====================================== | # 134.87 [+0.00] [ 9.896271] ip (168) used greatest stack depth: 23728 bytes left | # 134.88 [+0.00] [ 28.320133] GACT probability NOT on | # 134.88 [+0.00] [ 33.056197] Mirror/redirect action on | # 134.88 [+0.00] [ 143.173120] irq 51: nobody cared (try booting with the "irqpoll" option) # 134.89 [+0.00] [ 143.173884] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 # 134.89 [+0.00] [ 143.173886] Call Trace: # 134.89 [+0.00] [ 143.173890] # 134.89 [+0.00] [ 143.173893] dump_stack_lvl (lib/dump_stack.c:123) # 134.89 [+0.00] [ 143.173932] __report_bad_irq (kernel/irq/spurious.c:170) # 134.89 [+0.00] [ 143.173950] note_interrupt (kernel/irq/spurious.c:372) # 134.89 [+0.00] [ 143.173958] handle_irq_event (kernel/irq/handle.c:245 kernel/irq/handle.c:257) # 134.90 [+0.00] [ 143.173964] handle_edge_irq (kernel/irq/chip.c:857) # 134.90 [+0.00] [ 143.173976] __common_interrupt (./include/asm-generic/irq_regs.h:28 arch/x86/kernel/irq.c:328) # 134.90 [+0.00] [ 143.173994] common_interrupt (arch/x86/kernel/irq.c:318 (discriminator 14)) # 134.90 [+0.00] [ 143.174000] # 134.90 [+0.00] [ 143.174001] # 134.90 [+0.00] [ 143.174005] asm_common_interrupt (./arch/x86/include/asm/idtentry.h:688) # 134.90 [+0.00] [ 143.174014] RIP: 0010:_raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) # 134.91 [+0.00] [ 143.174030] Code: 74 24 10 e8 51 2a ff fd 48 89 ef e8 79 79 ff fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 0a b2 f3 fd 65 8b 05 b3 8b 07 02 85 c0 74 0a 5b 5d c3 e8 87 3e All code ======== 0: 74 24 je 0x26 2: 10 e8 adc %ch,%al 4: 51 push %rcx 5: 2a ff sub %bh,%bh 7: fd std 8: 48 89 ef mov %rbp,%rdi b: e8 79 79 ff fd call 0xfffffffffdff7989 10: 81 e3 00 02 00 00 and $0x200,%ebx 16: 75 25 jne 0x3d 18: 9c pushf 19: 58 pop %rax 1a: f6 c4 02 test $0x2,%ah 1d: 75 2d jne 0x4c 1f: 48 85 db test %rbx,%rbx 22: 74 01 je 0x25 24: fb sti 25: bf 01 00 00 00 mov $0x1,%edi 2a:* e8 0a b2 f3 fd call 0xfffffffffdf3b239 <-- trapping instruction 2f: 65 8b 05 b3 8b 07 02 mov %gs:0x2078bb3(%rip),%eax # 0x2078be9 36: 85 c0 test %eax,%eax 38: 74 0a je 0x44 3a: 5b pop %rbx 3b: 5d pop %rbp 3c: c3 ret 3d: e8 .byte 0xe8 3e: 87 3e xchg %edi,(%rsi) Code starting with the faulting instruction =========================================== 0: e8 0a b2 f3 fd call 0xfffffffffdf3b20f 5: 65 8b 05 b3 8b 07 02 mov %gs:0x2078bb3(%rip),%eax # 0x2078bbf c: 85 c0 test %eax,%eax e: 74 0a je 0x1a 10: 5b pop %rbx 11: 5d pop %rbp 12: c3 ret 13: e8 .byte 0xe8 14: 87 3e xchg %edi,(%rsi) # 134.91 [+0.01] [ 143.174035] RSP: 0018:ffffc90000ab7a88 EFLAGS: 00000206 # 134.91 [+0.00] [ 143.174040] RAX: 0000000000000006 RBX: 0000000000000200 RCX: 0000000000000040 # 134.92 [+0.00] [ 143.174042] RDX: 0000000000000000 RSI: ffffffff87b86a11 RDI: 0000000000000001 # 134.92 [+0.00] [ 143.174044] RBP: ffffffff8a46e560 R08: 0000000000000001 R09: 0000000000000001 # 134.92 [+0.00] [ 143.174046] R10: ffffffff88a24157 R11: ffff8880058a8970 R12: 00000000ffffffff # 134.92 [+0.00] [ 143.174047] R13: 0000000000000001 R14: ffffffff8a46e668 R15: 00000000ffffffff # 134.93 [+0.00] [ 143.174065] uart_write (drivers/tty/serial/serial_core.c:74 drivers/tty/serial/serial_core.c:92 