bisecting cause commit starting from d3fde8ff50ab265749704bd7fbcf70d35235421f building syzkaller on a46af3462c457f5f23b620200144d9a2a430f49f testing commit d3fde8ff50ab265749704bd7fbcf70d35235421f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5929349063b086e4bafd3d847bfd907d1d6fc5572d86cc4df0cdb32c1ebfeccc run #0: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #1: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #2: crashed: KASAN: use-after-free Write in inet_put_port run #3: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #4: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #5: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #6: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #7: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #8: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK reproducer seems to be flaky testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 46eef239264887ffe4f9af01ff7ba7b112774423d199f73bc9bdd14a5617e902 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect start d3fde8ff50ab265749704bd7fbcf70d35235421f 4b0986a3613c92f4ec1bdc7f60ec66fea135991f Bisecting: 7255 revisions left to test after this (roughly 13 steps) [2518f226c60d8e04d18ba4295500a5b0b8ac7659] Merge tag 'drm-next-2022-05-25' of git://anongit.freedesktop.org/drm/drm testing commit 2518f226c60d8e04d18ba4295500a5b0b8ac7659 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8751ffc43b36b41956cde19f975a96c2fce6c25da401e631988c1072162505a4 run #0: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #1: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #2: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #3: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #4: crashed: KASAN: use-after-free Write in inet_put_port run #5: crashed: KASAN: use-after-free Write in inet_put_port run #6: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #7: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #8: OK run #9: OK run #10: OK run #11: OK run #12: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 2518f226c60d8e04d18ba4295500a5b0b8ac7659 Bisecting: 3998 revisions left to test after this (roughly 12 steps) [5d1772b1739b085721431eef0c0400f3aff01abf] Merge branch 'for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq testing commit 5d1772b1739b085721431eef0c0400f3aff01abf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8377c9001332936a495d735c549d89bd7dda473c468cd08bdf7769df7244b6c3 all runs: OK # git bisect good 5d1772b1739b085721431eef0c0400f3aff01abf Bisecting: 1999 revisions left to test after this (roughly 11 steps) [57d7becda9c9e612e6b00676f2eecfac3e719e88] Merge branch 'ptp-ocp-various-updates' testing commit 57d7becda9c9e612e6b00676f2eecfac3e719e88 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 280b1b3a0a014a5f8b370958c382b776f261cca5e61f4b833d7897fc160e0c01 run #0: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #1: crashed: KASAN: use-after-free Write in inet_put_port run #2: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #3: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #4: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #5: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #6: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 57d7becda9c9e612e6b00676f2eecfac3e719e88 Bisecting: 933 revisions left to test after this (roughly 10 steps) [f43f0cd2d9b07caf38d744701b0b54d4244da8cc] Merge tag 'wireless-next-2022-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next testing commit f43f0cd2d9b07caf38d744701b0b54d4244da8cc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9dcb32a95936906a66009b57ffcf3584c5410397b8b545221a205232b3ac0793 all runs: OK # git bisect good f43f0cd2d9b07caf38d744701b0b54d4244da8cc Bisecting: 469 revisions left to test after this (roughly 9 steps) [1a6dd9996699889313327be03981716a8337656b] can: mcp251xfd: silence clang's -Wunaligned-access warning testing commit 1a6dd9996699889313327be03981716a8337656b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 68c1ef0cd7a4b6fecc1bc5cb1cb252598fd4c640f54e03872994f8585b324572 all runs: OK # git bisect good 1a6dd9996699889313327be03981716a8337656b Bisecting: 234 revisions left to test after this (roughly 8 steps) [cf0005d2b07b6eccc8d4f3f3c4faee59e7409a95] Merge branch 'net-gcc12-warnings' testing commit cf0005d2b07b6eccc8d4f3f3c4faee59e7409a95 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e94fba82c5a852eefa515e176d5353ccc93a73e752e6c3370f0863bf12391b27 run #0: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #1: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #2: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #3: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #4: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #5: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #6: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad cf0005d2b07b6eccc8d4f3f3c4faee59e7409a95 Bisecting: 116 revisions left to test after this (roughly 7 steps) [d93185a92918c38996dbe24ecb6bb0f30078bc75] Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git testing commit d93185a92918c38996dbe24ecb6bb0f30078bc75 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f0d4c600bea10ab5f31c22dd5297ee594d59d126eb4e76b5187e19d46818cf1f all runs: OK # git bisect good d93185a92918c38996dbe24ecb6bb0f30078bc75 Bisecting: 58 revisions left to test after this (roughly 6 steps) [c9d92cf28c0cda6e3bd76b75e6e343b86075cd2d] net: ipa: rename a GSI error code testing commit c9d92cf28c0cda6e3bd76b75e6e343b86075cd2d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7b7363ab1a4b580b44e5dd202e9f1564c613299091005c025b1f739fdddc5131 all runs: OK # git bisect good c9d92cf28c0cda6e3bd76b75e6e343b86075cd2d Bisecting: 29 revisions left to test after this (roughly 5 steps) [153213f0554d5053d5f9385ae6b4f116c4dc1fb8] net: ipa: make endpoint HOLB drop configurable testing commit 153213f0554d5053d5f9385ae6b4f116c4dc1fb8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 78dd9853bdcbe4400b77afe2ed71f835c935c93c078c1e80c98dca283936ad53 run #0: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #1: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #2: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #3: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #4: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 153213f0554d5053d5f9385ae6b4f116c4dc1fb8 Bisecting: 14 revisions left to test after this (roughly 4 steps) [c2e10f53455c898050738d6a5f8c237f27aec225] net: vxlan: Fix kernel coding style testing commit c2e10f53455c898050738d6a5f8c237f27aec225 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 89c529804763394b8e8702892c960aa5e0fe3e76592e91b4e7941373c50cfb58 all runs: OK # git bisect good c2e10f53455c898050738d6a5f8c237f27aec225 Bisecting: 7 revisions left to test after this (roughly 3 steps) [1f36a72ae347bc922bddf9382b608afa47a25a28] net: sparx5: switchdev: fix typo in comment testing commit 1f36a72ae347bc922bddf9382b608afa47a25a28 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d78dac849f8ad1ce5c003537aba6fe048acd306c2feaa38d2a1090a3007c7e86 run #0: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #1: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #2: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #3: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #4: crashed: KASAN: use-after-free Write in inet_put_port run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 1f36a72ae347bc922bddf9382b608afa47a25a28 Bisecting: 3 revisions left to test after this (roughly 2 steps) [eac67d83bf2553f98cfddd42cfbcfd6f9ccfc287] wwan: iosm: use a flexible array rather than allocate short objects testing commit eac67d83bf2553f98cfddd42cfbcfd6f9ccfc287 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9ae34d3877006782c091da84091a9fcc4a7b5addbaea158834b493345ea22b20 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect good eac67d83bf2553f98cfddd42cfbcfd6f9ccfc287 Bisecting: 1 revision left to test after this (roughly 1 step) [538aaf9b2383701094a47797b4554c6a21c83eed] selftests: Add test for timing a bind request to a port with a populated bhash entry testing commit 538aaf9b2383701094a47797b4554c6a21c83eed compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 920581385218fdcea1f914b5852e895c56f3c4d74eb07f6bdefd0cdf1e9cbbec run #0: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #1: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #2: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #3: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #4: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #5: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #6: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 538aaf9b2383701094a47797b4554c6a21c83eed Bisecting: 0 revisions left to test after this (roughly 0 steps) [d5a42de8bdbe25081f07b801d8b35f4d75a791f4] net: Add a second bind table hashed by port and address testing commit d5a42de8bdbe25081f07b801d8b35f4d75a791f4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1d24afc50bda9fc8c8b183a2c94a94de3b5a2120a99b23c9bf691ddb48d9b68a run #0: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #1: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #2: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #3: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #4: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #5: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #6: OK run #7: crashed: KASAN: use-after-free Read in inet_bind2_bucket_find run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad d5a42de8bdbe25081f07b801d8b35f4d75a791f4 d5a42de8bdbe25081f07b801d8b35f4d75a791f4 is the first bad commit commit d5a42de8bdbe25081f07b801d8b35f4d75a791f4 Author: Joanne Koong Date: Thu May 19 17:18:33 2022 -0700 net: Add a second bind table hashed by port and address We currently have one tcp bind table (bhash) which hashes by port number only. In the socket bind path, we check for bind conflicts by traversing the specified port's inet_bind2_bucket while holding the bucket's spinlock (see inet_csk_get_port() and inet_csk_bind_conflict()). In instances where there are tons of sockets hashed to the same port at different addresses, checking for a bind conflict is time-intensive and can cause softirq cpu lockups, as well as stops new tcp connections since __inet_inherit_port() also contests for the spinlock. This patch proposes adding a second bind table, bhash2, that hashes by port and ip address. Searching the bhash2 table leads to significantly faster conflict resolution and less time holding the spinlock. Signed-off-by: Joanne Koong Reviewed-by: Eric Dumazet Acked-by: Kuniyuki Iwashima Signed-off-by: Jakub Kicinski include/net/inet_connection_sock.h | 3 + include/net/inet_hashtables.h | 68 +++++++++- include/net/sock.h | 14 +++ net/dccp/proto.c | 33 ++++- net/ipv4/inet_connection_sock.c | 247 +++++++++++++++++++++++++++---------- net/ipv4/inet_hashtables.c | 193 +++++++++++++++++++++++++++-- net/ipv4/tcp.c | 14 ++- 7 files changed, 489 insertions(+), 83 deletions(-) culprit signature: 1d24afc50bda9fc8c8b183a2c94a94de3b5a2120a99b23c9bf691ddb48d9b68a parent signature: 9ae34d3877006782c091da84091a9fcc4a7b5addbaea158834b493345ea22b20 Reproducer flagged being flaky revisions tested: 16, total time: 4h2m43.03656772s (build: 1h38m11.375794699s, test: 2h23m6.412298626s) first bad commit: d5a42de8bdbe25081f07b801d8b35f4d75a791f4 net: Add a second bind table hashed by port and address recipients (to): ["edumazet@google.com" "joannelkoong@gmail.com" "kuba@kernel.org" "kuniyu@amazon.co.jp"] recipients (cc): [] crash: KASAN: use-after-free Read in inet_bind2_bucket_find ================================================================== BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:361 [inline] BUG: KASAN: use-after-free in ib2_net include/net/inet_hashtables.h:116 [inline] BUG: KASAN: use-after-free in check_bind2_bucket_match net/ipv4/inet_hashtables.c:765 [inline] BUG: KASAN: use-after-free in inet_bind2_bucket_find+0x449/0x790 net/ipv4/inet_hashtables.c:819 Read of size 8 at addr ffff88806838b880 by task syz-executor.3/11695 CPU: 1 PID: 11695 Comm: syz-executor.3 Not tainted 5.18.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 read_pnet include/net/net_namespace.h:361 [inline] ib2_net include/net/inet_hashtables.h:116 [inline] check_bind2_bucket_match net/ipv4/inet_hashtables.c:765 [inline] inet_bind2_bucket_find+0x449/0x790 net/ipv4/inet_hashtables.c:819 __inet_hash_connect+0x8de/0x12b0 net/ipv4/inet_hashtables.c:949 dccp_v4_connect+0xb1e/0x1750 net/dccp/ipv4.c:108 __inet_stream_connect+0x6d5/0xd10 net/ipv4/af_inet.c:660 inet_stream_connect+0x4e/0xa0 net/ipv4/af_inet.c:724 io_connect+0x27b/0x550 fs/io_uring.c:5690 io_issue_sqe+0x193a/0x75c0 fs/io_uring.c:7187 __io_queue_sqe fs/io_uring.c:7515 [inline] io_queue_sqe fs/io_uring.c:7557 [inline] io_submit_sqe fs/io_uring.c:7762 [inline] io_submit_sqes+0x1b37/0x8210 fs/io_uring.c:7868 __do_sys_io_uring_enter+0x9a0/0x1a60 fs/io_uring.c:10813 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fcec3c89109 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fcec4d39168 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 00007fcec3d9bf60 RCX: 00007fcec3c89109 RDX: 0000000000000000 RSI: 00000000000045f5 RDI: 0000000000000003 RBP: 00007fcec3ce308d R08: 0000000000000000 R09: 0000000000000004 R10: 0000000000000009 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd2079ceaf R14: 00007fcec4d39300 R15: 0000000000022000 Allocated by task 11698: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:469 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:749 [inline] slab_alloc_node mm/slub.c:3217 [inline] slab_alloc mm/slub.c:3225 [inline] __kmem_cache_alloc_lru mm/slub.c:3232 [inline] kmem_cache_alloc+0x204/0x3b0 mm/slub.c:3242 inet_bind2_bucket_create+0x2a/0x380 net/ipv4/inet_hashtables.c:91 __inet_hash_connect+0xc83/0x12b0 