HARD STOP (0) WAIT TIMEOUT stderr Ctrl-C stderr Ctrl-C stderr

[   85.256935][  T481] ip (481) used greatest stack depth: 24800 bytes left
[   95.360457][  T514] ip (514) used greatest stack depth: 24736 bytes left
[  107.630977][  T544] eth0: renamed from tmp
[  107.671138][  T542] ip (542) used greatest stack depth: 24696 bytes left
[  115.126579][  T566] ip (566) used greatest stack depth: 24576 bytes left
[  126.999192][  T604] ip (604) used greatest stack depth: 24480 bytes left
[  128.790126][  T608] ==================================================================
[  128.790826][  T608] BUG: KASAN: slab-use-after-free in emit_its_trampoline+0xa5/0x300
[  128.791280][  T608] Read of size 1 at addr ffff888001936720 by task modprobe/608
[  128.791726][  T608]
[  128.791869][  T608] CPU: 3 UID: 0 PID: 608 Comm: modprobe Not tainted 6.16.0-rc2-virtme #1 PREEMPT(full)
[  128.791876][  T608] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  128.791879][  T608] Call Trace:
[  128.791881][  T608]
[  128.791884][  T608]  dump_stack_lvl+0x82/0xd0
[  128.791896][  T608]  print_address_description.constprop.0+0x2c/0x400
[  128.791904][  T608]  ? emit_its_trampoline+0xa5/0x300
[  128.791911][  T608]  print_report+0xb4/0x270
[  128.791915][  T608]  ? emit_its_trampoline+0xa5/0x300
[  128.791919][  T608]  ? kasan_addr_to_slab+0x25/0x80
[  128.791924][  T608]  ? emit_its_trampoline+0xa5/0x300
[  128.791927][  T608]  kasan_report+0xca/0x100
[  128.791933][  T608]  ? emit_its_trampoline+0xa5/0x300
[  128.791941][  T608]  ? emit_its_trampoline+0xa5/0x300
[  128.791945][  T608]  __kasan_check_byte+0x3a/0x50
[  128.791949][  T608]  krealloc_noprof+0x3d/0x320
[  128.791954][  T608]  ? execmem_alloc+0xc0/0x240
[  128.791962][  T608]  emit_its_trampoline+0xa5/0x300
[  128.791967][  T608]  ? __x86_indirect_paranoid_thunk_rax+0x2/0x2
[  128.791975][  T608]  ? __do_softirq+0x10/0x10
[  128.791979][  T608]  apply_retpolines+0xcf/0x550
[  128.791986][  T608]  ? __pfx_apply_retpolines+0x10/0x10
[  128.791990][  T608]  ? __pfx___mutex_lock+0x10/0x10
[  128.792006][  T608]  module_finalize+0x3d5/0x9d0
[  128.792014][  T608]  ? add_kallsyms+0x7bf/0xf40
[  128.792020][  T608]  ? __pfx_module_finalize+0x10/0x10
[  128.792026][  T608]  ? __pfx_cmp_ex_sort+0x10/0x10
[  128.792030][  T608]  ? __pfx_swap_ex+0x10/0x10
[  128.792036][  T608]  load_module+0x139a/0x2660
[  128.792046][  T608]  ? __pfx_load_module+0x10/0x10
[  128.792050][  T608]  ? kernel_read_file+0x3f5/0x550
[  128.792057][  T608]  ? kernel_read_file+0x3d0/0x550
[  128.792062][  T608]  ? __pfx_kernel_read_file+0x10/0x10
[  128.792066][  T608]  ? add_chain_cache+0x110/0x370
[  128.792073][  T608]  ? init_module_from_file+0xe9/0x150
[  128.792077][  T608]  init_module_from_file+0xe9/0x150
[  128.792082][  T608]  ? __pfx_init_module_from_file+0x10/0x10
[  128.792094][  T608]  ? idempotent_init_module+0x31a/0x620
[  128.792098][  T608]  ? __lock_release+0x5d/0x170
[  128.792105][  T608]  ? do_raw_spin_unlock+0x58/0x220
[  128.792111][  T608]  idempotent_init_module+0x335/0x620
[  128.792117][  T608]  ? __pfx_idempotent_init_module+0x10/0x10
[  128.792127][  T608]  ? cap_capable+0x94/0x230
[  128.792136][  T608]  __x64_sys_finit_module+0xca/0x150
[  128.792140][  T608]  ? do_syscall_64+0x85/0x380
[  128.792146][  T608]  do_syscall_64+0xc1/0x380
[  128.792151][  T608]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  128.792156][  T608] RIP: 0033:0x7ff5646aee5d
[  128.792162][  T608] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
[  128.792165][  T608] RSP: 002b:00007fff6cf3b398 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[  128.792172][  T608] RAX: ffffffffffffffda RBX: 00005601337bcbf0 RCX: 00007ff5646aee5d
[  128.792175][  T608] RDX: 0000000000000000 RSI: 0000560112d56a2a RDI: 0000000000000000
