Object 0x00000000640d33cb @offset=384
Object 0x0000000050bdc312 @offset=576
Slab 0x00000000e04f3eb3 objects=21 used=4 fp=0x00000000f1d8fe07 flags=0x100000000000200(workingset|node=0|zone=1)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3875 at mm/slub.c:1249 __slab_err+0x34/0x40 mm/slub.c:1249
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__slab_err+0x34/0x40 mm/slub.c:1249
Code: f9 48 89 fe 4c 8b 47 20 48 c7 c7 80 6b cb a3 81 e2 ff 7f 00 00 e8 3c 5f b3 ff be 01 00 00 00 bf 05 00 00 00 e8 ed d1 9b ff 90 <0f> 0b 90 e9 f4 a7 d9 02 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9001583fda8 EFLAGS: 00010082
RAX: 0000000000011460 RBX: ffff88800469f980 RCX: ffffffff819d8c23
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000007
RBP: ffff888003b80000 R08: 0000000000000001 R09: fffffbfff4b26c28
R10: 0000000000000000 R11: 3078302062616c53 R12: ffff8880019013c0
R13: ffff88800469f980 R14: ffff888003b80fc0 R15: ffff88800469f980
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd313bee6f4 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
list_slab_objects mm/slub.c:7936 [inline]
free_partial mm/slub.c:7957 [inline]
__kmem_cache_shutdown+0x20f/0x300 mm/slub.c:7995
kmem_cache_destroy mm/slab_common.c:529 [inline]
kmem_cache_destroy+0x60/0x190 mm/slab_common.c:487
exit_nfsd+0x58/0xe10 fs/nfsd/trace.c:91 [nfsd]
__do_sys_delete_module+0x343/0x510 kernel/module/main.c:835
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kmem_cache_destroy nfsd_cacherep: Slab cache still has objects when called from exit_nfsd+0x58/0xe10 fs/nfsd/trace.c:91 [nfsd]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy mm/slab_common.c:531 [inline]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy+0x135/0x190 mm/slab_common.c:487
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:kmem_cache_destroy mm/slab_common.c:531 [inline]
RIP: 0010:kmem_cache_destroy+0x135/0x190 mm/slab_common.c:487
Code: e8 02 48 89 df e8 cb 3e 0f 00 eb 90 90 48 8b 53 68 48 8b 4c 24 08 48 c7 c6 a0 22 2e a3 48 c7 c7 78 45 cb a3 e8 5c 24 aa ff 90 <0f> 0b 90 90 48 8b 53 70 48 8b 43 78 48 c7 c7 20 02 09 a4 48 89 42
RSP: 0018:ffffc9001583fe08 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8880019013c0 RCX: ffffffff81394b84
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000001
RBP: 1ffff92002b07fc4 R08: 0000000000000001 R09: ffffed100da047d9
R10: 0000000000000001 R11: 000000002d2d2d2d R12: ffffffffc06419c0
R13: ffffffffc0641e48 R14: ffff88800a5caf00 R15: 0000000000000000
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd313bee6f4 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
exit_nfsd+0x58/0xe10 fs/nfsd/trace.c:91 [nfsd]
__do_sys_delete_module+0x343/0x510 kernel/module/main.c:835
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: slab-use-after-free in nfsd_inet6addr_event+0x39f/0x430 fs/nfsd/nfssvc.c:489 [nfsd]
Read of size 8 at addr ffff888004e3c180 by task kworker/u4:1/25
CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xd0/0x610 mm/kasan/report.c:482
kasan_report+0xce/0x100 mm/kasan/report.c:595
nfsd_inet6addr_event+0x39f/0x430 fs/nfsd/nfssvc.c:489 [nfsd]
notifier_call_chain+0x101/0x2f0 kernel/notifier.c:85
atomic_notifier_call_chain+0x32/0x50 kernel/notifier.c:223
addrconf_ifdown.isra.0+0xd44/0x1700 net/ipv6/addrconf.c:3978
addrconf_notify+0x362/0x1730 net/ipv6/addrconf.c:3776
notifier_call_chain+0x101/0x2f0 kernel/notifier.c:85
call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:2229
call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
call_netdevice_notifiers net/core/dev.c:2281 [inline]
netif_close_many+0x27f/0x4b0 net/core/dev.c:1784
unregister_netdevice_many_notify+0x59c/0x1e30 net/core/dev.c:12224
ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
