[ 721.896206][T25746] ================================================================== [ 721.896365][T25746] BUG: KASAN: slab-use-after-free in ip6_pol_route+0x78c/0x9c0 [ 721.896488][T25746] Read of size 4 at addr ff1100001b1d4298 by task cmsg_sender/25746 [ 721.896602][T25746] [ 721.896645][T25746] CPU: 2 UID: 0 PID: 25746 Comm: cmsg_sender Not tainted 7.0.0-virtme #1 PREEMPT(full) [ 721.896649][T25746] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 721.896651][T25746] Call Trace: [ 721.896652][T25746] [ 721.896654][T25746] dump_stack_lvl+0x6f/0xa0 [ 721.896660][T25746] print_address_description.constprop.0+0x73/0x300 [ 721.896664][T25746] print_report+0xfc/0x1fa [ 721.896666][T25746] ? __virt_addr_valid+0x102/0x440 [ 721.896670][T25746] ? __virt_addr_valid+0x1da/0x440 [ 721.896672][T25746] kasan_report+0x108/0x130 [ 721.896675][T25746] ? ip6_pol_route+0x78c/0x9c0 [ 721.896677][T25746] ? ip6_pol_route+0x78c/0x9c0 [ 721.896679][T25746] ip6_pol_route+0x78c/0x9c0 [ 721.896681][T25746] ? mark_usage+0x61/0x170 [ 721.896684][T25746] ? ip6_pol_route_lookup+0x660/0x660 [ 721.896687][T25746] ? mark_usage+0x61/0x170 [ 721.896689][T25746] ? rcu_lockdep_current_cpu_online+0x39/0x1b0 [ 721.896692][T25746] ? rcu_read_lock_any_held+0x3c/0x90 [ 721.896694][T25746] ? validate_chain+0x38b/0xc20 [ 721.896696][T25746] ? ip6_pol_route_input+0xa0/0xa0 [ 721.896698][T25746] fib6_rule_lookup+0x40d/0x5b0 [ 721.896701][T25746] ? mark_usage+0x61/0x170 [ 721.896703][T25746] ? fib6_lookup+0x2f0/0x2f0 [ 721.896706][T25746] ? lock_acquire.part.0+0xbc/0x260 [ 721.896707][T25746] ? ip6_route_output_flags+0x36/0x4a0 [ 721.896709][T25746] ? rcu_is_watching+0x15/0xd0 [ 721.896711][T25746] ? lock_acquire+0x134/0x160 [ 721.896713][T25746] ip6_route_output_flags+0x160/0x4a0 [ 721.896715][T25746] ip6_dst_lookup_tail.constprop.0+0xb0/0x860 [ 721.896717][T25746] ? lock_acquire.part.0+0xbc/0x260 [ 721.896719][T25746] ip6_dst_lookup_flow+0xf9/0x260 [ 721.896721][T25746] ? 
ip6_dst_lookup_tail.constprop.0+0x860/0x860 [ 721.896723][T25746] ? sk_dst_check+0x2af/0x400 [ 721.896726][T25746] ip6_sk_dst_lookup_flow+0x391/0x7b0 [ 721.896728][T25746] ping_v6_sendmsg+0x997/0x1330 [ 721.896731][T25746] ? validate_chain+0x38b/0xc20 [ 721.896733][T25746] ? l3mdev_master_ifindex_by_index+0x120/0x120 [ 721.896736][T25746] ? release_sock+0x21/0x240 [ 721.896737][T25746] ? reacquire_held_locks+0xdc/0x210 [ 721.896739][T25746] ? release_sock+0x21/0x240 [ 721.896740][T25746] ? lock_acquire.part.0+0xbc/0x260 [ 721.896743][T25746] ? __lock_release.isra.0+0x6b/0x1a0 [ 721.896747][T25746] ? inet_autobind+0x110/0x170 [ 721.896750][T25746] ? inet_send_prepare+0x1e6/0x440 [ 721.896752][T25746] ____sys_sendmsg+0x419/0x850 [ 721.896754][T25746] ? copy_msghdr_from_user+0x2a0/0x460 [ 721.896756][T25746] ? get_timestamp.constprop.0+0x390/0x390 [ 721.896757][T25746] ? move_addr_to_kernel+0x40/0x40 [ 721.896760][T25746] ___sys_sendmsg+0x14e/0x1d0 [ 721.896762][T25746] ? copy_msghdr_from_user+0x460/0x460 [ 721.896763][T25746] ? do_fault_around+0x2f6/0x5a0 [ 721.896767][T25746] ? do_pte_missing+0x7d4/0xcf0 [ 721.896770][T25746] ? lock_vma_under_rcu+0x159/0x410 [ 721.896773][T25746] __sys_sendmsg+0x145/0x1f0 [ 721.896775][T25746] ? __sys_sendmsg_sock+0x20/0x20 [ 721.896778][T25746] ? do_user_addr_fault+0x7a4/0xe30 [ 721.896780][T25746] ? rcu_is_watching+0x15/0xd0 [ 721.896781][T25746] ? rcu_is_watching+0x15/0xd0 [ 721.896782][T25746] do_syscall_64+0x117/0xfc0 [ 721.896785][T25746] ? trace_hardirqs_off+0xd/0x30 [ 721.896788][T25746] ? 
