lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABWYdi1=CwMH1McYkVy+HOQcVHWqZerhjqyn8irQq10wee08Zg@mail.gmail.com>
Date:   Wed, 30 Jan 2019 14:26:32 -0800
From:   Ivan Babrou <ivan@...udflare.com>
To:     Linux Kernel Network Developers <netdev@...r.kernel.org>
Cc:     mkubecek@...e.cz, "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Ignat Korchagin <ignat@...udflare.com>,
        Shawn Bohrer <sbohrer@...udflare.com>,
        Jakub Sitnicki <jakub@...udflare.com>
Subject: BUG: KASAN: double-free or invalid-free in ip_defrag after upgrade
 from 4.19.13

Hey,

Continuing from this thread earlier today:

* https://marc.info/?t=154886729100001&r=1&w=2

We fired up KASAN enabled kernel one one of those machine and this is
what we saw:

$ /tmp/decode_stacktrace.sh
/usr/lib/debug/lib/modules/4.19.18-cloudflare-2019.1.8-1-gcabf55c/vmlinux
linux-4.19.18 < kasan.txt
[ 2300.250278] ==================================================================
[ 2300.266575] BUG: KASAN: double-free or invalid-free in ip_defrag
(net/ipv4/ip_fragment.c:507 net/ipv4/ip_fragment.c:699)
[ 2300.282860]
[ 2300.293415] CPU: 28 PID: 0 Comm: swapper/28 Tainted: G    B      O
    4.19.18-cloudflare-2019.1.8-1-gcabf55c #gcabf55c
[ 2300.313767] Hardware name: Quanta Computer Inc. QuantaPlex
T41S-2U/S2S-MB, BIOS S2S_3B10.03 06/21/2018
[ 2300.332707] Call Trace:
[ 2300.344701]  <IRQ>
[ 2300.356188] dump_stack (lib/dump_stack.c:115)
[ 2300.368967] print_address_description (mm/kasan/report.c:257)
[ 2300.383192] ? ip_defrag (net/ipv4/ip_fragment.c:507
net/ipv4/ip_fragment.c:699)
[ 2300.396330] kasan_report_invalid_free (mm/kasan/report.c:337)
[ 2300.410448] ? ip_defrag (net/ipv4/ip_fragment.c:507
net/ipv4/ip_fragment.c:699)
[ 2300.423599] __kasan_slab_free (mm/kasan/kasan.c:502)
[ 2300.437165] ? ip_defrag (net/ipv4/ip_fragment.c:507
net/ipv4/ip_fragment.c:699)
[ 2300.450251] kmem_cache_free (mm/slub.c:1398 mm/slub.c:2953 mm/slub.c:2969)
[ 2300.463497] ip_defrag (net/ipv4/ip_fragment.c:507 net/ipv4/ip_fragment.c:699)
[ 2300.476352] ? ip4_obj_hashfn (net/ipv4/ip_fragment.c:684)
[ 2300.489711] ? ip_route_input_rcu (net/ipv4/route.c:2122)
[ 2300.503416] ip_local_deliver (net/ipv4/ip_input.c:252)
[ 2300.516739] ? ip_call_ra_chain (net/ipv4/ip_input.c:245)
[ 2300.530174] ? ip_rcv_finish_core.isra.19 (net/ipv4/ip_input.c:366)
[ 2300.544535] ? ip_local_deliver (net/ipv4/ip_input.c:518)
[ 2300.557862] ip_rcv (net/ipv4/ip_input.c:518)
[ 2300.569972] ? ip_local_deliver (net/ipv4/ip_input.c:518)
[ 2300.583216] ? ip_rcv_core.isra.20 (net/ipv4/ip_input.c:403)
[ 2300.596683] __netif_receive_skb_one_core (net/core/dev.c:4911)
[ 2300.610732] ? __netif_receive_skb_core (net/core/dev.c:4911)
[ 2300.624666] ? eth_gro_receive (net/ethernet/eth.c:157)
[ 2300.637374] ? recalibrate_cpu_khz (arch/x86/kernel/tsc.c:1066
arch/x86/kernel/tsc.c:1066)
[ 2300.650015] ? ktime_get_with_offset (kernel/time/timekeeping.c:267
kernel/time/timekeeping.c:371 kernel/time/timekeeping.c:799)
[ 2300.662708] ? __build_skb (include/linux/compiler.h:214
arch/x86/include/asm/atomic.h:43
include/asm-generic/atomic-instrumented.h:34 net/core/skbuff.c:300)
[ 2300.674529] netif_receive_skb_internal (net/core/dev.c:5097)
[ 2300.687430] ? dev_cpu_dead (net/core/dev.c:5097)
[ 2300.699351] ? efx_rx_mk_skb+0x5d0/0x1210 sfc]
[ 2300.711999] ? efx_time_sync_event+0x1b0/0x1b0 sfc]
[ 2300.725126] efx_rx_deliver+0x447/0x640 sfc]
[ 2300.737697] ? efx_free_rx_buffers+0x180/0x180 sfc]
[ 2300.750803] ? __efx_rx_packet+0x76e/0x23b0 sfc]
[ 2300.763572] ? efx_ssr+0x19c0/0x19c0 sfc]
[ 2300.775502] ? efx_ef10_ptp_set_ts_config+0x120/0x120 sfc]
[ 2300.788713] ? reweight_entity (kernel/sched/fair.c:2762
kernel/sched/fair.c:2830)
[ 2300.800224] ? efx_poll+0x991/0x12b0 sfc]
[ 2300.811467] ? net_rx_action (arch/x86/include/asm/jump_label.h:36
include/linux/jump_label.h:142 include/trace/events/napi.h:14
net/core/dev.c:6263 net/core/dev.c:6328)
[ 2300.822343] ? napi_complete_done (net/core/dev.c:6306)
[ 2300.833468] ? hrtimer_init (kernel/time/hrtimer.c:1430)
[ 2300.843830] ? recalibrate_cpu_khz (arch/x86/kernel/tsc.c:1066
arch/x86/kernel/tsc.c:1066)
[ 2300.854377] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:194
include/asm-generic/atomic-instrumented.h:58
include/asm-generic/qspinlock.h:85 include/linux/spinlock.h:180
include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:144)
[ 2300.864214] ? handle_irq_event (kernel/irq/handle.c:209)
[ 2300.874106] ? __do_softirq (arch/x86/include/asm/jump_label.h:36
include/linux/jump_label.h:142 include/trace/events/irq.h:142
kernel/softirq.c:293)
[ 2300.883609] ? handle_irq (arch/x86/kernel/irq_64.c:79)
[ 2300.892849] ? irq_exit (kernel/softirq.c:372 kernel/softirq.c:412)
[ 2300.901709] ? do_IRQ (arch/x86/include/asm/irq_regs.h:19
arch/x86/include/asm/irq_regs.h:26 arch/x86/kernel/irq.c:260)
[ 2300.910059] ? common_interrupt (arch/x86/entry/entry_64.S:646)
[ 2300.918862]  </IRQ>
[ 2300.925956] ? cpuidle_enter_state (drivers/cpuidle/cpuidle.c:251)
[ 2300.935470] ? do_idle (kernel/sched/idle.c:204 kernel/sched/idle.c:262)
[ 2300.943904] ? arch_cpu_idle_exit (??:?)
[ 2300.953108] ? cpu_startup_entry (kernel/sched/idle.c:368 (discriminator 1))
[ 2300.962229] ? cpu_in_idle (kernel/sched/idle.c:349)
[ 2300.970788] ? clockevents_config.part.12 (kernel/time/clockevents.c:503)
[ 2300.980788] ? start_secondary (arch/x86/kernel/smpboot.c:213)
[ 2300.989915] ? set_cpu_sibling_map (arch/x86/kernel/smpboot.c:213)
[ 2300.999569] ? secondary_startup_64 (arch/x86/kernel/head_64.S:243)
[ 2301.008969]
[ 2301.015480] Allocated by task 0:
[ 2301.023718] kasan_kmalloc (mm/kasan/kasan.c:460 mm/kasan/kasan.c:553)
[ 2301.032340] kmem_cache_alloc (arch/x86/include/asm/jump_label.h:36
include/linux/memcontrol.h:1292 mm/slab.h:447 mm/slub.c:2706
mm/slub.c:2714 mm/slub.c:2719)
[ 2301.041269] __build_skb (net/core/skbuff.c:282 (discriminator 4))
[ 2301.049724] __netdev_alloc_skb (net/core/skbuff.c:423)
[ 2301.058898] efx_rx_mk_skb+0x10e/0x1210 sfc]
[ 2301.068239]
[ 2301.074615] Freed by task 0:
[ 2301.082411] __kasan_slab_free (mm/kasan/kasan.c:522)
[ 2301.091429] kmem_cache_free (mm/slub.c:1398 mm/slub.c:2953 mm/slub.c:2969)
[ 2301.100160] ip_defrag (net/ipv4/ip_fragment.c:507 net/ipv4/ip_fragment.c:699)
[ 2301.108518] ipv4_conntrack_defrag+0x323/0x490 nf_defrag_ipv4]
[ 2301.119408] nf_hook_slow (net/netfilter/core.c:512)
[ 2301.127942] ip_rcv (include/linux/netfilter.h:288 net/ipv4/ip_input.c:524)
[ 2301.135977] __netif_receive_skb_one_core (net/core/dev.c:4911)
[ 2301.145905] netif_receive_skb_internal (net/core/dev.c:5097)
[ 2301.155687] efx_rx_deliver+0x447/0x640 sfc]
[ 2301.164986]
[ 2301.171326] The buggy address belongs to the object at ffff888bd8f543c0
[ 2301.171326]  which belongs to the cache skbuff_head_cache of size 232
[ 2301.194483] The buggy address is located 0 bytes inside of
[ 2301.194483]  232-byte region [ffff888bd8f543c0, ffff888bd8f544a8)
[ 2301.216346] The buggy address belongs to the page:
[ 2301.226355] page:ffffea002f63d500 count:1 mapcount:0
mapping:ffff88a03c294540 index:0xffff888bd8f561c0 compound_mapcount: 0
[ 2301.243024] flags: 0x2ffff800008100(slab|head)
[ 2301.253041] raw: 002ffff800008100 ffffea002341d300 0000002d00000002
ffff88a03c294540
[ 2301.266600] raw: ffff888bd8f561c0 0000000080330030 00000001ffffffff
0000000000000000
[ 2301.280190] page dumped because: kasan: bad access detected
[ 2301.291627]
[ 2301.298900] Memory state around the buggy address:
[ 2301.309617]  ffff888bd8f54280: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[ 2301.322930]  ffff888bd8f54300: fb fb fb fb fb fb fb fb fb fb fb fb
fb fc fc fc
[ 2301.336183] >ffff888bd8f54380: fc fc fc fc fc fc fc fc fb fb fb fb
fb fb fb fb
[ 2301.349449]                                            ^
[ 2301.360817]  ffff888bd8f54400: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[ 2301.374248]  ffff888bd8f54480: fb fb fb fb fb fc fc fc fc fc fc fc
fc fc fc fc
[ 2301.387663] ==================================================================
[ 2301.401334] ==================================================================
[ 2301.414780] BUG: KASAN: double-free or invalid-free in tcp_v4_rcv
(net/ipv4/tcp_ipv4.c:1693)
[ 2301.428222]
[ 2301.435965] CPU: 28 PID: 0 Comm: swapper/28 Tainted: G    B      O
    4.19.18-cloudflare-2019.1.8-1-gcabf55c #gcabf55c
[ 2301.453552] Hardware name: Quanta Computer Inc. QuantaPlex
T41S-2U/S2S-MB, BIOS S2S_3B10.03 06/21/2018
[ 2301.469737] Call Trace:
[ 2301.478962]  <IRQ>
[ 2301.487699] dump_stack (lib/dump_stack.c:115)
[ 2301.497768] print_address_description (mm/kasan/report.c:257)
[ 2301.509256] ? tcp_v4_rcv (net/ipv4/tcp_ipv4.c:1693)
[ 2301.519681] kasan_report_invalid_free (mm/kasan/report.c:337)
[ 2301.531138] ? tcp_v4_rcv (net/ipv4/tcp_ipv4.c:1693)
[ 2301.541628] __kasan_slab_free (mm/kasan/kasan.c:502)
[ 2301.552571] ? tcp_v4_rcv (net/ipv4/tcp_ipv4.c:1693)
[ 2301.563087] kmem_cache_free (mm/slub.c:1398 mm/slub.c:2953 mm/slub.c:2969)
[ 2301.573831] tcp_v4_rcv (net/ipv4/tcp_ipv4.c:1693)
[ 2301.584110] ? icmp_checkentry+0x70/0x70 ip_tables]
[ 2301.595966] ? tcp_v4_early_demux (net/ipv4/tcp_ipv4.c:1693)
[ 2301.607224] ip_local_deliver_finish (net/ipv4/ip_input.c:216)
[ 2301.618764] ip_local_deliver (net/ipv4/ip_input.c:245)
[ 2301.629636] ? ip_call_ra_chain (net/ipv4/ip_input.c:245)
[ 2301.640683] ? ip_sublist_rcv (net/ipv4/ip_input.c:192)
[ 2301.651493] ? ip_local_deliver (net/ipv4/ip_input.c:518)
[ 2301.662419] ip_rcv (net/ipv4/ip_input.c:518)
[ 2301.672198] ? ip_local_deliver (net/ipv4/ip_input.c:518)
[ 2301.683164] ? ip_rcv_core.isra.20 (net/ipv4/ip_input.c:403)
[ 2301.694340] __netif_receive_skb_one_core (net/core/dev.c:4911)
[ 2301.694344] ? __netif_receive_skb_core (net/core/dev.c:4911)
[ 2301.694361] ? eth_gro_receive (net/ethernet/eth.c:157)
[ 2301.694369] ? recalibrate_cpu_khz (arch/x86/kernel/tsc.c:1066
arch/x86/kernel/tsc.c:1066)
[ 2301.694375] ? ktime_get_with_offset (kernel/time/timekeeping.c:267
kernel/time/timekeeping.c:371 kernel/time/timekeeping.c:799)
[ 2301.694385] ? __build_skb (include/linux/compiler.h:214
