tipc: 32-bit node address hash set to f1414ac
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:268 [inline]
BUG: KASAN: use-after-free in tipc_named_reinit+0x1b0/0x340 net/tipc/name_distr.c:344
Read of size 8 at addr ffff8881eec5e000 by task kworker/1:3/331
CPU: 1 PID: 331 Comm: kworker/1:3 Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: events tipc_net_finalize_work
Call Trace:
__dump_stack+0x1e/0x20 lib/dump_stack.c:77
dump_stack+0x15b/0x1b8 lib/dump_stack.c:118
print_address_description+0x8d/0x4c0 mm/kasan/report.c:384
__kasan_report+0xef/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
__read_once_size include/linux/compiler.h:268 [inline]
tipc_named_reinit+0x1b0/0x340 net/tipc/name_distr.c:344
tipc_net_finalize+0xcd/0x130 net/tipc/net.c:132
tipc_net_finalize_work+0x4f/0x70 net/tipc/net.c:144
process_one_work+0x73b/0xcc0 kernel/workqueue.c:2290
worker_thread+0xa5c/0x13b0 kernel/workqueue.c:2436
kthread+0x31e/0x3a0 kernel/kthread.c:288
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
The buggy address belongs to the page:
page:ffffea0007bb1780 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 ffffea0007bb1788 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x35e/0x370 mm/page_alloc.c:2171
get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894
__alloc_pages include/linux/gfp.h:503 [inline]
__alloc_pages_node include/linux/gfp.h:516 [inline]
alloc_pages_node include/linux/gfp.h:530 [inline]
kmalloc_order mm/slab_common.c:1342 [inline]
kmalloc_order_trace+0x31/0x100 mm/slab_common.c:1358
kmalloc_large include/linux/slab.h:485 [inline]
kmalloc include/linux/slab.h:549 [inline]
kzalloc include/linux/slab.h:690 [inline]
tipc_nametbl_init+0x99/0x260 net/tipc/name_table.c:738
tipc_init_net+0x237/0x370 net/tipc/core.c:74
ops_init+0x1ba/0x4a0 net/core/net_namespace.c:141
setup_net+0x20c/0x9b0 net/core/net_namespace.c:348
copy_net_ns+0x314/0x520 net/core/net_namespace.c:489
create_new_namespaces+0x49c/0x590 kernel/nsproxy.c:103
unshare_nsproxy_namespaces+0x120/0x170 kernel/nsproxy.c:202
ksys_unshare+0x4a4/0x7d0 kernel/fork.c:2908
__do_sys_unshare kernel/fork.c:2976 [inline]
__se_sys_unshare kernel/fork.c:2974 [inline]
__x64_sys_unshare+0x38/0x40 kernel/fork.c:2974
do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1176 [inline]
__free_pages_ok+0x7e4/0x910 mm/page_alloc.c:1438
free_the_page mm/page_alloc.c:4956 [inline]
__free_pages+0x8c/0x110 mm/page_alloc.c:4962
kfree+0x1ca/0x260 mm/slub.c:4068
tipc_nametbl_stop+0x754/0x7b0 net/tipc/name_table.c:798
tipc_exit_net+0x96/0x100 net/tipc/core.c:108
ops_exit_list net/core/net_namespace.c:182 [inline]
cleanup_net+0x588/0xb40 net/core/net_namespace.c:612
process_one_work+0x73b/0xcc0 kernel/workqueue.c:2290
worker_thread+0xa5c/0x13b0 kernel/workqueue.c:2436
kthread+0x31e/0x3a0 kernel/kthread.c:288
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Memory state around the buggy address:
ffff8881eec5df00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881eec5df80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881eec5e000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8881eec5e080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881eec5e100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 331 Comm: kworker/1:3 Tainted: G B 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: events tipc_net_finalize_work
RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline]
RIP: 0010:__rht_bucket_nested lib/rhashtable.c:-1 [inline]
RIP: 0010:rht_bucket_nested+0x9a/0x1b0 lib/rhashtable.c:1203
Code: e8 03 42 80 3c 20 00 74 0e 4c 89 ff 89 4d d4 e8 bc 03 71 ff 8b 4d d4 45 89 ed 49 c1 e5 03 4d 03 2f d3 eb 4c 89 e8 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 ef e8 97 03 71 ff 4d 8b 7d 00 31 ff 4c
RSP: 0018:ffff8881f0b0fa80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000ffff8881
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881eec70040
RBP: ffff8881f0b0fab0 R08: 0000000000000004 R09: 0000000000000003
R10: ffffed103e161f60 R11: 1ffff1103e161f60 R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000077969800 R15: ffff8881eec70040
FS: 0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d7a7ad6038 CR3: 0000000005c0e000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rht_bucket include/linux/rhashtable.h:290 [inline]
__rhashtable_walk_find_next+0x33d/0x6b0 lib/rhashtable.c:794
rhashtable_walk_next+0x221/0x2e0 lib/rhashtable.c:878
tipc_sk_reinit+0x128/0x520 net/tipc/socket.c:2825
tipc_net_finalize+0xd5/0x130 net/tipc/net.c:133
tipc_net_finalize_work+0x4f/0x70 net/tipc/net.c:144
process_one_work+0x73b/0xcc0 kernel/workqueue.c:2290
worker_thread+0xa5c/0x13b0 kernel/workqueue.c:2436
kthread+0x31e/0x3a0 kernel/kthread.c:288
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Modules linked in:
---[ end trace be337ae9b5624f74 ]---
----------------
Code disassembly (best guess):
0: e8 03 42 80 3c call 0x3c804208
5: 20 00 and %al,(%rax)
7: 74 0e je 0x17
9: 4c 89 ff mov %r15,%rdi
c: 89 4d d4 mov %ecx,-0x2c(%rbp)
f: e8 bc 03 71 ff call 0xff7103d0
14: 8b 4d d4 mov -0x2c(%rbp),%ecx
17: 45 89 ed mov %r13d,%r13d
1a: 49 c1 e5 03 shl $0x3,%r13
1e: 4d 03 2f add (%r15),%r13
21: d3 eb shr %cl,%ebx
23: 4c 89 e8 mov %r13,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 ef mov %r13,%rdi
34: e8 97 03 71 ff call 0xff7103d0
39: 4d 8b 7d 00 mov 0x0(%r13),%r15
3d: 31 ff xor %edi,%edi
3f: 4c rex.WR