====================================== | [ 266.306139][ T2602] ================================================================== | [ 266.306618][ T2602] BUG: KASAN: slab-use-after-free in devl_rate_leaf_destroy (./arch/x86/include/asm/atomic.h:103 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:327 ./include/linux/refcount.h:348 net/devlink/rate.c:679) | [ 266.307059][ T2602] Write of size 4 at addr ffff888007ab4710 by task devlink.sh/2602 | [ 266.307525][ T2602] [ 266.308070][ T2602] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 266.308778][ T2602] Call Trace: [ 266.308987][ T2602] [ 266.309153][ T2602] dump_stack_lvl (lib/dump_stack.c:107) [ 266.309396][ T2602] print_address_description.constprop.0 (mm/kasan/report.c:378) [ 266.309735][ T2602] ? devl_rate_leaf_destroy (./arch/x86/include/asm/atomic.h:103 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:327 ./include/linux/refcount.h:348 net/devlink/rate.c:679) [ 266.310013][ T2602] print_report (mm/kasan/report.c:489) [ 266.310241][ T2602] ? kasan_addr_to_slab (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/page-flags.h:481 mm/kasan/../slab.h:206 mm/kasan/common.c:38) [ 266.310528][ T2602] kasan_report (mm/kasan/report.c:603) [ 266.310751][ T2602] ? devl_rate_leaf_destroy (./arch/x86/include/asm/atomic.h:103 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:327 ./include/linux/refcount.h:348 net/devlink/rate.c:679) [ 266.311048][ T2602] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) [ 266.311298][ T2602] devl_rate_leaf_destroy (./arch/x86/include/asm/atomic.h:103 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:327 ./include/linux/refcount.h:348 net/devlink/rate.c:679) [ 266.311603][ T2602] __nsim_dev_port_del (drivers/net/netdevsim/dev.c:1424) netdevsim [ 266.311984][ T2602] nsim_dev_reload_destroy (drivers/net/netdevsim/dev.c:591 drivers/net/netdevsim/dev.c:1655) netdevsim [ 266.312339][ T2602] nsim_drv_remove (drivers/net/netdevsim/dev.c:1675) netdevsim [ 266.312680][ T2602] device_release_driver_internal (drivers/base/dd.c:1276 drivers/base/dd.c:1297) [ 266.313025][ T2602] ? klist_put (lib/klist.c:220) [ 266.313253][ T2602] bus_remove_device (./include/linux/kobject.h:193 drivers/base/base.h:73 drivers/base/bus.c:581) [ 266.313542][ T2602] device_del (drivers/base/core.c:3815) [ 266.313766][ T2602] ? __pfx_device_del (drivers/base/core.c:3769) [ 266.314034][ T2602] ? lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5756) [ 266.314306][ T2602] ? kernfs_fop_write_iter (fs/kernfs/file.c:326) [ 266.314610][ T2602] device_unregister (drivers/base/core.c:3732 drivers/base/core.c:3856) [ 266.314895][ T2602] del_device_store (drivers/net/netdevsim/bus.c:230) netdevsim [ 266.315235][ T2602] ? __pfx_del_device_store (drivers/net/netdevsim/bus.c:197) netdevsim [ 266.315597][ T2602] ? __pfx_sysfs_kf_write (fs/sysfs/file.c:129) [ 266.315862][ T2602] ? sysfs_file_ops (fs/sysfs/file.c:31 (discriminator 1)) [ 266.316137][ T2602] ? __pfx_sysfs_kf_write (fs/sysfs/file.c:129) [ 266.316414][ T2602] kernfs_fop_write_iter (fs/kernfs/file.c:334) [ 266.316697][ T2602] vfs_write (./include/linux/fs.h:2085 