bisecting cause commit starting from 0072a0c14d5b7cb72c611d396f143f5dcd73ebe2
building syzkaller on ac6c05788bacd0648a3fe6267f25c1d40a00ed98
testing commit 0072a0c14d5b7cb72c611d396f143f5dcd73ebe2 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __lock_sock
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __lock_sock
run #1: crashed: KASAN: use-after-free Read in __lock_sock
run #2: crashed: KASAN: use-after-free Read in __lock_sock
run #3: crashed: KASAN: use-after-free Read in __lock_sock
run #4: crashed: KASAN: use-after-free Read in __lock_sock
run #5: crashed: KASAN: use-after-free Read in __lock_sock
run #6: crashed: KASAN: use-after-free Read in __lock_sock
run #7: crashed: KASAN: use-after-free Read in __lock_sock
run #8: crashed: KASAN: use-after-free Read in __lock_sock
run #9: OK
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in sctp_transport_get_next
run #1: crashed: KASAN: use-after-free Read in __lock_sock
run #2: crashed: KASAN: use-after-free Read in sctp_sock_dump
run #3: crashed: KASAN: use-after-free Read in __lock_sock
run #4: crashed: KASAN: use-after-free Read in __lock_sock
run #5: crashed: KASAN: use-after-free Read in __lock_sock
run #6: crashed: KASAN: use-after-free Read in __lock_sock
run #7: crashed: KASAN: use-after-free Read in __lock_sock
run #8: crashed: KASAN: use-after-free Read in __lock_sock
run #9: crashed: KASAN: use-after-free Read in __lock_sock
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __lock_sock
run #1: crashed: KASAN: use-after-free Read in __lock_sock
run #2: crashed: KASAN: use-after-free Read in sctp_sock_dump
run #3: crashed: KASAN: use-after-free Read in __lock_sock
run #4: crashed: KASAN: use-after-free Read in __lock_sock
run #5: crashed: KASAN: use-after-free Read in __lock_sock
run #6: crashed: KASAN: use-after-free Read in __lock_sock
run #7: crashed: KASAN: use-after-free Read in __lock_sock
run #8: crashed: KASAN: use-after-free Read in __lock_sock
run #9: crashed: KASAN: use-after-free Read in __lock_sock
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in sctp_sock_dump
run #1: crashed: KASAN: use-after-free Read in sctp_transport_get_next
run #2: crashed: KASAN: use-after-free Read in sctp_sock_dump
run #3: crashed: KASAN: use-after-free Read in sctp_transport_get_next
run #4: crashed: KASAN: use-after-free Read in __lock_sock
run #5: crashed: KASAN: use-after-free Read in __lock_sock
run #6: crashed: KASAN: use-after-free Read in __lock_sock
run #7: crashed: KASAN: use-after-free Read in __lock_sock
run #8: crashed: KASAN: use-after-free Read in sctp_transport_get_next
run #9: crashed: KASAN: use-after-free Read in __lock_sock
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __lock_sock
run #1: crashed: KASAN: use-after-free Read in __lock_sock
run #2: crashed: KASAN: use-after-free Read in __lock_sock
run #3: crashed: KASAN: use-after-free Read in __lock_sock
run #4: crashed: KASAN: use-after-free Read in __lock_sock
run #5: crashed: KASAN: use-after-free Read in sctp_transport_get_next
run #6: crashed: KASAN: use-after-free Read in __lock_sock
run #7: crashed: KASAN: use-after-free Read in __lock_sock
run #8: crashed: KASAN: use-after-free Read in __lock_sock
run #9: OK
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in sctp_transport_get_next
run #1: crashed: KASAN: use-after-free Read in __lock_sock
run #2: crashed: KASAN: use-after-free Read in __lock_sock
run #3: crashed: KASAN: use-after-free Read in __lock_sock
run #4: crashed: KASAN: use-after-free Read in __lock_sock
run #5: crashed: KASAN: use-after-free Read in __lock_sock
run #6: crashed: KASAN: use-after-free Read in __lock_sock
run #7: crashed: KASAN: use-after-free Read in __lock_sock
run #8: crashed: KASAN: use-after-free Read in sctp_transport_get_next
run #9: OK
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in sctp_transport_get_next
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in inet_diag_msg_sctpladdrs_fill
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0
all runs: crashed: possible deadlock in sctp_for_each_endpoint
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0
all runs: crashed: possible deadlock in sctp_for_each_endpoint
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0
all runs: crashed: possible deadlock in sctp_for_each_endpoint
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0
all runs: crashed: possible deadlock in sctp_for_each_endpoint
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0
all runs: crashed: possible deadlock in sctp_for_each_endpoint
testing release v4.6
testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a with gcc (GCC) 5.5.0
all runs: OK
# git bisect start v4.7 v4.6
Bisecting: 6716 revisions left to test after this (roughly 13 steps)
[0694f0c9e20c47063e4237e5f6649ae5ce5a369a] radix tree test suite: remove dependencies on height
testing commit 0694f0c9e20c47063e4237e5f6649ae5ce5a369a with gcc (GCC) 5.5.0