exc_page_fault+0xee/0x100 [ 721.896791][T25746] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 721.896793][T25746] RIP: 0033:0x7f7de834f22e [ 721.896796][T25746] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa [ 721.896798][T25746] RSP: 002b:00007ffc2e348be0 EFLAGS: 00000202 ORIG_RAX: 000000000000002e [ 721.896802][T25746] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7de834f22e [ 721.896803][T25746] RDX: 0000000000000000 RSI: 00007ffc2e348cb0 RDI: 0000000000000005 [ 721.896804][T25746] RBP: 00007ffc2e348bf0 R08: 0000000000000000 R09: 0000000000000000 [ 721.896805][T25746] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000005 [ 721.896805][T25746] R13: 0000000027b30010 R14: 00007f7de8521000 R15: 0000000000404e00 [ 721.896808][T25746] [ 721.896809][T25746] [ 721.902598][T25746] Allocated by task 25740: [ 721.902677][T25746] kasan_save_stack+0x2f/0x50 [ 721.902756][T25746] kasan_save_track+0x14/0x30 [ 721.902831][T25746] __kasan_slab_alloc+0x60/0x70 [ 721.902909][T25746] kmem_cache_alloc_noprof+0x221/0x5f0 [ 721.902987][T25746] dst_alloc+0x79/0x160 [ 721.903045][T25746] ip6_rt_pcpu_alloc+0x21d/0x670 [ 721.903120][T25746] ip6_pol_route+0x634/0x9c0 [ 721.903196][T25746] fib6_rule_lookup+0x40d/0x5b0 [ 721.903276][T25746] ip6_route_output_flags+0x160/0x4a0 [ 721.903351][T25746] ip6_dst_lookup_tail.constprop.0+0xb0/0x860 [ 721.903445][T25746] ip6_dst_lookup_flow+0xf9/0x260 [ 721.903519][T25746] ip6_sk_dst_lookup_flow+0x391/0x7b0 [ 721.903595][T25746] udpv6_sendmsg+0x154e/0x2a00 [ 721.903670][T25746] ____sys_sendmsg+0x419/0x850 [ 721.903746][T25746] ___sys_sendmsg+0x14e/0x1d0 [ 721.903823][T25746] __sys_sendmsg+0x145/0x1f0 [ 721.903898][T25746] do_syscall_64+0x117/0xfc0 [ 721.903974][T25746] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 721.904069][T25746] [ 721.904108][T25746] Freed by task 0: [ 
721.904166][T25746] kasan_save_stack+0x2f/0x50 [ 721.904247][T25746] kasan_save_track+0x14/0x30 [ 721.904323][T25746] kasan_save_free_info+0x3b/0x60 [ 721.904399][T25746] __kasan_slab_free+0x43/0x70 [ 721.904474][T25746] kmem_cache_free+0xf6/0x560 [ 721.904549][T25746] dst_destroy+0x239/0x360 [ 721.904624][T25746] rcu_do_batch+0x2b6/0x1010 [ 721.904699][T25746] rcu_core+0x2b7/0x630 [ 721.904757][T25746] handle_softirqs+0x1d8/0x930 [ 721.904834][T25746] __irq_exit_rcu+0x103/0x1c0 [ 721.904910][T25746] irq_exit_rcu+0xe/0x30 [ 721.904968][T25746] sysvec_apic_timer_interrupt+0x9d/0xe0 [ 721.905045][T25746] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 721.905137][T25746] [ 721.905175][T25746] Last potentially related work creation: [ 721.905255][T25746] kasan_save_stack+0x2f/0x50 [ 721.905333][T25746] kasan_record_aux_stack+0x9b/0xc0 [ 721.905409][T25746] __call_rcu_common.constprop.0+0xb2/0xa10 [ 721.905503][T25746] udpv6_sendmsg+0x2065/0x2a00 [ 721.905582][T25746] ____sys_sendmsg+0x419/0x850 [ 721.905658][T25746] ___sys_sendmsg+0x14e/0x1d0 [ 721.905735][T25746] __sys_sendmsg+0x145/0x1f0 [ 721.905811][T25746] do_syscall_64+0x117/0xfc0 [ 721.905888][T25746] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 721.905981][T25746] [ 721.906020][T25746] The buggy address belongs to the object at ff1100001b1d4200 [ 721.906020][T25746] which belongs to the cache ip6_dst_cache