======================================
| [  618.553975][T19316] ==================================================================
| [  618.554200][T19316] BUG: KASAN: slab-use-after-free in nfqnl_enqueue_packet (net/netfilter/nfnetlink_queue.c:1137) nfnetlink_queue
| [  618.554424][T19316] Write of size 1 at addr ff1100001cc9ae68 by task socat/19316
| [  618.554600][T19316]
[  618.554665][T19316] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  618.554667][T19316] Call Trace:
[  618.554669][T19316]  <TASK>
[  618.554670][T19316]  dump_stack_lvl (lib/dump_stack.c:122)
[  618.554678][T19316]  print_address_description.constprop.0 (mm/kasan/report.c:379)
[  618.554683][T19316]  print_report (mm/kasan/report.c:483)
[  618.554684][T19316]  ? nfqnl_enqueue_packet (net/netfilter/nfnetlink_queue.c:1137) nfnetlink_queue
[  618.554687][T19316]  ? __virt_addr_valid (./include/linux/rcupdate.h:981 (discriminator 3) ./include/linux/mmzone.h:2194 (discriminator 3) arch/x86/mm/physaddr.c:54 (discriminator 3))
[  618.554691][T19316]  ? nfqnl_enqueue_packet (net/netfilter/nfnetlink_queue.c:1137) nfnetlink_queue
[  618.554693][T19316]  kasan_report (mm/kasan/report.c:597)
[  618.554697][T19316]  ? nfqnl_enqueue_packet (net/netfilter/nfnetlink_queue.c:1137) nfnetlink_queue
[  618.554699][T19316] nfqnl_enqueue_packet (net/netfilter/nfnetlink_queue.c:1137) nfnetlink_queue
[  618.554702][T19316]  ? __nfqnl_enqueue_packet (net/netfilter/nfnetlink_queue.c:1076) nfnetlink_queue
[  618.554703][T19316]  ? nf_queue_entry_release_refs (./include/linux/netdevice.h:4380 (discriminator 36) ./include/linux/netdevice.h:4441 (discriminator 36) ./include/linux/netdevice.h:4466 (discriminator 36) net/netfilter/nf_queue.c:69 (discriminator 36))
[  618.554707][T19316]  ? __nf_queue (./include/linux/slab.h:961 net/netfilter/nf_queue.c:193)
[  618.554709][T19316]  __nf_queue (net/netfilter/nf_queue.c:226)
[  618.554710][T19316]  ? nft_do_chain_inet (net/netfilter/nft_chain_filter.c:161) nf_tables
[  618.554722][T19316]  ? nf_queue_entry_get_refs (net/netfilter/nf_queue.c:158)
[  618.554724][T19316]  nf_queue (net/netfilter/nf_queue.c:241)
[  618.554726][T19316]  nf_hook_slow (net/netfilter/core.c:636)
[  618.554729][T19316]  __ip_local_out (./include/linux/netfilter.h:273 net/ipv4/ip_output.c:120)
[  618.554731][T19316]  ? ip_output (net/ipv4/ip_output.c:103)
[  618.554732][T19316]  ? lock_acquire.part.0 (kernel/locking/lockdep.c:470 kernel/locking/lockdep.c:5870)
[  618.554735][T19316]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[  618.554737][T19316]  ? ip_append_data.part.0 (./include/net/dst.h:463)
[  618.554740][T19316]  ? ip4_dst_hoplimit (./include/linux/rcupdate.h:341 (discriminator 1) ./include/linux/rcupdate.h:897 (discriminator 1) ./include/net/route.h:395 (discriminator 1))
[  618.554742][T19316]  __ip_queue_xmit (net/ipv4/ip_output.c:129 net/ipv4/ip_output.c:534)
[  618.554744][T19316] sctp_packet_transmit (net/sctp/output.c:653 (discriminator 1)) sctp
[  618.554757][T19316] sctp_outq_flush_transports (net/sctp/outqueue.c:1174) sctp
[  618.554768][T19316] sctp_outq_flush (net/sctp/outqueue.c:1193) sctp
