1d/0x120 drivers/net/virtio_net.c:762
      [] napi_poll net/core/dev.c:5131 [inline]
      [] net_rx_action+0x721/0xe70 net/core/dev.c:5196
      [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273
      [] invoke_softirq kernel/softirq.c:350 [inline]
      [] irq_exit+0x157/0x190 kernel/softirq.c:391
      [] exiting_irq arch/x86/include/asm/apic.h:658 [inline]
      [] do_IRQ+0x92/0x1c0 arch/x86/kernel/irq.c:252
      [] ret_from_intr+0x0/0x20
      [] arch_safe_halt arch/x86/include/asm/paravirt.h:118 [inline]
      [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
      [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
      [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
      [] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
      [] cpu_idle_loop kernel/sched/idle.c:242 [inline]
      [] cpu_startup_entry+0x5a7/0x7e0 kernel/sched/idle.c:291
      [] rest_init+0x152/0x160 init/main.c:408
      [] start_kernel+0x5ba/0x5e0 init/main.c:661
      [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
      [] x86_64_start_kernel+0x14a/0x157 arch/x86/kernel/head64.c:176
    INITIAL USE at:
      [] __lock_acquire+0xb9e/0x4f90 kernel/locking/lockdep.c:3257
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
      [] _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175
      [] spin_lock_bh include/linux/spinlock.h:307 [inline]
      [] lock_sock_nested+0x3e/0x100 net/core/sock.c:2474
      [] lock_sock include/net/sock.h:1362 [inline]
      [] do_tcp_setsockopt.isra.32+0x129/0x1730 net/ipv4/tcp.c:2364
      [] tcp_setsockopt+0x7e/0xd0 net/ipv4/tcp.c:2621
      [] sock_common_setsockopt+0x73/0xf0 net/core/sock.c:2677
      [] rds_tcp_nonagle+0x130/0x1b0 net/rds/tcp.c:91
      [] rds_tcp_listen_init+0x108/0x380 net/rds/tcp_listen.c:183
      [] rds_tcp_init_net+0x1ec/0x4d0 net/rds/tcp.c:369
      [] ops_init+0x95/0x360 net/core/net_namespace.c:109
      [] __register_pernet_operations net/core/net_namespace.c:781 [inline]
      [] register_pernet_operations+0x21d/0x480 net/core/net_namespace.c:846
      [] register_pernet_subsys+0x25/0x40 net/core/net_namespace.c:888
      [] rds_tcp_init+0x47/0xc0 net/rds/tcp.c:540
      [] do_one_initcall+0x10e/0x330 init/main.c:770
      [] do_initcall_level init/main.c:835 [inline]
      [] do_initcalls init/main.c:843 [inline]
      [] do_basic_setup init/main.c:861 [inline]
      [] kernel_init_freeable+0x43b/0x4d2 init/main.c:1008
      [] kernel_init+0xe/0x120 init/main.c:934
      [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392
  }
  ... key      at: [] af_family_slock_keys+0x10/0x180
  ... acquired at:
   [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
   [] __raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
   [] _raw_write_lock+0x36/0x50 kernel/locking/spinlock.c:295
   [] __sctp_unhash_endpoint net/sctp/input.c:747 [inline]
   [] sctp_unhash_endpoint+0x13c/0x290 net/sctp/input.c:756
   [] sctp_endpoint_free+0x8a/0xb0 net/sctp/endpointola.c:235
   [] sctp_destroy_sock+0x80/0x1d0 net/sctp/socket.c:4152
   [] sk_common_release+0x5e/0x3e0 net/core/sock.c:2698
   [] sctp_close+0x4bf/0x740 net/sctp/socket.c:1543
   [] inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:420
   [] sock_release+0x83/0x1a0 net/socket.c:573
   [] sock_close+0xd/0x20 net/socket.c:1023
   [] __fput+0x20e/0x750 fs/file_table.c:208
   [] ____fput+0x9/0x10 fs/file_table.c:244
   [] task_work_run+0x132/0x200 kernel/task_work.c:115
   [] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
   [] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
   [] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
   [] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
   [] entry_SYSCALL_64_fastpath+0xbf/0xc1

 -> (&sctp_ep_hashtable[i].lock){++.+..} ops: 6 {
    HARDIRQ-ON-W at:
      [] mark_irqflags kernel/locking/lockdep.c:2904 [inline]
      [] __lock_acquire+0x1324/0x4f90 kernel/locking/lockdep.c:3253
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
      [] _raw_write_lock+0x36/0x50 kernel/locking/spinlock.c:295
      [] __sctp_unhash_endpoint net/sctp/input.c:747 [inline]
      [] sctp_unhash_endpoint+0x13c/0x290 net/sctp/input.c:756
      [] sctp_endpoint_free+0x8a/0xb0 net/sctp/endpointola.c:235
      [] sctp_destroy_sock+0x80/0x1d0 net/sctp/socket.c:4152
      [] sctp_v6_destroy_sock+0xd/0x20 net/sctp/socket.c:7605
      [] sk_common_release+0x5e/0x3e0 net/core/sock.c:2698
      [] sctp_close+0x4bf/0x740 net/sctp/socket.c:1543
      [] inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:420
      [] inet6_release+0x46/0x60 net/ipv6/af_inet6.c:415
      [] sock_release+0x83/0x1a0 net/socket.c:573
      [] inet_ctl_sock_destroy include/net/inet_common.h:45 [inline]
      [] sctp_ctrlsock_exit+0x5c/0x70 net/sctp/protocol.c:1344
      [] ops_exit_list.isra.4+0x8e/0x120 net/core/net_namespace.c:134
      [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
      [] process_one_work+0x698/0x1570 kernel/workqueue.c:2093
      [] worker_thread+0xd7/0xf10 kernel/workqueue.c:2227
      [] kthread+0x209/0x2d0 kernel/kthread.c:209
      [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392
    HARDIRQ-ON-R at:
      [] mark_irqflags kernel/locking/lockdep.c:2896 [inline]
      [] __lock_acquire+0xa8b/0x4f90 kernel/locking/lockdep.c:3253
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
      [] _raw_read_lock+0x39/0x50 kernel/locking/spinlock.c:223
      [] sctp_for_each_endpoint+0x9f/0x190 net/sctp/socket.c:4355
