root@localhost:~# ================================================================== [1739/1771] BUG: KASAN: use-after-free in _batadv_purge_orig+0x298/0x920 [batman_adv] at addr ffff88000b9ac7c0 Read of size 8 by task kworker/u2:0/6 ============================================================================= BUG kmalloc-192 (Tainted: G O ): kasan: bad access detected ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: Allocated in batadv_neigh_node_new+0x24b/0x780 [batman_adv] age=633 cpu=0 pid=1 ___slab_alloc.constprop.28+0x37c/0x3a0 __slab_alloc.constprop.27+0x40/0x90 kmem_cache_alloc+0x117/0x150 batadv_neigh_node_new+0x24b/0x780 [batman_adv] batadv_v_elp_packet_recv+0x22f/0x3e0 [batman_adv] batadv_batman_skb_recv+0x1e7/0x210 [batman_adv] __netif_receive_skb_core+0x8d9/0xb60 __netif_receive_skb+0x32/0xc0 netif_receive_skb_internal+0x65/0x150 napi_gro_receive+0xa3/0x110 virtnet_receive+0x414/0xe40 virtnet_poll+0x1d/0xa0 net_rx_action+0x3a6/0x500 __do_softirq+0x168/0x2e9 irq_exit+0x90/0xa0 do_IRQ+0x6d/0x130 INFO: Freed in __rcu_process_callbacks+0xaa/0x1f0 age=16 cpu=0 pid=3 __slab_free+0x247/0x3a0 kfree+0x1a2/0x1c0 __rcu_process_callbacks+0xaa/0x1f0 rcu_process_callbacks+0x10/0x20 __do_softirq+0x168/0x2e9 run_ksoftirqd+0x1f/0x60 smpboot_thread_fn+0x1d2/0x2f0 kthread+0x193/0x1b0 ret_from_fork+0x22/0x50 INFO: Slab 0xffffea00002e6b00 objects=8 used=6 fp=0xffff88000b9ac7c0 flags=0x4000000000000080 INFO: Object 0xffff88000b9ac7c0 @offset=1984 fp=0xffff88000b9ac5d0 Bytes b4 ffff88000b9ac7b0: 00 00 00 00 03 00 00 00 03 e5 fe ff 00 00 00 00 ................ Object ffff88000b9ac7c0: d0 c5 9a 0b 00 88 ff ff f0 b1 1a 09 00 88 ff ff ................ Object ffff88000b9ac7d0: 80 c9 8a 0b 00 88 ff ff 00 ad be ef 02 02 00 00 ................ Object ffff88000b9ac7e0: 20 e3 12 0a 00 88 ff ff 01 00 00 00 ad 4e ad de ............N.. Object ffff88000b9ac7f0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................ Object ffff88000b9ac800: 60 43 05 a0 ff ff ff ff 50 6e 81 82 ff ff ff ff `C......Pn...... Object ffff88000b9ac810: 00 00 00 00 00 00 00 00 00 fd 03 a0 ff ff ff ff ................ Object ffff88000b9ac820: 00 00 00 00 00 00 00 00 d3 04 02 a0 ff ff ff ff ................ Object ffff88000b9ac830: f0 59 1f 0c 00 88 ff ff 02 e5 fe ff 00 00 00 00 .Y.............. Object ffff88000b9ac840: d0 c5 9a 0b 00 88 ff ff 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac850: 00 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 ................ Object ffff88000b9ac860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 0 PID: 6 Comm: kworker/u2:0 Tainted: G B O 4.6.0-rc5+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191116- 04/01/2014 Workqueue: bat_events batadv_purge_orig [batman_adv] ffffea00002e6b00 0000000042350634 ffff88000d12fa40 ffffffff81322869 ffff88000d12fa70 ffffffff8116f06d ffff88000d002000 ffffea00002e6b00 ffff88000b9ac7c0 0000000000000000 ffff88000d12fa98 ffffffff81170fdf Call Trace: [] dump_stack+0x19/0x20 [] print_trailer+0x10d/0x1a0 [] object_err+0x2f/0x40 [] kasan_report_error+0x22c/0x550 [] ? mark_held_locks+0x96/0xc0 [] ? __local_bh_enable_ip+0x66/0xb0 [] kasan_report+0x52/0x60 [] ? _batadv_purge_orig+0x298/0x920 [batman_adv] [] __asan_load8+0x5d/0x70 [] _batadv_purge_orig+0x298/0x920 [batman_adv] [] batadv_purge_orig+0x14/0x40 [batman_adv] [] process_one_work+0x3e2/0x7e0 [] ? process_one_work+0x34c/0x7e0 [] ? cancel_delayed_work_sync+0x10/0x10 [] ? check_flags.part.26+0x65/0x280 [] worker_thread+0x85/0x720 [] ? process_one_work+0x7e0/0x7e0 [] kthread+0x193/0x1b0 [] ? kthread_create_on_node+0x340/0x340 [] ? finish_task_switch+0xdc/0x280 [] ret_from_fork+0x22/0x50 [] ? kthread_create_on_node+0x340/0x340 Memory state around the buggy address: ffff88000b9ac680: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88000b9ac700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88000b9ac780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff88000b9ac800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88000b9ac880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== [1651/1771] BUG: