bisecting cause commit starting from 12d125b4574bd7f602802d94d7b4a55d85aa8e25
building syzkaller on b599f2fcc734e2183016a340d4f6fc2891d8e41f
testing commit 12d125b4574bd7f602802d94d7b4a55d85aa8e25
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 798b17899341510a43ec2e4ad33e0f51de46d5a23ef0189718ec34d1d60ae028
all runs: crashed: KASAN: slab-out-of-bounds Read in sk_psock_get
testing release v5.13
testing commit 62fb9874f5da54fdb243003b386128037319b219
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 909f5b513362d755e99068620c19525cb2afd91ca8725228219fd46574a48866
all runs: crashed: KASAN: slab-out-of-bounds Read in sk_psock_get
testing release v5.12
testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: bb4e26dd8f4a005b0fd76547575ef29621d4d502b5251ddaf0a5696974104629
all runs: crashed: KASAN: slab-out-of-bounds Read in sk_psock_get
testing release v5.11
testing commit f40ddce88593482919761f74910f42f4b84c004b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 3222e6ed80513dd888ba5df1ed0bb0fed90b38311471a07f8ebfef14f678fd42
all runs: crashed: KASAN: slab-out-of-bounds Read in sk_psock_get
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 35c88fb67e0626f0232c5254d6e9f188ff33bdc5ecf75a2e20b39b0354577e82
all runs: crashed: KASAN: slab-out-of-bounds Read in sk_psock_get
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 4753fc6113ccf19b73886623e431f1d42203e5df7900561c23ce4babeaf8f756
all runs: crashed: KASAN: slab-out-of-bounds Read in sk_psock_get
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 64bef9c619e4f9660afe7c971d6b25d7fe2654ae1e3be1137534ef774e1b1619
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162
compiler: gcc version 8.4.1 20210217 (GCC), GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: f76fe31c01316385978519b5b4e89add706a0c3d5fe63afc28097ce825bd70af
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: ce1c40f29ea7dac1ab1efcb8a4c28e91d707e6db2dd3c7ba2f4d3ff05339b929
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 52e3d19b3dd1254ec0fc70d5e850d8b373790b6a1ce2b4832bb7a2a2d3945561
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: aaf25273084462a2ad615141adb1da70de0e843313526173854dc50400e6d06c
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 6a118b86ece6a00ec309dfe958551a7e37b62c5a38c74bfffbdf71d5ff2118cf
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: dc0a4e06aabc5a71b7bb3c51a117c73e328564b4a4f21cfd43ea9747d8ce137d
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 6f28a54ae9631f7a38ae82812fc557e8efc8855fdd74a27360b3ac8c36083bee
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: cc4af3f53694d3fa6e61b52de0e00edfb6449f3b5e2c0a6ea7e7eb72c3e13ece
all runs: OK
# git bisect start e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd 1c163f4c7b3f621efff9b28a47abb36f7378d783
Bisecting: 7074 revisions left to test after this (roughly 13 steps)
[b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew)

testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 61af8cf1c51e8853a710ecadbb95b3a9a63c95cd38cd9b30e029d4ab97e0f4df
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
# git bisect bad b5dd0c658c31b469ccff1b637e5124851e7a4a1c
Bisecting: 3569 revisions left to test after this (roughly 12 steps)
[3478588b5136966c80c571cf0006f08e9e5b8f04] Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

testing commit 3478588b5136966c80c571cf0006f08e9e5b8f04
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 1d726204187ff3388d7e342fbb4293a36d9b143a473f5c31dab6cbb608306e7f
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
# git bisect bad 3478588b5136966c80c571cf0006f08e9e5b8f04
Bisecting: 1673 revisions left to test after this (roughly 11 steps)
[1a2566085650be593d464c4d73ac2d20ff67c058] Merge tag 'wireless-drivers-next-for-davem-2019-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next

