[ 846.788630][ T52] fbnic 0000:01:00.0 enp1s0: Link is Down
[ 846.796073][ T3986] fbnic 0000:01:00.0 enp1s0: configuring for inband/laui link mode
[ 846.993713][ T3987] fbnic 0000:01:00.0 enp1s0: configuring for inband/laui link mode
[ 858.281625][ T3993] ==================================================================
[ 858.282028][ T3993] BUG: KASAN: slab-use-after-free in xsk_bind+0x1560/0x1a60
[ 858.282268][ T3993] Read of size 4 at addr ffff888006b2d17c by task xdp_helper/3993
[ 858.282507][ T3993]
[ 858.282593][ T3993] CPU: 2 UID: 0 PID: 3993 Comm: xdp_helper Not tainted 6.16.0-rc7-virtme #1 PREEMPT(full)
[ 858.282599][ T3993] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 858.282601][ T3993] Call Trace:
[ 858.282604][ T3993]
[ 858.282606][ T3993] dump_stack_lvl+0x82/0xd0
[ 858.282611][ T3993] print_address_description.constprop.0+0x2c/0x390
[ 858.282618][ T3993] ? xsk_bind+0x1560/0x1a60
[ 858.282622][ T3993] print_report+0xb4/0x270
[ 858.282626][ T3993] ? xsk_bind+0x1560/0x1a60
[ 858.282629][ T3993] ? kasan_addr_to_slab+0x25/0x80
[ 858.282633][ T3993] ? xsk_bind+0x1560/0x1a60
[ 858.282636][ T3993] kasan_report+0xca/0x100
[ 858.282640][ T3993] ? xsk_bind+0x1560/0x1a60
[ 858.282646][ T3993] xsk_bind+0x1560/0x1a60
[ 858.282651][ T3993] ? __pfx_xsk_bind+0x10/0x10
[ 858.282656][ T3993] ? __might_fault+0x11b/0x170
[ 858.282663][ T3993] __sys_bind+0x15e/0x230
[ 858.282669][ T3993] ? __pfx___sys_bind+0x10/0x10
[ 858.282673][ T3993] ? vm_mmap_pgoff+0x1d0/0x2e0
[ 858.282680][ T3993] ? __sys_setsockopt+0xec/0x160
[ 858.282686][ T3993] __x64_sys_bind+0x72/0xb0
[ 858.282689][ T3993] ? lockdep_hardirqs_on+0x7c/0x110
[ 858.282693][ T3993] do_syscall_64+0xc1/0x380
[ 858.282698][ T3993] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 858.282702][ T3993] RIP: 0033:0x7f5c6bb8ed3b
[ 858.282706][ T3993] Code: c3 66 0f 1f 44 00 00 48 8b 15 b9 90 0e 00 f7 d8 64 89 02 b8 ff ff ff ff eb bc 0f 1f 44 00 00 f3 0f 1e fa b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 90 0e 00 f7 d8 64 89 01 48
[ 858.282709][ T3993] RSP: 002b:00007ffdb63426c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000031
[ 858.282713][ T3993] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c6bb8ed3b
[ 858.282716][ T3993] RDX: 0000000000000010 RSI: 00007ffdb63426e0 RDI: 0000000000000003
[ 858.282718][ T3993] RBP: 0000000000000003 R08: 0000000000000004 R09: 0000000000000000
[ 858.282720][ T3993] R10: 00007f5c6ba8fd68 R11: 0000000000000202 R12: 0000000000000000
[ 858.282721][ T3993] R13: 00007f5c6ba6c000 R14: 00007ffdb6342858 R15: 0000000000000003
[ 858.282728][ T3993]
[ 858.282729][ T3993]
[ 858.288879][ T3993] Allocated by task 3991:
[ 858.288999][ T3993] kasan_save_stack+0x24/0x50
[ 858.289162][ T3993] kasan_save_track+0x14/0x30
[ 858.289323][ T3993] __kasan_kmalloc+0x7f/0x90
[ 858.289484][ T3993] __kmalloc_noprof+0x1d4/0x470
[ 858.289646][ T3993] fbnic_alloc_napi_vector+0xfd/0x1470
[ 858.289809][ T3993] fbnic_alloc_napi_vectors+0x18c/0x260
[ 858.289969][ T3993] __fbnic_open+0x44/0x180
[ 858.290130][ T3993] fbnic_open+0x4b/0x80
[ 858.290254][ T3993] __dev_open+0x22b/0x680
[ 858.290385][ T3993] __dev_change_flags+0x467/0x6c0
[ 858.290546][ T3993] netif_change_flags+0x80/0x160
[ 858.290706][ T3993] do_setlink.constprop.0+0x98a/0x2650
[ 858.290866][ T3993] rtnl_newlink+0x69a/0xa60
[ 858.291030][ T3993] rtnetlink_rcv_msg+0x710/0xc00
[ 858.291191][ T3993] netlink_rcv_skb+0x124/0x350
[ 858.291352][ T3993] netlink_unicast+0x4b3/0x790
[ 858.291512][ T3993] netlink_sendmsg+0x721/0xbe0
