[ 44.096996][ T301] veth1: entered promiscuous mode
[ 44.540284][ T305] veth1: left promiscuous mode
[ 45.796699][ T312] ip (312) used greatest stack depth: 24232 bytes left
[ 48.507239][ T328] veth1: entered promiscuous mode
[ 64.697674][ T369] ==================================================================
[ 64.697903][ T369] BUG: KASAN: slab-use-after-free in ___neigh_create+0xd58/0xf30
[ 64.698106][ T369] Write of size 8 at addr ffff888006532818 by task ip/369
[ 64.698297][ T369]
[ 64.698370][ T369] CPU: 1 UID: 0 PID: 369 Comm: ip Not tainted 6.12.0-rc3-virtme #1
[ 64.698596][ T369] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 64.698884][ T369] Call Trace:
[ 64.698990][ T369]  <TASK>
[ 64.699068][ T369]  dump_stack_lvl+0x82/0xd0
[ 64.699240][ T369]  print_address_description.constprop.0+0x2c/0x3b0
[ 64.699477][ T369]  ? ___neigh_create+0xd58/0xf30
[ 64.699622][ T369]  print_report+0xb4/0x270
[ 64.699748][ T369]  ? kasan_addr_to_slab+0x25/0x80
[ 64.699876][ T369]  kasan_report+0xbd/0xf0
[ 64.699974][ T369]  ? ___neigh_create+0xd58/0xf30
[ 64.700104][ T369]  ___neigh_create+0xd58/0xf30
[ 64.700252][ T369]  neigh_add+0x8f8/0xdd0
[ 64.700349][ T369]  ? __pfx_neigh_add+0x10/0x10
[ 64.700480][ T369]  ? __mutex_lock+0x170/0xac0
[ 64.700624][ T369]  rtnetlink_rcv_msg+0x2fb/0xc10
[ 64.700758][ T369]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 64.700916][ T369]  ? hlock_class+0x4e/0x130
[ 64.701065][ T369]  ? mark_lock+0x38/0x3e0
[ 64.701169][ T369]  ? __lock_acquire+0xb3f/0x1580
[ 64.701316][ T369]  netlink_rcv_skb+0x130/0x360
[ 64.701452][ T369]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 64.701595][ T369]  ? __pfx_netlink_rcv_skb+0x10/0x10
[ 64.701746][ T369]  ? netlink_deliver_tap+0x13e/0x340
[ 64.701888][ T369]  ? netlink_deliver_tap+0xc3/0x340
[ 64.702026][ T369]  netlink_unicast+0x44b/0x710
[ 64.702168][ T369]  ? __pfx_netlink_unicast+0x10/0x10
[ 64.702319][ T369]  ? find_held_lock+0x2c/0x110
[ 64.702463][ T369]  netlink_sendmsg+0x723/0xbe0
[ 64.702608][ T369]  ? __pfx_netlink_sendmsg+0x10/0x10
[ 64.702749][ T369]  ? __might_fault+0xc3/0x170
[ 64.702898][ T369]  ? __import_iovec+0x35d/0x5d0
[ 64.703044][ T369]  ____sys_sendmsg+0x7ac/0xa10
[ 64.703198][ T369]  ? __pfx_____sys_sendmsg+0x10/0x10
[ 64.703340][ T369]  ? __pfx_copy_msghdr_from_user+0x10/0x10
[ 64.703523][ T369]  ___sys_sendmsg+0xee/0x170
[ 64.703668][ T369]  ? __pfx____sys_sendmsg+0x10/0x10
[ 64.703812][ T369]  ? ___sys_recvmsg+0xe0/0x150
[ 64.703952][ T369]  ? __pfx____sys_recvmsg+0x10/0x10
[ 64.704099][ T369]  ? reacquire_held_locks+0x22f/0x4f0
[ 64.704256][ T369]  ? do_user_addr_fault+0x8fd/0xe30
[ 64.704400][ T369]  ? fdget+0x52/0x1e0
[ 64.704511][ T369]  __sys_sendmsg+0xcd/0x170
[ 64.704651][ T369]  ? __pfx___sys_sendmsg+0x10/0x10
[ 64.704794][ T369]  ? __pfx___up_read+0x10/0x10
[ 64.704944][ T369]  do_syscall_64+0xc1/0x1d0
[ 64.705092][ T369]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.705293][ T369] RIP: 0033:0x7f7dc1fbc7b7
[ 64.705499][ T369] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 64.706004][ T369] RSP: 002b:00007ffdb2901e58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 64.706232][ T369] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dc1fbc7b7
[ 64.706461][ T369] RDX: 0000000000000000 RSI: 00007ffdb2901ec0 RDI: 0000000000000005