testing commit 1a2566085650be593d464c4d73ac2d20ff67c058
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 65e9cb0635a6f9b5bdcde8262c086d8c055141300f588ca41213e048172cc167
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
# git bisect bad 1a2566085650be593d464c4d73ac2d20ff67c058
Bisecting: 920 revisions left to test after this (roughly 10 steps)
[deedf1feb255c7a390309f615e50de37cb82fb61] r8169: Avoid pointer aliasing

testing commit deedf1feb255c7a390309f615e50de37cb82fb61
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 1ad9bfc6d498b0c04764100ad6897e764dff220a7bd2b94ee549ad5f347d6101
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
# git bisect bad deedf1feb255c7a390309f615e50de37cb82fb61
Bisecting: 432 revisions left to test after this (roughly 9 steps)
[ec7146db150082737cbfeacaae0f33e42c95cf18] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

testing commit ec7146db150082737cbfeacaae0f33e42c95cf18
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 8e46d1be6b7e5c0de3f06960fbc4617dfdc5203a7505587ebd6ba9e749c0ef5e
run #0: OK
run #1: boot failed: KASAN: use-after-free Read in generic_make_request
run #2: boot failed: KASAN: use-after-free Read in generic_make_request
run #3: boot failed: KASAN: use-after-free Read in generic_make_request
run #4: boot failed: KASAN: use-after-free Read in generic_make_request
run #5: boot failed: KASAN: use-after-free Read in generic_make_request
run #6: boot failed: KASAN: use-after-free Read in generic_make_request
run #7: boot failed: KASAN: use-after-free Read in generic_make_request
run #8: boot failed: KASAN: use-after-free Read in generic_make_request
run #9: boot failed: KASAN: use-after-free Read in generic_make_request
# git bisect skip ec7146db150082737cbfeacaae0f33e42c95cf18
Bisecting: 432 revisions left to test after this (roughly 9 steps)
[6e6b904ad4f9aed43ec320afbd5a52ed8461ab41] ip_tunnel: Fix route fl4 init in ip_md_tunnel_xmit

testing commit 6e6b904ad4f9aed43ec320afbd5a52ed8461ab41
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 30eb2de62b4979cd9fd87e5fd533c3c66fd2161b3c5f3b781e1ce3aa68d4c339
all runs: OK
# git bisect good 6e6b904ad4f9aed43ec320afbd5a52ed8461ab41
Bisecting: 267 revisions left to test after this (roughly 8 steps)
[beb73559bf57b0151dba0c27c4f866599f57bb0b] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

testing commit beb73559bf57b0151dba0c27c4f866599f57bb0b
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 0efcea8b35669487536cbb1980ad661fb4b6b49a3ad33735604315209cff0629
failed: failed to create VM pool: failed to create GCE image: create image operation failed: &{Code:PERMISSIONS_ERROR Location: Message:Required 'read' permission for 'disks/ci-upstream-net-this-kasan-gce-bisect-job-bisect-job-image.tar.gz' ForceSendFields:[] NullFields:[]}.
# git bisect skip beb73559bf57b0151dba0c27c4f866599f57bb0b
Bisecting: 267 revisions left to test after this (roughly 8 steps)
[06240e1b526d426acfe7b21e673da49e12f5a225] sh_eth: offload RX checksum on SH7734

testing commit 06240e1b526d426acfe7b21e673da49e12f5a225
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 086be7524cf633c17c457a12d1e1a6488a1b3dee0d0a139beb233c9316a7267f
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
# git bisect bad 06240e1b526d426acfe7b21e673da49e12f5a225
Bisecting: 175 revisions left to test after this (roughly 8 steps)
[cb56e214679ffd1e30e980c56349831c5a00cfdf] mlxsw: spectrum_acl: Include delta bits into hashtable key

testing commit cb56e214679ffd1e30e980c56349831c5a00cfdf
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 914612c7f41bc76b342f03faa544b2e3a1701bcd4a56f3c39c76eb869cb1acda
all runs: OK
# git bisect good cb56e214679ffd1e30e980c56349831c5a00cfdf
Bisecting: 87 revisions left to test after this (roughly 7 steps)
[ddb6e99e2db14d4b3c22a0dbddc6a09234856bb7] ethtool: add compat for devlink info

