KASAN: use-after-free Read in __lock_sock
Original report of the bug: https://syzkaller.appspot.com/bug?id=27934d200d11e2fbae5c715bfefad252f41785fb
Our system SyzScope detected 6 UAF writes, 2 arbitrary value writes, and 1 control flow hijacking in this bug.
We only exhibit the highest-risk one as a demonstration.
Fuzzer tested kernel version: 0a679e13
Primitive 1: Control flow hijacking in release_sock
Bug Impact analysis
One thread freed sk, but another thread is still using it.
/* Excerpt: the "..." lines elide code; only the two calls made on the freed socket are shown. */
static int sctp_sock_dump(struct sctp_transport *tsp, void *p)
{
...
lock_sock(sk); // sk was already freed by another thread; taking its lock reads freed memory. This is the UAF read syzbot reported originally.
...
release_sock(sk); // Inside release_sock, a function pointer loaded from the freed sk is dereferenced (see below).
return err;
}
/* Excerpt: the trailing "..." elides the rest of the function. */
void release_sock(struct sock *sk)
{
spin_lock_bh(&sk->sk_lock.slock); // The spinlock lives inside the freed object, so this is another access to freed memory.
if (sk->sk_backlog.tail)
__release_sock(sk);
if (sk->sk_prot->release_cb) // sk->sk_prot is read from the freed sk, so the release_cb pointer fetched through it is whatever now occupies that memory.
sk->sk_prot->release_cb(sk); // Indirect call through a pointer taken from freed memory: this is the control flow hijacking primitive.
...
}
The function pointer release_cb is eventually dereferenced from sk; because sk has been freed and its memory may have been reused, release_cb can point to any memory address. This makes it a control flow hijacking primitive.
High-level trace:
|__lock_acquire kernel/locking/lockdep.c:3974(Triggered the UAF read bug)
|lock_acquire ./arch/x86/include/asm/current.h:15
|_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:136
|__lock_sock ./include/linux/lockdep.h:361
|lock_sock_nested net/core/sock.c:2938
|sctp_sock_dump net/sctp/diag.c:311
|release_sock net/sctp/diag.c:349
|None net/core/sock.c:2959(Triggered a new bug: Control flow hijacking)
Detailed trace:
0xffffffff813c9d87
__lock_acquire kernel/locking/lockdep.c:3974(Triggered the UAF read bug)
--------------------------------------
0xffffffff813c9d95
__lock_acquire kernel/locking/lockdep.c:3830
--------------------------------------
0xffffffff813c9d9f
__lock_acquire kernel/locking/lockdep.c:3831
--------------------------------------
0xffffffff813c9dac
__lock_acquire kernel/locking/lockdep.c:3831
--------------------------------------
0xffffffff813c92a6
__lock_acquire kernel/locking/lockdep.c:3856
--------------------------------------
0xffffffff813c92bc
__lock_acquire kernel/locking/lockdep.c:3856
--------------------------------------
0xffffffff813c92d8
__lock_acquire kernel/locking/lockdep.c:3860
--------------------------------------
0xffffffff813c92e2
__lock_acquire kernel/locking/lockdep.c:3860
--------------------------------------
0xffffffff813c92ec
__lock_acquire kernel/locking/lockdep.c:3860
--------------------------------------
0xffffffff813c9332
__lock_acquire kernel/locking/lockdep.c:3866
--------------------------------------
0xffffffff813c9347
__lock_acquire kernel/locking/lockdep.c:3867
--------------------------------------
0xffffffff813c9371
__lock_acquire kernel/locking/lockdep.c:3884
--------------------------------------
0xffffffff813c938b
__lock_acquire kernel/locking/lockdep.c:3891
--------------------------------------
0xffffffff813c93ac
__lock_acquire kernel/locking/lockdep.c:3892
--------------------------------------
0xffffffff813c93bd
__lock_acquire kernel/locking/lockdep.c:3893
--------------------------------------
0xffffffff813c93d4
__lock_acquire kernel/locking/lockdep.c:3894
--------------------------------------
0xffffffff813c93eb
__lock_acquire kernel/locking/lockdep.c:3895
--------------------------------------
0xffffffff813c940a
__lock_acquire kernel/locking/lockdep.c:3900
--------------------------------------
0xffffffff813c9480
__lock_acquire kernel/locking/lockdep.c:3905
--------------------------------------
0xffffffff813c9490
__lock_acquire kernel/locking/lockdep.c:3550
--------------------------------------
0xffffffff813c9499
__lock_acquire kernel/locking/lockdep.c:3550
--------------------------------------
0xffffffff813c94aa
__lock_acquire kernel/locking/lockdep.c:3550
--------------------------------------
0xffffffff813c94b3
__lock_acquire kernel/locking/lockdep.c:3551
--------------------------------------
0xffffffff813c94c2
__lock_acquire kernel/locking/lockdep.c:3561
--------------------------------------
0xffffffff813c94ca
