==================================================================
BUG: KASAN: use-after-free in smc_fback_error_report+0x6c/0x98 net/smc/af_smc.c:656
Read of size 8 at addr ffff0000ec0e0538 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.15.153-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x174/0x1e4 mm/kasan/report.c:451
 __asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309
 smc_fback_error_report+0x6c/0x98 net/smc/af_smc.c:656
 sk_error_report+0x44/0x374 net/core/sock.c:339
 tcp_write_err net/ipv4/tcp_timer.c:71 [inline]
 tcp_write_timeout net/ipv4/tcp_timer.c:277 [inline]
 tcp_retransmit_timer+0xc40/0x1d3c net/ipv4/tcp_timer.c:532
 tcp_write_timer_handler+0x1e8/0x8a8 net/ipv4/tcp_timer.c:644
 tcp_write_timer+0x178/0x318 net/ipv4/tcp_timer.c:664
 call_timer_fn+0x19c/0x8f0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers+0x554/0x718 kernel/time/timer.c:1737
 run_timer_softirq+0x7c/0x114 kernel/time/timer.c:1750
 __do_softirq+0x344/0xdb0 kernel/softirq.c:558
 do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
 invoke_softirq kernel/softirq.c:439 [inline]
 __irq_exit_rcu+0x264/0x4d4 kernel/softirq.c:637
 irq_exit+0x14/0x88 kernel/softirq.c:661
 handle_domain_irq+0xf4/0x178 kernel/irq/irqdesc.c:710
 gic_handle_irq+0x78/0x1c8 drivers/irqchip/irq-gic-v3.c:758
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:899
 do_interrupt_handler+0x74/0x94 arch/arm64/kernel/entry-common.c:267
 el1_interrupt+0x30/0x58 arch/arm64/kernel/entry-common.c:454
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:470
 el1h_64_irq+0x78/0x7c arch/arm64/kernel/entry.S:580
 arch_local_irq_enable+0xc/0x18 arch/arm64/include/asm/irqflags.h:35
 default_idle_call+0xcc/0x4a8 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:194 [inline]
 do_idle+0x1d4/0x4dc kernel/sched/idle.c:306
 cpu_startup_entry+0x24/0x28 kernel/sched/idle.c:403
 secondary_start_kernel+0x240/0x298 arch/arm64/kernel/smp.c:265
 __secondary_switched+0x94/0x98 arch/arm64/kernel/head.S:661

The buggy address belongs to the page:
page:00000000c7759db4 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x3 pfn:0x12c0e0
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc0003668808 fffffc0003acd008 0000000000000000
raw: 0000000000000003 0000000000000004 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000ec0e0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000ec0e0480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000ec0e0500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff0000ec0e0580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000ec0e0600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
IPVS: wrr: TCP 172.20.20.170:21 - no destination available
IPVS: wrr: TCP 172.20.20.170:21 - no destination available
IPVS: wrr: TCP 172.20.20.170:21 - no destination available