====================================== | xx__-> [ 17.145512][ T233] ================================================================== | [ 17.145830][ T233] BUG: KASAN: use-after-free in kobject_put (lib/kobject.c:733) | [ 17.146055][ T233] Read of size 1 at addr ffff888004e5068c by task packetdrill/233 | [ 17.146331][ T233] [ 17.146436][ T233] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 17.146438][ T233] Call Trace: [ 17.146439][ T233] [ 17.146442][ T233] dump_stack_lvl (lib/dump_stack.c:123) [ 17.146449][ T233] print_address_description.constprop.0 (mm/kasan/report.c:379) [ 17.146458][ T233] ? kobject_put (lib/kobject.c:733) [ 17.146462][ T233] print_report (mm/kasan/report.c:483) [ 17.146465][ T233] ? kobject_put (lib/kobject.c:733) [ 17.146468][ T233] ? kasan_addr_to_slab (./include/linux/mm.h:1245 mm/kasan/../slab.h:191 mm/kasan/common.c:47) [ 17.146472][ T233] ? kobject_put (lib/kobject.c:733) [ 17.146475][ T233] kasan_report (mm/kasan/report.c:597) [ 17.146479][ T233] ? kobject_put (lib/kobject.c:733) [ 17.146485][ T233] kobject_put (lib/kobject.c:733) [ 17.146488][ T233] netdev_run_todo (./include/linux/list.h:381 net/core/dev.c:11670) [ 17.146495][ T233] ? rtnl_is_locked (net/core/rtnetlink.c:169) [ 17.146502][ T233] ? generic_xdp_install (net/core/dev.c:11630) [ 17.146508][ T233] ? kfree (mm/slub.c:6630 mm/slub.c:6837) [ 17.146519][ T233] tun_chr_close (./include/net/sock.h:1990 drivers/net/tun.c:643 drivers/net/tun.c:3436) [ 17.146528][ T233] __fput (fs/file_table.c:468) [ 17.146536][ T233] task_work_run (kernel/task_work.c:229 (discriminator 1)) [ 17.146544][ T233] ? task_work_cancel (kernel/task_work.c:195) [ 17.146547][ T233] ? kmem_cache_free (mm/slub.c:6630 mm/slub.c:6740) [ 17.146550][ T233] ? refcount_dec_and_lock (lib/refcount.c:146) [ 17.146557][ T233] ? do_exit (./include/linux/task_work.h:40 kernel/exit.c:966) [ 17.146564][ T233] do_exit (kernel/exit.c:967) [ 17.146567][ T233] ? stack_not_used (kernel/exit.c:898) [ 17.146569][ T233] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 17.146575][ T233] ? get_signal (./include/linux/cgroup.h:804 kernel/signal.c:2999) [ 17.146580][ T233] ? __lock_release (kernel/locking/lockdep.c:5536) [ 17.146584][ T233] do_group_exit (kernel/exit.c:1088) [ 17.146588][ T233] get_signal (kernel/signal.c:701 kernel/signal.c:2912) [ 17.146592][ T233] ? hrtimer_cb_get_time (kernel/time/hrtimer.c:2006) [ 17.146600][ T233] ? __might_fault (mm/memory.c:7081 mm/memory.c:7075) [ 17.146606][ T233] ? ptrace_signal (kernel/signal.c:2800) [ 17.146610][ T233] ? do_futex (kernel/futex/syscalls.c:130) [ 17.146617][ T233] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337) [ 17.146625][ T233] ? get_sigframe_size (arch/x86/kernel/signal.c:334) [ 17.146628][ T233] ? __x64_sys_futex (kernel/futex/syscalls.c:207 kernel/futex/syscalls.c:188 kernel/futex/syscalls.c:188) [ 17.146632][ T233] ? fput (./arch/x86/include/asm/preempt.h:104 ./include/linux/preempt.h:470 ./include/linux/file_ref.h:150 fs/file_table.c:544) [ 17.146636][ T233] ? do_futex (kernel/futex/syscalls.c:188) [ 17.146640][ T233] ? vfs_write (fs/read_write.c:705) [ 17.146643][ T233] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) [ 17.146650][ T233] exit_to_user_mode_loop (kernel/entry/common.c:42) [ 