KASAN: use-after-free Read in __lock_sock

Bug Impact analysis

One thread freed sk, but another thread is still using it.

static int sctp_sock_dump(struct sctp_transport *tsp, void *p)

{

...

lock_sock(sk); // sk was freed, here comes the UAF read when it's trying to lock sk. This is the UAF read reported by syzbot originally.

...

release_sock(sk); // Inside release_sock, a function pointer derference will occur.

return err;

}

void release_sock(struct sock *sk)

{

spin_lock_bh(&sk->sk_lock.slock);

if (sk->sk_backlog.tail)

__release_sock(sk);

if (sk->sk_prot->release_cb)

sk->sk_prot->release_cb(sk); // sk was freed, therefore release_cb() can lead to control flow hijacking.

...

}

the function pointer release_cb was eventually dereferenced from sk, which means release_cb can point to any memory address. This makes it become a control flow hijacking

Trace in high level:

|__lock_acquire kernel/locking/lockdep.c:3974(Triggered the UAF read bug)

|lock_acquire ./arch/x86/include/asm/current.h:15

|_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:136

|__lock_sock ./include/linux/lockdep.h:361

|lock_sock_nested net/core/sock.c:2938

|sctp_sock_dump net/sctp/diag.c:311

|release_sock net/sctp/diag.c:349

|None net/core/sock.c:2959(Triggered a new bug: Control flow hijacking)

Trace in detail:

0xffffffff813c9d87

__lock_acquire kernel/locking/lockdep.c:3974(Triggered the UAF read bug)

--------------------------------------

0xffffffff813c9d95

__lock_acquire kernel/locking/lockdep.c:3830

--------------------------------------

0xffffffff813c9d9f

__lock_acquire kernel/locking/lockdep.c:3831

--------------------------------------

0xffffffff813c9dac

__lock_acquire kernel/locking/lockdep.c:3831

--------------------------------------

0xffffffff813c92a6

__lock_acquire kernel/locking/lockdep.c:3856

--------------------------------------

0xffffffff813c92bc

__lock_acquire kernel/locking/lockdep.c:3856

--------------------------------------

0xffffffff813c92d8

__lock_acquire kernel/locking/lockdep.c:3860

--------------------------------------

0xffffffff813c92e2

__lock_acquire kernel/locking/lockdep.c:3860

--------------------------------------

0xffffffff813c92ec

__lock_acquire kernel/locking/lockdep.c:3860

--------------------------------------

0xffffffff813c9332

__lock_acquire kernel/locking/lockdep.c:3866

--------------------------------------

0xffffffff813c9347

__lock_acquire kernel/locking/lockdep.c:3867

--------------------------------------

0xffffffff813c9371

__lock_acquire kernel/locking/lockdep.c:3884

--------------------------------------

0xffffffff813c938b

__lock_acquire kernel/locking/lockdep.c:3891

--------------------------------------

0xffffffff813c93ac

__lock_acquire kernel/locking/lockdep.c:3892

--------------------------------------

0xffffffff813c93bd

__lock_acquire kernel/locking/lockdep.c:3893

--------------------------------------

0xffffffff813c93d4

__lock_acquire kernel/locking/lockdep.c:3894

--------------------------------------

0xffffffff813c93eb

__lock_acquire kernel/locking/lockdep.c:3895

--------------------------------------

0xffffffff813c940a

__lock_acquire kernel/locking/lockdep.c:3900

--------------------------------------

0xffffffff813c9480

__lock_acquire kernel/locking/lockdep.c:3905

--------------------------------------

0xffffffff813c9490

__lock_acquire kernel/locking/lockdep.c:3550

--------------------------------------

0xffffffff813c9499

__lock_acquire kernel/locking/lockdep.c:3550

--------------------------------------

0xffffffff813c94aa

__lock_acquire kernel/locking/lockdep.c:3550

--------------------------------------

0xffffffff813c94b3

__lock_acquire kernel/locking/lockdep.c:3551

--------------------------------------

0xffffffff813c94c2

__lock_acquire kernel/locking/lockdep.c:3561

--------------------------------------

0xffffffff813c94ca

__lock_acquire kernel/locking/lockdep.c:3564

--------------------------------------

0xffffffff813c94d9

__lock_acquire kernel/locking/lockdep.c:3564

--------------------------------------

0xffffffff813c94e2

__lock_acquire kernel/locking/lockdep.c:3570

--------------------------------------

0xffffffff813c9e0b

__lock_acquire kernel/locking/lockdep.c:3579

--------------------------------------

0xffffffff813c8670

mark_lock kernel/locking/lockdep.c:3633

--------------------------------------

0xffffffff813c86b7

mark_lock kernel/locking/lockdep.c:3634

--------------------------------------

0xffffffff813c86cc

mark_lock kernel/locking/lockdep.c:3642

--------------------------------------

0xffffffff813c86f2

mark_lock ./arch/x86/include/asm/bitops.h:214

--------------------------------------

0xffffffff813c8700

mark_lock kernel/locking/lockdep.c:175

--------------------------------------

0xffffffff813c8717

mark_lock kernel/locking/lockdep.c:175

--------------------------------------

0xffffffff813c87de

mark_lock kernel/locking/lockdep.c:167

--------------------------------------

0xffffffff813c5340

graph_lock kernel/locking/lockdep.c:91

--------------------------------------

0xffffffff813c53b5

graph_lock ./include/asm-generic/atomic-instrumented.h:694

--------------------------------------

0xffffffff813c53c3

graph_lock ./arch/x86/include/asm/atomic.h:200

--------------------------------------

0xffffffff813c53d9

graph_lock kernel/locking/lockdep.c:99

--------------------------------------

0xffffffff813c53e5

graph_lock kernel/locking/lockdep.c:99

--------------------------------------

0xffffffff813c5445

graph_lock ./arch/x86/include/asm/paravirt.h:643

--------------------------------------

0xffffffff813c5451

graph_lock ./arch/x86/include/asm/paravirt.h:643

--------------------------------------

0xffffffff813c545b

graph_lock ./arch/x86/include/asm/paravirt.h:643

--------------------------------------

0xffffffff813c5465

graph_lock ./arch/x86/include/asm/paravirt.h:643

--------------------------------------

0xffffffff813c5416

graph_lock kernel/locking/lockdep.c:105

--------------------------------------

0xffffffff813c543a

graph_lock kernel/locking/lockdep.c:105

--------------------------------------

0xffffffff813c87e7

mark_lock kernel/locking/lockdep.c:3645

--------------------------------------

0xffffffff813c86a2

mark_lock kernel/locking/lockdep.c:3634

--------------------------------------

0xffffffff813c9e1b

__lock_acquire kernel/locking/lockdep.c:3579

--------------------------------------

0xffffffff813c9d31

__lock_acquire kernel/locking/lockdep.c:3974

--------------------------------------

0xffffffff813c9d6d

__lock_acquire kernel/locking/lockdep.c:3974

--------------------------------------

0xffffffff813cbf9e

lock_acquire ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813cbfae

lock_acquire ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813cbfc4

lock_acquire ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff813cbfd2

lock_acquire ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff811a4930

native_restore_fl arch/x86/kernel/irqflags.S:22

--------------------------------------

0xffffffff813cbfdd

lock_acquire ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff853fe5a3

_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:136

--------------------------------------

0xffffffff813d4290