all runs: crashed: possible deadlock in sctp_for_each_endpoint
# git bisect bad 0694f0c9e20c47063e4237e5f6649ae5ce5a369a
Bisecting: 3281 revisions left to test after this (roughly 12 steps)
[a7fd20d1c476af4563e66865213474a2f9f473a4] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit a7fd20d1c476af4563e66865213474a2f9f473a4 with gcc (GCC) 5.5.0
all runs: crashed: possible deadlock in sctp_for_each_endpoint
# git bisect bad a7fd20d1c476af4563e66865213474a2f9f473a4
Bisecting: 1716 revisions left to test after this (roughly 11 steps)
[9dc0b289c4c09bc1a92bdcc055cb37af9b72eb28] net/mlx5_core: Firmware commands to support flow counters
testing commit 9dc0b289c4c09bc1a92bdcc055cb37af9b72eb28 with gcc (GCC) 5.5.0
all runs: crashed: possible deadlock in sctp_for_each_endpoint
# git bisect bad 9dc0b289c4c09bc1a92bdcc055cb37af9b72eb28
Bisecting: 858 revisions left to test after this (roughly 10 steps)
[4319a7976722f6925b5bbbdac417d87a0cbde859] ixgbe: Add work around for empty SFP+ cage crosstalk
testing commit 4319a7976722f6925b5bbbdac417d87a0cbde859 with gcc (GCC) 5.5.0
all runs: crashed: possible deadlock in sctp_for_each_endpoint
# git bisect bad 4319a7976722f6925b5bbbdac417d87a0cbde859
Bisecting: 339 revisions left to test after this (roughly 9 steps)
[bddf59046d804638d998f9015246d4990f1cab09] Merge tag 'wireless-drivers-next-for-davem-2016-04-11' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit bddf59046d804638d998f9015246d4990f1cab09 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good bddf59046d804638d998f9015246d4990f1cab09
Bisecting: 169 revisions left to test after this (roughly 7 steps)
[544a773a01828e3cc3b553721f68d880d0d27a97] vxlan: reduce usage of synchronize_net in ndo_stop
testing commit 544a773a01828e3cc3b553721f68d880d0d27a97 with gcc (GCC) 5.5.0
all runs: crashed: possible deadlock in sctp_for_each_endpoint
# git bisect bad 544a773a01828e3cc3b553721f68d880d0d27a97
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[dfb6cbf693536937fc49a7c5822dd39ef9d1a8e5] Merge branch 'sctp-delayed-wakeups'
testing commit dfb6cbf693536937fc49a7c5822dd39ef9d1a8e5 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good dfb6cbf693536937fc49a7c5822dd39ef9d1a8e5
Bisecting: 42 revisions left to test after this (roughly 5 steps)
[d21fd63ea3856208c3a1cb9b26d81898a2ccf71b] net: validate_xmit_skb() changes
testing commit d21fd63ea3856208c3a1cb9b26d81898a2ccf71b with gcc (GCC) 5.5.0
all runs: OK
# git bisect good d21fd63ea3856208c3a1cb9b26d81898a2ccf71b
Bisecting: 20 revisions left to test after this (roughly 5 steps)
[125c8d1233b7dd4688f14dd992d724c20d055dee] Merge branch 'tcp-synflood-perf'
testing commit 125c8d1233b7dd4688f14dd992d724c20d055dee with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 125c8d1233b7dd4688f14dd992d724c20d055dee
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[936d4b41b08f566d0901e81321e4f51ae35c1f45] Merge branch 'mlx5_ifc-updates'
testing commit 936d4b41b08f566d0901e81321e4f51ae35c1f45 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 936d4b41b08f566d0901e81321e4f51ae35c1f45
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[8f840e47f190cbe61a96945c13e9551048d42cef] sctp: add the sctp_diag.c file
testing commit 8f840e47f190cbe61a96945c13e9551048d42cef with gcc (GCC) 5.5.0
run #0: crashed: possible deadlock in sctp_for_each_endpoint
run #1: crashed: possible deadlock in sctp_for_each_endpoint
run #2: crashed: possible deadlock in sctp_for_each_endpoint
run #3: crashed: possible deadlock in sctp_for_each_endpoint
run #4: crashed: possible deadlock in sctp_for_each_endpoint
run #5: crashed: INFO: possible irq lock inversion dependency detected ]
run #6: crashed: possible deadlock in sctp_for_each_endpoint
run #7: crashed: possible deadlock in sctp_for_each_endpoint
run #8: crashed: possible deadlock in sctp_for_each_endpoint
run #9: crashed: possible deadlock in sctp_for_each_endpoint
# git bisect bad 8f840e47f190cbe61a96945c13e9551048d42cef
Bisecting: 2 revisions left to test after this (roughly 1 step)
[52c52a61a39fb319c14a582f8631619e5d5f55bf] sctp: add sctp_info dump api for sctp_diag
testing commit 52c52a61a39fb319c14a582f8631619e5d5f55bf with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 52c52a61a39fb319c14a582f8631619e5d5f55bf
Bisecting: 0 revisions left to test after this (roughly 1 step)
[cb2050a7b8131a9a9f3f97276df1feaae8987dc8] sctp: export some functions for sctp_diag in inet_diag
testing commit cb2050a7b8131a9a9f3f97276df1feaae8987dc8 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good cb2050a7b8131a9a9f3f97276df1feaae8987dc8
8f840e47f190cbe61a96945c13e9551048d42cef is the first bad commit
commit 8f840e47f190cbe61a96945c13e9551048d42cef
Author: Xin Long
Date:   Thu Apr 14 15:35:33 2016 +0800

    sctp: add the sctp_diag.c file

    This one will implement all the interface of inet_diag, inet_diag_handler.
    which includes sctp_diag_dump, sctp_diag_dump_one and sctp_diag_get_info.

