XFS (loop3): Invalid superblock magic number ================================================================== BUG: KASAN: slab-out-of-bounds in sock_net include/net/sock.h:2435 [inline] BUG: KASAN: slab-out-of-bounds in ip_send_unicast_reply+0x1040/0x11b0 net/ipv4/ip_output.c:1569 Read of size 8 at addr ffff888090d07ebc by task syz-executor.2/24911 CPU: 0 PID: 24911 Comm: syz-executor.2 Not tainted 5.0.0+ #5 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 sock_net include/net/sock.h:2435 [inline] ip_send_unicast_reply+0x1040/0x11b0 net/ipv4/ip_output.c:1569 tcp_v4_send_reset+0x1051/0x2140 net/ipv4/tcp_ipv4.c:778 tcp_v4_rcv+0x209e/0x3730 net/ipv4/tcp_ipv4.c:1939 ip_protocol_deliver_rcu+0x60/0x8f0 net/ipv4/ip_input.c:208 ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234 NF_HOOK include/linux/netfilter.h:289 [inline] NF_HOOK include/linux/netfilter.h:283 [inline] ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:255 dst_input include/net/dst.h:450 [inline] ip_rcv_finish+0x1e1/0x300 net/ipv4/ip_input.c:414 NF_HOOK include/linux/netfilter.h:289 [inline] NF_HOOK include/linux/netfilter.h:283 [inline] ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:524 __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4973 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083 process_backlog+0x206/0x750 net/core/dev.c:5923 napi_poll net/core/dev.c:6346 [inline] net_rx_action+0x4fa/0x1070 net/core/dev.c:6412 __do_softirq+0x266/0x95a kernel/softirq.c:292 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1027 do_softirq.part.0+0x11a/0x170 kernel/softirq.c:337 do_softirq kernel/softirq.c:329 [inline] __local_bh_enable_ip+0x211/0x270 kernel/softirq.c:189 local_bh_enable include/linux/bottom_half.h:32 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:696 [inline] ip_finish_output2+0x99c/0x1740 net/ipv4/ip_output.c:231 ip_finish_output+0x73c/0xd50 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:278 [inline] ip_output+0x21f/0x670 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:444 [inline] ip_local_out+0xc4/0x1b0 net/ipv4/ip_output.c:124 __ip_queue_xmit+0x86f/0x1bf0 net/ipv4/ip_output.c:505 ip_queue_xmit+0x5a/0x70 include/net/ip.h:198 __tcp_transmit_skb+0x1a5f/0x3680 net/ipv4/tcp_output.c:1160 tcp_transmit_skb net/ipv4/tcp_output.c:1176 [inline] tcp_send_syn_data net/ipv4/tcp_output.c:3470 [inline] tcp_connect+0x1ba9/0x40a0 net/ipv4/tcp_output.c:3535 tcp_sendmsg_fastopen net/ipv4/tcp.c:1152 [inline] tcp_sendmsg_locked+0x2c0a/0x34a0 net/ipv4/tcp.c:1208 tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1443 inet_sendmsg+0x147/0x5d0 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xdd/0x130 net/socket.c:632 ___sys_sendmsg+0x3e2/0x930 net/socket.c:2115 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2210 __do_sys_sendmmsg net/socket.c:2239 [inline] __se_sys_sendmmsg net/socket.c:2236 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457e29 Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f2171f64c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000457e29 RDX: 0031e9cd3487dc94 RSI: 0000000020004c80 RDI: 0000000000000006 RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000020004bc0 R11: 0000000000000246 R12: 00007f2171f656d4 R13: 00000000004c4dd7 R14: 00000000004d8b10 R15: 00000000ffffffff Allocated by task 14345: save_stack+0x45/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] __kasan_kmalloc mm/kasan/common.c:495 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:468 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:503 slab_post_alloc_hook mm/slab.h:440 [inline] slab_alloc mm/slab.c:3388 [inline] kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3548 sk_prot_alloc+0x67/0x2e0 net/core/sock.c:1471 sk_alloc+0x39/0xf70 net/core/sock.c:1531 inet_create net/ipv4/af_inet.c:321 [inline] inet_create+0x36a/0xe10 net/ipv4/af_inet.c:247 __sock_create+0x3e6/0x750 net/socket.c:1276 sock_create_kern+0x3b/0x50 net/socket.c:1322 inet_ctl_sock_create+0x9d/0x1f0 net/ipv4/af_inet.c:1614 icmp_sk_init net/ipv4/icmp.c:1204 [inline] icmp_sk_init+0x120/0x680 net/ipv4/icmp.c:1193 ops_init+0xb6/0x410 net/core/net_namespace.c:129 setup_net+0x2c5/0x730 net/core/net_namespace.c:314 copy_net_ns+0x1d9/0x340 net/core/net_namespace.c:437 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206 ksys_unshare+0x440/0x980 kernel/fork.c:2550 __do_sys_unshare kernel/fork.c:2618 [inline] __se_sys_unshare kernel/fork.c:2616 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:2616 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 27640: save_stack+0x45/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:457 kasan_slab_free+0xe/0x10 mm/kasan/common.c:465 __cache_free mm/slab.c:3494 [inline] kmem_cache_free+0x86/0x260 mm/slab.c:3754 sk_prot_free net/core/sock.c:1512 [inline] __sk_destruct+0x4b6/0x6d0 net/core/sock.c:1596 sk_destruct+0x7b/0x90 net/core/sock.c:1604 __sk_free+0xce/0x300 net/core/sock.c:1615 sk_free+0x42/0x50 net/core/sock.c:1626 sock_put include/net/sock.h:1707 [inline] sk_common_release+0x224/0x330 net/core/sock.c:3042 raw_close+0x22/0x30 net/ipv4/raw.c:708 inet_release+0x105/0x1f0 net/ipv4/af_inet.c:428 __sock_release+0x1fe/0x2b0 net/socket.c:579 sock_release+0x18/0x20 net/socket.c:599 inet_ctl_sock_destroy include/net/inet_common.h:56 [inline] icmp_sk_exit+0x11f/0x1f0 net/ipv4/icmp.c:1188 ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551 process_one_work+0x98e/0x1790 kernel/workqueue.c:2173 worker_thread+0x98/0xe40 kernel/workqueue.c:2319 kthread+0x357/0x430 kernel/kthread.c:246 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff888090d07780 which belongs to the cache RAW of size 1320 The buggy address is located 532 bytes to the right of 1320-byte region [ffff888090d07780, ffff888090d07ca8) The buggy address belongs to the page: page:ffffea0002434180 count:1 mapcount:0 mapping:ffff8880a7b1a780 index:0x0 compound_mapcount: 0 flags: 0x1fffc0000010200(slab|head) raw: 01fffc0000010200 ffffea00023d5288 ffffea0002997488 ffff8880a7b1a780 raw: 0000000000000000 ffff888090d06080 0000000100000005 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888090d07d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888090d07e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888090d07e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888090d07f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888090d07f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================