arch/x86/include/asm/atomic.h:43
include/asm-generic/atomic-instrumented.h:34 net/core/skbuff.c:300)
[ 2301.760745] netif_receive_skb_internal (net/core/dev.c:5097)
[ 2301.760750] ? dev_cpu_dead (net/core/dev.c:5097)
[ 2301.760786] ? efx_rx_mk_skb+0x5d0/0x1210 sfc]
[ 2301.760808] ? efx_time_sync_event+0x1b0/0x1b0 sfc]
[ 2301.760831] efx_rx_deliver+0x447/0x640 sfc]
[ 2301.760851] ? efx_free_rx_buffers+0x180/0x180 sfc]
[ 2301.760872] ? __efx_rx_packet+0x76e/0x23b0 sfc]
[ 2301.835110] ? efx_ssr+0x19c0/0x19c0 sfc]
[ 2301.835142] ? efx_ef10_ptp_set_ts_config+0x120/0x120 sfc]
[ 2301.835152] ? reweight_entity (kernel/sched/fair.c:2762
kernel/sched/fair.c:2830)
[ 2301.835186] ? efx_poll+0x991/0x12b0 sfc]
[ 2301.876013] ? net_rx_action (arch/x86/include/asm/jump_label.h:36
include/linux/jump_label.h:142 include/trace/events/napi.h:14
net/core/dev.c:6263 net/core/dev.c:6328)
[ 2301.876019] ? napi_complete_done (net/core/dev.c:6306)
[ 2301.895619] ? hrtimer_init (kernel/time/hrtimer.c:1430)
[ 2301.895630] ? recalibrate_cpu_khz (arch/x86/kernel/tsc.c:1066
arch/x86/kernel/tsc.c:1066)
[ 2301.914880] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:194
include/asm-generic/atomic-instrumented.h:58
include/asm-generic/qspinlock.h:85 include/linux/spinlock.h:180
include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:144)
[ 2301.914887] ? handle_irq_event (kernel/irq/handle.c:209)
[ 2301.914895] ? __do_softirq (arch/x86/include/asm/jump_label.h:36
include/linux/jump_label.h:142 include/trace/events/irq.h:142
kernel/softirq.c:293)
[ 2301.943072] ? handle_irq (arch/x86/kernel/irq_64.c:79)
[ 2301.943085] ? irq_exit (kernel/softirq.c:372 kernel/softirq.c:412)
[ 2301.960340] ? do_IRQ (arch/x86/include/asm/irq_regs.h:19
arch/x86/include/asm/irq_regs.h:26 arch/x86/kernel/irq.c:260)
[ 2301.960346] ? common_interrupt (arch/x86/entry/entry_64.S:646)
[ 2301.960348]  </IRQ>
[ 2301.960359] ? cpuidle_enter_state (drivers/cpuidle/cpuidle.c:251)
[ 2301.960380] ? do_idle (kernel/sched/idle.c:204 kernel/sched/idle.c:262)
[ 2301.960383] ? arch_cpu_idle_exit (??:?)
[ 2301.960389] ? cpu_startup_entry (kernel/sched/idle.c:368 (discriminator 1))
[ 2301.960392] ? cpu_in_idle (kernel/sched/idle.c:349)
[ 2301.960413] ? clockevents_config.part.12 (kernel/time/clockevents.c:503)
[ 2301.960420] ? start_secondary (arch/x86/kernel/smpboot.c:213)
[ 2301.960423] ? set_cpu_sibling_map (arch/x86/kernel/smpboot.c:213)
[ 2301.960430] ? secondary_startup_64 (arch/x86/kernel/head_64.S:243)
[ 2301.960435]
[ 2302.070728] Allocated by task 0:
[ 2302.070739] kasan_kmalloc (mm/kasan/kasan.c:460 mm/kasan/kasan.c:553)
[ 2302.070764] kmem_cache_alloc (arch/x86/include/asm/jump_label.h:36
include/linux/memcontrol.h:1292 mm/slab.h:447 mm/slub.c:2706
mm/slub.c:2714 mm/slub.c:2719)
[ 2302.095562] __build_skb (net/core/skbuff.c:282 (discriminator 4))
[ 2302.095565] __netdev_alloc_skb (net/core/skbuff.c:423)
[ 2302.095604] efx_rx_mk_skb+0x10e/0x1210 sfc]
[ 2302.095611]
[ 2302.127968] Freed by task 0:
[ 2302.127983] __kasan_slab_free (mm/kasan/kasan.c:522)
[ 2302.127993] kmem_cache_free (mm/slub.c:1398 mm/slub.c:2953 mm/slub.c:2969)
[ 2302.152762] ip_defrag (net/ipv4/ip_fragment.c:507 net/ipv4/ip_fragment.c:699)
[ 2302.152768] ipv4_conntrack_defrag+0x323/0x490 nf_defrag_ipv4]
[ 2302.152771] nf_hook_slow (net/netfilter/core.c:512)
[ 2302.152775] ip_rcv (include/linux/netfilter.h:288 net/ipv4/ip_input.c:524)
[ 2302.152779] __netif_receive_skb_one_core (net/core/dev.c:4911)
[ 2302.152782] netif_receive_skb_internal (net/core/dev.c:5097)
[ 2302.152808] efx_rx_deliver+0x447/0x640 sfc]
[ 2302.152810]
[ 2302.152813] The buggy address belongs to the object at ffff888bd8f543c0
[ 2302.152813]  which belongs to the cache skbuff_head_cache of size 232
[ 2302.152815] The buggy address is located 0 bytes inside of
[ 2302.152815]  232-byte region [ffff888bd8f543c0, ffff888bd8f544a8)
[ 2302.152816] The buggy address belongs to the page:
[ 2302.152819] page:ffffea002f63d500 count:1 mapcount:0
mapping:ffff88a03c294540 index:0xffff888bd8f561c0 compound_mapcount: 0
[ 2302.152822] flags: 0x2ffff800008100(slab|head)
[ 2302.152827] raw: 002ffff800008100 ffffea002341d300 0000002d00000002
ffff88a03c294540
[ 2302.152829] raw: ffff888bd8f561c0 0000000080330030 00000001ffffffff
0000000000000000
[ 2302.152830] page dumped because: kasan: bad access detected
[ 2302.152830]
[ 2302.152831] Memory state around the buggy address:
[ 2302.152833]  ffff888bd8f54280: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[ 2302.152835]  ffff888bd8f54300: fb fb fb fb fb fb fb fb fb fb fb fb
fb fc fc fc
[ 2302.152836] >ffff888bd8f54380: fc fc fc fc fc fc fc fc fb fb fb fb
fb fb fb fb
[ 2302.152837]                                            ^
[ 2302.152839]  ffff888bd8f54400: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[ 2302.152840]  ffff888bd8f54480: fb fb fb fb fb fc fc fc fc fc fc fc
fc fc fc fc
[ 2302.152841] ==================================================================
[ 2302.187379] BUG: Bad page state in process nginx-origin  pfn:28b7f8
[ 2302.462537] page:ffffea000a2dfe00 count:-1 mapcount:0
mapping:0000000000000000 index:0x0
[ 2302.462542] flags: 0x2ffff800000000()
[ 2302.462549] raw: 002ffff800000000 dead000000000100 dead000000000200
0000000000000000
[ 2302.462553] raw: 0000000000000000 0000000000000000 ffffffffffffffff
0000000000000000
[ 2302.462554] page dumped because: nonzero _count
[ 2302.462555] Modules linked in: tun xt_connlimit nf_conncount xt_bpf
xt_hashlimit iptable_security cls_flow cls_u32 sch_htb sch_fq md_mod
dm_crypt algif_skcipher af_alg dm_mod dax ip6table_nat nf_nat_ipv6
ip6table_mangle ip6table_security ip6table_raw ip6table_filter
ip6_tables xt_nat iptable_nat nf_nat_ipv4 nf_nat xt_TPROXY
nf_tproxy_ipv6 nf_tproxy_ipv4 xt_connmark iptable_mangle xt_owner
xt_CT xt_socket nf_socket_ipv4 nf_socket_ipv6 iptable_raw
nfnetlink_log xt_NFLOG xt_tcpudp xt_comment xt_conntrack nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 xt_mark xt_multiport xt_set
iptable_filter bpfilter ip_set_hash_netport ip_set_hash_net
ip_set_hash_ip ip_set nfnetlink 8021q garp mrp stp llc sb_edac
x86_pkg_temp_thermal kvm_intel kvm ipmi_ssif irqbypass crc32_pclmul
crc32c_intel sfc(O) pcbc aesni_intel aes_x86_64
[ 2302.650012]  crypto_simd igb cryptd i2c_algo_bit glue_helper mdio
dca ipmi_si ipmi_devintf ipmi_msghandler efivarfs ip_tables x_tables
[ 2302.650031] CPU: 1 PID: 74997 Comm: nginx-origin Tainted: G    B
  O      4.19.18-cloudflare-2019.1.8-1-gcabf55c #gcabf55c
[ 2302.650033] Hardware name: Quanta Computer Inc. QuantaPlex
T41S-2U/S2S-MB, BIOS S2S_3B10.03 06/21/2018
[ 2302.650035] Call Trace:
[ 2302.650049] dump_stack (lib/dump_stack.c:115)
[ 2302.650062] bad_page.cold.116 (mm/page_alloc.c:542)
[ 2302.755115] ? si_mem_available (mm/page_alloc.c:507)
[ 2302.755119] ? ksys_write (fs/read_write.c:599)
[ 2302.755126] ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:247)
[ 2302.755130] ? __switch_to_asm (arch/x86/entry/entry_64.S:373)
[ 2302.755135] get_page_from_freelist (mm/page_alloc.c:2997
mm/page_alloc.c:3342)
[ 2302.755140] ? __switch_to_asm (arch/x86/entry/entry_64.S:373)
[ 2302.755144] ? __switch_to_asm (arch/x86/entry/entry_64.S:373)
[ 2302.755153] ? kasan_unpoison_shadow (mm/kasan/kasan.c:71)
[ 2302.861765] ? __isolate_free_page (mm/page_alloc.c:3252)
[ 2302.861769] ? __kmalloc_node_track_caller (mm/slab.h:448
mm/slub.c:2706 mm/slub.c:4320)
[ 2302.861775] ? __alloc_skb (net/core/skbuff.c:206)
[ 2302.861783] __alloc_pages_nodemask (mm/page_alloc.c:4369)
[ 2302.915129] ? __alloc_pages_slowpath (mm/page_alloc.c:4345)
[ 2302.915135] skb_page_frag_refill (net/core/sock.c:2213)
[ 2302.915139] sk_page_frag_refill (net/core/sock.c:2234)
[ 2302.915144] tcp_sendmsg_locked (net/ipv4/tcp.c:1321)
[ 2302.915149] ? interrupt_entry (arch/x86/entry/entry_64.S:607)
[ 2302.915153] ? kasan_unpoison_shadow (mm/kasan/kasan.c:68)
[ 2302.915160] ? tcp_sendpage (net/ipv4/tcp.c:1175)
[ 2303.003254] ? selinux_secmark_relabel_packet (security/selinux/hooks.c:4532)
[ 2303.003260] ? release_pages (mm/swap.c:716)
[ 2303.028592] ? inet_sk_set_state (net/ipv4/af_inet.c:794)
[ 2303.028596] tcp_sendmsg (net/ipv4/tcp.c:1444)
[ 2303.028603] sock_sendmsg (net/socket.c:622 net/socket.c:631)
[ 2303.028609] sock_write_iter (net/socket.c:901)
[ 2303.075968] ? sock_sendmsg (net/socket.c:884)
[ 2303.075978] __vfs_write (fs/read_write.c:475 fs/read_write.c:487)
[ 2303.075986] ? __handle_mm_fault (mm/memory.c:3211 mm/memory.c:4030
mm/memory.c:4156)
[ 2303.111370] ? kernel_read (fs/read_write.c:483)
[ 2303.111375] ? file_has_perm (security/selinux/hooks.c:1919)
[ 2303.111379] ? bpf_fd_pass (security/selinux/hooks.c:1890)
[ 2303.111386] vfs_write (fs/read_write.c:550)
[ 2303.111389] ksys_write (fs/read_write.c:599)
[ 2303.111394] ? __ia32_sys_read (fs/read_write.c:592)
[ 2303.111401] do_syscall_64 (arch/x86/entry/common.c:290)
[ 2303.188508] ? page_fault (arch/x86/entry/entry_64.S:1161)
[ 2303.188513] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:247)
[ 2303.188517] RIP: 0033:0x7f53e469f190
[ 2303.188521] Code: 2e 0f 1f 84 00 00 00 00 00 90 48 8b 05 39 7e 20
00 c3 0f 1f 84 00 00 00 00 00 83 3d 39 c2 20 00 00 75 10 b8 01 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae fc ff ff 48 89
04 24
All code
========
   0: 2e 0f 1f 84 00 00 00 nopl   %cs:0x0(%rax,%rax,1)
   7: 00 00
   9: 90                    nop
   a: 48 8b 05 39 7e 20 00 mov    0x207e39(%rip),%rax        # 0x207e4a
  11: c3                    retq
  12: 0f 1f 84 00 00 00 00 nopl   0x0(%rax,%rax,1)
  19: 00
  1a: 83 3d 39 c2 20 00 00 cmpl   $0x0,0x20c239(%rip)        # 0x20c25a
  21: 75 10                jne    0x33
  23: b8 01 00 00 00        mov    $0x1,%eax
  28: 0f 05                syscall
  2a:* 48 3d 01 f0 ff ff    cmp    $0xfffffffffffff001,%rax <--
trapping instruction
  30: 73 31                jae    0x63
  32: c3                    retq
  33: 48 83 ec 08          sub    $0x8,%rsp
  37: e8 ae fc ff ff        callq  0xfffffffffffffcea
  3c: 48 89 04 24          mov    %rax,(%rsp)

