Date: Wed, 26 Apr 2023 16:38:42 +0200
From: Simon Horman
To: Vlad Buslov
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, marcelo.leitner@gmail.com, pablo@netfilter.org
Subject: Re: [PATCH net] net/sched: cls_api: remove block_cb from driver_list before freeing
References: <20230426123111.2151294-1-vladbu@nvidia.com>
In-Reply-To: <20230426123111.2151294-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

On Wed, Apr 26, 2023 at 02:31:11PM +0200, Vlad Buslov wrote:
> Error handler of tcf_block_bind() frees the whole bo->cb_list on error.
> However, by that time the flow_block_cb instances are already in the driver
> list because driver ndo_setup_tc() callback is called before that up the
> call chain in tcf_block_offload_cmd(). This leaves dangling pointers to
> freed objects in the list and causes use-after-free[0]. Fix it by also
> removing flow_block_cb instances from driver_list before deallocating them.
>
> [0]:
> [ 279.868433] ==================================================================
> [ 279.869964] BUG: KASAN: slab-use-after-free in flow_block_cb_setup_simple+0x631/0x7c0
> [ 279.871527] Read of size 8 at addr ffff888147e2bf20 by task tc/2963
>
> [ 279.873151] CPU: 6 PID: 2963 Comm: tc Not tainted 6.3.0-rc6+ #4
> [ 279.874273] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> [ 279.876295] Call Trace:
> [ 279.876882]
> [ 279.877413] dump_stack_lvl+0x33/0x50
> [ 279.878198] print_report+0xc2/0x610
> [ 279.878987] ? flow_block_cb_setup_simple+0x631/0x7c0
> [ 279.879994] kasan_report+0xae/0xe0
> [ 279.880750] ? flow_block_cb_setup_simple+0x631/0x7c0
> [ 279.881744] ? mlx5e_tc_reoffload_flows_work+0x240/0x240 [mlx5_core]
> [ 279.883047] flow_block_cb_setup_simple+0x631/0x7c0
> [ 279.884027] tcf_block_offload_cmd.isra.0+0x189/0x2d0
> [ 279.885037] ? tcf_block_setup+0x6b0/0x6b0
> [ 279.885901] ? mutex_lock+0x7d/0xd0
> [ 279.886669] ? __mutex_unlock_slowpath.constprop.0+0x2d0/0x2d0
> [ 279.887844] ? ingress_init+0x1c0/0x1c0 [sch_ingress]
> [ 279.888846] tcf_block_get_ext+0x61c/0x1200
> [ 279.889711] ingress_init+0x112/0x1c0 [sch_ingress]
> [ 279.890682] ? clsact_init+0x2b0/0x2b0 [sch_ingress]
> [ 279.891701] qdisc_create+0x401/0xea0
> [ 279.892485] ? qdisc_tree_reduce_backlog+0x470/0x470
> [ 279.893473] tc_modify_qdisc+0x6f7/0x16d0
> [ 279.894344] ? tc_get_qdisc+0xac0/0xac0
> [ 279.895213] ? mutex_lock+0x7d/0xd0
> [ 279.896005] ? __mutex_lock_slowpath+0x10/0x10
> [ 279.896910] rtnetlink_rcv_msg+0x5fe/0x9d0
> [ 279.897770] ? rtnl_calcit.isra.0+0x2b0/0x2b0
> [ 279.898672] ? __sys_sendmsg+0xb5/0x140
> [ 279.899494] ? do_syscall_64+0x3d/0x90
> [ 279.900302] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
> [ 279.901337] ? kasan_save_stack+0x2e/0x40
> [ 279.902177] ? kasan_save_stack+0x1e/0x40
> [ 279.903058] ? kasan_set_track+0x21/0x30
> [ 279.903913] ? kasan_save_free_info+0x2a/0x40
> [ 279.904836] ? ____kasan_slab_free+0x11a/0x1b0
> [ 279.905741] ? kmem_cache_free+0x179/0x400
> [ 279.906599] netlink_rcv_skb+0x12c/0x360
> [ 279.907450] ? rtnl_calcit.isra.0+0x2b0/0x2b0
> [ 279.908360] ? netlink_ack+0x1550/0x1550
> [ 279.909192] ? rhashtable_walk_peek+0x170/0x170
> [ 279.910135] ? kmem_cache_alloc_node+0x1af/0x390
> [ 279.911086] ? _copy_from_iter+0x3d6/0xc70
> [ 279.912031] netlink_unicast+0x553/0x790
> [ 279.912864] ? netlink_attachskb+0x6a0/0x6a0
> [ 279.913763] ? netlink_recvmsg+0x416/0xb50
> [ 279.914627] netlink_sendmsg+0x7a1/0xcb0
> [ 279.915473] ? netlink_unicast+0x790/0x790
> [ 279.916334] ? iovec_from_user.part.0+0x4d/0x220
> [ 279.917293] ? netlink_unicast+0x790/0x790
> [ 279.918159] sock_sendmsg+0xc5/0x190
> [ 279.918938] ____sys_sendmsg+0x535/0x6b0
> [ 279.919813] ? import_iovec+0x7/0x10
> [ 279.920601] ? kernel_sendmsg+0x30/0x30
> [ 279.921423] ? __copy_msghdr+0x3c0/0x3c0
> [ 279.922254] ? import_iovec+0x7/0x10
> [ 279.923041] ___sys_sendmsg+0xeb/0x170
> [ 279.923854] ? copy_msghdr_from_user+0x110/0x110
> [ 279.924797] ? ___sys_recvmsg+0xd9/0x130
> [ 279.925630] ? __perf_event_task_sched_in+0x183/0x470
> [ 279.926656] ? ___sys_sendmsg+0x170/0x170
> [ 279.927529] ? ctx_sched_in+0x530/0x530
> [ 279.928369] ? update_curr+0x283/0x4f0
> [ 279.929185] ? perf_event_update_userpage+0x570/0x570
> [ 279.930201] ? __fget_light+0x57/0x520
> [ 279.931023] ? __switch_to+0x53d/0xe70
> [ 279.931846] ? sockfd_lookup_light+0x1a/0x140
> [ 279.932761] __sys_sendmsg+0xb5/0x140
> [ 279.933560] ? __sys_sendmsg_sock+0x20/0x20
> [ 279.934436] ? fpregs_assert_state_consistent+0x1d/0xa0
> [ 279.935490] do_syscall_64+0x3d/0x90
> [ 279.936300] entry_SYSCALL_64_after_hwframe+0x46/0xb0
> [ 279.937311] RIP: 0033:0x7f21c814f887
> [ 279.938085] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
> [ 279.941448] RSP: 002b:00007fff11efd478 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> [ 279.942964] RAX: ffffffffffffffda RBX: 0000000064401979 RCX: 00007f21c814f887
> [ 279.944337] RDX: 0000000000000000 RSI: 00007fff11efd4e0 RDI: 0000000000000003
> [ 279.945660] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
> [ 279.947003] R10: 00007f21c8008708 R11: 0000000000000246 R12: 0000000000000001
> [ 279.948345] R13: 0000000000409980 R14: 000000000047e538 R15: 0000000000485400
> [ 279.949690]
>
> [ 279.950706] Allocated by task 2960:
> [ 279.951471] kasan_save_stack+0x1e/0x40
> [ 279.952338] kasan_set_track+0x21/0x30
> [ 279.953165] __kasan_kmalloc+0x77/0x90
> [ 279.954006] flow_block_cb_setup_simple+0x3dd/0x7c0
> [ 279.955001] tcf_block_offload_cmd.isra.0+0x189/0x2d0
> [ 279.956020] tcf_block_get_ext+0x61c/0x1200
> [ 279.956881] ingress_init+0x112/0x1c0 [sch_ingress]
> [ 279.957873] qdisc_create+0x401/0xea0
> [ 279.958656] tc_modify_qdisc+0x6f7/0x16d0
> [ 279.959506] rtnetlink_rcv_msg+0x5fe/0x9d0
> [ 279.960392] netlink_rcv_skb+0x12c/0x360
> [ 279.961216] netlink_unicast+0x553/0x790
> [ 279.962044] netlink_sendmsg+0x7a1/0xcb0
> [ 279.962906] sock_sendmsg+0xc5/0x190
> [ 279.963702] ____sys_sendmsg+0x535/0x6b0
> [ 279.964534] ___sys_sendmsg+0xeb/0x170
> [ 279.965343] __sys_sendmsg+0xb5/0x140
> [ 279.966132] do_syscall_64+0x3d/0x90
> [ 279.966908] entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> [ 279.968407] Freed by task 2960:
> [ 279.969114] kasan_save_stack+0x1e/0x40
> [ 279.969929] kasan_set_track+0x21/0x30
> [ 279.970729] kasan_save_free_info+0x2a/0x40
> [ 279.971603] ____kasan_slab_free+0x11a/0x1b0
> [ 279.972483] __kmem_cache_free+0x14d/0x280
> [ 279.973337] tcf_block_setup+0x29d/0x6b0
> [ 279.974173] tcf_block_offload_cmd.isra.0+0x226/0x2d0
> [ 279.975186] tcf_block_get_ext+0x61c/0x1200
> [ 279.976080] ingress_init+0x112/0x1c0 [sch_ingress]
> [ 279.977065] qdisc_create+0x401/0xea0
> [ 279.977857] tc_modify_qdisc+0x6f7/0x16d0
> [ 279.978695] rtnetlink_rcv_msg+0x5fe/0x9d0
> [ 279.979562] netlink_rcv_skb+0x12c/0x360
> [ 279.980388] netlink_unicast+0x553/0x790
> [ 279.981214] netlink_sendmsg+0x7a1/0xcb0
> [ 279.982043] sock_sendmsg+0xc5/0x190
> [ 279.982827] ____sys_sendmsg+0x535/0x6b0
> [ 279.983703] ___sys_sendmsg+0xeb/0x170
> [ 279.984510] __sys_sendmsg+0xb5/0x140
> [ 279.985298] do_syscall_64+0x3d/0x90
> [ 279.986076] entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> [ 279.987532] The buggy address belongs to the object at ffff888147e2bf00
> which belongs to the cache kmalloc-192 of size 192
> [ 279.989747] The buggy address is located 32 bytes inside of
> freed 192-byte region [ffff888147e2bf00, ffff888147e2bfc0)
>
> [ 279.992367] The buggy address belongs to the physical page:
> [ 279.993430] page:00000000550f405c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x147e2a
> [ 279.995182] head:00000000550f405c order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> [ 279.996713] anon flags: 0x200000000010200(slab|head|node=0|zone=2)
> [ 279.997878] raw: 0200000000010200 ffff888100042a00 0000000000000000 dead000000000001
> [ 279.999384] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
> [ 280.000894] page dumped because: kasan: bad access detected
>
> [ 280.002386] Memory state around the buggy address:
> [ 280.003338] ffff888147e2be00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 280.004781] ffff888147e2be80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> [ 280.006224] >ffff888147e2bf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 280.007700] ^
> [ 280.008592] ffff888147e2bf80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> [ 280.010035] ffff888147e2c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 280.011564] ==================================================================
>
> Fixes: 59094b1e5094 ("net: sched: use flow block API")
> Signed-off-by: Vlad Buslov

Reviewed-by: Simon Horman
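
The lifetime bug described in the quoted commit message, as an added userspace model (not code from the patch or from the kernel): an object linked on two lists is released by an error unwind that drains only one of them. `struct block_cb`, `cb_of()` and `dangling_after_unwind()` are names made up for this example, and a `freed` flag stands in for kfree() so that the final list walk stays well defined.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Userspace stand-in for the kernel's list_head (constructed for this example). */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_del(struct list_head *n) { n->prev->next = n->next; n->next->prev = n->prev; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

/* Simplified model of a flow_block_cb: one object, linked on two lists. */
struct block_cb {
	struct list_head list;        /* membership in bo->cb_list */
	struct list_head driver_list; /* membership in the driver's list */
	bool freed;                   /* marks where kfree() would run; memory stays valid here */
};
#define cb_of(p, member) \
	((struct block_cb *)((char *)(p) - offsetof(struct block_cb, member)))

/* Returns how many released objects the driver list still references. */
int dangling_after_unwind(int ncb, bool unlink_driver_list)
{
	struct list_head cb_list, driver_list, *p, *next;
	struct block_cb *pool = ncb > 0 ? calloc((size_t)ncb, sizeof(*pool)) : NULL;
	int dangling = 0;

	if (!pool) return -1;
	list_init(&cb_list); list_init(&driver_list);
	for (int i = 0; i < ncb; i++) { /* driver callback ran first: both lists populated */
		list_add_tail(&pool[i].driver_list, &driver_list);
		list_add_tail(&pool[i].list, &cb_list);
	}
	for (p = cb_list.next; p != &cb_list; p = next) { /* error unwind over cb_list */
		struct block_cb *cb = cb_of(p, list);
		next = p->next;
		list_del(&cb->list);
		if (unlink_driver_list)
			list_del(&cb->driver_list); /* the unlink the fix adds */
		cb->freed = true;
	}
	for (p = driver_list.next; p != &driver_list; p = p->next) /* a later driver-list walk */
		dangling += cb_of(p, driver_list)->freed;
	free(pool);
	return dangling;
}
```

With `unlink_driver_list` false, every entry the unwind released is still reachable from the driver list, which is the state KASAN flags above on the next `flow_block_cb_setup_simple()` call; with it true, the driver list is empty after the unwind.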