testing commit ddb6e99e2db14d4b3c22a0dbddc6a09234856bb7
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a1c52e0bbe1d8bf5b71163d973eb40607ab84929776eaed50594dfd2980e94c7
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
# git bisect bad ddb6e99e2db14d4b3c22a0dbddc6a09234856bb7
Bisecting: 42 revisions left to test after this (roughly 6 steps)
[752cfee90d11e280d727617bf8d6df894141e157] Merge remote-tracking branch 'net-next/master' into mac80211-next

testing commit 752cfee90d11e280d727617bf8d6df894141e157
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 998c22edfd98438eb6c295e591cc303af8b59fd9d491d9b472a5473b232a7c1d
all runs: OK
# git bisect good 752cfee90d11e280d727617bf8d6df894141e157
Bisecting: 20 revisions left to test after this (roughly 5 steps)
[1f533ba6d50d0e7a104d1a2c1e1a28ee0b919a90] ipv4: fib: use struct_size() in kzalloc()

testing commit 1f533ba6d50d0e7a104d1a2c1e1a28ee0b919a90
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 76609b144744c84a93e84c9ae129935034153efa690e943239a486761a9e9b82
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
# git bisect bad 1f533ba6d50d0e7a104d1a2c1e1a28ee0b919a90
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[fb99bce7120014307dde57b3d7def6977a9a62a1] net: tls: Support 256 bit keys

testing commit fb99bce7120014307dde57b3d7def6977a9a62a1
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 1487309368cb3dfea6af6662016c3bf2aba6a8efeec622d0a0f14e82f5facca2
all runs: OK
# git bisect good fb99bce7120014307dde57b3d7def6977a9a62a1
Bisecting: 4 revisions left to test after this (roughly 3 steps)
[5b053e121ffdec851dc3a7046e9bece287a3c5b1] net: tls: Set async_capable for tls zerocopy only if we see EINPROGRESS

testing commit 5b053e121ffdec851dc3a7046e9bece287a3c5b1
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 41f3efb3b0c4c426ea3a2162e71170d37c87b6f1db1d2c033f1a5ae4ba090dd3
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
# git bisect bad 5b053e121ffdec851dc3a7046e9bece287a3c5b1
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[130b392c6cd6b2aed1b7eb32253d4920babb4891] net: tls: Add tls 1.3 support

testing commit 130b392c6cd6b2aed1b7eb32253d4920babb4891
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a453d9e9b573c8e28b4545d4c1f5fe29569d75308b990e0f0bf0056cfc224937
all runs: crashed: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
# git bisect bad 130b392c6cd6b2aed1b7eb32253d4920babb4891
Bisecting: 1 revision left to test after this (roughly 1 step)
[a2ef9b6a22bd22841bde53e52cc50476fb4d1a5d] net: tls: Refactor tls aad space size calculation

testing commit a2ef9b6a22bd22841bde53e52cc50476fb4d1a5d
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 3d5f12c2fa977b75e6117cadb43d4d2811153d7d865edc242ed3fb0cda6b3986
all runs: OK
# git bisect good a2ef9b6a22bd22841bde53e52cc50476fb4d1a5d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[fedf201e12960bd2fab0596422851b20a8d80d20] net: tls: Refactor control message handling on recv

testing commit fedf201e12960bd2fab0596422851b20a8d80d20
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 1f1354a6e7970f3cf682d38e5e773fde1249a40fa63136df07b8ed2c544303e5
all runs: OK
# git bisect good fedf201e12960bd2fab0596422851b20a8d80d20
130b392c6cd6b2aed1b7eb32253d4920babb4891 is the first bad commit
commit 130b392c6cd6b2aed1b7eb32253d4920babb4891
Author: Dave Watson <davejwatson@fb.com>
Date:   Wed Jan 30 21:58:31 2019 +0000

    net: tls: Add tls 1.3 support
    
    TLS 1.3 has minor changes from TLS 1.2 at the record layer.
    