[ 858.291676][ T3993] ____sys_sendmsg+0x7aa/0xa10
[ 858.291836][ T3993] ___sys_sendmsg+0xed/0x170
[ 858.291998][ T3993] __sys_sendmsg+0x10b/0x1a0
[ 858.292160][ T3993] do_syscall_64+0xc1/0x380
[ 858.292320][ T3993] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 858.292518][ T3993]
[ 858.292603][ T3993] Freed by task 3991:
[ 858.292727][ T3993] kasan_save_stack+0x24/0x50
[ 858.292890][ T3993] kasan_save_track+0x14/0x30
[ 858.293049][ T3993] kasan_save_free_info+0x3b/0x60
[ 858.293208][ T3993] __kasan_slab_free+0x38/0x50
[ 858.293370][ T3993] kfree+0x144/0x320
[ 858.293490][ T3993] fbnic_free_napi_vectors+0x482/0x5f0
[ 858.293651][ T3993] __fbnic_open+0x88/0x180
[ 858.293810][ T3993] fbnic_open+0x4b/0x80
[ 858.293930][ T3993] __dev_open+0x22b/0x680
[ 858.294055][ T3993] __dev_change_flags+0x467/0x6c0
[ 858.294215][ T3993] netif_change_flags+0x80/0x160
[ 858.294377][ T3993] do_setlink.constprop.0+0x98a/0x2650
[ 858.294537][ T3993] rtnl_newlink+0x69a/0xa60
[ 858.294699][ T3993] rtnetlink_rcv_msg+0x710/0xc00
[ 858.294858][ T3993] netlink_rcv_skb+0x124/0x350
[ 858.295017][ T3993] netlink_unicast+0x4b3/0x790
[ 858.295175][ T3993] netlink_sendmsg+0x721/0xbe0
[ 858.295335][ T3993] ____sys_sendmsg+0x7aa/0xa10
[ 858.295498][ T3993] ___sys_sendmsg+0xed/0x170
[ 858.295658][ T3993] __sys_sendmsg+0x10b/0x1a0
[ 858.295820][ T3993] do_syscall_64+0xc1/0x380
[ 858.295980][ T3993] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 858.296175][ T3993]
[ 858.296256][ T3993] The buggy address belongs to the object at ffff888006b2d000
[ 858.296256][ T3993]  which belongs to the cache kmalloc-2k of size 2048
[ 858.296654][ T3993] The buggy address is located 380 bytes inside of
[ 858.296654][ T3993]  freed 2048-byte region [ffff888006b2d000, ffff888006b2d800)
[ 858.297033][ T3993]
[ 858.297119][ T3993] The buggy address belongs to the physical page:
[ 858.297313][ T3993] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6b28
[ 858.297601][ T3993] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 858.297844][ T3993] flags: 0x80000000000040(head|node=0|zone=1)
[ 858.298050][ T3993] page_type: f5(slab)
[ 858.298175][ T3993] raw: 0080000000000040 ffff888001043240 ffffea0000201610 ffffea000081d210
[ 858.298466][ T3993] raw: 0000000000000000 0000000000050005 00000000f5000000 0000000000000000
[ 858.298758][ T3993] head: 0080000000000040 ffff888001043240 ffffea0000201610 ffffea000081d210
[ 858.299046][ T3993] head: 0000000000000000 0000000000050005 00000000f5000000 0000000000000000
[ 858.299330][ T3993] head: 0080000000000003 ffffea00001aca01 00000000ffffffff 00000000ffffffff
[ 858.299611][ T3993] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 858.299897][ T3993] page dumped because: kasan: bad access detected
[ 858.300094][ T3993]
[ 858.300175][ T3993] Memory state around the buggy address:
[ 858.300329][ T3993]  ffff888006b2d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 858.300560][ T3993]  ffff888006b2d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 858.300793][ T3993] >ffff888006b2d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 858.301022][ T3993]                                                                 ^
[ 858.301247][ T3993]  ffff888006b2d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 858.301476][ T3993]  ffff888006b2d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 858.301709][ T3993] ==================================================================
[ 858.301975][ T3993] Disabling lock debugging due to kernel taint