do_raw_spin_lock kernel/locking/spinlock_debug.c:111

--------------------------------------

0xffffffff813d4300

do_raw_spin_lock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d4310

do_raw_spin_lock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d431d

do_raw_spin_lock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d4334

do_raw_spin_lock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d4341

do_raw_spin_lock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d4355

do_raw_spin_lock ./include/asm-generic/qspinlock.h:76

--------------------------------------

0xffffffff813d436a

do_raw_spin_lock ./include/asm-generic/atomic-instrumented.h:694

--------------------------------------

0xffffffff813d4378

do_raw_spin_lock ./arch/x86/include/asm/atomic.h:200

--------------------------------------

0xffffffff813d438d

do_raw_spin_lock kernel/locking/spinlock_debug.c:115

--------------------------------------

0xffffffff813d439d

do_raw_spin_lock ./include/linux/compiler.h:225

--------------------------------------

0xffffffff813d43aa

do_raw_spin_lock ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813d43dd

do_raw_spin_lock kernel/locking/spinlock_debug.c:92

--------------------------------------

0xffffffff853fe5ab

_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:136

--------------------------------------

0xffffffff8431ba8d

__lock_sock ./include/linux/lockdep.h:361

--------------------------------------

0xffffffff813c67e0

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c680f

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c681d

lock_is_held_type ./arch/x86/include/asm/paravirt.h:769

--------------------------------------

0xffffffff813c6829

lock_is_held_type ./arch/x86/include/asm/paravirt.h:769

--------------------------------------

0xffffffff813c6837

lock_is_held_type ./arch/x86/include/asm/paravirt.h:747

--------------------------------------

0xffffffff811a4920

native_save_fl arch/x86/kernel/irqflags.S:11

--------------------------------------

0xffffffff813c683e

lock_is_held_type ./arch/x86/include/asm/paravirt.h:747

--------------------------------------

0xffffffff813c684e

lock_is_held_type ./arch/x86/include/asm/paravirt.h:770

--------------------------------------

0xffffffff813c685c

lock_is_held_type ./arch/x86/include/asm/paravirt.h:757

--------------------------------------

0xffffffff811fc850

native_irq_disable ./arch/x86/include/asm/irqflags.h:49

--------------------------------------

0xffffffff811fc851

native_irq_disable ./arch/x86/include/asm/irqflags.h:49

--------------------------------------

0xffffffff813c6863

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c6875

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c6887

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ba

lock_is_held_type kernel/locking/lockdep.c:4303

--------------------------------------

0xffffffff813c5e90

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eb0

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eba

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5ec3

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5fa8

match_held_lock kernel/locking/lockdep.c:833

--------------------------------------

0xffffffff813c68d4

lock_is_held_type kernel/locking/lockdep.c:4305

--------------------------------------

0xffffffff813c68a1

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ad

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ba

lock_is_held_type kernel/locking/lockdep.c:4303

--------------------------------------

0xffffffff813c5e90

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eb0

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eba

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5ec3

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5fa8

match_held_lock kernel/locking/lockdep.c:833

--------------------------------------

0xffffffff813c68d4

lock_is_held_type kernel/locking/lockdep.c:4305

--------------------------------------

0xffffffff813c68a1

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ad

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ba

lock_is_held_type kernel/locking/lockdep.c:4303

--------------------------------------

0xffffffff813c5e90

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eb0

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eba

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5ec3

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5fa8

match_held_lock kernel/locking/lockdep.c:833

--------------------------------------

0xffffffff813c68d4

lock_is_held_type kernel/locking/lockdep.c:4305

--------------------------------------

0xffffffff813c68a1

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ad

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ba

lock_is_held_type kernel/locking/lockdep.c:4303

--------------------------------------

0xffffffff813c5e90

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eb0

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eba

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5ec3

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5fa8

match_held_lock kernel/locking/lockdep.c:833

--------------------------------------

0xffffffff813c68d4

lock_is_held_type kernel/locking/lockdep.c:4305

--------------------------------------

0xffffffff813c68a1

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ad

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c6952

lock_is_held_type ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff813c6900

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c6915

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c692b

lock_is_held_type ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff813c6935

lock_is_held_type ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff811a4930

native_restore_fl arch/x86/kernel/irqflags.S:22

--------------------------------------

0xffffffff813c6940

lock_is_held_type ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff8431ba9a