drivers/tty/serial/serial_core.c:88 drivers/tty/serial/serial_core.c:634) # 134.93 [+0.00] [ 143.174082] process_output_block (drivers/tty/n_tty.c:561) # 134.93 [+0.00] [ 143.174095] ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194) # 134.93 [+0.00] [ 143.174102] n_tty_write (drivers/tty/n_tty.c:2378) # 134.93 [+0.00] [ 143.174105] ? _copy_from_iter (./arch/x86/include/asm/uaccess_64.h:126 ./arch/x86/include/asm/uaccess_64.h:141 lib/iov_iter.c:55 ./include/linux/iov_iter.h:30 ./include/linux/iov_iter.h:302 ./include/linux/iov_iter.h:330 lib/iov_iter.c:249 lib/iov_iter.c:260) # 134.93 [+0.00] [ 143.174122] ? n_tty_receive_signal_char (drivers/tty/n_tty.c:2348) # 134.94 [+0.00] [ 143.174129] ? __init_waitqueue_head (kernel/sched/wait.c:458) # 134.94 [+0.00] [ 143.174139] ? lock_acquire (./include/trace/events/lock.h:24 kernel/locking/lockdep.c:5831) # 134.94 [+0.00] [ 143.174145] ? iterate_tty_write (drivers/tty/tty_io.c:939 drivers/tty/tty_io.c:958) # 134.94 [+0.00] [ 143.174156] iterate_tty_write (drivers/tty/tty_io.c:1007) # 134.95 [+0.01] [ 143.174162] ? tty_ldisc_ref_wait (drivers/tty/tty_ldisc.c:244) # 134.95 [+0.00] [ 143.174170] file_tty_write.constprop.0 (drivers/tty/tty_io.c:1081) # 134.95 [+0.00] [ 143.174177] vfs_write (fs/read_write.c:594 fs/read_write.c:686) # 134.96 [+0.00] [ 143.174189] ? find_held_lock (kernel/locking/lockdep.c:5350) # 134.96 [+0.00] [ 143.174193] ? kernel_write (fs/read_write.c:667) # 134.96 [+0.00] [ 143.174201] ? clockevents_program_event (kernel/time/clockevents.c:326) # 134.96 [+0.00] [ 143.174219] ? clockevents_program_event (kernel/time/clockevents.c:336 (discriminator 3)) # 134.96 [+0.00] [ 143.174227] ksys_write (fs/read_write.c:738) # 134.96 [+0.00] [ 143.174232] ? __ia32_sys_read (fs/read_write.c:728) # 134.97 [+0.00] [ 143.174243] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) # 134.97 [+0.00] [ 143.174249] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) # 134.97 [+0.00] [ 143.174252] RIP: 0033:0x7f499173f257 # 134.97 [+0.00] [ 143.174259] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 All code ======== 0: 0f 00 (bad) 2: f7 d8 neg %eax 4: 64 89 02 mov %eax,%fs:(%rdx) 7: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax e: eb b7 jmp 0xffffffffffffffc7 10: 0f 1f 00 nopl (%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 ret 33: 48 83 ec 28 sub $0x28,%rsp 37: 48 89 54 24 18 mov %rdx,0x18(%rsp) 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 74 24 je 0x64 Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 ret 9: 48 83 ec 28 sub $0x28,%rsp d: 48 89 54 24 18 mov %rdx,0x18(%rsp) 12: 48 rex.W 13: 89 .byte 0x89 14: 74 24 je 0x3a # 134.98 [+0.01] [ 143.174261] RSP: 002b:00007ffec4a634a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 # 134.98 [+0.00] [ 143.174265] RAX: ffffffffffffffda RBX: 000056269b9152e0 RCX: 00007f499173f257 # 134.98 [+0.00] [ 143.174267] RDX: 0000000000000001 RSI: 000056269b9152e0 RDI: 0000000000000001 # 134.98 [+0.00] [ 143.174268] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000002000 # 134.99 [+0.00] [ 143.174270] R10: 0000000000000001 R11: 0000000000000246 R12: 000056269b900600 # 134.99 [+0.00] [ 143.174271] R13: 000056269b8e12a0 