    It will work as a module, and register inet_diag_handler when loading.

    v2->v3:
    - fix the mistake in inet_assoc_attr_size().
    - change inet_diag_msg_laddrs_fill() name to inet_diag_msg_sctpladdrs_fill.
    - change inet_diag_msg_paddrs_fill() name to inet_diag_msg_sctpaddrs_fill.
    - add inet_diag_msg_sctpinfo_fill() to make asoc/ep fill code clearer.
    - add inet_diag_msg_sctpasoc_fill() to make asoc fill code clearer.
    - merge inet_asoc_diag_fill() and inet_ep_diag_fill() to inet_sctp_diag_fill().
    - call sctp_diag_get_info() directly, instead by handler, cause the caller
      is in the same file with it.
    - call lock_sock in sctp_tsp_dump_one() to make sure we call get sctp info
      safely.
    - after lock_sock(sk), we should check sk != assoc->base.sk.
    - change mem[SK_MEMINFO_WMEM_ALLOC] to asoc->sndbuf_used for asoc dump when
      asoc->ep->sndbuf_policy is set. don't use INET_DIAG_MEMINFO attr any more.

    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller

:040000 040000 c3909ff5fc5d977f836e339aae6a476721fe77a7 f050c4d147ebc7cf978bb8d3b952c344959a678a M	include
:040000 040000 3d2dc64ee76f982dddaeac7e2c344a001cc0786b f13862d862331a2067848ad2a4c624e93e23e5ee M	net

revisions tested: 28, total time: 5h40m56.551399443s (build: 2h1m7.39430891s, test: 3h31m20.545586113s)
first bad commit: 8f840e47f190cbe61a96945c13e9551048d42cef sctp: add the sctp_diag.c file
cc: ["davem@davemloft.net" "linux-kernel@vger.kernel.org" "linux-sctp@vger.kernel.org" "lucien.xin@gmail.com" "netdev@vger.kernel.org" "nhorman@tuxdriver.com" "vyasevich@gmail.com"]
crash: possible deadlock in sctp_for_each_endpoint
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
hrtimer: interrupt took 31369 ns

=========================================================
[ INFO: possible irq lock inversion dependency detected ]
4.6.0-rc2+ #1 Not tainted
---------------------------------------------------------
syz-executor3/7291 just changed the state of lock:
 (&sctp_ep_hashtable[i].lock){++.+..}, at: [] sctp_for_each_endpoint+0x9f/0x190 net/sctp/socket.c:4355
but this lock was taken by another, SOFTIRQ-safe lock in the past:
 (slock-AF_INET){+.-...}

other info that might help us debug this:
Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sctp_ep_hashtable[i].lock);
                               local_irq_disable();
                               lock(slock-AF_INET);
                               lock(&sctp_ep_hashtable[i].lock);
    lock(slock-AF_INET);

 *** DEADLOCK ***

4 locks held by syz-executor3/7291:
 #0:  (sock_diag_mutex){+.+.+.}, at: [] sock_diag_rcv+0x16/0x40 net/core/sock_diag.c:280
 #1:  (sock_diag_table_mutex){+.+.+.}, at: [] __sock_diag_cmd net/core/sock_diag.c:234 [inline]
 #1:  (sock_diag_table_mutex){+.+.+.}, at: [] sock_diag_rcv_msg+0x11c/0x350 net/core/sock_diag.c:270
 #2:  (nlk->cb_mutex){+.+.+.}, at: [] netlink_dump+0x4b/0xa40 net/netlink/af_netlink.c:2066
 #3:  (inet_diag_table_mutex){+.+...}, at: [] inet_diag_lock_handler+0x4b/0xd0 net/ipv4/inet_diag.c:57

the shortest dependencies between 2nd lock and 1st lock:
 -> (slock-AF_INET){+.-...} ops: 10285 {
    HARDIRQ-ON-W at:
      [] mark_irqflags kernel/locking/lockdep.c:2904 [inline]
      [] __lock_acquire+0x1324/0x4f90 kernel/locking/lockdep.c:3253
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
      [] _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175
      [] spin_lock_bh include/linux/spinlock.h:307 [inline]
      [] lock_sock_nested+0x3e/0x100 net/core/sock.c:2474
      [] lock_sock include/net/sock.h:1362 [inline]
      [] do_tcp_setsockopt.isra.32+0x129/0x1730 net/ipv4/tcp.c:2364
      [] tcp_setsockopt+0x7e/0xd0 net/ipv4/tcp.c:2621
      [] sock_common_setsockopt+0x73/0xf0 net/core/sock.c:2677
      [] rds_tcp_nonagle+0x130/0x1b0 net/rds/tcp.c:91
      [] rds_tcp_listen_init+0x108/0x380 net/rds/tcp_listen.c:183
      [] rds_tcp_init_net+0x1ec/0x4d0 net/rds/tcp.c:369
      [] ops_init+0x95/0x360 net/core/net_namespace.c:109
      [] __register_pernet_operations net/core/net_namespace.c:781 [inline]
      [] register_pernet_operations+0x21d/0x480 net/core/net_namespace.c:846
      [] register_pernet_subsys+0x25/0x40 net/core/net_namespace.c:888
      [] rds_tcp_init+0x47/0xc0 net/rds/tcp.c:540
      [] do_one_initcall+0x10e/0x330 init/main.c:770
      [] do_initcall_level init/main.c:835 [inline]
      [] do_initcalls init/main.c:843 [inline]
      [] do_basic_setup init/main.c:861 [inline]
      [] kernel_init_freeable+0x43b/0x4d2 init/main.c:1008
      [] kernel_init+0xe/0x120 init/main.c:934
      [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392
    IN-SOFTIRQ-W at:
      [] mark_irqflags kernel/locking/lockdep.c:2890 [inline]
      [] __lock_acquire+0x12f0/0x4f90 kernel/locking/lockdep.c:3253
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
      [] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
      [] spin_lock include/linux/spinlock.h:302 [inline]
      [] udp_queue_rcv_skb+0x49f/0x1650 net/ipv4/udp.c:1645