[ 64.706671][ T369] RBP: 0000000000000001 R08: 0000000000000014 R09: 0000000000000000
[ 64.706889][ T369] R10: 00007f7dc1e75708 R11: 0000000000000246 R12: 00007ffdb290396f
[ 64.707103][ T369] R13: 0000000067169a14 R14: 0000000000496600 R15: 00007ffdb29023e8
[ 64.707344][ T369]  </TASK>
[ 64.707486][ T369]
[ 64.707567][ T369] Allocated by task 362:
[ 64.707680][ T369]  kasan_save_stack+0x24/0x50
[ 64.707830][ T369]  kasan_save_track+0x14/0x30
[ 64.707971][ T369]  __kasan_kmalloc+0x7f/0x90
[ 64.708111][ T369]  __kmalloc_noprof+0x1ab/0x3a0
[ 64.708278][ T369]  neigh_alloc+0xc4/0x9d0
[ 64.708392][ T369]  ___neigh_create+0x6d/0xf30
[ 64.708533][ T369]  neigh_add+0x8f8/0xdd0
[ 64.708638][ T369]  rtnetlink_rcv_msg+0x2fb/0xc10
[ 64.708786][ T369]  netlink_rcv_skb+0x130/0x360
[ 64.708931][ T369]  netlink_unicast+0x44b/0x710
[ 64.709073][ T369]  netlink_sendmsg+0x723/0xbe0
[ 64.709228][ T369]  ____sys_sendmsg+0x7ac/0xa10
[ 64.709379][ T369]  ___sys_sendmsg+0xee/0x170
[ 64.709523][ T369]  __sys_sendmsg+0xcd/0x170
[ 64.709667][ T369]  do_syscall_64+0xc1/0x1d0
[ 64.709811][ T369]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.709986][ T369]
[ 64.710058][ T369] Freed by task 38:
[ 64.710171][ T369]  kasan_save_stack+0x24/0x50
[ 64.710338][ T369]  kasan_save_track+0x14/0x30
[ 64.710479][ T369]  kasan_save_free_info+0x3b/0x60
[ 64.710618][ T369]  __kasan_slab_free+0x38/0x50
[ 64.710760][ T369]  kmem_cache_free_bulk.part.0+0x1f2/0x5b0
[ 64.710937][ T369]  kvfree_rcu_bulk+0x4b9/0x5d0
[ 64.711080][ T369]  kvfree_rcu_drain_ready+0x2ab/0x860
[ 64.711230][ T369]  kfree_rcu_monitor+0x26/0xe0
[ 64.711384][ T369]  process_one_work+0xe55/0x16d0
[ 64.711530][ T369]  worker_thread+0x58c/0xce0
[ 64.711672][ T369]  kthread+0x28a/0x350
[ 64.711780][ T369]  ret_from_fork+0x31/0x70
[ 64.711926][ T369]  ret_from_fork_asm+0x1a/0x30
[ 64.712072][ T369]
[ 64.712144][ T369] Last potentially related work creation:
[ 64.712306][ T369]  kasan_save_stack+0x24/0x50
[ 64.712453][ T369]  __kasan_record_aux_stack+0x8e/0xa0
[ 64.712600][ T369]  kvfree_call_rcu+0x114/0x4b0
[ 64.712746][ T369]  neigh_remove_one+0x1a3/0x200
[ 64.712886][ T369]  neigh_delete+0x29f/0x490
[ 64.713037][ T369]  rtnetlink_rcv_msg+0x2fb/0xc10
[ 64.713168][ T369]  netlink_rcv_skb+0x130/0x360
[ 64.713395][ T369]  netlink_unicast+0x44b/0x710
[ 64.713525][ T369]  netlink_sendmsg+0x723/0xbe0
[ 64.713659][ T369]  ____sys_sendmsg+0x7ac/0xa10
[ 64.713790][ T369]  ___sys_sendmsg+0xee/0x170
[ 64.713945][ T369]  __sys_sendmsg+0xcd/0x170
[ 64.714162][ T369]  do_syscall_64+0xc1/0x1d0
[ 64.714318][ T369]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.714494][ T369]
[ 64.714572][ T369] The buggy address belongs to the object at ffff888006532800
[ 64.714572][ T369]  which belongs to the cache kmalloc-1k of size 1024
[ 64.714980][ T369] The buggy address is located 24 bytes inside of
[ 64.714980][ T369]  freed 1024-byte region [ffff888006532800, ffff888006532c00)
[ 64.715410][ T369]
[ 64.715499][ T369] The buggy address belongs to the physical page:
[ 64.715661][ T369] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6530
[ 64.715889][ T369] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 64.716156][ T369] flags: 0x80000000000040(head|node=0|zone=1)
[ 64.716346][ T369] page_type: f5(slab)
[ 64.716458][ T369] raw: 0080000000000040 ffff8880010430c0 ffffea00001baa10 ffffea0000086010
