[ 846.887106][T21828] ==================================================================
[ 846.887269][T21828] BUG: KASAN: slab-use-after-free in ip6_pol_route+0x78c/0x9c0
[ 846.887401][T21828] Read of size 4 at addr ff11000019e11b18 by task cmsg_sender/21828
[ 846.887529][T21828]
[ 846.887573][T21828] CPU: 3 UID: 0 PID: 21828 Comm: cmsg_sender Not tainted 7.0.0-virtme #1 PREEMPT(full)
[ 846.887577][T21828] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 846.887579][T21828] Call Trace:
[ 846.887580][T21828]
[ 846.887581][T21828] dump_stack_lvl+0x6f/0xa0
[ 846.887588][T21828] print_address_description.constprop.0+0x73/0x300
[ 846.887593][T21828] print_report+0xfc/0x1fa
[ 846.887595][T21828] ? __virt_addr_valid+0x102/0x440
[ 846.887598][T21828] ? __virt_addr_valid+0x1da/0x440
[ 846.887601][T21828] kasan_report+0x108/0x130
[ 846.887604][T21828] ? ip6_pol_route+0x78c/0x9c0
[ 846.887606][T21828] ? ip6_pol_route+0x78c/0x9c0
[ 846.887609][T21828] ip6_pol_route+0x78c/0x9c0
[ 846.887610][T21828] ? mark_usage+0x61/0x170
[ 846.887614][T21828] ? ip6_pol_route_lookup+0x660/0x660
[ 846.887616][T21828] ? mark_usage+0x61/0x170
[ 846.887618][T21828] ? rcu_lockdep_current_cpu_online+0x39/0x1b0
[ 846.887621][T21828] ? rcu_read_lock_any_held+0x3c/0x90
[ 846.887624][T21828] ? validate_chain+0x38b/0xc20
[ 846.887626][T21828] ? ip6_pol_route_input+0xa0/0xa0
[ 846.887627][T21828] fib6_rule_lookup+0x40d/0x5b0
[ 846.887631][T21828] ? mark_usage+0x61/0x170
[ 846.887633][T21828] ? fib6_lookup+0x2f0/0x2f0
[ 846.887635][T21828] ? lock_acquire.part.0+0xbc/0x260
[ 846.887637][T21828] ? ip6_route_output_flags+0x36/0x4a0
[ 846.887639][T21828] ? rcu_is_watching+0x15/0xd0
[ 846.887641][T21828] ? lock_acquire+0x134/0x160
[ 846.887643][T21828] ip6_route_output_flags+0x160/0x4a0
[ 846.887645][T21828] ip6_dst_lookup_tail.constprop.0+0xb0/0x860
[ 846.887648][T21828] ? lock_acquire.part.0+0xbc/0x260
[ 846.887650][T21828] ip6_dst_lookup_flow+0xf9/0x260
[ 846.887652][T21828] ? ip6_dst_lookup_tail.constprop.0+0x860/0x860
[ 846.887654][T21828] ? sk_dst_check+0x2af/0x400
[ 846.887657][T21828] ip6_sk_dst_lookup_flow+0x391/0x7b0
[ 846.887659][T21828] ping_v6_sendmsg+0x997/0x1330
[ 846.887662][T21828] ? validate_chain+0x38b/0xc20
[ 846.887665][T21828] ? l3mdev_master_ifindex_by_index+0x120/0x120
[ 846.887668][T21828] ? release_sock+0x21/0x240
[ 846.887669][T21828] ? reacquire_held_locks+0xdc/0x210
[ 846.887671][T21828] ? release_sock+0x21/0x240
[ 846.887673][T21828] ? lock_acquire.part.0+0xbc/0x260
[ 846.887675][T21828] ? __lock_release.isra.0+0x6b/0x1a0
[ 846.887678][T21828] ? inet_autobind+0x110/0x170
[ 846.887680][T21828] ? inet_send_prepare+0x1e6/0x440
[ 846.887683][T21828] ____sys_sendmsg+0x419/0x850
[ 846.887685][T21828] ? copy_msghdr_from_user+0x2a0/0x460
[ 846.887686][T21828] ? get_timestamp.constprop.0+0x390/0x390
[ 846.887688][T21828] ? move_addr_to_kernel+0x40/0x40
[ 846.887690][T21828] ? mark_usage+0x61/0x170
[ 846.887693][T21828] ___sys_sendmsg+0x14e/0x1d0
[ 846.887694][T21828] ? copy_msghdr_from_user+0x460/0x460
[ 846.887696][T21828] ? insert_pfn+0x4b0/0x4b0
[ 846.887700][T21828] ? rcu_read_unlock+0x1b/0x70
[ 846.887702][T21828] ? do_pte_missing+0x54c/0xcf0
[ 846.887706][T21828] __sys_sendmsg+0x145/0x1f0