ops_undo_list+0x65a/0x810 net/core/net_namespace.c:248
cleanup_net+0x378/0x670 net/core/net_namespace.c:695
process_one_work+0x66c/0x10c0 kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x91a/0x1230 kernel/workqueue.c:3427
kthread+0x365/0x700 kernel/kthread.c:463
ret_from_fork+0x17e/0x260 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Allocated by task 288 on cpu 0 at 23.285783s:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x17/0x60 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:417
kasan_kmalloc include/linux/kasan.h:262 [inline]
__do_kmalloc_node mm/slub.c:5603 [inline]
__kmalloc_noprof+0x1a8/0x5b0 mm/slub.c:5615
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
ops_init+0x77/0x460 net/core/net_namespace.c:127
setup_net+0x100/0x310 net/core/net_namespace.c:445
copy_net_ns+0x31b/0x420 net/core/net_namespace.c:580
create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc7/0x170 kernel/nsproxy.c:218
ksys_unshare+0x3fb/0x980 kernel/fork.c:3129
__do_sys_unshare kernel/fork.c:3200 [inline]
__se_sys_unshare kernel/fork.c:3198 [inline]
__x64_sys_unshare+0x31/0x40 kernel/fork.c:3198
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 3875 on cpu 0 at 48.578264s:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x17/0x60 mm/kasan/common.c:77
__kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x43/0x70 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2514 [inline]
slab_free mm/slub.c:6566 [inline]
kfree+0x1a8/0x420 mm/slub.c:6773
ops_free_list net/core/net_namespace.c:215 [inline]
ops_undo_list+0x48f/0x810 net/core/net_namespace.c:256
ops_undo_single net/core/net_namespace.c:265 [inline]
__unregister_pernet_operations net/core/net_namespace.c:1339 [inline]
unregister_pernet_operations+0x1ca/0x3d0 net/core/net_namespace.c:1403
unregister_pernet_subsys+0x21/0x30 net/core/net_namespace.c:1450
exit_nfsd+0x53/0xe10 fs/nfsd/trace.c:91 [nfsd]
__do_sys_delete_module+0x343/0x510 kernel/module/main.c:835
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888004e3c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 384 bytes inside of
freed 8192-byte region [ffff888004e3c000, ffff888004e3e000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4e38
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000040 ffff888001042280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 0100000000000040 ffff888001042280 dead000000000122 0000000000000000
head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 0100000000000003 ffffea0000138e01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888004e3c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888004e3c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888004e3c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888004e3c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888004e3c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
=============================================================================
BUG nfs4_client (Tainted: G R B W ): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------
Object 0x00000000a598313c @offset=0
Slab 0x0000000077f165de objects=11 used=1 fp=0x00000000d4be4177 flags=0x100000000000240(workingset|head|node=0|zone=1)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3875 at mm/slub.c:1249 __slab_err+0x34/0x40 mm/slub.c:1249
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__slab_err+0x34/0x40 mm/slub.c:1249
Code: f9 48 89 fe 4c 8b 47 20 48 c7 c7 80 6b cb a3 81 e2 ff 7f 00 00 e8 3c 5f b3 ff be 01 00 00 00 bf 05 00 00 00 e8 ed d1 9b ff 90 <0f> 0b 90 e9 f4 a7 d9 02 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9001583fda0 EFLAGS: 00010082
RAX: 0000000000079ea8 RBX: ffff88800469f600 RCX: ffffffff819d8c23
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000007