      [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
      [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
      [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
      [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
      [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
      [] netlink_dump_start include/linux/netlink.h:165 [inline]
      [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
      [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
      [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
      [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
      [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
      [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
      [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
      [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
      [] sock_sendmsg_nosec net/socket.c:612 [inline]
      [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
      [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
      [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
      [] do_readv_writev+0x359/0x660 fs/read_write.c:857
      [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
      [] do_writev+0xd8/0x270 fs/read_write.c:929
      [] SYSC_writev fs/read_write.c:1002 [inline]
      [] SyS_writev+0xb/0x10 fs/read_write.c:999
      [] entry_SYSCALL_64_fastpath+0x23/0xc1
    SOFTIRQ-ON-R at:
      [] mark_irqflags kernel/locking/lockdep.c:2908 [inline]
      [] __lock_acquire+0x1392/0x4f90 kernel/locking/lockdep.c:3253
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
      [] _raw_read_lock+0x39/0x50 kernel/locking/spinlock.c:223
      [] sctp_for_each_endpoint+0x9f/0x190 net/sctp/socket.c:4355
      [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
      [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
      [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
      [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
      [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
      [] netlink_dump_start include/linux/netlink.h:165 [inline]
      [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
      [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
      [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
      [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
      [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
      [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
      [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
      [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
      [] sock_sendmsg_nosec net/socket.c:612 [inline]
      [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
      [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
      [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
      [] do_readv_writev+0x359/0x660 fs/read_write.c:857
      [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
      [] do_writev+0xd8/0x270 fs/read_write.c:929
      [] SYSC_writev fs/read_write.c:1002 [inline]
      [] SyS_writev+0xb/0x10 fs/read_write.c:999
      [] entry_SYSCALL_64_fastpath+0x23/0xc1
    INITIAL USE at:
      [] __lock_acquire+0xb9e/0x4f90 kernel/locking/lockdep.c:3257
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
      [] _raw_write_lock+0x36/0x50 kernel/locking/spinlock.c:295
      [] __sctp_unhash_endpoint net/sctp/input.c:747 [inline]
      [] sctp_unhash_endpoint+0x13c/0x290 net/sctp/input.c:756
      [] sctp_endpoint_free+0x8a/0xb0 net/sctp/endpointola.c:235
      [] sctp_destroy_sock+0x80/0x1d0 net/sctp/socket.c:4152
      [] sctp_v6_destroy_sock+0xd/0x20 net/sctp/socket.c:7605
      [] sk_common_release+0x5e/0x3e0 net/core/sock.c:2698
      [] sctp_close+0x4bf/0x740 net/sctp/socket.c:1543
      [] inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:420
      [] inet6_release+0x46/0x60 net/ipv6/af_inet6.c:415
      [] sock_release+0x83/0x1a0 net/socket.c:573
      [] inet_ctl_sock_destroy include/net/inet_common.h:45 [inline]
      [] sctp_ctrlsock_exit+0x5c/0x70 net/sctp/protocol.c:1344
      [] ops_exit_list.isra.4+0x8e/0x120 net/core/net_namespace.c:134
      [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
      [] process_one_work+0x698/0x1570 kernel/workqueue.c:2093
      [] worker_thread+0xd7/0xf10 kernel/workqueue.c:2227
      [] kthread+0x209/0x2d0 kernel/kthread.c:209
      [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392
  }
  ... key      at: [] __key.62716+0x0/0x40
  ... acquired at:
   [] print_irq_inversion_bug kernel/locking/lockdep.c:147 [inline]
   [] check_usage_backwards+0x2fa/0x330 kernel/locking/lockdep.c:2488
   [] mark_lock_irq kernel/locking/lockdep.c:2577 [inline]
   [] mark_lock+0x76a/0x1200 kernel/locking/lockdep.c:3024
   [] mark_irqflags kernel/locking/lockdep.c:2908 [inline]
   [] __lock_acquire+0x1392/0x4f90 kernel/locking/lockdep.c:3253
   [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
   [] __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
   [] _raw_read_lock+0x39/0x50 kernel/locking/spinlock.c:223
   [] sctp_for_each_endpoint+0x9f/0x190 net/sctp/socket.c:4355
   [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
   [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
   [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
   [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
   [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