[ 846.887708][T21828] ? __sys_sendmsg_sock+0x20/0x20
[ 846.887710][T21828] ? down_write_nested+0x200/0x200
[ 846.887712][T21828] ? __lock_release.isra.0+0x6b/0x1a0
[ 846.887715][T21828] ? do_user_addr_fault+0x325/0xe30
[ 846.887717][T21828] ? rcu_is_watching+0x15/0xd0
[ 846.887718][T21828] ? rcu_is_watching+0x15/0xd0
[ 846.887720][T21828] do_syscall_64+0x117/0xfc0
[ 846.887723][T21828] ? trace_hardirqs_off+0xd/0x30
[ 846.887726][T21828] ? exc_page_fault+0xee/0x100
[ 846.887728][T21828] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 846.887731][T21828] RIP: 0033:0x7fc10ff6622e
[ 846.887734][T21828] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
[ 846.887736][T21828] RSP: 002b:00007ffe32ccc720 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[ 846.887740][T21828] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc10ff6622e
[ 846.887741][T21828] RDX: 0000000000000000 RSI: 00007ffe32ccc7f0 RDI: 0000000000000005
[ 846.887742][T21828] RBP: 00007ffe32ccc730 R08: 0000000000000000 R09: 0000000000000000
[ 846.887743][T21828] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000005
[ 846.887744][T21828] R13: 00000000124ee010 R14: 00007fc110138000 R15: 0000000000404e00
[ 846.887747][T21828]
[ 846.887747][T21828]
[ 846.894729][T21828] Allocated by task 21822:
[ 846.894816][T21828] kasan_save_stack+0x2f/0x50
[ 846.894898][T21828] kasan_save_track+0x14/0x30
[ 846.894984][T21828] __kasan_slab_alloc+0x60/0x70
[ 846.895071][T21828] kmem_cache_alloc_noprof+0x221/0x5f0
[ 846.895153][T21828] dst_alloc+0x79/0x160
[ 846.895214][T21828] ip6_rt_pcpu_alloc+0x21d/0x670
[ 846.895293][T21828] ip6_pol_route+0x634/0x9c0
[ 846.895377][T21828] fib6_rule_lookup+0x40d/0x5b0
[ 846.895459][T21828] ip6_route_output_flags+0x160/0x4a0
[ 846.895544][T21828] ip6_dst_lookup_tail.constprop.0+0xb0/0x860
[ 846.895643][T21828] ip6_dst_lookup_flow+0xf9/0x260
[ 846.895725][T21828] ip6_sk_dst_lookup_flow+0x391/0x7b0
[ 846.895833][T21828] udpv6_sendmsg+0x154e/0x2a00
[ 846.895920][T21828] ____sys_sendmsg+0x419/0x850
[ 846.896007][T21828] ___sys_sendmsg+0x14e/0x1d0
[ 846.896093][T21828] __sys_sendmsg+0x145/0x1f0
[ 846.896177][T21828] do_syscall_64+0x117/0xfc0
[ 846.896276][T21828] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 846.896375][T21828]
[ 846.896418][T21828] Freed by task 0:
[ 846.896480][T21828] kasan_save_stack+0x2f/0x50
[ 846.896563][T21828] kasan_save_track+0x14/0x30
[ 846.896644][T21828] kasan_save_free_info+0x3b/0x60
[ 846.896723][T21828] __kasan_slab_free+0x43/0x70
[ 846.896801][T21828] kmem_cache_free+0xf6/0x560
[ 846.896882][T21828] dst_destroy+0x239/0x360
[ 846.896969][T21828] rcu_do_batch+0x2b6/0x1010
[ 846.897056][T21828] rcu_core+0x2b7/0x630
[ 846.897118][T21828] handle_softirqs+0x1d8/0x930
[ 846.897200][T21828] __irq_exit_rcu+0x103/0x1c0
[ 846.897281][T21828] irq_exit_rcu+0xe/0x30
[ 846.897341][T21828] sysvec_apic_timer_interrupt+0x9d/0xe0
[ 846.897422][T21828] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 846.897522][T21828]
[ 846.897565][T21828] Last potentially related work creation:
[ 846.897648][T21828] kasan_save_stack+0x2f/0x50
[ 846.897731][T21828] kasan_record_aux_stack+0x9b/0xc0
[ 846.897810][T21828] __call_rcu_common.constprop.0+0xb2/0xa10