RBP: ffff88801d1c4000 R08: 0000000000000001 R09: fffffbfff4b26c28
R10: 0000000000000000 R11: 3078302062616c53 R12: ffff8880046aca00
R13: ffff88800469f600 R14: ffff88801d1c7ee8 R15: ffff88800469f600
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
list_slab_objects mm/slub.c:7936 [inline]
free_partial mm/slub.c:7957 [inline]
__kmem_cache_shutdown+0x20f/0x300 mm/slub.c:7995
kmem_cache_destroy mm/slab_common.c:529 [inline]
kmem_cache_destroy+0x60/0x190 mm/slab_common.c:487
nfsd4_free_slabs+0x15/0x60 fs/nfsd/nfs4state.c:4808 [nfsd]
exit_nfsd+0x62/0xe10 fs/nfsd/trace.c:91 [nfsd]
__do_sys_delete_module+0x343/0x510 kernel/module/main.c:835
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kmem_cache_destroy nfs4_client: Slab cache still has objects when called from nfsd4_free_slabs+0x15/0x60 fs/nfsd/nfs4state.c:4808 [nfsd]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy mm/slab_common.c:531 [inline]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy+0x135/0x190 mm/slab_common.c:487
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:kmem_cache_destroy mm/slab_common.c:531 [inline]
RIP: 0010:kmem_cache_destroy+0x135/0x190 mm/slab_common.c:487
Code: e8 02 48 89 df e8 cb 3e 0f 00 eb 90 90 48 8b 53 68 48 8b 4c 24 08 48 c7 c6 a0 22 2e a3 48 c7 c7 78 45 cb a3 e8 5c 24 aa ff 90 <0f> 0b 90 90 48 8b 53 70 48 8b 43 78 48 c7 c7 20 02 09 a4 48 89 42
RSP: 0018:ffffc9001583fe00 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880046aca00 RCX: ffffffff9fd94b84
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000001
RBP: 1ffff92002b07fc4 R08: 0000000000000001 R09: fffff52002b07f7a
R10: 0000000000000001 R11: 000000002d2d2d2d R12: ffffffffc06419c0
R13: ffffffffc0641e48 R14: ffff88800a5caf00 R15: 0000000000000000
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
nfsd4_free_slabs+0x15/0x60 fs/nfsd/nfs4state.c:4808 [nfsd]
exit_nfsd+0x62/0xe10 fs/nfsd/trace.c:91 [nfsd]
__do_sys_delete_module+0x343/0x510 kernel/module/main.c:835
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
BUG: unable to handle page fault for address: fffffbfff80c58d9
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6dfcc067 P4D 6dfcc067 PUD 6dfc8067 PMD 42f8067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:notifier_call_chain+0xc4/0x2f0 kernel/notifier.c:75
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
atomic_notifier_call_chain+0x32/0x50 kernel/notifier.c:223
addrconf_ifdown.isra.0+0xd44/0x1700 net/ipv6/addrconf.c:3978
addrconf_notify+0x362/0x1730 net/ipv6/addrconf.c:3776
notifier_call_chain+0x101/0x2f0 kernel/notifier.c:85
call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:2229
call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
call_netdevice_notifiers net/core/dev.c:2281 [inline]
netif_close_many+0x27f/0x4b0 net/core/dev.c:1784
unregister_netdevice_many_notify+0x59c/0x1e30 net/core/dev.c:12224
ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
ops_undo_list+0x65a/0x810 net/core/net_namespace.c:248
cleanup_net+0x378/0x670 net/core/net_namespace.c:695
process_one_work+0x66c/0x10c0 kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x91a/0x1230 kernel/workqueue.c:3427
kthread+0x365/0x700 kernel/kthread.c:463
ret_from_fork+0x17e/0x260 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs auth_rpcgss lockd grace sunrpc [last unloaded: nfsd]
CR2: fffffbfff80c58d9
---[ end trace 0000000000000000 ]---
RIP: 0010:notifier_call_chain+0xc4/0x2f0 kernel/notifier.c:75
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
note: kworker/u4:1[25] exited with irqs disabled
----------------
Code disassembly (best guess):
0: 00 e8 add %ch,%al
2: 90 nop
3: a6 cmpsb %es:(%rdi),%ds:(%rsi)
4: 2a 00 sub (%rax),%al
6: 31 ff xor %edi,%edi
8: 89 ee mov %ebp,%esi
a: e8 37 9f 2a 00 call 0x2a9f46
f: 85 ed test %ebp,%ebp
