[ 8.503345][ T191] ==================================================================
[ 8.503486][ T191] BUG: KASAN: slab-use-after-free in neigh_dump_info+0x4fe/0x570
[ 8.503600][ T191] Read of size 1 at addr ff1100000203fbd0 by task netlink-dumps/191
[ 8.503707][ T191]
[ 8.503749][ T191] CPU: 1 UID: 0 PID: 191 Comm: netlink-dumps Not tainted 7.1.0-rc4-virtme #1 PREEMPT(full)
[ 8.503752][ T191] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 8.503754][ T191] Call Trace:
[ 8.503755][ T191]
[ 8.503756][ T191] dump_stack_lvl+0x6f/0xa0
[ 8.503762][ T191] print_address_description.constprop.0+0x56/0x2d0
[ 8.503767][ T191] print_report+0xfc/0x1fa
[ 8.503769][ T191] ? __virt_addr_valid+0x102/0x440
[ 8.503773][ T191] ? __virt_addr_valid+0x1da/0x440
[ 8.503775][ T191] kasan_report+0x108/0x130
[ 8.503778][ T191] ? neigh_dump_info+0x4fe/0x570
[ 8.503781][ T191] ? neigh_dump_info+0x4fe/0x570
[ 8.503783][ T191] neigh_dump_info+0x4fe/0x570
[ 8.503785][ T191] ? __alloc_skb+0x342/0x5f0
[ 8.503788][ T191] ? __alloc_skb+0x4c2/0x5f0
[ 8.503789][ T191] ? neigh_proc_base_reachable_time+0x1b0/0x1b0
[ 8.503792][ T191] netlink_dump+0x4b8/0x12b0
[ 8.503796][ T191] ? netlink_lookup+0x1a0/0x1a0
[ 8.503799][ T191] ? kmem_cache_free+0xf8/0x560
[ 8.503802][ T191] netlink_recvmsg+0x693/0x960
[ 8.503804][ T191] ? netlink_dump+0x12b0/0x12b0
[ 8.503807][ T191] __sys_recvfrom+0x255/0x370
[ 8.503810][ T191] ? __ia32_sys_send+0x120/0x120
[ 8.503814][ T191] ? exc_page_fault+0x87/0x100
[ 8.503818][ T191] __x64_sys_recvfrom+0xe4/0x1f0
[ 8.503819][ T191] ? trace_irq_enable.constprop.0+0x9b/0x180
[ 8.503823][ T191] ? lockdep_hardirqs_on+0x8c/0x130
[ 8.503824][ T191] ? do_syscall_64+0x82/0xfc0
[ 8.503826][ T191] do_syscall_64+0x117/0xfc0
[ 8.503828][ T191] ? trace_hardirqs_off+0xd/0x30
[ 8.503830][ T191] ? exc_page_fault+0xee/0x100
[ 8.503831][ T191] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 8.503833][ T191] RIP: 0033:0x7f4100be408e
[ 8.503836][ T191] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
[ 8.503838][ T191] RSP: 002b:00007ffef541ec10 EFLAGS: 00000202 ORIG_RAX: 000000000000002d
[ 8.503841][ T191] RAX: ffffffffffffffda RBX: 00000000004062c0 RCX: 00007f4100be408e
[ 8.503843][ T191] RDX: 0000000000002000 RSI: 00007ffef541ec80 RDI: 0000000000000005
[ 8.503844][ T191] RBP: 00007ffef541ec20 R08: 0000000000000000 R09: 0000000000000000
[ 8.503845][ T191] R10: 0000000000000040 R11: 0000000000000202 R12: 0000000000000005
[ 8.503845][ T191] R13: 0000000000000018 R14: 000000000000001c R15: 0000000000000003
[ 8.503848][ T191]
[ 8.503848][ T191]
[ 8.507249][ T191] Allocated by task 191:
[ 8.507305][ T191] kasan_save_stack+0x2f/0x50
[ 8.507414][ T191] kasan_save_track+0x14/0x30
[ 8.507489][ T191] __kasan_slab_alloc+0x60/0x70
[ 8.507560][ T191] kmem_cache_alloc_node_noprof+0x224/0x640
[ 8.507647][ T191] kmalloc_reserve+0x103/0x2d0
[ 8.507752][ T191] __alloc_skb+0x11e/0x5f0
[ 8.507822][ T191] netlink_sendmsg+0x573/0xc60