17.146655][ T233] do_syscall_64 (./include/linux/irq-entry-common.h:225 ./include/linux/entry-common.h:175 ./include/linux/entry-common.h:210 arch/x86/entry/syscall_64.c:100) [ 17.146660][ T233] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 17.146664][ T233] RIP: 0033:0x4d7f9a [ 17.146667][ T233] Code: Unable to access opcode bytes at 0x4d7f70. Code starting with the faulting instruction =========================================== [ 17.146668][ T233] RSP: 002b:00007fffce746910 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 17.146672][ T233] RAX: fffffffffffffdfc RBX: 0000000000000000 RCX: 00000000004d7f9a [ 17.146674][ T233] RDX: 0000000000000000 RSI: 0000000000000189 RDI: 000000000e8c2350 [ 17.146676][ T233] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000ffffffff [ 17.146677][ T233] R10: 00007fffce746a20 R11: 0000000000000246 R12: 0000000000000000 [ 17.146679][ T233] R13: 00007fffce746980 R14: 000000000e8c2350 R15: 0000000000000000 | [ 17.161533][ T233] refcount_t: underflow; use-after-free. | [ 17.161734][ T233] WARNING: CPU: 0 PID: 233 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) | [ 17.162329][ T233] Modules linked in: | [ 17.163102][ T233] Tainted: [B]=BAD_PAGE [ 17.163485][ T233] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 17.163847][ T233] RIP: 0010:refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) [ 17.164198][ T233] Code: 3f 92 02 80 fb 01 0f 87 bb b9 d9 fe 83 e3 01 0f 85 51 ff ff ff c6 05 5e 3f 92 02 01 90 48 c7 c7 20 8d 25 b1 e8 32 bf 18 ff 90 <0f> 0b 90 90 e9 33 ff ff ff 48 89 df e8 b0 63 a1 ff e9 ba fe ff ff All code ======== 0: 3f (bad) 1: 92 xchg %eax,%edx 2: 02 80 fb 01 0f 87 add -0x78f0fe05(%rax),%al 8: bb b9 d9 fe 83 mov $0x83fed9b9,%ebx d: e3 01 jrcxz 0x10 f: 0f 85 51 ff ff ff jne 0xffffffffffffff66 15: c6 05 5e 3f 92 02 01 movb $0x1,0x2923f5e(%rip) # 0x2923f7a 1c: 90 nop 1d: 48 c7 c7 20 8d 25 b1 mov $0xffffffffb1258d20,%rdi 24: e8 32 bf 18 ff call 0xffffffffff18bf5b 29: 90 nop 2a:* 0f 0b ud2 <-- trapping instruction 2c: 90 nop 2d: 90 nop 2e: e9 33 ff ff ff jmp 0xffffffffffffff66 33: 48 89 df mov %rbx,%rdi 36: e8 b0 63 a1 ff call 0xffffffffffa163eb 3b: e9 ba fe ff ff jmp 0xfffffffffffffefa Code starting with the faulting instruction =========================================== 0: 0f 0b ud2 2: 90 nop 3: 90 nop 4: e9 33 ff ff ff jmp 0xffffffffffffff3c 9: 48 89 df mov %rbx,%rdi c: e8 b0 63 a1 ff call 0xffffffffffa163c1 11: e9 ba fe ff ff jmp 0xfffffffffffffed0 [ 17.165410][ T233] RSP: 0018:ffffc90000b079f0 EFLAGS: 00010286 [ 17.165777][ T233] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 17.166397][ T233] RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000001 [ 17.166827][ T233] RBP: 0000000000000003 R08: 0000000000000000 R09: fffffbfff637e134 [ 17.167437][ T233] R10: 0000000000000003 R11: ffffc90000b07580 R12: 0000000000000001 [ 17.167874][ T233] R13: dffffc0000000000 R14: dead000000000122 R15: dead000000000100 [ 17.168307][ T233] FS: 0000000000000000(0000) GS:ffff88808321a000(0000) knlGS:0000000000000000 [ 17.168992][ T233] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 17.169309][ T233] CR2: 00007f172d876000 CR3: 0000000030535006 CR4: 0000000000772ef0 [ 17.169717][ T233] PKRU: 55555554 [ 17.170100][ T233] Call Trace: [ 17.170306][ T233] [ 17.170458][ T233] netdev_run_todo (./include/linux/list.h:381 net/core/dev.c:11670) [ 17.170721][ T233] ? rtnl_is_locked (net/core/rtnetlink.c:169) [ 17.171010][ T233] ? generic_xdp_install (net/core/dev.c:11630) [ 17.171454][ T233] ? kfree (mm/slub.c:6630 mm/slub.c:6837) [ 17.171666][ T233] tun_chr_close (./include/net/sock.h:1990 drivers/net/tun.c:643 drivers/net/tun.c:3436) [ 17.171935][ T233] __fput (fs/file_table.c:468) [ 17.172155][ T233] task_work_run (kernel/task_work.c:229 (discriminator 1)) [ 17.172447][ T233] ? task_work_cancel (kernel/task_work.c:195) [ 17.172722][ T233] ? kmem_cache_free (mm/slub.c:6630 mm/slub.c:6740) [ 17.173003][ T233] ? refcount_dec_and_lock (lib/refcount.c:146) [ 17.173293][ T233] ? do_exit (./include/linux/task_work.h:40 kernel/exit.c:966) [ 17.173723][ T233] do_exit (kernel/exit.c:967) [ 17.173945][ T233] ? stack_not_used (kernel/exit.c:898) [ 17.174225][ T233] ? find_held_lock (kernel/locking/lockdep.c:5350) [ 17.174516][ T233] ? get_signal (./include/linux/cgroup.h:804 kernel/signal.c:2999) [ 17.174797][ T233] ? __lock_release (kernel/locking/lockdep.c:5536) [ 17.175260][ T233] do_group_exit (kernel/exit.c:1088) [ 17.175595][ T233] get_signal (kernel/signal.c:701 kernel/signal.c:2912) [ 17.175888][ T233] ? hrtimer_cb_get_time (kernel/time/hrtimer.c:2006) [ 17.176161][ T233] ? __might_fault (mm/memory.c:7081 mm/memory.c:7075) [ 17.176650][ T233] ? ptrace_signal (kernel/signal.c:2800) [ 17.176901][ T233] ? do_futex (kernel/futex/syscalls.c:130) [ 17.177102][ T233] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337) [ 17.177380][ T233] ? get_sigframe_size (arch/x86/kernel/signal.c:334) [ 17.177665][ T233] ? __x64_sys_futex (kernel/futex/syscalls.c:207 kernel/futex/syscalls.c:188 kernel/futex/syscalls.c:188) [ 17.177845][ T233] ? fput (./arch/x86/include/asm/preempt.h:104 ./include/linux/preempt.h:470 ./include/linux/file_ref.h:150 fs/file_table.c:544) [ 17.177996][ T233] ? do_futex (kernel/futex/syscalls.c:188) [ 17.178127][ T233] ? vfs_write (fs/read_write.c:705) [ 17.178303][ T233] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) [ 17.178595][ T233] exit_to_user_mode_loop (kernel/entry/common.c:42) [ 17.178773][ T233] do_syscall_64 (./include/linux/irq-entry-common.h:225 ./include/linux/entry-common.h:175 ./include/linux/entry-common.h:210 arch/x86/entry/syscall_64.c:100) [ 17.179009][ T233] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 17.179320][ T233] RIP: 0033:0x4d7f9a [ 17.179475][ T233] Code: Unable to access opcode bytes at 0x4d7f70. Code starting with the faulting instruction =========================================== [ 17.179707][ T233] RSP: 002b:00007fffce746910 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 17.179980][ T233] RAX: fffffffffffffdfc RBX: 0000000000000000 RCX: 00000000004d7f9a [ 17.180341][ T233] RDX: 0000000000000000 RSI: 0000000000000189 RDI: 000000000e8c2350 [ 17.180611][ T233] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000ffffffff [ 17.180987][ T233] R10: 00007fffce746a20 R11: 0000000000000246 R12: 0000000000000000 Finger prints: print_report:kasan_report:kobject_put:netdev_run_todo:tun_chr_close refcount_warn_saturate:netdev_run_todo:tun_chr_close:__fput:task_work_run