======================================

[ 4143.488657][ C1] ==================================================================
[ 4143.488941][ C1] BUG: KASAN: slab-use-after-free in dst_dev_put (net/core/dst.c:146)
[ 4143.489192][ C1] Read of size 8 at addr ffff888011740c40 by task ksoftirqd/1/22
[ 4143.489436][ C1]
[ 4143.489526][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 4143.489529][ C1] Call Trace:
[ 4143.489532][ C1]
[ 4143.489534][ C1] dump_stack_lvl (lib/dump_stack.c:123)
[ 4143.489542][ C1] print_address_description.constprop.0 (mm/kasan/report.c:379)
[ 4143.489550][ C1] ? dst_dev_put (net/core/dst.c:146)
[ 4143.489554][ C1] print_report (mm/kasan/report.c:483)
[ 4143.489557][ C1] ? dst_dev_put (net/core/dst.c:146)
[ 4143.489560][ C1] ? kasan_addr_to_slab (mm/kasan/../slab.h:178 mm/kasan/common.c:47)
[ 4143.489564][ C1] ? dst_dev_put (net/core/dst.c:146)
[ 4143.489567][ C1] kasan_report (mm/kasan/report.c:597)
[ 4143.489571][ C1] ? dst_dev_put (net/core/dst.c:146)
[ 4143.489576][ C1] dst_dev_put (net/core/dst.c:146)
[ 4143.489580][ C1] rt_fibinfo_free_cpus.part.0 (net/ipv4/fib_semantics.c:196)
[ 4143.489587][ C1] fib_nh_common_release (net/ipv4/fib_semantics.c:141 net/ipv4/fib_semantics.c:207)
[ 4143.489591][ C1] free_fib_info_rcu (./include/net/nexthop.h:480 (discriminator 3) net/ipv4/fib_semantics.c:229 (discriminator 3))
[ 4143.489595][ C1] ? nexthop_mpath_fill_node.constprop.0 (net/ipv4/fib_semantics.c:223)
[ 4143.489599][ C1] rcu_do_batch (./include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607)
[ 4143.489605][ C1] ? trace_rcu_batch_end (kernel/rcu/tree.c:2529)
[ 4143.489609][ C1] ? __lock_release (kernel/locking/lockdep.c:5536)
[ 4143.489614][ C1] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[ 4143.489619][ C1] ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
[ 4143.489627][ C1] rcu_core (kernel/rcu/tree.c:2859)
[ 4143.489632][ C1] handle_softirqs (./arch/x86/include/asm/jump_label.h:37 ./include/trace/events/irq.h:142 kernel/softirq.c:623)
[ 4143.489639][ C1] ? __irq_exit_rcu (kernel/softirq.c:1056)
[ 4143.489643][ C1] run_ksoftirqd (kernel/softirq.c:479 kernel/softirq.c:1064 kernel/softirq.c:1055)
[ 4143.489646][ C1] smpboot_thread_fn (kernel/smpboot.c:160 (discriminator 3))
[ 4143.489652][ C1] ? sort_range (kernel/smpboot.c:103)
[ 4143.489656][ C1] kthread (kernel/kthread.c:463)
[ 4143.489662][ C1] ? kthread_is_per_cpu (kernel/kthread.c:412)
[ 4143.489665][ C1] ? ret_from_fork (arch/x86/kernel/process.c:157)
[ 4143.489677][ C1] ? __lock_release (kernel/locking/lockdep.c:5536)
[ 4143.489680][ C1] ? lock_acquire (./include/trace/events/lock.h:24 kernel/locking/lockdep.c:5831)
[ 4143.489683][ C1] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[ 4143.489686][ C1] ? kthread_is_per_cpu (kernel/kthread.c:412)
[ 4143.489691][ C1] ret_from_fork (arch/x86/kernel/process.c:164)
[ 4143.489694][ C1] ? arch_exit_to_user_mode_prepare.constprop.0 (arch/x86/entry/syscall_64.c:37)
[ 4143.489698][ C1] ? kthread_is_per_cpu (kernel/kthread.c:412)
[ 4143.489701][ C1] ? __switch_to (./include/linux/thread_info.h:140 arch/x86/kernel/process.h:16 arch/x86/kernel/process_64.c:676)
[ 4143.489707][ C1] ? kthread_is_per_cpu (kernel/kthread.c:412)
[ 4143.489711][ C1] ret_from_fork_asm (arch/x86/entry/entry_64.S:256)

[ 4143.510138][ C1] Disabling lock debugging due to kernel taint

[ 4143.510347][ C1] Oops: general protection fault, probably for non-canonical address 0xe0ca3c3800000009: 0000 [#1] SMP KASAN

[ 4143.510681][ C1] KASAN: maybe wild-memory-access in range [0x065201c000000048-0x065201c00000004f]

[ 4143.511254][ C1] Tainted: [B]=BAD_PAGE
[ 4143.511371][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 4143.511563][ C1] RIP: 0010:dst_dev_put (net/core/dst.c:149)
[ 4143.511726][ C1] Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 9c 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 6d 08 48 8d 7d 38 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 6f 01 00 00 48 8b 45 38 48 85 c0 74 08 4c 89 e6