      [] __udp4_lib_rcv+0x579/0x2f10 net/ipv4/udp.c:1815
      [] udp_rcv+0x15/0x20 net/ipv4/udp.c:2007
      [] ip_local_deliver_finish+0x2b2/0x9b0 net/ipv4/ip_input.c:216
      [] NF_HOOK_THRESH include/linux/netfilter.h:219 [inline]
      [] NF_HOOK include/linux/netfilter.h:242 [inline]
      [] ip_local_deliver+0x197/0x330 net/ipv4/ip_input.c:257
      [] dst_input include/net/dst.h:510 [inline]
      [] ip_rcv_finish+0x5ba/0x17e0 net/ipv4/ip_input.c:388
      [] NF_HOOK_THRESH include/linux/netfilter.h:219 [inline]
      [] NF_HOOK include/linux/netfilter.h:242 [inline]
      [] ip_rcv+0x867/0x1470 net/ipv4/ip_input.c:478
      [] __netif_receive_skb_core+0x1740/0x2d90 net/core/dev.c:4201
      [] __netif_receive_skb+0x1f/0x150 net/core/dev.c:4239
      [] netif_receive_skb_internal+0xc7/0x300 net/core/dev.c:4267
      [] napi_skb_finish net/core/dev.c:4595 [inline]
      [] napi_gro_receive+0x293/0x4a0 net/core/dev.c:4627
      [] receive_buf drivers/net/virtio_net.c:529 [inline]
      [] virtnet_receive+0xa97/0x1da0 drivers/net/virtio_net.c:744
      [] virtnet_poll+0x1d/0x120 drivers/net/virtio_net.c:762
      [] napi_poll net/core/dev.c:5131 [inline]
      [] net_rx_action+0x721/0xe70 net/core/dev.c:5196
      [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273
      [] invoke_softirq kernel/softirq.c:350 [inline]
      [] irq_exit+0x157/0x190 kernel/softirq.c:391
      [] exiting_irq arch/x86/include/asm/apic.h:658 [inline]
      [] do_IRQ+0x92/0x1c0 arch/x86/kernel/irq.c:252
      [] ret_from_intr+0x0/0x20
      [] arch_safe_halt arch/x86/include/asm/paravirt.h:118 [inline]
      [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307
      [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298
      [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
      [] cpuidle_idle_call kernel/sched/idle.c:151 [inline]
      [] cpu_idle_loop kernel/sched/idle.c:242 [inline]
      [] cpu_startup_entry+0x5a7/0x7e0 kernel/sched/idle.c:291
      [] rest_init+0x152/0x160 init/main.c:408
      [] start_kernel+0x5ba/0x5e0 init/main.c:661
      [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195
      [] x86_64_start_kernel+0x14a/0x157 arch/x86/kernel/head64.c:176
    INITIAL USE at:
      [] __lock_acquire+0xb9e/0x4f90 kernel/locking/lockdep.c:3257
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
      [] _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175
      [] spin_lock_bh include/linux/spinlock.h:307 [inline]
      [] lock_sock_nested+0x3e/0x100 net/core/sock.c:2474
      [] lock_sock include/net/sock.h:1362 [inline]
      [] do_tcp_setsockopt.isra.32+0x129/0x1730 net/ipv4/tcp.c:2364
      [] tcp_setsockopt+0x7e/0xd0 net/ipv4/tcp.c:2621
      [] sock_common_setsockopt+0x73/0xf0 net/core/sock.c:2677
      [] rds_tcp_nonagle+0x130/0x1b0 net/rds/tcp.c:91
      [] rds_tcp_listen_init+0x108/0x380 net/rds/tcp_listen.c:183
      [] rds_tcp_init_net+0x1ec/0x4d0 net/rds/tcp.c:369
      [] ops_init+0x95/0x360 net/core/net_namespace.c:109
      [] __register_pernet_operations net/core/net_namespace.c:781 [inline]
      [] register_pernet_operations+0x21d/0x480 net/core/net_namespace.c:846
      [] register_pernet_subsys+0x25/0x40 net/core/net_namespace.c:888
      [] rds_tcp_init+0x47/0xc0 net/rds/tcp.c:540
      [] do_one_initcall+0x10e/0x330 init/main.c:770
      [] do_initcall_level init/main.c:835 [inline]
      [] do_initcalls init/main.c:843 [inline]
      [] do_basic_setup init/main.c:861 [inline]
      [] kernel_init_freeable+0x43b/0x4d2 init/main.c:1008
      [] kernel_init+0xe/0x120 init/main.c:934
      [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392
  }
  ... key at: [] af_family_slock_keys+0x10/0x180
  ... acquired at:
   [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
   [] __raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
   [] _raw_write_lock+0x36/0x50 kernel/locking/spinlock.c:295
   [] __sctp_unhash_endpoint net/sctp/input.c:747 [inline]
   [] sctp_unhash_endpoint+0x13c/0x290 net/sctp/input.c:756
   [] sctp_endpoint_free+0x8a/0xb0 net/sctp/endpointola.c:235
   [] sctp_destroy_sock+0x80/0x1d0 net/sctp/socket.c:4152
   [] sk_common_release+0x5e/0x3e0 net/core/sock.c:2698
   [] sctp_close+0x4bf/0x740 net/sctp/socket.c:1543
   [] inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:420
   [] sock_release+0x83/0x1a0 net/socket.c:573
   [] sock_close+0xd/0x20 net/socket.c:1023
   [] __fput+0x20e/0x750 fs/file_table.c:208
   [] ____fput+0x9/0x10 fs/file_table.c:244
   [] task_work_run+0x132/0x200 kernel/task_work.c:115
   [] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
   [] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
   [] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
   [] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
   [] entry_SYSCALL_64_fastpath+0xbf/0xc1

 -> (&sctp_ep_hashtable[i].lock){++.+..} ops: 6 {
    HARDIRQ-ON-W at:
      [] mark_irqflags kernel/locking/lockdep.c:2904 [inline]
      [] __lock_acquire+0x1324/0x4f90 kernel/locking/lockdep.c:3253
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