Code starting with the faulting instruction
===========================================
   0: 48 3d 01 f0 ff ff    cmp    $0xfffffffffffff001,%rax
   6: 73 31                jae    0x39
   8: c3                    retq
   9: 48 83 ec 08          sub    $0x8,%rsp
   d: e8 ae fc ff ff        callq  0xfffffffffffffcc0
  12: 48 89 04 24          mov    %rax,(%rsp)
[ 2303.188523] RSP: 002b:00007ffcc6a0c118 EFLAGS: 00000246 ORIG_RAX:
0000000000000001
[ 2303.188528] RAX: ffffffffffffffda RBX: 00005562df6160b3 RCX: 00007f53e469f190
[ 2303.188531] RDX: 000000000000401d RSI: 00005562df6160b3 RDI: 0000000000000d4f
[ 2303.188533] RBP: 00007ffcc6a0c150 R08: 0000000000000005 R09: 0000000060640d3e
[ 2303.188535] R10: 00005562d20f7b10 R11: 0000000000000246 R12: 000000000000401d
[ 2303.188541] R13: 000000000000401d R14: 00007ffcc6a0c3a8 R15: 00005562dc0e6ec8
[ 2303.407074] WARNING: CPU: 21 PID: 74997 at lib/iov_iter.c:825
copy_page_to_iter (lib/iov_iter.c:825 lib/iov_iter.c:832)
[ 2303.420983] Modules linked in: tun xt_connlimit nf_conncount xt_bpf
xt_hashlimit iptable_security cls_flow cls_u32 sch_htb sch_fq md_mod
dm_crypt algif_skcipher af_alg dm_mod dax ip6table_nat nf_nat_ipv6
ip6table_mangle ip6table_security ip6table_raw ip6table_filter
ip6_tables xt_nat iptable_nat nf_nat_ipv4 nf_nat xt_TPROXY
nf_tproxy_ipv6 nf_tproxy_ipv4 xt_connmark iptable_mangle xt_owner
xt_CT xt_socket nf_socket_ipv4 nf_socket_ipv6 iptable_raw
nfnetlink_log xt_NFLOG xt_tcpudp xt_comment xt_conntrack nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 xt_mark xt_multiport xt_set
iptable_filter bpfilter ip_set_hash_netport ip_set_hash_net
ip_set_hash_ip ip_set nfnetlink 8021q garp mrp stp llc sb_edac
x86_pkg_temp_thermal kvm_intel kvm ipmi_ssif irqbypass crc32_pclmul
crc32c_intel sfc(O) pcbc aesni_intel aes_x86_64
[ 2303.538009]  crypto_simd igb cryptd i2c_algo_bit glue_helper mdio
dca ipmi_si ipmi_devintf ipmi_msghandler efivarfs ip_tables x_tables
[ 2303.538034] CPU: 21 PID: 74997 Comm: nginx-origin Tainted: G    B
   O      4.19.18-cloudflare-2019.1.8-1-gcabf55c #gcabf55c
[ 2303.538037] Hardware name: Quanta Computer Inc. QuantaPlex
T41S-2U/S2S-MB, BIOS S2S_3B10.03 06/21/2018
[ 2303.538050] RIP: 0010:copy_page_to_iter (??:?)
[ 2303.538055] Code: 07 00 00 4d 85 f6 4c 89 54 24 10 4d 8b 6f 18 4c
89 44 24 08 74 0c 4c 89 ff e8 65 43 ff ff 84 c0 75 12 45 31 f6 e9 d9
fe ff ff <0f> 0b 45 31 f6 e9 cf fe ff ff 49 8d 6f 08 4c 8b 44 24 08 48
b8 00
All code
========
   0: 07                    (bad)
   1: 00 00                add    %al,(%rax)
   3: 4d 85 f6              test   %r14,%r14
   6: 4c 89 54 24 10        mov    %r10,0x10(%rsp)
   b: 4d 8b 6f 18          mov    0x18(%r15),%r13
   f: 4c 89 44 24 08        mov    %r8,0x8(%rsp)
  14: 74 0c                je     0x22
  16: 4c 89 ff              mov    %r15,%rdi
  19: e8 65 43 ff ff        callq  0xffffffffffff4383
  1e: 84 c0                test   %al,%al
  20: 75 12                jne    0x34
  22: 45 31 f6              xor    %r14d,%r14d
  25: e9 d9 fe ff ff        jmpq   0xffffffffffffff03
  2a:* 0f 0b                ud2    <-- trapping instruction
  2c: 45 31 f6              xor    %r14d,%r14d
  2f: e9 cf fe ff ff        jmpq   0xffffffffffffff03
  34: 49 8d 6f 08          lea    0x8(%r15),%rbp
  38: 4c 8b 44 24 08        mov    0x8(%rsp),%r8
  3d: 48                    rex.W
  3e: b8                    .byte 0xb8
...