__lock_acquire kernel/locking/lockdep.c:3564
--------------------------------------
0xffffffff813c94d9
__lock_acquire kernel/locking/lockdep.c:3564
--------------------------------------
0xffffffff813c94e2
__lock_acquire kernel/locking/lockdep.c:3570
--------------------------------------
0xffffffff813c9e0b
__lock_acquire kernel/locking/lockdep.c:3579
--------------------------------------
0xffffffff813c8670
mark_lock kernel/locking/lockdep.c:3633
--------------------------------------
0xffffffff813c86b7
mark_lock kernel/locking/lockdep.c:3634
--------------------------------------
0xffffffff813c86cc
mark_lock kernel/locking/lockdep.c:3642
--------------------------------------
0xffffffff813c86f2
mark_lock ./arch/x86/include/asm/bitops.h:214
--------------------------------------
0xffffffff813c8700
mark_lock kernel/locking/lockdep.c:175
--------------------------------------
0xffffffff813c8717
mark_lock kernel/locking/lockdep.c:175
--------------------------------------
0xffffffff813c87de
mark_lock kernel/locking/lockdep.c:167
--------------------------------------
0xffffffff813c5340
graph_lock kernel/locking/lockdep.c:91
--------------------------------------
0xffffffff813c53b5
graph_lock ./include/asm-generic/atomic-instrumented.h:694
--------------------------------------
0xffffffff813c53c3
graph_lock ./arch/x86/include/asm/atomic.h:200
--------------------------------------
0xffffffff813c53d9
graph_lock kernel/locking/lockdep.c:99
--------------------------------------
0xffffffff813c53e5
graph_lock kernel/locking/lockdep.c:99
--------------------------------------
0xffffffff813c5445
graph_lock ./arch/x86/include/asm/paravirt.h:643
--------------------------------------
0xffffffff813c5451
graph_lock ./arch/x86/include/asm/paravirt.h:643
--------------------------------------
0xffffffff813c545b
graph_lock ./arch/x86/include/asm/paravirt.h:643
--------------------------------------
0xffffffff813c5465
graph_lock ./arch/x86/include/asm/paravirt.h:643
--------------------------------------
0xffffffff813c5416
graph_lock kernel/locking/lockdep.c:105
--------------------------------------
0xffffffff813c543a
graph_lock kernel/locking/lockdep.c:105
--------------------------------------
0xffffffff813c87e7
mark_lock kernel/locking/lockdep.c:3645
--------------------------------------
0xffffffff813c86a2
mark_lock kernel/locking/lockdep.c:3634
--------------------------------------
0xffffffff813c9e1b
__lock_acquire kernel/locking/lockdep.c:3579
--------------------------------------
0xffffffff813c9d31
__lock_acquire kernel/locking/lockdep.c:3974
--------------------------------------
0xffffffff813c9d6d
__lock_acquire kernel/locking/lockdep.c:3974
--------------------------------------
0xffffffff813cbf9e
lock_acquire ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813cbfae
lock_acquire ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813cbfc4
lock_acquire ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff813cbfd2
lock_acquire ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff811a4930
native_restore_fl arch/x86/kernel/irqflags.S:22
--------------------------------------
0xffffffff813cbfdd
lock_acquire ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff853fe5a3
_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:136
--------------------------------------
0xffffffff813d4290
do_raw_spin_lock kernel/locking/spinlock_debug.c:111
--------------------------------------
0xffffffff813d4300
do_raw_spin_lock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d4310
do_raw_spin_lock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d431d
do_raw_spin_lock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d4334
do_raw_spin_lock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d4341
do_raw_spin_lock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d4355
do_raw_spin_lock ./include/asm-generic/qspinlock.h:76
--------------------------------------
0xffffffff813d436a
do_raw_spin_lock ./include/asm-generic/atomic-instrumented.h:694
--------------------------------------
0xffffffff813d4378
do_raw_spin_lock ./arch/x86/include/asm/atomic.h:200
--------------------------------------
0xffffffff813d438d
do_raw_spin_lock kernel/locking/spinlock_debug.c:115
--------------------------------------
0xffffffff813d439d
do_raw_spin_lock ./include/linux/compiler.h:225
--------------------------------------
0xffffffff813d43aa
do_raw_spin_lock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813d43dd
do_raw_spin_lock kernel/locking/spinlock_debug.c:92
--------------------------------------
0xffffffff853fe5ab
_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:136
--------------------------------------
0xffffffff8431ba8d
