================================================================== BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x78/0x1fd0 kernel/locking/lockdep.c:5005 Read of size 8 at addr ffff888022a8dfa8 by task kworker/u8:1/11 CPU: 0 PID: 11 Comm: kworker/u8:1 Not tainted 6.9.0-rc1-next-20240328-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Workqueue: writeback wb_workfn (flush-8:0) Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 __lock_acquire+0x78/0x1fd0 kernel/locking/lockdep.c:5005 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] wb_writeback+0x66f/0xd30 fs/fs-writeback.c:2160 wb_do_writeback fs/fs-writeback.c:2274 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2314 process_one_work kernel/workqueue.c:3218 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3299 worker_thread+0x86d/0xd70 kernel/workqueue.c:3380 kthread+0x2f0/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 Allocated by task 19769: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] kmalloc_trace_noprof+0x19c/0x2b0 mm/slub.c:4079 kmalloc_noprof include/linux/slab.h:660 [inline] kzalloc_noprof include/linux/slab.h:775 [inline] sctp_association_new+0x8a/0x23f0 net/sctp/associola.c:291 sctp_connect_new_asoc+0x2d8/0x6c0 net/sctp/socket.c:1091 sctp_sendmsg_new_asoc net/sctp/socket.c:1693 [inline] sctp_sendmsg+0x219a/0x3520 net/sctp/socket.c:2004 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 __sys_sendto+0x3a4/0x4f0 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2199 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Freed by task 7: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2180 [inline] slab_free_freelist_hook mm/slub.c:2209 [inline] slab_free_bulk mm/slub.c:4387 [inline] kmem_cache_free_bulk+0x1f8/0x360 mm/slub.c:4601 kfree_bulk include/linux/slab.h:568 [inline] kvfree_rcu_bulk+0x24b/0x4e0 kernel/rcu/tree.c:3033 kfree_rcu_work+0x44b/0x500 kernel/rcu/tree.c:3112 process_one_work kernel/workqueue.c:3218 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3299 worker_thread+0x86d/0xd70 kernel/workqueue.c:3380 kthread+0x2f0/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 Last potentially related work creation: kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541 kvfree_call_rcu+0xfc/0x790 kernel/rcu/tree.c:3443 sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:944 [inline] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1330 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x4393/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_SHUTDOWN+0x98/0xc0 net/sctp/primitive.c:89 sctp_close+0x3cd/0x920 net/sctp/socket.c:1528 inet_release+0x17d/0x200 net/ipv4/af_inet.c:437 __sock_release net/socket.c:659 [inline] sock_close+0xbc/0x240 net/socket.c:1421 __fput+0x429/0x8a0 fs/file_table.c:422 __do_sys_close fs/open.c:1556 [inline] __se_sys_close fs/open.c:1541 [inline] __x64_sys_close+0x7f/0x110 fs/open.c:1541 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 The buggy address belongs to the object at ffff888022a8c000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 4008 bytes to the right of allocated 4096-byte region [ffff888022a8c000, ffff888022a8d000) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22a88 head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff80000000040(head|node=0|zone=1|lastcpupid=0xfff) page_type: 0xffffefff(slab) raw: 00fff80000000040 ffff888015042140 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000040004 00000001ffffefff 0000000000000000 head: 00fff80000000040 ffff888015042140 dead000000000100 dead000000000122 head: 0000000000000000 0000000000040004 00000001ffffefff 0000000000000000 head: 00fff80000000003 ffffea00008aa201 ffffea00008aa248 00000000ffffffff head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 11, tgid 2076906332 (kworker/u8:1), ts 11, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1487 prep_new_page mm/page_alloc.c:1495 [inline] get_page_from_freelist+0x2e8a/0x2f40 mm/page_alloc.c:3454 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4712 __alloc_pages_node_noprof include/linux/gfp.h:244 [inline] alloc_pages_node_noprof include/linux/gfp.h:271 [inline] alloc_slab_page+0x5f/0x120 mm/slub.c:2249 allocate_slab+0x5a/0x2e0 mm/slub.c:2412 new_slab mm/slub.c:2465 [inline] ___slab_alloc+0xea8/0x1430 mm/slub.c:3599 __slab_alloc+0x58/0xa0 mm/slub.c:3684 __slab_alloc_node mm/slub.c:3737 [inline] slab_alloc_node mm/slub.c:3915 [inline] kmalloc_trace_noprof+0x1d5/0x2b0 mm/slub.c:4074 kmalloc_noprof include/linux/slab.h:660 [inline] kzalloc_noprof include/linux/slab.h:775 [inline] kobject_uevent_env+0x28b/0x8e0 lib/kobject_uevent.c:525 device_add+0x63b/0xbf0 drivers/base/core.c:3693 scsi_target_add drivers/scsi/scsi_sysfs.c:1382 [inline] scsi_sysfs_add_sdev+0x84/0x5a0 drivers/scsi/scsi_sysfs.c:1409 scsi_sysfs_add_devices drivers/scsi/scsi_scan.c:1889 [inline] scsi_finish_async_scan drivers/scsi/scsi_scan.c:1974 [inline] do_scan_async+0x42a/0x7a0 drivers/scsi/scsi_scan.c:2017 async_run_entry_fn+0xa8/0x420 kernel/async.c:129 process_one_work kernel/workqueue.c:3218 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3299 worker_thread+0x86d/0xd70 kernel/workqueue.c:3380 kthread+0x2f0/0x390 kernel/kthread.c:388 page_owner free stack trace missing Memory state around the buggy address: ffff888022a8de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888022a8df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888022a8df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888022a8e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888022a8e080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================