KASAN: use-after-free in _batadv_purge_orig+0x2a5/0x920 [batman_adv] at addr ffff88000b9ac838 Read of size 8 by task kworker/u2:0/6 ============================================================================= BUG kmalloc-192 (Tainted: G B O ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in batadv_neigh_node_new+0x24b/0x780 [batman_adv] age=634 cpu=0 pid=1 ___slab_alloc.constprop.28+0x37c/0x3a0 __slab_alloc.constprop.27+0x40/0x90 kmem_cache_alloc+0x117/0x150 batadv_neigh_node_new+0x24b/0x780 [batman_adv] batadv_v_elp_packet_recv+0x22f/0x3e0 [batman_adv] batadv_batman_skb_recv+0x1e7/0x210 [batman_adv] __netif_receive_skb_core+0x8d9/0xb60 __netif_receive_skb+0x32/0xc0 netif_receive_skb_internal+0x65/0x150 napi_gro_receive+0xa3/0x110 virtnet_receive+0x414/0xe40 virtnet_poll+0x1d/0xa0 net_rx_action+0x3a6/0x500 __do_softirq+0x168/0x2e9 irq_exit+0x90/0xa0 do_IRQ+0x6d/0x130 INFO: Freed in __rcu_process_callbacks+0xaa/0x1f0 age=17 cpu=0 pid=3 __slab_free+0x247/0x3a0 kfree+0x1a2/0x1c0 __rcu_process_callbacks+0xaa/0x1f0 rcu_process_callbacks+0x10/0x20 __do_softirq+0x168/0x2e9 run_ksoftirqd+0x1f/0x60 smpboot_thread_fn+0x1d2/0x2f0 kthread+0x193/0x1b0 ret_from_fork+0x22/0x50 INFO: Slab 0xffffea00002e6b00 objects=8 used=6 fp=0xffff88000b9ac7c0 flags=0x4000000000000080 INFO: Object 0xffff88000b9ac7c0 @offset=1984 fp=0xffff88000b9ac5d0 Bytes b4 ffff88000b9ac7b0: 00 00 00 00 03 00 00 00 03 e5 fe ff 00 00 00 00 ................ Object ffff88000b9ac7c0: d0 c5 9a 0b 00 88 ff ff f0 b1 1a 09 00 88 ff ff ................ Object ffff88000b9ac7d0: 80 c9 8a 0b 00 88 ff ff 00 ad be ef 02 02 00 00 ................ Object ffff88000b9ac7e0: 20 e3 12 0a 00 88 ff ff 01 00 00 00 ad 4e ad de ............N.. Object ffff88000b9ac7f0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................ Object ffff88000b9ac800: 60 43 05 a0 ff ff ff ff 50 6e 81 82 ff ff ff ff `C......Pn...... Object ffff88000b9ac810: 00 00 00 00 00 00 00 00 00 fd 03 a0 ff ff ff ff ................ Object ffff88000b9ac820: 00 00 00 00 00 00 00 00 d3 04 02 a0 ff ff ff ff ................ Object ffff88000b9ac830: f0 59 1f 0c 00 88 ff ff 02 e5 fe ff 00 00 00 00 .Y.............. Object ffff88000b9ac840: d0 c5 9a 0b 00 88 ff ff 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac850: 00 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 ................ Object ffff88000b9ac860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 0 PID: 6 Comm: kworker/u2:0 Tainted: G B O 4.6.0-rc5+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191116- 04/01/2014 Workqueue: bat_events batadv_purge_orig [batman_adv] ffffea00002e6b00 0000000042350634 ffff88000d12fa40 ffffffff81322869 ffff88000d12fa70 ffffffff8116f06d ffff88000d002000 ffffea00002e6b00 ffff88000b9ac7c0 0000000000000000 ffff88000d12fa98 ffffffff81170fdf Call Trace: [] dump_stack+0x19/0x20 [] print_trailer+0x10d/0x1a0 [] object_err+0x2f/0x40 [] kasan_report_error+0x22c/0x550 [] kasan_report+0x52/0x60 [1590/1771] [] ? _batadv_purge_orig+0x2a5/0x920 [batman_adv] [] __asan_load8+0x5d/0x70 [] _batadv_purge_orig+0x2a5/0x920 [batman_adv] [] batadv_purge_orig+0x14/0x40 [batman_adv] [] process_one_work+0x3e2/0x7e0 [] ? process_one_work+0x34c/0x7e0 [] ? cancel_delayed_work_sync+0x10/0x10 [] ? check_flags.part.26+0x65/0x280 [] worker_thread+0x85/0x720 [] ? process_one_work+0x7e0/0x7e0 [] kthread+0x193/0x1b0 [] ? kthread_create_on_node+0x340/0x340 [] ? finish_task_switch+0xdc/0x280 [] ret_from_fork+0x22/0x50 [] ? kthread_create_on_node+0x340/0x340 Memory state around the buggy address: ffff88000b9ac700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88000b9ac780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff88000b9ac800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88000b9ac880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88000b9ac900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in _batadv_purge_orig+0x2b2/0x920 [batman_adv] at addr ffff88000b9ac830 Read of size 8 by task kworker/u2:0/6 ============================================================================= BUG kmalloc-192 (Tainted: G B O ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in batadv_neigh_node_new+0x24b/0x780 [batman_adv] age=635 cpu=0 pid=1 ___slab_alloc.constprop.28+0x37c/0x3a0 __slab_alloc.constprop.27+0x40/0x90 kmem_cache_alloc+0x117/0x150 batadv_neigh_node_new+0x24b/0x780 [batman_adv] batadv_v_elp_packet_recv+0x22f/0x3e0 [batman_adv] batadv_batman_skb_recv+0x1e7/0x210 [batman_adv] __netif_receive_skb_core+0x8d9/0xb60 __netif_receive_skb+0x32/0xc0 netif_receive_skb_internal+0x65/0x150 napi_gro_receive+0xa3/0x110 virtnet_receive+0x414/0xe40 virtnet_poll+0x1d/0xa0 net_rx_action+0x3a6/0x500 __do_softirq+0x168/0x2e9 irq_exit+0x90/0xa0 do_IRQ+0x6d/0x130 INFO: Freed in __rcu_process_callbacks+0xaa/0x1f0 age=18 cpu=0 pid=3 __slab_free+0x247/0x3a0 kfree+0x1a2/0x1c0 __rcu_process_callbacks+0xaa/0x1f0 rcu_process_callbacks+0x10/0x20 __do_softirq+0x168/0x2e9 run_ksoftirqd+0x1f/0x60 smpboot_thread_fn+0x1d2/0x2f0 kthread+0x193/0x1b0 ret_from_fork+0x22/0x50 INFO: Slab 0xffffea00002e6b00 objects=8 used=6 fp=0xffff88000b9ac7c0 flags=0x4000000000000080 INFO: Object 0xffff88000b9ac7c0 @offset=1984 fp=0xffff88000b9ac5d0 Bytes b4 ffff88000b9ac7b0: 00 00 00 00 03 00 00 00 03 e5 fe ff 00 00 00 00 ............[1529/1771] Object ffff88000b9ac7c0: d0 c5 9a 0b 00 88 ff ff f0 b1 1a 09 00 88 ff ff ................ Object ffff88000b9ac7d0: 80 c9 8a 0b 00 88 ff ff 00 ad be ef 02 02 00 00 ................ Object ffff88000b9ac7e0: 20 e3 12 0a 00 88 ff ff 01 00 00 00 ad 4e ad de ............N.. Object ffff88000b9ac7f0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................ Object ffff88000b9ac800: 60 43 05 a0 ff ff ff ff 50 6e 81 82 ff ff ff ff `C......Pn...... Object ffff88000b9ac810: 00 00 00 00 00 00 00 00 00 fd 03 a0 ff ff ff ff ................ Object ffff88000b9ac820: 00 00 00 00 00 00 00 00 d3 04 02 a0 ff ff ff ff ................ Object ffff88000b9ac830: f0 59 1f 0c 00 88 ff ff 02 e5 fe ff 00 00 00 00 .Y.............. Object ffff88000b9ac840: d0 c5 9a 0b 00 88 ff ff 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac850: 00 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 ................ Object ffff88000b9ac860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 0 PID: 6 Comm: kworker/u2:0 Tainted: G B O 4.6.0-rc5+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191116- 04/01/2014 Workqueue: bat_events batadv_purge_orig [batman_adv] ffffea00002e6b00 0000000042350634 ffff88000d12fa40 ffffffff81322869 ffff88000d12fa70 ffffffff8116f06d ffff88000d002000 ffffea00002e6b00 ffff88000b9ac7c0 0000000000000000 ffff88000d12fa98 ffffffff81170fdf Call Trace: [] dump_stack+0x19/0x20 [] print_trailer+0x10d/0x1a0 [] object_err+0x2f/0x40 [] kasan_report_error+0x22c/0x550 [] kasan_report+0x52/0x60 [] ? _batadv_purge_orig+0x2b2/0x920 [batman_adv] [] __asan_load8+0x5d/0x70 [] _batadv_purge_orig+0x2b2/0x920 [batman_adv] [] batadv_purge_orig+0x14/0x40 [batman_adv] [] process_one_work+0x3e2/0x7e0 [] ? process_one_work+0x34c/0x7e0 [] ? cancel_delayed_work_sync+0x10/0x10 [] ? check_flags.part.26+0x65/0x280 [] worker_thread+0x85/0x720 [] ? process_one_work+0x7e0/0x7e0 [] kthread+0x193/0x1b0 [] ? kthread_create_on_node+0x340/0x340 [] ? finish_task_switch+0xdc/0x280 [] ret_from_fork+0x22/0x50 [] ? kthread_create_on_node+0x340/0x340 Memory state around the buggy address: ffff88000b9ac700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88000b9ac780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff88000b9ac800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88000b9ac880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88000b9ac900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in do_raw_spin_trylock+0x11/0x80 at