INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
Reviewer note: this lockdep message is raised from icmp_xmit_lock (spin_trylock on the lock embedded in the per-netns ICMP control socket, see the icmp_xmit_lock/__icmp_send frames below). Lockdep not recognizing the lock's key means the memory at that address is not a lock it ever saw initialized — consistent with the socket pointer being stale rather than a missing annotation. The "code is fine" wording is lockdep's generic text and should not be taken at face value here; the KASAN report that follows is the real finding.
CPU: 1 PID: 25200 Comm: syz-executor.2 Not tainted 5.2.0-rc3+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
assign_lock_key kernel/locking/lockdep.c:775 [inline]
register_lock_class+0x167e/0x1860 kernel/locking/lockdep.c:1084
__lock_acquire+0x116/0x5490 kernel/locking/lockdep.c:3674
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303
__raw_spin_trylock include/linux/spinlock_api_smp.h:90 [inline]
_raw_spin_trylock+0x62/0x80 kernel/locking/spinlock.c:135
spin_trylock include/linux/spinlock.h:348 [inline]
icmp_xmit_lock net/ipv4/icmp.c:214 [inline]
__icmp_send+0x4fc/0x13e0 net/ipv4/icmp.c:661
ipv4_send_dest_unreach net/ipv4/route.c:1220 [inline]
ipv4_link_failure+0x54e/0x920 net/ipv4/route.c:1227
dst_link_failure include/net/dst.h:416 [inline]
arp_error_report+0xce/0x1c0 net/ipv4/arp.c:293
neigh_invalidate+0x245/0x570 net/core/neighbour.c:996
neigh_timer_handler+0xc33/0xf30 net/core/neighbour.c:1082
call_timer_fn+0x193/0x720 kernel/time/timer.c:1322
expire_timers kernel/time/timer.c:1366 [inline]
__run_timers kernel/time/timer.c:1685 [inline]
__run_timers kernel/time/timer.c:1653 [inline]
run_timer_softirq+0x66f/0x1740 kernel/time/timer.c:1698
__do_softirq+0x25c/0x94c kernel/softirq.c:293
invoke_softirq kernel/softirq.c:374 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:414
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1068
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806
RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x50 kernel/kcov.c:101
Code: f4 ff ff ff e8 fd 0e ea ff 48 c7 05 4e 97 f5 08 00 00 00 00 e9 a4 e9 ff ff 90 90 90 90 90 90 90 90 90 55 48 89 e5 48 8b 75 08 <65> 48 8b 04 25 c0 fd 01 00 65 8b 15 70 55 91 7e 81 e2 00 01 1f 00
RSP: 0018:ffff8880a8507560 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: ffffea0002360674 RCX: ffffffff818f84a0
RDX: 0000000000000004 RSI: ffffffff818f84ae RDI: 0000000000000005
RBP: ffff8880a8507560 R08: ffff888099b3c1c0 R09: fffff9400046c0cf
R10: fffff9400046c0ce R11: ffffea0002360677 R12: 0000000000000128
R13: 0000000000000004 R14: ffffea0002360640 R15: dffffc0000000000
atomic_dec_and_test include/asm-generic/atomic-instrumented.h:747 [inline]
page_ref_dec_and_test include/linux/page_ref.h:139 [inline]
put_page_testzero include/linux/mm.h:580 [inline]
release_pages+0x19e/0x1930 mm/swap.c:755
free_pages_and_swap_cache+0x2a0/0x3d0 mm/swap_state.c:295
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:184 [inline]
tlb_flush_mmu+0x89/0x630 mm/mmu_gather.c:191
zap_pte_range mm/memory.c:1160 [inline]
zap_pmd_range mm/memory.c:1195 [inline]
zap_pud_range mm/memory.c:1224 [inline]
zap_p4d_range mm/memory.c:1245 [inline]
unmap_page_range+0x17d9/0x22f0 mm/memory.c:1266
unmap_single_vma+0x19d/0x300 mm/memory.c:1311
unmap_vmas+0x135/0x280 mm/memory.c:1343
exit_mmap+0x2ad/0x510 mm/mmap.c:3145
__mmput kernel/fork.c:1059 [inline]
mmput+0x15f/0x4c0 kernel/fork.c:1080
exit_mm kernel/exit.c:547 [inline]
do_exit+0x816/0x2fa0 kernel/exit.c:864
do_group_exit+0x135/0x370 kernel/exit.c:981
get_signal+0x471/0x24b0 kernel/signal.c:2640
do_signal+0x87/0x1900 arch/x86/kernel/signal.c:815
exit_to_usermode_loop+0x244/0x2c0 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd667bf0cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000075bf28 RCX: 0000000000459279
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c
R13: 00007ffc37cf4a0f R14: 00007fd667bf19c0 R15: 000000000075bf2c
