executing program
[ 42.388172][ T136] ------------[ cut here ]------------
[ 42.389516][ T136] refcount_t: addition on 0; use-after-free.
[ 42.391138][ T136] WARNING: CPU: 0 PID: 136 at lib/refcount.c:25 refcount_warn_saturate+0x1a8/0x20c
[ 42.393294][ T136] Modules linked in:
[ 42.394223][ T136] CPU: 0 PID: 136 Comm: kworker/u4:1 Not tainted 5.15.102-syzkaller #0
[ 42.396128][ T136] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 42.398408][ T136] Workqueue: qrtr_ns_handler qrtr_ns_worker
[ 42.399784][ T136] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 42.401616][ T136] pc : refcount_warn_saturate+0x1a8/0x20c
[ 42.402892][ T136] lr : refcount_warn_saturate+0x1a8/0x20c
[ 42.404143][ T136] sp : ffff800018e66e40
[ 42.405145][ T136] x29: ffff800018e66e40 x28: dfff800000000000 x27: ffff7000031ccddc
[ 42.407051][ T136] x26: ffff800018e66f00 x25: 0000000000000000 x24: 00000000003a6056
[ 42.408888][ T136] x23: ffff0000cc2ff670 x22: 0000000000000000 x21: 0000000000000002
[ 42.410740][ T136] x20: ffff0000ce43e098 x19: ffff800016dd0000 x18: 0000000000000002
[ 42.412540][ T136] x17: ff808000083386a0 x16: ffff800011a080c4 x15: ffff8000083386a0
[ 42.414441][ T136] x14: 00000000ffffffff x13: ffffffffffffffff x12: 0000000000000000
[ 42.416317][ T136] x11: ff80800008330148 x10: 0000000000000000 x9 : 88691575a4efc200
[ 42.418118][ T136] x8 : 88691575a4efc200 x7 : 0000000000000001 x6 : 0000000000000001
[ 42.419895][ T136] x5 : ffff800018e665b8 x4 : ffff800014aa0700 x3 : ffff8000085518f8
[ 42.421769][ T136] x2 : 0000000000000001 x1 : 0000000100000001 x0 : 000000000000002a
[ 42.423559][ T136] Call trace:
[ 42.424321][ T136]  refcount_warn_saturate+0x1a8/0x20c
[ 42.425550][ T136]  qrtr_node_lookup+0xe0/0x110
[ 42.426621][ T136]  qrtr_recvmsg+0x3e0/0x958
[ 42.427694][ T136]  kernel_recvmsg+0x128/0x154
[ 42.428740][ T136]  qrtr_ns_worker+0x25c/0x4fb8
[ 42.429956][ T136]  process_one_work+0x84c/0x14b8
[ 42.431130][ T136]  worker_thread+0x910/0x1034
[ 42.432233][ T136]  kthread+0x37c/0x45c
[ 42.433210][ T136]  ret_from_fork+0x10/0x20
[ 42.434224][ T136] irq event stamp: 142944
[ 42.435189][ T136] hardirqs last enabled at (142943): [] _raw_spin_unlock_irqrestore+0xac/0x158
[ 42.437621][ T136] hardirqs last disabled at (142944): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 42.439898][ T136] softirqs last enabled at (142940): [] lock_sock_nested+0x160/0x1ec
[ 42.442226][ T136] softirqs last disabled at (142938): [] lock_sock_nested+0x108/0x1ec
[ 42.444390][ T136] ---[ end trace c5272773e48d5854 ]---
executing program
[ 48.176371][ T148] ==================================================================
[ 48.178322][ T148] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xec/0x6d4
[ 48.180284][ T148] Read of size 8 at addr ffff0000d19af800 by task kworker/u4:2/148
[ 48.182156][ T148]
[ 48.182757][ T148] CPU: 0 PID: 148 Comm: kworker/u4:2 Tainted: G W 5.15.102-syzkaller #0
[ 48.185163][ T148] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 48.187655][ T148] Workqueue: qrtr_ns_handler qrtr_ns_worker
[ 48.189107][ T148] Call trace:
[ 48.189843][ T148]  dump_backtrace+0x0/0x530
[ 48.190962][ T148]  show_stack+0x2c/0x3c
[ 48.191952][ T148]  dump_stack_lvl+0x108/0x170
[ 48.193074][ T148]  print_address_description+0x7c/0x3f0
[ 48.194458][ T148]  kasan_report+0x174/0x1e4
[ 48.195488][ T148]  kasan_check_range+0x274/0x2b4
[ 48.196705][ T148]  __kasan_check_read+0x44/0x54
[ 48.197915][ T148]  __mutex_unlock_slowpath+0xec/0x6d4
[ 48.199237][ T148]  mutex_unlock+0x8c/0xe0
[ 48.200366][ T148]  qrtr_node_enqueue+0x388/0x9cc
[ 48.201603][ T148]  qrtr_recvmsg+0x514/0x958