Code starting with the faulting instruction
===========================================
   0: 0f 0b                ud2
   2: 45 31 f6              xor    %r14d,%r14d
   5: e9 cf fe ff ff        jmpq   0xfffffffffffffed9
   a: 49 8d 6f 08          lea    0x8(%r15),%rbp
   e: 4c 8b 44 24 08        mov    0x8(%rsp),%r8
  13: 48                    rex.W
  14: b8                    .byte 0xb8
...
[ 2303.538057] RSP: 0018:ffff88a005e0f7c0 EFLAGS: 00010293
[ 2303.538061] RAX: 0000000000001000 RBX: 000000000000168d RCX: 002ffff800000000
[ 2303.538064] RDX: ffffffffa66bdcb0 RSI: ffffffffa66bdca0 RDI: ffffea000a2dfe00
[ 2303.538066] RBP: 0000000000000005 R08: ffffea000a2dfe00 R09: dffffc0000000000
[ 2303.538069] R10: 0000000000001688 R11: 0000000000000004 R12: ffffea000a2dfe08
[ 2303.538071] R13: ffffea000a2dfe00 R14: ffffea0000000000 R15: ffff88a005e0fc40
[ 2303.538075] FS:  00007f53e4ac0740(0000) GS:ffff888c3f4c0000(0000)
knlGS:0000000000000000
[ 2303.538077] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2303.538079] CR2: 00005562d36cc000 CR3: 0000002015486001 CR4: 00000000003606e0
[ 2303.538081] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2303.538083] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2303.538085] Call Trace:
[ 2303.538099] skb_copy_datagram_iter (net/core/datagram.c:453)
[ 2303.538108] tcp_recvmsg (net/ipv4/tcp.c:2104)
[ 2303.538115] ? tcp_get_md5sig_pool (net/ipv4/tcp.c:1917)
[ 2303.538119] ? tcp_poll (include/net/sock.h:1204
include/net/sock.h:1210 net/ipv4/tcp.c:569)
[ 2303.538123] ? tcp_splice_read (net/ipv4/tcp.c:504)
[ 2303.538131] ? bad_area_access_error (arch/x86/mm/fault.c:1213)
[ 2303.538134] ? tcp_splice_read (net/ipv4/tcp.c:504)
[ 2303.538144] ? ep_item_poll.isra.20 (fs/eventpoll.c:892)
[ 2303.538151] ? selinux_secmark_relabel_packet (security/selinux/hooks.c:4532)
[ 2303.538159] inet_recvmsg (net/ipv4/af_inet.c:838)
[ 2303.538164] ? inet_sendpage (net/ipv4/af_inet.c:828)
[ 2303.538172] sock_read_iter (net/socket.c:879)
[ 2303.538177] ? sock_recvmsg (net/socket.c:862)
[ 2303.538187] __vfs_read (fs/read_write.c:407 fs/read_write.c:418)
[ 2303.538193] ? __switch_to_asm (arch/x86/entry/entry_64.S:373)
[ 2303.538197] ? __switch_to_asm (arch/x86/entry/entry_64.S:373)
[ 2303.538202] ? __x64_sys_copy_file_range (fs/read_write.c:414)
[ 2303.538208] ? file_has_perm (security/selinux/hooks.c:1919)
[ 2303.538216] vfs_read (fs/read_write.c:453)
[ 2303.538221] ksys_read (fs/read_write.c:579)
[ 2303.538225] ? kernel_write (fs/read_write.c:572)
[ 2303.538232] do_syscall_64 (arch/x86/entry/common.c:290)
[ 2303.538236] ? prepare_exit_to_usermode (arch/x86/entry/common.c:197)
[ 2303.538240] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:247)
[ 2303.538245] RIP: 0033:0x7f53e469f1f0
[ 2303.538249] Code: 73 01 c3 48 8b 0d b8 7d 20 00 f7 d8 64 89 01 48
83 c8 ff c3 66 0f 1f 44 00 00 83 3d d9 c1 20 00 00 75 10 b8 00 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 4e fc ff ff 48 89
04 24
All code
========
   0: 73 01                jae    0x3
   2: c3                    retq
   3: 48 8b 0d b8 7d 20 00 mov    0x207db8(%rip),%rcx        # 0x207dc2
   a: f7 d8                neg    %eax
   c: 64 89 01              mov    %eax,%fs:(%rcx)
   f: 48 83 c8 ff          or     $0xffffffffffffffff,%rax
  13: c3                    retq
  14: 66 0f 1f 44 00 00    nopw   0x0(%rax,%rax,1)
  1a: 83 3d d9 c1 20 00 00 cmpl   $0x0,0x20c1d9(%rip)        # 0x20c1fa
  21: 75 10                jne    0x33
  23: b8 00 00 00 00        mov    $0x0,%eax
  28: 0f 05                syscall
  2a:* 48 3d 01 f0 ff ff    cmp    $0xfffffffffffff001,%rax <--
trapping instruction
  30: 73 31                jae    0x63
  32: c3                    retq
  33: 48 83 ec 08          sub    $0x8,%rsp
  37: e8 4e fc ff ff        callq  0xfffffffffffffc8a
  3c: 48 89 04 24          mov    %rax,(%rsp)