      [] _raw_write_lock+0x36/0x50 kernel/locking/spinlock.c:295
      [] __sctp_unhash_endpoint net/sctp/input.c:747 [inline]
      [] sctp_unhash_endpoint+0x13c/0x290 net/sctp/input.c:756
      [] sctp_endpoint_free+0x8a/0xb0 net/sctp/endpointola.c:235
      [] sctp_destroy_sock+0x80/0x1d0 net/sctp/socket.c:4152
      [] sctp_v6_destroy_sock+0xd/0x20 net/sctp/socket.c:7605
      [] sk_common_release+0x5e/0x3e0 net/core/sock.c:2698
      [] sctp_close+0x4bf/0x740 net/sctp/socket.c:1543
      [] inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:420
      [] inet6_release+0x46/0x60 net/ipv6/af_inet6.c:415
      [] sock_release+0x83/0x1a0 net/socket.c:573
      [] inet_ctl_sock_destroy include/net/inet_common.h:45 [inline]
      [] sctp_ctrlsock_exit+0x5c/0x70 net/sctp/protocol.c:1344
      [] ops_exit_list.isra.4+0x8e/0x120 net/core/net_namespace.c:134
      [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
      [] process_one_work+0x698/0x1570 kernel/workqueue.c:2093
      [] worker_thread+0xd7/0xf10 kernel/workqueue.c:2227
      [] kthread+0x209/0x2d0 kernel/kthread.c:209
      [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392
    HARDIRQ-ON-R at:
      [] mark_irqflags kernel/locking/lockdep.c:2896 [inline]
      [] __lock_acquire+0xa8b/0x4f90 kernel/locking/lockdep.c:3253
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
      [] _raw_read_lock+0x39/0x50 kernel/locking/spinlock.c:223
      [] sctp_for_each_endpoint+0x9f/0x190 net/sctp/socket.c:4355
      [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
      [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
      [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
      [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
      [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
      [] netlink_dump_start include/linux/netlink.h:165 [inline]
      [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
      [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
      [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
      [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
      [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
      [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
      [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
      [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
      [] sock_sendmsg_nosec net/socket.c:612 [inline]
      [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
      [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
      [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
      [] do_readv_writev+0x359/0x660 fs/read_write.c:857
      [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
      [] do_writev+0xd8/0x270 fs/read_write.c:929
      [] SYSC_writev fs/read_write.c:1002 [inline]
      [] SyS_writev+0xb/0x10 fs/read_write.c:999
      [] entry_SYSCALL_64_fastpath+0x23/0xc1
    SOFTIRQ-ON-R at:
      [] mark_irqflags kernel/locking/lockdep.c:2908 [inline]
      [] __lock_acquire+0x1392/0x4f90 kernel/locking/lockdep.c:3253
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
      [] _raw_read_lock+0x39/0x50 kernel/locking/spinlock.c:223
      [] sctp_for_each_endpoint+0x9f/0x190 net/sctp/socket.c:4355
      [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
      [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
      [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
      [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
      [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
      [] netlink_dump_start include/linux/netlink.h:165 [inline]
      [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
      [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
      [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
      [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
      [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
      [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
      [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
      [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
      [] sock_sendmsg_nosec net/socket.c:612 [inline]
      [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
      [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
      [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
      [] do_readv_writev+0x359/0x660 fs/read_write.c:857
      [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
      [] do_writev+0xd8/0x270 fs/read_write.c:929
      [] SYSC_writev fs/read_write.c:1002 [inline]
      [] SyS_writev+0xb/0x10 fs/read_write.c:999
      [] entry_SYSCALL_64_fastpath+0x23/0xc1
    INITIAL USE at:
      [] __lock_acquire+0xb9e/0x4f90 kernel/locking/lockdep.c:3257
      [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
      [] __raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
      [] _raw_write_lock+0x36/0x50 kernel/locking/spinlock.c:295
      [] __sctp_unhash_endpoint net/sctp/input.c:747 [inline]
      [] sctp_unhash_endpoint+0x13c/0x290 net/sctp/input.c:756