   [] netlink_dump_start include/linux/netlink.h:165 [inline]
   [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
   [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
   [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
   [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
   [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
   [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
   [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
   [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
   [] sock_sendmsg_nosec net/socket.c:612 [inline]
   [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
   [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
   [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
   [] do_readv_writev+0x359/0x660 fs/read_write.c:857
   [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
   [] do_writev+0xd8/0x270 fs/read_write.c:929
   [] SYSC_writev fs/read_write.c:1002 [inline]
   [] SyS_writev+0xb/0x10 fs/read_write.c:999
   [] entry_SYSCALL_64_fastpath+0x23/0xc1

stack backtrace:
CPU: 0 PID: 7291 Comm: syz-executor3 Not tainted 4.6.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0cd5746 ffff8801cc347158 ffffffff829c2f86 ffffffff87d07c20
 ffff8801cc347230 ffffffff87d07c20 ffffffff879a6e90 ffff8801cc3471b0
 ffffffff8162624e ffff8801cc3471f0 00000000cc347188 ffffffff00000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [] print_irq_inversion_bug.part.42+0x347/0x356 kernel/locking/lockdep.c:2439
 [] print_irq_inversion_bug kernel/locking/lockdep.c:147 [inline]
 [] check_usage_backwards+0x2fa/0x330 kernel/locking/lockdep.c:2488
 [] mark_lock_irq kernel/locking/lockdep.c:2577 [inline]
 [] mark_lock+0x76a/0x1200 kernel/locking/lockdep.c:3024
 [] mark_irqflags kernel/locking/lockdep.c:2908 [inline]
 [] __lock_acquire+0x1392/0x4f90 kernel/locking/lockdep.c:3253
 [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
 [] __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
 [] _raw_read_lock+0x39/0x50 kernel/locking/spinlock.c:223
 [] sctp_for_each_endpoint+0x9f/0x190 net/sctp/socket.c:4355
 [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
 [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
 [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
 [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
 [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
 [] netlink_dump_start include/linux/netlink.h:165 [inline]
 [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
 [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
 [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
 [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
 [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
 [] sock_sendmsg_nosec net/socket.c:612 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
 [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
 [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
 [] do_readv_writev+0x359/0x660 fs/read_write.c:857
 [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
 [] do_writev+0xd8/0x270 fs/read_write.c:929
 [] SYSC_writev fs/read_write.c:1002 [inline]
 [] SyS_writev+0xb/0x10 fs/read_write.c:999
 [] entry_SYSCALL_64_fastpath+0x23/0xc1

==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:318 at addr ffff8800af82efa0
Read of size 128 by task syz-executor3/7291
CPU: 0 PID: 7291 Comm: syz-executor3 Not tainted 4.6.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0cd5746 ffff8801cc3472b8 ffffffff829c2f86 0000000000000080
 ffff8801cc347348 ffff8800af82ef80 ffff8801da800200 ffff8801cc347338
 ffffffff8174e337 0000000000000001 0000000000000007 0000000000000286
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [] object_err mm/kasan/report.c:139 [inline]
 [] print_address_description mm/kasan/report.c:179 [inline]
 [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275
 [] kasan_report+0x34/0x40 mm/kasan/report.c:297
 [] check_memory_region mm/kasan/kasan.c:285 [inline]
 [] __asan_loadN+0x12a/0x180 mm/kasan/kasan.c:678
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:318
 [] inet_diag_msg_sctpladdrs_fill net/sctp/sctp_diag.c:75 [inline]
 [] inet_sctp_diag_fill+0x65e/0xc60 net/sctp/sctp_diag.c:179
 [] sctp_ep_dump+0x46b/0x6d0 net/sctp/sctp_diag.c:368
 [] sctp_for_each_endpoint+0xe4/0x190 net/sctp/socket.c:4357
 [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
 [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
 [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
 [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
 [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
 [] netlink_dump_start include/linux/netlink.h:165 [inline]
 [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
 [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
 [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
 [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
 [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
 [] sock_sendmsg_nosec net/socket.c:612 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
 [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
 [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
 [] do_readv_writev+0x359/0x660 fs/read_write.c:857
 [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
 [] do_writev+0xd8/0x270 fs/read_write.c:929
 [] SYSC_writev fs/read_write.c:1002 [inline]
 [] SyS_writev+0xb/0x10 fs/read_write.c:999
 [] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800af82ef80, in cache kmalloc-64
Object allocated with size 64 bytes.