==================================================================
BUG: KASAN: slab-out-of-bounds in __icmp_send+0x13a6/0x13e0 net/ipv4/icmp.c:704
Write of size 1 at addr ffff8880984b3ee4 by task syz-executor.2/25200
Reviewer note: despite the "slab-out-of-bounds" classification, the object KASAN resolves this address to was already freed (see "Freed by task 9826" below: sk_free via icmp_sk_exit during cleanup_net), so this is best read as a lifetime bug — a write through a stale per-netns ICMP socket pointer after that namespace's sockets were torn down. The write is performed from a neighbour-timer softirq (neigh_timer_handler -> neigh_invalidate -> arp_error_report -> dst_link_failure -> ipv4_link_failure -> __icmp_send), i.e. a timer still firing for a route whose netns cleanup has completed. The 1-byte store is likely a byte-sized field of the socket (confirm against net/ipv4/icmp.c:704 in this exact tree). The allocation path shows the netns was created via unshare() (copy_net_ns), which can be reached by unprivileged users through user namespaces where those are enabled, so this should be treated as a kernel memory-safety bug reachable from unprivileged code, not merely a fuzzer artefact.
CPU: 1 PID: 25200 Comm: syz-executor.2 Not tainted 5.2.0-rc3+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
__kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
kasan_report+0x12/0x20 mm/kasan/common.c:614
__asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:134
__icmp_send+0x13a6/0x13e0 net/ipv4/icmp.c:704
ipv4_send_dest_unreach net/ipv4/route.c:1220 [inline]
ipv4_link_failure+0x54e/0x920 net/ipv4/route.c:1227
dst_link_failure include/net/dst.h:416 [inline]
arp_error_report+0xce/0x1c0 net/ipv4/arp.c:293
neigh_invalidate+0x245/0x570 net/core/neighbour.c:996
neigh_timer_handler+0xc33/0xf30 net/core/neighbour.c:1082
call_timer_fn+0x193/0x720 kernel/time/timer.c:1322
expire_timers kernel/time/timer.c:1366 [inline]
__run_timers kernel/time/timer.c:1685 [inline]
__run_timers kernel/time/timer.c:1653 [inline]
run_timer_softirq+0x66f/0x1740 kernel/time/timer.c:1698
__do_softirq+0x25c/0x94c kernel/softirq.c:293
invoke_softirq kernel/softirq.c:374 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:414
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1068
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806
RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x50 kernel/kcov.c:101
Code: f4 ff ff ff e8 fd 0e ea ff 48 c7 05 4e 97 f5 08 00 00 00 00 e9 a4 e9 ff ff 90 90 90 90 90 90 90 90 90 55 48 89 e5 48 8b 75 08 <65> 48 8b 04 25 c0 fd 01 00 65 8b 15 70 55 91 7e 81 e2 00 01 1f 00
RSP: 0018:ffff8880a8507560 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: ffffea0002360674 RCX: ffffffff818f84a0
RDX: 0000000000000004 RSI: ffffffff818f84ae RDI: 0000000000000005
RBP: ffff8880a8507560 R08: ffff888099b3c1c0 R09: fffff9400046c0cf
R10: fffff9400046c0ce R11: ffffea0002360677 R12: 0000000000000128
R13: 0000000000000004 R14: ffffea0002360640 R15: dffffc0000000000
atomic_dec_and_test include/asm-generic/atomic-instrumented.h:747 [inline]
page_ref_dec_and_test include/linux/page_ref.h:139 [inline]
put_page_testzero include/linux/mm.h:580 [inline]
release_pages+0x19e/0x1930 mm/swap.c:755
free_pages_and_swap_cache+0x2a0/0x3d0 mm/swap_state.c:295
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:184 [inline]
tlb_flush_mmu+0x89/0x630 mm/mmu_gather.c:191
zap_pte_range mm/memory.c:1160 [inline]
zap_pmd_range mm/memory.c:1195 [inline]
zap_pud_range mm/memory.c:1224 [inline]
zap_p4d_range mm/memory.c:1245 [inline]
unmap_page_range+0x17d9/0x22f0 mm/memory.c:1266
unmap_single_vma+0x19d/0x300 mm/memory.c:1311
unmap_vmas+0x135/0x280 mm/memory.c:1343
exit_mmap+0x2ad/0x510 mm/mmap.c:3145
__mmput kernel/fork.c:1059 [inline]
mmput+0x15f/0x4c0 kernel/fork.c:1080
exit_mm kernel/exit.c:547 [inline]
do_exit+0x816/0x2fa0 kernel/exit.c:864
do_group_exit+0x135/0x370 kernel/exit.c:981
get_signal+0x471/0x24b0 kernel/signal.c:2640