      [] sctp_endpoint_free+0x8a/0xb0 net/sctp/endpointola.c:235
      [] sctp_destroy_sock+0x80/0x1d0 net/sctp/socket.c:4152
      [] sctp_v6_destroy_sock+0xd/0x20 net/sctp/socket.c:7605
      [] sk_common_release+0x5e/0x3e0 net/core/sock.c:2698
      [] sctp_close+0x4bf/0x740 net/sctp/socket.c:1543
      [] inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:420
      [] inet6_release+0x46/0x60 net/ipv6/af_inet6.c:415
      [] sock_release+0x83/0x1a0 net/socket.c:573
      [] inet_ctl_sock_destroy include/net/inet_common.h:45 [inline]
      [] sctp_ctrlsock_exit+0x5c/0x70 net/sctp/protocol.c:1344
      [] ops_exit_list.isra.4+0x8e/0x120 net/core/net_namespace.c:134
      [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431
      [] process_one_work+0x698/0x1570 kernel/workqueue.c:2093
      [] worker_thread+0xd7/0xf10 kernel/workqueue.c:2227
      [] kthread+0x209/0x2d0 kernel/kthread.c:209
      [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392
  }
  ... key at: [] __key.62716+0x0/0x40
  ... acquired at:
   [] print_irq_inversion_bug kernel/locking/lockdep.c:147 [inline]
   [] check_usage_backwards+0x2fa/0x330 kernel/locking/lockdep.c:2488
   [] mark_lock_irq kernel/locking/lockdep.c:2577 [inline]
   [] mark_lock+0x76a/0x1200 kernel/locking/lockdep.c:3024
   [] mark_irqflags kernel/locking/lockdep.c:2908 [inline]
   [] __lock_acquire+0x1392/0x4f90 kernel/locking/lockdep.c:3253
   [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
   [] __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
   [] _raw_read_lock+0x39/0x50 kernel/locking/spinlock.c:223
   [] sctp_for_each_endpoint+0x9f/0x190 net/sctp/socket.c:4355
   [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
   [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
   [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
   [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
   [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
   [] netlink_dump_start include/linux/netlink.h:165 [inline]
   [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
   [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
   [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
   [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
   [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
   [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
   [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
   [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
   [] sock_sendmsg_nosec net/socket.c:612 [inline]
   [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
   [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
   [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
   [] do_readv_writev+0x359/0x660 fs/read_write.c:857
   [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
   [] do_writev+0xd8/0x270 fs/read_write.c:929
   [] SYSC_writev fs/read_write.c:1002 [inline]
   [] SyS_writev+0xb/0x10 fs/read_write.c:999
   [] entry_SYSCALL_64_fastpath+0x23/0xc1

stack backtrace:
CPU: 0 PID: 7291 Comm: syz-executor3 Not tainted 4.6.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0cd5746 ffff8801cc347158 ffffffff829c2f86 ffffffff87d07c20
 ffff8801cc347230 ffffffff87d07c20 ffffffff879a6e90 ffff8801cc3471b0
 ffffffff8162624e ffff8801cc3471f0 00000000cc347188 ffffffff00000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [] print_irq_inversion_bug.part.42+0x347/0x356 kernel/locking/lockdep.c:2439
 [] print_irq_inversion_bug kernel/locking/lockdep.c:147 [inline]
 [] check_usage_backwards+0x2fa/0x330 kernel/locking/lockdep.c:2488
 [] mark_lock_irq kernel/locking/lockdep.c:2577 [inline]
 [] mark_lock+0x76a/0x1200 kernel/locking/lockdep.c:3024
 [] mark_irqflags kernel/locking/lockdep.c:2908 [inline]
 [] __lock_acquire+0x1392/0x4f90 kernel/locking/lockdep.c:3253
 [] lock_acquire+0x196/0x480 kernel/locking/lockdep.c:3675
 [] __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
 [] _raw_read_lock+0x39/0x50 kernel/locking/spinlock.c:223
 [] sctp_for_each_endpoint+0x9f/0x190 net/sctp/socket.c:4355
 [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
 [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
 [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
 [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
 [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
 [] netlink_dump_start include/linux/netlink.h:165 [inline]
 [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
 [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
 [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
 [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
 [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
 [] sock_sendmsg_nosec net/socket.c:612 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
 [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
 [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
 [] do_readv_writev+0x359/0x660 fs/read_write.c:857
 [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
 [] do_writev+0xd8/0x270 fs/read_write.c:929