Code starting with the faulting instruction
===========================================
   0: 48 3d 01 f0 ff ff    cmp    $0xfffffffffffff001,%rax
   6: 73 31                jae    0x39
   8: c3                    retq
   9: 48 83 ec 08          sub    $0x8,%rsp
   d: e8 4e fc ff ff        callq  0xfffffffffffffc60
  12: 48 89 04 24          mov    %rax,(%rsp)
[ 2303.538251] RSP: 002b:00007ffcc6a0c188 EFLAGS: 00000246 ORIG_RAX:
0000000000000000
[ 2303.538254] RAX: ffffffffffffffda RBX: 00005562d5f89883 RCX: 00007f53e469f1f0
[ 2303.538256] RDX: 0000000000000005 RSI: 00005562d5f89883 RDI: 0000000000000dfb
[ 2303.538258] RBP: 00007ffcc6a0c1c0 R08: 0000000000000032 R09: 0000000000000020
[ 2303.538260] R10: 00005562d20944de R11: 0000000000000246 R12: 0000000000000005
[ 2303.538262] R13: 00005562dbb17f60 R14: 00005562d2570e80 R15: 00007f53c5866d98
[ 2303.538268] ---[ end trace d791391e77eef582 ]---
[ 2330.200708] kasan: CONFIG_KASAN_INLINE enabled
[ 2330.211020] kasan: GPF could be caused by NULL-ptr deref or user
memory access
[ 2330.224169] general protection fault: 0000 [#1] SMP KASAN PTI
[ 2330.235791] CPU: 28 PID: 69371 Comm: nginx-fl Tainted: G    B   W
O      4.19.18-cloudflare-2019.1.8-1-gcabf55c #gcabf55c
[ 2330.253036] Hardware name: Quanta Computer Inc. QuantaPlex
T41S-2U/S2S-MB, BIOS S2S_3B10.03 06/21/2018
[ 2330.268679] RIP: 0010:rb_replace_node (??:?)
[ 2330.279645] Code: 55 48 89 f5 53 48 89 fb 48 83 ec 08 80 3c 01 00
0f 85 64 02 00 00 48 b9 00 00 00 00 00 fc ff df 48 89 e8 4c 8b 23 48
c1 e8 03 <0f> b6 34 08 48 8d 45 17 48 89 c7 83 e0 07 48 c1 ef 03 49 83
e4 fc
All code
========
   0: 55                    push   %rbp
   1: 48 89 f5              mov    %rsi,%rbp
   4: 53                    push   %rbx
   5: 48 89 fb              mov    %rdi,%rbx
   8: 48 83 ec 08          sub    $0x8,%rsp
   c: 80 3c 01 00          cmpb   $0x0,(%rcx,%rax,1)
  10: 0f 85 64 02 00 00    jne    0x27a
  16: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
  1d: fc ff df
  20: 48 89 e8              mov    %rbp,%rax
  23: 4c 8b 23              mov    (%rbx),%r12
  26: 48 c1 e8 03          shr    $0x3,%rax
  2a:* 0f b6 34 08          movzbl (%rax,%rcx,1),%esi <-- trapping instruction
  2e: 48 8d 45 17          lea    0x17(%rbp),%rax
  32: 48 89 c7              mov    %rax,%rdi
  35: 83 e0 07              and    $0x7,%eax
  38: 48 c1 ef 03          shr    $0x3,%rdi
  3c: 49 83 e4 fc          and    $0xfffffffffffffffc,%r12

