====================================== | [ 819.446633][T11719] ------------[ cut here ]------------ | [ 819.446893][T11719] rcuref - imbalanced put() | [ 819.446895][T11719] WARNING: lib/rcuref.c:266 at 0x0, CPU#3: mausezahn/11719 | [ 819.447279][T11719] Modules linked in: act_gact cls_flower sch_ingress vxlan ipt_REJECT nf_reject_ipv4 nft_compat nf_tables [ 819.447892][T11719] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 819.448088][T11719] RIP: 0010:rcuref_put_slowpath (lib/rcuref.c:266 (discriminator 4)) [ 819.448288][T11719] Code: c0 03 38 d0 7c 04 84 d2 75 6a c7 03 00 00 00 a0 31 c0 eb 8f 48 8d 7c 24 20 e8 3b c4 9a ff e9 6e ff ff ff 48 8d 3d 6f fd 40 03 <67> 48 0f b9 3a be 04 00 00 00 48 89 df e8 0d c9 9a ff 48 89 d8 48 All code ======== 0: c0 03 38 rolb $0x38,(%rbx) 3: d0 7c 04 84 sarb $1,-0x7c(%rsp,%rax,1) 7: d2 75 6a shlb %cl,0x6a(%rbp) a: c7 03 00 00 00 a0 movl $0xa0000000,(%rbx) 10: 31 c0 xor %eax,%eax 12: eb 8f jmp 0xffffffffffffffa3 14: 48 8d 7c 24 20 lea 0x20(%rsp),%rdi 19: e8 3b c4 9a ff call 0xffffffffff9ac459 1e: e9 6e ff ff ff jmp 0xffffffffffffff91 23: 48 8d 3d 6f fd 40 03 lea 0x340fd6f(%rip),%rdi # 0x340fd99 2a:* 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction 2f: be 04 00 00 00 mov $0x4,%esi 34: 48 89 df mov %rbx,%rdi 37: e8 0d c9 9a ff call 0xffffffffff9ac949 3c: 48 89 d8 mov %rbx,%rax 3f: 48 rex.W Code starting with the faulting instruction =========================================== 0: 67 48 0f b9 3a ud1 (%edx),%rdi 5: be 04 00 00 00 mov $0x4,%esi a: 48 89 df mov %rbx,%rdi d: e8 0d c9 9a ff call 0xffffffffff9ac91f 12: 48 89 d8 mov %rbx,%rax 15: 48 rex.W [ 819.448812][T11719] RSP: 0018:ffa0000000657320 EFLAGS: 00010206 [ 819.449012][T11719] RAX: 0000000000000000 RBX: ff1100000ed52080 RCX: 0000000000000001 [ 819.449238][T11719] RDX: 0000000000000001 RSI: 00000000dfffffff RDI: ffffffffb46e0e20 [ 819.449457][T11719] RBP: dffffc0000000000 R08: ffffffffb1edc159 R09: ffe21c0001daa410 [ 819.449678][T11719] R10: ffe21c0001daa411 R11: 0000000000000001 R12: ff1100000ed52040 [ 819.449903][T11719] R13: 1ff40000000cae64 R14: ff1100000ed53b40 R15: ff1100000a2cf780 [ 819.450130][T11719] FS: 00007f4f6fcbdc40(0000) GS:ff110000b0b8b000(0000) knlGS:0000000000000000 [ 819.450385][T11719] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 819.450574][T11719] CR2: 000055c9c5001290 CR3: 000000000fd8d003 CR4: 0000000000771ef0 [ 819.450793][T11719] PKRU: 55555554 [ 819.450906][T11719] Call Trace: [ 819.451022][T11719] [ 819.451097][T11719] ? rcuref_get_slowpath (lib/rcuref.c:238) [ 819.451350][T11719] ? __lock_release.isra.0 (kernel/locking/lockdep.c:5536) [ 819.451496][T11719] dst_release (./include/linux/rcuref.h:117 ./include/linux/rcuref.h:173 net/core/dst.c:167) [ 819.451609][T11719] ? __local_bh_enable_ip (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 kernel/softirq.c:455) [ 819.451752][T11719] ? __local_bh_enable_ip (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 kernel/softirq.c:455) [ 819.451895][T11719] rt_cache_route (net/ipv4/route.c:1518) [ 819.452050][T11719] rt_set_nexthop.isra.0 (net/ipv4/route.c:1622 (discriminator 1)) [ 819.452196][T11719] __mkroute_output (./include/net/lwtunnel.h:140 net/ipv4/route.c:2682) [ 819.452341][T11719] ip_route_output_key_hash (net/ipv4/route.c:2705) [ 819.452485][T11719] ? ip_route_output_key_hash_rcu (net/ipv4/route.c:2693) [ 819.452669][T11719] ? mark_held_locks (kernel/locking/lockdep.c:4325 (discriminator 1)) [ 819.452814][T11719] ? __lock_release.isra.0 (kernel/locking/lockdep.c:5536) [ 819.452959][T11719] ip_route_output_flow (net/ipv4/route.c:2934 (discriminator 1)) [ 819.453110][T11719] ? __asan_memset (mm/kasan/shadow.c:84 (discriminator 2)) [ 819.453254][T11719] udp_tunnel_dst_lookup (net/ipv4/udp_tunnel_core.c:261 (discriminator 1)) [ 819.453400][T11719] ? udp_tunnel_sock_release (net/ipv4/udp_tunnel_core.c:237) [ 819.453575][T11719] ? vxlan_xmit_one (./include/linux/rcupdate.h:331 (discriminator 1) ./include/linux/rcupdate.h:867 (discriminator 1) drivers/net/vxlan/vxlan_core.c:2455 (discriminator 1)) vxlan [ 819.453763][T11719] ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 1) kernel/rcu/tree.c:751 (discriminator 1)) [ 819.453959][T11719] vxlan_xmit_one (drivers/net/vxlan/vxlan_core.c:2472 (discriminator 4)) vxlan [ 819.454162][T11719] ? arch_stack_walk (arch/x86/kernel/stacktrace.c:24 (discriminator 3)) [ 819.454367][T11719] ? vxlan_fdb_delete (drivers/net/vxlan/vxlan_core.c:2337) vxlan [ 819.454564][T11719] ? rcu_read_lock_any_held (kernel/rcu/update.c:386 (discriminator 1) kernel/rcu/update.c:380 (discriminator 1)) [ 819.454757][T11719] ? vxlan_find_mac_rcu (./include/linux/rhashtable.h:632 (discriminator 4) ./include/linux/rhashtable.h:670 (discriminator 4) drivers/net/vxlan/vxlan_core.c:392 (discriminator 4)) vxlan [ 819.455001][T11719] ? vxlan_find_sock (drivers/net/vxlan/vxlan_core.c:382) vxlan [ 819.455200][T11719] ? rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 1) kernel/rcu/tree.c:751 (discriminator 1)) [ 819.455395][T11719] ? vxlan_xmit (drivers/net/vxlan/vxlan_core.c:2829) vxlan [ 819.455598][T11719] vxlan_xmit (drivers/net/vxlan/vxlan_core.c:2829) vxlan [ 819.455792][T11719] dev_hard_start_xmit (./include/linux/netdevice.h:5272 ./include/linux/netdevice.h:5281 net/core/dev.c:3853 net/core/dev.c:3869) [ 819.455986][T11719] __dev_queue_xmit (net/core/dev.h:381 net/core/dev.c:4818) [ 819.456180][T11719] ? _copy_from_iter (./arch/x86/include/asm/smap.h:47 ./arch/x86/include/asm/uaccess_64.h:121 ./arch/x86/include/asm/uaccess_64.h:141 lib/iov_iter.c:67 ./include/linux/iov_iter.h:30 ./include/linux/iov_iter.h:302 ./include/linux/iov_iter.h:330 lib/iov_iter.c:261 lib/iov_iter.c:272) [ 819.456373][T11719] ? __alloc_skb (./include/linux/bottom_half.h:20 (discriminator 1) net/core/skbuff.c:672 (discriminator 1)) [ 819.456569][T11719] ? napi_skb_cache_get (net/core/skbuff.c:650) [ 819.456746][T11719] ? __hrtimer_start_range_ns (kernel/time/hrtimer.c:212 kernel/time/hrtimer.c:283 kernel/time/hrtimer.c:1257) [ 819.456926][T11719] ? _copy_from_iter_flushcache (lib/iov_iter.c:266) [ 819.457150][T11719] ? netdev_core_pick_tx (net/core/dev.c:4725) [ 819.457339][T11719] ? packet_parse_headers (./include/linux/skbuff.h:3180 (discriminator 1) net/packet/af_packet.c:1938 (discriminator 1)) [ 819.457541][T11719] ? sock_alloc_send_pskb (net/core/sock.c:2998) [ 819.457738][T11719] packet_snd (net/packet/af_packet.c:3076 (discriminator 1)) [ 819.457935][T11719] ? tpacket_snd (net/packet/af_packet.c:2940) [ 819.458128][T11719] ? __might_fault (mm/memory.c:7129 (discriminator 4)) [ 819.458320][T11719] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) [ 819.458517][T11719] ? __might_fault (mm/memory.c:7129 (discriminator 4)) [ 819.458716][T11719] __sys_sendto (net/socket.c:721 (discriminator 1) net/socket.c:733 (discriminator 1) net/socket.c:2222 (discriminator 1)) [ 819.458909][T11719] ? __ia32_sys_getpeername (net/socket.c:2189) [ 819.459092][T11719] ? sock_ioctl (net/socket.c:1367) [ 819.459272][T11719] ? __x64_sys_clock_gettime (kernel/time/posix-timers.c:1146 (discriminator 2) kernel/time/posix-timers.c:1134 (discriminator 2) kernel/time/posix-timers.c:1134 (discriminator 2)) [ 819.459436][T11719] __x64_sys_sendto (net/socket.c:2229 (discriminator 1) net/socket.c:2225 (discriminator 1) net/socket.c:2225 (discriminator 1)) [ 819.459615][T11719] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4473) [ 819.459813][T11719] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:108 arch/x86/entry/syscall_64.c:90) [ 819.459997][T11719] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 819.460177][T11719] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) [ 819.460406][T11719] RIP: 0033:0x7f4f6fe70c5e [ 819.460614][T11719] Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa All code ======== 0: 4d 89 d8 mov %r11,%r8 3: e8 14 bd 00 00 call 0xbd1c 8: 4c 8b 5d f8 mov -0x8(%rbp),%r11 c: 41 8b 93 08 03 00 00 mov 0x308(%r11),%edx 13: 59 pop %rcx 14: 5e pop %rsi 15: 48 83 f8 fc cmp $0xfffffffffffffffc,%rax 19: 74 11 je 0x2c 1b: c9 leave 1c: c3 ret 1d: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 24: 48 8b 45 10 mov 0x10(%rbp),%rax 28: 0f 05 syscall 2a:* c9 leave <-- trapping instruction 2b: c3 ret 2c: 83 e2 39 and $0x39,%edx 2f: 83 fa 08 cmp $0x8,%edx 32: 75 e7 jne 0x1b 34: e8 13 ff ff ff call 0xffffffffffffff4c 39: 0f 1f 00 nopl (%rax) 3c: f3 0f 1e fa endbr64 Code starting with the faulting instruction =========================================== 0: c9 leave 1: c3 ret 2: 83 e2 39 and $0x39,%edx 5: 83 fa 08 cmp $0x8,%edx 8: 75 e7 jne 0xfffffffffffffff1 a: e8 13 ff ff ff call 0xffffffffffffff22 f: 0f 1f 00 nopl (%rax) 12: f3 0f 1e fa endbr64 [ 819.461286][T11719] RSP: 002b:00007ffd918446d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 819.461580][T11719] RAX: ffffffffffffffda RBX: 000055c9e99a8830 RCX: 00007f4f6fe70c5e [ 819.461869][T11719] RDX: 0000000000000064 RSI: 000055c9e99a8ac2 RDI: 0000000000000005 [ 819.462166][T11719] RBP: 00007ffd918446e0 R08: 00007ffd91844730 R09: 0000000000000014 [ 819.462458][T11719] R10: 0000000000000000 R11: 0000000000000202 R12: 000055c9e99a8ac2 [ 819.462730][T11719] R13: 0000000000000064 R14: 0000000000000005 R15: 000055c9c5020890 | [ 819.758397][ C2] BUG: KASAN: slab-use-after-free in dst_dev_put (net/core/dst.c:146) | [ 819.758562][ C2] Read of size 8 at addr ff1100000ed53b40 by task test_vxlan_nolo/11731 | [ 819.758714][ C2] | [ 819.758774][ C2] Tainted: [W]=WARN [ 819.758775][ C2] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 819.758776][ C2] Call Trace: [ 819.758778][ C2] [ 819.758779][ C2] dump_stack_lvl (lib/dump_stack.c:122) [ 819.758786][ C2] print_address_description.constprop.0 (mm/kasan/report.c:379) [ 819.758790][ C2] print_report (mm/kasan/report.c:483) [ 819.758792][ C2] ? dst_dev_put (net/core/dst.c:146) [ 819.758794][ C2] ? __virt_addr_valid (./include/linux/rcupdate.h:981 (discriminator 3) ./include/linux/mmzone.h:2197 (discriminator 3) arch/x86/mm/physaddr.c:54 (discriminator 3)) [ 819.758798][ C2] ? dst_dev_put (net/core/dst.c:146) [ 819.758800][ C2] kasan_report (mm/kasan/report.c:597) [ 819.758803][ C2] ? dst_dev_put (net/core/dst.c:146) [ 819.758806][ C2] dst_dev_put (net/core/dst.c:146) [ 819.758808][ C2] rt_fibinfo_free_cpus.part.0 (net/ipv4/fib_semantics.c:196) [ 819.758811][ C2] fib_nh_common_release (net/ipv4/fib_semantics.c:141 net/ipv4/fib_semantics.c:207) [ 819.758813][ C2] free_fib_info_rcu (./include/net/nexthop.h:480 