[ 64.716770][ T369] raw: 0000000000000000 00000000000a000a 00000001f5000000 0000000000000000
[ 64.716998][ T369] head: 0080000000000040 ffff8880010430c0 ffffea00001baa10 ffffea0000086010
[ 64.717233][ T369] head: 0000000000000000 00000000000a000a 00000001f5000000 0000000000000000
[ 64.717485][ T369] head: 0080000000000003 ffffea0000194c01 ffffffffffffffff 0000000000000000
[ 64.717716][ T369] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 64.718018][ T369] page dumped because: kasan: bad access detected
[ 64.718177][ T369]
[ 64.718259][ T369] Memory state around the buggy address:
[ 64.718390][ T369]  ffff888006532700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.718651][ T369]  ffff888006532780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.718842][ T369] >ffff888006532800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.719026][ T369]                             ^
[ 64.719231][ T369]  ffff888006532880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.719423][ T369]  ffff888006532900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.719606][ T369] ==================================================================
[ 64.719880][ T369] Disabling lock debugging due to kernel taint
[ 75.856047][ T410] veth1: entered allmulticast mode
[ 82.693384][ T425] veth1: left allmulticast mode
[ 107.627322][ T589] veth1: left promiscuous mode
[ 108.121373][ T38] Oops: general protection fault, probably for non-canonical address 0xe0793c2d40000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 108.121776][ T38] KASAN: maybe wild-memory-access in range [0x03ca016a00000000-0x03ca016a00000007]
[ 108.121993][ T38] CPU: 3 UID: 0 PID: 38 Comm: kworker/u18:0 Tainted: G B 6.12.0-rc3-virtme #1
[ 108.122262][ T38] Tainted: [B]=BAD_PAGE
[ 108.122363][ T38] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 108.122666][ T38] Workqueue: events_unbound linkwatch_event
[ 108.122852][ T38] RIP: 0010:neigh_flush_dev.isra.0+0x10a/0x650
[ 108.123025][ T38] Code: 0f 85 ef 04 00 00 49 8d 7f 08 49 8b 1f 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 cc 04 00 00 49 8b 6f 08 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 19 05 00 00 48 89 5d 00 48 85 db 74 1a 48 8d
[ 108.123537][ T38] RSP: 0018:ffffc900002b7a08 EFLAGS: 00010206
[ 108.123709][ T38] RAX: 0079402d40000000 RBX: ffff88800553d800 RCX: ffffffffa38796f0
[ 108.123918][ T38] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888005539c08
[ 108.124104][ T38] RBP: 03ca016a00000000 R08: 0000000000000000 R09: 0000000000000000
[ 108.124290][ T38] R10: ffffffffa5d71f0f R11: ffffffffa16c2ce1 R12: ffff888005539d3c
[ 108.124482][ T38] R13: dffffc0000000000 R14: ffff8880057f1000 R15: ffff888005539c00
[ 108.124696][ T38] FS:  0000000000000000(0000) GS:ffff888036180000(0000) knlGS:0000000000000000
[ 108.124916][ T38] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 108.125082][ T38] CR2: 000055901540edec CR3: 0000000005e34002 CR4: 0000000000772ef0
[ 108.125273][ T38] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 108.125468][ T38] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 108.125689][ T38] PKRU: 55555554
[ 108.125785][ T38] Call Trace:
[ 108.125880][ T38]  <TASK>
[ 108.125948][ T38]  ? die_addr+0x41/0xa0
[ 108.126075][ T38]  ? exc_general_protection+0x14d/0x230
[ 108.126208][ T38]  ? asm_exc_general_protection+0x26/0x30