Code starting with the faulting instruction
===========================================
   0: 0f b6 34 08          movzbl (%rax,%rcx,1),%esi
   4: 48 8d 45 17          lea    0x17(%rbp),%rax
   8: 48 89 c7              mov    %rax,%rdi
   b: 83 e0 07              and    $0x7,%eax
   e: 48 c1 ef 03          shr    $0x3,%rdi
  12: 49 83 e4 fc          and    $0xfffffffffffffffc,%r12
[ 2330.311757] RSP: 0018:ffff888c3f687d88 EFLAGS: 00010206
[ 2330.323631] RAX: 0000000000000003 RBX: ffff888c081fc000 RCX: dffffc0000000000
[ 2330.323634] RDX: ffff888c0a5c38e0 RSI: 000000000000001a RDI: ffff888c081fc000
[ 2330.323636] RBP: 000000000000001a R08: fffffbfff4d88d09 R09: fffffbfff4d88d08
[ 2330.323639] R10: fffffbfff4d88d08 R11: ffffffffa6c46847 R12: 0000000030747865
[ 2330.323641] R13: ffff888c0a5c3910 R14: ffff888c0a5c3870 R15: ffff888c0a5c38e0
[ 2330.323644] FS:  00007f3375a30780(0000) GS:ffff888c3f680000(0000)
knlGS:0000000000000000
[ 2330.323647] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2330.323649] CR2: 00007f19d3da5000 CR3: 0000000bee77a001 CR4: 00000000003606e0
[ 2330.323651] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2330.323653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2330.323655] Call Trace:
[ 2330.323658]  <IRQ>
[ 2330.323673] ip_expire (net/ipv4/ip_fragment.c:223)
[ 2330.323680] ? ip_check_defrag (net/ipv4/ip_fragment.c:187)
[ 2330.323686] call_timer_fn (arch/x86/include/asm/jump_label.h:36
include/linux/jump_label.h:142 include/trace/events/timer.h:121
kernel/time/timer.c:1327)
[ 2330.323691] run_timer_softirq (kernel/time/timer.c:1364
kernel/time/timer.c:1682 kernel/time/timer.c:1695)
[ 2330.323695] ? add_timer (kernel/time/timer.c:1692)
[ 2330.323699] ? hrtimer_init (kernel/time/hrtimer.c:1430)
[ 2330.323705] ? recalibrate_cpu_khz (arch/x86/kernel/tsc.c:1066
arch/x86/kernel/tsc.c:1066)
[ 2330.323709] ? recalibrate_cpu_khz (arch/x86/kernel/tsc.c:1066
arch/x86/kernel/tsc.c:1066)
[ 2330.323713] ? ktime_get (kernel/time/timekeeping.c:267
kernel/time/timekeeping.c:371 kernel/time/timekeeping.c:756)
[ 2330.323720] ? lapic_timer_set_oneshot (arch/x86/kernel/apic/apic.c:467)
[ 2330.323727] ? clockevents_program_event (kernel/time/clockevents.c:346)
[ 2330.323733] __do_softirq (arch/x86/include/asm/jump_label.h:36
include/linux/jump_label.h:142 include/trace/events/irq.h:142
kernel/softirq.c:293)
[ 2330.323741] irq_exit (kernel/softirq.c:372 kernel/softirq.c:412)
[ 2330.323744] smp_apic_timer_interrupt
(arch/x86/include/asm/irq_regs.h:19 arch/x86/include/asm/irq_regs.h:26
arch/x86/kernel/apic/apic.c:1058)
[ 2330.323751] apic_timer_interrupt (arch/x86/entry/entry_64.S:864)
[ 2330.323753]  </IRQ>
[ 2330.323760] RIP: 0010:check_memory_region (??:?)
[ 2330.323765] Code: ff 41 54 49 b9 00 00 00 00 00 fc ff df 4d 89 da
55 49 c1 ea 03 53 48 89 fb 4d 01 ca 48 c1 eb 03 49 8d 6a 01 49 01 d9
49 89 e8 <4c> 89 c8 4d 29 c8 49 83 f8 10 0f 8e 98 00 00 00 44 89 cb 83
e3 07
All code
========
   0: ff 41 54              incl   0x54(%rcx)
   3: 49 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%r9
   a: fc ff df
   d: 4d 89 da              mov    %r11,%r10
  10: 55                    push   %rbp
  11: 49 c1 ea 03          shr    $0x3,%r10
  15: 53                    push   %rbx
  16: 48 89 fb              mov    %rdi,%rbx
  19: 4d 01 ca              add    %r9,%r10
  1c: 48 c1 eb 03          shr    $0x3,%rbx
  20: 49 8d 6a 01          lea    0x1(%r10),%rbp
  24: 49 01 d9              add    %rbx,%r9
  27: 49 89 e8              mov    %rbp,%r8
  2a:* 4c 89 c8              mov    %r9,%rax <-- trapping instruction
  2d: 4d 29 c8              sub    %r9,%r8
  30: 49 83 f8 10          cmp    $0x10,%r8
  34: 0f 8e 98 00 00 00    jle    0xd2
  3a: 44 89 cb              mov    %r9d,%ebx
  3d: 83 e3 07              and    $0x7,%ebx

