==================================================================
BUG: KASAN: use-after-free in tipc_conn_close+0x38/0x130 net/tipc/topsrv.c:158
Read of size 8 at addr ffff8881e5b0f408 by task kworker/u4:4/437

CPU: 1 PID: 437 Comm: kworker/u4:4 Tainted: G W 5.4.210-syzkaller-00019-g035e4939365c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18e/0x1d5 lib/dump_stack.c:118
 print_address_description+0x8c/0x630 mm/kasan/report.c:384
 __kasan_report+0xf6/0x130 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 tipc_conn_close+0x38/0x130 net/tipc/topsrv.c:158
 tipc_topsrv_stop net/tipc/topsrv.c:694 [inline]
 tipc_topsrv_exit_net+0x148/0x330 net/tipc/topsrv.c:715
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x654/0xcf0 net/core/net_namespace.c:602
 process_one_work+0x6ca/0xc40 kernel/workqueue.c:2287
 worker_thread+0xae0/0x1440 kernel/workqueue.c:2433
 kthread+0x2d8/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 437:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x131/0x1e0 mm/kasan/common.c:529
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 tipc_conn_alloc+0x51/0x3c0 net/tipc/topsrv.c:185
 tipc_topsrv_accept+0xc9/0x260 net/tipc/topsrv.c:463
 process_one_work+0x6ca/0xc40 kernel/workqueue.c:2287
 worker_thread+0xae0/0x1440 kernel/workqueue.c:2433
 kthread+0x2d8/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Freed by task 172:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x178/0x240 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook+0x80/0x150 mm/slub.c:1494
 slab_free mm/slub.c:3080 [inline]
 kfree+0xc6/0x260 mm/slub.c:4071
 tipc_conn_recv_work+0x378/0x3b0 net/tipc/topsrv.c:430
 process_one_work+0x6ca/0xc40 kernel/workqueue.c:2287
 worker_thread+0xae0/0x1440 kernel/workqueue.c:2433
 kthread+0x2d8/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8881e5b0f400
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 8 bytes inside of
 192-byte region [ffff8881e5b0f400, ffff8881e5b0f4c0)
The buggy address belongs to the page:
page:ffffea000796c3c0 refcount:1 mapcount:0 mapping:ffff8881f5c02a00 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 ffffea0006c44c40 0000000200000002 ffff8881f5c02a00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x194/0x380 mm/page_alloc.c:2171
 get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x2ab/0x6f0 mm/page_alloc.c:4857
 alloc_slab_page+0x39/0x3e0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x450 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x320/0x4a0 mm/slub.c:2667
 __slab_alloc+0x5a/0x90 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 __kmalloc_track_caller+0x168/0x280 mm/slub.c:4449
 kmemdup+0x21/0x50 mm/util.c:127
 neigh_parms_alloc+0x7b/0x410 net/core/neighbour.c:1628
 ipv6_add_dev+0x2e2/0x1050 net/ipv6/addrconf.c:389
 addrconf_notify+0x591/0xe60 net/ipv6/addrconf.c:3534
 notifier_call_chain kernel/notifier.c:98 [inline]
 __raw_notifier_call_chain kernel/notifier.c:399 [inline]
 raw_notifier_call_chain+0x9d/0x110 kernel/notifier.c:406
 call_netdevice_notifiers_info net/core/dev.c:1670 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1682 [inline]
 call_netdevice_notifiers net/core/dev.c:1696 [inline]
 register_netdevice+0xd9e/0x1140 net/core/dev.c:9206
 register_netdev+0x37/0x50 net/core/dev.c:9304
 vti6_init_net+0x2a2/0x350 net/ipv6/ip6_vti.c:1150
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 free_pcp_prepare+0x1a4/0x290 mm/page_alloc.c:1233
 free_unref_page_prepare mm/page_alloc.c:3085 [inline]
 free_unref_page mm/page_alloc.c:3134 [inline]
 free_the_page mm/page_alloc.c:4917 [inline]
 __free_pages+0x52/0x1e0 mm/page_alloc.c:4925
 tlb_batch_list_free mm/mmu_gather.c:61 [inline]
 tlb_finish_mmu+0x124/0x200 mm/mmu_gather.c:275
 exit_mmap+0x2a6/0x4f0 mm/mmap.c:3168
 __mmput+0x34/0x240 kernel/fork.c:1090
 exit_mm kernel/exit.c:489 [inline]
 do_exit+0xb40/0x2b40 kernel/exit.c:799
 do_group_exit+0x136/0x300 kernel/exit.c:910
 get_signal+0xd99/0x13f0 kernel/signal.c:2735
 do_signal+0x41/0x10a0 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0xdd/0x1d0 arch/x86/entry/common.c:159
