==================================================================
BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x3ba2/0x5490 kernel/locking/lockdep.c:3664
Read of size 8 at addr ffff8880963e3fc0 by task syz-executor.0/1082

CPU: 1 PID: 1082 Comm: syz-executor.0 Not tainted 5.2.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 __lock_acquire+0x3ba2/0x5490 kernel/locking/lockdep.c:3664
 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4302
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:338 [inline]
 rhashtable_walk_enter+0xf9/0x390 lib/rhashtable.c:669
 __tipc_dump_start+0x1fa/0x3c0 net/tipc/socket.c:3414
 tipc_dump_start+0x70/0x90 net/tipc/socket.c:3396
 __netlink_dump_start+0x4f8/0x7d0 net/netlink/af_netlink.c:2351
 netlink_dump_start include/linux/netlink.h:226 [inline]
 tipc_sock_diag_handler_dump+0x1d9/0x270 net/tipc/diag.c:91
 __sock_diag_cmd net/core/sock_diag.c:232 [inline]
 sock_diag_rcv_msg+0x319/0x410 net/core/sock_diag.c:263
 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2486
 sock_diag_rcv+0x2b/0x40 net/core/sock_diag.c:274
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1926
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:671
 ___sys_sendmsg+0x803/0x920 net/socket.c:2292
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2330
 __do_sys_sendmsg net/socket.c:2339 [inline]
 __se_sys_sendmsg net/socket.c:2337 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2337
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1019df3c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1019df46d4
R13: 00000000004c6c94 R14: 00000000004dba90 R15: 00000000ffffffff

Allocated by task 789:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:497
 slab_post_alloc_hook mm/slab.h:437 [inline]
 slab_alloc mm/slab.c:3326 [inline]
 kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3488
 __sigqueue_alloc+0x268/0x4d0 kernel/signal.c:423
 __send_signal+0xda0/0x1580 kernel/signal.c:1126
 send_signal+0x49/0xd0 kernel/signal.c:1209
 force_sig_info+0x251/0x310 kernel/signal.c:1300
 force_sig_fault+0xbb/0xf0 kernel/signal.c:1597
 __bad_area_nosemaphore+0x332/0x420 arch/x86/mm/fault.c:921
 __bad_area arch/x86/mm/fault.c:950 [inline]
 bad_area+0x69/0x80 arch/x86/mm/fault.c:956
 do_user_addr_fault arch/x86/mm/fault.c:1420 [inline]
 __do_page_fault+0x996/0xda0 arch/x86/mm/fault.c:1523
 do_page_fault+0x71/0x57d arch/x86/mm/fault.c:1554
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1156

Freed by task 789:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3698
 __sigqueue_free.part.0+0x74/0x90 kernel/signal.c:446
 __sigqueue_free kernel/signal.c:442 [inline]
 dequeue_synchronous_signal kernel/signal.c:733 [inline]
 get_signal+0xd49/0x2240 kernel/signal.c:2525
 do_signal+0x87/0x1900 arch/x86/kernel/signal.c:815
 exit_to_usermode_loop+0x244/0x2c0 arch/x86/entry/common.c:164
 prepare_exit_to_usermode+0x2e4/0x350 arch/x86/entry/common.c:199
 retint_user+0x8/0x18

The buggy address belongs to the object at ffff8880963e3f50
 which belongs to the cache sigqueue of size 80
The buggy address is located 32 bytes to the right of
 80-byte region [ffff8880963e3f50, ffff8880963e3fa0)
The buggy address belongs to the page:
page:ffffea000258f8c0 refcount:1 mapcount:0 mapping:ffff88821bc48800 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00029e0288 ffffea00029e0fc8 ffff88821bc48800
raw: 0000000000000000 ffff8880963e3000 0000000100000024 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880963e3e80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
 ffff8880963e3f00: fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb fb
>ffff8880963e3f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff8880963e4000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880963e4080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================