general protection fault in netif_napi_del (2)
6 views
Skip to first unread message
syzbot
Jun 13, 2022, 12:31:23 PM6/13/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15982a10080000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=0c692ad3fdee109cfb82
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0c692a...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
MTD: Attempt to mount non-MTD device "/dev/loop4"
general protection fault: 0000 [#1] PREEMPT SMP KASAN
romfs: Mounting image 'rom 5f663c08' through the block layer
CPU: 1 PID: 8849 Comm: kworker/u4:5 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:flush_gro_hash net/core/dev.c:6241 [inline]
RIP: 0010:netif_napi_del+0x1fe/0x380 net/core/dev.c:6256
Code: 28 00 0f 85 10 01 00 00 49 39 ec 48 8b 5d 00 75 05 eb 2d 48 89 c3 e8 c1 8d ec fa 48 89 ef e8 a9 bc fa ff 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 d6 00 00 00 49 39 dc 48 8b 03 48 89 dd 75 d3
IPVS: ftp: loaded support on port[0] = 21
RSP: 0018:ffff88809bcef9b8 EFLAGS: 00010203
RAX: 0b1ffffd1ffff952 RBX: 58ffffe8ffffca97 RCX: ffffffff8670b76b
RDX: 0000000000000000 RSI: ffffffff8675f7b7 RDI: 0000000000000001
RBP: ffffe8ffffca9759 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffe8ffffca9758
R13: dffffc0000000000 R14: 0000000000000000 R15: ffffe8ffffca9718
FS: 0000000000000000(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4b048a5fc8 CR3: 000000008fa89000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'.
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
gro_cells_destroy net/core/gro_cells.c:102 [inline]
gro_cells_destroy+0x10b/0x340 net/core/gro_cells.c:92
ip_tunnel_dev_free+0x15/0x60 net/ipv4/ip_tunnel.c:975
netdev_run_todo+0x6d2/0xab0 net/core/dev.c:9000
ip_tunnel_delete_nets+0x3d8/0x580 net/ipv4/ip_tunnel.c:1089
ops_exit_list+0xf9/0x150 net/core/net_namespace.c:156
cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:554
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz"
gfs2: fsid=syz:syz: Now mounting FS...
gfs2: fsid=syz:syz.0: journal 0 mapped with 1 extents
gfs2: fsid=syz:syz.0: jid=0, already locked for use
gfs2: fsid=syz:syz.0: jid=0: Looking at journal...
gfs2: fsid=syz:syz.0: jid=0: Done
gfs2: fsid=syz:syz.0: first mount done, others may mount
gfs2: fsid=syz:syz.0: can't start logd thread: -4
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'.
gfs2: fsid=syz:syz.0: can't make FS RW: -4
---[ end trace 647e026c6230955e ]---
RIP: 0010:flush_gro_hash net/core/dev.c:6241 [inline]
RIP: 0010:netif_napi_del+0x1fe/0x380 net/core/dev.c:6256
Code: 28 00 0f 85 10 01 00 00 49 39 ec 48 8b 5d 00 75 05 eb 2d 48 89 c3 e8 c1 8d ec fa 48 89 ef e8 a9 bc fa ff 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 d6 00 00 00 49 39 dc 48 8b 03 48 89 dd 75 d3
RSP: 0018:ffff88809bcef9b8 EFLAGS: 00010203
RAX: 0b1ffffd1ffff952 RBX: 58ffffe8ffffca97 RCX: ffffffff8670b76b
RDX: 0000000000000000 RSI: ffffffff8675f7b7 RDI: 0000000000000001
RBP: ffffe8ffffca9759 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffe8ffffca9758
R13: dffffc0000000000 R14: 0000000000000000 R15: ffffe8ffffca9718
FS: 0000000000000000(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c00ee7e408 CR3: 00000000b3e61000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 28 00 sub %al,(%rax)
2: 0f 85 10 01 00 00 jne 0x118
8: 49 39 ec cmp %rbp,%r12
b: 48 8b 5d 00 mov 0x0(%rbp),%rbx
f: 75 05 jne 0x16
11: eb 2d jmp 0x40
13: 48 89 c3 mov %rax,%rbx
16: e8 c1 8d ec fa callq 0xfaec8ddc
1b: 48 89 ef mov %rbp,%rdi
1e: e8 a9 bc fa ff callq 0xfffabccc
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 0f 85 d6 00 00 00 jne 0x10b
35: 49 39 dc cmp %rbx,%r12
38: 48 8b 03 mov (%rbx),%rax
3b: 48 89 dd mov %rbx,%rbp
3e: 75 d3 jne 0x13
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15982a10080000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=0c692ad3fdee109cfb82
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0c692a...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
MTD: Attempt to mount non-MTD device "/dev/loop4"
general protection fault: 0000 [#1] PREEMPT SMP KASAN
romfs: Mounting image 'rom 5f663c08' through the block layer
CPU: 1 PID: 8849 Comm: kworker/u4:5 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:flush_gro_hash net/core/dev.c:6241 [inline]
RIP: 0010:netif_napi_del+0x1fe/0x380 net/core/dev.c:6256
Code: 28 00 0f 85 10 01 00 00 49 39 ec 48 8b 5d 00 75 05 eb 2d 48 89 c3 e8 c1 8d ec fa 48 89 ef e8 a9 bc fa ff 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 d6 00 00 00 49 39 dc 48 8b 03 48 89 dd 75 d3
IPVS: ftp: loaded support on port[0] = 21
RSP: 0018:ffff88809bcef9b8 EFLAGS: 00010203
RAX: 0b1ffffd1ffff952 RBX: 58ffffe8ffffca97 RCX: ffffffff8670b76b
RDX: 0000000000000000 RSI: ffffffff8675f7b7 RDI: 0000000000000001
RBP: ffffe8ffffca9759 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffe8ffffca9758
R13: dffffc0000000000 R14: 0000000000000000 R15: ffffe8ffffca9718
FS: 0000000000000000(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4b048a5fc8 CR3: 000000008fa89000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'.
