[ 1365.350562][T21881] gre: GRE over IPv4 demultiplexer driver
[ 1366.135028][T21904] ip_gre: GRE over IPv4 tunneling driver
[ 1368.337110][ T12] ==================================================================
[ 1368.337327][ T12] BUG: KASAN: slab-use-after-free in idr_for_each+0x1c1/0x1f0
[ 1368.337508][ T12] Read of size 8 at addr ff1100001bc5fb48 by task kworker/u16:0/12
[ 1368.337684][ T12]
[ 1368.337747][ T12] CPU: 3 UID: 0 PID: 12 Comm: kworker/u16:0 Not tainted 6.19.0-rc7-virtme #1 PREEMPT(full)
[ 1368.337751][ T12] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1368.337754][ T12] Workqueue: netns cleanup_net
[ 1368.337761][ T12] Call Trace:
[ 1368.337763][ T12]
[ 1368.337766][ T12] dump_stack_lvl+0x6f/0xa0
[ 1368.337772][ T12] print_address_description.constprop.0+0x6e/0x300
[ 1368.337778][ T12] print_report+0xfc/0x1fb
[ 1368.337780][ T12] ? idr_for_each+0x1c1/0x1f0
[ 1368.337784][ T12] ? __virt_addr_valid+0x1da/0x430
[ 1368.337788][ T12] ? idr_for_each+0x1c1/0x1f0
[ 1368.337791][ T12] kasan_report+0xe8/0x120
[ 1368.337796][ T12] ? idr_for_each+0x1c1/0x1f0
[ 1368.337799][ T12] ? rtnl_net_notifyid+0x1a0/0x1a0
[ 1368.337802][ T12] idr_for_each+0x1c1/0x1f0
[ 1368.337805][ T12] ? idr_find+0x70/0x70
[ 1368.337808][ T12] ? __lock_release.isra.0+0x59/0x170
[ 1368.337813][ T12] ? __up_write+0x283/0x4f0
[ 1368.337816][ T12] ? cleanup_net+0x1f6/0x880
[ 1368.337819][ T12] cleanup_net+0x264/0x880
[ 1368.337822][ T12] ? lock_acquire.part.0+0xbc/0x260
[ 1368.337824][ T12] ? process_one_work+0xd16/0x1390
[ 1368.337828][ T12] ? net_passive_dec+0x190/0x190
[ 1368.337831][ T12] ? rcu_is_watching+0x15/0xd0
[ 1368.337835][ T12] ? process_one_work+0xd16/0x1390
[ 1368.337838][ T12] ? lock_acquire+0x10a/0x150
[ 1368.337840][ T12] ? rcu_is_watching+0x15/0xd0
[ 1368.337843][ T12] process_one_work+0xd57/0x1390
[ 1368.337848][ T12] ? pwq_dec_nr_in_flight+0x700/0x700
[ 1368.337851][ T12] ? lock_acquire.part.0+0xbc/0x260
[ 1368.337855][ T12] ? assign_work+0x152/0x380
[ 1368.337858][ T12] worker_thread+0x4d6/0xd40
[ 1368.337863][ T12] ? process_one_work+0x1390/0x1390
[ 1368.337866][ T12] kthread+0x355/0x5b0
[ 1368.337870][ T12] ? kthread_is_per_cpu+0xe0/0xe0
[ 1368.337873][ T12] ? __lock_release.isra.0+0x59/0x170
[ 1368.337875][ T12] ? rcu_is_watching+0x15/0xd0
[ 1368.337878][ T12] ? kthread_is_per_cpu+0xe0/0xe0
[ 1368.337881][ T12] ret_from_fork+0x3fb/0x510
[ 1368.337885][ T12] ? arch_exit_to_user_mode_prepare.isra.0+0x140/0x140
[ 1368.337889][ T12] ? __switch_to+0x53c/0xd00
[ 1368.337892][ T12] ? kthread_is_per_cpu+0xe0/0xe0
[ 1368.337895][ T12] ret_from_fork_asm+0x11/0x20
[ 1368.337901][ T12]
[ 1368.337903][ T12]
[ 1368.342942][ T12] Allocated by task 21950:
[ 1368.343066][ T12] kasan_save_stack+0x30/0x50
[ 1368.343187][ T12] kasan_save_track+0x14/0x30
[ 1368.343306][ T12] __kasan_slab_alloc+0x5f/0x70
[ 1368.343423][ T12] kmem_cache_alloc_noprof+0x226/0x6e0
[ 1368.343538][ T12] radix_tree_node_alloc.constprop.0+0x176/0x340
[ 1368.343682][ T12] idr_get_free+0x326/0x840
[ 1368.343796][ T12] idr_alloc_u32+0x14a/0x2e0
[ 1368.343910][ T12] idr_alloc+0x7d/0xc0
[ 1368.344000][ T12] peernet2id_alloc+0x22c/0x340
[ 1368.344115][ T12] rtnl_fill_ifinfo.isra.0+0x1658/0x2e90
[ 1368.344235][ T12] rtnl_getlink+0x5aa/0x9a0
[ 1368.344350][ T12] rtnetlink_rcv_msg+0x2f3/0xb90
[ 1368.344463][ T12] netlink_rcv_skb+0x123/0x380
[ 1368.344577][ T12] netlink_unicast+0x4a3/0x770
[ 1368.344692][ T12] netlink_sendmsg+0x735/0xc60
[ 1368.344806][ T12] ____sys_sendmsg+0x419/0x850
[ 1368.344924][ T12] ___sys_sendmsg+0xfd/0x180
[ 1368.345039][ T12] __sys_sendmsg+0x124/0x1c0
[ 1368.345154][ T12] do_syscall_64+0xbd/0xfc0
[ 1368.345277][ T12] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1368.345417][ T12]
