bisecting fixing commit since 14cfdbd39e316efd91ae6e403ef8211f0b022603
building syzkaller on 68660b21c27c417771037b3f1fe4aa072cfdeef9
testing commit 14cfdbd39e316efd91ae6e403ef8211f0b022603 with gcc (GCC) 8.1.0
kernel signature: db8c528768861aa9fc733e061a2d893bdace2795b4db1b6f56e80b564c616b9b
run #0: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #1: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #2: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #3: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #4: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #5: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #6: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #7: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #8: OK
run #9: OK
testing current HEAD 7edd66cf61670d2d0c31f89cb3a247016e489a8a
testing commit 7edd66cf61670d2d0c31f89cb3a247016e489a8a with gcc (GCC) 8.1.0
kernel signature: 5020504ba852a940350cfe87d5ec229687fa19ea79ed893a9cf3befef4b25ddd
run #0: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #1: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #2: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #3: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #4: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #5: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #6: crashed: kernel BUG at net/sctp/sm_sideeffect.c:LINE!
run #7: OK
run #8: OK
run #9: crashed: KASAN: use-after-free Read in sctp_do_8_2_transport_strike
revisions tested: 2, total time: 39m53.817631844s (build: 18m28.572899181s, test: 20m5.640831011s)
the crash still happens on HEAD
commit msg: Linux 4.19.118
crash: KASAN: use-after-free Read in sctp_do_8_2_transport_strike
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
NOHZ: local_softirq_pending 08
==================================================================
BUG: KASAN: use-after-free in sctp_do_8_2_transport_strike.isra.19+0x79a/0x800 net/sctp/sm_sideeffect.c:548
Read of size 4 at addr ffff8880838e2ed4 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.118-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x177 lib/dump_stack.c:118
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 sctp_do_8_2_transport_strike.isra.19+0x79a/0x800 net/sctp/sm_sideeffect.c:548
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1642 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
 sctp_do_sm+0x328e/0x5020 net/sctp/sm_sideeffect.c:1170
 sctp_generate_timeout_event+0x185/0x300 net/sctp/sm_sideeffect.c:310
 sctp_generate_t2_shutdown_event+0x15/0x20 net/sctp/sm_sideeffect.c:344
 call_timer_fn+0x14c/0x510 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers kernel/time/timer.c:1684 [inline]
 run_timer_softirq+0xb63/0x1180 kernel/time/timer.c:1697
 __do_softirq+0x260/0x92d kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x17f/0x1c0 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:544 [inline]
 smp_apic_timer_interrupt+0x13e/0x540 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:893
RIP: 0010:native_safe_halt+0x12/0x20 arch/x86/include/asm/irqflags.h:61
Code: 11 ff ff ff 4c 89 e7 e8 4c ef bc fa eb 97 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 e9 07 00 00 00 0f 00 2d 70 1e 53 00 fb f4 <5d> c3 66 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 e9 07 00 00
RSP: 0018:ffffffff88407c88 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: ffffffff88479e00 RCX: 0000000000000000
RDX: 1ffffffff10a4034 RSI: 0000000000000001 RDI: ffffffff885201a0
RBP: ffffffff88407c88 R08: ffffed1015d44733 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff88520190 R14: ffffffff892276d8 R15: 0000000000000000
 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
 default_idle+0x51/0x310 arch/x86/kernel/process.c:565
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:556
 default_idle_call+0x6d/0x90 kernel/sched/idle.c:93
 cpuidle_idle_call kernel/sched/idle.c:153 [inline]
 do_idle+0x41e/0x560 kernel/sched/idle.c:263
 cpu_startup_entry+0xc8/0xe0 kernel/sched/idle.c:369
 rest_init+0x193/0x199 init/main.c:441
 start_kernel+0x6a9/0x6e2 init/main.c:737
 x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
 x86_64_start_kernel+0x76/0x79 arch/x86/kernel/head64.c:471
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243

Allocated by task 30134:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x740 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 sctp_transport_new+0x53/0x6a0 net/sctp/transport.c:111
 sctp_assoc_add_peer+0x1c1/0xe40 net/sctp/associola.c:636
 sctp_assoc_update+0x93a/0xd40 net/sctp/associola.c:1185
 sctp_cmd_assoc_update net/sctp/sm_sideeffect.c:850 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1319 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
 sctp_do_sm+0x2220/0x5020 net/sctp/sm_sideeffect.c:1170
 sctp_assoc_bh_rcv+0x27b/0x5c0 net/sctp/associola.c:1073
 sctp_inq_push+0x1a5/0x230 net/sctp/inqueue.c:95
 sctp_backlog_rcv+0x1ac/0x1280 net/sctp/input.c:356
 sk_backlog_rcv include/net/sock.h:946 [inline]
 __release_sock+0x107/0x360 net/core/sock.c:2342
 release_sock+0x4f/0x180 net/core/sock.c:2858
 sctp_wait_for_connect+0x22c/0x4c0 net/sctp/socket.c:8632
 __sctp_connect+0x83d/0x9e0 net/sctp/socket.c:1259
 __sctp_setsockopt_connectx+0xec/0x140 net/sctp/socket.c:1367
 sctp_setsockopt_connectx net/sctp/socket.c:1399 [inline]
 sctp_setsockopt+0x1e88/0x4390 net/sctp/socket.c:4344
 sock_common_setsockopt+0x73/0xf0 net/core/sock.c:3049
 __sys_setsockopt+0x13e/0x210 net/socket.c:1901
 __do_sys_setsockopt net/socket.c:1912 [inline]
 __se_sys_setsockopt net/socket.c:1909 [inline]
 __x64_sys_setsockopt+0xb9/0x150 net/socket.c:1909
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 sctp_transport_destroy_rcu+0x44/0x50 net/sctp/transport.c:163
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0xbcd/0x19a0 kernel/rcu/tree.c:2881
 __do_softirq+0x260/0x92d kernel/softirq.c:292

The buggy address belongs to the object at ffff8880838e2d80
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 340 bytes inside of
 1024-byte region [ffff8880838e2d80, ffff8880838e3180)
The buggy address belongs to the page:
page:ffffea00020e3880 count:1 mapcount:0 mapping:ffff88812c29cac0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002415808 ffffea00028ecd08 ffff88812c29cac0
raw: 0000000000000000 ffff8880838e2000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880838e2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880838e2e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880838e2e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff8880838e2f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880838e2f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================