Warning: Permanently added '10.128.0.219' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
[   28.302115] ==================================================================
[   28.309535] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[   28.316174] Read of size 8 at addr ffff8880abbdf7a0 by task kworker/u4:2/76
[   28.323242]
[   28.324848] CPU: 0 PID: 76 Comm: kworker/u4:2 Not tainted 4.14.266-syzkaller #0
[   28.332264] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.341599] Workqueue: tipc_rcv tipc_recv_work
[   28.346152] Call Trace:
[   28.348715]  dump_stack+0x1b2/0x281
[   28.352315]  print_address_description.cold+0x54/0x1d3
[   28.357567]  kasan_report_error.cold+0x8a/0x191
[   28.362212]  ? __lock_acquire+0x2c57/0x3f20
[   28.366509]  __asan_report_load8_noabort+0x68/0x70
[   28.371426]  ? tipc_subscrb_rcv_cb+0x350/0xa40
[   28.375982]  ? __lock_acquire+0x2c57/0x3f20
[   28.380277]  __lock_acquire+0x2c57/0x3f20
[   28.384403]  ? lock_acquire+0x170/0x3f0
[   28.388351]  ? __release_sock+0x227/0x350
[   28.392468]  ? trace_hardirqs_on+0x10/0x10
[   28.396687]  ? trace_hardirqs_on+0x10/0x10
[   28.400894]  ? mark_held_locks+0xa6/0xf0
[   28.404937]  ? __local_bh_enable_ip+0xc1/0x170
[   28.409494]  ? trace_hardirqs_on_caller+0x3a8/0x580
[   28.414484]  ? tipc_recvmsg+0x43e/0x9e0
[   28.418430]  ? __local_bh_enable_ip+0xc1/0x170
[   28.422984]  lock_acquire+0x170/0x3f0
[   28.426755]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.431310]  _raw_spin_lock_bh+0x2f/0x40
[   28.435343]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.439907]  tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.444302]  tipc_receive_from_sock+0x25c/0x450
[   28.448943]  ? trace_hardirqs_on+0x10/0x10
[   28.453150]  ? lock_acquire+0x170/0x3f0
[   28.457108]  ? tipc_close_conn+0x200/0x200
[   28.461317]  tipc_recv_work+0x75/0xd0
[   28.465091]  process_one_work+0x793/0x14a0
[   28.469298]  ? work_busy+0x320/0x320
[   28.472985]  ? worker_thread+0x158/0xff0
[   28.477017]  ? _raw_spin_unlock_irq+0x24/0x80
[   28.481486]  worker_thread+0x5cc/0xff0
[   28.485350]  ? rescuer_thread+0xc80/0xc80
[   28.489473]  kthread+0x30d/0x420
[   28.492814]  ? kthread_create_on_node+0xd0/0xd0
[   28.497458]  ret_from_fork+0x24/0x30
[   28.501143]
[   28.502741] Allocated by task 76:
[   28.506169]  kasan_kmalloc+0xeb/0x160
[   28.509943]  kmem_cache_alloc_trace+0x131/0x3d0
[   28.514585]  tipc_subscrb_connect_cb+0x40/0x150
[   28.519225]  tipc_accept_from_sock+0x25b/0x400
[   28.523779]  tipc_recv_work+0x75/0xd0
[   28.527554]  process_one_work+0x793/0x14a0
[   28.531757]  worker_thread+0x5cc/0xff0
[   28.535615]  kthread+0x30d/0x420
[   28.538962]  ret_from_fork+0x24/0x30
[   28.542641]
[   28.544241] Freed by task 3015:
[   28.547497]  kasan_slab_free+0xc3/0x1a0
[   28.551444]  kfree+0xc9/0x250
[   28.554520]  tipc_subscrb_put+0x22/0x30
[   28.558466]  tipc_close_conn+0x16a/0x200
[   28.562500]  tipc_send_work+0x41e/0x520
[   28.566445]  process_one_work+0x793/0x14a0
[   28.570650]  worker_thread+0x5cc/0xff0
[   28.574509]  kthread+0x30d/0x420
[   28.577851]  ret_from_fork+0x24/0x30
[   28.581533]
[   28.583132] The buggy address belongs to the object at ffff8880abbdf780
[   28.583132]  which belongs to the cache kmalloc-96 of size 96
[   28.596016] The buggy address is located 32 bytes inside of
[   28.596016]  96-byte region [ffff8880abbdf780, ffff8880abbdf7e0)
[   28.607686] The buggy address belongs to the page:
[   28.612588] page:ffffea0002aef7c0 count:1 mapcount:0 mapping:ffff8880abbdf000 index:0xffff8880abbdf880
[   28.622002] flags: 0xfff00000000100(slab)
[   28.626134] raw: 00fff00000000100 ffff8880abbdf000 ffff8880abbdf880 0000000100000001
[   28.633987] raw: ffffea0002bc6d20 ffffea0002bdfae0 ffff88813fe744c0 0000000000000000
[   28.641840] page dumped because: kasan: bad access detected
[   28.647520]
[   28.649121] Memory state around the buggy address:
[   28.654020]  ffff8880abbdf680: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.661349]  ffff8880abbdf700: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.668689] >ffff8880abbdf780: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.676018]                               ^
[   28.680397]  ffff8880abbdf800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.687724]  ffff8880abbdf880: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.695064] ==================================================================
[   28.702392] Disabling lock debugging due to kernel taint
[   28.707813] Kernel panic - not syncing: panic_on_warn set ...