[ 8.507892][ T191] __sys_sendto+0x2c9/0x400
[ 8.507971][ T191] __x64_sys_sendto+0xe4/0x1f0
[ 8.508076][ T191] do_syscall_64+0x117/0xfc0
[ 8.508147][ T191] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 8.508235][ T191]
[ 8.508272][ T191] Freed by task 191:
[ 8.508361][ T191] kasan_save_stack+0x2f/0x50
[ 8.508433][ T191] kasan_save_track+0x14/0x30
[ 8.508503][ T191] kasan_save_free_info+0x3b/0x60
[ 8.508573][ T191] __kasan_slab_free+0x43/0x70
[ 8.508679][ T191] kfree+0x123/0x5a0
[ 8.508732][ T191] skb_release_data+0x56c/0x8f0
[ 8.508805][ T191] consume_skb+0x8e/0xb0
[ 8.508861][ T191] netlink_unicast+0x48e/0x750
[ 8.508933][ T191] netlink_sendmsg+0x735/0xc60
[ 8.509047][ T191] __sys_sendto+0x2c9/0x400
[ 8.509117][ T191] __x64_sys_sendto+0xe4/0x1f0
[ 8.509191][ T191] do_syscall_64+0x117/0xfc0
[ 8.509263][ T191] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 8.509353][ T191]
[ 8.509390][ T191] The buggy address belongs to the object at ff1100000203fbc0
[ 8.509390][ T191] which belongs to the cache skbuff_small_head of size 640
[ 8.509616][ T191] The buggy address is located 16 bytes inside of
[ 8.509616][ T191] freed 640-byte region [ff1100000203fbc0, ff1100000203fe40)
[ 8.509791][ T191]
[ 8.509832][ T191] The buggy address belongs to the physical page:
[ 8.509956][ T191] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x203c
[ 8.510086][ T191] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 8.510195][ T191] flags: 0x80000000000040(head|node=0|zone=1)
[ 8.510325][ T191] page_type: f5(slab)
[ 8.510383][ T191] raw: 0080000000000040 ff11000001945e40 ffd4000000318310 ffd4000000335810
[ 8.510513][ T191] raw: 0000000000000000 0000000000120012 00000000f5000000 0000000000000000
[ 8.510679][ T191] head: 0080000000000040 ff11000001945e40 ffd4000000318310 ffd4000000335810
[ 8.510806][ T191] head: 0000000000000000 0000000000120012 00000000f5000000 0000000000000000
[ 8.510972][ T191] head: 0080000000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff
[ 8.511097][ T191] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 8.511260][ T191] page dumped because: kasan: bad access detected
[ 8.511350][ T191]
[ 8.511387][ T191] Memory state around the buggy address:
[ 8.511457][ T191] ff1100000203fa80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 8.511601][ T191] ff1100000203fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 8.511705][ T191] >ff1100000203fb80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 8.511809][ T191] ^
[ 8.511929][ T191] ff1100000203fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8.512035][ T191] ff1100000203fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8.512140][ T191] ==================================================================
[ 8.512795][ T191] Disabling lock debugging due to kernel taint
[ 8.513010][ T191] ------------[ cut here ]------------
[ 8.513161][ T191] refcount_t: underflow; use-after-free.
