[ 1923.446244][T19682] ==================================================================
[ 1923.446398][T19682] BUG: KASAN: slab-use-after-free in ip6_pol_route+0x78c/0x9c0
[ 1923.446526][T19682] Read of size 4 at addr ff110000167947d8 by task cmsg_sender/19682
[ 1923.446639][T19682]
[ 1923.446682][T19682] CPU: 3 UID: 0 PID: 19682 Comm: cmsg_sender Not tainted 7.0.0-virtme #1 PREEMPT(full)
[ 1923.446685][T19682] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1923.446687][T19682] Call Trace:
[ 1923.446688][T19682]  <TASK>
[ 1923.446689][T19682] dump_stack_lvl+0x6f/0xa0
[ 1923.446695][T19682] print_address_description.constprop.0+0x73/0x300
[ 1923.446700][T19682] print_report+0xfc/0x1fa
[ 1923.446702][T19682] ? __virt_addr_valid+0x102/0x440
[ 1923.446706][T19682] ? __virt_addr_valid+0x1da/0x440
[ 1923.446708][T19682] kasan_report+0x108/0x130
[ 1923.446712][T19682] ? ip6_pol_route+0x78c/0x9c0
[ 1923.446714][T19682] ? ip6_pol_route+0x78c/0x9c0
[ 1923.446716][T19682] ip6_pol_route+0x78c/0x9c0
[ 1923.446717][T19682] ? mark_usage+0x61/0x170
[ 1923.446721][T19682] ? ip6_pol_route_lookup+0x660/0x660
[ 1923.446723][T19682] ? mark_usage+0x61/0x170
[ 1923.446725][T19682] ? rcu_lockdep_current_cpu_online+0x39/0x1b0
[ 1923.446728][T19682] ? rcu_read_lock_any_held+0x3c/0x90
[ 1923.446730][T19682] ? validate_chain+0x38b/0xc20
[ 1923.446732][T19682] ? ip6_pol_route_input+0xa0/0xa0
[ 1923.446734][T19682] fib6_rule_lookup+0x40d/0x5b0
[ 1923.446737][T19682] ? mark_usage+0x61/0x170
[ 1923.446739][T19682] ? fib6_lookup+0x2f0/0x2f0
[ 1923.446742][T19682] ? lock_acquire.part.0+0xbc/0x260
[ 1923.446743][T19682] ? ip6_route_output_flags+0x36/0x4a0
[ 1923.446745][T19682] ? rcu_is_watching+0x15/0xd0
[ 1923.446747][T19682] ? lock_acquire+0x134/0x160
[ 1923.446749][T19682] ip6_route_output_flags+0x160/0x4a0
[ 1923.446751][T19682] ip6_dst_lookup_tail.constprop.0+0xb0/0x860
[ 1923.446753][T19682] ? lock_acquire.part.0+0xbc/0x260
[ 1923.446755][T19682] ip6_dst_lookup_flow+0xf9/0x260
[ 1923.446757][T19682] ? ip6_dst_lookup_tail.constprop.0+0x860/0x860
[ 1923.446759][T19682] ? sk_dst_check+0x2af/0x400
[ 1923.446762][T19682] ip6_sk_dst_lookup_flow+0x391/0x7b0
[ 1923.446764][T19682] ping_v6_sendmsg+0x997/0x1330
[ 1923.446767][T19682] ? validate_chain+0x38b/0xc20
[ 1923.446770][T19682] ? l3mdev_master_ifindex_by_index+0x120/0x120
[ 1923.446773][T19682] ? release_sock+0x21/0x240
[ 1923.446774][T19682] ? reacquire_held_locks+0xdc/0x210
[ 1923.446776][T19682] ? release_sock+0x21/0x240
[ 1923.446777][T19682] ? lock_acquire.part.0+0xbc/0x260
[ 1923.446779][T19682] ? __lock_release.isra.0+0x6b/0x1a0
[ 1923.446782][T19682] ? inet_autobind+0x110/0x170
[ 1923.446784][T19682] ? inet_send_prepare+0x1e6/0x440
[ 1923.446787][T19682] ____sys_sendmsg+0x419/0x850
[ 1923.446789][T19682] ? copy_msghdr_from_user+0x2a0/0x460
[ 1923.446790][T19682] ? get_timestamp.constprop.0+0x390/0x390
[ 1923.446792][T19682] ? move_addr_to_kernel+0x40/0x40
[ 1923.446795][T19682] ___sys_sendmsg+0x14e/0x1d0
[ 1923.446796][T19682] ? copy_msghdr_from_user+0x460/0x460
[ 1923.446798][T19682] ? do_fault_around+0x2f6/0x5a0
[ 1923.446802][T19682] ? do_pte_missing+0x7d4/0xcf0
[ 1923.446805][T19682] ? lock_vma_under_rcu+0x159/0x410
[ 1923.446808][T19682] __sys_sendmsg+0x145/0x1f0
