Warning: Permanently added '10.128.0.173' (ECDSA) to the list of known hosts.
executing program
[   47.825316][ T1596] ------------[ cut here ]------------
[   47.826983][ T1596] refcount_t: addition on 0; use-after-free.
[   47.828811][ T1596] WARNING: CPU: 0 PID: 1596 at lib/refcount.c:25 refcount_warn_saturate+0x1a8/0x20c
[   47.831243][ T1596] Modules linked in:
[   47.832249][ T1596] CPU: 0 PID: 1596 Comm: kworker/u4:4 Not tainted 6.1.19-syzkaller #0
[   47.834338][ T1596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[   47.836861][ T1596] Workqueue: qrtr_ns_handler qrtr_ns_worker
[   47.838380][ T1596] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   47.840373][ T1596] pc : refcount_warn_saturate+0x1a8/0x20c
[   47.841861][ T1596] lr : refcount_warn_saturate+0x1a8/0x20c
[   47.843401][ T1596] sp : ffff800022036da0
[   47.844485][ T1596] x29: ffff800022036da0 x28: dfff800000000000 x27: ffff700004406dc8
[   47.846538][ T1596] x26: ffff800022036e60 x25: 0000000000000000 x24: 00000000003a6056
[   47.848604][ T1596] x23: ffff0000c26c58f0 x22: 0000000000000000 x21: 0000000000000002
[   47.850629][ T1596] x20: ffff0000db455498 x19: ffff800018053000 x18: ffff8000220361a0
[   47.852785][ T1596] x17: 0000000000000000 x16: ffff800012253e1c x15: 0000000000000000
[   47.854831][ T1596] x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001
[   47.856927][ T1596] x11: ff808000081b28cc x10: 0000000000000000 x9 : b18c0c206b39e600
[   47.858983][ T1596] x8 : b18c0c206b39e600 x7 : 0000000000000001 x6 : 0000000000000001
[   47.861060][ T1596] x5 : ffff800022036698 x4 : ffff800015813880 x3 : ffff800008590318
[   47.863182][ T1596] x2 : 0000000000000001 x1 : 0000000100000001 x0 : 0000000000000000
[   47.865286][ T1596] Call trace:
[   47.866151][ T1596]  refcount_warn_saturate+0x1a8/0x20c
[   47.867570][ T1596]  qrtr_node_lookup+0xdc/0x100
[   47.868752][ T1596]  qrtr_recvmsg+0x3dc/0x954
[   47.869966][ T1596]  kernel_recvmsg+0x128/0x154
[   47.871204][ T1596]  qrtr_ns_worker+0x294/0x513c
[   47.872463][ T1596]  process_one_work+0x868/0x16f4
[   47.873788][ T1596]  worker_thread+0x8e4/0xfec
[   47.874962][ T1596]  kthread+0x24c/0x2d4
[   47.876015][ T1596]  ret_from_fork+0x10/0x20
[   47.877101][ T1596] irq event stamp: 33478
[   47.878180][ T1596] hardirqs last  enabled at (33477): [] _raw_spin_unlock_irqrestore+0x48/0xac
[   47.880799][ T1596] hardirqs last disabled at (33478): [] _raw_spin_lock_irqsave+0xa4/0xb4
[   47.883323][ T1596] softirqs last  enabled at (33474): [] lock_sock_nested+0xe8/0x138
[   47.885783][ T1596] softirqs last disabled at (33472): [] lock_sock_nested+0x90/0x138
[   47.888185][ T1596] ---[ end trace 0000000000000000 ]---
[   47.891073][ T1596] ==================================================================
[   47.893027][ T1596] BUG: KASAN: use-after-free in __mutex_lock_common+0x100/0x21a0
[   47.894976][ T1596] Read of size 8 at addr ffff0000db455460 by task kworker/u4:4/1596
[   47.897003][ T1596]
[   47.897617][ T1596] CPU: 0 PID: 1596 Comm: kworker/u4:4 Tainted: G        W          6.1.19-syzkaller #0
[   47.900094][ T1596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[   47.902634][ T1596] Workqueue: qrtr_ns_handler qrtr_ns_worker
[   47.904100][ T1596] Call trace:
[   47.904967][ T1596]  dump_backtrace+0x1c8/0x1f4
[   47.906187][ T1596]  show_stack+0x2c/0x3c
[   47.907212][ T1596]  dump_stack_lvl+0x108/0x170
[   47.908372][ T1596]  print_report+0x174/0x4c0
[   47.909497][ T1596]  kasan_report+0xd4/0x130
[   47.910588][ T1596]  __asan_report_load8_noabort+0x2c/0x38
[   47.912015][ T1596]  __mutex_lock_common+0x100/0x21a0
[   47.913305][ T1596]  mutex_lock_nested+0x38/0x44
[   47.914497][ T1596]  qrtr_node_enqueue+0x31c/0x9cc
[   47.915729][ T1596]  qrtr_recvmsg+0x510/0x954
[   47.916840][ T1596]  kernel_recvmsg+0x128/0x154
[   47.918063][ T1596]  qrtr_ns_worker+0x294/0x513c