Allocation:
PID = 7291
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450
 [] set_track mm/kasan/kasan.c:462 [inline]
 [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532
 [] kmem_cache_alloc_trace+0x142/0x6b0 mm/slab.c:3447
 [] kmalloc include/linux/slab.h:478 [inline]
 [] kzalloc include/linux/slab.h:622 [inline]
 [] sctp_add_bind_addr+0x5f/0x240 net/sctp/bind_addr.c:159
 [] sctp_do_bind+0x2cf/0x4c0 net/sctp/socket.c:389
 [] sctp_autobind+0x14c/0x1b0 net/sctp/socket.c:6764
 [] __sctp_connect+0x4f5/0xa30 net/sctp/socket.c:1143
 [] sctp_connect+0x95/0xd0 net/sctp/socket.c:3870
 [] inet_dgram_connect+0xf1/0x220 net/ipv4/af_inet.c:535
 [] SYSC_connect+0x202/0x2a0 net/socket.c:1539
 [] SyS_connect+0x9/0x10 net/socket.c:1520
 [] entry_SYSCALL_64_fastpath+0x23/0xc1
Memory state around the buggy address:
 ffff8800af82ee80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff8800af82ef00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8800af82ef80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                               ^
 ffff8800af82f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800af82f080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
==================================================================

==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:318 at addr ffff8801d7b64ca0
Read of size 128 by task syz-executor3/7291
CPU: 0 PID: 7291 Comm: syz-executor3 Tainted: G    B           4.6.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0cd5746 ffff8801cc3472b8 ffffffff829c2f86 0000000000000080
 ffff8801cc347348 ffff8801d7b64c80 ffff8801da800200 ffff8801cc347338
 ffffffff8174e337 0000000000000001 0000000000000007 0000000000000286
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [] object_err mm/kasan/report.c:139 [inline]
 [] print_address_description mm/kasan/report.c:179 [inline]
 [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275
 [] kasan_report+0x34/0x40 mm/kasan/report.c:297
 [] check_memory_region mm/kasan/kasan.c:285 [inline]
 [] __asan_loadN+0x12a/0x180 mm/kasan/kasan.c:678
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:318
 [] inet_diag_msg_sctpladdrs_fill net/sctp/sctp_diag.c:75 [inline]
 [] inet_sctp_diag_fill+0x65e/0xc60 net/sctp/sctp_diag.c:179
 [] sctp_ep_dump+0x46b/0x6d0 net/sctp/sctp_diag.c:368
 [] sctp_for_each_endpoint+0xe4/0x190 net/sctp/socket.c:4357
 [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
 [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
 [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
 [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
 [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
 [] netlink_dump_start include/linux/netlink.h:165 [inline]
 [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
 [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
 [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
 [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
 [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
 [] sock_sendmsg_nosec net/socket.c:612 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
 [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
 [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
 [] do_readv_writev+0x359/0x660 fs/read_write.c:857
 [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
 [] do_writev+0xd8/0x270 fs/read_write.c:929
 [] SYSC_writev fs/read_write.c:1002 [inline]
 [] SyS_writev+0xb/0x10 fs/read_write.c:999
 [] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8801d7b64c80, in cache kmalloc-64
Object allocated with size 64 bytes.
