tipc: 32-bit node address hash set to 0
==================================================================
BUG: KASAN: use-after-free in tipc_named_reinit+0x198/0x320 net/tipc/name_distr.c:344
Read of size 8 at addr ffff8881ecd36000 by task kworker/1:7/621

CPU: 1 PID: 621 Comm: kworker/1:7 Not tainted 5.4.289-syzkaller-00011-g39762b7a60e9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: events tipc_net_finalize_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 tipc_named_reinit+0x198/0x320 net/tipc/name_distr.c:344
 tipc_net_finalize+0xc8/0x130 net/tipc/net.c:132
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

The buggy address belongs to the page:
page:ffffea0007b34d80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 ffffea0007b34d88 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x140dc0(GFP_USER|__GFP_COMP|__GFP_ZERO)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 kmalloc_order mm/slab_common.c:1342 [inline]
 kmalloc_order_trace+0x2a/0x100 mm/slab_common.c:1358
 kmalloc_large include/linux/slab.h:485 [inline]
 kmalloc include/linux/slab.h:549 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 tipc_nametbl_init+0x94/0x260 net/tipc/name_table.c:738
 tipc_init_net+0x22d/0x360 net/tipc/core.c:74
 ops_init+0x1d4/0x4a0 net/core/net_namespace.c:141
 setup_net+0x214/0x990 net/core/net_namespace.c:348
 copy_net_ns+0x30d/0x510 net/core/net_namespace.c:489
 create_new_namespaces+0x47a/0x570 kernel/nsproxy.c:103
 unshare_nsproxy_namespaces+0x119/0x170 kernel/nsproxy.c:202
 ksys_unshare+0x544/0x990 kernel/fork.c:2908
 __do_sys_unshare kernel/fork.c:2976 [inline]
 __se_sys_unshare kernel/fork.c:2974 [inline]
 __x64_sys_unshare+0x34/0x40 kernel/fork.c:2974
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4955 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4961
 tipc_exit_net+0x92/0xf0 net/tipc/core.c:108
 ops_exit_list net/core/net_namespace.c:182 [inline]
 cleanup_net+0x665/0xc90 net/core/net_namespace.c:612
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Memory state around the buggy address:
 ffff8881ecd35f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881ecd35f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881ecd36000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8881ecd36080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881ecd36100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 621 Comm: kworker/1:7 Tainted: G    B             5.4.289-syzkaller-00011-g39762b7a60e9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: events tipc_net_finalize_work
RIP: 0010:__rht_bucket_nested lib/rhashtable.c:1178 [inline]
RIP: 0010:rht_bucket_nested+0xb5/0x1c0 lib/rhashtable.c:1203
Code: 89 f0 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 f7 e8 40 e5 66 ff 89 ed 48 c1 e5 03 49 03 2e 89 d9 41 d3 ec 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 1c e5 66 ff 48 8b 6d 00 31 ff 48
RSP: 0018:ffff8881e3b97b50 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffff8881 RCX: 00000000ffff8881
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881d573a040
RBP: 0000000000000000 R08: ffffffff822d13f5 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8881d573a040 R15: 000000006c1a2200
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555618844e8 CR3: 00000001dde2f000 CR4: 00000000003426a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rht_bucket include/linux/rhashtable.h:290 [inline]
 __rhashtable_walk_find_next+0x373/0x710 lib/rhashtable.c:794
 tipc_sk_reinit+0x12d/0x510 net/tipc/socket.c:2825
 tipc_net_finalize+0xd0/0x130 net/tipc/net.c:133
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Modules linked in:
---[ end trace e05d4b65316f4cb4 ]---
RIP: 0010:__rht_bucket_nested lib/rhashtable.c:1178 [inline]
RIP: 0010:rht_bucket_nested+0xb5/0x1c0 lib/rhashtable.c:1203
Code: 89 f0 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 f7 e8 40 e5 66 ff 89 ed 48 c1 e5 03 49 03 2e 89 d9 41 d3 ec 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 1c e5 66 ff 48 8b 6d 00 31 ff 48
RSP: 0018:ffff8881e3b97b50 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffff8881 RCX: 00000000ffff8881
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881d573a040
RBP: 0000000000000000 R08: ffffffff822d13f5 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8881d573a040 R15: 000000006c1a2200
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31d0affc CR3: 00000001ed31a000 CR4: 00000000003426a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	89 f0                	mov    %esi,%eax
   2:	48 c1 e8 03          	shr    $0x3,%rax
   6:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
   b:	74 08                	je     0x15
   d:	4c 89 f7             	mov    %r14,%rdi
  10:	e8 40 e5 66 ff       	call   0xff66e555
  15:	89 ed                	mov    %ebp,%ebp
  17:	48 c1 e5 03          	shl    $0x3,%rbp
  1b:	49 03 2e             	add    (%r14),%rbp
  1e:	89 d9                	mov    %ebx,%ecx
  20:	41 d3 ec             	shr    %cl,%r12d
  23:	48 89 e8             	mov    %rbp,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 ef             	mov    %rbp,%rdi
  34:	e8 1c e5 66 ff       	call   0xff66e555
  39:	48 8b 6d 00          	mov    0x0(%rbp),%rbp
  3d:	31 ff                	xor    %edi,%edi
  3f:	48                   	rex.W