Code starting with the faulting instruction
===========================================
   0: 4c 89 c8              mov    %r9,%rax
   3: 4d 29 c8              sub    %r9,%r8
   6: 49 83 f8 10          cmp    $0x10,%r8
   a: 0f 8e 98 00 00 00    jle    0xa8
  10: 44 89 cb              mov    %r9d,%ebx
  13: 83 e3 07              and    $0x7,%ebx
[ 2330.323767] RSP: 0018:ffff888bcb66f830 EFLAGS: 00000286 ORIG_RAX:
ffffffffffffff13
[ 2330.323771] RAX: ffff7fffffffffff RBX: 1ffffd400601a58e RCX: ffffffffa5591192
[ 2330.323772] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffea00300d2c74
[ 2330.323775] RBP: fffff9400601a58f R08: fffff9400601a58f R09: fffff9400601a58e
[ 2330.323777] R10: fffff9400601a58e R11: ffffea00300d2c77 R12: dffffc0000000000
[ 2330.323779] R13: ffff888bf01d0500 R14: ffff88826902a7c0 R15: ffffea00300d2c40
[ 2330.323787] ? skb_release_data (arch/x86/include/asm/atomic.h:125
(discriminator 3) include/asm-generic/atomic-instrumented.h:260
(discriminator 3) include/linux/page_ref.h:139 (discriminator 3)
include/linux/mm.h:520 (discriminator 3) include/linux/mm.h:942
(discriminator 3) include/linux/skbuff.h:2795 (discriminator 3)
net/core/skbuff.c:564 (discriminator 3))
[ 2330.323793] skb_release_data (arch/x86/include/asm/atomic.h:125
(discriminator 3) include/asm-generic/atomic-instrumented.h:260
(discriminator 3) include/linux/page_ref.h:139 (discriminator 3)
include/linux/mm.h:520 (discriminator 3) include/linux/mm.h:942
(discriminator 3) include/linux/skbuff.h:2795 (discriminator 3)
net/core/skbuff.c:564 (discriminator 3))
[ 2330.323798] __kfree_skb (net/core/skbuff.c:642)
[ 2330.323804] tcp_recvmsg (include/net/sock.h:2405 net/ipv4/tcp.c:2134)
[ 2330.323808] ? sock_def_readable (arch/x86/include/asm/bitops.h:328
include/net/sock.h:828 include/net/sock.h:2181 net/core/sock.c:2698)
[ 2330.323814] ? tcp_get_md5sig_pool (net/ipv4/tcp.c:1917)
[ 2330.323817] ? tcp_poll (include/net/sock.h:1204
include/net/sock.h:1210 net/ipv4/tcp.c:569)
[ 2330.323825] ? unix_stream_sendpage (net/unix/af_unix.c:1829)
[ 2330.323831] ? sock_sendmsg (net/socket.c:622 net/socket.c:631)
[ 2330.323834] ? sock_write_iter (net/socket.c:901)
[ 2330.323838] ? sock_sendmsg (net/socket.c:884)
[ 2330.323846] inet_recvmsg (net/ipv4/af_inet.c:838)
[ 2330.323851] ? inet_sendpage (net/ipv4/af_inet.c:828)
[ 2330.323856] sock_read_iter (net/socket.c:879)
[ 2330.323860] ? sock_recvmsg (net/socket.c:862)
[ 2330.323870] __vfs_read (fs/read_write.c:407 fs/read_write.c:418)
[ 2330.323874] ? __switch_to_asm (arch/x86/entry/entry_64.S:373)
[ 2330.323878] ? __switch_to_asm (arch/x86/entry/entry_64.S:373)
[ 2330.323883] ? __x64_sys_copy_file_range (fs/read_write.c:414)
[ 2330.323890] ? file_has_perm (security/selinux/hooks.c:1919)
[ 2330.323898] vfs_read (fs/read_write.c:453)
[ 2330.323903] ksys_read (fs/read_write.c:579)
[ 2330.323908] ? kernel_write (fs/read_write.c:572)
[ 2330.323911] ? fput (arch/x86/include/asm/atomic64_64.h:118
include/asm-generic/atomic-instrumented.h:269
include/asm-generic/atomic-long.h:218 fs/file_table.c:331)
[ 2330.323918] do_syscall_64 (arch/x86/entry/common.c:290)
[ 2330.323921] ? prepare_exit_to_usermode (arch/x86/entry/common.c:197)
[ 2330.323926] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:247)
[ 2330.323930] RIP: 0033:0x7f337540b20d
[ 2330.323934] Code: c1 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01
f0 ff ff 73 31 c3 48 83 ec 08 e8 4e fc ff ff 48 89 04 24 b8 00 00 00
00 0f 05 <48> 8b 3c 24 48 89 c2 e8 97 fc ff ff 48 89 d0 48 83 c4 08 48
3d 01
All code
========
   0: c1 20 00              shll   $0x0,(%rax)
   3: 00 75 10              add    %dh,0x10(%rbp)
   6: b8 00 00 00 00        mov    $0x0,%eax
   b: 0f 05                syscall
   d: 48 3d 01 f0 ff ff    cmp    $0xfffffffffffff001,%rax
  13: 73 31                jae    0x46
  15: c3                    retq
  16: 48 83 ec 08          sub    $0x8,%rsp
  1a: e8 4e fc ff ff        callq  0xfffffffffffffc6d
  1f: 48 89 04 24          mov    %rax,(%rsp)
  23: b8 00 00 00 00        mov    $0x0,%eax
  28: 0f 05                syscall
  2a:* 48 8b 3c 24          mov    (%rsp),%rdi <-- trapping instruction
  2e: 48 89 c2              mov    %rax,%rdx
  31: e8 97 fc ff ff        callq  0xfffffffffffffccd
  36: 48 89 d0              mov    %rdx,%rax
  39: 48 83 c4 08          add    $0x8,%rsp
  3d: 48                    rex.W
  3e: 3d                    .byte 0x3d
  3f: 01                    .byte 0x1