[   28.707813]
[   28.715149] CPU: 0 PID: 76 Comm: kworker/u4:2 Tainted: G    B   4.14.266-syzkaller #0
[   28.723789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.733139] Workqueue: tipc_rcv tipc_recv_work
[   28.737693] Call Trace:
[   28.740256]  dump_stack+0x1b2/0x281
[   28.743856]  panic+0x1f9/0x42d
[   28.747020]  ? add_taint.cold+0x16/0x16
[   28.750966]  ? lock_downgrade+0x740/0x740
[   28.755105]  kasan_end_report+0x43/0x49
[   28.759061]  kasan_report_error.cold+0xa7/0x191
[   28.763707]  ? __lock_acquire+0x2c57/0x3f20
[   28.768004]  __asan_report_load8_noabort+0x68/0x70
[   28.772912]  ? tipc_subscrb_rcv_cb+0x350/0xa40
[   28.777467]  ? __lock_acquire+0x2c57/0x3f20
[   28.781774]  __lock_acquire+0x2c57/0x3f20
[   28.785901]  ? lock_acquire+0x170/0x3f0
[   28.789849]  ? __release_sock+0x227/0x350
[   28.793970]  ? trace_hardirqs_on+0x10/0x10
[   28.798184]  ? trace_hardirqs_on+0x10/0x10
[   28.802393]  ? mark_held_locks+0xa6/0xf0
[   28.806428]  ? __local_bh_enable_ip+0xc1/0x170
[   28.810981]  ? trace_hardirqs_on_caller+0x3a8/0x580
[   28.815970]  ? tipc_recvmsg+0x43e/0x9e0
[   28.819916]  ? __local_bh_enable_ip+0xc1/0x170
[   28.824475]  lock_acquire+0x170/0x3f0
[   28.828265]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.832821]  _raw_spin_lock_bh+0x2f/0x40
[   28.836853]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.841408]  tipc_subscrb_rcv_cb+0x4d4/0xa40
[   28.845798]  tipc_receive_from_sock+0x25c/0x450
[   28.850438]  ? trace_hardirqs_on+0x10/0x10
[   28.854644]  ? lock_acquire+0x170/0x3f0
[   28.858592]  ? tipc_close_conn+0x200/0x200
[   28.862801]  tipc_recv_work+0x75/0xd0
[   28.866573]  process_one_work+0x793/0x14a0
[   28.870783]  ? work_busy+0x320/0x320
[   28.874483]  ? worker_thread+0x158/0xff0
[   28.878521]  ? _raw_spin_unlock_irq+0x24/0x80
[   28.882988]  worker_thread+0x5cc/0xff0
[   28.886851]  ? rescuer_thread+0xc80/0xc80
[   28.890967]  kthread+0x30d/0x420
[   28.894312]  ? kthread_create_on_node+0xd0/0xd0
[   28.898952]  ret_from_fork+0x24/0x30
[   28.902809] Kernel Offset: disabled
[   28.906423] Rebooting in 86400 seconds..