11: 0f 84 a2 00 00 00 je 0xb9
17: 4c 89 eb mov %r13,%rbx
1a: e8 77 a6 2a 00 call 0x2aa696
1f: 48 8d 7b 08 lea 0x8(%rbx),%rdi
23: 48 89 f8 mov %rdi,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1) <-- trapping instruction
2f: 0f 85 df 01 00 00 jne 0x214
35: 48 89 d8 mov %rbx,%rax
38: 4c 8b 6b 08 mov 0x8(%rbx),%r13
3c: 48 c1 e8 03 shr $0x3,%rax
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kmem_cache_destroy nfsd_cacherep: Slab cache still has objects when called from exit_nfsd+0x58/0xe10 [nfsd]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy+0x135/0x190
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:kmem_cache_destroy+0x135/0x190
Code: e8 02 48 89 df e8 cb 3e 0f 00 eb 90 90 48 8b 53 68 48 8b 4c 24 08 48 c7 c6 a0 22 2e a3 48 c7 c7 78 45 cb a3 e8 5c 24 aa ff 90 <0f> 0b 90 90 48 8b 53 70 48 8b 43 78 48 c7 c7 20 02 09 a4 48 89 42
RSP: 0018:ffffc9001583fe08 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8880019013c0 RCX: ffffffff81394b84
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000001
RBP: 1ffff92002b07fc4 R08: 0000000000000001 R09: ffffed100da047d9
R10: 0000000000000001 R11: 000000002d2d2d2d R12: ffffffffc06419c0
R13: ffffffffc0641e48 R14: ffff88800a5caf00 R15: 0000000000000000
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd313bee6f4 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
exit_nfsd+0x58/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: slab-use-after-free in nfsd_inet6addr_event+0x39f/0x430 [nfsd]
Read of size 8 at addr ffff888004e3c180 by task kworker/u4:1/25
CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
dump_stack_lvl+0xab/0xe0
print_report+0xd0/0x610
kasan_report+0xce/0x100
nfsd_inet6addr_event+0x39f/0x430 [nfsd]
notifier_call_chain+0x101/0x2f0
atomic_notifier_call_chain+0x32/0x50
addrconf_ifdown.isra.0+0xd44/0x1700
addrconf_notify+0x362/0x1730
notifier_call_chain+0x101/0x2f0
call_netdevice_notifiers_info+0xb9/0x130
netif_close_many+0x27f/0x4b0
unregister_netdevice_many_notify+0x59c/0x1e30
ops_undo_list+0x65a/0x810
cleanup_net+0x378/0x670
process_one_work+0x66c/0x10c0
worker_thread+0x91a/0x1230
kthread+0x365/0x700
ret_from_fork+0x17e/0x260
ret_from_fork_asm+0x1a/0x30
Allocated by task 288 on cpu 0 at 23.285783s:
kasan_save_stack+0x33/0x60
kasan_save_track+0x17/0x60
__kasan_kmalloc+0x8f/0xa0
__kmalloc_noprof+0x1a8/0x5b0
ops_init+0x77/0x460
setup_net+0x100/0x310
copy_net_ns+0x31b/0x420
create_new_namespaces+0x3ea/0xa90
unshare_nsproxy_namespaces+0xc7/0x170
ksys_unshare+0x3fb/0x980
__x64_sys_unshare+0x31/0x40
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 3875 on cpu 0 at 48.578264s:
kasan_save_stack+0x33/0x60
kasan_save_track+0x17/0x60
__kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kfree+0x1a8/0x420
ops_undo_list+0x48f/0x810
unregister_pernet_operations+0x1ca/0x3d0
unregister_pernet_subsys+0x21/0x30
exit_nfsd+0x53/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888004e3c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 384 bytes inside of
freed 8192-byte region [ffff888004e3c000, ffff888004e3e000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4e38
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000040 ffff888001042280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 0100000000000040 ffff888001042280 dead000000000122 0000000000000000
head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 0100000000000003 ffffea0000138e01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888004e3c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888004e3c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888004e3c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888004e3c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888004e3c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