Code starting with the faulting instruction
===========================================
   0: 48 8b 3c 24          mov    (%rsp),%rdi
   4: 48 89 c2              mov    %rax,%rdx
   7: e8 97 fc ff ff        callq  0xfffffffffffffca3
   c: 48 89 d0              mov    %rdx,%rax
   f: 48 83 c4 08          add    $0x8,%rsp
  13: 48                    rex.W
  14: 3d                    .byte 0x3d
  15: 01                    .byte 0x1
[ 2330.323936] RSP: 002b:00007ffe077a9510 EFLAGS: 00000293 ORIG_RAX:
0000000000000000
[ 2330.323940] RAX: ffffffffffffffda RBX: 00005640dee9dcb8 RCX: 00007f337540b20d
[ 2330.323942] RDX: 0000000000004018 RSI: 00005640dee9dcb8 RDI: 0000000000000185
[ 2330.323945] RBP: 00007ffe077a9550 R08: 00005640dd627720 R09: 0000000000004000
[ 2330.323947] R10: 0000000000000300 R11: 0000000000000293 R12: 0000000000004018
[ 2330.323949] R13: 00005640dddcb4c0 R14: 0000000000004000 R15: 00007f32435090e0
[ 2330.323954] Modules linked in: tun xt_connlimit nf_conncount xt_bpf
xt_hashlimit iptable_security cls_flow cls_u32 sch_htb sch_fq md_mod
dm_crypt algif_skcipher af_alg dm_mod dax ip6table_nat nf_nat_ipv6
ip6table_mangle ip6table_security ip6table_raw ip6table_filter
ip6_tables xt_nat iptable_nat nf_nat_ipv4 nf_nat xt_TPROXY
nf_tproxy_ipv6 nf_tproxy_ipv4 xt_connmark iptable_mangle xt_owner
xt_CT xt_socket nf_socket_ipv4 nf_socket_ipv6 iptable_raw
nfnetlink_log xt_NFLOG xt_tcpudp xt_comment xt_conntrack nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 xt_mark xt_multiport xt_set
iptable_filter bpfilter ip_set_hash_netport ip_set_hash_net
ip_set_hash_ip ip_set nfnetlink 8021q garp mrp stp llc sb_edac
x86_pkg_temp_thermal kvm_intel kvm ipmi_ssif irqbypass crc32_pclmul
crc32c_intel sfc(O) pcbc aesni_intel aes_x86_64
[ 2330.324038]  crypto_simd igb cryptd i2c_algo_bit glue_helper mdio
dca ipmi_si ipmi_devintf ipmi_msghandler efivarfs ip_tables x_tables
[ 2330.324111] ---[ end trace d791391e77eef583 ]---
[ 2330.324118] RIP: 0010:rb_replace_node (??:?)
[ 2330.324122] Code: 55 48 89 f5 53 48 89 fb 48 83 ec 08 80 3c 01 00
0f 85 64 02 00 00 48 b9 00 00 00 00 00 fc ff df 48 89 e8 4c 8b 23 48
c1 e8 03 <0f> b6 34 08 48 8d 45 17 48 89 c7 83 e0 07 48 c1 ef 03 49 83
e4 fc
All code
========
   0: 55                    push   %rbp
   1: 48 89 f5              mov    %rsi,%rbp
   4: 53                    push   %rbx
   5: 48 89 fb              mov    %rdi,%rbx
   8: 48 83 ec 08          sub    $0x8,%rsp
   c: 80 3c 01 00          cmpb   $0x0,(%rcx,%rax,1)
  10: 0f 85 64 02 00 00    jne    0x27a
  16: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
  1d: fc ff df
  20: 48 89 e8              mov    %rbp,%rax
  23: 4c 8b 23              mov    (%rbx),%r12
  26: 48 c1 e8 03          shr    $0x3,%rax
  2a:* 0f b6 34 08          movzbl (%rax,%rcx,1),%esi <-- trapping instruction
  2e: 48 8d 45 17          lea    0x17(%rbp),%rax
  32: 48 89 c7              mov    %rax,%rdi
  35: 83 e0 07              and    $0x7,%eax
  38: 48 c1 ef 03          shr    $0x3,%rdi
  3c: 49 83 e4 fc          and    $0xfffffffffffffffc,%r12

Code starting with the faulting instruction
===========================================
   0: 0f b6 34 08          movzbl (%rax,%rcx,1),%esi
   4: 48 8d 45 17          lea    0x17(%rbp),%rax
   8: 48 89 c7              mov    %rax,%rdi
   b: 83 e0 07              and    $0x7,%eax
   e: 48 c1 ef 03          shr    $0x3,%rdi
  12: 49 83 e4 fc          and    $0xfffffffffffffffc,%r12
[ 2330.324129] RSP: 0018:ffff888c3f687d88 EFLAGS: 00010206
[ 2330.324133] RAX: 0000000000000003 RBX: ffff888c081fc000 RCX: dffffc0000000000
[ 2330.324135] RDX: ffff888c0a5c38e0 RSI: 000000000000001a RDI: ffff888c081fc000
[ 2330.324137] RBP: 000000000000001a R08: fffffbfff4d88d09 R09: fffffbfff4d88d08
[ 2330.324140] R10: fffffbfff4d88d08 R11: ffffffffa6c46847 R12: 0000000030747865
[ 2330.324142] R13: ffff888c0a5c3910 R14: ffff888c0a5c3870 R15: ffff888c0a5c38e0
[ 2330.324151] FS:  00007f3375a30780(0000) GS:ffff888c3f680000(0000)
knlGS:0000000000000000
[ 2330.324154] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2330.324156] CR2: 00007f19d3da5000 CR3: 0000000bee77a001 CR4: 00000000003606e0
[ 2330.324158] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2330.324161] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2330.324163] Kernel panic - not syncing: Fatal exception in interrupt
[ 2330.324214] Kernel Offset: 0x23000000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)

This commit from 4.19.14 seems relevant:

* https://github.com/torvalds/linux/commit/d5f9565c8d5ad3cf94982223cfcef1169b0bb60f

As a reminder, we upgraded from 4.19.13 and started seeing crashes.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