[ 1368.345476][ T12] Freed by task 12:
[ 1368.345563][ T12] kasan_save_stack+0x30/0x50
[ 1368.345678][ T12] kasan_save_track+0x14/0x30
[ 1368.345793][ T12] kasan_save_free_info+0x3b/0x60
[ 1368.345909][ T12] __kasan_slab_free+0x43/0x70
[ 1368.346024][ T12] kmem_cache_free+0xfe/0x5e0
[ 1368.346138][ T12] rcu_do_batch+0x28b/0xfe0
[ 1368.346260][ T12] rcu_core+0x2b4/0x5f0
[ 1368.346346][ T12] handle_softirqs+0x1d7/0x840
[ 1368.346461][ T12] irq_exit_rcu+0xa2/0xf0
[ 1368.346547][ T12] sysvec_apic_timer_interrupt+0x9d/0xe0
[ 1368.346663][ T12] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 1368.346803][ T12]
[ 1368.346862][ T12] Last potentially related work creation:
[ 1368.346979][ T12] kasan_save_stack+0x30/0x50
[ 1368.347096][ T12] kasan_record_aux_stack+0x8c/0xa0
[ 1368.347212][ T12] __call_rcu_common.constprop.0+0xa6/0xa00
[ 1368.347359][ T12] delete_node+0x198/0x810
[ 1368.347475][ T12] radix_tree_delete_item+0xc5/0x1b0
[ 1368.347596][ T12] unhash_nsid_callback+0xb4/0x100
[ 1368.347712][ T12] idr_for_each+0x108/0x1f0
[ 1368.347828][ T12] cleanup_net+0x264/0x880
[ 1368.347945][ T12] process_one_work+0xd57/0x1390
[ 1368.348061][ T12] worker_thread+0x4d6/0xd40
[ 1368.348179][ T12] kthread+0x355/0x5b0
[ 1368.348269][ T12] ret_from_fork+0x3fb/0x510
[ 1368.348388][ T12] ret_from_fork_asm+0x11/0x20
[ 1368.348503][ T12]
[ 1368.348563][ T12] The buggy address belongs to the object at ff1100001bc5fb18
[ 1368.348563][ T12] which belongs to the cache radix_tree_node of size 576
[ 1368.348867][ T12] The buggy address is located 48 bytes inside of
[ 1368.348867][ T12] freed 576-byte region [ff1100001bc5fb18, ff1100001bc5fd58)
[ 1368.349147][ T12]
[ 1368.349205][ T12] The buggy address belongs to the physical page:
[ 1368.349350][ T12] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bc5c
[ 1368.349560][ T12] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1368.349738][ T12] flags: 0x80000000000040(head|node=0|zone=1)
[ 1368.349886][ T12] page_type: f5(slab)
[ 1368.349978][ T12] raw: 0080000000000040 ff11000001043700 ffd400000028b710 ffd40000006f7810
[ 1368.350185][ T12] raw: 0000000000000000 0000000000160016 00000000f5000000 0000000000000000
[ 1368.350393][ T12] head: 0080000000000040 ff11000001043700 ffd400000028b710 ffd40000006f7810
[ 1368.350602][ T12] head: 0000000000000000 0000000000160016 00000000f5000000 0000000000000000
[ 1368.350804][ T12] head: 0080000000000002 ffd40000006f1701 00000000ffffffff 00000000ffffffff
[ 1368.351007][ T12] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1368.351209][ T12] page dumped because: kasan: bad access detected
[ 1368.351363][ T12]
[ 1368.351423][ T12] Memory state around the buggy address:
[ 1368.351536][ T12]  ff1100001bc5fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1368.351706][ T12]  ff1100001bc5fa80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1368.351877][ T12] >ff1100001bc5fb00: fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb
[ 1368.352048][ T12]                                               ^
[ 1368.352185][ T12]  ff1100001bc5fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1368.352356][ T12]  ff1100001bc5fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1368.352521][ T12] ==================================================================
[ 1368.352694][ T12] Disabling lock debugging due to kernel taint
[ 1380.567117][T22477] ip6_gre: GRE over IPv6 tunneling driver
[ 1389.313597][ C3] ip6_tunnel: tep0 xmit: Local address not yet configured!
[ 1391.105585][ C0] ip6_tunnel: tep0 xmit: Local address not yet configured!
[ 1392.769590][ C0] ip6_tunnel: tep0 xmit: Local address not yet configured!
[ 1394.625566][ C2] ip6_tunnel: tep0 xmit: Local address not yet configured!