__lock_sock ./include/linux/lockdep.h:361

--------------------------------------

0xffffffff8431baa6

__lock_sock ./include/linux/lockdep.h:361

--------------------------------------

0xffffffff8431baab

__lock_sock ./include/linux/lockdep.h:361

--------------------------------------

0xffffffff8431bab0

__lock_sock ./include/linux/lockdep.h:361

--------------------------------------

0xffffffff813c67e0

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c680f

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c681d

lock_is_held_type ./arch/x86/include/asm/paravirt.h:769

--------------------------------------

0xffffffff813c6829

lock_is_held_type ./arch/x86/include/asm/paravirt.h:769

--------------------------------------

0xffffffff813c6837

lock_is_held_type ./arch/x86/include/asm/paravirt.h:747

--------------------------------------

0xffffffff811a4920

native_save_fl arch/x86/kernel/irqflags.S:11

--------------------------------------

0xffffffff813c683e

lock_is_held_type ./arch/x86/include/asm/paravirt.h:747

--------------------------------------

0xffffffff813c684e

lock_is_held_type ./arch/x86/include/asm/paravirt.h:770

--------------------------------------

0xffffffff813c685c

lock_is_held_type ./arch/x86/include/asm/paravirt.h:757

--------------------------------------

0xffffffff811fc850

native_irq_disable ./arch/x86/include/asm/irqflags.h:49

--------------------------------------

0xffffffff811fc851

native_irq_disable ./arch/x86/include/asm/irqflags.h:49

--------------------------------------

0xffffffff813c6863

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c6875

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c6887

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ba

lock_is_held_type kernel/locking/lockdep.c:4303

--------------------------------------

0xffffffff813c5e90

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eb0

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eba

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5ec3

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5fa8

match_held_lock kernel/locking/lockdep.c:833

--------------------------------------

0xffffffff813c68d4

lock_is_held_type kernel/locking/lockdep.c:4305

--------------------------------------

0xffffffff813c68a1

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ad

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ba

lock_is_held_type kernel/locking/lockdep.c:4303

--------------------------------------

0xffffffff813c5e90

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eb0

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eba

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5ec3

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5fa8

match_held_lock kernel/locking/lockdep.c:833

--------------------------------------

0xffffffff813c68d4

lock_is_held_type kernel/locking/lockdep.c:4305

--------------------------------------

0xffffffff813c68a1

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ad

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ba

lock_is_held_type kernel/locking/lockdep.c:4303

--------------------------------------

0xffffffff813c5e90

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eb0

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eba

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5ec3

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5fa8

match_held_lock kernel/locking/lockdep.c:833

--------------------------------------

0xffffffff813c68d4

lock_is_held_type kernel/locking/lockdep.c:4305

--------------------------------------

0xffffffff813c68a1

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ad

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ba

lock_is_held_type kernel/locking/lockdep.c:4303

--------------------------------------

0xffffffff813c5e90

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eb0

match_held_lock kernel/locking/lockdep.c:4013

--------------------------------------

0xffffffff813c5eba

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5ec3

match_held_lock kernel/locking/lockdep.c:4016

--------------------------------------

0xffffffff813c5fa8

match_held_lock kernel/locking/lockdep.c:833

--------------------------------------

0xffffffff813c68d4

lock_is_held_type kernel/locking/lockdep.c:4305

--------------------------------------

0xffffffff813c68a1

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c68ad

lock_is_held_type kernel/locking/lockdep.c:4302

--------------------------------------

0xffffffff813c6952

lock_is_held_type ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff813c6900

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c6915

lock_is_held_type ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813c692b

lock_is_held_type ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff813c6935

lock_is_held_type ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff811a4930

native_restore_fl arch/x86/kernel/irqflags.S:22

--------------------------------------

0xffffffff813c6940

lock_is_held_type ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff8431bac1