__lock_sock ./include/linux/lockdep.h:361
--------------------------------------
0xffffffff813c67e0
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c680f
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c681d
lock_is_held_type ./arch/x86/include/asm/paravirt.h:769
--------------------------------------
0xffffffff813c6829
lock_is_held_type ./arch/x86/include/asm/paravirt.h:769
--------------------------------------
0xffffffff813c6837
lock_is_held_type ./arch/x86/include/asm/paravirt.h:747
--------------------------------------
0xffffffff811a4920
native_save_fl arch/x86/kernel/irqflags.S:11
--------------------------------------
0xffffffff813c683e
lock_is_held_type ./arch/x86/include/asm/paravirt.h:747
--------------------------------------
0xffffffff813c684e
lock_is_held_type ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff813c685c
lock_is_held_type ./arch/x86/include/asm/paravirt.h:757
--------------------------------------
0xffffffff811fc850
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff811fc851
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff813c6863
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c6875
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c6887
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ba
lock_is_held_type kernel/locking/lockdep.c:4303
--------------------------------------
0xffffffff813c5e90
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eb0
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eba
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5ec3
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5fa8
match_held_lock kernel/locking/lockdep.c:833
--------------------------------------
0xffffffff813c68d4
lock_is_held_type kernel/locking/lockdep.c:4305
--------------------------------------
0xffffffff813c68a1
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ad
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ba
lock_is_held_type kernel/locking/lockdep.c:4303
--------------------------------------
0xffffffff813c5e90
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eb0
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eba
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5ec3
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5fa8
match_held_lock kernel/locking/lockdep.c:833
--------------------------------------
0xffffffff813c68d4
lock_is_held_type kernel/locking/lockdep.c:4305
--------------------------------------
0xffffffff813c68a1
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ad
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ba
lock_is_held_type kernel/locking/lockdep.c:4303
--------------------------------------
0xffffffff813c5e90
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eb0
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eba
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5ec3
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5fa8
match_held_lock kernel/locking/lockdep.c:833
--------------------------------------
0xffffffff813c68d4
lock_is_held_type kernel/locking/lockdep.c:4305
--------------------------------------
0xffffffff813c68a1
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ad
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ba
lock_is_held_type kernel/locking/lockdep.c:4303
--------------------------------------
0xffffffff813c5e90
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eb0
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eba
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5ec3
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5fa8
match_held_lock kernel/locking/lockdep.c:833
--------------------------------------
0xffffffff813c68d4
lock_is_held_type kernel/locking/lockdep.c:4305
--------------------------------------
0xffffffff813c68a1
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ad
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c6952
lock_is_held_type ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff813c6900
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c6915
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c692b
lock_is_held_type ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff813c6935
lock_is_held_type ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff811a4930
native_restore_fl arch/x86/kernel/irqflags.S:22
--------------------------------------
0xffffffff813c6940
lock_is_held_type ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff8431ba9a
__lock_sock ./include/linux/lockdep.h:361
--------------------------------------
0xffffffff8431baa6
__lock_sock ./include/linux/lockdep.h:361
--------------------------------------
0xffffffff8431baab
