==================================================================
BUG: KASAN: invalid-access in tcp_init_congestion_control+0x14/0xfc net/ipv4/tcp_cong.c:178
Write at addr f8ff0000062c700c by task syz-executor.1/12148
Pointer tag: [f8], memory tag: [fd]

CPU: 1 PID: 12148 Comm: syz-executor.1 Not tainted 5.13.0-rc1-syzkaller-00111-g315d99318179 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x1b0 arch/arm64/kernel/stacktrace.c:138
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:217
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0xd0/0x12c lib/dump_stack.c:120
 print_address_description+0x70/0x2ac mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x134/0x380 mm/kasan/report.c:436
 report_tag_fault arch/arm64/mm/fault.c:324 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:336 [inline]
 __do_kernel_fault+0x1a8/0x1dc arch/arm64/mm/fault.c:378
 do_bad_area arch/arm64/mm/fault.c:474 [inline]
 do_tag_check_fault+0x74/0x90 arch/arm64/mm/fault.c:745
 do_mem_abort+0x44/0xbc arch/arm64/mm/fault.c:821
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:171
 el1_sync_handler+0xac/0xd0 arch/arm64/kernel/entry-common.c:255
 el1_sync+0x78/0x100 arch/arm64/kernel/entry.S:710
 tcp_init_congestion_control+0x14/0xfc net/ipv4/tcp_cong.c:178
 tcp_reinit_congestion_control net/ipv4/tcp_cong.c:207 [inline]
 tcp_set_congestion_control+0x23c/0x270 net/ipv4/tcp_cong.c:381
 mptcp_setsockopt_sol_tcp_congestion net/mptcp/sockopt.c:550 [inline]
 mptcp_setsockopt_sol_tcp net/mptcp/sockopt.c:563 [inline]
 mptcp_setsockopt+0x3ac/0x770 net/mptcp/sockopt.c:599
 sock_common_setsockopt+0x1c/0x30 net/core/sock.c:3257
 __sys_setsockopt+0xa0/0x1a0 net/socket.c:2117
 __do_sys_setsockopt net/socket.c:2128 [inline]
 __se_sys_setsockopt net/socket.c:2125 [inline]
 __arm64_sys_setsockopt+0x2c/0x40 net/socket.c:2125
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:52
 el0_svc_common.constprop.0+0x44/0xd0 arch/arm64/kernel/syscall.c:145
 do_el0_svc+0x74/0x90 arch/arm64/kernel/syscall.c:184
 el0_svc+0x2c/0x54 arch/arm64/kernel/entry-common.c:408
 el0_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:424
 el0_sync+0x1b4/0x1c0 arch/arm64/kernel/entry.S:734

Allocated by task 12100:
 kasan_save_stack+0x28/0x5c mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:428 [inline]
 __kasan_slab_alloc+0xdc/0x14c mm/kasan/common.c:461
 kasan_slab_alloc include/linux/kasan.h:236 [inline]
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:2912 [inline]
 slab_alloc mm/slub.c:2920 [inline]
 kmem_cache_alloc+0x1d4/0x350 mm/slub.c:2925
 sk_prot_alloc+0x38/0x174 net/core/sock.c:1697
 sk_alloc+0x38/0x214 net/core/sock.c:1756
 inet6_create net/ipv6/af_inet6.c:183 [inline]
 inet6_create+0xc8/0x3cc net/ipv6/af_inet6.c:110
 __sock_create+0x154/0x220 net/socket.c:1408
 sock_create net/socket.c:1459 [inline]
 __sys_socket+0x58/0x110 net/socket.c:1501
 __do_sys_socket net/socket.c:1510 [inline]
 __se_sys_socket net/socket.c:1508 [inline]
 __arm64_sys_socket+0x24/0x34 net/socket.c:1508
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:52
 el0_svc_common.constprop.0+0x44/0xd0 arch/arm64/kernel/syscall.c:145
 do_el0_svc+0x74/0x90 arch/arm64/kernel/syscall.c:184
 el0_svc+0x2c/0x54 arch/arm64/kernel/entry-common.c:408
 el0_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:424
 el0_sync+0x1b4/0x1c0 arch/arm64/kernel/entry.S:734

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff0000062c7000
 which belongs to the cache MPTCPv6 of size 1992
The buggy address is located 12 bytes inside of
 1992-byte region [ffff0000062c7000, ffff0000062c77c8)
The buggy address belongs to the page:
page:00000000f03d5a5a refcount:1 mapcount:0 mapping:0000000000000000 index:0xf9ff0000062c6000 pfn:0x462c0
head:00000000f03d5a5a order:3 compound_mapcount:0 compound_pincount:0
memcg:fdff00002161c701
flags: 0x1ffc00000010200(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc00000010200 dead000000000100 dead000000000122 f8ff000005a72600
raw: f9ff0000062c6000 0000000080100003 00000001ffffffff fdff00002161c701
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000062c6e00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffff0000062c6f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 fe fe fe
>ffff0000062c7000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
                   ^
 ffff0000062c7100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 ffff0000062c7200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
==================================================================