[  835.734697] ==================================================================
[  835.735303] BUG: KASAN: slab-use-after-free in ingress_init (/home/petr/src/linux_mlxsw/./include/net/tcx.h:36 /home/petr/src/linux_mlxsw/./include/net/tcx.h:136 /home/petr/src/linux_mlxsw/net/sched/sch_ingress.c:94) sch_ingress
[  835.735840] Read of size 8 at addr ffff888008a7a208 by task tc/303
[  835.736187]
[  835.736761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
[  835.737244] Call Trace:
[  835.737394]  <TASK>
[  835.737524] dump_stack_lvl (/home/petr/src/linux_mlxsw/lib/dump_stack.c:107) 
[  835.737749] print_report (/home/petr/src/linux_mlxsw/mm/kasan/report.c:365 /home/petr/src/linux_mlxsw/mm/kasan/report.c:475) 
[  835.738015] ? __virt_addr_valid (/home/petr/src/linux_mlxsw/arch/x86/mm/physaddr.c:66) 
[  835.738265] kasan_report (/home/petr/src/linux_mlxsw/mm/kasan/report.c:590) 
[  835.738485] ? ingress_init (/home/petr/src/linux_mlxsw/./include/net/tcx.h:36 /home/petr/src/linux_mlxsw/./include/net/tcx.h:136 /home/petr/src/linux_mlxsw/net/sched/sch_ingress.c:94) sch_ingress
[  835.738783] ? ingress_init (/home/petr/src/linux_mlxsw/./include/net/tcx.h:36 /home/petr/src/linux_mlxsw/./include/net/tcx.h:136 /home/petr/src/linux_mlxsw/net/sched/sch_ingress.c:94) sch_ingress
[  835.739086] ingress_init (/home/petr/src/linux_mlxsw/./include/net/tcx.h:36 /home/petr/src/linux_mlxsw/./include/net/tcx.h:136 /home/petr/src/linux_mlxsw/net/sched/sch_ingress.c:94) sch_ingress
[  835.739393] ? ingress_dump (/home/petr/src/linux_mlxsw/net/sched/sch_ingress.c:79) sch_ingress
[  835.739703] qdisc_create (/home/petr/src/linux_mlxsw/net/sched/sch_api.c:1327) 
[  835.739929] ? tc_get_qdisc (/home/petr/src/linux_mlxsw/net/sched/sch_api.c:1228) 
[  835.740158] ? lock_is_held_type (/home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:467 (discriminator 4) /home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:5833 (discriminator 4)) 
[  835.740409] tc_modify_qdisc (/home/petr/src/linux_mlxsw/net/sched/sch_api.c:1703 (discriminator 1)) 
[  835.740651] ? qdisc_create (/home/petr/src/linux_mlxsw/net/sched/sch_api.c:1556) 
[  835.740886] ? rtnetlink_rcv_msg (/home/petr/src/linux_mlxsw/net/core/rtnetlink.c:6421) 
[  835.741144] ? cap_capable (/home/petr/src/linux_mlxsw/security/commoncap.c:102) 
[  835.741372] ? lock_is_held_type (/home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:467 (discriminator 4) /home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:5833 (discriminator 4)) 
[  835.741664] ? qdisc_create (/home/petr/src/linux_mlxsw/net/sched/sch_api.c:1556) 
[  835.741900] rtnetlink_rcv_msg (/home/petr/src/linux_mlxsw/net/core/rtnetlink.c:6423) 
[  835.742142] ? rtnl_dump_ifinfo (/home/petr/src/linux_mlxsw/net/core/rtnetlink.c:6319) 
[  835.742402] ? lockdep_hardirqs_on_prepare (/home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:5000) 
[  835.742702] ? lockdep_hardirqs_on_prepare (/home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:5000) 
[  835.742998] ? find_held_lock (/home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:5251 (discriminator 1)) 
[  835.743233] netlink_rcv_skb (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:2547) 
[  835.743481] ? rtnl_dump_ifinfo (/home/petr/src/linux_mlxsw/net/core/rtnetlink.c:6319) 
[  835.743732] ? netlink_ack (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:2523) 
[  835.743955] ? lock_sync (/home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:5729) 
[  835.744170] ? netlink_deliver_tap (/home/petr/src/linux_mlxsw/./include/linux/rcupdate.h:308 /home/petr/src/linux_mlxsw/./include/linux/rcupdate.h:782 /home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:340) 
[  835.744463] ? is_vmalloc_addr (/home/petr/src/linux_mlxsw/mm/vmalloc.c:83) 
[  835.744686] netlink_unicast (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1340 /home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1365) 