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
gro_cells_destroy net/core/gro_cells.c:102 [inline]
gro_cells_destroy+0x10b/0x340 net/core/gro_cells.c:92
ip_tunnel_dev_free+0x15/0x60 net/ipv4/ip_tunnel.c:975
netdev_run_todo+0x6d2/0xab0 net/core/dev.c:9000
ip_tunnel_delete_nets+0x3d8/0x580 net/ipv4/ip_tunnel.c:1089
ops_exit_list+0xf9/0x150 net/core/net_namespace.c:156
cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:554
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz"
gfs2: fsid=syz:syz: Now mounting FS...
gfs2: fsid=syz:syz.0: journal 0 mapped with 1 extents
gfs2: fsid=syz:syz.0: jid=0, already locked for use
gfs2: fsid=syz:syz.0: jid=0: Looking at journal...
gfs2: fsid=syz:syz.0: jid=0: Done
gfs2: fsid=syz:syz.0: first mount done, others may mount
gfs2: fsid=syz:syz.0: can't start logd thread: -4
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'.
gfs2: fsid=syz:syz.0: can't make FS RW: -4
---[ end trace 647e026c6230955e ]---
RIP: 0010:flush_gro_hash net/core/dev.c:6241 [inline]
RIP: 0010:netif_napi_del+0x1fe/0x380 net/core/dev.c:6256
Code: 28 00 0f 85 10 01 00 00 49 39 ec 48 8b 5d 00 75 05 eb 2d 48 89 c3 e8 c1 8d ec fa 48 89 ef e8 a9 bc fa ff 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 d6 00 00 00 49 39 dc 48 8b 03 48 89 dd 75 d3
RSP: 0018:ffff88809bcef9b8 EFLAGS: 00010203
RAX: 0b1ffffd1ffff952 RBX: 58ffffe8ffffca97 RCX: ffffffff8670b76b
RDX: 0000000000000000 RSI: ffffffff8675f7b7 RDI: 0000000000000001
RBP: ffffe8ffffca9759 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffe8ffffca9758
R13: dffffc0000000000 R14: 0000000000000000 R15: ffffe8ffffca9718
FS: 0000000000000000(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c00ee7e408 CR3: 00000000b3e61000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 28 00 sub %al,(%rax)
2: 0f 85 10 01 00 00 jne 0x118
8: 49 39 ec cmp %rbp,%r12
b: 48 8b 5d 00 mov 0x0(%rbp),%rbx
f: 75 05 jne 0x16
11: eb 2d jmp 0x40
13: 48 89 c3 mov %rax,%rbx
16: e8 c1 8d ec fa callq 0xfaec8ddc
1b: 48 89 ef mov %rbp,%rdi
1e: e8 a9 bc fa ff callq 0xfffabccc
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 0f 85 d6 00 00 00 jne 0x10b
35: 49 39 dc cmp %rbx,%r12
38: 48 8b 03 mov (%rbx),%rax
3b: 48 89 dd mov %rbx,%rbp
3e: 75 d3 jne 0x13
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Jun 19, 2022, 12:26:28 PM6/19/22
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1112348ff00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11603bb0080000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0c692a...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in flush_gro_hash net/core/dev.c:6241 [inline]
BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x301/0x380 net/core/dev.c:6256
Read of size 8 at addr ffff888095f305d8 by task syz-executor266/8112
CPU: 1 PID: 8112 Comm: syz-executor266 Not tainted 4.19.211-syzkaller #0
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
flush_gro_hash net/core/dev.c:6241 [inline]
netif_napi_del+0x301/0x380 net/core/dev.c:6256
free_netdev+0x21f/0x410 net/core/dev.c:9250
netdev_run_todo+0x89b/0xab0 net/core/dev.c:9002
rtnl_unlock net/core/rtnetlink.c:117 [inline]
rtnetlink_rcv_msg+0x460/0xb80 net/core/rtnetlink.c:4783
netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2463
netlink_unicast_kernel net/netlink/af_netlink.c:1325 [inline]
netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1351
netlink_sendmsg+0x6c3/0xc50 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:661
___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227
__sys_sendmsg net/socket.c:2265 [inline]
__do_sys_sendmsg net/socket.c:2274 [inline]
__se_sys_sendmsg net/socket.c:2272 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2272
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f76c2ef8da9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f76c2eaa308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f76c2f82428 RCX: 00007f76c2ef8da9
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
RBP: 00007f76c2f82420 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f76c2f8242c
R13: 00007f76c2f4f174 R14: 74656e2f7665642f R15: 0000000000022000
Allocated by task 8117:
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node+0x4c/0x70 mm/slab.c:3696
kmalloc_node include/linux/slab.h:557 [inline]
kvmalloc_node+0xb4/0xf0 mm/util.c:423
kvmalloc include/linux/mm.h:577 [inline]