__lock_sock ./include/linux/lockdep.h:361

--------------------------------------

0xffffffff8431bacd

__lock_sock ./include/linux/lockdep.h:361

--------------------------------------

0xffffffff8431bad6

__lock_sock ./include/linux/lockdep.h:361

--------------------------------------

0xffffffff8431badb

__lock_sock ./include/linux/lockdep.h:361

--------------------------------------

0xffffffff8431bae7

__lock_sock ./include/linux/lockdep.h:361

--------------------------------------

0xffffffff8431bafa

__lock_sock ./include/linux/lockdep.h:361

--------------------------------------

0xffffffff8431ba33

__lock_sock ./include/net/sock.h:1570

--------------------------------------

0xffffffff8431ba38

__lock_sock ./include/net/sock.h:1570

--------------------------------------

0xffffffff8431ba44

__lock_sock ./include/net/sock.h:1570

--------------------------------------

0xffffffff8431ba56

__lock_sock ./include/net/sock.h:1570

--------------------------------------

0xffffffff8431bb14

__lock_sock net/core/sock.c:2418

--------------------------------------

0xffffffff8431bb19

__lock_sock net/core/sock.c:2418

--------------------------------------

0xffffffff813b07a0

finish_wait ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813b07cd

finish_wait ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813b07e3

finish_wait ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813b07fc

finish_wait ./include/linux/list.h:301

--------------------------------------

0xffffffff813b0891

finish_wait ./include/linux/spinlock.h:393

--------------------------------------

0xffffffff813b0899

finish_wait ./include/linux/spinlock.h:393

--------------------------------------

0xffffffff813b08a3

finish_wait ./include/linux/spinlock.h:393

--------------------------------------

0xffffffff813b0882

finish_wait ./include/linux/spinlock.h:393

--------------------------------------

0xffffffff8431bb28

__lock_sock net/core/sock.c:2418

--------------------------------------

0xffffffff8431bb57

__lock_sock net/core/sock.c:2418

--------------------------------------

0xffffffff8431bc40

lock_sock_nested net/core/sock.c:2938

--------------------------------------

0xffffffff8431bbcf

lock_sock_nested net/core/sock.c:2939

--------------------------------------

0xffffffff8431bbd4

lock_sock_nested net/core/sock.c:2939

--------------------------------------

0xffffffff8431bbdc

lock_sock_nested net/core/sock.c:2939

--------------------------------------

0xffffffff853fe6b0

_raw_spin_unlock ./include/linux/spinlock_api_smp.h:150

--------------------------------------

0xffffffff813cb9f0

lock_release kernel/locking/lockdep.c:4492

--------------------------------------

0xffffffff853fe6c6

_raw_spin_unlock ./include/linux/spinlock_api_smp.h:151

--------------------------------------

0xffffffff813d45a0

do_raw_spin_unlock kernel/locking/spinlock_debug.c:138

--------------------------------------

0xffffffff813d45b6

do_raw_spin_unlock kernel/locking/spinlock_debug.c:138

--------------------------------------

0xffffffff813d45c5

do_raw_spin_unlock ./include/asm-generic/atomic-instrumented.h:26

--------------------------------------

0xffffffff813d45d2

do_raw_spin_unlock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d45da

do_raw_spin_unlock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d45e6

do_raw_spin_unlock kernel/locking/spinlock_debug.c:99

--------------------------------------

0xffffffff813d45f3

do_raw_spin_unlock ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813d4607

do_raw_spin_unlock kernel/locking/spinlock_debug.c:100

--------------------------------------

0xffffffff813d4614

do_raw_spin_unlock kernel/locking/spinlock_debug.c:100

--------------------------------------

0xffffffff813d4626

do_raw_spin_unlock ./include/linux/compiler.h:226

--------------------------------------

0xffffffff813d462e

do_raw_spin_unlock ./include/linux/compiler.h:226

--------------------------------------

0xffffffff813d463f

do_raw_spin_unlock ./include/linux/compiler.h:225

--------------------------------------

