Warning: Permanently added '10.128.0.156' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
[ 35.030970] ==================================================================
[ 35.038393] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 35.045063] Read of size 8 at addr ffff8880ab697420 by task kworker/u4:1/22
[ 35.052318]
[ 35.053936] CPU: 1 PID: 22 Comm: kworker/u4:1 Not tainted 4.14.302-syzkaller #0
[ 35.061769] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 35.071121] Workqueue: tipc_rcv tipc_recv_work
[ 35.075753] Call Trace:
[ 35.078347]  dump_stack+0x1b2/0x281
[ 35.081984]  print_address_description.cold+0x54/0x1d3
[ 35.087381]  kasan_report_error.cold+0x8a/0x191
[ 35.092040]  ? __lock_acquire+0x2c57/0x3f20
[ 35.096364]  __asan_report_load8_noabort+0x68/0x70
[ 35.101291]  ? tipc_subscrb_rcv_cb+0x2f0/0xa40
[ 35.105870]  ? __lock_acquire+0x2c57/0x3f20
[ 35.110180]  __lock_acquire+0x2c57/0x3f20
[ 35.114337]  ? io_schedule_timeout+0x140/0x140
[ 35.118924]  ? __wake_up_common_lock+0xcd/0x140
[ 35.124111]  ? trace_hardirqs_on+0x10/0x10
[ 35.128341]  ? trace_hardirqs_on+0x10/0x10
[ 35.132598]  ? preempt_schedule_common+0x45/0xc0
[ 35.137456]  ? ___preempt_schedule+0x16/0x18
[ 35.141874]  ? tipc_recvmsg+0x43e/0x9e0
[ 35.145840]  ? __local_bh_enable_ip+0x132/0x170
[ 35.150637]  lock_acquire+0x170/0x3f0
[ 35.154434]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 35.159019]  _raw_spin_lock_bh+0x2f/0x40
[ 35.163069]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 35.167653]  tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 35.172071]  tipc_receive_from_sock+0x25c/0x450
[ 35.176737]  ? trace_hardirqs_on+0x10/0x10
[ 35.180961]  ? lock_acquire+0x170/0x3f0
[ 35.184920]  ? tipc_close_conn+0x200/0x200
[ 35.189153]  tipc_recv_work+0x75/0xd0
[ 35.192944]  process_one_work+0x793/0x14a0
[ 35.197250]  ? work_busy+0x320/0x320
[ 35.200956]  ? worker_thread+0x158/0xff0
[ 35.205001]  ? _raw_spin_unlock_irq+0x24/0x80
[ 35.209706]  worker_thread+0x5cc/0xff0
[ 35.213582]  ? rescuer_thread+0xc80/0xc80
[ 35.217731]  kthread+0x30d/0x420
[ 35.221100]  ? kthread_create_on_node+0xd0/0xd0
[ 35.225911]  ret_from_fork+0x24/0x30
[ 35.229643]
[ 35.231256] Allocated by task 22:
[ 35.234699]  kasan_kmalloc+0xeb/0x160
[ 35.238488]  kmem_cache_alloc_trace+0x131/0x3d0
[ 35.243149]  tipc_subscrb_connect_cb+0x40/0x150
[ 35.247800]  tipc_accept_from_sock+0x25b/0x400
[ 35.252367]  tipc_recv_work+0x75/0xd0
[ 35.256151]  process_one_work+0x793/0x14a0
[ 35.260372]  worker_thread+0x5cc/0xff0
[ 35.264239]  kthread+0x30d/0x420
[ 35.267588]  ret_from_fork+0x24/0x30
[ 35.271279]
[ 35.272887] Freed by task 58:
[ 35.275977]  kasan_slab_free+0xc3/0x1a0
[ 35.279937]  kfree+0xc9/0x250
[ 35.283034]  tipc_subscrb_put+0x22/0x30
[ 35.286995]  tipc_close_conn+0x16a/0x200
[ 35.291199]  tipc_send_work+0x41e/0x520
[ 35.295168]  process_one_work+0x793/0x14a0
[ 35.299421]  worker_thread+0x5cc/0xff0
[ 35.303298]  kthread+0x30d/0x420
[ 35.306742]  ret_from_fork+0x24/0x30
[ 35.310465]
[ 35.312081] The buggy address belongs to the object at ffff8880ab697400
[ 35.312081]  which belongs to the cache kmalloc-96 of size 96
[ 35.324702] The buggy address is located 32 bytes inside of