[ 846.897914][T21828] udpv6_sendmsg+0x2065/0x2a00
[ 846.898000][T21828] ____sys_sendmsg+0x419/0x850
[ 846.898084][T21828] ___sys_sendmsg+0x14e/0x1d0
[ 846.898165][T21828] __sys_sendmsg+0x145/0x1f0
[ 846.898245][T21828] do_syscall_64+0x117/0xfc0
[ 846.898328][T21828] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 846.898428][T21828]
[ 846.898471][T21828] The buggy address belongs to the object at ff11000019e11a80
[ 846.898471][T21828] which belongs to the cache ip6_dst_cache of size 232
[ 846.898688][T21828] The buggy address is located 152 bytes inside of
[ 846.898688][T21828] freed 232-byte region [ff11000019e11a80, ff11000019e11b68)
[ 846.898886][T21828]
[ 846.898933][T21828] The buggy address belongs to the physical page:
[ 846.899034][T21828] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff11000019e10740 pfn:0x19e10
[ 846.899200][T21828] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 846.899323][T21828] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 846.899430][T21828] page_type: f5(slab)
[ 846.899496][T21828] raw: 0080000000000240 ff11000009004040 ffd4000000711510 ff11000005f6b208
[ 846.899641][T21828] raw: ff11000019e10740 0000000000120003 00000000f5000000 0000000000000000
[ 846.899785][T21828] head: 0080000000000240 ff11000009004040 ffd4000000711510 ff11000005f6b208
[ 846.899936][T21828] head: ff11000019e10740 0000000000120003 00000000f5000000 0000000000000000
[ 846.900085][T21828] head: 0080000000000001 ffd4000000678401 00000000ffffffff 00000000ffffffff
[ 846.900228][T21828] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 846.900371][T21828] page dumped because: kasan: bad access detected
[ 846.900471][T21828]
[ 846.900511][T21828] Memory state around the buggy address:
[ 846.900592][T21828] ff11000019e11a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 846.900712][T21828] ff11000019e11a80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 846.900829][T21828] >ff11000019e11b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 846.900950][T21828] ^
[ 846.901030][T21828] ff11000019e11b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 846.901153][T21828] ff11000019e11c00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 846.901269][T21828] ==================================================================
[ 846.901395][T21828] Disabling lock debugging due to kernel taint
[ 851.703370][T22070] Oops: general protection fault, probably for non-canonical address 0xed6d696d6d6d6d8e: 0000 [#1] SMP KASAN
[ 851.703595][T22070] KASAN: maybe wild-memory-access in range [0x6b6b6b6b6b6b6c70-0x6b6b6b6b6b6b6c77]
[ 851.703731][T22070] CPU: 3 UID: 0 PID: 22070 Comm: cmsg_sender Tainted: G B 7.0.0-virtme #1 PREEMPT(full)
[ 851.703893][T22070] Tainted: [B]=BAD_PAGE
[ 851.703953][T22070] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 851.704068][T22070] RIP: 0010:ip6_pol_route+0x529/0x9c0
[ 851.704155][T22070] Code: 80 3c 02 00 0f 85 80 04 00 00 4c 8b 3b e8 7f 5e 40 00 48 b8 00 00 00 00 00 fc ff df 49 8d bf 08 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 4c 04 00 00 49 8b 97 08 01 00 00 be 04 00 00 00
[ 851.704423][T22070] RSP: 0018:ffa0000009d67388 EFLAGS: 00010216