__lock_sock ./include/linux/lockdep.h:361
--------------------------------------
0xffffffff8431bab0
__lock_sock ./include/linux/lockdep.h:361
--------------------------------------
0xffffffff813c67e0
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c680f
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c681d
lock_is_held_type ./arch/x86/include/asm/paravirt.h:769
--------------------------------------
0xffffffff813c6829
lock_is_held_type ./arch/x86/include/asm/paravirt.h:769
--------------------------------------
0xffffffff813c6837
lock_is_held_type ./arch/x86/include/asm/paravirt.h:747
--------------------------------------
0xffffffff811a4920
native_save_fl arch/x86/kernel/irqflags.S:11
--------------------------------------
0xffffffff813c683e
lock_is_held_type ./arch/x86/include/asm/paravirt.h:747
--------------------------------------
0xffffffff813c684e
lock_is_held_type ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff813c685c
lock_is_held_type ./arch/x86/include/asm/paravirt.h:757
--------------------------------------
0xffffffff811fc850
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff811fc851
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff813c6863
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c6875
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c6887
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ba
lock_is_held_type kernel/locking/lockdep.c:4303
--------------------------------------
0xffffffff813c5e90
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eb0
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eba
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5ec3
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5fa8
match_held_lock kernel/locking/lockdep.c:833
--------------------------------------
0xffffffff813c68d4
lock_is_held_type kernel/locking/lockdep.c:4305
--------------------------------------
0xffffffff813c68a1
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ad
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ba
lock_is_held_type kernel/locking/lockdep.c:4303
--------------------------------------
0xffffffff813c5e90
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eb0
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eba
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5ec3
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5fa8
match_held_lock kernel/locking/lockdep.c:833
--------------------------------------
0xffffffff813c68d4
lock_is_held_type kernel/locking/lockdep.c:4305
--------------------------------------
0xffffffff813c68a1
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ad
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ba
lock_is_held_type kernel/locking/lockdep.c:4303
--------------------------------------
0xffffffff813c5e90
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eb0
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eba
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5ec3
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5fa8
match_held_lock kernel/locking/lockdep.c:833
--------------------------------------
0xffffffff813c68d4
lock_is_held_type kernel/locking/lockdep.c:4305
--------------------------------------
0xffffffff813c68a1
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ad
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ba
lock_is_held_type kernel/locking/lockdep.c:4303
--------------------------------------
0xffffffff813c5e90
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eb0
match_held_lock kernel/locking/lockdep.c:4013
--------------------------------------
0xffffffff813c5eba
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5ec3
match_held_lock kernel/locking/lockdep.c:4016
--------------------------------------
0xffffffff813c5fa8
match_held_lock kernel/locking/lockdep.c:833
--------------------------------------
0xffffffff813c68d4
lock_is_held_type kernel/locking/lockdep.c:4305
--------------------------------------
0xffffffff813c68a1
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c68ad
lock_is_held_type kernel/locking/lockdep.c:4302
--------------------------------------
0xffffffff813c6952
lock_is_held_type ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff813c6900
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c6915
lock_is_held_type ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c692b
lock_is_held_type ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff813c6935
lock_is_held_type ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff811a4930
native_restore_fl arch/x86/kernel/irqflags.S:22
--------------------------------------
0xffffffff813c6940
lock_is_held_type ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff8431bac1