0xffffffff813d4654

do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:643

--------------------------------------

0xffffffff813d4662

do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:643

--------------------------------------

0xffffffff813d466c

do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:643

--------------------------------------

0xffffffff853fe6ce

_raw_spin_unlock ./include/linux/spinlock_api_smp.h:152

--------------------------------------

0xffffffff81375a50

preempt_count_sub kernel/sched/core.c:3812

--------------------------------------

0xffffffff81375a63

preempt_count_sub kernel/sched/core.c:3812

--------------------------------------

0xffffffff81375a6d

preempt_count_sub ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81375a80

preempt_count_sub kernel/sched/core.c:3817

--------------------------------------

0xffffffff81375aca

preempt_count_sub ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81375a88

preempt_count_sub ./arch/x86/include/asm/preempt.h:84

--------------------------------------

0xffffffff853fe6d8

_raw_spin_unlock ./arch/x86/include/asm/preempt.h:102

--------------------------------------

0xffffffff853fe6e3

_raw_spin_unlock ./arch/x86/include/asm/preempt.h:102

--------------------------------------

0xffffffff8431bbee

lock_sock_nested net/core/sock.c:2944

--------------------------------------

0xffffffff813cbe80

lock_acquire ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff8431bc0d

lock_sock_nested ./include/linux/bottom_half.h:32

--------------------------------------

0xffffffff8431bc13

lock_sock_nested ./include/linux/bottom_half.h:32

--------------------------------------

0xffffffff81310d50

__local_bh_enable_ip ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81310d70

__local_bh_enable_ip kernel/softirq.c:169

--------------------------------------

0xffffffff81310d7c

__local_bh_enable_ip kernel/softirq.c:169

--------------------------------------

0xffffffff81310daa

__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:757

--------------------------------------

0xffffffff81310db6

__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:757

--------------------------------------

0xffffffff81310dc4

__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:757

--------------------------------------

0xffffffff811fc850

native_irq_disable ./arch/x86/include/asm/irqflags.h:49

--------------------------------------

0xffffffff811fc851

native_irq_disable ./arch/x86/include/asm/irqflags.h:49

--------------------------------------

0xffffffff81310dcb

__local_bh_enable_ip kernel/softirq.c:171

--------------------------------------

0xffffffff81519bb0

trace_hardirqs_off kernel/trace/trace_preemptirq.c:38

--------------------------------------

0xffffffff81519bc2

trace_hardirqs_off kernel/trace/trace_preemptirq.c:38

--------------------------------------

0xffffffff81519bd2

trace_hardirqs_off kernel/trace/trace_preemptirq.c:38

--------------------------------------

0xffffffff81519c00

trace_hardirqs_off kernel/trace/trace_preemptirq.c:45

--------------------------------------

0xffffffff81519c05

trace_hardirqs_off kernel/trace/trace_preemptirq.c:45

--------------------------------------

0xffffffff813cd510

lockdep_hardirqs_off ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813cd526

lockdep_hardirqs_off ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813cd5cc

lockdep_hardirqs_off kernel/locking/lockdep.c:3464

--------------------------------------

0xffffffff81519c0e

trace_hardirqs_off kernel/trace/trace_preemptirq.c:45

--------------------------------------

0xffffffff81310dd0

__local_bh_enable_ip ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81310e85

__local_bh_enable_ip kernel/softirq.c:177

--------------------------------------

0xffffffff813cd630

trace_softirqs_on ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813cd648

trace_softirqs_on ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813cd767

trace_softirqs_on ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff81310e8d