addr ffff88000b9ac7e8 Read of size 4 by task kworker/u2:0/6 ============================================================================= BUG kmalloc-192 (Tainted: G B O ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in batadv_neigh_node_new+0x24b/0x780 [batman_adv] age=636 cpu=0 pid=1 ___slab_alloc.constprop.28+0x37c/0x3a0 __slab_alloc.constprop.27+0x40/0x90 kmem_cache_alloc+0x117/0x150 batadv_neigh_node_new+0x24b/0x780 [batman_adv] batadv_v_elp_packet_recv+0x22f/0x3e0 [batman_adv] batadv_batman_skb_recv+0x1e7/0x210 [batman_adv] [1468/1771] __netif_receive_skb_core+0x8d9/0xb60 __netif_receive_skb+0x32/0xc0 netif_receive_skb_internal+0x65/0x150 napi_gro_receive+0xa3/0x110 virtnet_receive+0x414/0xe40 virtnet_poll+0x1d/0xa0 net_rx_action+0x3a6/0x500 __do_softirq+0x168/0x2e9 irq_exit+0x90/0xa0 do_IRQ+0x6d/0x130 INFO: Freed in __rcu_process_callbacks+0xaa/0x1f0 age=19 cpu=0 pid=3 __slab_free+0x247/0x3a0 kfree+0x1a2/0x1c0 __rcu_process_callbacks+0xaa/0x1f0 rcu_process_callbacks+0x10/0x20 __do_softirq+0x168/0x2e9 run_ksoftirqd+0x1f/0x60 smpboot_thread_fn+0x1d2/0x2f0 kthread+0x193/0x1b0 ret_from_fork+0x22/0x50 INFO: Slab 0xffffea00002e6b00 objects=8 used=6 fp=0xffff88000b9ac7c0 flags=0x4000000000000080 INFO: Object 0xffff88000b9ac7c0 @offset=1984 fp=0xffff88000b9ac5d0 Bytes b4 ffff88000b9ac7b0: 00 00 00 00 03 00 00 00 03 e5 fe ff 00 00 00 00 ................ Object ffff88000b9ac7c0: d0 c5 9a 0b 00 88 ff ff f0 b1 1a 09 00 88 ff ff ................ Object ffff88000b9ac7d0: 80 c9 8a 0b 00 88 ff ff 00 ad be ef 02 02 00 00 ................ Object ffff88000b9ac7e0: 20 e3 12 0a 00 88 ff ff 01 00 00 00 ad 4e ad de ............N.. Object ffff88000b9ac7f0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................ Object ffff88000b9ac800: 60 43 05 a0 ff ff ff ff 50 6e 81 82 ff ff ff ff `C......Pn...... Object ffff88000b9ac810: 00 00 00 00 00 00 00 00 00 fd 03 a0 ff ff ff ff ................ Object ffff88000b9ac820: 00 00 00 00 00 00 00 00 d3 04 02 a0 ff ff ff ff ................ Object ffff88000b9ac830: f0 59 1f 0c 00 88 ff ff 02 e5 fe ff 00 00 00 00 .Y.............. Object ffff88000b9ac840: d0 c5 9a 0b 00 88 ff ff 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac850: 00 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 ................ Object ffff88000b9ac860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 0 PID: 6 Comm: kworker/u2:0 Tainted: G B O 4.6.0-rc5+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191116- 04/01/2014 Workqueue: bat_events batadv_purge_orig [batman_adv] ffffea00002e6b00 0000000042350634 ffff88000d12f9f0 ffffffff81322869 ffff88000d12fa20 ffffffff8116f06d ffff88000d002000 ffffea00002e6b00 ffff88000b9ac7c0 0000000000000000 ffff88000d12fa48 ffffffff81170fdf Call Trace: [] dump_stack+0x19/0x20 [] print_trailer+0x10d/0x1a0 [] object_err+0x2f/0x40 [] kasan_report_error+0x22c/0x550 [] ? _raw_spin_unlock_irqrestore+0x36/0x60 [] kasan_report+0x52/0x60 [] ? do_raw_spin_trylock+0x11/0x80 [] __asan_load4+0x60/0x70 [] do_raw_spin_trylock+0x11/0x80 [] _raw_spin_lock_bh+0x48/0x80 [] ? _batadv_purge_orig+0x2fc/0x920 [batman_adv] [] _batadv_purge_orig+0x2fc/0x920 [batman_adv] [] batadv_purge_orig+0x14/0x40 [batman_adv] [] process_one_work+0x3e2/0x7e0 [] ? process_one_work+0x34c/0x7e0 [] ? cancel_delayed_work_sync+0x10/0x10 [] ? check_flags.part.26+0x65/0x280 [] worker_thread+0x85/0x720 [1407/1771] [] ? process_one_work+0x7e0/0x7e0 [] kthread+0x193/0x1b0 [] ? kthread_create_on_node+0x340/0x340 [] ? finish_task_switch+0xdc/0x280 [] ret_from_fork+0x22/0x50 [] ? kthread_create_on_node+0x340/0x340 Memory state around the buggy address: ffff88000b9ac680: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88000b9ac700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88000b9ac780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff88000b9ac800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88000b9ac880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in