[ 1923.446810][T19682] ? __sys_sendmsg_sock+0x20/0x20
[ 1923.446813][T19682] ? do_user_addr_fault+0x7a4/0xe30
[ 1923.446815][T19682] ? rcu_is_watching+0x15/0xd0
[ 1923.446816][T19682] ? rcu_is_watching+0x15/0xd0
[ 1923.446818][T19682] do_syscall_64+0x117/0xfc0
[ 1923.446820][T19682] ? trace_hardirqs_off+0xd/0x30
[ 1923.446825][T19682] ? exc_page_fault+0xee/0x100
[ 1923.446828][T19682] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1923.446830][T19682] RIP: 0033:0x7fe7a9d8f22e
[ 1923.446833][T19682] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
[ 1923.446835][T19682] RSP: 002b:00007fff0da75200 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[ 1923.446839][T19682] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe7a9d8f22e
[ 1923.446840][T19682] RDX: 0000000000000000 RSI: 00007fff0da752d0 RDI: 0000000000000005
[ 1923.446841][T19682] RBP: 00007fff0da75210 R08: 0000000000000000 R09: 0000000000000000
[ 1923.446842][T19682] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000005
[ 1923.446843][T19682] R13: 000000002ccd1010 R14: 00007fe7a9f61000 R15: 0000000000404e00
[ 1923.446845][T19682]  </TASK>
[ 1923.446846][T19682]
[ 1923.452810][T19682] Allocated by task 19678:
[ 1923.452889][T19682] kasan_save_stack+0x2f/0x50
[ 1923.452974][T19682] kasan_save_track+0x14/0x30
[ 1923.453052][T19682] __kasan_slab_alloc+0x60/0x70
[ 1923.453133][T19682] kmem_cache_alloc_noprof+0x221/0x5f0
[ 1923.453211][T19682] dst_alloc+0x79/0x160
[ 1923.453271][T19682] ip6_rt_pcpu_alloc+0x21d/0x670
[ 1923.453348][T19682] ip6_pol_route+0x634/0x9c0
[ 1923.453425][T19682] fib6_rule_lookup+0x40d/0x5b0
[ 1923.453504][T19682] ip6_route_output_flags+0x160/0x4a0
[ 1923.453580][T19682] ip6_dst_lookup_tail.constprop.0+0xb0/0x860
[ 1923.453678][T19682] ip6_dst_lookup_flow+0xf9/0x260
[ 1923.453755][T19682] ip6_sk_dst_lookup_flow+0x391/0x7b0
[ 1923.453832][T19682] ping_v6_sendmsg+0x997/0x1330
[ 1923.453910][T19682] ____sys_sendmsg+0x419/0x850
[ 1923.453993][T19682] ___sys_sendmsg+0x14e/0x1d0
[ 1923.454070][T19682] __sys_sendmsg+0x145/0x1f0
[ 1923.454148][T19682] do_syscall_64+0x117/0xfc0
[ 1923.454226][T19682] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1923.454320][T19682]
[ 1923.454360][T19682] Freed by task 0:
[ 1923.454420][T19682] kasan_save_stack+0x2f/0x50
[ 1923.454508][T19682] kasan_save_track+0x14/0x30
[ 1923.454585][T19682] kasan_save_free_info+0x3b/0x60
[ 1923.454662][T19682] __kasan_slab_free+0x43/0x70
[ 1923.454740][T19682] kmem_cache_free+0xf6/0x560
[ 1923.454819][T19682] dst_destroy+0x239/0x360
[ 1923.454895][T19682] rcu_do_batch+0x2b6/0x1010
[ 1923.454976][T19682] rcu_core+0x2b7/0x630
[ 1923.455035][T19682] handle_softirqs+0x1d8/0x930
[ 1923.455113][T19682] __irq_exit_rcu+0x103/0x1c0
[ 1923.455190][T19682] irq_exit_rcu+0xe/0x30
[ 1923.455248][T19682] sysvec_apic_timer_interrupt+0x9d/0xe0
[ 1923.455324][T19682] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 1923.455420][T19682]
[ 1923.455460][T19682] Last potentially related work creation:
[ 1923.455538][T19682] kasan_save_stack+0x2f/0x50
[ 1923.455618][T19682] kasan_record_aux_stack+0x9b/0xc0
[ 1923.455694][T19682] __call_rcu_common.constprop.0+0xb2/0xa10
[ 1923.455793][T19682] udpv6_sendmsg+0x2065/0x2a00
[ 1923.455871][T19682] ____sys_sendmsg+0x419/0x850