net/ipv4/inet_hashtables.c:951 dccp_v4_connect+0xb1e/0x1750 net/dccp/ipv4.c:108 __inet_stream_connect+0x6d5/0xd10 net/ipv4/af_inet.c:660 inet_stream_connect+0x4e/0xa0 net/ipv4/af_inet.c:724 io_connect+0x27b/0x550 fs/io_uring.c:5690 io_issue_sqe+0x193a/0x75c0 fs/io_uring.c:7187 __io_queue_sqe fs/io_uring.c:7515 [inline] io_queue_sqe fs/io_uring.c:7557 [inline] io_submit_sqe fs/io_uring.c:7762 [inline] io_submit_sqes+0x1b37/0x8210 fs/io_uring.c:7868 __do_sys_io_uring_enter+0x9a0/0x1a60 fs/io_uring.c:10813 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 11698: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 slab_free mm/slub.c:3510 [inline] kmem_cache_free+0xdd/0x5a0 mm/slub.c:3527 inet_bind2_bucket_destroy net/ipv4/inet_hashtables.c:137 [inline] inet_bind2_bucket_destroy net/ipv4/inet_hashtables.c:133 [inline] __inet_put_port net/ipv4/inet_hashtables.c:174 [inline] inet_put_port+0x456/0x720 net/ipv4/inet_hashtables.c:182 dccp_set_state+0x137/0x2b0 net/dccp/proto.c:103 dccp_done+0x10/0xd0 net/dccp/proto.c:138 dccp_rcv_state_process+0x916/0x1340 net/dccp/input.c:662 dccp_v4_do_rcv+0xd8/0x150 net/dccp/ipv4.c:695 sk_backlog_rcv include/net/sock.h:1061 [inline] __release_sock+0x113/0x360 net/core/sock.c:2849 release_sock+0x4a/0x170 net/core/sock.c:3404 inet_stream_connect+0x71/0xa0 net/ipv4/af_inet.c:725 io_connect+0x27b/0x550 fs/io_uring.c:5690 io_issue_sqe+0x193a/0x75c0 fs/io_uring.c:7187 __io_queue_sqe fs/io_uring.c:7515 [inline] io_queue_sqe fs/io_uring.c:7557 [inline] io_submit_sqe fs/io_uring.c:7762 [inline] io_submit_sqes+0x1b37/0x8210 fs/io_uring.c:7868 __do_sys_io_uring_enter+0x9a0/0x1a60 fs/io_uring.c:10813 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88806838b880 which belongs to the cache dccp_bind2_bucket of size 56 The buggy address is located 0 bytes inside of 56-byte region [ffff88806838b880, ffff88806838b8b8) The buggy address belongs to the physical page: page:ffffea0001a0e2c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6838b memcg:ffff88801958be01 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0001a67a00 dead000000000002 ffff888021fea140 raw: 0000000000000000 0000000000200020 00000001ffffffff ffff88801958be01 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 4243, tgid 4242 (syz-executor.3), ts 76303355335, free_ts 9989963057 prep_new_page mm/page_alloc.c:2441 [inline] get_page_from_freelist+0x178d/0x3dc0 mm/page_alloc.c:4182 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab+0x26c/0x3c0 mm/slub.c:1944 new_slab mm/slub.c:2004 [inline] ___slab_alloc+0x8e1/0xf20 mm/slub.c:3005 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092 slab_alloc_node mm/slub.c:3183 [inline] slab_alloc mm/slub.c:3225 [inline] __kmem_cache_alloc_lru mm/slub.c:3232 [inline] kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242 inet_bind2_bucket_create+0x2a/0x380 net/ipv4/inet_hashtables.c:91 __inet_hash_connect+0xc83/0x12b0 net/ipv4/inet_hashtables.c:951 dccp_v4_connect+0xb1e/0x1750 net/dccp/ipv4.c:108 __inet_stream_connect+0x6d5/0xd10 net/ipv4/af_inet.c:660 inet_stream_connect+0x4e/0xa0 net/ipv4/af_inet.c:724 io_connect+0x27b/0x550 fs/io_uring.c:5690 io_issue_sqe+0x193a/0x75c0 fs/io_uring.c:7187 __io_queue_sqe fs/io_uring.c:7515 [inline] io_req_task_submit+0xaa/0x5e0 fs/io_uring.c:2578 handle_tw_list fs/io_uring.c:2463 [inline] tctx_task_work+0x550/0xf50 fs/io_uring.c:2497 task_work_run+0xc0/0x160 kernel/task_work.c:164 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1356 [inline] free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1406 free_unref_page_prepare mm/page_alloc.c:3328 [inline] free_unref_page+0x19/0x6a0 mm/page_alloc.c:3423 free_contig_range+0xb1/0x180 mm/page_alloc.c:9418 destroy_args+0x7e/0x503 mm/debug_vm_pgtable.c:1018 debug_vm_pgtable+0x1fc8/0x204c mm/debug_vm_pgtable.c:1332 do_one_initcall+0xbe/0x440 init/main.c:1298 do_initcall_level init/main.c:1371 [inline] do_initcalls init/main.c:1387 [inline] do_basic_setup init/main.c:1406 [inline] kernel_init_freeable+0x5ab/0x605 init/main.c:1613 kernel_init+0x14/0x130 init/main.c:1502 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 Memory state around the buggy address: ffff88806838b780: fa fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc ffff88806838b800: fa fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc >ffff88806838b880: fa fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc ^ ffff88806838b900: fa fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc ffff88806838b980: fa fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc ==================================================================