do_raw_spin_trylock+0x1c/0x80 at addr ffff88000b9ac7e8 Write of size 4 by task kworker/u2:0/6 ============================================================================= BUG kmalloc-192 (Tainted: G B O ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in batadv_neigh_node_new+0x24b/0x780 [batman_adv] age=637 cpu=0 pid=1 ___slab_alloc.constprop.28+0x37c/0x3a0 __slab_alloc.constprop.27+0x40/0x90 kmem_cache_alloc+0x117/0x150 batadv_neigh_node_new+0x24b/0x780 [batman_adv] batadv_v_elp_packet_recv+0x22f/0x3e0 [batman_adv] batadv_batman_skb_recv+0x1e7/0x210 [batman_adv] __netif_receive_skb_core+0x8d9/0xb60 __netif_receive_skb+0x32/0xc0 netif_receive_skb_internal+0x65/0x150 napi_gro_receive+0xa3/0x110 virtnet_receive+0x414/0xe40 virtnet_poll+0x1d/0xa0 net_rx_action+0x3a6/0x500 __do_softirq+0x168/0x2e9 irq_exit+0x90/0xa0 do_IRQ+0x6d/0x130 INFO: Freed in __rcu_process_callbacks+0xaa/0x1f0 age=20 cpu=0 pid=3 __slab_free+0x247/0x3a0 kfree+0x1a2/0x1c0 __rcu_process_callbacks+0xaa/0x1f0 rcu_process_callbacks+0x10/0x20 __do_softirq+0x168/0x2e9 run_ksoftirqd+0x1f/0x60 smpboot_thread_fn+0x1d2/0x2f0 kthread+0x193/0x1b0 ret_from_fork+0x22/0x50 INFO: Slab 0xffffea00002e6b00 objects=8 used=6 fp=0xffff88000b9ac7c0 flags=0x4000000000000080 INFO: Object 0xffff88000b9ac7c0 @offset=1984 fp=0xffff88000b9ac5d0 Bytes b4 ffff88000b9ac7b0: 00 00 00 00 03 00 00 00 03 e5 fe ff 00 00 00 00 ................ Object ffff88000b9ac7c0: d0 c5 9a 0b 00 88 ff ff f0 b1 1a 09 00 88 ff ff ................ Object ffff88000b9ac7d0: 80 c9 8a 0b 00 88 ff ff 00 ad be ef 02 02 00 00 ................ Object ffff88000b9ac7e0: 20 e3 12 0a 00 88 ff ff 01 00 00 00 ad 4e ad de ............N.. Object ffff88000b9ac7f0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................ Object ffff88000b9ac800: 60 43 05 a0 ff ff ff ff 50 6e 81 82 ff ff ff ff `C......Pn...... Object ffff88000b9ac810: 00 00 00 00 00 00 00 00 00 fd 03 a0 ff ff ff ff ................ Object ffff88000b9ac820: 00 00 00 00 00 00 00 00 d3 04 02 a0 ff ff ff ff ................ Object ffff88000b9ac830: f0 59 1f 0c 00 88 ff ff 02 e5 fe ff 00 00 00 00 .Y.............. Object ffff88000b9ac840: d0 c5 9a 0b 00 88 ff ff 00 00 00 00 00 00 00 00 ..............[1346/1771] Object ffff88000b9ac850: 00 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 ................ Object ffff88000b9ac860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 0 PID: 6 Comm: kworker/u2:0 Tainted: G B O 4.6.0-rc5+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191116- 04/01/2014 Workqueue: bat_events batadv_purge_orig [batman_adv] ffffea00002e6b00 0000000042350634 ffff88000d12f9f0 ffffffff81322869 ffff88000d12fa20 ffffffff8116f06d ffff88000d002000 ffffea00002e6b00 ffff88000b9ac7c0 0000000000000000 ffff88000d12fa48 ffffffff81170fdf Call Trace: [] dump_stack+0x19/0x20 [] print_trailer+0x10d/0x1a0 [] object_err+0x2f/0x40 [] kasan_report_error+0x22c/0x550 [] kasan_report+0x52/0x60 [] ? do_raw_spin_trylock+0x1c/0x80 [] __asan_store4+0x63/0x80 [] do_raw_spin_trylock+0x1c/0x80 [] _raw_spin_lock_bh+0x48/0x80 [] ? _batadv_purge_orig+0x2fc/0x920 [batman_adv] [] _batadv_purge_orig+0x2fc/0x920 [batman_adv] [] batadv_purge_orig+0x14/0x40 [batman_adv] [] process_one_work+0x3e2/0x7e0 [] ? process_one_work+0x34c/0x7e0 [] ? cancel_delayed_work_sync+0x10/0x10 [] ? check_flags.part.26+0x65/0x280 [] worker_thread+0x85/0x720 [] ? process_one_work+0x7e0/0x7e0 [] kthread+0x193/0x1b0 [] ? kthread_create_on_node+0x340/0x340 [] ? finish_task_switch+0xdc/0x280 [] ret_from_fork+0x22/0x50 [] ? kthread_create_on_node+0x340/0x340 Memory state around the buggy address: ffff88000b9ac680: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88000b9ac700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88000b9ac780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff88000b9ac800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88000b9ac880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in