do_signal+0x87/0x1900 arch/x86/kernel/signal.c:815
exit_to_usermode_loop+0x244/0x2c0 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd667bf0cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000075bf28 RCX: 0000000000459279
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c
R13: 00007ffc37cf4a0f R14: 00007fd667bf19c0 R15: 000000000075bf2c
Allocated by task 32601:
save_stack+0x23/0x90 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_kmalloc mm/kasan/common.c:489 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:497
slab_post_alloc_hook mm/slab.h:437 [inline]
slab_alloc mm/slab.c:3326 [inline]
kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3488
sk_prot_alloc+0x67/0x2e0 net/core/sock.c:1596
sk_alloc+0x39/0xf70 net/core/sock.c:1656
inet_create net/ipv4/af_inet.c:321 [inline]
inet_create+0x36a/0xe00 net/ipv4/af_inet.c:247
__sock_create+0x3d8/0x730 net/socket.c:1424
sock_create_kern+0x3b/0x50 net/socket.c:1493
inet_ctl_sock_create+0x9d/0x1f0 net/ipv4/af_inet.c:1620
icmp_sk_init+0x11c/0x4c0 net/ipv4/icmp.c:1199
ops_init+0xb3/0x410 net/core/net_namespace.c:130
setup_net+0x2d3/0x740 net/core/net_namespace.c:316
copy_net_ns+0x1df/0x340 net/core/net_namespace.c:439
create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
ksys_unshare+0x440/0x980 kernel/fork.c:2692
__do_sys_unshare kernel/fork.c:2760 [inline]
__se_sys_unshare kernel/fork.c:2758 [inline]
__x64_sys_unshare+0x31/0x40 kernel/fork.c:2758
do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 9826:
save_stack+0x23/0x90 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
__cache_free mm/slab.c:3432 [inline]
kmem_cache_free+0x86/0x260 mm/slab.c:3698
sk_prot_free net/core/sock.c:1637 [inline]
__sk_destruct+0x4bc/0x6e0 net/core/sock.c:1725
sk_destruct+0x7b/0x90 net/core/sock.c:1733
__sk_free+0xce/0x300 net/core/sock.c:1744
sk_free+0x42/0x50 net/core/sock.c:1755
sock_put include/net/sock.h:1723 [inline]
sk_common_release+0x21c/0x330 net/core/sock.c:3175
raw_close+0x22/0x30 net/ipv4/raw.c:704
inet_release+0xe0/0x1f0 net/ipv4/af_inet.c:427
__sock_release+0x1f4/0x2a0 net/socket.c:601
sock_release+0x18/0x20 net/socket.c:621
inet_ctl_sock_destroy include/net/inet_common.h:56 [inline]
icmp_sk_exit+0x11f/0x1f0 net/ipv4/icmp.c:1183
ops_exit_list.isra.0+0xaa/0x150 net/core/net_namespace.c:154
cleanup_net+0x3fb/0x960 net/core/net_namespace.c:553
process_one_work+0x989/0x1790 kernel/workqueue.c:2269
worker_thread+0x98/0xe40 kernel/workqueue.c:2415
kthread+0x354/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8880984b3900
which belongs to the cache RAW of size 1352
The buggy address is located 156 bytes to the right of
1352-byte region [ffff8880984b3900, ffff8880984b3e48)
Reviewer note: the target lies 156 bytes past the end of a freed RAW-socket object in redzone (shadow bytes 0xfc below), so the write lands outside any live object's bounds; if that slab page is later reused, the same stale pointer would instead corrupt whatever is allocated there. Any fix must ensure ICMP error generation from the neighbour timer cannot outlive the netns's ICMP sockets (or bails out when the netns is already being torn down); a check only in the ICMP transmit path would mask the lockdep symptom without closing the lifetime gap, so verify the dst/neighbour side of the teardown ordering as well.
The buggy address belongs to the page:
page:ffffea0002612c80 refcount:1 mapcount:0 mapping:ffff88821ad6cc00 index:0xffff8880984b2700 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffff8880a649e838 ffffea000265fd88 ffff88821ad6cc00
raw: ffff8880984b2700 ffff8880984b2100 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880984b3d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880984b3e00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>ffff8880984b3e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880984b3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880984b3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================