=============================================================================
BUG nfs4_client (Tainted: G R B W ): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------
Object 0x00000000a598313c @offset=0
Slab 0x0000000077f165de objects=11 used=1 fp=0x00000000d4be4177 flags=0x100000000000240(workingset|head|node=0|zone=1)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3875 at mm/slub.c:1249 __slab_err+0x34/0x40
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__slab_err+0x34/0x40
Code: f9 48 89 fe 4c 8b 47 20 48 c7 c7 80 6b cb a3 81 e2 ff 7f 00 00 e8 3c 5f b3 ff be 01 00 00 00 bf 05 00 00 00 e8 ed d1 9b ff 90 <0f> 0b 90 e9 f4 a7 d9 02 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9001583fda0 EFLAGS: 00010082
RAX: 0000000000079ea8 RBX: ffff88800469f600 RCX: ffffffff819d8c23
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000007
RBP: ffff88801d1c4000 R08: 0000000000000001 R09: fffffbfff4b26c28
R10: 0000000000000000 R11: 3078302062616c53 R12: ffff8880046aca00
R13: ffff88800469f600 R14: ffff88801d1c7ee8 R15: ffff88800469f600
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
__kmem_cache_shutdown+0x20f/0x300
kmem_cache_destroy+0x60/0x190
nfsd4_free_slabs+0x15/0x60 [nfsd]
exit_nfsd+0x62/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kmem_cache_destroy nfs4_client: Slab cache still has objects when called from nfsd4_free_slabs+0x15/0x60 [nfsd]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy+0x135/0x190
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:kmem_cache_destroy+0x135/0x190
Code: e8 02 48 89 df e8 cb 3e 0f 00 eb 90 90 48 8b 53 68 48 8b 4c 24 08 48 c7 c6 a0 22 2e a3 48 c7 c7 78 45 cb a3 e8 5c 24 aa ff 90 <0f> 0b 90 90 48 8b 53 70 48 8b 43 78 48 c7 c7 20 02 09 a4 48 89 42
RSP: 0018:ffffc9001583fe00 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880046aca00 RCX: ffffffff9fd94b84
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000001
RBP: 1ffff92002b07fc4 R08: 0000000000000001 R09: fffff52002b07f7a
R10: 0000000000000001 R11: 000000002d2d2d2d R12: ffffffffc06419c0
R13: ffffffffc0641e48 R14: ffff88800a5caf00 R15: 0000000000000000
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
nfsd4_free_slabs+0x15/0x60 [nfsd]
exit_nfsd+0x62/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
BUG: unable to handle page fault for address: fffffbfff80c58d9
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6dfcc067 P4D 6dfcc067 PUD 6dfc8067 PMD 42f8067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
atomic_notifier_call_chain+0x32/0x50
addrconf_ifdown.isra.0+0xd44/0x1700
addrconf_notify+0x362/0x1730
notifier_call_chain+0x101/0x2f0
call_netdevice_notifiers_info+0xb9/0x130
netif_close_many+0x27f/0x4b0
unregister_netdevice_many_notify+0x59c/0x1e30
ops_undo_list+0x65a/0x810
cleanup_net+0x378/0x670
process_one_work+0x66c/0x10c0
worker_thread+0x91a/0x1230
kthread+0x365/0x700
ret_from_fork+0x17e/0x260
ret_from_fork_asm+0x1a/0x30
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs auth_rpcgss lockd grace sunrpc [last unloaded: nfsd]
CR2: fffffbfff80c58d9
---[ end trace 0000000000000000 ]---
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
note: kworker/u4:1[25] exited with irqs disabled
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
==================================================================
BUG: KASAN: slab-use-after-free in nfsd_inet6addr_event+0x39f/0x430 [nfsd]
Read of size 8 at addr ffff888004e3c180 by task kworker/u4:1/25
CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
dump_stack_lvl+0xab/0xe0
print_report+0xd0/0x610
kasan_report+0xce/0x100
nfsd_inet6addr_event+0x39f/0x430 [nfsd]
notifier_call_chain+0x101/0x2f0
atomic_notifier_call_chain+0x32/0x50
addrconf_ifdown.isra.0+0xd44/0x1700
addrconf_notify+0x362/0x1730