[  835.744912] ? netlink_attachskb (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1350) 
[  835.745156] ? __sanitizer_cov_trace_switch (/home/petr/src/linux_mlxsw/kernel/kcov.c:340 (discriminator 1)) 
[  835.745482] ? __check_object_size (/home/petr/src/linux_mlxsw/mm/usercopy.c:113 /home/petr/src/linux_mlxsw/mm/usercopy.c:145 /home/petr/src/linux_mlxsw/mm/usercopy.c:254 /home/petr/src/linux_mlxsw/mm/usercopy.c:213) 
[  835.745736] netlink_sendmsg (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1911) 
[  835.745967] ? netlink_unicast (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1830) 
[  835.746204] ? netlink_unicast (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1830) 
[  835.746481] ____sys_sendmsg (/home/petr/src/linux_mlxsw/net/socket.c:728 (discriminator 1) /home/petr/src/linux_mlxsw/net/socket.c:748 (discriminator 1) /home/petr/src/linux_mlxsw/net/socket.c:2494 (discriminator 1)) 
[  835.746705] ? copy_msghdr_from_user (/home/petr/src/linux_mlxsw/net/socket.c:2420) 
[  835.746987] ? sock_read_iter (/home/petr/src/linux_mlxsw/net/socket.c:2440) 
[  835.747225] ? __lock_acquire (/home/petr/src/linux_mlxsw/./arch/x86/include/asm/bitops.h:228 /home/petr/src/linux_mlxsw/./arch/x86/include/asm/bitops.h:240 /home/petr/src/linux_mlxsw/./include/asm-generic/bitops/instrumented-non-atomic.h:142 /home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:228 /home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:3788 /home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:3844 /home/petr/src/linux_mlxsw/kernel/locking/lockdep.c:5144) 
[  835.747495] ___sys_sendmsg (/home/petr/src/linux_mlxsw/net/socket.c:2550) 
[  835.747718] ? do_recvmmsg (/home/petr/src/linux_mlxsw/net/socket.c:2537) 
[  835.747958] ? local_clock_noinstr (/home/petr/src/linux_mlxsw/kernel/sched/clock.c:301 (discriminator 1)) 
[  835.748235] ? __fget_light (/home/petr/src/linux_mlxsw/fs/file.c:1027) 
[  835.748523] __sys_sendmsg (/home/petr/src/linux_mlxsw/net/socket.c:2579) 
[  835.748756] ? __sys_sendmsg_sock (/home/petr/src/linux_mlxsw/net/socket.c:2565) 
[  835.749004] ? __up_read (/home/petr/src/linux_mlxsw/./arch/x86/include/asm/preempt.h:104 (discriminator 1) /home/petr/src/linux_mlxsw/kernel/locking/rwsem.c:1354 (discriminator 1)) 
[  835.749229] ? syscall_enter_from_user_mode (/home/petr/src/linux_mlxsw/./arch/x86/include/asm/irqflags.h:42 /home/petr/src/linux_mlxsw/./arch/x86/include/asm/irqflags.h:77 /home/petr/src/linux_mlxsw/kernel/entry/common.c:111) 
[  835.749531] do_syscall_64 (/home/petr/src/linux_mlxsw/arch/x86/entry/common.c:50 (discriminator 1) /home/petr/src/linux_mlxsw/arch/x86/entry/common.c:80 (discriminator 1)) 
[  835.749755] entry_SYSCALL_64_after_hwframe (/home/petr/src/linux_mlxsw/arch/x86/entry/entry_64.S:120) 
[  835.750059] RIP: 0033:0x7f4a861c38b4
[ 835.750279] Code: 15 59 f5 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 00 f3 0f 1e fa 80 3d 2d 7d 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55
All code
========
   0:	15 59 f5 0b 00       	adc    $0xbf559,%eax
   5:	f7 d8                	neg    %eax
   7:	64 89 02             	mov    %eax,%fs:(%rdx)
   a:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
  11:	eb b5                	jmp    0xffffffffffffffc8
  13:	0f 1f 00             	nopl   (%rax)
  16:	f3 0f 1e fa          	endbr64
  1a:	80 3d 2d 7d 0c 00 00 	cmpb   $0x0,0xc7d2d(%rip)        # 0xc7d4e
  21:	74 13                	je     0x36
  23:	b8 2e 00 00 00       	mov    $0x2e,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 4c                	ja     0x7e
  32:	c3                   	ret
  33:	0f 1f 00             	nopl   (%rax)
  36:	55                   	push   %rbp
  37:	48 89 e5             	mov    %rsp,%rbp
  3a:	48 83 ec 20          	sub    $0x20,%rsp
  3e:	89                   	.byte 0x89
  3f:	55                   	push   %rbp

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 4c                	ja     0x54
   8:	c3                   	ret