__lock_sock ./include/linux/lockdep.h:361
--------------------------------------
0xffffffff8431bacd
__lock_sock ./include/linux/lockdep.h:361
--------------------------------------
0xffffffff8431bad6
__lock_sock ./include/linux/lockdep.h:361
--------------------------------------
0xffffffff8431badb
__lock_sock ./include/linux/lockdep.h:361
--------------------------------------
0xffffffff8431bae7
__lock_sock ./include/linux/lockdep.h:361
--------------------------------------
0xffffffff8431bafa
__lock_sock ./include/linux/lockdep.h:361
--------------------------------------
0xffffffff8431ba33
__lock_sock ./include/net/sock.h:1570
--------------------------------------
0xffffffff8431ba38
__lock_sock ./include/net/sock.h:1570
--------------------------------------
0xffffffff8431ba44
__lock_sock ./include/net/sock.h:1570
--------------------------------------
0xffffffff8431ba56
__lock_sock ./include/net/sock.h:1570
--------------------------------------
0xffffffff8431bb14
__lock_sock net/core/sock.c:2418
--------------------------------------
0xffffffff8431bb19
__lock_sock net/core/sock.c:2418
--------------------------------------
0xffffffff813b07a0
finish_wait ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813b07cd
finish_wait ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813b07e3
finish_wait ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813b07fc
finish_wait ./include/linux/list.h:301
--------------------------------------
0xffffffff813b0891
finish_wait ./include/linux/spinlock.h:393
--------------------------------------
0xffffffff813b0899
finish_wait ./include/linux/spinlock.h:393
--------------------------------------
0xffffffff813b08a3
finish_wait ./include/linux/spinlock.h:393
--------------------------------------
0xffffffff813b0882
finish_wait ./include/linux/spinlock.h:393
--------------------------------------
0xffffffff8431bb28
__lock_sock net/core/sock.c:2418
--------------------------------------
0xffffffff8431bb57
__lock_sock net/core/sock.c:2418
--------------------------------------
0xffffffff8431bc40
lock_sock_nested net/core/sock.c:2938
--------------------------------------
0xffffffff8431bbcf
lock_sock_nested net/core/sock.c:2939
--------------------------------------
0xffffffff8431bbd4
lock_sock_nested net/core/sock.c:2939
--------------------------------------
0xffffffff8431bbdc
lock_sock_nested net/core/sock.c:2939
--------------------------------------
0xffffffff853fe6b0
_raw_spin_unlock ./include/linux/spinlock_api_smp.h:150
--------------------------------------
0xffffffff813cb9f0
lock_release kernel/locking/lockdep.c:4492
--------------------------------------
0xffffffff853fe6c6
_raw_spin_unlock ./include/linux/spinlock_api_smp.h:151
--------------------------------------
0xffffffff813d45a0
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813d45b6
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813d45c5
do_raw_spin_unlock ./include/asm-generic/atomic-instrumented.h:26
--------------------------------------
0xffffffff813d45d2
do_raw_spin_unlock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d45da
do_raw_spin_unlock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d45e6
do_raw_spin_unlock kernel/locking/spinlock_debug.c:99
--------------------------------------
0xffffffff813d45f3
do_raw_spin_unlock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813d4607
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813d4614
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813d4626
do_raw_spin_unlock ./include/linux/compiler.h:226
--------------------------------------
0xffffffff813d462e
do_raw_spin_unlock ./include/linux/compiler.h:226
--------------------------------------
0xffffffff813d463f
do_raw_spin_unlock ./include/linux/compiler.h:225
--------------------------------------
0xffffffff813d4654
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:643
--------------------------------------
0xffffffff813d4662
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:643
--------------------------------------
0xffffffff813d466c
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:643
--------------------------------------
0xffffffff853fe6ce
_raw_spin_unlock ./include/linux/spinlock_api_smp.h:152
--------------------------------------
0xffffffff81375a50
preempt_count_sub kernel/sched/core.c:3812
--------------------------------------
0xffffffff81375a63
preempt_count_sub kernel/sched/core.c:3812
--------------------------------------
0xffffffff81375a6d
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81375a80
preempt_count_sub kernel/sched/core.c:3817
--------------------------------------
0xffffffff81375aca
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81375a88