of size 232 [ 721.906225][T25746] The buggy address is located 152 bytes inside of [ 721.906225][T25746] freed 232-byte region [ff1100001b1d4200, ff1100001b1d42e8) [ 721.906408][T25746] [ 721.906447][T25746] The buggy address belongs to the physical page: [ 721.906541][T25746] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff1100001b1d4ac0 pfn:0x1b1d4 [ 721.906695][T25746] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 721.906811][T25746] flags: 0x80000000000240(workingset|head|node=0|zone=1) [ 721.906909][T25746] page_type: f5(slab) [ 721.906970][T25746] raw: 
0080000000000240 ff11000008f5c040 ffd4000000463190 ff110000060ad208 [ 721.907105][T25746] raw: ff1100001b1d4ac0 0000000000120009 00000000f5000000 0000000000000000 [ 721.907240][T25746] head: 0080000000000240 ff11000008f5c040 ffd4000000463190 ff110000060ad208 [ 721.907374][T25746] head: ff1100001b1d4ac0 0000000000120009 00000000f5000000 0000000000000000 [ 721.907507][T25746] head: 0080000000000001 ffd40000006c7501 00000000ffffffff 00000000ffffffff [ 721.907641][T25746] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 721.907774][T25746] page dumped because: kasan: bad access detected [ 721.907870][T25746] [ 721.907909][T25746] Memory state around the buggy address: [ 721.907984][T25746] ff1100001b1d4180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 721.908135][T25746] ff1100001b1d4200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 721.908251][T25746] >ff1100001b1d4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc [ 721.908399][T25746] ^ [ 721.908474][T25746] ff1100001b1d4300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 721.908585][T25746] ff1100001b1d4380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 721.908732][T25746] ================================================================== [ 721.908888][T25746] Disabling lock debugging due to kernel taint [ 726.243775][T25989] Oops: general protection fault, probably for non-canonical address 0xed6d696d6d6d6d8e: 0000 [#1] SMP KASAN [ 726.243992][T25989] KASAN: maybe wild-memory-access in range [0x6b6b6b6b6b6b6c70-0x6b6b6b6b6b6b6c77] [ 726.244126][T25989] CPU: 2 UID: 0 PID: 25989 Comm: cmsg_sender Tainted: G B 7.0.0-virtme #1 PREEMPT(full) [ 726.244286][T25989] Tainted: [B]=BAD_PAGE [ 726.244347][T25989] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 726.244444][T25989] RIP: 0010:ip6_pol_route+0x529/0x9c0 [ 726.244533][T25989] Code: 80 3c 02 00 0f 85 80 04 00 00 4c 8b 3b e8 7f 5e 40 00 48 b8 00 00 00 00 00 fc ff df 49 8d bf 08 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 
00 0f 85 4c 04 00 00 49 8b 97 08 01 00 00 be 04 00 00 00 [ 726.244806][T25989] RSP: 0018:ffa000000278f388 EFLAGS: 00010216 [ 726.244905][T25989] RAX: dffffc0000000000 RBX: ff1100001b1d4200 RCX: ffffffff92f4dee1 [ 726.245023][T25989] RDX: 0d6d6d6d6d6d6d8e RSI: 0000000000000008 RDI: 6b6b6b6b6b6b6c73 [ 726.245139][T25989] RBP: 1ff40000004f1e74 R08: 0000000000000000 R09: 0000000000000000 [ 726.245257][T25989] R10: 0000000000000000 R11: ff110000245788c0 R12: ff110000099d0040 [ 726.245372][T25989] R13: 000000006b6b6b6b R14: 0000000000000080 R15: 6b6b6b6b6b6b6b6b [ 726.245489][T25989] FS: 00007f9444672740(0000) GS:ff110000d67cc000(0000) knlGS:0000000000000000 [ 