notifier_call_chain+0x101/0x2f0
call_netdevice_notifiers_info+0xb9/0x130
netif_close_many+0x27f/0x4b0
unregister_netdevice_many_notify+0x59c/0x1e30
ops_undo_list+0x65a/0x810
cleanup_net+0x378/0x670
process_one_work+0x66c/0x10c0
worker_thread+0x91a/0x1230
kthread+0x365/0x700
ret_from_fork+0x17e/0x260
ret_from_fork_asm+0x1a/0x30
Allocated by task 288 on cpu 0 at 23.285783s:
kasan_save_stack+0x33/0x60
kasan_save_track+0x17/0x60
__kasan_kmalloc+0x8f/0xa0
__kmalloc_noprof+0x1a8/0x5b0
ops_init+0x77/0x460
setup_net+0x100/0x310
copy_net_ns+0x31b/0x420
create_new_namespaces+0x3ea/0xa90
unshare_nsproxy_namespaces+0xc7/0x170
ksys_unshare+0x3fb/0x980
__x64_sys_unshare+0x31/0x40
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 3875 on cpu 0 at 48.578264s:
kasan_save_stack+0x33/0x60
kasan_save_track+0x17/0x60
__kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kfree+0x1a8/0x420
ops_undo_list+0x48f/0x810
unregister_pernet_operations+0x1ca/0x3d0
unregister_pernet_subsys+0x21/0x30
exit_nfsd+0x53/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888004e3c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 384 bytes inside of
freed 8192-byte region [ffff888004e3c000, ffff888004e3e000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4e38
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000040 ffff888001042280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 0100000000000040 ffff888001042280 dead000000000122 0000000000000000
head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 0100000000000003 ffffea0000138e01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888004e3c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888004e3c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888004e3c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888004e3c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888004e3c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
=============================================================================
BUG nfs4_client (Tainted: G R B W ): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------
Object 0x00000000a598313c @offset=0
Slab 0x0000000077f165de objects=11 used=1 fp=0x00000000d4be4177 flags=0x100000000000240(workingset|head|node=0|zone=1)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3875 at mm/slub.c:1249 __slab_err+0x34/0x40
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__slab_err+0x34/0x40
Code: f9 48 89 fe 4c 8b 47 20 48 c7 c7 80 6b cb a3 81 e2 ff 7f 00 00 e8 3c 5f b3 ff be 01 00 00 00 bf 05 00 00 00 e8 ed d1 9b ff 90 <0f> 0b 90 e9 f4 a7 d9 02 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9001583fda0 EFLAGS: 00010082
RAX: 0000000000079ea8 RBX: ffff88800469f600 RCX: ffffffff819d8c23
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000007
RBP: ffff88801d1c4000 R08: 0000000000000001 R09: fffffbfff4b26c28
R10: 0000000000000000 R11: 3078302062616c53 R12: ffff8880046aca00
R13: ffff88800469f600 R14: ffff88801d1c7ee8 R15: ffff88800469f600
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
__kmem_cache_shutdown+0x20f/0x300
kmem_cache_destroy+0x60/0x190
nfsd4_free_slabs+0x15/0x60 [nfsd]
exit_nfsd+0x62/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kmem_cache_destroy nfs4_client: Slab cache still has objects when called from nfsd4_free_slabs+0x15/0x60 [nfsd]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy+0x135/0x190
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:kmem_cache_destroy+0x135/0x190
Code: e8 02 48 89 df e8 cb 3e 0f 00 eb 90 90 48 8b 53 68 48 8b 4c 24 08 48 c7 c6 a0 22 2e a3 48 c7 c7 78 45 cb a3 e8 5c 24 aa ff 90 <0f> 0b 90 90 48 8b 53 70 48 8b 43 78 48 c7 c7 20 02 09 a4 48 89 42
RSP: 0018:ffffc9001583fe00 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880046aca00 RCX: ffffffff9fd94b84