preempt_count_sub ./arch/x86/include/asm/preempt.h:84
--------------------------------------
0xffffffff853fe6d8
_raw_spin_unlock ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff853fe6e3
_raw_spin_unlock ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff8431bbee
lock_sock_nested net/core/sock.c:2944
--------------------------------------
0xffffffff813cbe80
lock_acquire ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff8431bc0d
lock_sock_nested ./include/linux/bottom_half.h:32
--------------------------------------
0xffffffff8431bc13
lock_sock_nested ./include/linux/bottom_half.h:32
--------------------------------------
0xffffffff81310d50
__local_bh_enable_ip ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81310d70
__local_bh_enable_ip kernel/softirq.c:169
--------------------------------------
0xffffffff81310d7c
__local_bh_enable_ip kernel/softirq.c:169
--------------------------------------
0xffffffff81310daa
__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:757
--------------------------------------
0xffffffff81310db6
__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:757
--------------------------------------
0xffffffff81310dc4
__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:757
--------------------------------------
0xffffffff811fc850
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff811fc851
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff81310dcb
__local_bh_enable_ip kernel/softirq.c:171
--------------------------------------
0xffffffff81519bb0
trace_hardirqs_off kernel/trace/trace_preemptirq.c:38
--------------------------------------
0xffffffff81519bc2
trace_hardirqs_off kernel/trace/trace_preemptirq.c:38
--------------------------------------
0xffffffff81519bd2
trace_hardirqs_off kernel/trace/trace_preemptirq.c:38
--------------------------------------
0xffffffff81519c00
trace_hardirqs_off kernel/trace/trace_preemptirq.c:45
--------------------------------------
0xffffffff81519c05
trace_hardirqs_off kernel/trace/trace_preemptirq.c:45
--------------------------------------
0xffffffff813cd510
lockdep_hardirqs_off ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813cd526
lockdep_hardirqs_off ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813cd5cc
lockdep_hardirqs_off kernel/locking/lockdep.c:3464
--------------------------------------
0xffffffff81519c0e
trace_hardirqs_off kernel/trace/trace_preemptirq.c:45
--------------------------------------
0xffffffff81310dd0
__local_bh_enable_ip ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81310e85
__local_bh_enable_ip kernel/softirq.c:177
--------------------------------------
0xffffffff813cd630
trace_softirqs_on ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813cd648
trace_softirqs_on ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813cd767
trace_softirqs_on ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff81310e8d
__local_bh_enable_ip kernel/softirq.c:177
--------------------------------------
0xffffffff81310de7
__local_bh_enable_ip kernel/softirq.c:182
--------------------------------------
0xffffffff81375a50
preempt_count_sub kernel/sched/core.c:3812
--------------------------------------
0xffffffff81375a63
preempt_count_sub kernel/sched/core.c:3812
--------------------------------------
0xffffffff81375a6d
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81375a80
preempt_count_sub kernel/sched/core.c:3817
--------------------------------------
0xffffffff81375a88
preempt_count_sub ./arch/x86/include/asm/preempt.h:84
--------------------------------------
0xffffffff81310def
__local_bh_enable_ip ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81310e9d
__local_bh_enable_ip kernel/softirq.c:184
--------------------------------------
0xffffffff82ac4b20
__this_cpu_preempt_check lib/smp_processor_id.c:64
--------------------------------------
0xffffffff82ac4b31
__this_cpu_preempt_check lib/smp_processor_id.c:64
--------------------------------------
0xffffffff82ac4b4e
__this_cpu_preempt_check ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff82ac4b52
__this_cpu_preempt_check lib/smp_processor_id.c:52
--------------------------------------
0xffffffff82ac4b57
__this_cpu_preempt_check lib/smp_processor_id.c:52
--------------------------------------
0xffffffff81310ea9
__local_bh_enable_ip kernel/softirq.c:184
--------------------------------------
0xffffffff81310e01
__local_bh_enable_ip kernel/softirq.c:192
--------------------------------------
0xffffffff81375a50
preempt_count_sub kernel/sched/core.c:3812
--------------------------------------
0xffffffff81375a63
preempt_count_sub kernel/sched/core.c:3812
--------------------------------------