[ 108.126335][ T38]  ? ret_from_fork+0x31/0x70
[ 108.126464][ T38]  ? neigh_flush_dev.isra.0+0x5d0/0x650
[ 108.126616][ T38]  ? neigh_flush_dev.isra.0+0x10a/0x650
[ 108.126764][ T38]  ? neigh_flush_dev.isra.0+0x5d0/0x650
[ 108.126898][ T38]  ? lock_acquire+0x32/0xc0
[ 108.127030][ T38]  __neigh_ifdown.isra.0+0x74/0x440
[ 108.127205][ T38]  neigh_carrier_down+0x13/0x20
[ 108.127332][ T38]  arp_netdev_event+0x238/0x330
[ 108.127460][ T38]  ? trace_notifier_run+0xe2/0x140
[ 108.127626][ T38]  notifier_call_chain+0xcd/0x150
[ 108.127769][ T38]  netdev_state_change+0xf5/0x120
[ 108.127919][ T38]  ? __pfx_netdev_state_change+0x10/0x10
[ 108.128061][ T38]  ? dev_deactivate+0xc1/0x1b0
[ 108.128206][ T38]  ? veth_get_iflink+0xd2/0x210 [veth]
[ 108.128353][ T38]  linkwatch_do_dev+0xd2/0x100
[ 108.128497][ T38]  __linkwatch_run_queue+0x1df/0x650
[ 108.128638][ T38]  ? trace_lock_acquire+0x14d/0x1f0
[ 108.128800][ T38]  ? __pfx___linkwatch_run_queue+0x10/0x10
[ 108.128975][ T38]  ? process_one_work+0xe0b/0x16d0
[ 108.129120][ T38]  ? lock_acquire+0x32/0xc0
[ 108.129269][ T38]  linkwatch_event+0x40/0x60
[ 108.129414][ T38]  process_one_work+0xe55/0x16d0
[ 108.129568][ T38]  ? __pfx___lock_release+0x10/0x10
[ 108.129722][ T38]  ? __pfx_process_one_work+0x10/0x10
[ 108.129883][ T38]  ? assign_work+0x16c/0x240
[ 108.130032][ T38]  worker_thread+0x58c/0xce0
[ 108.130177][ T38]  ? __pfx_worker_thread+0x10/0x10
[ 108.130329][ T38]  kthread+0x28a/0x350
[ 108.130452][ T38]  ? __pfx_kthread+0x10/0x10
[ 108.130616][ T38]  ret_from_fork+0x31/0x70
[ 108.130772][ T38]  ? __pfx_kthread+0x10/0x10
[ 108.130926][ T38]  ret_from_fork_asm+0x1a/0x30
[ 108.131069][ T38]  </TASK>
[ 108.131175][ T38] Modules linked in: vrf macvlan veth
[ 108.131369][ T38] ---[ end trace 0000000000000000 ]---
[ 108.131513][ T38] RIP: 0010:neigh_flush_dev.isra.0+0x10a/0x650
[ 108.131739][ T38] Code: 0f 85 ef 04 00 00 49 8d 7f 08 49 8b 1f 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 cc 04 00 00 49 8b 6f 08 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 19 05 00 00 48 89 5d 00 48 85 db 74 1a 48 8d
[ 108.132270][ T38] RSP: 0018:ffffc900002b7a08 EFLAGS: 00010206
[ 108.132477][ T38] RAX: 0079402d40000000 RBX: ffff88800553d800 RCX: ffffffffa38796f0
[ 108.132728][ T38] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888005539c08
[ 108.132954][ T38] RBP: 03ca016a00000000 R08: 0000000000000000 R09: 0000000000000000
[ 108.133175][ T38] R10: ffffffffa5d71f0f R11: ffffffffa16c2ce1 R12: ffff888005539d3c
[ 108.133404][ T38] R13: dffffc0000000000 R14: ffff8880057f1000 R15: ffff888005539c00
[ 108.133615][ T38] FS:  0000000000000000(0000) GS:ffff888036180000(0000) knlGS:0000000000000000
[ 108.133892][ T38] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 108.134081][ T38] CR2: 000055901540edec CR3: 0000000005e34002 CR4: 0000000000772ef0
[ 108.134299][ T38] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 108.134534][ T38] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 108.134771][ T38] PKRU: 55555554
[ 108.134902][ T38] Kernel panic - not syncing: Fatal exception in interrupt
[ 108.135202][ T38] Kernel Offset: 0x20400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 108.135519][ T38] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
WAIT TIMEOUT stderr Ctrl-C stderr Ctrl-C stderr WAIT TIMEOUT stderr