[ 851.704526][T22070] RAX: dffffc0000000000 RBX: ff11000019e11a80 RCX: ffffffff9174dee1
[ 851.704639][T22070] RDX: 0d6d6d6d6d6d6d8e RSI: 0000000000000008 RDI: 6b6b6b6b6b6b6c73
[ 851.704751][T22070] RBP: 1ff40000013ace74 R08: 0000000000000000 R09: 0000000000000000
[ 851.704865][T22070] R10: 0000000000000000 R11: ff1100001bec02c0 R12: ff1100000fc83e40
[ 851.704983][T22070] R13: 000000006b6b6b6b R14: 0000000000000080 R15: 6b6b6b6b6b6b6b6b
[ 851.705102][T22070] FS: 00007fa1385b9740(0000) GS:ff110000d0e4c000(0000) knlGS:0000000000000000
[ 851.705235][T22070] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 851.705333][T22070] CR2: 00007fa13862c240 CR3: 00000000100b7006 CR4: 0000000000771ef0
[ 851.705449][T22070] PKRU: 55555554
[ 851.705508][T22070] Call Trace:
[ 851.705566][T22070]
[ 851.705606][T22070] ? ip6_pol_route_lookup+0x660/0x660
[ 851.705683][T22070] ? unwind_next_frame+0x69b/0x1ea0
[ 851.705762][T22070] ? lock_acquire+0x134/0x160
[ 851.705840][T22070] ? rcu_is_watching+0x15/0xd0
[ 851.705916][T22070] ? lock_release+0x17c/0x1f0
[ 851.705996][T22070] ? ip6_pol_route_input+0xa0/0xa0
[ 851.706073][T22070] __fib6_rule_action+0x2c2/0x710
[ 851.706150][T22070] fib_rules_lookup+0x869/0xc80
[ 851.706226][T22070] ? fib_nl_dumprule+0x810/0x810
[ 851.706303][T22070] ? rcu_is_watching+0x15/0xd0
[ 851.706378][T22070] ? lock_release+0x17c/0x1f0
[ 851.706455][T22070] ? ip6_pol_route_input+0xa0/0xa0
[ 851.706530][T22070] fib6_rule_lookup+0x35a/0x5b0
[ 851.706605][T22070] ? rcu_is_watching+0x15/0xd0
[ 851.706679][T22070] ? fib6_lookup+0x2f0/0x2f0
[ 851.706752][T22070] ? rcu_is_watching+0x15/0xd0
[ 851.706825][T22070] ? lock_acquire+0x134/0x160
[ 851.706904][T22070] ? rcu_is_watching+0x15/0xd0
[ 851.706989][T22070] ? ip6_pol_route_input+0xa0/0xa0
[ 851.707070][T22070] ? rcu_is_watching+0x15/0xd0
[ 851.707145][T22070] ? lock_acquire+0x134/0x160
[ 851.707223][T22070] ? lock_release+0x17c/0x1f0
[ 851.707298][T22070] ip6_route_output_flags+0x160/0x4a0
[ 851.707373][T22070] ip6_dst_lookup_tail.constprop.0+0xb0/0x860
[ 851.707467][T22070] ? rcu_is_watching+0x15/0xd0
[ 851.707542][T22070] ? lock_release+0x17c/0x1f0
[ 851.707618][T22070] ip6_dst_lookup_flow+0xf9/0x260
[ 851.707695][T22070] ? ip6_dst_lookup_tail.constprop.0+0x860/0x860
[ 851.707788][T22070] ? lock_release+0x17c/0x1f0
[ 851.707864][T22070] ? sk_dst_check+0x4e/0x400
[ 851.707940][T22070] ? sk_dst_check+0x2af/0x400
[ 851.708021][T22070] ip6_sk_dst_lookup_flow+0x391/0x7b0
[ 851.708106][T22070] udpv6_sendmsg+0x154e/0x2a00
[ 851.708182][T22070] ? lock_acquire+0x134/0x160
[ 851.708262][T22070] ? udpv6_splice_eof+0x1a0/0x1a0
[ 851.708338][T22070] ? trace_hardirqs_on+0x36/0x40
[ 851.708415][T22070] ? __local_bh_enable_ip+0xa5/0x140
[ 851.708494][T22070] ? trace_irq_enable.constprop.0+0x9b/0x180
[ 851.708587][T22070] ? trace_irq_disable.constprop.0+0x9b/0x180
[ 851.708682][T22070] ? trace_hardirqs_on+0x36/0x40
[ 851.708758][T22070] ? __local_bh_enable_ip+0xa5/0x140
[ 851.708835][T22070] ? inet_autobind+0x110/0x170
[ 851.708911][T22070] ? ____sys_sendmsg+0x419/0x850
[ 851.708990][T22070] ____sys_sendmsg+0x419/0x850
[ 851.709070][T22070] ? copy_msghdr_from_user+0x2a0/0x460
[ 851.709145][T22070] ? get_timestamp.constprop.0+0x390/0x390