 [] SYSC_writev fs/read_write.c:1002 [inline]
 [] SyS_writev+0xb/0x10 fs/read_write.c:999
 [] entry_SYSCALL_64_fastpath+0x23/0xc1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:318 at addr ffff8800af82efa0
Read of size 128 by task syz-executor3/7291
CPU: 0 PID: 7291 Comm: syz-executor3 Not tainted 4.6.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0cd5746 ffff8801cc3472b8 ffffffff829c2f86 0000000000000080
 ffff8801cc347348 ffff8800af82ef80 ffff8801da800200 ffff8801cc347338
 ffffffff8174e337 0000000000000001 0000000000000007 0000000000000286
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [] object_err mm/kasan/report.c:139 [inline]
 [] print_address_description mm/kasan/report.c:179 [inline]
 [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275
 [] kasan_report+0x34/0x40 mm/kasan/report.c:297
 [] check_memory_region mm/kasan/kasan.c:285 [inline]
 [] __asan_loadN+0x12a/0x180 mm/kasan/kasan.c:678
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:318
 [] inet_diag_msg_sctpladdrs_fill net/sctp/sctp_diag.c:75 [inline]
 [] inet_sctp_diag_fill+0x65e/0xc60 net/sctp/sctp_diag.c:179
 [] sctp_ep_dump+0x46b/0x6d0 net/sctp/sctp_diag.c:368
 [] sctp_for_each_endpoint+0xe4/0x190 net/sctp/socket.c:4357
 [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453
 [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919
 [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935
 [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108
 [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196
 [] netlink_dump_start include/linux/netlink.h:165 [inline]
 [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040
 [] __sock_diag_cmd net/core/sock_diag.c:239 [inline]
 [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270
 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277
 [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281
 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline]
 [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240
 [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786
 [] sock_sendmsg_nosec net/socket.c:612 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:622
 [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820
 [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709
 [] do_readv_writev+0x359/0x660 fs/read_write.c:857
 [] vfs_writev+0x6a/0xb0 fs/read_write.c:896
 [] do_writev+0xd8/0x270 fs/read_write.c:929
 [] SYSC_writev fs/read_write.c:1002 [inline]
 [] SyS_writev+0xb/0x10 fs/read_write.c:999
 [] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800af82ef80, in cache kmalloc-64
Object allocated with size 64 bytes.
Allocation:
PID = 7291
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450
 [] set_track mm/kasan/kasan.c:462 [inline]
 [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532
 [] kmem_cache_alloc_trace+0x142/0x6b0 mm/slab.c:3447
 [] kmalloc include/linux/slab.h:478 [inline]
 [] kzalloc include/linux/slab.h:622 [inline]
 [] sctp_add_bind_addr+0x5f/0x240 net/sctp/bind_addr.c:159
 [] sctp_do_bind+0x2cf/0x4c0 net/sctp/socket.c:389
 [] sctp_autobind+0x14c/0x1b0 net/sctp/socket.c:6764
 [] __sctp_connect+0x4f5/0xa30 net/sctp/socket.c:1143
 [] sctp_connect+0x95/0xd0 net/sctp/socket.c:3870
 [] inet_dgram_connect+0xf1/0x220 net/ipv4/af_inet.c:535
 [] SYSC_connect+0x202/0x2a0 net/socket.c:1539
 [] SyS_connect+0x9/0x10 net/socket.c:1520
 [] entry_SYSCALL_64_fastpath+0x23/0xc1
Memory state around the buggy address:
 ffff8800af82ee80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff8800af82ef00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8800af82ef80: 00 00 00 00 00 00
00 00 fc fc fc fc fc fc fc fc ^ ffff8800af82f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8800af82f080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:318 at addr ffff8801d7b64ca0 Read of size 128 by task syz-executor3/7291 CPU: 0 PID: 7291 Comm: syz-executor3 Tainted: G B 4.6.0-rc2+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0cd5746 ffff8801cc3472b8 ffffffff829c2f86 0000000000000080 ffff8801cc347348 ffff8801d7b64c80 ffff8801da800200 ffff8801cc347338 ffffffff8174e337 0000000000000001 0000000000000007 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report+0x34/0x40 mm/kasan/report.c:297 [] check_memory_region mm/kasan/kasan.c:285 [inline] [] __asan_loadN+0x12a/0x180 mm/kasan/kasan.c:678 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:318 [] inet_diag_msg_sctpladdrs_fill net/sctp/sctp_diag.c:75 [inline] [] inet_sctp_diag_fill+0x65e/0xc60 net/sctp/sctp_diag.c:179 [] sctp_ep_dump+0x46b/0x6d0 net/sctp/sctp_diag.c:368 [] sctp_for_each_endpoint+0xe4/0x190 net/sctp/socket.c:4357 [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453 [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919 [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935 [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108 [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196 [] netlink_dump_start include/linux/netlink.h:165 [inline] [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040 [] __sock_diag_cmd net/core/sock_diag.c:239 [inline] [] sock_diag_rcv_msg+0x2d5/0x350 