[  128.792177][  T608] RBP: 0000000000040000 R08: 0000000000000000 R09: 00007fff6cf3b4d0
[  128.792180][  T608] R10: 0000000000000000 R11: 0000000000000246 R12: 0000560112d56a2a
[  128.792182][  T608] R13: 00005601337bcb70 R14: 00005601337bd130 R15: 00005601337bcc62
[  128.792192][  T608]
[  128.792194][  T608]
[  128.812982][  T608] Allocated by task 593:
[  128.813322][  T608]  kasan_save_stack+0x24/0x50
[  128.813806][  T608]  kasan_save_track+0x14/0x30
[  128.814134][  T608]  __kasan_kmalloc+0x7f/0x90
[  128.814523][  T608]  __kmalloc_noprof+0x1d4/0x470
[  128.814883][  T608]  virtqueue_add_split+0x6a3/0x1920
[  128.815154][  T608]  virtqueue_add_sgs+0x143/0x270
[  128.815408][  T608]  virtio_fs_enqueue_req+0x58c/0xfe0
[  128.815667][  T608]  virtio_fs_send_req+0x13a/0x710
[  128.815916][  T608]  __fuse_simple_request+0x237/0xc20
[  128.816166][  T608]  fuse_readlink_folio+0x20b/0x400
[  128.816429][  T608]  fuse_get_link+0x12d/0x350
[  128.816728][  T608]  pick_link+0x7a2/0x1160
[  128.816985][  T608]  step_into+0x85a/0xfc0
[  128.817509][  T608]  link_path_walk+0x3c2/0xa10
[  128.818827][  T608]  path_openat+0x14d/0x380
[  128.819173][  T608]  do_filp_open+0x1d7/0x420
[  128.819515][  T608]  do_sys_openat2+0xd4/0x160
[  128.819858][  T608]  __x64_sys_openat+0x122/0x1e0
[  128.820259][  T608]  do_syscall_64+0xc1/0x380
[  128.820624][  T608]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  128.821044][  T608]
[  128.821250][  T608] Freed by task 210:
[  128.821626][  T608]  kasan_save_stack+0x24/0x50
[  128.822068][  T608]  kasan_save_track+0x14/0x30
[  128.822398][  T608]  kasan_save_free_info+0x3b/0x60
[  128.822731][  T608]  __kasan_slab_free+0x38/0x50
[  128.823021][  T608]  kfree+0x144/0x320
[  128.823226][  T608]  detach_buf_split+0x48d/0x6f0
[  128.823511][  T608]  virtqueue_get_buf_ctx_split+0x294/0x7f0
[  128.823876][  T608]  virtio_fs_requests_done_work+0x231/0x890
[  128.824326][  T608]  process_one_work+0xe43/0x1660
[  128.824673][  T608]  worker_thread+0x591/0xcf0
[  128.825029][  T608]  kthread+0x37e/0x600
[  128.825245][  T608]  ret_from_fork+0x243/0x320
[  128.825509][  T608]  ret_from_fork_asm+0x1a/0x30
[  128.825805][  T608]
[  128.825989][  T608] The buggy address belongs to the object at ffff888001936720
[  128.825989][  T608]  which belongs to the cache kmalloc-96 of size 96
[  128.827161][  T608] The buggy address is located 0 bytes inside of
[  128.827161][  T608]  freed 96-byte region [ffff888001936720, ffff888001936780)
[  128.827971][  T608]
[  128.828170][  T608] The buggy address belongs to the physical page:
[  128.829864][  T608] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1936
[  128.830364][  T608] flags: 0x80000000000000(node=0|zone=1)
[  128.830639][  T608] page_type: f5(slab)
[  128.830849][  T608] raw: 0080000000000000 ffff888001042340 ffffea0000098150 ffffea0000047250
[  128.831388][  T608] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[  128.831965][  T608] page dumped because: kasan: bad access detected
[  128.832498][  T608]
[  128.832662][  T608] Memory state around the buggy address:
[  128.832978][  T608]  ffff888001936600: fc fc fc fc 00 00 00 00 00 00 00 00 00 fc fc fc
[  128.833550][  T608]  ffff888001936680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  128.834197][  T608] >ffff888001936700: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
[  128.834728][  T608]                                ^
[  128.835057][  T608]  ffff888001936780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  128.835749][  T608]  ffff888001936800: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 fc
[  128.836238][  T608] ==================================================================
[  128.836904][  T608] Disabling lock debugging due to kernel taint