intel / ccc-linux-guest-hardening

Linux Security Hardening for Confidential Compute
https://intel.github.io/ccc-linux-guest-hardening-docs
MIT License

KASAN: slab-out-of-bounds in virtio_check_driver_offered_feature Read of size N at addr M by task kworker/0:1/23 #99

Open ereshetova opened 1 year ago

ereshetova commented 1 year ago

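Found on kernel 6.0.0-rc2 via the US_DHCP harness. The out-of-bounds read is in virtio_check_driver_offered_feature, reached from virtnet_set_rx_mode -> virtnet_send_command: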

[hcat] udhcpc: sending discover

BUG: KASAN: slab-out-of-bounds in virtio_check_driver_offered_feature (drivers/virtio/virtio.c:112) Read of size 8 at addr ffff888007de0070 by task kworker/0:1/23

CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1 Workqueue: ipv6_addrconf addrconf_dad_work

Call Trace: dump_stack_lvl (arch/x86/include/asm/irqflags.h:137 lib/dump_stack.c:107) print_report.cold (mm/kasan/report.c:325 mm/kasan/report.c:440) ? virtio_check_driver_offered_feature (drivers/virtio/virtio.c:112) kasan_report (mm/kasan/report.c:504) ? virtio_check_driver_offered_feature (drivers/virtio/virtio.c:112) __asan_report_load8_noabort (mm/kasan/report_generic.c:307) virtio_check_driver_offered_feature (drivers/virtio/virtio.c:112) virtnet_send_command (include/linux/virtio_config.h:143 include/linux/virtio_config.h:191 drivers/net/virtio_net.c:1974) ? ret_from_fork (arch/x86/entry/entry_64.S:312) ? trace_xdp_exception (drivers/net/virtio_net.c:1968) ? __dev_printk (drivers/base/core.c:4772) ? _dev_warn (drivers/base/core.c:4816) ? uevent_store.cold (drivers/base/core.c:4816) ? alloc_debug_processing (mm/slub.c:1340) ? memset (mm/kasan/shadow.c:48) virtnet_set_rx_mode (drivers/net/virtio_net.c:2189) ? __ipv6_dev_mc_inc (include/linux/slab.h:600 include/linux/slab.h:733 net/ipv6/mcast.c:880 net/ipv6/mcast.c:936) ? kasan_poison (mm/kasan/shadow.c:99) ? free_receive_page_frags (drivers/net/virtio_net.c:2163) ? __hw_addr_add_ex (include/linux/rculist.h:128 net/core/dev_addr_lists.c:125) __dev_set_rx_mode (net/core/dev.c:8478) __dev_mc_add (include/linux/spinlock.h:392 include/linux/netdevice.h:4419 net/core/dev_addr_lists.c:872) dev_mc_add (net/core/dev_addr_lists.c:886) igmp6_group_added (net/ipv6/mcast.c:680) ? igmp6_join_group (net/ipv6/mcast.c:669) ? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525) ? kmem_cache_alloc_trace (mm/slub.c:3286) __ipv6_dev_mc_inc (net/ipv6/mcast.c:950) ? __kasan_check_write (mm/kasan/shadow.c:38) ? mutex_unlock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:449 include/linux/atomic/atomic-instrumented.h:1790 kernel/locking/mutex.c:181 kernel/locking/mutex.c:540) ipv6_dev_mc_inc (net/ipv6/mcast.c:958) addrconf_join_solict (net/ipv6/addrconf.c:2173) ? 
__mutex_lock_slowpath (kernel/locking/mutex.c:282) ? addrconf_dad_failure (net/ipv6/addrconf.c:2173) addrconf_dad_work (include/linux/bottom_half.h:13 net/ipv6/addrconf.c:3989 net/ipv6/addrconf.c:4112) ? __kasan_check_write (mm/kasan/shadow.c:38) ? addrconf_ifdown (net/ipv6/addrconf.c:4065) ? __kasan_check_read (mm/kasan/shadow.c:32) ? read_word_at_a_time (include/asm-generic/rwonce.h:86) ? strscpy (lib/string.c:204) process_one_work (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294) ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538) worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437) ? pci_mmcfg_check_reserved (kernel/sched/core.c:6376) ? process_one_work (kernel/workqueue.c:2379) kthread (kernel/kthread.c:376) ? calculate_sigpending (arch/x86/include/asm/preempt.h:103 include/linux/spinlock.h:399 kernel/signal.c:198) ? kthread_complete_and_exit (kernel/kthread.c:335) ret_from_fork (arch/x86/entry/entry_64.S:312)

Allocated by task 1: kasan_save_stack (mm/kasan/common.c:39) __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525) kmem_cache_alloc_trace (mm/slub.c:3286) kobject_uevent_env (lib/kobject_uevent.c:525) kobject_uevent (lib/kobject_uevent.c:643) tty_register_device_attr (drivers/tty/tty_io.c:3221) tty_register_driver (drivers/tty/tty_io.c:3454) pty_init (drivers/tty/pty.c:579 drivers/tty/pty.c:943) do_one_initcall (init/main.c:1421) kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768) kernel_init (init/main.c:1654) ret_from_fork (arch/x86/entry/entry_64.S:312)

Freed by task 1: kasan_save_stack (mm/kasan/common.c:39) kasan_set_track (mm/kasan/common.c:45) kasan_set_free_info (mm/kasan/generic.c:372) __kasan_slab_free (mm/kasan/common.c:369 mm/kasan/common.c:375) kfree (mm/slub.c:1780 mm/slub.c:3534 mm/slub.c:4562) kobject_uevent_env (lib/kobject_uevent.c:627) kobject_uevent (lib/kobject_uevent.c:643) tty_register_device_attr (drivers/tty/tty_io.c:3221) tty_register_driver (drivers/tty/tty_io.c:3454) pty_init (drivers/tty/pty.c:579 drivers/tty/pty.c:943) do_one_initcall (init/main.c:1421) kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768) kernel_init (init/main.c:1654) ret_from_fork (arch/x86/entry/entry_64.S:312)

The buggy address belongs to the object at ffff888007de1000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 3984 bytes to the left of 4096-byte region [ffff888007de1000, ffff888007de2000)

The buggy address belongs to the physical page: page:ffffea00001f7800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7de0 head:ffffea00001f7800 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x4000000000010200(slab|head|zone=1) raw: 4000000000010200 ffffea00001f7c08 ffffea00001f7608 ffff888005c424c0 raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff888007ddff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888007ddff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

ffff888007de0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888007de0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888007de0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Disabling lock debugging due to kernel taint

ereshetova commented 1 year ago

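A likely related crash: the same call path (virtnet_set_rx_mode -> virtnet_send_command) ends in a general protection fault in virtio_check_driver_offered_feature at drivers/virtio/virtio.c:114, on a non-canonical address: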

[hcat] udhcpc: sending discover general protection fault, probably for non-canonical address 0xf8b09de000479014: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN KASAN: maybe wild-memory-access in range [0xc5850f00023c80a0-0xc5850f00023c80a7] CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:virtio_check_driver_offered_feature (drivers/virtio/virtio.c:114) Code: 48 83 ec 08 80 3c 02 00 0f 85 a6 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 70 49 8d bf a0 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 35 01 00 00 45 8b af a0 00 00

All code

0: 48 83 ec 08 sub $0x8,%rsp 4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 8: 0f 85 a6 01 00 00 jne 0x1b4 e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 15: fc ff df 18: 4c 8b 7b 70 mov 0x70(%rbx),%r15 1c: 49 8d bf a0 00 00 00 lea 0xa0(%r15),%rdi 23: 48 89 fa mov %rdi,%rdx 26: 48 c1 ea 03 shr $0x3,%rdx 2a:* 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction 2e: 84 c0 test %al,%al 30: 74 08 je 0x3a 32: 3c 03 cmp $0x3,%al 34: 0f 8e 35 01 00 00 jle 0x16f 3a: 45 rex.RB 3b: 8b .byte 0x8b 3c: af scas %es:(%rdi),%eax 3d: a0 .byte 0xa0 ...

Code starting with the faulting instruction

0: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax 4: 84 c0 test %al,%al 6: 74 08 je 0x10 8: 3c 03 cmp $0x3,%al a: 0f 8e 35 01 00 00 jle 0x145 10: 45 rex.RB 11: 8b .byte 0x8b 12: af scas %es:(%rdi),%eax 13: a0 .byte 0xa0 ... RSP: 0018:ffffc9000017f808 EFLAGS: 00010a06 RAX: dffffc0000000000 RBX: ffff888002d6ea99 RCX: ffffc9000017fa08 RDX: 18b0a1e000479014 RSI: 0000000000000011 RDI: c5850f00023c80a3 RBP: ffffc9000017f830 R08: 0000000000000001 R09: 0000000000000000 R10: ffffc9000017fa18 R11: fffff5200002ff44 R12: ffffc9000017f978 R13: ffffc9000017fa08 R14: 0000000000000000 R15: c5850f00023c8003 FS: 0000000000000000(0000) GS:ffffffff83cac000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000615060 CR3: 0000000009927003 CR4: 00000000001706f0 Call Trace:

virtnet_send_command (include/linux/virtio_config.h:143 include/linux/virtio_config.h:191 drivers/net/virtio_net.c:1974) ? ret_from_fork (arch/x86/entry/entry_64.S:312) ? trace_xdp_exception (drivers/net/virtio_net.c:1968) ? __dev_printk (drivers/base/core.c:4772) ? _dev_warn (drivers/base/core.c:4816) ? uevent_store.cold (drivers/base/core.c:4816) ? alloc_debug_processing (mm/slub.c:1340) ? memset (mm/kasan/shadow.c:48) virtnet_set_rx_mode (drivers/net/virtio_net.c:2189) ? __ipv6_dev_mc_inc (include/linux/slab.h:600 include/linux/slab.h:733 net/ipv6/mcast.c:880 net/ipv6/mcast.c:936) ? kasan_poison (mm/kasan/shadow.c:99) ? free_receive_page_frags (drivers/net/virtio_net.c:2163) ? __hw_addr_add_ex (include/linux/rculist.h:128 net/core/dev_addr_lists.c:125) __dev_set_rx_mode (net/core/dev.c:8478) __dev_mc_add (include/linux/spinlock.h:392 include/linux/netdevice.h:4419 net/core/dev_addr_lists.c:872) dev_mc_add (net/core/dev_addr_lists.c:886) igmp6_group_added (net/ipv6/mcast.c:680) ? igmp6_join_group (net/ipv6/mcast.c:669) ? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525) ? kmem_cache_alloc_trace (mm/slub.c:3286) __ipv6_dev_mc_inc (net/ipv6/mcast.c:950) ? __kasan_check_write (mm/kasan/shadow.c:38) ? mutex_unlock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:449 include/linux/atomic/atomic-instrumented.h:1790 kernel/locking/mutex.c:181 kernel/locking/mutex.c:540) ipv6_dev_mc_inc (net/ipv6/mcast.c:958) addrconf_join_solict (net/ipv6/addrconf.c:2173) ? __mutex_lock_slowpath (kernel/locking/mutex.c:282) ? addrconf_dad_failure (net/ipv6/addrconf.c:2173) addrconf_dad_work (include/linux/bottom_half.h:13 net/ipv6/addrconf.c:3989 net/ipv6/addrconf.c:4112) ? __kasan_check_write (mm/kasan/shadow.c:38) ? addrconf_ifdown (net/ipv6/addrconf.c:4065) ? __kasan_check_read (mm/kasan/shadow.c:32) ? read_word_at_a_time (include/asm-generic/rwonce.h:86) ? 
strscpy (lib/string.c:204) process_one_work (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294) ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538) worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437) ? pci_mmcfg_check_reserved (kernel/sched/core.c:6376) ? process_one_work (kernel/workqueue.c:2379) kthread (kernel/kthread.c:376) ? calculate_sigpending (arch/x86/include/asm/preempt.h:103 include/linux/spinlock.h:399 kernel/signal.c:198) ? kthread_complete_and_exit (kernel/kthread.c:335) ret_from_fork (arch/x86/entry/entry_64.S:312)

Modules linked in: ---[ end trace 0000000000000000 ]---

ereshetova commented 1 year ago

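Another trace from the same call path, faulting at drivers/virtio/virtio.c:112 on an address KASAN classifies as a probable user-memory access: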

[hcat] udhcpc: sending discover general protection fault, probably for non-canonical address 0xdfffff400000000e: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN KASAN: probably user-memory-access in range [0x00001a0000000070-0x00001a0000000077] CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:virtio_check_driver_offered_feature (drivers/virtio/virtio.c:112) Code: 00 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41 57 41 56 41 55 53 48 89 fb 48 83 c7 70 48 89 fa 48 c1 ea 03 48 83 ec 08 <80> 3c 02 00 0f 85 a6 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b All code 0: 00 00 add %al,(%rax) 2: 00 48 b8 add %cl,-0x48(%rax) 5: 00 00 add %al,(%rax) 7: 00 00 add %al,(%rax) 9: 00 fc add %bh,%ah b: ff (bad)
c: df 55 48 fists 0x48(%rbp) f: 89 e5 mov %esp,%ebp 11: 41 57 push %r15 13: 41 56 push %r14 15: 41 55 push %r13 17: 53 push %rbx 18: 48 89 fb mov %rdi,%rbx 1b: 48 83 c7 70 add $0x70,%rdi 1f: 48 89 fa mov %rdi,%rdx 22: 48 c1 ea 03 shr $0x3,%rdx 26: 48 83 ec 08 sub $0x8,%rsp 2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction 2e: 0f 85 a6 01 00 00 jne 0x1da 34: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 3b: fc ff df 3e: 4c rex.WR 3f: 8b .byte 0x8b

Code starting with the faulting instruction 0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 4: 0f 85 a6 01 00 00 jne 0x1b0 a: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 11: fc ff df 14: 4c rex.WR 15: 8b .byte 0x8b RSP: 0018:ffffc9000017f808 EFLAGS: 00010292 RAX: dffffc0000000000 RBX: 00001a0000000000 RCX: ffffc9000017fa08 RDX: 000003400000000e RSI: 0000000000000011 RDI: 00001a0000000070 RBP: ffffc9000017f830 R08: 00000000563412ff R09: ffffed1001329e08 R10: 0000000000000001 R11: ffffed1001329e07 R12: ffffc9000017f978 R13: ffffc9000017fa08 R14: 0000000000000001 R15: 00001a0000000000 FS: 0000000000000000(0000) GS:ffffffff83cac000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000615060 CR3: 0000000009938005 CR4: 00000000001706f0 Call Trace:

? init_object (mm/slub.c:945) virtnet_send_command (include/linux/virtio_config.h:143 include/linux/virtio_config.h:191 drivers/net/virtio_net.c:1974) ? trace_xdp_exception (drivers/net/virtio_net.c:1968) ? __dev_printk (drivers/base/core.c:4772) ? virtnet_set_rx_mode (include/linux/slab.h:605 include/linux/slab.h:733 drivers/net/virtio_net.c:2197) ? _dev_warn (drivers/base/core.c:4816) ? uevent_store.cold (drivers/base/core.c:4816) ? kasan_poison (mm/kasan/shadow.c:99) ? kasan_unpoison (mm/kasan/shadow.c:108 mm/kasan/shadow.c:142) ? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525) virtnet_set_rx_mode (drivers/net/virtio_net.c:2225) ? free_receive_page_frags (drivers/net/virtio_net.c:2163) ? __hw_addr_add_ex (include/linux/rculist.h:128 net/core/dev_addr_lists.c:125) __dev_set_rx_mode (net/core/dev.c:8478) __dev_mc_add (include/linux/spinlock.h:392 include/linux/netdevice.h:4419 net/core/dev_addr_lists.c:872) dev_mc_add (net/core/dev_addr_lists.c:886) igmp6_group_added (net/ipv6/mcast.c:680) ? igmp6_join_group (net/ipv6/mcast.c:669) ? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525) ? kmem_cache_alloc_trace (mm/slub.c:3286) __ipv6_dev_mc_inc (net/ipv6/mcast.c:950) ? __kasan_check_write (mm/kasan/shadow.c:38) ? mutex_unlock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:449 include/linux/atomic/atomic-instrumented.h:1790 kernel/locking/mutex.c:181 kernel/locking/mutex.c:540) ipv6_dev_mc_inc (net/ipv6/mcast.c:958) addrconf_join_solict (net/ipv6/addrconf.c:2173) ? __mutex_lock_slowpath (kernel/locking/mutex.c:282) ? addrconf_dad_failure (net/ipv6/addrconf.c:2173) ? netdev_run_todo (include/linux/list.h:292 net/core/dev.c:10347) addrconf_dad_work (include/linux/bottom_half.h:13 net/ipv6/addrconf.c:3989 net/ipv6/addrconf.c:4112) ? addrconf_ifdown (net/ipv6/addrconf.c:4065) ? __kasan_check_read (mm/kasan/shadow.c:32) ? 
read_word_at_a_time (include/asm-generic/rwonce.h:86) ? strscpy (lib/string.c:204) process_one_work (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294) ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538) worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437) ? pci_mmcfg_check_reserved (kernel/sched/core.c:6376) ? process_one_work (kernel/workqueue.c:2379) kthread (kernel/kthread.c:376) ? calculate_sigpending (arch/x86/include/asm/preempt.h:103 include/linux/spinlock.h:399 kernel/signal.c:198) ? kthread_complete_and_exit (kernel/kthread.c:335) ret_from_fork (arch/x86/entry/entry_64.S:312)

Modules linked in: ---[ end trace 0000000000000000 ]---

ereshetova commented 1 year ago

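One more from the same call path, this time reported by KASAN as a null-ptr-deref at drivers/virtio/virtio.c:114: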

[hcat] udhcpc: sending discover general protection fault, probably for non-canonical address 0xdffffc0000000014: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN KASAN: null-ptr-deref in range [0x00000000000000a0-0x00000000000000a7] CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:virtio_check_driver_offered_feature (drivers/virtio/virtio.c:114) Code: 48 83 ec 08 80 3c 02 00 0f 85 a6 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 70 49 8d bf a0 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 35 01 00 00 45 8b af a0 00 00

All code 0: 48 83 ec 08 sub $0x8,%rsp 4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 8: 0f 85 a6 01 00 00 jne 0x1b4 e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 15: fc ff df 18: 4c 8b 7b 70 mov 0x70(%rbx),%r15 1c: 49 8d bf a0 00 00 00 lea 0xa0(%r15),%rdi 23: 48 89 fa mov %rdi,%rdx 26: 48 c1 ea 03 shr $0x3,%rdx 2a:* 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction 2e: 84 c0 test %al,%al 30: 74 08 je 0x3a 32: 3c 03 cmp $0x3,%al 34: 0f 8e 35 01 00 00 jle 0x16f 3a: 45 rex.RB 3b: 8b .byte 0x8b 3c: af scas %es:(%rdi),%eax 3d: a0 .byte 0xa0 ...

Code starting with the faulting instruction

0: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax 4: 84 c0 test %al,%al 6: 74 08 je 0x10 8: 3c 03 cmp $0x3,%al a: 0f 8e 35 01 00 00 jle 0x145 10: 45 rex.RB 11: 8b .byte 0x8b 12: af scas %es:(%rdi),%eax 13: a0 .byte 0xa0 ... RSP: 0018:ffffc9000017f808 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff888008462800 RCX: ffffc9000017fa08 RDX: 0000000000000014 RSI: 0000000000000011 RDI: 00000000000000a0 RBP: ffffc9000017f830 R08: 00000000563412ff R09: ffffed1001329c08 R10: 0000000000000001 R11: ffffed1001329c07 R12: ffffc9000017f978 R13: ffffc9000017fa08 R14: 0000000000000001 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffffffff83cac000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000615060 CR3: 0000000009927003 CR4: 00000000001706f0 Call Trace:

? init_object (mm/slub.c:945) virtnet_send_command (include/linux/virtio_config.h:143 include/linux/virtio_config.h:191 drivers/net/virtio_net.c:1974) ? trace_xdp_exception (drivers/net/virtio_net.c:1968) ? __dev_printk (drivers/base/core.c:4772) ? virtnet_set_rx_mode (include/linux/slab.h:605 include/linux/slab.h:733 drivers/net/virtio_net.c:2197) ? _dev_warn (drivers/base/core.c:4816) ? uevent_store.cold (drivers/base/core.c:4816) ? kasan_poison (mm/kasan/shadow.c:99) ? kasan_unpoison (mm/kasan/shadow.c:108 mm/kasan/shadow.c:142) ? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525) virtnet_set_rx_mode (drivers/net/virtio_net.c:2225) ? free_receive_page_frags (drivers/net/virtio_net.c:2163) ? __hw_addr_add_ex (include/linux/rculist.h:128 net/core/dev_addr_lists.c:125) __dev_set_rx_mode (net/core/dev.c:8478) __dev_mc_add (include/linux/spinlock.h:392 include/linux/netdevice.h:4419 net/core/dev_addr_lists.c:872) dev_mc_add (net/core/dev_addr_lists.c:886) igmp6_group_added (net/ipv6/mcast.c:680) ? igmp6_join_group (net/ipv6/mcast.c:669) ? __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525) ? kmem_cache_alloc_trace (mm/slub.c:3286) __ipv6_dev_mc_inc (net/ipv6/mcast.c:950) ? __kasan_check_write (mm/kasan/shadow.c:38) ? mutex_unlock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:449 include/linux/atomic/atomic-instrumented.h:1790 kernel/locking/mutex.c:181 kernel/locking/mutex.c:540) ipv6_dev_mc_inc (net/ipv6/mcast.c:958) addrconf_join_solict (net/ipv6/addrconf.c:2173) ? __mutex_lock_slowpath (kernel/locking/mutex.c:282) ? addrconf_dad_failure (net/ipv6/addrconf.c:2173) addrconf_dad_work (include/linux/bottom_half.h:13 net/ipv6/addrconf.c:3989 net/ipv6/addrconf.c:4112) ? __kasan_check_write (mm/kasan/shadow.c:38) ? addrconf_ifdown (net/ipv6/addrconf.c:4065) ? __kasan_check_read (mm/kasan/shadow.c:32) ? 
read_word_at_a_time (include/asm-generic/rwonce.h:86) ? strscpy (lib/string.c:204) process_one_work (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294) ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538) worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437) ? pci_mmcfg_check_reserved (kernel/sched/core.c:6376) ? process_one_work (kernel/workqueue.c:2379) kthread (kernel/kthread.c:376) ? calculate_sigpending (arch/x86/include/asm/preempt.h:103 include/linux/spinlock.h:399 kernel/signal.c:198) ? kthread_complete_and_exit (kernel/kthread.c:335) ret_from_fork (arch/x86/entry/entry_64.S:312)

Modules linked in: ---[ end trace 0000000000000000 ]---