net/ipv4/fib_semantics.c:229) [ 819.758815][ C2] ? rcu_do_batch (kernel/rcu/tree.c:2605) [ 819.758819][ C2] rcu_do_batch (./include/linux/rcupdate.h:341 (discriminator 1) kernel/rcu/tree.c:2607 (discriminator 1)) [ 819.758821][ C2] ? rcu_start_this_gp (kernel/rcu/tree.c:1053) [ 819.758824][ C2] ? trace_rcu_batch_end (kernel/rcu/tree.c:2529) [ 819.758826][ C2] ? lockdep_hardirqs_on_prepare.part.0 (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:4411 (discriminator 6)) [ 819.758829][ C2] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4473) [ 819.758833][ C2] rcu_core (kernel/rcu/tree.c:2859) [ 819.758835][ C2] handle_softirqs (./arch/x86/include/asm/jump_label.h:37 ./include/trace/events/irq.h:142 kernel/softirq.c:623) [ 819.758838][ C2] ? tasklet_unlock_wait (kernel/softirq.c:580) [ 819.758840][ C2] irq_exit_rcu (kernel/softirq.c:657 kernel/softirq.c:496 kernel/softirq.c:723 kernel/softirq.c:739) [ 819.758842][ C2] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1056 (discriminator 47) arch/x86/kernel/apic/apic.c:1056 (discriminator 47)) [ 819.758844][ C2] [ 819.758844][ C2] [ 819.758845][ C2] ? __lock_acquire (kernel/locking/lockdep.c:5237 (discriminator 1)) [ 819.758848][ C2] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:697) [ 819.758850][ C2] RIP: 0010:rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 1) kernel/rcu/tree.c:751 (discriminator 1)) [ 819.758853][ C2] Code: 44 00 00 48 c7 c7 40 0e ae b2 e8 eb ea 39 02 65 0f b6 05 57 c1 ac 04 c3 66 90 f3 0f 1e fa 53 48 83 ec 08 65 ff 05 00 3e ab 04 ab ea 39 02 48 c7 c3 90 68 02 b5 89 c2 89 c0 83 fa 3f 0f 87 88 All code ======== 0: 44 00 00 add %r8b,(%rax) 3: 48 c7 c7 40 0e ae b2 mov $0xffffffffb2ae0e40,%rdi a: e8 eb ea 39 02 call 0x239eafa f: 65 0f b6 05 57 c1 ac movzbl %gs:0x4acc157(%rip),%eax # 0x4acc16e 16: 04 17: c3 ret 18: 66 90 xchg %ax,%ax 1a: f3 0f 1e fa endbr64 1e: 53 push %rbx 1f: 48 83 ec 08 sub $0x8,%rsp 23: 65 ff 05 00 3e ab 04 incl %gs:0x4ab3e00(%rip) # 0x4ab3e2a 2a:* e8 ab ea 39 02 call 0x239eada <-- trapping instruction 2f: 48 c7 c3 90 68 02 b5 mov $0xffffffffb5026890,%rbx 36: 89 c2 mov %eax,%edx 38: 89 c0 mov %eax,%eax 3a: 83 fa 3f cmp $0x3f,%edx 3d: 0f .byte 0xf 3e: 87 .byte 0x87 3f: 88 .byte 0x88 Code starting with the faulting instruction =========================================== 0: e8 ab ea 39 02 call 0x239eab0 5: 48 c7 c3 90 68 02 b5 mov $0xffffffffb5026890,%rbx c: 89 c2 mov %eax,%edx e: 89 c0 mov %eax,%eax 10: 83 fa 3f cmp $0x3f,%edx 13: 0f .byte 0xf 14: 87 .byte 0x87 15: 88 .byte 0x88 [ 819.758855][ C2] RSP: 0018:ffa00000008ef9b0 EFLAGS: 00000282 [ 819.758858][ C2] RAX: 0000000000000002 RBX: ffffffffb3d84c20 RCX: 0000000000000000 [ 819.758860][ C2] RDX: 0000000000000003 RSI: ffffffffb030908f RDI: ffffffffb3d84c20 [ 819.758860][ C2] RBP: ffa00000008efe18 R08: ffffffffb4a8b7d8 R09: ffffffffb47be0a4 [ 819.758861][ C2] R10: 0000000000000002 R11: 0000000000000002 R12: 0000000000000001 [ 819.758862][ C2] R13: ffa00000008efae8 R14: ffffffffb030908f R15: ff1100000bcac540 [ 819.758863][ C2] ? unwind_next_frame (./include/linux/rcupdate.h:341 (discriminator 1) ./include/linux/rcupdate.h:897 (discriminator 1) ./include/linux/rcupdate.h:1195 (discriminator 1) arch/x86/kernel/unwind_orc.c:479 (discriminator 1)) [ 819.758866][ C2] ? unwind_next_frame (./include/linux/rcupdate.h:341 (discriminator 1) ./include/linux/rcupdate.h:897 (discriminator 1) ./include/linux/rcupdate.h:1195 (discriminator 1) arch/x86/kernel/unwind_orc.c:479 (discriminator 