   9:	0f 1f 00             	nopl   (%rax)
   c:	55                   	push   %rbp
   d:	48 89 e5             	mov    %rsp,%rbp
  10:	48 83 ec 20          	sub    $0x20,%rsp
  14:	89                   	.byte 0x89
  15:	55                   	push   %rbp
[  835.751300] RSP: 002b:00007fff3b43db58 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[  835.751739] RAX: ffffffffffffffda RBX: 000055dc998edf80 RCX: 00007f4a861c38b4
[  835.752143] RDX: 0000000000000000 RSI: 00007fff3b43dbd0 RDI: 0000000000000003
[  835.752553] RBP: 00007fff3b43dc40 R08: 0000000064bab53c R09: 0000000000000001
[  835.752962] R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff3b43dcc0
[  835.753367] R13: 0000000064bab53d R14: 000055dc998edf80 R15: 0000000000000000
[  835.753784]  </TASK>
[  835.753923]
[  835.754017] Allocated by task 165:
[  835.754220] kasan_save_stack (/home/petr/src/linux_mlxsw/mm/kasan/common.c:46) 
[  835.754466] kasan_set_track (/home/petr/src/linux_mlxsw/mm/kasan/common.c:52 (discriminator 1)) 
[  835.754705] __kasan_kmalloc (/home/petr/src/linux_mlxsw/mm/kasan/common.c:374 /home/petr/src/linux_mlxsw/mm/kasan/common.c:383) 
[  835.754937] ingress_init (/home/petr/src/linux_mlxsw/./include/linux/slab.h:582 /home/petr/src/linux_mlxsw/./include/linux/slab.h:703 /home/petr/src/linux_mlxsw/./include/net/tcx.h:85 /home/petr/src/linux_mlxsw/./include/net/tcx.h:106 /home/petr/src/linux_mlxsw/./include/net/tcx.h:100 /home/petr/src/linux_mlxsw/net/sched/sch_ingress.c:91) sch_ingress
[  835.755240] qdisc_create (/home/petr/src/linux_mlxsw/net/sched/sch_api.c:1327) 
[  835.755481] tc_modify_qdisc (/home/petr/src/linux_mlxsw/net/sched/sch_api.c:1703 (discriminator 1)) 
[  835.755721] rtnetlink_rcv_msg (/home/petr/src/linux_mlxsw/net/core/rtnetlink.c:6423) 
[  835.755964] netlink_rcv_skb (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:2547) 
[  835.756197] netlink_unicast (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1340 /home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1365) 
[  835.756445] netlink_sendmsg (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1911) 
[  835.756675] ____sys_sendmsg (/home/petr/src/linux_mlxsw/net/socket.c:728 (discriminator 1) /home/petr/src/linux_mlxsw/net/socket.c:748 (discriminator 1) /home/petr/src/linux_mlxsw/net/socket.c:2494 (discriminator 1)) 
[  835.756906] ___sys_sendmsg (/home/petr/src/linux_mlxsw/net/socket.c:2550) 
[  835.757133] __sys_sendmsg (/home/petr/src/linux_mlxsw/net/socket.c:2579) 
[  835.757360] do_syscall_64 (/home/petr/src/linux_mlxsw/arch/x86/entry/common.c:50 (discriminator 1) /home/petr/src/linux_mlxsw/arch/x86/entry/common.c:80 (discriminator 1)) 
[  835.757574] entry_SYSCALL_64_after_hwframe (/home/petr/src/linux_mlxsw/arch/x86/entry/entry_64.S:120) 
[  835.757866]
[  835.757964] Last potentially related work creation:
[  835.758236] kasan_save_stack (/home/petr/src/linux_mlxsw/mm/kasan/common.c:46) 
[  835.758473] __kasan_record_aux_stack (/home/petr/src/linux_mlxsw/mm/kasan/generic.c:492 (discriminator 1)) 
[  835.758752] kvfree_call_rcu (/home/petr/src/linux_mlxsw/./arch/x86/include/asm/irqflags.h:26 /home/petr/src/linux_mlxsw/./arch/x86/include/asm/irqflags.h:67 /home/petr/src/linux_mlxsw/./arch/x86/include/asm/irqflags.h:103 /home/petr/src/linux_mlxsw/kernel/rcu/tree.c:2883 /home/petr/src/linux_mlxsw/kernel/rcu/tree.c:3284 /home/petr/src/linux_mlxsw/kernel/rcu/tree.c:3369) 
[  835.758994] ingress_destroy (/home/petr/src/linux_mlxsw/net/sched/sch_ingress.c:131) sch_ingress
[  835.759321] __qdisc_destroy (/home/petr/src/linux_mlxsw/net/sched/sch_generic.c:1065) 
[  835.759551] qdisc_destroy (/home/petr/src/linux_mlxsw/net/sched/sch_generic.c:1079) 
[  835.759769] qdisc_graft (/home/petr/src/linux_mlxsw/net/sched/sch_api.c:1134) 
[  835.759994] tc_get_qdisc (/home/petr/src/linux_mlxsw/net/sched/sch_api.c:1541) 
[  835.760219] rtnetlink_rcv_msg (/home/petr/src/linux_mlxsw/net/core/rtnetlink.c:6423) 