fs/read_write.c:497 fs/read_write.c:590) [ 266.316940][ T2602] ? __pfx_vfs_write (fs/read_write.c:571) [ 266.317182][ T2602] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228) [ 266.317431][ T2602] ? __pfx___lock_release (kernel/locking/lockdep.c:5406) [ 266.317706][ T2602] ? __fget_light (./include/linux/atomic/atomic-arch-fallback.h:479 ./include/linux/atomic/atomic-instrumented.h:50 fs/file.c:1145) [ 266.317961][ T2602] ksys_write (fs/read_write.c:643) [ 266.318178][ T2602] ? __pfx_ksys_write (fs/read_write.c:633) [ 266.318469][ T2602] ? do_user_addr_fault (./include/linux/rcupdate.h:784 ./include/linux/mm.h:688 arch/x86/mm/fault.c:1366) [ 266.318739][ T2602] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 266.319003][ T2602] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) [ 266.319318][ T2602] RIP: 0033:0x7f5ae23c2957 [ 266.319613][ T2602] Code: 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 All code ======== 0: 0b 00 or (%rax),%eax 2: f7 d8 neg %eax 4: 64 89 02 mov %eax,%fs:(%rdx) 7: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax e: eb b7 jmp 0xffffffffffffffc7 10: 0f 1f 00 nopl (%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 ret 33: 48 83 ec 28 sub $0x28,%rsp 37: 48 89 54 24 18 mov %rdx,0x18(%rsp) 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 74 24 je 0x64 Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 ret 9: 48 83 ec 28 sub $0x28,%rsp d: 48 89 54 24 18 mov %rdx,0x18(%rsp) 12: 48 rex.W 13: 89 .byte 0x89 14: 74 24 je 0x3a [ 266.320619][ T2602] RSP: 002b:00007ffea7cb5e98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 266.321087][ T2602] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f5ae23c2957 [ 266.321530][ T2602] RDX: 0000000000000003 RSI: 000055afd5c1f530 RDI: 0000000000000001 [ 266.321976][ T2602] RBP: 000055afd5c1f530 R08: 0000000000000000 R09: 00007f5ae24354e0 [ 266.322400][ T2602] R10: 00007f5ae24353e0 R11: 0000000000000246 R12: 0000000000000003 [ 266.322831][ T2602] R13: 00007f5ae247e760 R14: 0000000000000003 R15: 00007f5ae24799c0 | [ 266.341642][ T2602] ------------[ cut here ]------------ | [ 266.341960][ T2602] refcount_t: decrement hit 0; leaking memory. | [ 266.342343][ T2602] WARNING: CPU: 3 PID: 2602 at lib/refcount.c:31 refcount_warn_saturate (lib/refcount.c:31 (discriminator 3)) | [ 266.342823][ T2602] Modules linked in: netdevsim geneve vxlan ip6_udp_tunnel udp_tunnel [last unloaded: netdevsim] [ 266.343891][ T2602] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 266.344573][ T2602] RIP: 0010:refcount_warn_saturate (lib/refcount.c:31 (discriminator 3)) [ 266.344953][ T2602] Code: 0f b6 1d 61 c0 5c 03 80 fb 01 0f 87 9b dd 8f 01 83 e3 01 75 38 c6 05 4c c0 5c 03 01 90 48 c7 c7 20 58 02 88 e8 59 4f 2b ff 90 <0f> 0b 90 90 eb 1d 85 ed 74 50 0f b6 1d 30 c0 5c 03 80 fb 01 0f 87 All code ======== 0: 0f b6 1d 61 c0 5c 03 movzbl 0x35cc061(%rip),%ebx # 0x35cc068 7: 80 fb 01 cmp $0x1,%bl a: 0f 87 9b dd 8f 01 ja 0x18fddab 10: 83 e3 01 and $0x1,%ebx 13: 75 38 jne 0x4d 15: c6 05 4c c0 5c 03 01 movb $0x1,0x35cc04c(%rip) # 0x35cc068 1c: 90 nop 1d: 48 c7 c7 20 58 02 88 mov $0xffffffff88025820,%rdi 