Warning: Permanently added '10.128.1.26' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
[ 29.164785] ==================================================================
[ 29.172282] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 29.178921] Read of size 8 at addr ffff8880a1d03820 by task kworker/u4:2/27
[ 29.185984]
[ 29.187592] CPU: 1 PID: 27 Comm: kworker/u4:2 Not tainted 4.14.302-syzkaller #0
[ 29.195004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 29.204423] Workqueue: tipc_rcv tipc_recv_work
[ 29.208972] Call Trace:
[ 29.211535]  dump_stack+0x1b2/0x281
[ 29.215136]  print_address_description.cold+0x54/0x1d3
[ 29.220394]  kasan_report_error.cold+0x8a/0x191
[ 29.225042]  ? __lock_acquire+0x2c57/0x3f20
[ 29.229334]  __asan_report_load8_noabort+0x68/0x70
[ 29.234233]  ? tipc_subscrb_rcv_cb+0x2f0/0xa40
[ 29.238896]  ? __lock_acquire+0x2c57/0x3f20
[ 29.243332]  __lock_acquire+0x2c57/0x3f20
[ 29.247474]  ? io_schedule_timeout+0x140/0x140
[ 29.252035]  ? __wake_up_common_lock+0xcd/0x140
[ 29.256691]  ? trace_hardirqs_on+0x10/0x10
[ 29.260897]  ? trace_hardirqs_on+0x10/0x10
[ 29.265104]  ? preempt_schedule_common+0x45/0xc0
[ 29.269829]  ? ___preempt_schedule+0x16/0x18
[ 29.274209]  ? tipc_recvmsg+0x43e/0x9e0
[ 29.278156]  ? __local_bh_enable_ip+0x132/0x170
[ 29.282827]  lock_acquire+0x170/0x3f0
[ 29.286601]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 29.291155]  _raw_spin_lock_bh+0x2f/0x40
[ 29.295277]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 29.299933]  tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 29.304315]  tipc_receive_from_sock+0x25c/0x450
[ 29.308960]  ? trace_hardirqs_on+0x10/0x10
[ 29.313163]  ? lock_acquire+0x170/0x3f0
[ 29.317368]  ? tipc_close_conn+0x200/0x200
[ 29.321580]  tipc_recv_work+0x75/0xd0
[ 29.325354]  process_one_work+0x793/0x14a0
[ 29.329684]  ? work_busy+0x320/0x320
[ 29.333373]  ? worker_thread+0x158/0xff0
[ 29.337416]  ? _raw_spin_unlock_irq+0x24/0x80
[ 29.341892]  worker_thread+0x5cc/0xff0
[ 29.345780]  ? rescuer_thread+0xc80/0xc80
[ 29.350129]  kthread+0x30d/0x420
[ 29.353475]  ? kthread_create_on_node+0xd0/0xd0
[ 29.358129]  ret_from_fork+0x24/0x30
[ 29.361839]
[ 29.363462] Allocated by task 27:
[ 29.366890]  kasan_kmalloc+0xeb/0x160
[ 29.370666]  kmem_cache_alloc_trace+0x131/0x3d0
[ 29.375306]  tipc_subscrb_connect_cb+0x40/0x150
[ 29.380117]  tipc_accept_from_sock+0x25b/0x400
[ 29.384674]  tipc_recv_work+0x75/0xd0
[ 29.388465]  process_one_work+0x793/0x14a0
[ 29.392676]  worker_thread+0x5cc/0xff0
[ 29.396534]  kthread+0x30d/0x420
[ 29.399877]  ret_from_fork+0x24/0x30
[ 29.403563]
[ 29.405164] Freed by task 5:
[ 29.408158]  kasan_slab_free+0xc3/0x1a0
[ 29.412108]  kfree+0xc9/0x250
[ 29.415185]  tipc_subscrb_put+0x22/0x30
[ 29.419129]  tipc_close_conn+0x16a/0x200
[ 29.423160]  tipc_send_work+0x41e/0x520
[ 29.427107]  process_one_work+0x793/0x14a0
[ 29.431312]  worker_thread+0x5cc/0xff0
[ 29.435173]  kthread+0x30d/0x420
[ 29.438513]  ret_from_fork+0x24/0x30
[ 29.442195]
[ 29.443796] The buggy address belongs to the object at ffff8880a1d03800
[ 29.443796]  which belongs to the cache kmalloc-96 of size 96
[ 29.456421] The buggy address is located 32 bytes inside of