[   47.919262][ T1596]  process_one_work+0x868/0x16f4
[   47.920460][ T1596]  worker_thread+0x8e4/0xfec
[   47.921608][ T1596]  kthread+0x24c/0x2d4
[   47.922609][ T1596]  ret_from_fork+0x10/0x20
[   47.923711][ T1596]
[   47.924291][ T1596] Allocated by task 4401:
[   47.925395][ T1596]  kasan_set_track+0x4c/0x80
[   47.926537][ T1596]  kasan_save_alloc_info+0x24/0x30
[   47.927857][ T1596]  __kasan_kmalloc+0xac/0xc4
[   47.929030][ T1596]  kmalloc_trace+0x7c/0x94
[   47.930141][ T1596]  qrtr_endpoint_register+0x8c/0x3f4
[   47.931489][ T1596]  qrtr_tun_open+0x130/0x1ac
[   47.932719][ T1596]  misc_open+0x2f0/0x368
[   47.933898][ T1596]  chrdev_open+0x3e8/0x4fc
[   47.935060][ T1596]  do_dentry_open+0x734/0xfa0
[   47.936247][ T1596]  vfs_open+0x7c/0x90
[   47.937266][ T1596]  path_openat+0x1e14/0x2548
[   47.938453][ T1596]  do_filp_open+0x1bc/0x3cc
[   47.939597][ T1596]  do_sys_openat2+0x128/0x3d8
[   47.940793][ T1596]  __arm64_sys_openat+0x1f0/0x240
[   47.942103][ T1596]  invoke_syscall+0x98/0x2c0
[   47.943283][ T1596]  el0_svc_common+0x138/0x258
[   47.944472][ T1596]  do_el0_svc+0x64/0x218
[   47.945660][ T1596]  el0_svc+0x58/0x168
[   47.946661][ T1596]  el0t_64_sync_handler+0x84/0xf0
[   47.947926][ T1596]  el0t_64_sync+0x18c/0x190
[   47.949051][ T1596]
[   47.949672][ T1596] Freed by task 4401:
[   47.950660][ T1596]  kasan_set_track+0x4c/0x80
[   47.951797][ T1596]  kasan_save_free_info+0x38/0x5c
[   47.953140][ T1596]  ____kasan_slab_free+0x144/0x1c0
[   47.954341][ T1596]  __kasan_slab_free+0x18/0x28
[   47.955591][ T1596]  __kmem_cache_free+0x2c0/0x4b4
[   47.956900][ T1596]  kfree+0x104/0x228
[   47.957888][ T1596]  qrtr_node_release+0x444/0x498
[   47.959144][ T1596]  qrtr_endpoint_unregister+0x59c/0x6cc
[   47.960521][ T1596]  qrtr_tun_release+0x44/0x68
[   47.961725][ T1596]  __fput+0x30c/0x7bc
[   47.962740][ T1596]  ____fput+0x20/0x30
[   47.963714][ T1596]  task_work_run+0x240/0x2f0
[   47.964941][ T1596]  do_notify_resume+0x2144/0x3470
[   47.966217][ T1596]  el0_svc+0x9c/0x168
[   47.967196][ T1596]  el0t_64_sync_handler+0x84/0xf0
[   47.968389][ T1596]  el0t_64_sync+0x18c/0x190
[   47.969576][ T1596]
[   47.970159][ T1596] The buggy address belongs to the object at ffff0000db455400
[   47.970159][ T1596]  which belongs to the cache kmalloc-512 of size 512
[   47.973758][ T1596] The buggy address is located 96 bytes inside of
[   47.973758][ T1596]  512-byte region [ffff0000db455400, ffff0000db455600)
[   47.977064][ T1596]
[   47.977647][ T1596] The buggy address belongs to the physical page:
[   47.979225][ T1596] page:000000003cdd2af7 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11b454
[   47.981799][ T1596] head:000000003cdd2af7 order:2 compound_mapcount:0 compound_pincount:0
[   47.983928][ T1596] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[   47.985916][ T1596] raw: 05ffc00000010200 0000000000000000 dead000000000001 ffff0000c0002600
[   47.988051][ T1596] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   47.990200][ T1596] page dumped because: kasan: bad access detected
[   47.991842][ T1596]
[   47.992406][ T1596] Memory state around the buggy address:
[   47.993790][ T1596]  ffff0000db455300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.995802][ T1596]  ffff0000db455380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.997857][ T1596] >ffff0000db455400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.999862][ T1596]                                                        ^
[   48.001670][ T1596]  ffff0000db455480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.003764][ T1596]  ffff0000db455500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.005763][ T1596] ==================================================================
[   48.007984][ T1596] Disabling lock debugging due to kernel taint