[ 1923.455956][T19682] ___sys_sendmsg+0x14e/0x1d0
[ 1923.456034][T19682] __sys_sendmsg+0x145/0x1f0
[ 1923.456112][T19682] do_syscall_64+0x117/0xfc0
[ 1923.456189][T19682] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1923.456293][T19682]
[ 1923.456332][T19682] The buggy address belongs to the object at ff11000016794740
[ 1923.456332][T19682] which belongs to the cache ip6_dst_cache of size 232
[ 1923.456539][T19682] The buggy address is located 152 bytes inside of
[ 1923.456539][T19682] freed 232-byte region [ff11000016794740, ff11000016794828)
[ 1923.456727][T19682]
[ 1923.456767][T19682] The buggy address belongs to the physical page:
[ 1923.456862][T19682] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff11000016795700 pfn:0x16794
[ 1923.457024][T19682] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1923.457148][T19682] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 1923.457248][T19682] page_type: f5(slab)
[ 1923.457310][T19682] raw: 0080000000000240 ff11000008fce040 ffd40000002fee10 ff11000005fbf208
[ 1923.457449][T19682] raw: ff11000016795700 0000000000120008 00000000f5000000 0000000000000000
[ 1923.457589][T19682] head: 0080000000000240 ff11000008fce040 ffd40000002fee10 ff11000005fbf208
[ 1923.457728][T19682] head: ff11000016795700 0000000000120008 00000000f5000000 0000000000000000
[ 1923.457864][T19682] head: 0080000000000001 ffd400000059e501 00000000ffffffff 00000000ffffffff
[ 1923.458006][T19682] head: ff11000016902440 0000000000000000 00000000ffffffff 0000000000000000
[ 1923.458141][T19682] page dumped because: kasan: bad access detected
[ 1923.458278][T19682]
[ 1923.458318][T19682] Memory state around the buggy address:
[ 1923.458394][T19682] ff11000016794680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1923.458545][T19682] ff11000016794700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1923.458657][T19682] >ff11000016794780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1923.458779][T19682] ^
[ 1923.458873][T19682] ff11000016794800: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 1923.458990][T19682] ff11000016794880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1923.459101][T19682] ==================================================================
[ 1923.459255][T19682] Disabling lock debugging due to kernel taint
[ 1927.734258][T19926] Oops: general protection fault, probably for non-canonical address 0xed6d696d6d6d6d8e: 0000 [#1] SMP KASAN
[ 1927.734474][T19926] KASAN: maybe wild-memory-access in range [0x6b6b6b6b6b6b6c70-0x6b6b6b6b6b6b6c77]
[ 1927.734611][T19926] CPU: 2 UID: 0 PID: 19926 Comm: cmsg_sender Tainted: G B 7.0.0-virtme #1 PREEMPT(full)
[ 1927.734768][T19926] Tainted: [B]=BAD_PAGE
[ 1927.734829][T19926] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1927.734929][T19926] RIP: 0010:ip6_pol_route+0x529/0x9c0
[ 1927.735018][T19926] Code: 80 3c 02 00 0f 85 80 04 00 00 4c 8b 3b e8 7f 4e 40 00 48 b8 00 00 00 00 00 fc ff df 49 8d bf 08 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 4c 04 00 00 49 8b 97 08 01 00 00 be 04 00 00 00
[ 1927.735288][T19926] RSP: 0018:ffa0000002557388 EFLAGS: 00010216
[ 1927.735387][T19926] RAX: dffffc0000000000 RBX: ff11000016795a80 RCX: ffffffff9054dee1
[ 1927.735506][T19926] RDX: 0d6d6d6d6d6d6d8e RSI: 0000000000000008 RDI: 6b6b6b6b6b6b6c73