[ 35.324702]  96-byte region [ffff8880ab697400, ffff8880ab697460)
[ 35.336852] The buggy address belongs to the page:
[ 35.341780] page:ffffea0002ada5c0 count:1 mapcount:0 mapping:ffff8880ab697000 index:0xffff8880ab697000
[ 35.351213] flags: 0xfff00000000100(slab)
[ 35.355808] raw: 00fff00000000100 ffff8880ab697000 ffff8880ab697000 000000010000000b
[ 35.363721] raw: ffffea0002ab42e0 ffffea0002abab20 ffff88813fe744c0 0000000000000000
[ 35.371597] page dumped because: kasan: bad access detected
[ 35.377306]
[ 35.378937] Memory state around the buggy address:
[ 35.383859]  ffff8880ab697300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 35.391318]  ffff8880ab697380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 35.398664] >ffff8880ab697400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 35.406005]                    ^
[ 35.410501]  ffff8880ab697480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 35.418023]  ffff8880ab697500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 35.425532] ==================================================================
[ 35.432876] Disabling lock debugging due to kernel taint
[ 35.438425] Kernel panic - not syncing: panic_on_warn set ...
[ 35.438425]
[ 35.445967] CPU: 1 PID: 22 Comm: kworker/u4:1 Tainted: G B 4.14.302-syzkaller #0
[ 35.454615] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 35.464076] Workqueue: tipc_rcv tipc_recv_work
[ 35.468761] Call Trace:
[ 35.471533]  dump_stack+0x1b2/0x281
[ 35.475167]  panic+0x1f9/0x42d
[ 35.478482]  ? add_taint.cold+0x16/0x16
[ 35.482477]  ? lock_downgrade+0x740/0x740
[ 35.486634]  kasan_end_report+0x43/0x49
[ 35.490601]  kasan_report_error.cold+0xa7/0x191
[ 35.495260]  ? __lock_acquire+0x2c57/0x3f20
[ 35.499575]  __asan_report_load8_noabort+0x68/0x70
[ 35.504503]  ? tipc_subscrb_rcv_cb+0x2f0/0xa40
[ 35.509175]  ? __lock_acquire+0x2c57/0x3f20
[ 35.513576]  __lock_acquire+0x2c57/0x3f20
[ 35.517832]  ? io_schedule_timeout+0x140/0x140
[ 35.522408]  ? __wake_up_common_lock+0xcd/0x140
[ 35.527171]  ? trace_hardirqs_on+0x10/0x10
[ 35.531414]  ? trace_hardirqs_on+0x10/0x10
[ 35.535659]  ? preempt_schedule_common+0x45/0xc0
[ 35.540519]  ? ___preempt_schedule+0x16/0x18
[ 35.544919]  ? tipc_recvmsg+0x43e/0x9e0
[ 35.548886]  ? __local_bh_enable_ip+0x132/0x170
[ 35.553549]  lock_acquire+0x170/0x3f0
[ 35.557357]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 35.562219]  _raw_spin_lock_bh+0x2f/0x40
[ 35.566265]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 35.570830]  tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 35.575230]  tipc_receive_from_sock+0x25c/0x450
[ 35.579910]  ? trace_hardirqs_on+0x10/0x10
[ 35.584131]  ? lock_acquire+0x170/0x3f0
[ 35.588108]  ? tipc_close_conn+0x200/0x200
[ 35.592336]  tipc_recv_work+0x75/0xd0
[ 35.596255]  process_one_work+0x793/0x14a0
[ 35.600481]  ? work_busy+0x320/0x320
[ 35.604179]  ? worker_thread+0x158/0xff0
[ 35.608325]  ? _raw_spin_unlock_irq+0x24/0x80
[ 35.612928]  worker_thread+0x5cc/0xff0
[ 35.616801]  ? rescuer_thread+0xc80/0xc80
[ 35.621018]  kthread+0x30d/0x420
[ 35.624389]  ? kthread_create_on_node+0xd0/0xd0
[ 35.629147]  ret_from_fork+0x24/0x30
[ 35.633204] Kernel Offset: disabled
[ 35.636828] Rebooting in 86400 seconds..