726.245627][T25989] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 726.245725][T25989] CR2: 00007f944487a000 CR3: 000000001185e005 CR4: 0000000000771ef0 [ 726.245839][T25989] PKRU: 55555554 [ 726.245900][T25989] Call Trace: [ 726.245959][T25989] [ 726.246000][T25989] ? ip6_pol_route_lookup+0x660/0x660 [ 726.246081][T25989] ? unwind_next_frame+0x69b/0x1ea0 [ 726.246161][T25989] ? lock_acquire+0x134/0x160 [ 726.246244][T25989] ? rcu_is_watching+0x15/0xd0 [ 726.246323][T25989] ? lock_release+0x17c/0x1f0 [ 726.246401][T25989] ? ip6_pol_route_input+0xa0/0xa0 [ 726.246477][T25989] __fib6_rule_action+0x2c2/0x710 [ 726.246556][T25989] fib_rules_lookup+0x869/0xc80 [ 726.246634][T25989] ? fib_nl_dumprule+0x810/0x810 [ 726.246712][T25989] ? rcu_is_watching+0x15/0xd0 [ 726.246788][T25989] ? lock_release+0x17c/0x1f0 [ 726.246866][T25989] ? ip6_pol_route_input+0xa0/0xa0 [ 726.246943][T25989] fib6_rule_lookup+0x35a/0x5b0 [ 726.247021][T25989] ? lock_acquire+0x134/0x160 [ 726.247098][T25989] ? fib6_lookup+0x2f0/0x2f0 [ 726.247176][T25989] ? lock_release+0x17c/0x1f0 [ 726.247255][T25989] ? rcu_is_watching+0x15/0xd0 [ 726.247333][T25989] ? ip6_pol_route_input+0xa0/0xa0 [ 726.247410][T25989] ? rcu_is_watching+0x15/0xd0 [ 726.247488][T25989] ? 
lock_acquire+0x134/0x160 [ 726.247567][T25989] ip6_route_output_flags+0x160/0x4a0 [ 726.247644][T25989] ip6_dst_lookup_tail.constprop.0+0xb0/0x860 [ 726.247741][T25989] ? trace_irq_enable.constprop.0+0x9b/0x180 [ 726.247838][T25989] ip6_dst_lookup_flow+0xf9/0x260 [ 726.247918][T25989] ? ip6_dst_lookup_tail.constprop.0+0x860/0x860 [ 726.248014][T25989] ? lock_release+0x17c/0x1f0 [ 726.248092][T25989] ? sk_dst_check+0x4e/0x400 [ 726.248174][T25989] ? sk_dst_check+0x2af/0x400 [ 726.248255][T25989] ip6_sk_dst_lookup_flow+0x391/0x7b0 [ 726.248330][T25989] udpv6_sendmsg+0x154e/0x2a00 [ 726.248408][T25989] ? lock_acquire+0x134/0x160 [ 726.248485][T25989] ? udpv6_splice_eof+0x1a0/0x1a0 [ 726.248563][T25989] ? trace_hardirqs_on+0x36/0x40 [ 726.248640][T25989] ? __local_bh_enable_ip+0xa5/0x140 [ 726.248720][T25989] ? trace_irq_enable.constprop.0+0x9b/0x180 [ 726.248816][T25989] ? trace_irq_disable.constprop.0+0x9b/0x180 [ 726.248911][T25989] ? trace_hardirqs_on+0x36/0x40 [ 726.248987][T25989] ? __local_bh_enable_ip+0xa5/0x140 [ 726.249064][T25989] ? inet_autobind+0x110/0x170 [ 726.249142][T25989] ? ____sys_sendmsg+0x419/0x850 [ 726.249219][T25989] ____sys_sendmsg+0x419/0x850 [ 726.249300][T25989] ? copy_msghdr_from_user+0x2a0/0x460 [ 726.249377][T25989] ? get_timestamp.constprop.0+0x390/0x390 [ 726.249472][T25989] ? move_addr_to_kernel+0x40/0x40 [ 726.249551][T25989] ? rcu_is_watching+0x15/0xd0 [ 726.249627][T25989] ___sys_sendmsg+0x14e/0x1d0 [ 726.249705][T25989] ? copy_msghdr_from_user+0x460/0x460 [ 726.249782][T25989] ? insert_pfn+0x4b0/0x4b0 [ 726.249861][T25989] ? lock_release+0x17c/0x1f0 [ 726.249938][T25989] ? do_pte_missing+0x54c/0xcf0 [ 726.250015][T25989] ? lock_release+0x17c/0x1f0 [ 726.250094][T25989] __sys_sendmsg+0x145/0x1f0 [ 726.250170][T25989] ? __sys_sendmsg_sock+0x20/0x20 [ 726.250250][T25989] ? down_write_nested+0x200/0x200 [ 726.250329][T25989] ? do_user_addr_fault+0x325/0xe30 [ 726.250407][T25989] ? rcu_is_watching+0x15/0xd0 [ 726.250482][T25989] ? 
