Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 44.448177][ T9] ------------[ cut here ]------------
[ 44.449791][ T9] refcount_t: addition on 0; use-after-free.
[ 44.451570][ T9] WARNING: CPU: 1 PID: 9 at lib/refcount.c:25 refcount_warn_saturate+0x1a8/0x20c
[ 44.453920][ T9] Modules linked in:
[ 44.454912][ T9] CPU: 1 PID: 9 Comm: kworker/u4:0 Not tainted 6.3.0-rc1-syzkaller-gfe15c26ee26e #0
[ 44.457271][ T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 44.459832][ T9] Workqueue: qrtr_ns_handler qrtr_ns_worker
[ 44.461330][ T9] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 44.463354][ T9] pc : refcount_warn_saturate+0x1a8/0x20c
[ 44.464835][ T9] lr : refcount_warn_saturate+0x1a8/0x20c
[ 44.466278][ T9] sp : ffff80001a3a6da0
[ 44.467309][ T9] x29: ffff80001a3a6da0 x28: dfff800000000000 x27: ffff700003474dc8
[ 44.469333][ T9] x26: ffff80001a3a6e60 x25: 0000000000000000 x24: 00000000003a6056
[ 44.471336][ T9] x23: ffff0000d22173f0 x22: 0000000000000000 x21: 0000000000000002
[ 44.473400][ T9] x20: ffff0000d751c098 x19: ffff8000186ee000 x18: ffff80001a3a62a0
[ 44.475450][ T9] x17: 0000000000000000 x16: ffff80001246250c x15: 0000000000000000
[ 44.477495][ T9] x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001
[ 44.479500][ T9] x11: ff808000081bd230 x10: 0000000000000000 x9 : 04bb8433d1680a00
[ 44.481523][ T9] x8 : 04bb8433d1680a00 x7 : 0000000000000001 x6 : 0000000000000001
[ 44.483548][ T9] x5 : ffff80001a3a6698 x4 : ffff800015dc52c0 x3 : ffff80000859c514
[ 44.485560][ T9] x2 : 0000000000000001 x1 : 0000000100000001 x0 : 0000000000000000
[ 44.487630][ T9] Call trace:
[ 44.488463][ T9] refcount_warn_saturate+0x1a8/0x20c
[ 44.489889][ T9] qrtr_node_lookup+0xdc/0x100
[ 44.491160][ T9] qrtr_recvmsg+0x3dc/0x954
[ 44.492306][ T9] kernel_recvmsg+0x124/0x18c
[ 44.493471][ T9] qrtr_ns_worker+0x294/0x513c
[ 44.494699][ T9] process_one_work+0x868/0x16f4
[ 44.495949][ T9] worker_thread+0x8e0/0xfe8
[ 44.497087][ T9] kthread+0x24c/0x2d4
[ 44.498113][ T9] ret_from_fork+0x10/0x20
[ 44.499229][ T9] irq event stamp: 766220
[ 44.500305][ T9] hardirqs last enabled at (766219): [] _raw_spin_unlock_irqrestore+0x44/0xa4
[ 44.502978][ T9] hardirqs last disabled at (766220): [] _raw_spin_lock_irqsave+0x2c/0x88
[ 44.505558][ T9] softirqs last enabled at (766216): [] lock_sock_nested+0xe8/0x138
[ 44.507978][ T9] softirqs last disabled at (766214): [] lock_sock_nested+0x90/0x138
[ 44.510421][ T9] ---[ end trace 0000000000000000 ]---
executing program
[ 47.308644][ T11] ==================================================================
[ 47.310875][ T11] BUG: KASAN: slab-use-after-free in __mutex_unlock_slowpath+0xec/0x6cc
[ 47.312998][ T11] Read of size 8 at addr ffff0000d1c79800 by task kworker/u4:1/11
[ 47.315108][ T11]
[ 47.315697][ T11] CPU: 1 PID: 11 Comm: kworker/u4:1 Tainted: G W 6.3.0-rc1-syzkaller-gfe15c26ee26e #0
[ 47.318532][ T11] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 47.321177][ T11] Workqueue: qrtr_ns_handler qrtr_ns_worker
[ 47.322722][ T11] Call trace:
[ 47.323582][ T11] dump_backtrace+0x1c8/0x1f4
[ 47.324819][ T11] show_stack+0x2c/0x3c
[ 47.325931][ T11] dump_stack_lvl+0xd0/0x124
[ 47.327086][ T11] print_report+0x174/0x514
[ 47.328271][ T11] kasan_report+0xd4/0x130
[ 47.329490][ T11] kasan_check_range+0x264/0x2a4
[ 47.330854][ T11] __kasan_check_read+0x2c/0x3c
[ 47.332185][ T11] __mutex_unlock_slowpath+0xec/0x6cc
[ 47.333641][ T11] mutex_unlock+0x24/0x30
[ 47.334785][ T11] qrtr_node_enqueue+0x388/0x9cc
[ 47.336096][ T11] qrtr_recvmsg+0x510/0x954
[ 47.337199][ T11] kernel_recvmsg+0x124/0x18c