[ 1927.735623][T19926] RBP: 1ff40000004aae74 R08: 0000000000000000 R09: 0000000000000000
[ 1927.735739][T19926] R10: 0000000000000000 R11: ff11000016b2c4c0 R12: ff1100000f260040
[ 1927.735855][T19926] R13: 000000006b6b6b6b R14: 0000000000000080 R15: 6b6b6b6b6b6b6b6b
[ 1927.735976][T19926] FS: 00007ff0207d1740(0000) GS:ff110000d91cc000(0000) knlGS:0000000000000000
[ 1927.736112][T19926] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1927.736211][T19926] CR2: 00007ff0209d9000 CR3: 00000000142ef003 CR4: 0000000000771ef0
[ 1927.736326][T19926] PKRU: 55555554
[ 1927.736385][T19926] Call Trace:
[ 1927.736443][T19926]  <TASK>
[ 1927.736483][T19926] ? ip6_pol_route_lookup+0x660/0x660
[ 1927.736559][T19926] ? unwind_next_frame+0x69b/0x1ea0
[ 1927.736642][T19926] ? lock_acquire+0x134/0x160
[ 1927.736721][T19926] ? rcu_is_watching+0x15/0xd0
[ 1927.736798][T19926] ? lock_release+0x17c/0x1f0
[ 1927.736876][T19926] ? ip6_pol_route_input+0xa0/0xa0
[ 1927.736952][T19926] __fib6_rule_action+0x2c2/0x710
[ 1927.737033][T19926] fib_rules_lookup+0x869/0xc80
[ 1927.737110][T19926] ? fib_nl_dumprule+0x810/0x810
[ 1927.737186][T19926] ? rcu_is_watching+0x15/0xd0
[ 1927.737261][T19926] ? lock_release+0x17c/0x1f0
[ 1927.737338][T19926] ? ip6_pol_route_input+0xa0/0xa0
[ 1927.737414][T19926] fib6_rule_lookup+0x35a/0x5b0
[ 1927.737490][T19926] ? rcu_is_watching+0x15/0xd0
[ 1927.737566][T19926] ? fib6_lookup+0x2f0/0x2f0
[ 1927.737643][T19926] ? rcu_is_watching+0x15/0xd0
[ 1927.737718][T19926] ? lock_acquire+0x134/0x160
[ 1927.737793][T19926] ? rcu_is_watching+0x15/0xd0
[ 1927.737869][T19926] ? ip6_pol_route_input+0xa0/0xa0
[ 1927.737945][T19926] ? rcu_is_watching+0x15/0xd0
[ 1927.738025][T19926] ? lock_acquire+0x134/0x160
[ 1927.738100][T19926] ? lock_release+0x17c/0x1f0
[ 1927.738175][T19926] ip6_route_output_flags+0x160/0x4a0
[ 1927.738251][T19926] ip6_dst_lookup_tail.constprop.0+0xb0/0x860
[ 1927.738346][T19926] ? rcu_is_watching+0x15/0xd0
[ 1927.738421][T19926] ? lock_release+0x17c/0x1f0
[ 1927.738497][T19926] ip6_dst_lookup_flow+0xf9/0x260
[ 1927.738574][T19926] ? ip6_dst_lookup_tail.constprop.0+0x860/0x860
[ 1927.738669][T19926] ? lock_release+0x17c/0x1f0
[ 1927.738746][T19926] ? sk_dst_check+0x4e/0x400
[ 1927.738823][T19926] ? sk_dst_check+0x2af/0x400
[ 1927.738900][T19926] ip6_sk_dst_lookup_flow+0x391/0x7b0
[ 1927.738978][T19926] udpv6_sendmsg+0x154e/0x2a00
[ 1927.739056][T19926] ? lock_acquire+0x134/0x160
[ 1927.739134][T19926] ? udpv6_splice_eof+0x1a0/0x1a0
[ 1927.739209][T19926] ? trace_hardirqs_on+0x36/0x40
[ 1927.739286][T19926] ? __local_bh_enable_ip+0xa5/0x140
[ 1927.739365][T19926] ? trace_irq_enable.constprop.0+0x9b/0x180
[ 1927.739458][T19926] ? trace_irq_disable.constprop.0+0x9b/0x180
[ 1927.739551][T19926] ? trace_hardirqs_on+0x36/0x40
[ 1927.739626][T19926] ? __local_bh_enable_ip+0xa5/0x140
[ 1927.739703][T19926] ? inet_autobind+0x110/0x170
[ 1927.739780][T19926] ? ____sys_sendmsg+0x419/0x850
[ 1927.739857][T19926] ____sys_sendmsg+0x419/0x850
[ 1927.739932][T19926] ? copy_msghdr_from_user+0x2a0/0x460
[ 1927.740011][T19926] ? get_timestamp.constprop.0+0x390/0x390
[ 1927.740105][T19926] ? move_addr_to_kernel+0x40/0x40
[ 1927.740181][T19926] ___sys_sendmsg+0x14e/0x1d0
