====================================== | xx__-> [ 36.162301][ T385] ================================================================== | [ 36.162633][ T385] BUG: KASAN: out-of-bounds in kobject_put (lib/kobject.c:733) | [ 36.162883][ T385] Read of size 1 at addr ffff88800cf506c4 by task tun/385 | [ 36.163106][ T385] [ 36.163210][ T385] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 36.163212][ T385] Call Trace: [ 36.163214][ T385] [ 36.163216][ T385] dump_stack_lvl (lib/dump_stack.c:123) [ 36.163223][ T385] print_address_description.constprop.0 (mm/kasan/report.c:379) [ 36.163231][ T385] ? kobject_put (lib/kobject.c:733) [ 36.163235][ T385] print_report (mm/kasan/report.c:483) [ 36.163239][ T385] ? kobject_put (lib/kobject.c:733) [ 36.163242][ T385] ? kasan_addr_to_slab (./include/linux/mm.h:1245 mm/kasan/../slab.h:191 mm/kasan/common.c:47) [ 36.163246][ T385] ? kobject_put (lib/kobject.c:733) [ 36.163249][ T385] kasan_report (mm/kasan/report.c:597) [ 36.163253][ T385] ? kobject_put (lib/kobject.c:733) [ 36.163258][ T385] kobject_put (lib/kobject.c:733) [ 36.163262][ T385] netdev_run_todo (./include/linux/list.h:381 net/core/dev.c:11670) [ 36.163269][ T385] ? dev_ingress_queue_create (net/core/dev.c:12299) [ 36.163273][ T385] ? generic_xdp_install (net/core/dev.c:11630) [ 36.163277][ T385] ? unregister_netdevice_many (net/core/dev.c:12241) [ 36.163283][ T385] rtnl_dellink (net/core/rtnetlink.c:3580) [ 36.163289][ T385] ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536) [ 36.163308][ T385] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 36.163317][ T385] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 36.163323][ T385] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 36.163327][ T385] ? rtnetlink_rcv_msg (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/core/rtnetlink.c:6956) [ 36.163330][ T385] ? __lock_release (kernel/locking/lockdep.c:5536) [ 36.163333][ T385] ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536) [ 36.163337][ T385] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 36.163341][ T385] ? rtnl_port_fill (net/core/rtnetlink.c:6861) [ 36.163345][ T385] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 36.163351][ T385] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 36.163356][ T385] ? rtnl_port_fill (net/core/rtnetlink.c:6861) [ 36.163360][ T385] ? netlink_ack (net/netlink/af_netlink.c:2527) [ 36.163366][ T385] ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/netlink/af_netlink.c:340) [ 36.163369][ T385] ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 ./include/net/netns/generic.h:48 net/netlink/af_netlink.c:333) [ 36.163372][ T385] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 36.163376][ T385] ? netlink_attachskb (net/netlink/af_netlink.c:1329) [ 36.163379][ T385] ? netlink_insert (net/netlink/af_netlink.c:591 (discriminator 3)) [ 36.163382][ T385] ? netlink_autobind.isra.0 (net/netlink/af_netlink.c:804) [ 36.163385][ T385] ? netlink_autobind.isra.0 (net/netlink/af_netlink.c:827) [ 36.163389][ T385] netlink_sendmsg (net/netlink/af_netlink.c:1894) [ 36.163393][ T385] ? netlink_unicast (net/netlink/af_netlink.c:1813) [ 36.163399][ T385] __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2244) [ 36.163404][ T385] ? __ia32_sys_getpeername (net/socket.c:2211) [ 36.163409][ T385] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) [ 36.163416][ T385] ? trace_rseq_update (./include/trace/events/rseq.h:11 (discriminator 21)) [ 36.163422][ T385] ? rseq_update_cpu_node_id (kernel/rseq.c:189 (discriminator 10)) [ 36.163426][ T385] ? __rseq_handle_notify_resume (kernel/rseq.c:442) [ 36.163430][ T385] ? rseq_get_rseq_cs.isra.0 (kernel/rseq.c:425) [ 36.163432][ T385] ? __sys_socket (net/socket.c:516 net/socket.c:1756) [ 36.163435][ T385] ? update_socket_protocol+0x10/0x10 [ 36.163438][ T385] ? do_user_addr_fault (./arch/x86/include/asm/atomic.h:93 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/mmap_lock.h:143 ./include/linux/mmap_lock.h:182 arch/x86/mm/fault.c:1338) [ 36.163444][ T385] __x64_sys_sendto (net/socket.c:2247) [ 36.163447][ T385] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:124 arch/x86/entry/syscall_64.c:90) [ 36.163452][ T385] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4472) [ 36.163461][ T385] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) [ 36.163465][ T385] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 36.163468][ T385] RIP: 0033:0x7f7210386120 [ 36.163474][ T385] Code: ff ff 64 89 02 eb bd 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20 All code ======== 0: ff (bad) 1: ff 64 89 02 jmp *0x2(%rcx,%rcx,4) 5: eb bd jmp 0xffffffffffffffc4 7: 0f 1f 00 nopl (%rax) a: f3 0f 1e fa endbr64 e: 41 89 ca mov %ecx,%r10d 11: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 18: 00 19: 85 c0 test %eax,%eax 1b: 75 1d jne 0x3a 1d: 45 31 c9 xor %r9d,%r9d 20: 45 31 c0 xor %r8d,%r8d 23: b8 2c 00 00 00 mov $0x2c,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 68 ja 0x9a 32: c3 ret 33: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 3a: 41 54 push %r12 3c: 48 83 ec 20 sub $0x20,%rsp Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 68 ja 0x70 8: c3 ret 9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 10: 41 54 push %r12 12: 48 83 ec 20 sub $0x20,%rsp [ 36.163476][ T385] RSP: 002b:00007fff0b9ca208 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 36.163480][ T385] RAX: ffffffffffffffda RBX: 00007fff0b9ca2a0 RCX: 00007f7210386120 [ 36.163483][ T385] RDX: 0000000000000034 RSI: 00007fff0b9ca210 RDI: 0000000000000007 [ 36.163484][ T385] RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000 [ 36.163486][ T385] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 36.163487][ T385] R13: 00007fff0b9ca2a0 R14: 00007f7210272000 R15: 0000000000406140 | [ 36.179443][ T385] refcount_t: underflow; use-after-free. | [ 36.179675][ T385] WARNING: CPU: 1 PID: 385 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) | [ 36.180199][ T385] Modules linked in: | [ 36.180655][ T385] Tainted: [B]=BAD_PAGE [ 36.180778][ T385] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 36.180982][ T385] RIP: 0010:refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) [ 36.181274][ T385] Code: cc 38 03 80 fb 01 0f 87 29 33 d7 fe 83 e3 01 0f 85 51 ff ff ff c6 05 17 cc 38 03 01 90 48 c7 c7 40 ba e5 88 e8 62 d6 16 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 c0 9d a0 ff e9 ba fe ff ff All code ======== 0: cc int3 1: 38 03 cmp %al,(%rbx) 3: 80 fb 01 cmp $0x1,%bl 6: 0f 87 29 33 d7 fe ja 0xfffffffffed73335 c: 83 e3 01 and $0x1,%ebx f: 0f 85 51 ff ff ff jne 0xffffffffffffff66 15: c6 05 17 cc 38 03 01 movb $0x1,0x338cc17(%rip) # 0x338cc33 1c: 90 nop 1d: 48 c7 c7 40 ba e5 88 mov $0xffffffff88e5ba40,%rdi 24: e8 62 d6 16 ff call 0xffffffffff16d68b 29: 90 nop 2a:* 0f 0b ud2 <-- trapping instruction 2c: 90 nop 2d: 90 nop 2e: e9 33 ff ff ff jmp 0xffffffffffffff66 33: 48 89 df mov %rbx,%rdi 36: e8 c0 9d a0 ff call 0xffffffffffa09dfb 3b: e9 ba fe ff ff jmp 0xfffffffffffffefa Code starting with the faulting instruction =========================================== 0: 0f 0b ud2 2: 90 nop 3: 90 nop 4: e9 33 ff ff ff jmp 0xffffffffffffff3c 9: 48 89 df mov %rbx,%rdi c: e8 c0 9d a0 ff call 0xffffffffffa09dd1 11: e9 ba fe ff ff jmp 0xfffffffffffffed0 [ 36.181846][ T385] RSP: 0018:ffffc90000f073f0 EFLAGS: 00010286 [ 36.182120][ T385] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 36.182382][ T385] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001 [ 36.182616][ T385] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff13c0934 [ 36.182942][ T385] R10: 0000000000000003 R11: ffffc90000f06f80 R12: 0000000000000001 [ 36.183271][ T385] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100 [ 36.183525][ T385] FS: 00007f7210273b80(0000) GS:ffff8880e1d88000(0000) knlGS:0000000000000000 [ 36.183808][ T385] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 36.184172][ T385] CR2: 00007f72103863a0 CR3: 00000000097d2003 CR4: 0000000000772ef0 [ 36.184424][ T385] PKRU: 55555554 [ 36.184543][ T385] Call Trace: [ 36.184663][ T385] [ 36.184747][ T385] netdev_run_todo (./include/linux/list.h:381 net/core/dev.c:11670) [ 36.184911][ T385] ? dev_ingress_queue_create (net/core/dev.c:12299) [ 36.185141][ T385] ? generic_xdp_install (net/core/dev.c:11630) [ 36.185302][ T385] ? unregister_netdevice_many (net/core/dev.c:12241) [ 36.185470][ T385] rtnl_dellink (net/core/rtnetlink.c:3580) [ 36.185629][ T385] ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536) [ 36.185932][ T385] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 36.186156][ T385] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 36.186313][ T385] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 36.186481][ T385] ? rtnetlink_rcv_msg (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/core/rtnetlink.c:6956) [ 36.186635][ T385] ? __lock_release (kernel/locking/lockdep.c:5536) [ 36.186792][ T385] ? valid_bridge_getlink_req.constprop.0 (net/core/rtnetlink.c:3536) [ 36.187142][ T385] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 36.187298][ T385] ? rtnl_port_fill (net/core/rtnetlink.c:6861) [ 36.187463][ T385] ? __lock_acquire (kernel/locking/lockdep.c:5237) [ 36.187622][ T385] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 36.187781][ T385] ? rtnl_port_fill (net/core/rtnetlink.c:6861) [ 36.187936][ T385] ? netlink_ack (net/netlink/af_netlink.c:2527) [ 36.188199][ T385] ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 net/netlink/af_netlink.c:340) [ 36.188357][ T385] ? netlink_deliver_tap (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:897 ./include/net/netns/generic.h:48 net/netlink/af_netlink.c:333) [ 36.188529][ T385] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 36.188683][ T385] ? netlink_attachskb (net/netlink/af_netlink.c:1329) [ 36.188929][ T385] ? netlink_insert (net/netlink/af_netlink.c:591 (discriminator 3)) [ 36.189089][ T385] ? netlink_autobind.isra.0 (net/netlink/af_netlink.c:804) [ 36.189245][ T385] ? netlink_autobind.isra.0 (net/netlink/af_netlink.c:827) [ 36.189401][ T385] netlink_sendmsg (net/netlink/af_netlink.c:1894) [ 36.189678][ T385] ? netlink_unicast (net/netlink/af_netlink.c:1813) [ 36.189845][ T385] __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2244) [ 36.190002][ T385] ? __ia32_sys_getpeername (net/socket.c:2211) [ 36.190167][ T385] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) [ 36.190416][ T385] ? trace_rseq_update (./include/trace/events/rseq.h:11 (discriminator 21)) [ 36.190587][ T385] ? rseq_update_cpu_node_id (kernel/rseq.c:189 (discriminator 10)) [ 36.190742][ T385] ? __rseq_handle_notify_resume (kernel/rseq.c:442) [ 36.190936][ T385] ? rseq_get_rseq_cs.isra.0 (kernel/rseq.c:425) [ 36.191193][ T385] ? __sys_socket (net/socket.c:516 net/socket.c:1756) [ 36.191356][ T385] ? update_socket_protocol+0x10/0x10 [ 36.191524][ T385] ? do_user_addr_fault (./arch/x86/include/asm/atomic.h:93 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/mmap_lock.h:143 ./include/linux/mmap_lock.h:182 arch/x86/mm/fault.c:1338) [ 36.191685][ T385] __x64_sys_sendto (net/socket.c:2247) [ 36.191938][ T385] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:124 arch/x86/entry/syscall_64.c:90) [ 36.192101][ T385] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4472) [ 36.192262][ T385] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) [ 36.192429][ T385] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 36.192735][ T385] RIP: 0033:0x7f7210386120 [ 36.192905][ T385] Code: ff ff 64 89 02 eb bd 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20 All code ======== 0: ff (bad) 1: ff 64 89 02 jmp *0x2(%rcx,%rcx,4) 5: eb bd jmp 0xffffffffffffffc4 7: 0f 1f 00 nopl (%rax) a: f3 0f 1e fa endbr64 e: 41 89 ca mov %ecx,%r10d 11: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 18: 00 19: 85 c0 test %eax,%eax 1b: 75 1d jne 0x3a 1d: 45 31 c9 xor %r9d,%r9d 20: 45 31 c0 xor %r8d,%r8d 23: b8 2c 00 00 00 mov $0x2c,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 68 ja 0x9a 32: c3 ret 33: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 3a: 41 54 push %r12 3c: 48 83 ec 20 sub $0x20,%rsp Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 68 ja 0x70 8: c3 ret 9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 10: 41 54 push %r12 12: 48 83 ec 20 sub $0x20,%rsp [ 36.193591][ T385] RSP: 002b:00007fff0b9ca208 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 36.193840][ T385] RAX: ffffffffffffffda RBX: 00007fff0b9ca2a0 RCX: 00007f7210386120 [ 36.194081][ T385] RDX: 0000000000000034 RSI: 00007fff0b9ca210 RDI: 0000000000000007 [ 36.194315][ T385] RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000 [ 36.194558][ T385] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 Finger prints: print_report:kasan_report:kobject_put:netdev_run_todo:rtnl_dellink refcount_warn_saturate:netdev_run_todo:rtnl_dellink:rtnetlink_rcv_msg:netlink_rcv_skb