[   17.428976][  T294] ==================================================================
[   17.429246][  T294] BUG: KASAN: slab-use-after-free in account_kernel_stack.isra.0+0xf9/0x140
[   17.429528][  T294] Read of size 8 at addr ffff888001932740 by task ip/294
[   17.429730][  T294]
[   17.429816][  T294] CPU: 0 UID: 0 PID: 294 Comm: ip Not tainted 6.16.0-rc2-virtme #1 PREEMPT(full)
[   17.429821][  T294] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   17.429823][  T294] Call Trace:
[   17.429825][  T294]  <TASK>
[   17.429827][  T294]  dump_stack_lvl+0x82/0xd0
[   17.429834][  T294]  print_address_description.constprop.0+0x2c/0x400
[   17.429841][  T294]  ? account_kernel_stack.isra.0+0xf9/0x140
[   17.429844][  T294]  print_report+0xb4/0x270
[   17.429848][  T294]  ? account_kernel_stack.isra.0+0xf9/0x140
[   17.429851][  T294]  ? kasan_addr_to_slab+0x25/0x80
[   17.429854][  T294]  ? account_kernel_stack.isra.0+0xf9/0x140
[   17.429857][  T294]  kasan_report+0xca/0x100
[   17.429861][  T294]  ? account_kernel_stack.isra.0+0xf9/0x140
[   17.429866][  T294]  account_kernel_stack.isra.0+0xf9/0x140
[   17.429870][  T294]  do_exit+0x767/0xe90
[   17.429874][  T294]  ? __pfx_do_exit+0x10/0x10
[   17.429877][  T294]  ? do_group_exit+0x183/0x260
[   17.429880][  T294]  ? __lock_release+0x5d/0x170
[   17.429885][  T294]  ? rcu_is_watching+0x12/0xc0
[   17.429891][  T294]  do_group_exit+0xb8/0x260
[   17.429895][  T294]  __x64_sys_exit_group+0x3e/0x50
[   17.429898][  T294]  x64_sys_call+0xf76/0x18a0
[   17.429902][  T294]  do_syscall_64+0xc1/0x380
[   17.429907][  T294]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   17.429910][  T294] RIP: 0033:0x7f7ac9bcaabd
[   17.429914][  T294] Code: Unable to access opcode bytes at 0x7f7ac9bcaa93.
[   17.429916][  T294] RSP: 002b:00007fffe7d54548 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   17.429919][  T294] RAX: ffffffffffffffda RBX: 00007f7ac9ca79c0 RCX: 00007f7ac9bcaabd
[   17.429922][  T294] RDX: 00000000000000e7 RSI: fffffffffffffe90 RDI: 0000000000000000
[   17.429923][  T294] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000060
[   17.429925][  T294] R10: 00007fffe7d54370 R11: 0000000000000246 R12: 00007f7ac9ca79c0
[   17.429927][  T294] R13: 00007f7ac9cacee0 R14: 0000000000000001 R15: 00007f7ac9cacec8
[   17.429933][  T294]  </TASK>
[   17.429934][  T294]
[   17.436041][  T294] Allocated by task 237:
[   17.436170][  T294]  kasan_save_stack+0x24/0x50
[   17.436343][  T294]  kasan_save_track+0x14/0x30
[   17.436512][  T294]  __kasan_kmalloc+0x7f/0x90
[   17.436681][  T294]  __get_vm_area_node+0xbe/0x2d0
[   17.436850][  T294]  __vmalloc_node_range_noprof+0x207/0x490
[   17.437056][  T294]  __vmalloc_node_noprof+0x8e/0x100
[   17.437228][  T294]  dup_task_struct+0x5ff/0x7f0
[   17.437402][  T294]  copy_process+0x355/0x5210
[   17.437570][  T294]  kernel_clone+0xc1/0x510
[   17.437735][  T294]  __do_sys_clone+0xb5/0x100
[   17.437900][  T294]  do_syscall_64+0xc1/0x380
[   17.438068][  T294]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   17.438275][  T294]
[   17.438361][  T294] Freed by task 295:
[   17.438486][  T294]  kasan_save_stack+0x24/0x50
[   17.438655][  T294]  kasan_save_track+0x14/0x30
[   17.438824][  T294]  kasan_save_free_info+0x3b/0x60
[   17.438994][  T294]  __kasan_slab_free+0x38/0x50
[   17.439164][  T294]  kfree+0x144/0x320
[   17.439293][  T294]  krealloc_noprof+0xd4/0x320
[   17.439463][  T294]  emit_its_trampoline+0xa5/0x300
[   17.439630][  T294]  apply_retpolines+0xcf/0x550
[   17.439799][  T294]  module_finalize+0x3d5/0x9d0
[   17.439969][  T294]  load_module+0x139a/0x2660
[   17.440139][  T294]  init_module_from_file+0xe9/0x150
[   17.440308][  T294]  idempotent_init_module+0x335/0x620
[   17.440476][  T294]  __x64_sys_finit_module+0xca/0x150
[   17.440642][  T294]  do_syscall_64+0xc1/0x380
[   17.440810][  T294]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   17.441015][  T294]
[   17.441099][  T294] The buggy address belongs to the object at ffff888001932720
[   17.441099][  T294]  which belongs to the cache kmalloc-96 of size 96
[   17.441530][  T294] The buggy address is located 32 bytes inside of
[   17.441530][  T294]  freed 96-byte region [ffff888001932720, ffff888001932780)
[   17.441945][  T294]
[   17.442028][  T294] The buggy address belongs to the physical page:
[   17.442233][  T294] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1932
[   17.442537][  T294] flags: 0x80000000000000(node=0|zone=1)
[   17.442716][  T294] page_type: f5(slab)
[   17.442848][  T294] raw: 0080000000000000 ffff888001042340 ffffea000012dd90 ffffea000022b690
[   17.443146][  T294] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   17.443442][  T294] page dumped because: kasan: bad access detected
[   17.443643][  T294]
[   17.443726][  T294] Memory state around the buggy address:
[   17.443891][  T294]  ffff888001932600: fc fc fc fc 00 00 00 00 00 00 00 00 00 fc fc fc
[   17.444136][  T294]  ffff888001932680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.444377][  T294] >ffff888001932700: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
[   17.444619][  T294]                                ^
[   17.444824][  T294]  ffff888001932780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.445068][  T294]  ffff888001932800: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 fc
[   17.445303][  T294] ==================================================================
[   17.445581][  T294] Disabling lock debugging due to kernel taint
[   27.256136][    C0] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   27.256441][    C0] #PF: supervisor instruction fetch in kernel mode
[   27.256608][    C0] #PF: error_code(0x0010) - not-present page
[   27.256738][  T387] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[   28.317481][  T387] Shutting down cpus with NMI
[   28.318201][  T387] Kernel Offset: 0xb200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   28.318628][  T387] ---[ end Kernel panic - not syncing: corrupted stack end detected inside scheduler ]---