tipc: 32-bit node address hash set to f1414ac ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:268 [inline] BUG: KASAN: use-after-free in tipc_named_reinit+0x1b0/0x340 net/tipc/name_distr.c:344 Read of size 8 at addr ffff8881eec5e000 by task kworker/1:3/331 CPU: 1 PID: 331 Comm: kworker/1:3 Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Workqueue: events tipc_net_finalize_work Call Trace: __dump_stack+0x1e/0x20 lib/dump_stack.c:77 dump_stack+0x15b/0x1b8 lib/dump_stack.c:118 print_address_description+0x8d/0x4c0 mm/kasan/report.c:384 __kasan_report+0xef/0x120 mm/kasan/report.c:516 kasan_report+0x30/0x60 mm/kasan/common.c:653 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 __read_once_size include/linux/compiler.h:268 [inline] tipc_named_reinit+0x1b0/0x340 net/tipc/name_distr.c:344 tipc_net_finalize+0xcd/0x130 net/tipc/net.c:132 tipc_net_finalize_work+0x4f/0x70 net/tipc/net.c:144 process_one_work+0x73b/0xcc0 kernel/workqueue.c:2290 worker_thread+0xa5c/0x13b0 kernel/workqueue.c:2436 kthread+0x31e/0x3a0 kernel/kthread.c:288 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354 The buggy address belongs to the page: page:ffffea0007bb1780 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x8000000000000000() raw: 8000000000000000 0000000000000000 ffffea0007bb1788 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO) set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2165 [inline] prep_new_page+0x35e/0x370 mm/page_alloc.c:2171 get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794 __alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894 __alloc_pages include/linux/gfp.h:503 [inline] __alloc_pages_node include/linux/gfp.h:516 [inline] alloc_pages_node include/linux/gfp.h:530 [inline] kmalloc_order mm/slab_common.c:1342 [inline] kmalloc_order_trace+0x31/0x100 mm/slab_common.c:1358 kmalloc_large include/linux/slab.h:485 [inline] kmalloc include/linux/slab.h:549 [inline] kzalloc include/linux/slab.h:690 [inline] tipc_nametbl_init+0x99/0x260 net/tipc/name_table.c:738 tipc_init_net+0x237/0x370 net/tipc/core.c:74 ops_init+0x1ba/0x4a0 net/core/net_namespace.c:141 setup_net+0x20c/0x9b0 net/core/net_namespace.c:348 copy_net_ns+0x314/0x520 net/core/net_namespace.c:489 create_new_namespaces+0x49c/0x590 kernel/nsproxy.c:103 unshare_nsproxy_namespaces+0x120/0x170 kernel/nsproxy.c:202 ksys_unshare+0x4a4/0x7d0 kernel/fork.c:2908 __do_sys_unshare kernel/fork.c:2976 [inline] __se_sys_unshare kernel/fork.c:2974 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:2974 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1176 [inline] __free_pages_ok+0x7e4/0x910 mm/page_alloc.c:1438 free_the_page mm/page_alloc.c:4956 [inline] __free_pages+0x8c/0x110 mm/page_alloc.c:4962 kfree+0x1ca/0x260 mm/slub.c:4068 tipc_nametbl_stop+0x754/0x7b0 net/tipc/name_table.c:798 tipc_exit_net+0x96/0x100 net/tipc/core.c:108 ops_exit_list net/core/net_namespace.c:182 [inline] cleanup_net+0x588/0xb40 net/core/net_namespace.c:612 process_one_work+0x73b/0xcc0 kernel/workqueue.c:2290 worker_thread+0xa5c/0x13b0 kernel/workqueue.c:2436 kthread+0x31e/0x3a0 kernel/kthread.c:288 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354 Memory state around the buggy address: ffff8881eec5df00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881eec5df80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8881eec5e000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8881eec5e080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881eec5e100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 331 Comm: kworker/1:3 Tainted: G B 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Workqueue: events tipc_net_finalize_work RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline] RIP: 0010:__rht_bucket_nested lib/rhashtable.c:-1 [inline] RIP: 0010:rht_bucket_nested+0x9a/0x1b0 lib/rhashtable.c:1203 Code: e8 03 42 80 3c 20 00 74 0e 4c 89 ff 89 4d d4 e8 bc 03 71 ff 8b 4d d4 45 89 ed 49 c1 e5 03 4d 03 2f d3 eb 4c 89 e8 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 ef e8 97 03 71 ff 4d 8b 7d 00 31 ff 4c RSP: 0018:ffff8881f0b0fa80 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000ffff8881 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881eec70040 RBP: ffff8881f0b0fab0 R08: 0000000000000004 R09: 0000000000000003 R10: ffffed103e161f60 R11: 1ffff1103e161f60 R12: dffffc0000000000 R13: 0000000000000000 R14: 0000000077969800 R15: ffff8881eec70040 FS: 0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d7a7ad6038 CR3: 0000000005c0e000 CR4: 00000000003406a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rht_bucket include/linux/rhashtable.h:290 [inline] __rhashtable_walk_find_next+0x33d/0x6b0 lib/rhashtable.c:794 rhashtable_walk_next+0x221/0x2e0 lib/rhashtable.c:878 tipc_sk_reinit+0x128/0x520 net/tipc/socket.c:2825 tipc_net_finalize+0xd5/0x130 net/tipc/net.c:133 tipc_net_finalize_work+0x4f/0x70 net/tipc/net.c:144 process_one_work+0x73b/0xcc0 kernel/workqueue.c:2290 worker_thread+0xa5c/0x13b0 kernel/workqueue.c:2436 kthread+0x31e/0x3a0 kernel/kthread.c:288 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354 Modules linked in: ---[ end trace be337ae9b5624f74 ]--- RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline] RIP: 0010:__rht_bucket_nested lib/rhashtable.c:-1 [inline] RIP: 0010:rht_bucket_nested+0x9a/0x1b0 lib/rhashtable.c:1203 Code: e8 03 42 80 3c 20 00 74 0e 4c 89 ff 89 4d d4 e8 bc 03 71 ff 8b 4d d4 45 89 ed 49 c1 e5 03 4d 03 2f d3 eb 4c 89 e8 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 ef e8 97 03 71 ff 4d 8b 7d 00 31 ff 4c RSP: 0018:ffff8881f0b0fa80 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000ffff8881 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881eec70040 RBP: ffff8881f0b0fab0 R08: 0000000000000004 R09: 0000000000000003 R10: ffffed103e161f60 R11: 1ffff1103e161f60 R12: dffffc0000000000 R13: 0000000000000000 R14: 0000000077969800 R15: ffff8881eec70040 FS: 0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d7a7ad6038 CR3: 0000000005c0e000 CR4: 00000000003406a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: e8 03 42 80 3c call 0x3c804208 5: 20 00 and %al,(%rax) 7: 74 0e je 0x17 9: 4c 89 ff mov %r15,%rdi c: 89 4d d4 mov %ecx,-0x2c(%rbp) f: e8 bc 03 71 ff call 0xff7103d0 14: 8b 4d d4 mov -0x2c(%rbp),%ecx 17: 45 89 ed mov %r13d,%r13d 1a: 49 c1 e5 03 shl $0x3,%r13 1e: 4d 03 2f add (%r15),%r13 21: d3 eb shr %cl,%ebx 23: 4c 89 e8 mov %r13,%rax 26: 48 c1 e8 03 shr $0x3,%rax * 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction 2f: 74 08 je 0x39 31: 4c 89 ef mov %r13,%rdi 34: e8 97 03 71 ff call 0xff7103d0 39: 4d 8b 7d 00 mov 0x0(%r13),%r15 3d: 31 ff xor %edi,%edi 3f: 4c rex.WR