0xffffffff81375a6d
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81375a80
preempt_count_sub kernel/sched/core.c:3817
--------------------------------------
0xffffffff81375aca
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81375a88
preempt_count_sub ./arch/x86/include/asm/preempt.h:84
--------------------------------------
0xffffffff81310e0b
__local_bh_enable_ip kernel/softirq.c:194
--------------------------------------
0xffffffff81519d90
trace_hardirqs_on kernel/trace/trace_preemptirq.c:24
--------------------------------------
0xffffffff81519da2
trace_hardirqs_on kernel/trace/trace_preemptirq.c:24
--------------------------------------
0xffffffff81519db2
trace_hardirqs_on kernel/trace/trace_preemptirq.c:24
--------------------------------------
0xffffffff81519db6
trace_hardirqs_on ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81519dbb
trace_hardirqs_on ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81519dd1
trace_hardirqs_on ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81519dfe
trace_hardirqs_on kernel/trace/trace_preemptirq.c:26
--------------------------------------
0xffffffff81519e03
trace_hardirqs_on kernel/trace/trace_preemptirq.c:26
--------------------------------------
0xffffffff81519e19
trace_hardirqs_on ./arch/x86/include/asm/jump_label.h:34
--------------------------------------
0xffffffff81519dd5
trace_hardirqs_on kernel/trace/trace_preemptirq.c:27
--------------------------------------
0xffffffff81519dda
trace_hardirqs_on kernel/trace/trace_preemptirq.c:28
--------------------------------------
0xffffffff81519dea
trace_hardirqs_on kernel/trace/trace_preemptirq.c:31
--------------------------------------
0xffffffff813cd270
lockdep_hardirqs_on kernel/locking/lockdep.c:3398
--------------------------------------
0xffffffff813cd286
lockdep_hardirqs_on kernel/locking/lockdep.c:3398
--------------------------------------
0xffffffff813cd3b3
lockdep_hardirqs_on ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff81519df3
trace_hardirqs_on kernel/trace/trace_preemptirq.c:31
--------------------------------------
0xffffffff81310e10
__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:762
--------------------------------------
0xffffffff81310e1c
__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:762
--------------------------------------
0xffffffff81310e26
__local_bh_enable_ip ./arch/x86/include/asm/paravirt.h:762
--------------------------------------
0xffffffff811fc860
native_irq_enable ./arch/x86/include/asm/irqflags.h:54
--------------------------------------
0xffffffff811fc861
native_irq_enable ./arch/x86/include/asm/irqflags.h:54
--------------------------------------
0xffffffff81310e2d
__local_bh_enable_ip ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff81310e3c
__local_bh_enable_ip ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff8431bc24
lock_sock_nested ./include/linux/bottom_half.h:32
--------------------------------------
0xffffffff84ea9aa5
sctp_sock_dump net/sctp/diag.c:311
--------------------------------------
0xffffffff84ea9ab1
sctp_sock_dump net/sctp/diag.c:311
--------------------------------------
0xffffffff84ea9e47
sctp_sock_dump ./include/net/sock.h:769
--------------------------------------
0xffffffff84ea9e64
sctp_sock_dump net/sctp/diag.c:345
--------------------------------------
0xffffffff84ea9e70
sctp_sock_dump net/sctp/diag.c:345
--------------------------------------
0xffffffff84ea9e81
sctp_sock_dump net/sctp/diag.c:346
--------------------------------------
0xffffffff84ea9e92
sctp_sock_dump net/sctp/diag.c:347
--------------------------------------
0xffffffff84ea9e9f
sctp_sock_dump net/sctp/diag.c:349
--------------------------------------
0xffffffff84323ee0
release_sock ./include/linux/spinlock.h:343
--------------------------------------
0xffffffff84323ef3
release_sock ./include/linux/spinlock.h:343
--------------------------------------
0xffffffff853fe570
_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:134
--------------------------------------
0xffffffff81310c20
__local_bh_disable_ip ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81310c40
__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:769
--------------------------------------
0xffffffff81310c4c
__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:769
--------------------------------------
0xffffffff81310c5a
__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:747
--------------------------------------
0xffffffff811a4920
native_save_fl arch/x86/kernel/irqflags.S:11
--------------------------------------
0xffffffff81310c61
__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:747
--------------------------------------
0xffffffff81310c70