[  618.554775][T19316]  ? lock_acquire.part.0 (kernel/locking/lockdep.c:470 kernel/locking/lockdep.c:5870)
[  618.554777][T19316]  ? sctp_outq_flush_data (net/sctp/outqueue.c:1193) sctp
[  618.554784][T19316]  ? sctp_outq_tail (net/sctp/outqueue.c:90 (discriminator 1) net/sctp/outqueue.c:299 (discriminator 1)) sctp
[  618.554791][T19316] sctp_cmd_interpreter.isra.0 (net/sctp/sm_sideeffect.c:1826) sctp
[  618.554801][T19316]  ? sctp_generate_t1_cookie_event (net/sctp/sm_sideeffect.c:1275) sctp
[  618.554807][T19316]  ? rcu_lockdep_current_cpu_online (kernel/rcu/tree.c:4028 (discriminator 2) kernel/rcu/tree.c:4020 (discriminator 2))
[  618.554812][T19316] sctp_side_effects (net/sctp/sm_sideeffect.c:1204 (discriminator 1)) sctp
[  618.554819][T19316]  ? sctp_cmd_interpreter.isra.0 (net/sctp/sm_sideeffect.c:1195) sctp
[  618.554825][T19316]  ? __lock_acquire (kernel/locking/lockdep.c:5237 (discriminator 1))
[  618.554828][T19316]  ? br_deinit (net/bridge/br.c:73) bridge
[  618.554836][T19316] sctp_do_sm (net/sctp/sm_sideeffect.c:1175) sctp
[  618.554844][T19316]  ? sctp_cname (net/sctp/debug.c:128) sctp
[  618.554851][T19316]  ? __lock_release.isra.0 (kernel/locking/lockdep.c:5536)
[  618.554853][T19316]  ? sctp_do_8_2_transport_strike.isra.0 (net/sctp/sm_sideeffect.c:1153) sctp
[  618.554860][T19316]  ? __might_fault (mm/memory.c:7177 (discriminator 4))
[  618.554866][T19316]  ? sctp_datamsg_from_user (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:283 (discriminator 4) ./include/linux/refcount.h:366 (discriminator 4) ./include/linux/refcount.h:383 (discriminator 4) net/sctp/chunk.c:121 (discriminator 4) net/sctp/chunk.c:134 (discriminator 4) net/sctp/chunk.c:280 (discriminator 4)) sctp
[  618.554875][T19316]  ? skb_set_owner_w (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:283 (discriminator 4) net/core/sock.c:2733 (discriminator 4))
[  618.554879][T19316]  ? sock_recv_errqueue (net/core/sock.c:2717)
[  618.554881][T19316] sctp_primitive_SEND (net/sctp/primitive.c:163) sctp
[  618.554889][T19316] sctp_sendmsg_to_asoc (net/sctp/socket.c:1873) sctp
[  618.554898][T19316]  ? sctp_close (net/sctp/socket.c:1793) sctp
[  618.554904][T19316]  ? mark_held_locks (kernel/locking/lockdep.c:4325 (discriminator 1))
[  618.554907][T19316] sctp_sendmsg (net/sctp/socket.c:2030) sctp
[  618.554915][T19316]  ? sctp_sendmsg_new_asoc (net/sctp/socket.c:1943) sctp
[  618.554921][T19316]  ? current_time (./include/linux/fs.h:2305 fs/inode.c:2348)
[  618.554924][T19316]  ? new_sync_write (fs/read_write.c:814)
[  618.554927][T19316]  ? make_vfsuid (fs/mnt_idmapping.c:122)
[  618.554930][T19316]  ? ovl_path_next (fs/overlayfs/namei.c:1038)
[  618.554934][T19316]  ? atime_needs_update (fs/inode.c:2209)
[  618.554937][T19316]  sock_write_iter (net/socket.c:730 (discriminator 1) net/socket.c:742 (discriminator 1) net/socket.c:1195 (discriminator 1))
[  618.554938][T19316]  ? backing_file_read_iter (fs/backing-file.c:210)
[  618.554942][T19316]  ? ____sys_recvmsg (net/socket.c:1176)
[  618.554945][T19316]  ? ovl_mmap (fs/overlayfs/file.c:295)
[  618.554947][T19316]  ? ____sys_recvmsg (net/socket.c:1176)