    * Header now hardcodes the same version and application content type in
      the header.
    * The real content type is appended after the data, before encryption (or
      after decryption).
    * The IV is xored with the sequence number, instead of concatinating four
      bytes of IV with the explicit IV.
    * Zero-padding:  No exlicit length is given, we search backwards from the
      end of the decrypted data for the first non-zero byte, which is the
      content type.  Currently recv supports reading zero-padding, but there
      is no way for send to add zero padding.
    
    Signed-off-by: Dave Watson <davejwatson@fb.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/tls.h             |  66 +++++++++++++++++-------
 include/uapi/linux/tls.h      |   4 ++
 net/tls/tls_device.c          |   5 +-
 net/tls/tls_device_fallback.c |   3 +-
 net/tls/tls_main.c            |   3 +-
 net/tls/tls_sw.c              | 116 ++++++++++++++++++++++++++++++++++--------
 6 files changed, 154 insertions(+), 43 deletions(-)

culprit signature: a453d9e9b573c8e28b4545d4c1f5fe29569d75308b990e0f0bf0056cfc224937
parent  signature: 1f1354a6e7970f3cf682d38e5e773fde1249a40fa63136df07b8ed2c544303e5
revisions tested: 32, total time: 6h25m15.896815596s (build: 4h0m20.366273162s, test: 2h20m46.39288687s)
first bad commit: 130b392c6cd6b2aed1b7eb32253d4920babb4891 net: tls: Add tls 1.3 support
recipients (to): ["aviadye@mellanox.com" "borisp@mellanox.com" "daniel@iogearbox.net" "davejwatson@fb.com" "davejwatson@fb.com" "davem@davemloft.net" "davem@davemloft.net" "john.fastabend@gmail.com" "netdev@vger.kernel.org"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: KASAN: slab-out-of-bounds Read in tls_sw_recvmsg
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
tls_set_device_offload_rx: netdev lo with no TLS offload
==================================================================
BUG: KASAN: slab-out-of-bounds in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: slab-out-of-bounds in refcount_add_not_zero arch/x86/include/asm/refcount.h:87 [inline]
BUG: KASAN: slab-out-of-bounds in refcount_inc_not_zero arch/x86/include/asm/refcount.h:109 [inline]
BUG: KASAN: slab-out-of-bounds in sk_psock_get include/linux/skmsg.h:404 [inline]
BUG: KASAN: slab-out-of-bounds in tls_sw_recvmsg+0xa78/0x10f0 net/tls/tls_sw.c:1626
Read of size 4 at addr ffff8880a11b8258 by task syz-executor.3/10222

CPU: 0 PID: 10222 Comm: syz-executor.3 Not tainted 5.0.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x86/0xca lib/dump_stack.c:113
 print_address_description.cold.3+0x9/0x244 mm/kasan/report.c:187
 kasan_report.cold.4+0x1b/0x35 mm/kasan/report.c:317
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x13c/0x1b0 mm/kasan/generic.c:191
 kasan_check_read+0x11/0x20 mm/kasan/common.c:100
 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
 refcount_add_not_zero arch/x86/include/asm/refcount.h:87 [inline]
 refcount_inc_not_zero arch/x86/include/asm/refcount.h:109 [inline]
 sk_psock_get include/linux/skmsg.h:404 [inline]
 tls_sw_recvmsg+0xa78/0x10f0 net/tls/tls_sw.c:1626
 inet_recvmsg+0x111/0x580 net/ipv4/af_inet.c:830
 sock_recvmsg_nosec net/socket.c:794 [inline]
 sock_recvmsg net/socket.c:801 [inline]
 sock_recvmsg+0xb7/0xf0 net/socket.c:797
 ___sys_recvmsg+0x219/0x540 net/socket.c:2278
 do_recvmmsg+0x221/0x650 net/socket.c:2391
 __sys_recvmmsg+0x175/0x1c0 net/socket.c:2470
 __do_sys_recvmmsg net/socket.c:2493 [inline]
 __se_sys_recvmmsg net/socket.c:2486 [inline]
 __x64_sys_recvmmsg+0xc0/0x160 net/socket.c:2486
 do_syscall_64+0xa3/0x440 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f939c848188 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
RDX: 000000000000000a RSI: 00000000200030c0 RDI: 0000000000000005
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000010000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffef2a579df R14: 00007f939c848300 R15: 0000000000022000