R14: 0000000000000001 R15: 000056269b900600 | 0 | xx__-> [ 28.320133][ T347] GACT probability NOT on | [ 33.056197][ T418] Mirror/redirect action on | [ 143.173120][ C0] irq 51: nobody cared (try booting with the "irqpoll" option) [ 143.173884][ C0] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 143.173886][ C0] Call Trace: [ 143.173890][ C0] [ 143.173893][ C0] dump_stack_lvl (lib/dump_stack.c:123) [ 143.173932][ C0] __report_bad_irq (kernel/irq/spurious.c:170) [ 143.173950][ C0] note_interrupt (kernel/irq/spurious.c:372) [ 143.173958][ C0] handle_irq_event (kernel/irq/handle.c:245 kernel/irq/handle.c:257) [ 143.173964][ C0] handle_edge_irq (kernel/irq/chip.c:857) [ 143.173976][ C0] __common_interrupt (./include/asm-generic/irq_regs.h:28 arch/x86/kernel/irq.c:328) [ 143.173994][ C0] common_interrupt (arch/x86/kernel/irq.c:318 (discriminator 14)) [ 143.174000][ C0] [ 143.174001][ C0] [ 143.174005][ C0] asm_common_interrupt (./arch/x86/include/asm/idtentry.h:688) [ 143.174014][ C0] RIP: 0010:_raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) [ 143.174030][ C0] Code: 74 24 10 e8 51 2a ff fd 48 89 ef e8 79 79 ff fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 0a b2 f3 fd 65 8b 05 b3 8b 07 02 85 c0 74 0a 5b 5d c3 e8 87 3e All code ======== 0: 74 24 je 0x26 2: 10 e8 adc %ch,%al 4: 51 push %rcx 5: 2a ff sub %bh,%bh 7: fd std 8: 48 89 ef mov %rbp,%rdi b: e8 79 79 ff fd call 0xfffffffffdff7989 10: 81 e3 00 02 00 00 and $0x200,%ebx 16: 75 25 jne 0x3d 18: 9c pushf 19: 58 pop %rax 1a: f6 c4 02 test $0x2,%ah 1d: 75 2d jne 0x4c 1f: 48 85 db test %rbx,%rbx 22: 74 01 je 0x25 24: fb sti 25: bf 01 00 00 00 mov $0x1,%edi 2a:* e8 0a b2 f3 fd call 0xfffffffffdf3b239 <-- trapping instruction 2f: 65 8b 05 b3 8b 07 02 mov %gs:0x2078bb3(%rip),%eax # 0x2078be9 36: 85 c0 test %eax,%eax 38: 74 0a je 0x44 3a: 5b pop %rbx 3b: 5d pop %rbp 3c: c3 ret 3d: e8 .byte 0xe8 3e: 87 3e xchg %edi,(%rsi) Code starting with the faulting instruction =========================================== 0: e8 0a b2 f3 fd call 0xfffffffffdf3b20f 5: 65 8b 05 b3 8b 07 02 mov %gs:0x2078bb3(%rip),%eax # 0x2078bbf c: 85 c0 test %eax,%eax e: 74 0a je 0x1a 10: 5b pop %rbx 11: 5d pop %rbp 12: c3 ret 13: e8 .byte 0xe8 14: 87 3e xchg %edi,(%rsi) [ 143.174035][ C0] RSP: 0018:ffffc90000ab7a88 EFLAGS: 00000206 [ 143.174040][ C0] RAX: 0000000000000006 RBX: 0000000000000200 RCX: 0000000000000040 [ 143.174042][ C0] RDX: 0000000000000000 RSI: ffffffff87b86a11 RDI: 0000000000000001 [ 143.174044][ C0] RBP: ffffffff8a46e560 R08: 0000000000000001 R09: 0000000000000001 [ 143.174046][ C0] R10: ffffffff88a24157 R11: ffff8880058a8970 R12: 00000000ffffffff [ 143.174047][ C0] R13: 0000000000000001 R14: ffffffff8a46e668 R15: 00000000ffffffff [ 143.174065][ C0] uart_write (drivers/tty/serial/serial_core.c:74 drivers/tty/serial/serial_core.c:92 drivers/tty/serial/serial_core.c:88 drivers/tty/serial/serial_core.c:634) [ 143.174082][ C0] process_output_block (drivers/tty/n_tty.c:561) [ 143.174095][ C0] ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194) [ 143.174102][ C0] n_tty_write (drivers/tty/n_tty.c:2378) [ 143.174105][ C0] ? _copy_from_iter (./arch/x86/include/asm/uaccess_64.h:126 ./arch/x86/include/asm/uaccess_64.h:141 lib/iov_iter.c:55 ./include/linux/iov_iter.h:30 ./include/linux/iov_iter.h:302 ./include/linux/iov_iter.h:330 lib/iov_iter.c:249 lib/iov_iter.c:260) [ 143.174122][ C0] ? n_tty_receive_signal_char (drivers/tty/n_tty.c:2348) [ 143.174129][ C0] ? __init_waitqueue_head (kernel/sched/wait.c:458) [ 143.174139][ C0] ? lock_acquire (./include/trace/events/lock.h:24 kernel/locking/lockdep.c:5831) [ 143.174145][ C0] ? iterate_tty_write (drivers/tty/tty_io.c:939 drivers/tty/tty_io.c:958) [ 143.174156][ C0] iterate_tty_write (drivers/tty/tty_io.c:1007) [ 143.174162][ C0] ? tty_ldisc_ref_wait (drivers/tty/tty_ldisc.c:244) [ 143.174170][ C0] file_tty_write.constprop.0 (drivers/tty/tty_io.c:1081) [ 143.174177][ C0] vfs_write (fs/read_write.c:594 fs/read_write.c:686) [ 143.174189][ C0] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 143.174193][ C0] ? kernel_write (fs/read_write.c:667) [ 143.174201][ C0] ? clockevents_program_event (kernel/time/clockevents.c:326) [ 143.174219][ C0] ? clockevents_program_event (kernel/time/clockevents.c:336 (discriminator 3)) [ 143.174227][ C0] ksys_write (fs/read_write.c:738) [ 143.174232][ C0] ? __ia32_sys_read (fs/read_write.c:728) [ 143.174243][ C0] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) [ 143.174249][ C0] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 143.174252][ C0] RIP: 0033:0x7f499173f257 [ 143.174259][ C0] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 All code ======== 0: 0f 00 (bad) 2: f7 d8 neg %eax 4: 64 89 02 mov %eax,%fs:(%rdx) 7: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax e: eb b7 jmp 0xffffffffffffffc7 10: 0f 1f 00 nopl (%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 ret 33: 48 83 ec 28 sub $0x28,%rsp 37: 48 89 54 24 18 mov %rdx,0x18(%rsp) 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 74 24 je 0x64 Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 ret 9: 48 83 ec 28 sub $0x28,%rsp d: 48 89 54 24 18 mov %rdx,0x18(%rsp) 12: 48 rex.W 13: 89 .byte 0x89 14: 74 24 je 0x3a [ 143.174261][ C0] RSP: 002b:00007ffec4a634a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 143.174265][ C0] RAX: ffffffffffffffda RBX: 000056269b9152e0 RCX: 00007f499173f257 [ 143.174267][ C0] RDX: 0000000000000001 RSI: 000056269b9152e0 RDI: 0000000000000001 [ 143.174268][ C0] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000002000 [ 143.174270][ C0] R10: 0000000000000001 R11: 0000000000000246 R12: 000056269b900600 [ 143.174271][ C0] R13: 000056269b8e12a0 R14: 0000000000000001 R15: 000056269b900600 | [ 148.514990][ T694] ================================================================== | [ 148.515325][ T694] BUG: KASAN: slab-use-after-free in kobject_put (lib/kobject.c:733) | [ 148.515614][ T694] Read of size 1 at addr ffff88800bbfc6ac by task ip/694 | [ 148.515854][ T694] [ 148.515977][ T694] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 148.515979][ T694] Call Trace: [ 148.515981][ T694] [ 148.515983][ T694] dump_stack_lvl (lib/dump_stack.c:123) [ 148.515991][ T694] print_address_description.constprop.0 (mm/kasan/report.c:379) [ 148.516002][ T694] ? kobject_put (lib/kobject.c:733) [ 148.516006][ T694] print_report (mm/kasan/report.c:483) [ 148.516009][ T694] ? kobject_put (lib/kobject.c:733) [ 148.516012][ T694] ? kasan_addr_to_slab (./include/linux/mm.h:1245 mm/kasan/../slab.h:191 mm/kasan/common.c:47) [ 148.516015][ T694] ? kobject_put (lib/kobject.c:733) [ 148.516018][ T694] kasan_report (mm/kasan/report.c:597) [ 148.516022][ T694] ? kobject_put (lib/kobject.c:733) [ 148.516027][ T694] kobject_put (lib/kobject.c:733) [ 148.516031][ T694] netdev_run_todo (./include/linux/list.h:381 net/core/dev.c:11670) [ 148.516040][ T694] ? dev_ingress_queue_create (net/core/dev.c:12299) [ 148.516043][ T694] ? generic_xdp_install (net/core/dev.c:11630) [ 148.516048][ T694] ? vrf_dellink (drivers/net/vrf.c:1667) vrf [ 148.516055][ T694] ? vrf_map_unregister_dev (drivers/net/vrf.c:1667) vrf [ 148.516060][ T694] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 148.516069][ T694] rtnl_dellink (net/core/rtnetlink.c:3580) [ 148.516075][ T694] ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536) [ 148.516094][ T694] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 148.516098][ T694] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 148.516105][ T694] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 148.516108][ T694] ? rtnetlink_rcv_msg (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/core/rtnetlink.c:6956) [ 148.516111][ T694] ? __lock_release (kernel/locking/lockdep.c:5536) [ 148.516116][ T694] ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536) [ 148.516119][ T694] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 148.516122][ T694] ? rtnl_port_fill (net/core/rtnetlink.c:6861) [ 148.516125][ T694] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 148.516134][ T694] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 148.516140][ T694] ? rtnl_port_fill (net/core/rtnetlink.c:6861) [ 148.516144][ T694] ? netlink_ack (net/netlink/af_netlink.c:2527) [ 148.516150][ T694] ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/netlink/af_netlink.c:340) [ 148.516153][ T694] ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 ./include/net/netns/generic.h:48 net/netlink/af_netlink.c:333) [ 148.516157][ T694] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 148.516162][ T694] ? netlink_attachskb (net/netlink/af_netlink.c:1329) [ 148.516165][ T694] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 148.516171][ T694] netlink_sendmsg (net/netlink/af_netlink.c:1894) [ 148.516175][ T694] ? netlink_unicast (net/netlink/af_netlink.c:1813) [ 148.516179][ T694] ? __import_iovec (lib/iov_iter.c:1346 lib/iov_iter.c:1361) [ 148.516187][ T694] ? netlink_unicast (net/netlink/af_netlink.c:1813) [ 148.516190][ T694] ____sys_sendmsg (net/socket.c:727 net/socket.c:742 net/socket.c:2630) [ 148.516202][ T694] ? get_timestamp.constprop.0 (net/socket.c:2576) [ 148.516205][ T694] ? __copy_msghdr (net/socket.c:2556) [ 148.516214][ T694] ___sys_sendmsg (net/socket.c:2686) [ 148.516217][ T694] ? kasan_record_aux_stack (mm/kasan/generic.c:559) [ 148.516220][ T694] ? __call_rcu_common.constprop.0 (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:127 kernel/rcu/tree.c:3125) [ 148.516230][ T694] ? copy_msghdr_from_user (net/socket.c:2673) [ 148.516235][ T694] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 148.516240][ T694] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 148.516246][ T694] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 148.516249][ T694] ? __virt_addr_valid (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:979 ./include/linux/mmzone.h:2197 arch/x86/mm/physaddr.c:65) [ 148.516260][ T694] ? __lock_release (kernel/locking/lockdep.c:5536) [ 148.516267][ T694] __sys_sendmsg (net/socket.c:2716) [ 148.516270][ T694] ? __call_rcu_common.constprop.0 (kernel/rcu/tree.c:3148) [ 148.516274][ T694] ? __sys_sendmsg_sock (net/socket.c:2701) [ 148.516281][ T694] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) [ 148.516285][ T694] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) [ 148.516291][ T694] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 148.516295][ T694] RIP: 0033:0x7efda6d621d7 [ 148.516299][ T694] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 All code ======== 0: 0e (bad) 1: 00 f7 add %dh,%bh 3: d8 64 89 02 fsubs 0x2(%rcx,%rcx,4) 7: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax e: eb b9 jmp 0xffffffffffffffc9 10: 0f 1f 00 nopl (%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 2e 00 00 00 mov $0x2e,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 ret 33: 48 83 ec 28 sub $0x28,%rsp 37: 89 54 24 1c mov %edx,0x1c(%rsp) 3b: 48 89 74 24 10 mov %rsi,0x10(%rsp) Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 ret 9: 48 83 ec 28 sub $0x28,%rsp d: 89 54 24 1c mov %edx,0x1c(%rsp) 11: 48 89 74 24 10 mov %rsi,0x10(%rsp) [ 148.516302][ T694] RSP: 002b:00007fff11e6b278 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 148.516307][ T694] RAX: ffffffffffffffda RBX: 00007fff11e6b9a0 RCX: 00007efda6d621d7 [ 148.516309][ T694] RDX: 0000000000000000 RSI: 00007fff11e6b2e0 RDI: 0000000000000005 [ 148.516310][ T694] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078 [ 148.516312][ T694] R10: 00007efda6c5ef60 R11: 0000000000000246 R12: 0000000000000002 [ 148.516314][ T694] R13: 00000000690df584 R14: 0000000000499600 R15: 0000000000000000 | [ 148.549689][ T694] refcount_t: underflow; use-after-free. | [ 148.550136][ T694] WARNING: CPU: 2 PID: 694 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) | [ 148.550648][ T694] Modules linked in: act_vlan act_skbedit act_ct nf_flow_table nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 cls_matchall act_mirred act_gact cls_flower sch_ingress vrf veth | [ 148.552256][ T694] Tainted: [B]=BAD_PAGE [ 148.552515][ T694] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 148.552946][ T694] RIP: 0010:refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) [ 148.553384][ T694] Code: 7d 93 02 80 fb 01 0f 87 bb 99 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 a8 7d 93 02 01 90 48 c7 c7 60 8d 65 87 e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff All code ======== 0: 7d 93 jge 0xffffffffffffff95 2: 02 80 fb 01 0f 87 add -0x78f0fe05(%rax),%al 8: bb 99 d9 fe 83 mov $0x83fed999,%ebx d: e3 01 jrcxz 0x10 f: 0f 85 51 ff ff ff jne 0xffffffffffffff66 15: c6 05 a8 7d 93 02 01 movb $0x1,0x2937da8(%rip) # 0x2937dc4 1c: 90 nop 1d: 48 c7 c7 60 8d 65 87 mov $0xffffffff87658d60,%rdi 24: e8 32 bf 18 ff call 0xffffffffff18bf5b 29: 90 nop 2a:* 0f 0b ud2 <-- trapping instruction 2c: 90 nop 2d: 90 nop 2e: e9 33 ff ff ff jmp 0xffffffffffffff66 33: 48 89 df mov %rbx,%rdi 36: e8 b0 63 a1 ff call 0xffffffffffa163eb 3b: e9 ba fe ff ff jmp 0xfffffffffffffefa Code starting with the faulting instruction =========================================== 0: 0f 0b ud2 2: 90 nop 3: 90 nop 4: e9 33 ff ff ff jmp 0xffffffffffffff3c 9: 48 89 df mov %rbx,%rdi c: e8 b0 63 a1 ff call 0xffffffffffa163c1 11: e9 ba fe ff ff jmp 0xfffffffffffffed0 [ 148.554457][ T694] RSP: 0018:ffffc900005771f0 EFLAGS: 00010286 [ 148.554821][ T694] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 148.555266][ T694] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001 [ 148.555738][ T694] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff0ffe134 [ 148.556215][ T694] R10: 0000000000000003 R11: ffffc90000576d80 R12: 0000000000000001 [ 148.556682][ T694] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100 [ 148.557170][ T694] FS: 00007efda6b94800(0000) GS:ffff8880acef2000(0000) knlGS:0000000000000000 [ 148.557712][ T694] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 148.558117][ T694] CR2: 0000561ead3bedec CR3: 000000000bc91001 CR4: 0000000000772ef0 [ 148.558596][ T694] PKRU: 55555554 [ 148.558842][ T694] Call Trace: [ 148.559108][ T694] [ 148.559309][ T694] netdev_run_todo (./include/linux/list.h:381 net/core/dev.c:11670) [ 148.559649][ T694] ? dev_ingress_queue_create (net/core/dev.c:12299) [ 148.559978][ T694] ? generic_xdp_install (net/core/dev.c:11630) [ 148.560297][ T694] ? vrf_dellink (drivers/net/vrf.c:1667) vrf [ 148.560635][ T694] ? vrf_map_unregister_dev (drivers/net/vrf.c:1667) vrf [ 148.561037][ T694] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 148.561377][ T694] rtnl_dellink (net/core/rtnetlink.c:3580) [ 148.561714][ T694] ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536) [ 148.562134][ T694] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 148.562474][ T694] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 148.562838][ T694] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 148.563157][ T694] ? rtnetlink_rcv_msg (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/core/rtnetlink.c:6956) [ 148.563464][ T694] ? __lock_release (kernel/locking/lockdep.c:5536) [ 148.563774][ T694] ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536) [ 148.564154][ T694] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 148.564439][ T694] ? rtnl_port_fill (net/core/rtnetlink.c:6861) [ 148.564740][ T694] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 148.565066][ T694] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 148.565378][ T694] ? rtnl_port_fill (net/core/rtnetlink.c:6861) [ 148.565685][ T694] ? netlink_ack (net/netlink/af_netlink.c:2527) [ 148.566025][ T694] ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/netlink/af_netlink.c:340) [ 148.566333][ T694] ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 ./include/net/netns/generic.h:48 net/netlink/af_netlink.c:333) [ 148.566651][ T694] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 148.566969][ T694] ? netlink_attachskb (net/netlink/af_netlink.c:1329) [ 