[ 8.513247][ T191] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x99/0xc0, CPU#1: netlink-dumps/191
[ 8.513403][ T191] Modules linked in:
[ 8.513462][ T191] CPU: 1 UID: 0 PID: 191 Comm: netlink-dumps Tainted: G B 7.1.0-rc4-virtme #1 PREEMPT(full)
[ 8.513627][ T191] Tainted: [B]=BAD_PAGE
[ 8.513682][ T191] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 8.513771][ T191] RIP: 0010:refcount_warn_saturate+0x99/0xc0
[ 8.513865][ T191] Code: b9 3a 5b 5d c3 48 8d 3d 35 ba 50 03 67 48 0f b9 3a 5b 5d c3 48 8d 3d 36 ba 50 03 67 48 0f b9 3a 5b 5d c3 48 8d 3d 37 ba 50 03 <67> 48 0f b9 3a 5b 5d c3 48 8d 3d 38 ba 50 03 67 48 0f b9 3a 5b 5d
[ 8.514125][ T191] RSP: 0018:ffa00000008b7a80 EFLAGS: 00010246
[ 8.514215][ T191] RAX: 0000000000000000 RBX: ff1100000d88bedc RCX: ffffffffa15fec28
[ 8.514322][ T191] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffffa4b0a640
[ 8.514436][ T191] RBP: 0000000000000003 R08: ffffffffa15feb85 R09: 1fe2200001b117db
[ 8.514544][ T191] R10: 0000000000000007 R11: ffe21c0001b117dc R12: 0000000000000000
[ 8.514649][ T191] R13: ff11000002998800 R14: ff1100000bcf4eb4 R15: ff1100000bcf4e40
[ 8.514758][ T191] FS: 00007f4100b71740(0000) GS:ff110000bfb45000(0000) knlGS:0000000000000000
[ 8.514886][ T191] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8.514983][ T191] CR2: 00007f4100b77a00 CR3: 000000000ffef002 CR4: 0000000000771ef0
[ 8.515090][ T191] PKRU: 55555554
[ 8.515144][ T191] Call Trace:
[ 8.515199][ T191]
[ 8.515236][ T191] netlink_dump+0xe60/0x12b0
[ 8.515309][ T191] ? netlink_lookup+0x1a0/0x1a0
[ 8.515385][ T191] ? kmem_cache_free+0xf8/0x560
[ 8.515457][ T191] netlink_recvmsg+0x693/0x960
[ 8.515529][ T191] ? netlink_dump+0x12b0/0x12b0
[ 8.515601][ T191] __sys_recvfrom+0x255/0x370
[ 8.515672][ T191] ? __ia32_sys_send+0x120/0x120
[ 8.515744][ T191] ? exc_page_fault+0x87/0x100
[ 8.515815][ T191] __x64_sys_recvfrom+0xe4/0x1f0
[ 8.515886][ T191] ? trace_irq_enable.constprop.0+0x9b/0x180
[ 8.515980][ T191] ? lockdep_hardirqs_on+0x8c/0x130
[ 8.516088][ T191] ? do_syscall_64+0x82/0xfc0
[ 8.516159][ T191] do_syscall_64+0x117/0xfc0
[ 8.516230][ T191] ? trace_hardirqs_off+0xd/0x30
[ 8.516301][ T191] ? exc_page_fault+0xee/0x100
[ 8.516417][ T191] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 8.516504][ T191] RIP: 0033:0x7f4100be408e
[ 8.516579][ T191] Code: 4d 89 d8 e8 94 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
[ 8.516865][ T191] RSP: 002b:00007ffef541ec10 EFLAGS: 00000202 ORIG_RAX: 000000000000002d
[ 8.516974][ T191] RAX: ffffffffffffffda RBX: 00000000004062c0 RCX: 00007f4100be408e
[ 8.517117][ T191] RDX: 0000000000002000 RSI: 00007ffef541ec80 RDI: 0000000000000005
[ 8.517225][ T191] RBP: 00007ffef541ec20 R08: 0000000000000000 R09: 0000000000000000
[ 8.517331][ T191] R10: 0000000000000040 R11: 0000000000000202 R12: 0000000000000005
[ 8.517480][ T191] R13: 0000000000000018 R14: 000000000000001c R15: 0000000000000003
[ 8.517592][ T191]
[ 8.517647][ T191] irq event stamp: 8361
[ 8.517735][ T191] hardirqs last enabled at (8361): [] finish_task_switch.isra.0+0x216/0x990
[ 8.517883][ T191] hardirqs last disabled at (8360): [] __schedule+0x1015/0x1a70
[ 8.518046][ T191] softirqs last enabled at (8318): [] __alloc_skb+0x4c2/0x5f0
[ 8.518169][ T191] softirqs last disabled at (8316): [] __alloc_skb+0x4c2/0x5f0
[ 8.518292][ T191] ---[ end trace 0000000000000000 ]---