do_raw_spin_trylock+0x3f/0x80 at addr ffff88000b9ac7f0 Write of size 4 by task kworker/u2:0/6 ============================================================================= BUG kmalloc-192 (Tainted: G B O ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in batadv_neigh_node_new+0x24b/0x780 [batman_adv] age=638 cpu=0 pid=1 ___slab_alloc.constprop.28+0x37c/0x3a0 __slab_alloc.constprop.27+0x40/0x90 kmem_cache_alloc+0x117/0x150 batadv_neigh_node_new+0x24b/0x780 [batman_adv] batadv_v_elp_packet_recv+0x22f/0x3e0 [batman_adv] batadv_batman_skb_recv+0x1e7/0x210 [batman_adv] __netif_receive_skb_core+0x8d9/0xb60 __netif_receive_skb+0x32/0xc0 netif_receive_skb_internal+0x65/0x150 napi_gro_receive+0xa3/0x110 virtnet_receive+0x414/0xe40 virtnet_poll+0x1d/0xa0 [1285/1771] net_rx_action+0x3a6/0x500 __do_softirq+0x168/0x2e9 irq_exit+0x90/0xa0 do_IRQ+0x6d/0x130 INFO: Freed in __rcu_process_callbacks+0xaa/0x1f0 age=21 cpu=0 pid=3 __slab_free+0x247/0x3a0 kfree+0x1a2/0x1c0 __rcu_process_callbacks+0xaa/0x1f0 rcu_process_callbacks+0x10/0x20 __do_softirq+0x168/0x2e9 run_ksoftirqd+0x1f/0x60 smpboot_thread_fn+0x1d2/0x2f0 kthread+0x193/0x1b0 ret_from_fork+0x22/0x50 INFO: Slab 0xffffea00002e6b00 objects=8 used=6 fp=0xffff88000b9ac7c0 flags=0x4000000000000080 INFO: Object 0xffff88000b9ac7c0 @offset=1984 fp=0xffff88000b9ac5d0 Bytes b4 ffff88000b9ac7b0: 00 00 00 00 03 00 00 00 03 e5 fe ff 00 00 00 00 ................ Object ffff88000b9ac7c0: d0 c5 9a 0b 00 88 ff ff f0 b1 1a 09 00 88 ff ff ................ Object ffff88000b9ac7d0: 80 c9 8a 0b 00 88 ff ff 00 ad be ef 02 02 00 00 ................ Object ffff88000b9ac7e0: 20 e3 12 0a 00 88 ff ff 00 00 00 00 ad 4e ad de ............N.. Object ffff88000b9ac7f0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................ Object ffff88000b9ac800: 60 43 05 a0 ff ff ff ff 50 6e 81 82 ff ff ff ff `C......Pn...... Object ffff88000b9ac810: 00 00 00 00 00 00 00 00 00 fd 03 a0 ff ff ff ff ................ Object ffff88000b9ac820: 00 00 00 00 00 00 00 00 d3 04 02 a0 ff ff ff ff ................ Object ffff88000b9ac830: f0 59 1f 0c 00 88 ff ff 02 e5 fe ff 00 00 00 00 .Y.............. Object ffff88000b9ac840: d0 c5 9a 0b 00 88 ff ff 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac850: 00 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 ................ Object ffff88000b9ac860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 0 PID: 6 Comm: kworker/u2:0 Tainted: G B O 4.6.0-rc5+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191116- 04/01/2014 Workqueue: bat_events batadv_purge_orig [batman_adv] ffffea00002e6b00 0000000042350634 ffff88000d12f9f0 ffffffff81322869 ffff88000d12fa20 ffffffff8116f06d ffff88000d002000 ffffea00002e6b00 ffff88000b9ac7c0 0000000000000000 ffff88000d12fa48 ffffffff81170fdf Call Trace: [] dump_stack+0x19/0x20 [] print_trailer+0x10d/0x1a0 [] object_err+0x2f/0x40 [] kasan_report_error+0x22c/0x550 [] kasan_report+0x52/0x60 [] ? do_raw_spin_trylock+0x3f/0x80 [] __asan_store4+0x63/0x80 [] do_raw_spin_trylock+0x3f/0x80 [] _raw_spin_lock_bh+0x48/0x80 [] ? _batadv_purge_orig+0x2fc/0x920 [batman_adv] [] _batadv_purge_orig+0x2fc/0x920 [batman_adv] [] batadv_purge_orig+0x14/0x40 [batman_adv] [] process_one_work+0x3e2/0x7e0 [] ? process_one_work+0x34c/0x7e0 [] ? cancel_delayed_work_sync+0x10/0x10 [] ? check_flags.part.26+0x65/0x280 [] worker_thread+0x85/0x720 [] ? process_one_work+0x7e0/0x7e0 [] kthread+0x193/0x1b0 [] ? kthread_create_on_node+0x340/0x340 [] ? finish_task_switch+0xdc/0x280 [] ret_from_fork+0x22/0x50 [] ? kthread_create_on_node+0x340/0x340 Memory state around the buggy address: [1224/1771] ffff88000b9ac680: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88000b9ac700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88000b9ac780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff88000b9ac800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88000b9ac880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in