Allocation:
PID = 7303
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450
 [] set_track mm/kasan/kasan.c:462 [inline]
 [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532
 [] kmem_cache_alloc_trace+0x142/0x6b0 mm/slab.c:3447
 [] kmalloc include/linux/slab.h:478 [inline]
 [] kzalloc include/linux/slab.h:622 [inline]
 [] sctp_add_bind_addr+0x5f/0x240 net/sctp/bind_addr.c:159
 [] sctp_do_bind+0x2cf/0x4c0 net/sctp/socket.c:389
 [] sctp_autobind+0x14c/0x1b0 net/sctp/socket.c:6764
 [] __sctp_connect+0x4f5/0xa30 net/sctp/socket.c:1143
 [] sctp_connect+0x95/0xd0 net/sctp/socket.c:3870
 [] inet_dgram_connect+0xf1/0x220 net/ipv4/af_inet.c:535
 [] SYSC_connect+0x202/0x2a0 net/socket.c:1539
 [] SyS_connect+0x9/0x10 net/socket.c:1520
 [] entry_SYSCALL_64_fastpath+0x23/0xc1
Memory state around the buggy address:
 ffff8801d7b64b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d7b64c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8801d7b64c80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                               ^
 ffff8801d7b64d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff8801d7b64d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:318 at addr ffff8801d7b64ca0
Read of size 128 by task syz-executor3/7303
CPU: 0 PID: 7303 Comm: syz-executor3 Tainted: G    B           4.6.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0cd5746 ffff8800af8a72b8 ffffffff829c2f86 0000000000000080
 ffff8800af8a7348 ffff8801d7b64c80 ffff8801da800200 ffff8800af8a7338
 ffffffff8174e337 ffffed0015f12597 ffff8800af892cb3 0000000000000286
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [] object_err mm/kasan/report.c:139 [inline]
 [] print_address_description mm/kasan/report.c:179 [inline]
 [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275
 [] kasan_report+0x34/0x40 mm/kasan/report.c:297
 [] check_memory_region mm/kasan/kasan.c:285 [inline]
 [] __asan_loadN+0x12a/0x180 mm/kasan/kasan.c:678
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:318
 [] inet_diag_msg_sctpladdrs_fill net/sctp/sctp_diag.c:75 [inline]
 [] inet_sctp_diag_fill+0x65e/0xc60 net/sctp/sctp_diag.c:179
 [] sctp_ep_dump+0x46b/0x6d0 net/sctp/sctp_diag.c:368
 [] sctp_for_each_endpoint+0xe4/0x190 net/sctp/socket.c:4357
 [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
 [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
 [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
 [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
 [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
 [] netlink_dump_start include/linux/netlink.h:165 [inline]
 [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
 [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
 [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
 [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
 [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
 [] sock_sendmsg_nosec net/socket.c:612 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
 [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
 [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
 [] do_readv_writev+0x359/0x660 fs/read_write.c:857
 [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
 [] do_writev+0xd8/0x270 fs/read_write.c:929
 [] SYSC_writev fs/read_write.c:1002 [inline]
 [] SyS_writev+0xb/0x10 fs/read_write.c:999
 [] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8801d7b64c80, in cache kmalloc-64
Object allocated with size 64 bytes.
Allocation:
PID = 7303
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450
 [] set_track mm/kasan/kasan.c:462 [inline]
 [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532
 [] kmem_cache_alloc_trace+0x142/0x6b0 mm/slab.c:3447
 [] kmalloc include/linux/slab.h:478 [inline]
 [] kzalloc include/linux/slab.h:622 [inline]
 [] sctp_add_bind_addr+0x5f/0x240 net/sctp/bind_addr.c:159
 [] sctp_do_bind+0x2cf/0x4c0 net/sctp/socket.c:389
 [] sctp_autobind+0x14c/0x1b0 net/sctp/socket.c:6764
 [] __sctp_connect+0x4f5/0xa30 net/sctp/socket.c:1143
 [] sctp_connect+0x95/0xd0 net/sctp/socket.c:3870
 [] inet_dgram_connect+0xf1/0x220 net/ipv4/af_inet.c:535
 [] SYSC_connect+0x202/0x2a0 net/socket.c:1539
 [] SyS_connect+0x9/0x10 net/socket.c:1520
 [] entry_SYSCALL_64_fastpath+0x23/0xc1
Memory state around the buggy address:
 ffff8801d7b64b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d7b64c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8801d7b64c80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                               ^
 ffff8801d7b64d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff8801d7b64d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5693 at include/net/sock.h:1408 sock_owned_by_user include/net/sock.h:1408 [inline]
WARNING: CPU: 1 PID: 5693 at include/net/sock.h:1408 tcp_close+0x458/0xef0 net/ipv4/tcp.c:2124