__local_bh_enable_ip kernel/softirq.c:177

--------------------------------------

0xffffffff81310de7

__local_bh_enable_ip kernel/softirq.c:182

--------------------------------------

0xffffffff81375a50

preempt_count_sub kernel/sched/core.c:3812

--------------------------------------

0xffffffff81375a63

preempt_count_sub kernel/sched/core.c:3812

--------------------------------------

0xffffffff81375a6d

preempt_count_sub ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81375a80

preempt_count_sub kernel/sched/core.c:3817

--------------------------------------

0xffffffff81375a88

preempt_count_sub ./arch/x86/include/asm/preempt.h:84

--------------------------------------

0xffffffff81310def

__local_bh_enable_ip ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81310e9d

__local_bh_enable_ip kernel/softirq.c:184

--------------------------------------

0xffffffff82ac4b20

__this_cpu_preempt_check lib/smp_processor_id.c:64

--------------------------------------

0xffffffff82ac4b31

__this_cpu_preempt_check lib/smp_processor_id.c:64

--------------------------------------

0xffffffff82ac4b4e

__this_cpu_preempt_check ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff82ac4b52

__this_cpu_preempt_check lib/smp_processor_id.c:52

--------------------------------------

0xffffffff82ac4b57

__this_cpu_preempt_check lib/smp_processor_id.c:52

--------------------------------------

0xffffffff81310ea9

__local_bh_enable_ip kernel/softirq.c:184

--------------------------------------

0xffffffff81310e01

__local_bh_enable_ip kernel/softirq.c:192

--------------------------------------

0xffffffff81375a50

preempt_count_sub kernel/sched/core.c:3812

--------------------------------------

0xffffffff81375a63

preempt_count_sub kernel/sched/core.c:3812

--------------------------------------

0xffffffff81375a6d

preempt_count_sub ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81375a80

preempt_count_sub kernel/sched/core.c:3817

--------------------------------------

0xffffffff81375aca

preempt_count_sub ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81375a88

preempt_count_sub ./arch/x86/include/asm/preempt.h:84

--------------------------------------

0xffffffff81310e0b

__local_bh_enable_ip kernel/softirq.c:194

--------------------------------------

0xffffffff81519d90

trace_hardirqs_on kernel/trace/trace_preemptirq.c:24

--------------------------------------

0xffffffff81519da2

trace_hardirqs_on kernel/trace/trace_preemptirq.c:24

--------------------------------------

0xffffffff81519db2

trace_hardirqs_on kernel/trace/trace_preemptirq.c:24

--------------------------------------

0xffffffff81519db6

trace_hardirqs_on ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81519dbb

trace_hardirqs_on ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81519dd1

trace_hardirqs_on ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81519dfe

trace_hardirqs_on kernel/trace/trace_preemptirq.c:26

--------------------------------------

0xffffffff81519e03

trace_hardirqs_on kernel/trace/trace_preemptirq.c:26

--------------------------------------

0xffffffff81519e19

trace_hardirqs_on ./arch/x86/include/asm/jump_label.h:34

--------------------------------------

0xffffffff81519dd5

trace_hardirqs_on kernel/trace/trace_preemptirq.c:27

--------------------------------------

0xffffffff81519dda

trace_hardirqs_on kernel/trace/trace_preemptirq.c:28

--------------------------------------

0xffffffff81519dea

trace_hardirqs_on kernel/trace/trace_preemptirq.c:31

--------------------------------------

0xffffffff813cd270

lockdep_hardirqs_on kernel/locking/lockdep.c:3398

--------------------------------------

0xffffffff813cd286

lockdep_hardirqs_on kernel/locking/lockdep.c:3398

--------------------------------------

0xffffffff813cd3b3

lockdep_hardirqs_on ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff81519df3