[  618.554948][T19316]  new_sync_write (fs/read_write.c:594 (discriminator 1))
[  618.554950][T19316]  ? new_sync_read (fs/read_write.c:492 (discriminator 1))
[  618.554952][T19316]  ? new_sync_read (fs/read_write.c:584)
[  618.554954][T19316]  ? generic_atomic_write_valid (fs/read_write.c:482)
[  618.554956][T19316]  ? __set_current_blocked (kernel/signal.c:3271)
[  618.554959][T19316]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[  618.554961][T19316]  ? do_pselect.constprop.0 (fs/select.c:760 (discriminator 1))
[  618.554964][T19316]  vfs_write (fs/read_write.c:686)
[  618.554966][T19316]  ? vfs_read (fs/read_write.c:572)
[  618.554968][T19316]  ksys_write (fs/read_write.c:739)
[  618.554970][T19316]  ? __ia32_sys_read (fs/read_write.c:728)
[  618.554972][T19316]  ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 1) kernel/rcu/tree.c:751 (discriminator 1))
[  618.554974][T19316]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[  618.554979][T19316]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
[  618.554981][T19316] RIP: 0033:0x7fd5f9750c5e
[  618.554984][T19316] Code: 4d 89 d8 e8 34 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
All code
========
   0:	4d 89 d8             	mov    %r11,%r8
   3:	e8 34 bd 00 00       	call   0xbd3c
   8:	4c 8b 5d f8          	mov    -0x8(%rbp),%r11
   c:	41 8b 93 08 03 00 00 	mov    0x308(%r11),%edx
  13:	59                   	pop    %rcx
  14:	5e                   	pop    %rsi
  15:	48 83 f8 fc          	cmp    $0xfffffffffffffffc,%rax
  19:	74 11                	je     0x2c
  1b:	c9                   	leave
  1c:	c3                   	ret
  1d:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  24:	48 8b 45 10          	mov    0x10(%rbp),%rax
  28:	0f 05                	syscall
  2a:*	c9                   	leave		<-- trapping instruction
  2b:	c3                   	ret
  2c:	83 e2 39             	and    $0x39,%edx
  2f:	83 fa 08             	cmp    $0x8,%edx
  32:	75 e7                	jne    0x1b
  34:	e8 13 ff ff ff       	call   0xffffffffffffff4c
  39:	0f 1f 00             	nopl   (%rax)
  3c:	f3 0f 1e fa          	endbr64

Code starting with the faulting instruction
===========================================
   0:	c9                   	leave
   1:	c3                   	ret
   2:	83 e2 39             	and    $0x39,%edx
   5:	83 fa 08             	cmp    $0x8,%edx
   8:	75 e7                	jne    0xfffffffffffffff1
   a:	e8 13 ff ff ff       	call   0xffffffffffffff22
   f:	0f 1f 00             	nopl   (%rax)
  12:	f3 0f 1e fa          	endbr64
[  618.554987][T19316] RSP: 002b:00007fffca8a36c0 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[  618.554990][T19316] RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 00007fd5f9750c5e
[  618.554992][T19316] RDX: 0000000000002000 RSI: 000055fcf0fd4000 RDI: 0000000000000007
[  618.554993][T19316] RBP: 00007fffca8a36d0 R08: 0000000000000000 R09: 0000000000000000
[  618.554994][T19316] R10: 0000000000000000 R11: 0000000000000202 R12: 000055fcf0fd4000


Finger prints:
print_report:kasan_report:nfqnl_enqueue_packet:__nf_queue:nf_queue