__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff81310c7e
__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:757
--------------------------------------
0xffffffff811fc850
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff811fc851
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff81310c85
__local_bh_disable_ip ./arch/x86/include/asm/preempt.h:79
--------------------------------------
0xffffffff81310cd6
__local_bh_disable_ip kernel/softirq.c:129
--------------------------------------
0xffffffff813cd7e0
trace_softirqs_off ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813cd7f6
trace_softirqs_off ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813cd8ba
trace_softirqs_off ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81310cde
__local_bh_disable_ip kernel/softirq.c:129
--------------------------------------
0xffffffff81310c9b
__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff81310ca7
__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff81310cb5
__local_bh_disable_ip ./arch/x86/include/asm/paravirt.h:752
--------------------------------------
0xffffffff811a4930
native_restore_fl arch/x86/kernel/irqflags.S:22
--------------------------------------
0xffffffff81310cbf
__local_bh_disable_ip ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81310ce0
__local_bh_disable_ip ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813d08f0
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff813d08fb
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff81310cf5
__local_bh_disable_ip ./include/linux/ftrace.h:796
--------------------------------------
0xffffffff81310cf9
__local_bh_disable_ip ./include/linux/ftrace.h:798
--------------------------------------
0xffffffff813d08f0
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff813d0907
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff81310d09
__local_bh_disable_ip ./include/linux/ftrace.h:799
--------------------------------------
0xffffffff81310d18
__local_bh_disable_ip ./include/linux/ftrace.h:801
--------------------------------------
0xffffffff81310d25
__local_bh_disable_ip ./include/linux/ftrace.h:801
--------------------------------------
0xffffffff853fe587
_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:135
--------------------------------------
0xffffffff813cbe80
lock_acquire ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff853fe5a3
_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:136
--------------------------------------
0xffffffff813d4290
do_raw_spin_lock kernel/locking/spinlock_debug.c:111
--------------------------------------
0xffffffff813d4300
do_raw_spin_lock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d4310
do_raw_spin_lock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d431d
do_raw_spin_lock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d4334
do_raw_spin_lock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d4341
do_raw_spin_lock ./include/linux/compiler.h:199
--------------------------------------
0xffffffff813d4355
do_raw_spin_lock ./include/asm-generic/qspinlock.h:76
--------------------------------------
0xffffffff813d436a
do_raw_spin_lock ./include/asm-generic/atomic-instrumented.h:694
--------------------------------------
0xffffffff813d4378
do_raw_spin_lock ./arch/x86/include/asm/atomic.h:200
--------------------------------------
0xffffffff813d438d
do_raw_spin_lock kernel/locking/spinlock_debug.c:115
--------------------------------------
0xffffffff813d439d
do_raw_spin_lock ./include/linux/compiler.h:225
--------------------------------------
0xffffffff813d43aa
do_raw_spin_lock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813d43dd
do_raw_spin_lock kernel/locking/spinlock_debug.c:92
--------------------------------------
0xffffffff853fe5ab
_raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:136
--------------------------------------
0xffffffff84323f02
release_sock net/core/sock.c:2952
--------------------------------------
0xffffffff84323f0e
release_sock net/core/sock.c:2952
--------------------------------------
0xffffffff84323f25
release_sock net/core/sock.c:2958
--------------------------------------
0xffffffff84323f2a
release_sock net/core/sock.c:2958
--------------------------------------
0xffffffff84323f33
release_sock net/core/sock.c:2958
--------------------------------------
0xffffffff84323f44
release_sock net/core/sock.c:2958
--------------------------------------
0xffffffff84323f51
release_sock net/core/sock.c:2959
--------------------------------------
0xffffffff84323f56
release_sock net/core/sock.c:2959(Triggered a new bug: Control flow hijacking)
--------------------------------------
Total: 531 basic blocks