 prepare_exit_to_usermode+0x17c/0x1d0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Memory state around the buggy address:
 ffff8881e5b0f300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e5b0f380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8881e5b0f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8881e5b0f480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881e5b0f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000238
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1de2db067 P4D 1de2db067 PUD 1de2da067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 437 Comm: kworker/u4:4 Tainted: G B W 5.4.210-syzkaller-00019-g035e4939365c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Workqueue: netns cleanup_net
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:200 [inline]
RIP: 0010:atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:695 [inline]
RIP: 0010:queued_write_lock include/asm-generic/qrwlock.h:92 [inline]
RIP: 0010:__raw_write_lock_bh include/linux/rwlock_api_smp.h:204 [inline]
RIP: 0010:_raw_write_lock_bh+0x78/0x110 kernel/locking/spinlock.c:319
Code: 89 f7 be 04 00 00 00 e8 86 df 6c fd 4c 89 e7 be 04 00 00 00 e8 79 df 6c fd 42 8a 04 3b 84 c0 75 63 8b 44 24 04 b9 ff 00 00 00 <f0> 41 0f b1 0e 75 1d 65 48 8b 04 25 28 00 00 00 48 3b 44 24 08 75
RSP: 0018:ffff8881b361fbf0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff110366c3f7e RCX: 00000000000000ff
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff8881b361fbf4
RBP: dffffc0000000000 R08: dffffc0000000000 R09: ffffed10366c3f7f
R10: ffffed10366c3f7f R11: 1ffff110366c3f7e R12: ffff8881b361fbf4
R13: ffff8881e5b0fc18 R14: 0000000000000238 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000238 CR3: 00000001df5fe000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tipc_conn_close+0x6a/0x130 net/tipc/topsrv.c:161
 tipc_topsrv_stop net/tipc/topsrv.c:694 [inline]
 tipc_topsrv_exit_net+0x148/0x330 net/tipc/topsrv.c:715
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x654/0xcf0 net/core/net_namespace.c:602
 process_one_work+0x6ca/0xc40 kernel/workqueue.c:2287
 worker_thread+0xae0/0x1440 kernel/workqueue.c:2433
 kthread+0x2d8/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
CR2: 0000000000000238
---[ end trace 52fb90348ad37609 ]---
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:200 [inline]
RIP: 0010:atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:695 [inline]
RIP: 0010:queued_write_lock include/asm-generic/qrwlock.h:92 [inline]
RIP: 0010:__raw_write_lock_bh include/linux/rwlock_api_smp.h:204 [inline]
RIP: 0010:_raw_write_lock_bh+0x78/0x110 kernel/locking/spinlock.c:319
Code: 89 f7 be 04 00 00 00 e8 86 df 6c fd 4c 89 e7 be 04 00 00 00 e8 79 df 6c fd 42 8a 04 3b 84 c0 75 63 8b 44 24 04 b9 ff 00 00 00 <f0> 41 0f b1 0e 75 1d 65 48 8b 04 25 28 00 00 00 48 3b 44 24 08 75
RSP: 0018:ffff8881b361fbf0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff110366c3f7e RCX: 00000000000000ff
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff8881b361fbf4
RBP: dffffc0000000000 R08: dffffc0000000000 R09: ffffed10366c3f7f
R10: ffffed10366c3f7f R11: 1ffff110366c3f7e R12: ffff8881b361fbf4
R13: ffff8881e5b0fc18 R14: 0000000000000238 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000238 CR3: 00000001df5fe000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:   89 f7                   mov    %esi,%edi
   2:   be 04 00 00 00          mov    $0x4,%esi
   7:   e8 86 df 6c fd          callq  0xfd6cdf92
   c:   4c 89 e7                mov    %r12,%rdi
   f:   be 04 00 00 00          mov    $0x4,%esi
  14:   e8 79 df 6c fd          callq  0xfd6cdf92
  19:   42 8a 04 3b             mov    (%rbx,%r15,1),%al
  1d:   84 c0                   test   %al,%al
  1f:   75 63                   jne    0x84
  21:   8b 44 24 04             mov    0x4(%rsp),%eax
  25:   b9 ff 00 00 00          mov    $0xff,%ecx
* 2a:   f0 41 0f b1 0e          lock cmpxchg %ecx,(%r14) <-- trapping instruction
  2f:   75 1d                   jne    0x4e
  31:   65 48 8b 04 25 28 00    mov    %gs:0x28,%rax
  38:   00 00
  3a:   48 3b 44 24 08          cmp    0x8(%rsp),%rax
  3f:   75                      .byte 0x75