24: e8 59 4f 2b ff call 0xffffffffff2b4f82 29: 90 nop 2a:* 0f 0b ud2 <-- trapping instruction 2c: 90 nop 2d: 90 nop 2e: eb 1d jmp 0x4d 30: 85 ed test %ebp,%ebp 32: 74 50 je 0x84 34: 0f b6 1d 30 c0 5c 03 movzbl 0x35cc030(%rip),%ebx # 0x35cc06b 3b: 80 fb 01 cmp $0x1,%bl 3e: 0f .byte 0xf 3f: 87 .byte 0x87 Code starting with the faulting instruction =========================================== 0: 0f 0b ud2 2: 90 nop 3: 90 nop 4: eb 1d jmp 0x23 6: 85 ed test %ebp,%ebp 8: 74 50 je 0x5a a: 0f b6 1d 30 c0 5c 03 movzbl 0x35cc030(%rip),%ebx # 0x35cc041 11: 80 fb 01 cmp $0x1,%bl 14: 0f .byte 0xf 15: 87 .byte 0x87 [ 266.345965][ T2602] RSP: 0018:ffffc9000063fa00 EFLAGS: 00010282 [ 266.346304][ T2602] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8550e74f [ 266.346723][ T2602] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000001 [ 266.347133][ T2602] RBP: 0000000000000004 R08: 0000000000000000 R09: fffff520000c7ee5 [ 266.347559][ T2602] R10: ffffc9000063f72f R11: 205d323036325420 R12: ffff888007ab46c8 [ 266.347986][ T2602] R13: ffff888007ab4710 R14: ffff888006ce15c0 R15: dffffc0000000000 [ 266.348417][ T2602] FS: 00007f5ae2281740(0000) GS:ffff888035e00000(0000) knlGS:0000000000000000 [ 266.348894][ T2602] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 266.349267][ T2602] CR2: 000055afd5c1f530 CR3: 0000000007a54002 CR4: 0000000000770ef0 [ 266.349685][ T2602] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 266.350101][ T2602] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 266.350542][ T2602] PKRU: 55555554 [ 266.350748][ T2602] Call Trace: [ 266.350919][ T2602] [ 266.351089][ T2602] ? __warn (kernel/panic.c:677) [ 266.351315][ T2602] ? console_trylock (kernel/printk/printk.c:2659 kernel/printk/printk.c:2654) [ 266.351567][ T2602] ? refcount_warn_saturate (lib/refcount.c:31 (discriminator 3)) [ 266.351858][ T2602] ? report_bug (lib/bug.c:201 lib/bug.c:219) [ 266.352108][ T2602] ? handle_bug (arch/x86/kernel/traps.c:238) [ 266.352347][ T2602] ? exc_invalid_op (arch/x86/kernel/traps.c:259 (discriminator 1)) [ 266.352595][ T2602] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:568) [ 266.352873][ T2602] ? desc_read (./arch/x86/include/asm/atomic64_64.h:20 ./include/linux/atomic/atomic-arch-fallback.h:2615 ./include/linux/atomic/atomic-long.h:79 ./include/linux/atomic/atomic-instrumented.h:3196 kernel/printk/printk_ringbuffer.c:534) [ 266.353102][ T2602] ? refcount_warn_saturate (lib/refcount.c:31 (discriminator 3)) [ 266.353387][ T2602] devl_rate_leaf_destroy (./include/linux/refcount.h:333 ./include/linux/refcount.h:348 net/devlink/rate.c:679) [ 266.353670][ T2602] __nsim_dev_port_del (drivers/net/netdevsim/dev.c:1424) netdevsim [ 266.354005][ T2602] nsim_dev_reload_destroy (drivers/net/netdevsim/dev.c:591 drivers/net/netdevsim/dev.c:1655) netdevsim [ 266.354356][ T2602] nsim_drv_remove (drivers/net/netdevsim/dev.c:1675) netdevsim [ 266.354658][ T2602] device_release_driver_internal (drivers/base/dd.c:1276 drivers/base/dd.c:1297) [ 266.354981][ T2602] ? klist_put (lib/klist.c:220) [ 266.355208][ T2602] bus_remove_device (./include/linux/kobject.h:193 