1)) [ 819.758868][ C2] lock_release (./include/trace/events/lock.h:69 (discriminator 33) kernel/locking/lockdep.c:5879 (discriminator 33)) [ 819.758869][ C2] unwind_next_frame (./include/linux/rcupdate.h:899 ./include/linux/rcupdate.h:1195 arch/x86/kernel/unwind_orc.c:479) [ 819.758871][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.758874][ C2] ? __lock_release.isra.0 (kernel/locking/lockdep.c:5536) [ 819.758876][ C2] ? stack_access_ok (arch/x86/kernel/unwind_orc.c:469) [ 819.758878][ C2] ? __unwind_start (./arch/x86/include/asm/unwind.h:50 arch/x86/kernel/unwind_orc.c:755) [ 819.758879][ C2] ? write_profile (kernel/stacktrace.c:83) [ 819.758883][ C2] arch_stack_walk (arch/x86/kernel/stacktrace.c:24 (discriminator 3)) [ 819.758887][ C2] ? create_init_stack_vma (mm/vma_exec.c:113) [ 819.758890][ C2] stack_trace_save (kernel/stacktrace.c:123) [ 819.758892][ C2] ? stack_trace_snprint (kernel/stacktrace.c:114) [ 819.758894][ C2] ? __lock_release.isra.0 (kernel/locking/lockdep.c:5536) [ 819.758896][ C2] set_track_prepare (mm/slub.c:1047) [ 819.758899][ C2] ? kmem_cache_alloc_noprof (mm/slub.c:4850 mm/slub.c:5246 mm/slub.c:5265) [ 819.758900][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.758903][ C2] ___slab_alloc (mm/slub.c:1078 mm/slub.c:4640) [ 819.758904][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.758906][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.758908][ C2] __slab_alloc.isra.0 (mm/slub.c:4774) [ 819.758910][ C2] kmem_cache_alloc_noprof (mm/slub.c:4850 mm/slub.c:5246 mm/slub.c:5265) [ 819.758911][ C2] ? lock_acquire.part.0 (kernel/locking/lockdep.c:470 kernel/locking/lockdep.c:5870) [ 819.758912][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.758914][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.758916][ C2] vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.758917][ C2] create_init_stack_vma (mm/vma_exec.c:113) [ 819.758919][ C2] alloc_bprm (fs/exec.c:274 fs/exec.c:1465) [ 819.758923][ C2] do_execveat_common.isra.0 (fs/exec.c:1810) [ 819.758925][ C2] __x64_sys_execve (fs/exec.c:2004) [ 819.758927][ C2] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 819.758930][ C2] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) [ 819.758932][ C2] RIP: 0033:0x7f3323d3fd4b [ 819.758934][ C2] Code: 0f 1e fa 48 8b 05 7d 92 12 00 48 8b 10 e9 0d 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa b8 3b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 90 12 00 f7 d8 64 89 01 48 All code ======== 0: 0f 1e fa nop %edx 3: 48 8b 05 7d 92 12 00 mov 0x12927d(%rip),%rax # 0x129287 a: 48 8b 10 mov (%rax),%rdx d: e9 0d 00 00 00 jmp 0x1f 12: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 19: 00 00 00 1c: 0f 1f 00 nopl (%rax) 1f: f3 0f 1e fa endbr64 23: b8 3b 00 00 00 mov $0x3b,%eax 28: 0f 05 syscall 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction 30: 73 01 jae 0x33 32: c3 ret 33: 48 8b 0d 85 90 12 00 mov 0x129085(%rip),%rcx # 0x1290bf 3a: f7 d8 neg %eax 3c: 64 89 01 mov %eax,%fs:(%rcx) 3f: 48 rex.W Code starting with the faulting instruction =========================================== 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax 6: 73 01 jae 0x9 8: c3 ret 9: 48 8b 0d 85 90 12 00 mov 0x129085(%rip),%rcx # 0x129095 10: f7 d8 neg %eax 12: 64 89 01 mov %eax,%fs:(%rcx) 15: 48 rex.W [ 819.758935][ C2] RSP: 002b:00007ffc126c7c48 EFLAGS: 00000206 ORIG_RAX: 000000000000003b [ 819.758937][ C2] RAX: ffffffffffffffda RBX: 000055a9a5d10220 RCX: 00007f3323d3fd4b [ 819.758938][ C2] RDX: 000055a9a5d1d030 RSI: 000055a9a5d0d7f0 RDI: 000055a9a5d10220 [ 819.758939][ C2] RBP: 00007ffc126c7d40 R08: 00007ffc126c7b70 R09: 0000000000000000 [ 819.758940][ C2] R10: 0000000000000008 R11: 0000000000000206 R12: 000055a9a5d10220 [ 819.758940][ C2] R13: 0000000000000020 R14: 000055a9a5d0d7f0 R15: 000055a9a5d1d030 | [ 819.776367][ C2] Disabling lock debugging due to kernel taint | [ 819.776558][ C2] Oops: general protection fault, probably for non-canonical address 0xe0a5fc3580000009: 0000 [#1] SMP KASAN | [ 819.776794][ C2] KASAN: maybe wild-memory-access in range [0x053001ac00000048-0x053001ac0000004f] | [ 819.777183][ C2] Tainted: [B]=BAD_PAGE, [W]=WARN [ 819.777280][ C2] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 819.777404][ C2] RIP: 0010:dst_dev_put (net/core/dst.c:149) [ 819.777506][ C2] Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 2c 02 00 00 48 ba 00 00 00 00 00 fc ff df 48 8b 43 08 48 8d 78 38 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 d8 01 00 00 48 8b 40 38 48 85 c0 74 08 48 89 ee All code ======== 0: fc cld 1: ff lcall (bad) 2: df 48 c1 fisttps -0x3f(%rax) 5: ea (bad) 6: 03 80 3c 02 00 0f add 0xf00023c(%rax),%eax c: 85 2c 02 test %ebp,(%rdx,%rax,1) f: 00 00 add %al,(%rax) 11: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx 18: fc ff df 1b: 48 8b 43 08 mov 0x8(%rbx),%rax 1f: 48 8d 78 38 lea 0x38(%rax),%rdi 23: 48 89 f9 mov %rdi,%rcx 26: 48 c1 e9 03 shr $0x3,%rcx 2a:* 80 3c 11 00 cmpb $0x0,(%rcx,%rdx,1) <-- trapping instruction 2e: 0f 85 d8 01 00 00 jne 0x20c 34: 48 8b 40 38 mov 0x38(%rax),%rax 38: 48 85 c0 test %rax,%rax 3b: 74 08 je 0x45 3d: 48 89 ee mov %rbp,%rsi Code starting with the faulting instruction =========================================== 0: 80 3c 11 00 cmpb $0x0,(%rcx,%rdx,1) 4: 0f 85 d8 01 00 00 jne 0x1e2 a: 48 8b 40 38 mov 0x38(%rax),%rax e: 48 85 c0 test %rax,%rax 11: 74 08 je 0x1b 13: 48 89 ee mov %rbp,%rsi [ 819.777855][ C2] RSP: 0018:ffa0000000218d10 EFLAGS: 00010217 [ 819.777978][ C2] RAX: 053001ac00000016 RBX: ff1100000ed53b40 RCX: 00a6003580000009 [ 819.778120][ C2] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: 053001ac0000004e [ 819.778263][ C2] RBP: ff1100000d28cc38 R08: 0000000000000008 R09: fffffbfff6a0c2c4 [ 819.778405][ C2] R10: fffffbfff6a0c2c5 R11: 0000000000000000 R12: 1fe2200001459eed [ 819.778554][ C2] R13: 0000000000000003 R14: 0000000000000001 R15: ff1100000a2cf770 [ 819.778698][ C2] FS: 00007f3323c7db80(0000) GS:ff110000b0b0b000(0000) knlGS:0000000000000000 [ 819.778864][ C2] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 819.778984][ C2] CR2: 00007f3323e3ba88 CR3: 00000000158a6006 CR4: 0000000000771ef0 [ 819.779128][ C2] PKRU: 55555554 [ 819.779203][ C2] Call Trace: [ 819.779277][ C2] [ 819.779328][ C2] rt_fibinfo_free_cpus.part.0 (net/ipv4/fib_semantics.c:196) [ 819.779429][ C2] fib_nh_common_release (net/ipv4/fib_semantics.c:141 net/ipv4/fib_semantics.c:207) [ 819.779527][ C2] free_fib_info_rcu (./include/net/nexthop.h:480 net/ipv4/fib_semantics.c:229) [ 819.779634][ C2] ? rcu_do_batch (kernel/rcu/tree.c:2605) [ 819.779735][ C2] rcu_do_batch (./include/linux/rcupdate.h:341 (discriminator 1) kernel/rcu/tree.c:2607 (discriminator 1)) [ 819.779832][ C2] ? rcu_start_this_gp (kernel/rcu/tree.c:1053) [ 819.779932][ C2] ? trace_rcu_batch_end (kernel/rcu/tree.c:2529) [ 819.780030][ C2] ? lockdep_hardirqs_on_prepare.part.0 (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:4411 (discriminator 6)) [ 819.780150][ C2] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4473) [ 819.780247][ C2] rcu_core (kernel/rcu/tree.c:2859) [ 819.780320][ C2] handle_softirqs (./arch/x86/include/asm/jump_label.h:37 ./include/trace/events/irq.h:142 kernel/softirq.c:623) [ 819.780420][ C2] ? tasklet_unlock_wait (kernel/softirq.c:580) [ 819.780520][ C2] irq_exit_rcu (kernel/softirq.c:657 kernel/softirq.c:496 kernel/softirq.c:723 kernel/softirq.c:739) [ 819.780599][ C2] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1056 (discriminator 47) arch/x86/kernel/apic/apic.c:1056 (discriminator 47)) [ 819.780698][ C2] [ 819.780752][ C2] [ 819.780803][ C2] ? __lock_acquire (kernel/locking/lockdep.c:5237 (discriminator 1)) [ 819.780901][ C2] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:697) [ 819.781020][ C2] RIP: 0010:rcu_is_watching (./include/linux/context_tracking.h:128 (discriminator 1) kernel/rcu/tree.c:751 (discriminator 1)) [ 819.781121][ C2] Code: 44 00 00 48 c7 c7 40 0e ae b2 e8 eb ea 39 02 65 0f b6 05 57 c1 ac 04 c3 66 90 f3 0f 1e fa 53 48 83 ec 08 65 ff 05 00 3e ab 04 ab ea 39 02 48 c7 c3 90 68 02 b5 89 c2 89 c0 83 fa 3f 0f 87 88 All code ======== 0: 44 00 00 add %r8b,(%rax) 3: 48 c7 c7 40 0e ae b2 mov $0xffffffffb2ae0e40,%rdi a: e8 eb ea 39 02 call 0x239eafa f: 65 0f b6 05 57 c1 ac movzbl %gs:0x4acc157(%rip),%eax # 0x4acc16e 16: 04 17: c3 ret 18: 66 90 xchg %ax,%ax 1a: f3 0f 1e fa endbr64 1e: 53 push %rbx 1f: 48 83 ec 08 sub $0x8,%rsp 23: 65 ff 05 00 3e ab 04 incl %gs:0x4ab3e00(%rip) # 0x4ab3e2a 2a:* e8 ab ea 39 02 call 0x239eada <-- trapping instruction 2f: 48 c7 c3 90 68 02 b5 mov $0xffffffffb5026890,%rbx 36: 89 c2 mov %eax,%edx 38: 89 c0 mov %eax,%eax 3a: 83 fa 3f cmp $0x3f,%edx 3d: 0f .byte 0xf 3e: 87 .byte 0x87 3f: 88 .byte 0x88 Code starting with the faulting instruction =========================================== 0: e8 ab ea 39 02 call 0x239eab0 5: 48 c7 c3 90 68 02 b5 mov $0xffffffffb5026890,%rbx c: 89 c2 mov %eax,%edx e: 89 c0 mov %eax,%eax 10: 83 fa 3f cmp $0x3f,%edx 13: 0f .byte 0xf 14: 87 .byte 0x87 15: 88 .byte 0x88 [ 819.781457][ C2] RSP: 0018:ffa00000008ef9b0 EFLAGS: 00000282 [ 819.781583][ C2] RAX: 0000000000000002 RBX: ffffffffb3d84c20 RCX: 0000000000000000 [ 819.781726][ C2] RDX: 0000000000000003 RSI: ffffffffb030908f RDI: ffffffffb3d84c20 [ 819.781871][ C2] RBP: ffa00000008efe18 R08: ffffffffb4a8b7d8 R09: ffffffffb47be0a4 [ 819.782015][ C2] R10: 0000000000000002 R11: 0000000000000002 R12: 0000000000000001 [ 819.782160][ C2] R13: ffa00000008efae8 R14: ffffffffb030908f R15: ff1100000bcac540 [ 819.782304][ C2] ? unwind_next_frame (./include/linux/rcupdate.h:341 (discriminator 1) ./include/linux/rcupdate.h:897 (discriminator 1) ./include/linux/rcupdate.h:1195 (discriminator 1) arch/x86/kernel/unwind_orc.c:479 (discriminator 1)) [ 819.782402][ C2] ? unwind_next_frame (./include/linux/rcupdate.h:341 (discriminator 1) ./include/linux/rcupdate.h:897 (discriminator 1) ./include/linux/rcupdate.h:1195 (discriminator 1) arch/x86/kernel/unwind_orc.c:479 (discriminator 1)) [ 819.782503][ C2] lock_release (./include/trace/events/lock.h:69 (discriminator 33) kernel/locking/lockdep.c:5879 (discriminator 33)) [ 819.782602][ C2] unwind_next_frame (./include/linux/rcupdate.h:899 ./include/linux/rcupdate.h:1195 arch/x86/kernel/unwind_orc.c:479) [ 819.782700][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.782799][ C2] ? __lock_release.isra.0 (kernel/locking/lockdep.c:5536) [ 819.782895][ C2] ? stack_access_ok (arch/x86/kernel/unwind_orc.c:469) [ 819.782991][ C2] ? __unwind_start (./arch/x86/include/asm/unwind.h:50 arch/x86/kernel/unwind_orc.c:755) [ 819.783088][ C2] ? write_profile (kernel/stacktrace.c:83) [ 819.783187][ C2] arch_stack_walk (arch/x86/kernel/stacktrace.c:24 (discriminator 3)) [ 819.783287][ C2] ? create_init_stack_vma (mm/vma_exec.c:113) [ 819.783384][ C2] stack_trace_save (kernel/stacktrace.c:123) [ 819.783481][ C2] ? stack_trace_snprint (kernel/stacktrace.c:114) [ 819.783634][ C2] ? __lock_release.isra.0 (kernel/locking/lockdep.c:5536) [ 819.783729][ C2] set_track_prepare (mm/slub.c:1047) [ 819.783829][ C2] ? kmem_cache_alloc_noprof (mm/slub.c:4850 mm/slub.c:5246 mm/slub.c:5265) [ 819.783926][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.784074][ C2] ___slab_alloc (mm/slub.c:1078 mm/slub.c:4640) [ 819.784171][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.784267][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.784364][ C2] __slab_alloc.isra.0 (mm/slub.c:4774) [ 819.784510][ C2] kmem_cache_alloc_noprof (mm/slub.c:4850 mm/slub.c:5246 mm/slub.c:5265) [ 819.784610][ C2] ? lock_acquire.part.0 (kernel/locking/lockdep.c:470 kernel/locking/lockdep.c:5870) [ 819.784706][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.784804][ C2] ? vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.784951][ C2] vm_area_alloc (mm/vma_init.c:32 (discriminator 4)) [ 819.785049][ C2] create_init_stack_vma (mm/vma_exec.c:113) [ 819.785147][ C2] alloc_bprm (fs/exec.c:274 fs/exec.c:1465) [ 819.785221][ C2] do_execveat_common.isra.0 (fs/exec.c:1810) [ 819.785366][ C2] __x64_sys_execve (fs/exec.c:2004) [ 819.785463][ C2] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 819.785566][ C2] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) [ 819.785686][ C2] RIP: 0033:0x7f3323d3fd4b [ 819.785835][ C2] Code: 0f 1e fa 48 8b 05 7d 92 12 00 48 8b 10 e9 0d 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa b8 3b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 90 12 00 f7 d8 64 89 01 48 All code ======== 0: 0f 1e fa nop %edx 3: 48 8b 05 7d 92 12 00 mov 0x12927d(%rip),%rax # 0x129287 a: 48 8b 10 mov (%rax),%rdx d: e9 0d 00 00 00 jmp 0x1f 12: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 19: 00 00 00 1c: 0f 1f 00 nopl (%rax) 1f: f3 0f 1e fa endbr64 23: b8 3b 00 00 00 mov $0x3b,%eax 28: 0f 05 syscall 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction 30: 73 01 jae 0x33 32: c3 ret 33: 48 8b 0d 85 90 12 00 mov 0x129085(%rip),%rcx # 0x1290bf 3a: f7 d8 neg %eax 3c: 64 89 01 mov %eax,%fs:(%rcx) 3f: 48 rex.W Code starting with the faulting instruction =========================================== 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax 6: 73 01 jae 0x9 8: c3 ret 9: 48 8b 0d 85 90 12 00 mov 0x129085(%rip),%rcx # 0x129095 10: f7 d8 neg %eax 12: 64 89 01 mov %eax,%fs:(%rcx) 15: 48 rex.W [ 819.786219][ C2] RSP: 002b:00007ffc126c7c48 EFLAGS: 00000206 ORIG_RAX: 000000000000003b [ 819.786365][ C2] RAX: ffffffffffffffda RBX: 000055a9a5d10220 RCX: 00007f3323d3fd4b [ 819.786511][ C2] RDX: 000055a9a5d1d030 RSI: 000055a9a5d0d7f0 RDI: 000055a9a5d10220 [ 819.786708][ C2] RBP: 00007ffc126c7d40 R08: 00007ffc126c7b70 R09: 0000000000000000 [ 819.786854][ C2] R10: 0000000000000008 R11: 0000000000000206 R12: 000055a9a5d10220 Finger prints: print_report:kasan_report:dst_dev_put:fib_nh_common_release:free_fib_info_rcu rcuref_put_slowpath:dst_release:rt_cache_route:__mkroute_output:ip_route_output_key_hash dst_dev_put:fib_nh_common_release:free_fib_info_rcu:rcu_do_batch:rcu_core