[ 1927.740258][T19926] ? copy_msghdr_from_user+0x460/0x460
[ 1927.740334][T19926] ? insert_pfn+0x4b0/0x4b0
[ 1927.740412][T19926] ? lock_release+0x17c/0x1f0
[ 1927.740488][T19926] ? do_pte_missing+0x54c/0xcf0
[ 1927.740562][T19926] ? lock_release+0x17c/0x1f0
[ 1927.740639][T19926] __sys_sendmsg+0x145/0x1f0
[ 1927.740714][T19926] ? __sys_sendmsg_sock+0x20/0x20
[ 1927.740790][T19926] ? down_write_nested+0x200/0x200
[ 1927.740868][T19926] ? do_user_addr_fault+0x325/0xe30
[ 1927.740947][T19926] ? rcu_is_watching+0x15/0xd0
[ 1927.741027][T19926] ? rcu_is_watching+0x15/0xd0
[ 1927.741104][T19926] do_syscall_64+0x117/0xfc0
[ 1927.741182][T19926] ? trace_hardirqs_off+0xd/0x30
[ 1927.741258][T19926] ? exc_page_fault+0xee/0x100
[ 1927.741335][T19926] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1927.741431][T19926] RIP: 0033:0x7ff02084422e
[ 1927.741514][T19926] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
[ 1927.741784][T19926] RSP: 002b:00007ffc86237db0 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[ 1927.741902][T19926] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff02084422e
[ 1927.742019][T19926] RDX: 0000000000000000 RSI: 00007ffc86237e80 RDI: 0000000000000005
[ 1927.742134][T19926] RBP: 00007ffc86237dc0 R08: 0000000000000000 R09: 0000000000000000
[ 1927.742247][T19926] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000005
[ 1927.742361][T19926] R13: 000000002288d010 R14: 00007ff020a16000 R15: 0000000000404e00
[ 1927.742477][T19926]  </TASK>
[ 1927.742537][T19926] Modules linked in: nft_chain_nat xt_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 cls_u32 ifb ipvtap ipvlan unix_diag chacha libchacha chacha20poly1305 libpoly1305 tls sch_prio xt_mark nft_compat nf_tables act_mirred cls_basic sch_fq_codel act_gact cls_flower sch_ingress vxlan [last unloaded: ila]
[ 1927.743002][T19926] ---[ end trace 0000000000000000 ]---
[ 1927.743127][T19926] RIP: 0010:ip6_pol_route+0x529/0x9c0
[ 1927.743259][T19926] Code: 80 3c 02 00 0f 85 80 04 00 00 4c 8b 3b e8 7f 4e 40 00 48 b8 00 00 00 00 00 fc ff df 49 8d bf 08 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 4c 04 00 00 49 8b 97 08 01 00 00 be 04 00 00 00
[ 1927.743565][T19926] RSP: 0018:ffa0000002557388 EFLAGS: 00010216
[ 1927.743706][T19926] RAX: dffffc0000000000 RBX: ff11000016795a80 RCX: ffffffff9054dee1
[ 1927.743874][T19926] RDX: 0d6d6d6d6d6d6d8e RSI: 0000000000000008 RDI: 6b6b6b6b6b6b6c73
[ 1927.744037][T19926] RBP: 1ff40000004aae74 R08: 0000000000000000 R09: 0000000000000000
[ 1927.744191][T19926] R10: 0000000000000000 R11: ff11000016b2c4c0 R12: ff1100000f260040
[ 1927.744349][T19926] R13: 000000006b6b6b6b R14: 0000000000000080 R15: 6b6b6b6b6b6b6b6b
[ 1927.744509][T19926] FS: 00007ff0207d1740(0000) GS:ff110000d91cc000(0000) knlGS:0000000000000000
[ 1927.744686][T19926] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1927.744835][T19926] CR2: 00007ff0209d9000 CR3: 00000000142ef003 CR4: 0000000000771ef0
[ 1927.744994][T19926] PKRU: 55555554
[ 1927.745095][T19926] Kernel panic - not syncing: Fatal exception in interrupt
[ 1927.745362][T19926] Kernel Offset: 0xca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 1927.745541][T19926] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
WAIT TIMEOUT stderr
Ctrl-C stderr
Ctrl-C stderr
WAIT TIMEOUT stderr