rcu_is_watching+0x15/0xd0 [ 726.250558][T25989] do_syscall_64+0x117/0xfc0 [ 726.250636][T25989] ? trace_hardirqs_off+0xd/0x30 [ 726.250713][T25989] ? exc_page_fault+0xee/0x100 [ 726.250791][T25989] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 726.250889][T25989] RIP: 0033:0x7f94446e522e [ 726.250971][T25989] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa [ 726.251245][T25989] RSP: 002b:00007ffc94398c90 EFLAGS: 00000202 ORIG_RAX: 000000000000002e [ 726.251360][T25989] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f94446e522e [ 726.251479][T25989] RDX: 0000000000000000 RSI: 00007ffc94398d60 RDI: 0000000000000005 [ 726.251593][T25989] RBP: 00007ffc94398ca0 R08: 0000000000000000 R09: 0000000000000000 [ 726.251709][T25989] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000005 [ 726.251825][T25989] R13: 0000000015edf010 R14: 00007f94448b7000 R15: 0000000000404e00 [ 726.251942][T25989] [ 726.252001][T25989] Modules linked in: netdevsim psample ipt_rpfilter nft_compat nf_tables l2tp_ip6 l2tp_eth l2tp_ip l2tp_netlink l2tp_core xfrm_interface xfrm_user cls_bpf sch_ingress ipvtap ipvlan vxlan chacha libchacha chacha20poly1305 libpoly1305 tls [last unloaded: ila] [ 726.252409][T25989] ---[ end trace 0000000000000000 ]--- [ 726.252534][T25989] RIP: 0010:ip6_pol_route+0x529/0x9c0 [ 726.252658][T25989] Code: 80 3c 02 00 0f 85 80 04 00 00 4c 8b 3b e8 7f 5e 40 00 48 b8 00 00 00 00 00 fc ff df 49 8d bf 08 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 4c 04 00 00 49 8b 97 08 01 00 00 be 04 00 00 00 [ 726.252976][T25989] RSP: 0018:ffa000000278f388 EFLAGS: 00010216 [ 726.253117][T25989] RAX: dffffc0000000000 RBX: ff1100001b1d4200 RCX: ffffffff92f4dee1 [ 726.253284][T25989] RDX: 0d6d6d6d6d6d6d8e RSI: 0000000000000008 RDI: 6b6b6b6b6b6b6c73 [ 726.253441][T25989] RBP: 1ff40000004f1e74 R08: 0000000000000000 R09: 
0000000000000000
[ 726.253597][T25989] R10: 0000000000000000 R11: ff110000245788c0 R12: ff110000099d0040
[ 726.253763][T25989] R13: 000000006b6b6b6b R14: 0000000000000080 R15: 6b6b6b6b6b6b6b6b
[ 726.253925][T25989] FS: 00007f9444672740(0000) GS:ff110000d67cc000(0000) knlGS:0000000000000000
[ 726.254103][T25989] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 726.254248][T25989] CR2: 00007f944487a000 CR3: 000000001185e005 CR4: 0000000000771ef0
[ 726.254407][T25989] PKRU: 55555554
[ 726.254508][T25989] Kernel panic - not syncing: Fatal exception in interrupt
[ 726.254710][T25989] Kernel Offset: 0xf400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 726.254892][T25989] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---