[ 47.338485][ T11] qrtr_ns_worker+0x294/0x513c
[ 47.339767][ T11] process_one_work+0x868/0x16f4
[ 47.341054][ T11] worker_thread+0x8e0/0xfe8
[ 47.342239][ T11] kthread+0x24c/0x2d4
[ 47.343314][ T11] ret_from_fork+0x10/0x20
[ 47.344504][ T11]
[ 47.345102][ T11] Allocated by task 6023:
[ 47.346222][ T11] kasan_set_track+0x4c/0x7c
[ 47.347512][ T11] kasan_save_alloc_info+0x24/0x30
[ 47.348800][ T11] __kasan_kmalloc+0xac/0xc4
[ 47.350014][ T11] kmalloc_trace+0x7c/0x94
[ 47.351163][ T11] qrtr_endpoint_register+0x8c/0x3f4
[ 47.352561][ T11] qrtr_tun_open+0x130/0x1ac
[ 47.353728][ T11] misc_open+0x2f0/0x368
[ 47.354819][ T11] chrdev_open+0x3e8/0x4fc
[ 47.355988][ T11] do_dentry_open+0x734/0xfa0
[ 47.357247][ T11] vfs_open+0x7c/0x90
[ 47.358344][ T11] path_openat+0x1f2c/0x2810
[ 47.359607][ T11] do_filp_open+0x1bc/0x3cc
[ 47.360749][ T11] do_sys_openat2+0x128/0x3d8
[ 47.361966][ T11] __arm64_sys_openat+0x1f0/0x240
[ 47.363273][ T11] invoke_syscall+0x98/0x2c0
[ 47.364446][ T11] el0_svc_common+0x138/0x258
[ 47.365685][ T11] do_el0_svc+0x64/0x198
[ 47.366809][ T11] el0_svc+0x58/0x168
[ 47.367885][ T11] el0t_64_sync_handler+0x84/0xf0
[ 47.369179][ T11] el0t_64_sync+0x190/0x194
[ 47.370311][ T11]
[ 47.370930][ T11] Freed by task 6023:
[ 47.371965][ T11] kasan_set_track+0x4c/0x7c
[ 47.373178][ T11] kasan_save_free_info+0x38/0x5c
[ 47.374449][ T11] ____kasan_slab_free+0x144/0x1c0
[ 47.375810][ T11] __kasan_slab_free+0x18/0x28
[ 47.377113][ T11] __kmem_cache_free+0x2c0/0x4b4
[ 47.378528][ T11] kfree+0x104/0x228
[ 47.379550][ T11] qrtr_node_release+0x444/0x498
[ 47.380828][ T11] qrtr_endpoint_unregister+0x59c/0x6cc
[ 47.382321][ T11] qrtr_tun_release+0x44/0x68
[ 47.383576][ T11] __fput+0x30c/0x7bc
[ 47.384573][ T11] ____fput+0x20/0x30
[ 47.385631][ T11] task_work_run+0x240/0x2f0
[ 47.386863][ T11] do_notify_resume+0x2180/0x3c90
[ 47.388223][ T11] el0_svc+0x9c/0x168
[ 47.389292][ T11] el0t_64_sync_handler+0x84/0xf0
[ 47.390654][ T11] el0t_64_sync+0x190/0x194
[ 47.391876][ T11]
[ 47.392501][ T11] The buggy address belongs to the object at ffff0000d1c79800
[ 47.392501][ T11]  which belongs to the cache kmalloc-512 of size 512
[ 47.396210][ T11] The buggy address is located 0 bytes inside of
[ 47.396210][ T11]  freed 512-byte region [ffff0000d1c79800, ffff0000d1c79a00)
[ 47.399855][ T11]
[ 47.400502][ T11] The buggy address belongs to the physical page:
[ 47.402121][ T11] page:00000000bb218065 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111c78
[ 47.404802][ T11] head:00000000bb218065 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 47.407075][ T11] anon flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 47.409329][ T11] raw: 05ffc00000010200 ffff0000c0002600 0000000000000000 dead000000000001
[ 47.411580][ T11] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 47.413846][ T11] page dumped because: kasan: bad access detected
[ 47.415536][ T11]
[ 47.416119][ T11] Memory state around the buggy address:
[ 47.417543][ T11]  ffff0000d1c79700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.419665][ T11]  ffff0000d1c79780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.421771][ T11] >ffff0000d1c79800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.423846][ T11]                    ^
[ 47.424952][ T11]  ffff0000d1c79880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.427131][ T11]  ffff0000d1c79900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.429174][ T11] ==================================================================
[ 47.431989][ T11] Disabling lock debugging due to kernel taint
executing program