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000001
RBP: 1ffff92002b07fc4 R08: 0000000000000001 R09: fffff52002b07f7a
R10: 0000000000000001 R11: 000000002d2d2d2d R12: ffffffffc06419c0
R13: ffffffffc0641e48 R14: ffff88800a5caf00 R15: 0000000000000000
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
nfsd4_free_slabs+0x15/0x60 [nfsd]
exit_nfsd+0x62/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
BUG: unable to handle page fault for address: fffffbfff80c58d9
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6dfcc067 P4D 6dfcc067 PUD 6dfc8067 PMD 42f8067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
atomic_notifier_call_chain+0x32/0x50
addrconf_ifdown.isra.0+0xd44/0x1700
addrconf_notify+0x362/0x1730
notifier_call_chain+0x101/0x2f0
call_netdevice_notifiers_info+0xb9/0x130
netif_close_many+0x27f/0x4b0
unregister_netdevice_many_notify+0x59c/0x1e30
ops_undo_list+0x65a/0x810
cleanup_net+0x378/0x670
process_one_work+0x66c/0x10c0
worker_thread+0x91a/0x1230
kthread+0x365/0x700
ret_from_fork+0x17e/0x260
ret_from_fork_asm+0x1a/0x30
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs auth_rpcgss lockd grace sunrpc [last unloaded: nfsd]
CR2: fffffbfff80c58d9
---[ end trace 0000000000000000 ]---
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
note: kworker/u4:1[25] exited with irqs disabled
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
BUG nfs4_client (Tainted: G R B W ): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------
Object 0x00000000a598313c @offset=0
Slab 0x0000000077f165de objects=11 used=1 fp=0x00000000d4be4177 flags=0x100000000000240(workingset|head|node=0|zone=1)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3875 at mm/slub.c:1249 __slab_err+0x34/0x40
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__slab_err+0x34/0x40
Code: f9 48 89 fe 4c 8b 47 20 48 c7 c7 80 6b cb a3 81 e2 ff 7f 00 00 e8 3c 5f b3 ff be 01 00 00 00 bf 05 00 00 00 e8 ed d1 9b ff 90 <0f> 0b 90 e9 f4 a7 d9 02 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9001583fda0 EFLAGS: 00010082
RAX: 0000000000079ea8 RBX: ffff88800469f600 RCX: ffffffff819d8c23
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000007
RBP: ffff88801d1c4000 R08: 0000000000000001 R09: fffffbfff4b26c28
R10: 0000000000000000 R11: 3078302062616c53 R12: ffff8880046aca00
R13: ffff88800469f600 R14: ffff88801d1c7ee8 R15: ffff88800469f600
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
__kmem_cache_shutdown+0x20f/0x300
kmem_cache_destroy+0x60/0x190
nfsd4_free_slabs+0x15/0x60 [nfsd]
exit_nfsd+0x62/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kmem_cache_destroy nfs4_client: Slab cache still has objects when called from nfsd4_free_slabs+0x15/0x60 [nfsd]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy+0x135/0x190
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:kmem_cache_destroy+0x135/0x190
Code: e8 02 48 89 df e8 cb 3e 0f 00 eb 90 90 48 8b 53 68 48 8b 4c 24 08 48 c7 c6 a0 22 2e a3 48 c7 c7 78 45 cb a3 e8 5c 24 aa ff 90 <0f> 0b 90 90 48 8b 53 70 48 8b 43 78 48 c7 c7 20 02 09 a4 48 89 42
RSP: 0018:ffffc9001583fe00 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880046aca00 RCX: ffffffff9fd94b84
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000001
RBP: 1ffff92002b07fc4 R08: 0000000000000001 R09: fffff52002b07f7a
R10: 0000000000000001 R11: 000000002d2d2d2d R12: ffffffffc06419c0
R13: ffffffffc0641e48 R14: ffff88800a5caf00 R15: 0000000000000000
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
nfsd4_free_slabs+0x15/0x60 [nfsd]
exit_nfsd+0x62/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
BUG: unable to handle page fault for address: fffffbfff80c58d9
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6dfcc067 P4D 6dfcc067 PUD 6dfc8067 PMD 42f8067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
