tipc: 32-bit node address hash set to fbff1eac
==================================================================
BUG: KASAN: slab-out-of-bounds in tipc_named_reinit+0x1aa/0x360 net/tipc/name_distr.c:344
Read of size 8 at addr ffff8881c505e000 by task kworker/0:9/16995

CPU: 0 PID: 16995 Comm: kworker/0:9 Not tainted 5.4.17-syzkaller-00005-g2303d908db80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b0/0x228 lib/dump_stack.c:118
 print_address_description+0x96/0x5d0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:634
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 tipc_named_reinit+0x1aa/0x360 net/tipc/name_distr.c:344
 tipc_net_finalize+0xcb/0x130 net/tipc/net.c:138
 tipc_net_finalize_work+0x54/0x80 net/tipc/net.c:150
 process_one_work+0x9d8/0x1030 kernel/workqueue.c:2270
 worker_thread+0xbbc/0x1610 kernel/workqueue.c:2416
 kthread+0x31a/0x340 kernel/kthread.c:255
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881c505df80
 which belongs to the cache TIPC of size 984
The buggy address is located 128 bytes inside of
 984-byte region [ffff8881c505df80, ffff8881c505e358)
The buggy address belongs to the page:
page:ffffea0007141700 refcount:1 mapcount:0 mapping:ffff8881d70cf400 index:0x0 compound_mapcount: 0
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881d70cf400
raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881c505df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c505df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881c505e000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8881c505e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c505e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 16995 Comm: kworker/0:9 Tainted: G B 5.4.17-syzkaller-00005-g2303d908db80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
RIP: 0010:__rht_bucket_nested lib/rhashtable.c:1178 [inline]
RIP: 0010:rht_bucket_nested lib/rhashtable.c:1203 [inline]
RIP: 0010:rht_bucket include/linux/rhashtable.h:290 [inline]
RIP: 0010:__rhashtable_walk_find_next+0x4b5/0x9b0 lib/rhashtable.c:794
Code: 00 74 0e 89 cb e8 7b a8 78 ff 89 d9 48 8b 7c 24 78 49 c1 e7 03 4c 03 3f 48 8b 44 24 58 d3 e8 89 44 24 2c 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 4c a8 78 ff 4d 8b 3f 31 ff 4c 89
RSP: 0018:ffff88819cd779e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffff8881 RCX: 00000000ffff8881
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881c73b0040
RBP: ffff88819cd77b40 R08: ffffffff81f8318d R09: 0000000000000003
R10: ffffed10339aef49 R11: 0000000000000004 R12: ffff8881c505e010
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001840 CR3: 00000001c7890004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rhashtable_walk_next+0x23b/0x2e0 lib/rhashtable.c:878
 tipc_sk_reinit+0x119/0x4a0 net/tipc/socket.c:2790
 tipc_net_finalize+0xd3/0x130 net/tipc/net.c:139
 tipc_net_finalize_work+0x54/0x80 net/tipc/net.c:150
 process_one_work+0x9d8/0x1030 kernel/workqueue.c:2270
 worker_thread+0xbbc/0x1610 kernel/workqueue.c:2416
 kthread+0x31a/0x340 kernel/kthread.c:255
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 7e2eda9cb19c9b43 ]---
RIP: 0010:__rht_bucket_nested lib/rhashtable.c:1178 [inline]
RIP: 0010:rht_bucket_nested lib/rhashtable.c:1203 [inline]
RIP: 0010:rht_bucket include/linux/rhashtable.h:290 [inline]
RIP: 0010:__rhashtable_walk_find_next+0x4b5/0x9b0 lib/rhashtable.c:794
Code: 00 74 0e 89 cb e8 7b a8 78 ff 89 d9 48 8b 7c 24 78 49 c1 e7 03 4c 03 3f 48 8b 44 24 58 d3 e8 89 44 24 2c 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 4c a8 78 ff 4d 8b 3f 31 ff 4c 89
RSP: 0018:ffff88819cd779e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffff8881 RCX: 00000000ffff8881
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881c73b0040
RBP: ffff88819cd77b40 R08: ffffffff81f8318d R09: 0000000000000003
R10: ffffed10339aef49 R11: 0000000000000004 R12: ffff8881c505e010
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001840 CR3: 00000001c7890004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400