[ 48.202671][ T148]  kernel_recvmsg+0x128/0x154
[ 48.203806][ T148]  qrtr_ns_worker+0x25c/0x4fb8
[ 48.205016][ T148]  process_one_work+0x84c/0x14b8
[ 48.206174][ T148]  worker_thread+0x910/0x1034
[ 48.207303][ T148]  kthread+0x37c/0x45c
[ 48.208312][ T148]  ret_from_fork+0x10/0x20
[ 48.209475][ T148]
[ 48.210098][ T148] Allocated by task 4117:
[ 48.211189][ T148]  ____kasan_kmalloc+0xbc/0xfc
[ 48.212393][ T148]  __kasan_kmalloc+0x10/0x1c
[ 48.213625][ T148]  kmem_cache_alloc_trace+0x248/0x3b4
[ 48.215012][ T148]  qrtr_endpoint_register+0x8c/0x3f4
[ 48.216286][ T148]  qrtr_tun_open+0x130/0x1ac
[ 48.217393][ T148]  misc_open+0x2f0/0x368
[ 48.218460][ T148]  chrdev_open+0x3e8/0x4fc
[ 48.219627][ T148]  do_dentry_open+0x780/0xed8
[ 48.220802][ T148]  vfs_open+0x7c/0x90
[ 48.221751][ T148]  path_openat+0x1f04/0x26cc
[ 48.222885][ T148]  do_filp_open+0x1a8/0x3b4
[ 48.223940][ T148]  do_sys_openat2+0x128/0x3d8
[ 48.225106][ T148]  __arm64_sys_openat+0x1f0/0x240
[ 48.226292][ T148]  invoke_syscall+0x98/0x2b8
[ 48.227439][ T148]  el0_svc_common+0x138/0x258
[ 48.228559][ T148]  do_el0_svc+0x58/0x14c
[ 48.229589][ T148]  el0_svc+0x7c/0x1f0
[ 48.230573][ T148]  el0t_64_sync_handler+0x84/0xe4
[ 48.231818][ T148]  el0t_64_sync+0x1a0/0x1a4
[ 48.232919][ T148]
[ 48.233517][ T148] Freed by task 4117:
[ 48.234437][ T148]  kasan_set_track+0x4c/0x84
[ 48.235573][ T148]  kasan_set_free_info+0x28/0x4c
[ 48.236786][ T148]  ____kasan_slab_free+0x118/0x164
[ 48.238012][ T148]  __kasan_slab_free+0x18/0x28
[ 48.239162][ T148]  slab_free_freelist_hook+0x128/0x1ec
[ 48.240496][ T148]  kfree+0x1b0/0x480
[ 48.241477][ T148]  qrtr_node_release+0x444/0x498
[ 48.242679][ T148]  qrtr_endpoint_unregister+0x59c/0x6cc
[ 48.244053][ T148]  qrtr_tun_release+0x44/0x68
[ 48.245229][ T148]  __fput+0x30c/0x7f0
[ 48.246273][ T148]  ____fput+0x20/0x30
[ 48.247196][ T148]  task_work_run+0x130/0x1e4
[ 48.248349][ T148]  do_notify_resume+0x262c/0x32b8
[ 48.249549][ T148]  el0_svc+0xfc/0x1f0
[ 48.250592][ T148]  el0t_64_sync_handler+0x84/0xe4
[ 48.251815][ T148]  el0t_64_sync+0x1a0/0x1a4
[ 48.252933][ T148]
[ 48.253505][ T148] The buggy address belongs to the object at ffff0000d19af800
[ 48.253505][ T148]  which belongs to the cache kmalloc-512 of size 512
[ 48.256923][ T148] The buggy address is located 0 bytes inside of
[ 48.256923][ T148]  512-byte region [ffff0000d19af800, ffff0000d19afa00)
[ 48.260147][ T148] The buggy address belongs to the page:
[ 48.261429][ T148] page:000000004a61df14 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1119ac
[ 48.263724][ T148] head:000000004a61df14 order:2 compound_mapcount:0 compound_pincount:0
[ 48.265733][ T148] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 48.267589][ T148] raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002600
[ 48.269539][ T148] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 48.271602][ T148] page dumped because: kasan: bad access detected
[ 48.273001][ T148]
[ 48.273508][ T148] Memory state around the buggy address:
[ 48.274772][ T148]  ffff0000d19af700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.276701][ T148]  ffff0000d19af780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.278553][ T148] >ffff0000d19af800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.280424][ T148]                    ^
[ 48.281375][ T148]  ffff0000d19af880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.283428][ T148]  ffff0000d19af900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.285252][ T148] ==================================================================
[ 48.287148][ T148] Disabling lock debugging due to kernel taint
executing program