tipc: 32-bit node address hash set to feff1eac
==================================================================
BUG: KASAN: use-after-free in tipc_named_reinit+0x194/0x340 net/tipc/name_distr.c:344
Read of size 8 at addr ffff8881c8752000 by task kworker/1:4/3385

CPU: 1 PID: 3385 Comm: kworker/1:4 Not tainted 5.4.68-syzkaller-00463-g14bc969ca0c4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b0/0x21e lib/dump_stack.c:118
 print_address_description+0x96/0x5d0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x27/0x50 mm/kasan/common.c:634
 tipc_named_reinit+0x194/0x340 net/tipc/name_distr.c:344
 tipc_net_finalize+0xc7/0x130 net/tipc/net.c:138
 tipc_net_finalize_work+0x50/0x70 net/tipc/net.c:150
 process_one_work+0x777/0xf90 kernel/workqueue.c:2274
 worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
 kthread+0x317/0x340 kernel/kthread.c:268
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 3490:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
 __kmalloc+0xf7/0x2c0 mm/slub.c:3848
 kmalloc_array+0x2d/0x50 include/linux/slab.h:618
 kcalloc include/linux/slab.h:629 [inline]
 iter_file_splice_write+0x21d/0xf20 fs/splice.c:690
 splice_direct_to_actor+0x496/0xb00 fs/splice.c:976
 do_splice_direct+0x279/0x3d0 fs/splice.c:1064
 do_sendfile+0x89d/0x1110 fs/read_write.c:1464
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290

Freed by task 3490:
 do_splice_direct+0x279/0x3d0 fs/splice.c:1064
 do_sendfile+0x89d/0x1110 fs/read_write.c:1464
 __do_sys_sendfile64 fs/read_write.c:1525 [inline]
 __se_sys_sendfile64 fs/read_write.c:1511 [inline]
 __x64_sys_sendfile64+0x1ae/0x220 fs/read_write.c:1511
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8881c8752000
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes inside of
 256-byte region [ffff8881c8752000, ffff8881c8752100)
The buggy address belongs to the page:
page:ffffea000721d480 refcount:1 mapcount:0 mapping:ffff8881da802780 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802780
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881c8751f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c8751f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881c8752000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8881c8752080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881c8752100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
BUG: unable to handle page fault for address: fffffffffffffff0
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 4c0f067 P4D 4c0f067 PUD 4c11067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 3385 Comm: kworker/1:4 Tainted: G    B   5.4.68-syzkaller-00463-g14bc969ca0c4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
RIP: 0010:tipc_named_reinit+0x1c4/0x340 net/tipc/name_distr.c:345
Code: 74 6a e8 4f e3 7d fd 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 8d 7b f0 48 89 f8 48 c1 e8 03 42 0f b6 04 28 84 c0 75 28 <89> 6b f0 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 23
RSP: 0018:ffff8881d455fcb0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8881c7f22e80
RDX: 0000000000000000 RSI: 0000000000000008 RDI: fffffffffffffff0
RBP: 00000000feff1eac R08: dffffc0000000000 R09: fffffbfff0ac45e9
R10: fffffbfff0ac45e9 R11: 0000000000000000 R12: ffff8881c8750000
R13: dffffc0000000000 R14: ffff888192c75160 R15: ffff8881c8752000
FS:  0000000000000000(0000) GS:ffff8881db900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff0 CR3: 00000001c4c02002 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 tipc_net_finalize+0xc7/0x130 net/tipc/net.c:138
 tipc_net_finalize_work+0x50/0x70 net/tipc/net.c:150
 process_one_work+0x777/0xf90 kernel/workqueue.c:2274
 worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
 kthread+0x317/0x340 kernel/kthread.c:268
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
CR2: fffffffffffffff0
---[ end trace 3ea02ee9ee30d17b ]---
RIP: 0010:tipc_named_reinit+0x1c4/0x340 net/tipc/name_distr.c:345
Code: 74 6a e8 4f e3 7d fd 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 8d 7b f0 48 89 f8 48 c1 e8 03 42 0f b6 04 28 84 c0 75 28 <89> 6b f0 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 23
RSP: 0018:ffff8881d455fcb0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8881c7f22e80
RDX: 0000000000000000 RSI: 0000000000000008 RDI: fffffffffffffff0
RBP: 00000000feff1eac R08: dffffc0000000000 R09: fffffbfff0ac45e9
R10: fffffbfff0ac45e9 R11: 0000000000000000 R12: ffff8881c8750000
R13: dffffc0000000000 R14: ffff888192c75160 R15: ffff8881c8752000
FS:  0000000000000000(0000) GS:ffff8881db900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff0 CR3: 00000001c4c02002 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600