[ 29.456421]  96-byte region [ffff8880a1d03800, ffff8880a1d03860)
[ 29.468087] The buggy address belongs to the page:
[ 29.472988] page:ffffea00028740c0 count:1 mapcount:0 mapping:ffff8880a1d03000 index:0xffff8880a1d03980
[ 29.482486] flags: 0xfff00000000100(slab)
[ 29.486604] raw: 00fff00000000100 ffff8880a1d03000 ffff8880a1d03980 0000000100000004
[ 29.494453] raw: ffffea0002a97a60 ffffea0002875320 ffff88813fe744c0 0000000000000000
[ 29.502299] page dumped because: kasan: bad access detected
[ 29.507984]
[ 29.509579] Memory state around the buggy address:
[ 29.514482]  ffff8880a1d03700: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 29.521815]  ffff8880a1d03780: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 29.529142] >ffff8880a1d03800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 29.536467]                                ^
[ 29.540860]  ffff8880a1d03880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 29.548186]  ffff8880a1d03900: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 29.555513] ==================================================================
[ 29.562840] Disabling lock debugging due to kernel taint
[ 29.568344] Kernel panic - not syncing: panic_on_warn set ...
[ 29.568344]
[ 29.575674] CPU: 1 PID: 27 Comm: kworker/u4:2 Tainted: G    B   4.14.302-syzkaller #0
[ 29.584304] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 29.593637] Workqueue: tipc_rcv tipc_recv_work
[ 29.598187] Call Trace:
[ 29.600751]  dump_stack+0x1b2/0x281
[ 29.605566]  panic+0x1f9/0x42d
[ 29.608731]  ? add_taint.cold+0x16/0x16
[ 29.612685]  ? lock_downgrade+0x740/0x740
[ 29.616803]  kasan_end_report+0x43/0x49
[ 29.620748]  kasan_report_error.cold+0xa7/0x191
[ 29.625430]  ? __lock_acquire+0x2c57/0x3f20
[ 29.629724]  __asan_report_load8_noabort+0x68/0x70
[ 29.634624]  ? tipc_subscrb_rcv_cb+0x2f0/0xa40
[ 29.639264]  ? __lock_acquire+0x2c57/0x3f20
[ 29.643557]  __lock_acquire+0x2c57/0x3f20
[ 29.647679]  ? io_schedule_timeout+0x140/0x140
[ 29.652234]  ? __wake_up_common_lock+0xcd/0x140
[ 29.656877]  ? trace_hardirqs_on+0x10/0x10
[ 29.661085]  ? trace_hardirqs_on+0x10/0x10
[ 29.665385]  ? preempt_schedule_common+0x45/0xc0
[ 29.670114]  ? ___preempt_schedule+0x16/0x18
[ 29.674498]  ? tipc_recvmsg+0x43e/0x9e0
[ 29.678450]  ? __local_bh_enable_ip+0x132/0x170
[ 29.683108]  lock_acquire+0x170/0x3f0
[ 29.686880]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 29.691431]  _raw_spin_lock_bh+0x2f/0x40
[ 29.695461]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 29.700013]  tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 29.704423]  tipc_receive_from_sock+0x25c/0x450
[ 29.709062]  ? trace_hardirqs_on+0x10/0x10
[ 29.713274]  ? lock_acquire+0x170/0x3f0
[ 29.717219]  ? tipc_close_conn+0x200/0x200
[ 29.721425]  tipc_recv_work+0x75/0xd0
[ 29.725197]  process_one_work+0x793/0x14a0
[ 29.729403]  ? work_busy+0x320/0x320
[ 29.733088]  ? worker_thread+0x158/0xff0
[ 29.737119]  ? _raw_spin_unlock_irq+0x24/0x80
[ 29.741600]  worker_thread+0x5cc/0xff0
[ 29.745595]  ? rescuer_thread+0xc80/0xc80
[ 29.749723]  kthread+0x30d/0x420
[ 29.753153]  ? kthread_create_on_node+0xd0/0xd0
[ 29.757795]  ret_from_fork+0x24/0x30
[ 29.761564] Kernel Offset: disabled
[ 29.765168] Rebooting in 86400 seconds..