148.567274][ T694] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 148.567593][ T694] netlink_sendmsg (net/netlink/af_netlink.c:1894) [ 148.567906][ T694] ? netlink_unicast (net/netlink/af_netlink.c:1813) [ 148.568220][ T694] ? __import_iovec (lib/iov_iter.c:1346 lib/iov_iter.c:1361) [ 148.568529][ T694] ? netlink_unicast (net/netlink/af_netlink.c:1813) [ 148.568841][ T694] ____sys_sendmsg (net/socket.c:727 net/socket.c:742 net/socket.c:2630) [ 148.569215][ T694] ? get_timestamp.constprop.0 (net/socket.c:2576) [ 148.569599][ T694] ? __copy_msghdr (net/socket.c:2556) [ 148.569943][ T694] ___sys_sendmsg (net/socket.c:2686) [ 148.570269][ T694] ? kasan_record_aux_stack (mm/kasan/generic.c:559) [ 148.570757][ T694] ? __call_rcu_common.constprop.0 (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:127 kernel/rcu/tree.c:3125) [ 148.571164][ T694] ? copy_msghdr_from_user (net/socket.c:2673) [ 148.571495][ T694] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 148.571818][ T694] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 148.572155][ T694] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 148.572670][ T694] ? __virt_addr_valid (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:979 ./include/linux/mmzone.h:2197 arch/x86/mm/physaddr.c:65) [ 148.573026][ T694] ? __lock_release (kernel/locking/lockdep.c:5536) [ 148.573344][ T694] __sys_sendmsg (net/socket.c:2716) [ 148.573664][ T694] ? __call_rcu_common.constprop.0 (kernel/rcu/tree.c:3148) [ 148.574069][ T694] ? __sys_sendmsg_sock (net/socket.c:2701) [ 148.574411][ T694] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) [ 148.574935][ T694] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) [ 148.575267][ T694] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 148.575658][ T694] RIP: 0033:0x7efda6d621d7 [ 148.576012][ T694] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 All code ======== 0: 0e (bad) 1: 00 f7 add %dh,%bh 3: d8 64 89 02 fsubs 0x2(%rcx,%rcx,4) 7: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax e: eb b9 jmp 0xffffffffffffffc9 10: 0f 1f 00 nopl (%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 2e 00 00 00 mov $0x2e,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 ret 33: 48 83 ec 28 sub $0x28,%rsp 37: 89 54 24 1c mov %edx,0x1c(%rsp) 3b: 48 89 74 24 10 mov %rsi,0x10(%rsp) Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 ret 9: 48 83 ec 28 sub $0x28,%rsp d: 89 54 24 1c mov %edx,0x1c(%rsp) 11: 48 89 74 24 10 mov %rsi,0x10(%rsp) [ 148.576693][ T694] RSP: 002b:00007fff11e6b278 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 148.577035][ T694] RAX: ffffffffffffffda RBX: 00007fff11e6b9a0 RCX: 00007efda6d621d7 [ 148.577329][ T694] RDX: 0000000000000000 RSI: 00007fff11e6b2e0 RDI: 0000000000000005 [ 148.577629][ T694] RBP: 0000000000000002 R08: 0000000000000003 R09: 0000000000000078 [ 148.577946][ T694] R10: 00007efda6c5ef60 R11: 0000000000000246 R12: 0000000000000002 Finger prints: __report_bad_irq:note_interrupt:handle_irq_event:handle_edge_irq:__common_interrupt print_report:kasan_report:kobject_put:netdev_run_todo:rtnl_dellink refcount_warn_saturate:netdev_run_todo:rtnl_dellink:rtnetlink_rcv_msg:netlink_rcv_skb