All code
========
   0:	fc                   	cld
   1:	ff                   	lcall  (bad)
   2:	df 48 c1             	fisttps -0x3f(%rax)
   5:	ea                   	(bad)
   6:	03 80 3c 02 00 0f    	add    0xf00023c(%rax),%eax
   c:	85 9c 01 00 00 48 b8 	test   %ebx,-0x47b80000(%rcx,%rax,1)
  13:	00 00                	add    %al,(%rax)
  15:	00 00                	add    %al,(%rax)
  17:	00 fc                	add    %bh,%ah
  19:	ff                   	lcall  (bad)
  1a:	df 49 8b             	fisttps -0x75(%rcx)
  1d:	6d                   	insl   (%dx),%es:(%rdi)
  1e:	08 48 8d             	or     %cl,-0x73(%rax)
  21:	7d 38                	jge    0x5b
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
  2a:*	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)		<-- trapping instruction
  2e:	0f 85 6f 01 00 00    	jne    0x1a3
  34:	48 8b 45 38          	mov    0x38(%rbp),%rax
  38:	48 85 c0             	test   %rax,%rax
  3b:	74 08                	je     0x45
  3d:	4c 89 e6             	mov    %r12,%rsi

Code starting with the faulting instruction
===========================================
   0:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   4:	0f 85 6f 01 00 00    	jne    0x179
   a:	48 8b 45 38          	mov    0x38(%rbp),%rax
   e:	48 85 c0             	test   %rax,%rax
  11:	74 08                	je     0x1b
  13:	4c 89 e6             	mov    %r12,%rsi

[ 4143.512269][ C1] RSP: 0000:ffffc90000197b18 EFLAGS: 00010207
[ 4143.512464][ C1] RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: ffffffffb7e8b428
[ 4143.512690][ C1] RDX: 00ca403800000009 RSI: 0000000000000008 RDI: 065201c00000004e
[ 4143.512919][ C1] RBP: 065201c000000016 R08: 0000000000000001 R09: fffffbfff762a8c4
[ 4143.513151][ C1] R10: ffffffffbb154627 R11: ffffc90000197600 R12: ffff8880117401c0
[ 4143.513380][ C1] R13: ffff888011740c40 R14: 0000000000000000 R15: ffff888011740c40
[ 4143.513608][ C1] FS: 0000000000000000(0000) GS:ffff8880b1f98000(0000) knlGS:0000000000000000
[ 4143.513870][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4143.514067][ C1] CR2: 00007fdf33a0b5f4 CR3: 0000000027145006 CR4: 0000000000772ef0
[ 4143.514293][ C1] PKRU: 55555554
[ 4143.514410][ C1] Call Trace:
[ 4143.514524][ C1]
[ 4143.514604][ C1] rt_fibinfo_free_cpus.part.0 (net/ipv4/fib_semantics.c:196)
[ 4143.514762][ C1] fib_nh_common_release (net/ipv4/fib_semantics.c:141 net/ipv4/fib_semantics.c:207)
[ 4143.514913][ C1] free_fib_info_rcu (./include/net/nexthop.h:480 (discriminator 3) net/ipv4/fib_semantics.c:229 (discriminator 3))
[ 4143.515066][ C1] ? nexthop_mpath_fill_node.constprop.0 (net/ipv4/fib_semantics.c:223)
[ 4143.515258][ C1] rcu_do_batch (./include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607)
[ 4143.515410][ C1] ? trace_rcu_batch_end (kernel/rcu/tree.c:2529)
[ 4143.515559][ C1] ? __lock_release (kernel/locking/lockdep.c:5536)
[ 4143.515710][ C1] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[ 4143.515863][ C1] ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
[ 4143.516052][ C1] rcu_core (kernel/rcu/tree.c:2859)
[ 4143.516172][ C1] handle_softirqs (./arch/x86/include/asm/jump_label.h:37 ./include/trace/events/irq.h:142 kernel/softirq.c:623)
[ 4143.516323][ C1] ? __irq_exit_rcu (kernel/softirq.c:1056)
[ 4143.516475][ C1] run_ksoftirqd (kernel/softirq.c:479 kernel/softirq.c:1064 kernel/softirq.c:1055)
[ 4143.516623][ C1] smpboot_thread_fn (kernel/smpboot.c:160 (discriminator 3))
[ 4143.516775][ C1] ? sort_range (kernel/smpboot.c:103)
[ 4143.516890][ C1] kthread (kernel/kthread.c:463)
[ 4143.517005][ C1] ? kthread_is_per_cpu (kernel/kthread.c:412)
[ 4143.517154][ C1] ? ret_from_fork (arch/x86/kernel/process.c:157)
[ 4143.517304][ C1] ? __lock_release (kernel/locking/lockdep.c:5536)
[ 4143.517458][ C1] ? lock_acquire (./include/trace/events/lock.h:24 kernel/locking/lockdep.c:5831)
[ 4143.517607][ C1] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[ 4143.517760][ C1] ? kthread_is_per_cpu (kernel/kthread.c:412)
[ 4143.517908][ C1] ret_from_fork (arch/x86/kernel/process.c:164)
[ 4143.518059][ C1] ? arch_exit_to_user_mode_prepare.constprop.0 (arch/x86/entry/syscall_64.c:37)
[ 4143.518280][ C1] ? kthread_is_per_cpu (kernel/kthread.c:412)
[ 4143.518430][ C1] ? __switch_to (./include/linux/thread_info.h:140 arch/x86/kernel/process.h:16 arch/x86/kernel/process_64.c:676)
[ 4143.518593][ C1] ? kthread_is_per_cpu (kernel/kthread.c:412)

Finger prints:
dst_dev_put:fib_nh_common_release:free_fib_info_rcu:rcu_do_batch:rcu_core
print_report:kasan_report:dst_dev_put:fib_nh_common_release:free_fib_info_rcu