Allocated by task 10248:
 save_stack mm/kasan/common.c:73 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x66/0x100 mm/kasan/common.c:496
 __kasan_kmalloc.constprop.1+0xb5/0xc0 mm/kasan/common.c:477
 kasan_kmalloc mm/kasan/common.c:504 [inline]
 kasan_slab_alloc+0x11/0x20 mm/kasan/common.c:411
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slub.c:2739 [inline]
 slab_alloc mm/slub.c:2747 [inline]
 kmem_cache_alloc+0xd9/0x2c0 mm/slub.c:2752
 kmem_cache_zalloc include/linux/slab.h:730 [inline]
 kcm_attach net/kcm/kcmsock.c:1405 [inline]
 kcm_attach_ioctl net/kcm/kcmsock.c:1490 [inline]
 kcm_ioctl+0x7a3/0x1400 net/kcm/kcmsock.c:1696
 sock_do_ioctl+0xd9/0x270 net/socket.c:950
 sock_ioctl+0x287/0x510 net/socket.c:1074
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xa3/0x440 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880a11b8000
 which belongs to the cache kcm_psock_cache of size 544
The buggy address is located 56 bytes to the right of
 544-byte region [ffff8880a11b8000, ffff8880a11b8220)
The buggy address belongs to the page:
page:ffffea0002846e00 count:1 mapcount:0 mapping:ffff8882354a4600 index:0x0 compound_mapcount: 0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000200 ffff8882354a4600
raw: 0000000000000000 0000000080170017 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page allocated via order 2, migratetype Unmovable, gfp_mask 0x152c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:1950 [inline]
 prep_new_page mm/page_alloc.c:1958 [inline]
 get_page_from_freelist.part.22+0x300d/0x45b0 mm/page_alloc.c:3500
 get_page_from_freelist mm/page_alloc.c:3390 [inline]
 __alloc_pages_nodemask+0x2a6/0x2500 mm/page_alloc.c:4535
 alloc_pages_current+0xd6/0x1b0 mm/mempolicy.c:2106
 alloc_pages include/linux/gfp.h:509 [inline]
 alloc_slab_page mm/slub.c:1477 [inline]
 allocate_slab mm/slub.c:1622 [inline]
 new_slab+0x417/0x780 mm/slub.c:1696
 new_slab_objects mm/slub.c:2450 [inline]
 ___slab_alloc+0x5b7/0x900 mm/slub.c:2602
 __slab_alloc.isra.22+0x4f/0x80 mm/slub.c:2642
 slab_alloc_node mm/slub.c:2705 [inline]
 slab_alloc mm/slub.c:2747 [inline]
 kmem_cache_alloc+0x244/0x2c0 mm/slub.c:2752
 kmem_cache_zalloc include/linux/slab.h:730 [inline]
 kcm_attach net/kcm/kcmsock.c:1405 [inline]
 kcm_attach_ioctl net/kcm/kcmsock.c:1490 [inline]
 kcm_ioctl+0x7a3/0x1400 net/kcm/kcmsock.c:1696
 sock_do_ioctl+0xd9/0x270 net/socket.c:950
 sock_ioctl+0x287/0x510 net/socket.c:1074
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xa3/0x440 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Memory state around the buggy address:
 ffff8880a11b8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a11b8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a11b8200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
                                                    ^
 ffff8880a11b8280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a11b8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
tls_set_device_offload_rx: netdev lo with no TLS offload
------------[ cut here ]------------
downgrading a read lock
WARNING: CPU: 0 PID: 10256 at kernel/locking/lockdep.c:3553 __lock_downgrade kernel/locking/lockdep.c:3553 [inline]
WARNING: CPU: 0 PID: 10256 at kernel/locking/lockdep.c:3553 lock_downgrade+0x3c1/0x610 kernel/locking/lockdep.c:3816