[  835.760477] netlink_rcv_skb (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:2547) 
[  835.760710] netlink_unicast (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1340 /home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1365) 
[  835.760941] netlink_sendmsg (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:1911) 
[  835.761170] ____sys_sendmsg (/home/petr/src/linux_mlxsw/net/socket.c:728 (discriminator 1) /home/petr/src/linux_mlxsw/net/socket.c:748 (discriminator 1) /home/petr/src/linux_mlxsw/net/socket.c:2494 (discriminator 1)) 
[  835.761423] ___sys_sendmsg (/home/petr/src/linux_mlxsw/net/socket.c:2550) 
[  835.761646] __sys_sendmsg (/home/petr/src/linux_mlxsw/net/socket.c:2579) 
[  835.761864] do_syscall_64 (/home/petr/src/linux_mlxsw/arch/x86/entry/common.c:50 (discriminator 1) /home/petr/src/linux_mlxsw/arch/x86/entry/common.c:80 (discriminator 1)) 
[  835.762072] entry_SYSCALL_64_after_hwframe (/home/petr/src/linux_mlxsw/arch/x86/entry/entry_64.S:120) 
[  835.762398]
[  835.762490] Second to last potentially related work creation:
[  835.762802] kasan_save_stack (/home/petr/src/linux_mlxsw/mm/kasan/common.c:46) 
[  835.763067] __kasan_record_aux_stack (/home/petr/src/linux_mlxsw/mm/kasan/generic.c:492 (discriminator 1)) 
[  835.763340] __call_rcu_common.constprop.0 (/home/petr/src/linux_mlxsw/./arch/x86/include/asm/irqflags.h:26 /home/petr/src/linux_mlxsw/./arch/x86/include/asm/irqflags.h:67 /home/petr/src/linux_mlxsw/./arch/x86/include/asm/irqflags.h:103 /home/petr/src/linux_mlxsw/kernel/rcu/tree.c:2650) 
[  835.763631] netlink_release (/home/petr/src/linux_mlxsw/net/netlink/af_netlink.c:829) 
[  835.763865] __sock_release (/home/petr/src/linux_mlxsw/net/socket.c:655) 
[  835.764085] sock_close (/home/petr/src/linux_mlxsw/net/socket.c:1388) 
[  835.764282] __fput (/home/petr/src/linux_mlxsw/fs/file_table.c:385) 
[  835.764493] task_work_run (/home/petr/src/linux_mlxsw/kernel/task_work.c:181) 
[  835.764715] do_exit (/home/petr/src/linux_mlxsw/kernel/exit.c:875) 
[  835.764915] do_group_exit (/home/petr/src/linux_mlxsw/kernel/exit.c:1005) 
[  835.765132] __x64_sys_exit_group (/home/petr/src/linux_mlxsw/kernel/exit.c:1033) 
[  835.765382] do_syscall_64 (/home/petr/src/linux_mlxsw/arch/x86/entry/common.c:50 (discriminator 1) /home/petr/src/linux_mlxsw/arch/x86/entry/common.c:80 (discriminator 1)) 
[  835.765596] entry_SYSCALL_64_after_hwframe (/home/petr/src/linux_mlxsw/arch/x86/entry/entry_64.S:120) 
[  835.765891]
[  835.765988] The buggy address belongs to the object at ffff888008a7a000
[  835.765988]  which belongs to the cache kmalloc-2k of size 2048
[  835.766668] The buggy address is located 520 bytes inside of
[  835.766668]  freed 2048-byte region [ffff888008a7a000, ffff888008a7a800)
[  835.767340]
[  835.767438] The buggy address belongs to the physical page:
[  835.767750] page:ffffea0000229e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888008a7a000 pfn:0x8a78
[  835.768391] head:ffffea0000229e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  835.768837] flags: 0x100000000010200(slab|head|node=0|zone=1)
[  835.769170] page_type: 0xffffffff()
[  835.769385] raw: 0100000000010200 ffff888006842340 ffffea0000241a10 ffffea000022a010
[  835.769861] raw: ffff888008a7a000 0000000000050001 00000001ffffffff 0000000000000000
[  835.770622] page dumped because: kasan: bad access detected
[  835.771278]
[  835.771540] Memory state around the buggy address:
[  835.772029]  ffff888008a7a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  835.772980]  ffff888008a7a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  835.773813] >ffff888008a7a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  835.774506]                       ^
[  835.774844]  ffff888008a7a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  835.775524]  ffff888008a7a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  835.776185] ==================================================================