trace_hardirqs_on kernel/trace/trace_preemptirq.c:31

--------------------------------------

0xffffffff81310e10

__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:762

--------------------------------------

0xffffffff81310e1c

__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:762

--------------------------------------

0xffffffff81310e26

__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:762

--------------------------------------

0xffffffff811fc860

native_irq_enable ./arch/x86/include/asm/irqflags.h:54

--------------------------------------

0xffffffff811fc861

native_irq_enable ./arch/x86/include/asm/irqflags.h:54

--------------------------------------

0xffffffff81310e2d

__local_bh_enable_ip ./arch/x86/include/asm/preempt.h:102

--------------------------------------

0xffffffff81310e3c

__local_bh_enable_ip ./arch/x86/include/asm/preempt.h:102

--------------------------------------

0xffffffff8431bc24

lock_sock_nested ./include/linux/bottom_half.h:32

--------------------------------------

0xffffffff84ea9aa5

sctp_sock_dump net/sctp/diag.c:311

--------------------------------------

0xffffffff84ea9ab1

sctp_sock_dump net/sctp/diag.c:311

--------------------------------------

0xffffffff84ea9e47

sctp_sock_dump ./include/net/sock.h:769

--------------------------------------

0xffffffff84ea9e64

sctp_sock_dump net/sctp/diag.c:345

--------------------------------------

0xffffffff84ea9e70

sctp_sock_dump net/sctp/diag.c:345

--------------------------------------

0xffffffff84ea9e81

sctp_sock_dump net/sctp/diag.c:346

--------------------------------------

0xffffffff84ea9e92

sctp_sock_dump net/sctp/diag.c:347

--------------------------------------

0xffffffff84ea9e9f

sctp_sock_dump net/sctp/diag.c:349

--------------------------------------

0xffffffff84323ee0

release_sock ./include/linux/spinlock.h:343

--------------------------------------

0xffffffff84323ef3

release_sock ./include/linux/spinlock.h:343

--------------------------------------

0xffffffff853fe570

_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:134

--------------------------------------

0xffffffff81310c20

__local_bh_disable_ip ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81310c40

__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:769

--------------------------------------

0xffffffff81310c4c

__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:769

--------------------------------------

0xffffffff81310c5a

__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:747

--------------------------------------

0xffffffff811a4920

native_save_fl arch/x86/kernel/irqflags.S:11

--------------------------------------

0xffffffff81310c61

__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:747

--------------------------------------

0xffffffff81310c70

__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:770

--------------------------------------

0xffffffff81310c7e

__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:757

--------------------------------------

0xffffffff811fc850

native_irq_disable ./arch/x86/include/asm/irqflags.h:49

--------------------------------------

0xffffffff811fc851

native_irq_disable ./arch/x86/include/asm/irqflags.h:49

--------------------------------------

0xffffffff81310c85

__local_bh_disable_ip ./arch/x86/include/asm/preempt.h:79

--------------------------------------

0xffffffff81310cd6

__local_bh_disable_ip kernel/softirq.c:129

--------------------------------------

0xffffffff813cd7e0

trace_softirqs_off ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813cd7f6

trace_softirqs_off ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813cd8ba

trace_softirqs_off ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81310cde

__local_bh_disable_ip kernel/softirq.c:129

--------------------------------------

0xffffffff81310c9b

__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff81310ca7

__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff81310cb5

__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:752

--------------------------------------

0xffffffff811a4930

native_restore_fl arch/x86/kernel/irqflags.S:22

--------------------------------------

0xffffffff81310cbf

__local_bh_disable_ip ./arch/x86/include/asm/preempt.h:26

--------------------------------------

0xffffffff81310ce0

__local_bh_disable_ip ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813d08f0

in_lock_functions kernel/locking/spinlock.c:396

--------------------------------------

0xffffffff813d08fb

in_lock_functions kernel/locking/spinlock.c:396

--------------------------------------

0xffffffff81310cf5

__local_bh_disable_ip ./include/linux/ftrace.h:796

--------------------------------------

0xffffffff81310cf9

__local_bh_disable_ip ./include/linux/ftrace.h:798

--------------------------------------

0xffffffff813d08f0

in_lock_functions kernel/locking/spinlock.c:396

--------------------------------------

0xffffffff813d0907

in_lock_functions kernel/locking/spinlock.c:396

--------------------------------------

0xffffffff81310d09

__local_bh_disable_ip ./include/linux/ftrace.h:799

--------------------------------------

0xffffffff81310d18

__local_bh_disable_ip ./include/linux/ftrace.h:801

--------------------------------------

0xffffffff81310d25

__local_bh_disable_ip ./include/linux/ftrace.h:801

--------------------------------------

0xffffffff853fe587

_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:135

--------------------------------------

0xffffffff813cbe80

lock_acquire ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff853fe5a3

_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:136

--------------------------------------

0xffffffff813d4290

do_raw_spin_lock kernel/locking/spinlock_debug.c:111

--------------------------------------

0xffffffff813d4300

do_raw_spin_lock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d4310

do_raw_spin_lock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d431d

do_raw_spin_lock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d4334

do_raw_spin_lock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d4341

do_raw_spin_lock ./include/linux/compiler.h:199

--------------------------------------

0xffffffff813d4355

do_raw_spin_lock ./include/asm-generic/qspinlock.h:76

--------------------------------------

0xffffffff813d436a

do_raw_spin_lock ./include/asm-generic/atomic-instrumented.h:694

--------------------------------------

0xffffffff813d4378

do_raw_spin_lock ./arch/x86/include/asm/atomic.h:200

--------------------------------------

0xffffffff813d438d

do_raw_spin_lock kernel/locking/spinlock_debug.c:115

--------------------------------------

0xffffffff813d439d

do_raw_spin_lock ./include/linux/compiler.h:225

--------------------------------------

0xffffffff813d43aa

do_raw_spin_lock ./arch/x86/include/asm/current.h:15

--------------------------------------

0xffffffff813d43dd

do_raw_spin_lock kernel/locking/spinlock_debug.c:92

--------------------------------------

0xffffffff853fe5ab

_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:136

--------------------------------------

0xffffffff84323f02

release_sock net/core/sock.c:2952

--------------------------------------

0xffffffff84323f0e

release_sock net/core/sock.c:2952

--------------------------------------

0xffffffff84323f25

release_sock net/core/sock.c:2958

--------------------------------------

0xffffffff84323f2a

release_sock net/core/sock.c:2958

--------------------------------------

0xffffffff84323f33

release_sock net/core/sock.c:2958

--------------------------------------

0xffffffff84323f44

release_sock net/core/sock.c:2958

--------------------------------------

0xffffffff84323f51

release_sock net/core/sock.c:2959

--------------------------------------

0xffffffff84323f56

release_sock net/core/sock.c:2959(Triggered a new bug: Control flow hijacking)

--------------------------------------

Total 531 basic block