do_raw_spin_trylock+0x4f/0x80 at addr ffff88000b9ac7f8 Write of size 8 by task kworker/u2:0/6 ============================================================================= BUG kmalloc-192 (Tainted: G B O ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in batadv_neigh_node_new+0x24b/0x780 [batman_adv] age=639 cpu=0 pid=1 ___slab_alloc.constprop.28+0x37c/0x3a0 __slab_alloc.constprop.27+0x40/0x90 kmem_cache_alloc+0x117/0x150 batadv_neigh_node_new+0x24b/0x780 [batman_adv] batadv_v_elp_packet_recv+0x22f/0x3e0 [batman_adv] batadv_batman_skb_recv+0x1e7/0x210 [batman_adv] __netif_receive_skb_core+0x8d9/0xb60 __netif_receive_skb+0x32/0xc0 netif_receive_skb_internal+0x65/0x150 napi_gro_receive+0xa3/0x110 virtnet_receive+0x414/0xe40 virtnet_poll+0x1d/0xa0 net_rx_action+0x3a6/0x500 __do_softirq+0x168/0x2e9 irq_exit+0x90/0xa0 do_IRQ+0x6d/0x130 INFO: Freed in __rcu_process_callbacks+0xaa/0x1f0 age=22 cpu=0 pid=3 __slab_free+0x247/0x3a0 kfree+0x1a2/0x1c0 __rcu_process_callbacks+0xaa/0x1f0 rcu_process_callbacks+0x10/0x20 __do_softirq+0x168/0x2e9 run_ksoftirqd+0x1f/0x60 smpboot_thread_fn+0x1d2/0x2f0 kthread+0x193/0x1b0 ret_from_fork+0x22/0x50 INFO: Slab 0xffffea00002e6b00 objects=8 used=6 fp=0xffff88000b9ac7c0 flags=0x4000000000000080 INFO: Object 0xffff88000b9ac7c0 @offset=1984 fp=0xffff88000b9ac5d0 Bytes b4 ffff88000b9ac7b0: 00 00 00 00 03 00 00 00 03 e5 fe ff 00 00 00 00 ................ Object ffff88000b9ac7c0: d0 c5 9a 0b 00 88 ff ff f0 b1 1a 09 00 88 ff ff ................ Object ffff88000b9ac7d0: 80 c9 8a 0b 00 88 ff ff 00 ad be ef 02 02 00 00 ................ Object ffff88000b9ac7e0: 20 e3 12 0a 00 88 ff ff 00 00 00 00 ad 4e ad de ............N.. Object ffff88000b9ac7f0: 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ................ Object ffff88000b9ac800: 60 43 05 a0 ff ff ff ff 50 6e 81 82 ff ff ff ff `C......Pn...... Object ffff88000b9ac810: 00 00 00 00 00 00 00 00 00 fd 03 a0 ff ff ff ff ................ Object ffff88000b9ac820: 00 00 00 00 00 00 00 00 d3 04 02 a0 ff ff ff ff ................ Object ffff88000b9ac830: f0 59 1f 0c 00 88 ff ff 02 e5 fe ff 00 00 00 00 .Y.............. Object ffff88000b9ac840: d0 c5 9a 0b 00 88 ff ff 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac850: 00 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 ................ Object ffff88000b9ac860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 0 PID: 6 Comm: kworker/u2:0 Tainted: G B O 4.6.0-rc5+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191116- 04/01/2014 Workqueue: bat_events batadv_purge_orig [batman_adv] ffffea00002e6b00 0000000042350634 ffff88000d12f9f0 ffffffff81322869 [1163/1771] ffff88000d12fa20 ffffffff8116f06d ffff88000d002000 ffffea00002e6b00 ffff88000b9ac7c0 0000000000000000 ffff88000d12fa48 ffffffff81170fdf Call Trace: [] dump_stack+0x19/0x20 [] print_trailer+0x10d/0x1a0 [] object_err+0x2f/0x40 [] kasan_report_error+0x22c/0x550 [] kasan_report+0x52/0x60 [] ? do_raw_spin_trylock+0x4f/0x80 [] __asan_store8+0x60/0x70 [] do_raw_spin_trylock+0x4f/0x80 [] _raw_spin_lock_bh+0x48/0x80 [] ? _batadv_purge_orig+0x2fc/0x920 [batman_adv] [] _batadv_purge_orig+0x2fc/0x920 [batman_adv] [] batadv_purge_orig+0x14/0x40 [batman_adv] [] process_one_work+0x3e2/0x7e0 [] ? process_one_work+0x34c/0x7e0 [] ? cancel_delayed_work_sync+0x10/0x10 [] ? check_flags.part.26+0x65/0x280 [] worker_thread+0x85/0x720 [] ? process_one_work+0x7e0/0x7e0 [] kthread+0x193/0x1b0 [] ? kthread_create_on_node+0x340/0x340 [] ? finish_task_switch+0xdc/0x280 [] ret_from_fork+0x22/0x50 [] ? kthread_create_on_node+0x340/0x340 Memory state around the buggy address: ffff88000b9ac680: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88000b9ac700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88000b9ac780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff88000b9ac800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88000b9ac880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in _batadv_purge_orig+0x305/0x920 [batman_adv] at addr ffff88000b9ac7e0 Read of size 8 by task kworker/u2:0/6 ============================================================================= BUG kmalloc-192 (Tainted: G B O ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in batadv_neigh_node_new+0x24b/0x780 [batman_adv] age=640 cpu=0 pid=1 ___slab_alloc.constprop.28+0x37c/0x3a0 __slab_alloc.constprop.27+0x40/0x90 kmem_cache_alloc+0x117/0x150 batadv_neigh_node_new+0x24b/0x780 [batman_adv] batadv_v_elp_packet_recv+0x22f/0x3e0 [batman_adv] batadv_batman_skb_recv+0x1e7/0x210 [batman_adv] __netif_receive_skb_core+0x8d9/0xb60 __netif_receive_skb+0x32/0xc0 netif_receive_skb_internal+0x65/0x150 napi_gro_receive+0xa3/0x110 virtnet_receive+0x414/0xe40 virtnet_poll+0x1d/0xa0 net_rx_action+0x3a6/0x500 __do_softirq+0x168/0x2e9 irq_exit+0x90/0xa0 do_IRQ+0x6d/0x130 INFO: Freed in __rcu_process_callbacks+0xaa/0x1f0 age=23 cpu=0 pid=3 __slab_free+0x247/0x3a0 kfree+0x1a2/0x1c0 [1102/1771] __rcu_process_callbacks+0xaa/0x1f0 rcu_process_callbacks+0x10/0x20 __do_softirq+0x168/0x2e9 run_ksoftirqd+0x1f/0x60 smpboot_thread_fn+0x1d2/0x2f0 kthread+0x193/0x1b0 ret_from_fork+0x22/0x50 INFO: Slab 0xffffea00002e6b00 objects=8 used=6 fp=0xffff88000b9ac7c0 flags=0x4000000000000080 INFO: Object 0xffff88000b9ac7c0 @offset=1984 fp=0xffff88000b9ac5d0 Bytes b4 ffff88000b9ac7b0: 00 00 00 00 03 00 00 00 03 e5 fe ff 00 00 00 00 ................ Object ffff88000b9ac7c0: d0 c5 9a 0b 00 88 ff ff f0 b1 1a 09 00 88 ff ff ................ Object ffff88000b9ac7d0: 80 c9 8a 0b 00 88 ff ff 00 ad be ef 02 02 00 00 ................ Object ffff88000b9ac7e0: 20 e3 12 0a 00 88 ff ff 00 00 00 00 ad 4e ad de ............N.. Object ffff88000b9ac7f0: 00 00 00 00 00 00 00 00 00 00 12 0d 00 88 ff ff ................ Object ffff88000b9ac800: 60 43 05 a0 ff ff ff ff 50 6e 81 82 ff ff ff ff `C......Pn...... Object ffff88000b9ac810: 00 00 00 00 00 00 00 00 00 fd 03 a0 ff ff ff ff ................ Object ffff88000b9ac820: 00 00 00 00 00 00 00 00 d3 04 02 a0 ff ff ff ff ................ Object ffff88000b9ac830: f0 59 1f 0c 00 88 ff ff 02 e5 fe ff 00 00 00 00 .Y.............. Object ffff88000b9ac840: d0 c5 9a 0b 00 88 ff ff 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac850: 00 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 ................ Object ffff88000b9ac860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff88000b9ac870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 0 PID: 6 Comm: kworker/u2:0 Tainted: G B O 4.6.0-rc5+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191116- 04/01/2014 Workqueue: bat_events batadv_purge_orig [batman_adv] ffffea00002e6b00 0000000042350634 ffff88000d12fa40 ffffffff81322869 ffff88000d12fa70 ffffffff8116f06d ffff88000d002000 ffffea00002e6b00 ffff88000b9ac7c0 0000000000000000 ffff88000d12fa98 ffffffff81170fdf Call Trace: [] dump_stack+0x19/0x20 [] print_trailer+0x10d/0x1a0 [] object_err+0x2f/0x40 [] kasan_report_error+0x22c/0x550 [] ? kasan_report+0x52/0x60 [] kasan_report+0x52/0x60 [] ? _batadv_purge_orig+0x305/0x920 [batman_adv] [] __asan_load8+0x5d/0x70 [] _batadv_purge_orig+0x305/0x920 [batman_adv] [] batadv_purge_orig+0x14/0x40 [batman_adv] [] process_one_work+0x3e2/0x7e0 [] ? process_one_work+0x34c/0x7e0 [] ? cancel_delayed_work_sync+0x10/0x10 [] ? check_flags.part.26+0x65/0x280 [] worker_thread+0x85/0x720 [] ? process_one_work+0x7e0/0x7e0 [] kthread+0x193/0x1b0 [] ? kthread_create_on_node+0x340/0x340 [] ? finish_task_switch+0xdc/0x280 [] ret_from_fork+0x22/0x50 [] ? kthread_create_on_node+0x340/0x340 Memory state around the buggy address: ffff88000b9ac680: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88000b9ac700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88000b9ac780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff88000b9ac800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88000b9ac880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================