[ 851.709238][T22070] ? move_addr_to_kernel+0x40/0x40
[ 851.709315][T22070] ___sys_sendmsg+0x14e/0x1d0
[ 851.709391][T22070] ? copy_msghdr_from_user+0x460/0x460
[ 851.709467][T22070] ? lock_acquire+0x134/0x160
[ 851.709541][T22070] ? rcu_is_watching+0x15/0xd0
[ 851.709618][T22070] ? do_pte_missing+0x7d4/0xcf0
[ 851.709694][T22070] ? lock_release+0x17c/0x1f0
[ 851.709770][T22070] ? rcu_is_watching+0x15/0xd0
[ 851.709845][T22070] __sys_sendmsg+0x145/0x1f0
[ 851.709922][T22070] ? __sys_sendmsg_sock+0x20/0x20
[ 851.710006][T22070] ? do_user_addr_fault+0x7a4/0xe30
[ 851.710088][T22070] ? rcu_is_watching+0x15/0xd0
[ 851.710164][T22070] ? rcu_is_watching+0x15/0xd0
[ 851.710239][T22070] do_syscall_64+0x117/0xfc0
[ 851.710315][T22070] ? trace_hardirqs_off+0xd/0x30
[ 851.710390][T22070] ? exc_page_fault+0xee/0x100
[ 851.710467][T22070] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 851.710562][T22070] RIP: 0033:0x7fa13862c22e
[ 851.710643][T22070] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
[ 851.710910][T22070] RSP: 002b:00007ffeccf8bff0 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[ 851.711034][T22070] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa13862c22e
[ 851.711153][T22070] RDX: 0000000000000000 RSI: 00007ffeccf8c0c0 RDI: 0000000000000005
[ 851.711267][T22070] RBP: 00007ffeccf8c000 R08: 0000000000000000 R09: 0000000000000000
[ 851.711378][T22070] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000005
[ 851.711491][T22070] R13: 000000000e935010 R14: 00007fa1387fe000 R15: 0000000000404e00
[ 851.711606][T22070]
[ 851.711664][T22070] Modules linked in: xfrm_user openvswitch psample nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nsh geneve vxlan act_csum act_pedit cls_flower sch_prio
[ 851.711905][T22070] ---[ end trace 0000000000000000 ]---
[ 851.711993][T22070] RIP: 0010:ip6_pol_route+0x529/0x9c0
[ 851.712115][T22070] Code: 80 3c 02 00 0f 85 80 04 00 00 4c 8b 3b e8 7f 5e 40 00 48 b8 00 00 00 00 00 fc ff df 49 8d bf 08 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 4c 04 00 00 49 8b 97 08 01 00 00 be 04 00 00 00
[ 851.712462][T22070] RSP: 0018:ffa0000009d67388 EFLAGS: 00010216
[ 851.712561][T22070] RAX: dffffc0000000000 RBX: ff11000019e11a80 RCX: ffffffff9174dee1
[ 851.712674][T22070] RDX: 0d6d6d6d6d6d6d8e RSI: 0000000000000008 RDI: 6b6b6b6b6b6b6c73
[ 851.712791][T22070] RBP: 1ff40000013ace74 R08: 0000000000000000 R09: 0000000000000000
[ 851.712910][T22070] R10: 0000000000000000 R11: ff1100001bec02c0 R12: ff1100000fc83e40
[ 851.713033][T22070] R13: 000000006b6b6b6b R14: 0000000000000080 R15: 6b6b6b6b6b6b6b6b
[ 851.713157][T22070] FS: 00007fa1385b9740(0000) GS:ff110000d0e4c000(0000) knlGS:0000000000000000
[ 851.713295][T22070] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 851.713399][T22070] CR2: 00007fa13862c240 CR3: 00000000100b7006 CR4: 0000000000771ef0
[ 851.713513][T22070] PKRU: 55555554
[ 851.713572][T22070] Kernel panic - not syncing: Fatal exception in interrupt
[ 851.713821][T22070] Kernel Offset: 0xdc00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 851.714010][T22070] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
WAIT TIMEOUT stderr
Ctrl-C stderr
Ctrl-C stderr
WAIT TIMEOUT stderr