drivers/base/base.h:73 drivers/base/bus.c:581) [ 266.355462][ T2602] device_del (drivers/base/core.c:3815) [ 266.355691][ T2602] ? __pfx_device_del (drivers/base/core.c:3769) [ 266.355939][ T2602] ? lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5756) [ 266.356212][ T2602] ? kernfs_fop_write_iter (fs/kernfs/file.c:326) [ 266.356492][ T2602] device_unregister (drivers/base/core.c:3732 drivers/base/core.c:3856) [ 266.356738][ T2602] del_device_store (drivers/net/netdevsim/bus.c:230) netdevsim [ 266.357049][ T2602] ? __pfx_del_device_store (drivers/net/netdevsim/bus.c:197) netdevsim [ 266.357389][ T2602] ? __pfx_sysfs_kf_write (fs/sysfs/file.c:129) [ 266.357671][ T2602] ? sysfs_file_ops (fs/sysfs/file.c:31 (discriminator 1)) [ 266.357920][ T2602] ? __pfx_sysfs_kf_write (fs/sysfs/file.c:129) [ 266.358189][ T2602] kernfs_fop_write_iter (fs/kernfs/file.c:334) [ 266.358460][ T2602] vfs_write (./include/linux/fs.h:2085 fs/read_write.c:497 fs/read_write.c:590) [ 266.358691][ T2602] ? __pfx_vfs_write (fs/read_write.c:571) [ 266.358933][ T2602] ? hlock_class (./arch/x86/include/asm/bitops.h:227 ./arch/x86/include/asm/bitops.h:239 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228) [ 266.359175][ T2602] ? __pfx___lock_release (kernel/locking/lockdep.c:5406) [ 266.359443][ T2602] ? __fget_light (./include/linux/atomic/atomic-arch-fallback.h:479 ./include/linux/atomic/atomic-instrumented.h:50 fs/file.c:1145) [ 266.359680][ T2602] ksys_write (fs/read_write.c:643) [ 266.359896][ T2602] ? __pfx_ksys_write (fs/read_write.c:633) [ 266.360144][ T2602] ? do_user_addr_fault (./include/linux/rcupdate.h:784 ./include/linux/mm.h:688 arch/x86/mm/fault.c:1366) [ 266.360418][ T2602] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 266.360652][ T2602] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) [ 266.360967][ T2602] RIP: 0033:0x7f5ae23c2957 [ 266.361198][ T2602] Code: 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 All code ======== 0: 0b 00 or (%rax),%eax 2: f7 d8 neg %eax 4: 64 89 02 mov %eax,%fs:(%rdx) 7: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax e: eb b7 jmp 0xffffffffffffffc7 10: 0f 1f 00 nopl (%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 ret 33: 48 83 ec 28 sub $0x28,%rsp 37: 48 89 54 24 18 mov %rdx,0x18(%rsp) 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 74 24 je 0x64 Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 ret 9: 48 83 ec 28 sub $0x28,%rsp d: 48 89 54 24 18 mov %rdx,0x18(%rsp) 12: 48 rex.W 13: 89 .byte 0x89 14: 74 24 je 0x3a [ 266.362181][ T2602] RSP: 002b:00007ffea7cb5e98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 266.362603][ T2602] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f5ae23c2957 [ 266.363007][ T2602] RDX: 0000000000000003 RSI: 000055afd5c1f530 RDI: 0000000000000001 [ 266.363411][ T2602] RBP: 000055afd5c1f530 R08: 0000000000000000 R09: 00007f5ae24354e0 [ 266.363819][ T2602] R10: 00007f5ae24353e0 R11: 0000000000000246 R12: 0000000000000003 Finger prints: dump_stack_lvl:print_report:kasan_report:kasan_check_range refcount_warn_saturate:devl_rate_leaf_destroy:__nsim_dev_port_del:nsim_dev_reload_destroy