kvzalloc include/linux/mm.h:585 [inline]
alloc_netdev_mqs+0x97/0xd50 net/core/dev.c:9152
__tun_chr_ioctl.isra.0+0x2184/0x3d00 drivers/net/tun.c:2628
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff888095f30680
which belongs to the cache kmalloc-16384 of size 16384
The buggy address is located 168 bytes to the left of
16384-byte region [ffff888095f30680, ffff888095f34680)
The buggy address belongs to the page:
page:ffffea000257cc00 count:1 mapcount:0 mapping:ffff88813bff2200 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea000255ea08 ffff88813bff1c48 ffff88813bff2200
raw: 0000000000000000 ffff888095f30680 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888095f30480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888095f30500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888095f30580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888095f30600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888095f30680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=0c692ad3fdee109cfb82
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=168501f8080000
dashboard link: https://syzkaller.appspot.com/bug?extid=0c692ad3fdee109cfb82
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11603bb0080000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0c692a...@syzkaller.appspotmail.com
IPVS: ftp: loaded support on port[0] = 21
netlink: 20 bytes leftover after parsing attributes in process `syz-executor266'.
==================================================================
BUG: KASAN: slab-out-of-bounds in flush_gro_hash net/core/dev.c:6241 [inline]
BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x301/0x380 net/core/dev.c:6256
Read of size 8 at addr ffff888095f305d8 by task syz-executor266/8112
CPU: 1 PID: 8112 Comm: syz-executor266 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
flush_gro_hash net/core/dev.c:6241 [inline]
netif_napi_del+0x301/0x380 net/core/dev.c:6256
free_netdev+0x21f/0x410 net/core/dev.c:9250
netdev_run_todo+0x89b/0xab0 net/core/dev.c:9002
rtnl_unlock net/core/rtnetlink.c:117 [inline]
rtnetlink_rcv_msg+0x460/0xb80 net/core/rtnetlink.c:4783
netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2463
netlink_unicast_kernel net/netlink/af_netlink.c:1325 [inline]
netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1351
netlink_sendmsg+0x6c3/0xc50 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:661
___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227
__sys_sendmsg net/socket.c:2265 [inline]
__do_sys_sendmsg net/socket.c:2274 [inline]
__se_sys_sendmsg net/socket.c:2272 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2272
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f76c2ef8da9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f76c2eaa308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f76c2f82428 RCX: 00007f76c2ef8da9
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
RBP: 00007f76c2f82420 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f76c2f8242c
R13: 00007f76c2f4f174 R14: 74656e2f7665642f R15: 0000000000022000
Allocated by task 8117:
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node+0x4c/0x70 mm/slab.c:3696
kmalloc_node include/linux/slab.h:557 [inline]
kvmalloc_node+0xb4/0xf0 mm/util.c:423
kvmalloc include/linux/mm.h:577 [inline]
kvzalloc include/linux/mm.h:585 [inline]
alloc_netdev_mqs+0x97/0xd50 net/core/dev.c:9152
__tun_chr_ioctl.isra.0+0x2184/0x3d00 drivers/net/tun.c:2628
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff888095f30680
which belongs to the cache kmalloc-16384 of size 16384
The buggy address is located 168 bytes to the left of
16384-byte region [ffff888095f30680, ffff888095f34680)
The buggy address belongs to the page:
page:ffffea000257cc00 count:1 mapcount:0 mapping:ffff88813bff2200 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea000255ea08 ffff88813bff1c48 ffff88813bff2200
raw: 0000000000000000 ffff888095f30680 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888095f30480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888095f30500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888095f30580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888095f30600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888095f30680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
Reply all
Reply to author
Forward
0 new messages