net/core/sock_diag.c:270 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277 [] sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820 [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709 [] do_readv_writev+0x359/0x660 fs/read_write.c:857 [] vfs_writev+0x6a/0xb0 fs/read_write.c:896 [] do_writev+0xd8/0x270 fs/read_write.c:929 [] SYSC_writev fs/read_write.c:1002 [inline] [] SyS_writev+0xb/0x10 fs/read_write.c:999 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8801d7b64c80, in cache kmalloc-64 Object allocated with size 64 bytes. Allocation: PID = 7303 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532 [] kmem_cache_alloc_trace+0x142/0x6b0 mm/slab.c:3447 [] kmalloc include/linux/slab.h:478 [inline] [] kzalloc include/linux/slab.h:622 [inline] [] sctp_add_bind_addr+0x5f/0x240 net/sctp/bind_addr.c:159 [] sctp_do_bind+0x2cf/0x4c0 net/sctp/socket.c:389 [] sctp_autobind+0x14c/0x1b0 net/sctp/socket.c:6764 [] __sctp_connect+0x4f5/0xa30 net/sctp/socket.c:1143 [] sctp_connect+0x95/0xd0 net/sctp/socket.c:3870 [] inet_dgram_connect+0xf1/0x220 net/ipv4/af_inet.c:535 [] SYSC_connect+0x202/0x2a0 net/socket.c:1539 [] SyS_connect+0x9/0x10 net/socket.c:1520 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8801d7b64b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d7b64c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8801d7b64c80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff8801d7b64d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc 
ffff8801d7b64d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:318 at addr ffff8801d7b64ca0 Read of size 128 by task syz-executor3/7303 CPU: 0 PID: 7303 Comm: syz-executor3 Tainted: G B 4.6.0-rc2+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0cd5746 ffff8800af8a72b8 ffffffff829c2f86 0000000000000080 ffff8800af8a7348 ffff8801d7b64c80 ffff8801da800200 ffff8800af8a7338 ffffffff8174e337 ffffed0015f12597 ffff8800af892cb3 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report+0x34/0x40 mm/kasan/report.c:297 [] check_memory_region mm/kasan/kasan.c:285 [inline] [] __asan_loadN+0x12a/0x180 mm/kasan/kasan.c:678 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:318 [] inet_diag_msg_sctpladdrs_fill net/sctp/sctp_diag.c:75 [inline] [] inet_sctp_diag_fill+0x65e/0xc60 net/sctp/sctp_diag.c:179 [] sctp_ep_dump+0x46b/0x6d0 net/sctp/sctp_diag.c:368 [] sctp_for_each_endpoint+0xe4/0x190 net/sctp/socket.c:4357 [] sctp_diag_dump+0x25a/0x380 net/sctp/sctp_diag.c:453 [] __inet_diag_dump+0x80/0x120 net/ipv4/inet_diag.c:919 [] inet_diag_dump+0x77/0xe0 net/ipv4/inet_diag.c:935 [] netlink_dump+0x32d/0xa40 net/netlink/af_netlink.c:2108 [] __netlink_dump_start+0x4a1/0x720 net/netlink/af_netlink.c:2196 [] netlink_dump_start include/linux/netlink.h:165 [inline] [] inet_diag_handler_cmd+0x241/0x2f0 net/ipv4/inet_diag.c:1040 [] __sock_diag_cmd net/core/sock_diag.c:239 [inline] [] sock_diag_rcv_msg+0x2d5/0x350 net/core/sock_diag.c:270 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2277 [] 
sock_diag_rcv+0x25/0x40 net/core/sock_diag.c:281 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x455/0x660 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x893/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] sock_write_iter+0x1e2/0x3b0 net/socket.c:820 [] do_iter_readv_writev+0x184/0x330 fs/read_write.c:709 [] do_readv_writev+0x359/0x660 fs/read_write.c:857 [] vfs_writev+0x6a/0xb0 fs/read_write.c:896 [] do_writev+0xd8/0x270 fs/read_write.c:929 [] SYSC_writev fs/read_write.c:1002 [inline] [] SyS_writev+0xb/0x10 fs/read_write.c:999 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8801d7b64c80, in cache kmalloc-64 Object allocated with size 64 bytes. Allocation: PID = 7303 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532 [] kmem_cache_alloc_trace+0x142/0x6b0 mm/slab.c:3447 [] kmalloc include/linux/slab.h:478 [inline] [] kzalloc include/linux/slab.h:622 [inline] [] sctp_add_bind_addr+0x5f/0x240 net/sctp/bind_addr.c:159 [] sctp_do_bind+0x2cf/0x4c0 net/sctp/socket.c:389 [] sctp_autobind+0x14c/0x1b0 net/sctp/socket.c:6764 [] __sctp_connect+0x4f5/0xa30 net/sctp/socket.c:1143 [] sctp_connect+0x95/0xd0 net/sctp/socket.c:3870 [] inet_dgram_connect+0xf1/0x220 net/ipv4/af_inet.c:535 [] SYSC_connect+0x202/0x2a0 net/socket.c:1539 [] SyS_connect+0x9/0x10 net/socket.c:1520 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8801d7b64b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d7b64c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8801d7b64c80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff8801d7b64d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff8801d7b64d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc 
================================================================== ------------[ cut here ]------------ WARNING: CPU: 1 PID: 5693 at include/net/sock.h:1408 sock_owned_by_user include/net/sock.h:1408 [inline] WARNING: CPU: 1 PID: 5693 at include/net/sock.h:1408 tcp_close+0x458/0xef0 net/ipv4/tcp.c:2124