atomic_notifier_call_chain+0x32/0x50
addrconf_ifdown.isra.0+0xd44/0x1700
addrconf_notify+0x362/0x1730
notifier_call_chain+0x101/0x2f0
call_netdevice_notifiers_info+0xb9/0x130
netif_close_many+0x27f/0x4b0
unregister_netdevice_many_notify+0x59c/0x1e30
ops_undo_list+0x65a/0x810
cleanup_net+0x378/0x670
process_one_work+0x66c/0x10c0
worker_thread+0x91a/0x1230
kthread+0x365/0x700
ret_from_fork+0x17e/0x260
ret_from_fork_asm+0x1a/0x30
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs auth_rpcgss lockd grace sunrpc [last unloaded: nfsd]
CR2: fffffbfff80c58d9
---[ end trace 0000000000000000 ]---
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
note: kworker/u4:1[25] exited with irqs disabled
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kmem_cache_destroy nfs4_client: Slab cache still has objects when called from nfsd4_free_slabs+0x15/0x60 [nfsd]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy+0x135/0x190
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:kmem_cache_destroy+0x135/0x190
Code: e8 02 48 89 df e8 cb 3e 0f 00 eb 90 90 48 8b 53 68 48 8b 4c 24 08 48 c7 c6 a0 22 2e a3 48 c7 c7 78 45 cb a3 e8 5c 24 aa ff 90 <0f> 0b 90 90 48 8b 53 70 48 8b 43 78 48 c7 c7 20 02 09 a4 48 89 42
RSP: 0018:ffffc9001583fe00 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880046aca00 RCX: ffffffff9fd94b84
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000001
RBP: 1ffff92002b07fc4 R08: 0000000000000001 R09: fffff52002b07f7a
R10: 0000000000000001 R11: 000000002d2d2d2d R12: ffffffffc06419c0
R13: ffffffffc0641e48 R14: ffff88800a5caf00 R15: 0000000000000000
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
nfsd4_free_slabs+0x15/0x60 [nfsd]
exit_nfsd+0x62/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
BUG: unable to handle page fault for address: fffffbfff80c58d9
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6dfcc067 P4D 6dfcc067 PUD 6dfc8067 PMD 42f8067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
atomic_notifier_call_chain+0x32/0x50
addrconf_ifdown.isra.0+0xd44/0x1700
addrconf_notify+0x362/0x1730
notifier_call_chain+0x101/0x2f0
call_netdevice_notifiers_info+0xb9/0x130
netif_close_many+0x27f/0x4b0
unregister_netdevice_many_notify+0x59c/0x1e30
ops_undo_list+0x65a/0x810
cleanup_net+0x378/0x670
process_one_work+0x66c/0x10c0
worker_thread+0x91a/0x1230
kthread+0x365/0x700
ret_from_fork+0x17e/0x260
ret_from_fork_asm+0x1a/0x30
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs auth_rpcgss lockd grace sunrpc [last unloaded: nfsd]
CR2: fffffbfff80c58d9
---[ end trace 0000000000000000 ]---
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
note: kworker/u4:1[25] exited with irqs disabled
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
---[ end trace 0000000000000000 ]---
BUG: unable to handle page fault for address: fffffbfff80c58d9
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6dfcc067 P4D 6dfcc067 PUD 6dfc8067 PMD 42f8067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
atomic_notifier_call_chain+0x32/0x50
addrconf_ifdown.isra.0+0xd44/0x1700
addrconf_notify+0x362/0x1730
notifier_call_chain+0x101/0x2f0
call_netdevice_notifiers_info+0xb9/0x130
netif_close_many+0x27f/0x4b0
unregister_netdevice_many_notify+0x59c/0x1e30
ops_undo_list+0x65a/0x810
cleanup_net+0x378/0x670
process_one_work+0x66c/0x10c0
worker_thread+0x91a/0x1230
kthread+0x365/0x700
ret_from_fork+0x17e/0x260
ret_from_fork_asm+0x1a/0x30
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs auth_rpcgss lockd grace sunrpc [last unloaded: nfsd]
CR2: fffffbfff80c58d9
---[ end trace 0000000000000000 ]---
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
note: kworker/u4:1[25] exited with irqs disabled
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>