Hi

Running the following script twice gave me a KASAN splat on net tree (this is on commit f6454f80e8a965fca203dab28723f68ec78db608):

ETH=eth0
tc qdisc del dev $ETH ingress 2>/dev/null
tc qdisc add dev $ETH ingress
tc filter add dev eth0 parent ffff: \
    matchall action sample rate 12 group 4

[  118.517005] ==================================================================
[  118.524253] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0xb8/0xe0
[  118.530779] Read of size 8 at addr ffff881056a38f60 by task swapper/29/0
[  118.538996] CPU: 29 PID: 0 Comm: swapper/29 Not tainted 4.14.0-smp-DEV #2
[  118.538997] Hardware name: Intel RML,PCH/Ibis_QC_18, BIOS 2.40.0 06/22/2016
[  118.538998] Call Trace:
[  118.539000]  <IRQ>
[  118.539006]  dump_stack+0x46/0x67
[  118.539010]  print_address_description+0x6a/0x260
[  118.539012]  ? rcu_cblist_dequeue+0xb8/0xe0
[  118.539014]  kasan_report+0x228/0x340
[  118.539016]  rcu_cblist_dequeue+0xb8/0xe0
[  118.539018]  rcu_process_callbacks+0x2d8/0x1430
[  118.539020]  ? __hrtimer_run_queues+0x2c3/0x620
[  118.539022]  ? note_gp_changes+0x190/0x190
[  118.539025]  __do_softirq+0x1d7/0x5c8
[  118.539028]  irq_exit+0x14e/0x180
[  118.539030]  smp_apic_timer_interrupt+0xbc/0x310
[  118.539032]  apic_timer_interrupt+0x89/0x90
[  118.539041]  </IRQ>
[  118.539044] RIP: 0010:cpuidle_enter_state+0xfa/0x740
[  118.539045] RSP: 0018:ffff88105aa07eb0 EFLAGS: 00000212 ORIG_RAX: ffffffffffffff11
[  118.539048] RAX: dffffc0000000000 RBX: ffffe8ffffd553d0 RCX: 000000000000001f
[  118.539049] RDX: 1ffff1020ffac84d RSI: fff3b038d885714d RDI: ffff88107fd64268
[  118.539050] RBP: 00000000000f27d5 R08: ffff88107fd60704 R09: ffff88107fd606a0
[  118.539051] R10: 071c71c71c71c71c R11: ffff88107fd606e4 R12: 0000000000000005
[  118.539052] R13: 0000000000000005 R14: 0000000000000005 R15: 0000001b981aba1d
[  118.539055]  ? rcu_eqs_exit_common.isra.51+0x26/0x140
[  118.539058]  do_idle+0x226/0x2a0
[  118.539059]  cpu_startup_entry+0x19/0x20
[  118.539061]  secondary_startup_64+0xa5/0xb0

[  118.540556] Allocated by task 10820:
[  118.544135]  kasan_kmalloc+0xa0/0xd0
[  118.544137]  __kmalloc+0xd4/0x570
[  118.544139]  tcf_idr_create+0xa2/0x6e0
[  118.544142]  tcf_sample_init+0x4bc/0x830 [act_sample]
[  118.544144]  tcf_action_init_1+0x5c6/0x8f0
[  118.544145]  tcf_action_init+0x1ff/0x3e0
[  118.544147]  tcf_exts_validate+0x27c/0x500
[  118.544149]  mall_change+0x3c5/0xcbf [cls_matchall]
[  118.544150]  tc_ctl_tfilter+0x1104/0x1c70
[  118.544152]  rtnetlink_rcv_msg+0x35a/0x680
[  118.544153]  netlink_rcv_skb+0x2a5/0x3d0
[  118.544155]  netlink_unicast+0x3f4/0x580
[  118.544156]  netlink_sendmsg+0x738/0xae0
[  118.544159]  sock_sendmsg+0xb1/0xe0
[  118.544160]  ___sys_sendmsg+0x658/0x870
[  118.544162]  __sys_sendmsg+0xb0/0x130
[  118.544163]  entry_SYSCALL_64_fastpath+0x13/0x6c

[  118.545658] Freed by task 5:
[  118.548537]  kasan_slab_free+0x71/0xc0
[  118.548538]  kfree+0x75/0xe0
[  118.548540]  __tcf_idr_release+0x16e/0x220
[  118.548541]  tcf_action_destroy+0xcb/0x160
[  118.548543]  tcf_exts_destroy+0x177/0x350
[  118.548544]  __mall_destroy+0xe/0x60 [cls_matchall]
[  118.548546]  mall_destroy_work+0x17/0x20 [cls_matchall]
[  118.548548]  process_one_work+0x785/0x11c0
[  118.548549]  worker_thread+0xdf/0x12f0
[  118.548551]  kthread+0x29e/0x390
[  118.548552]  ret_from_fork+0x1f/0x30

[  118.550044] The buggy address belongs to the object at ffff881056a38e80
                which belongs to the cache kmalloc-256 of size 256
[  118.562564] The buggy address is located 224 bytes inside of
                256-byte region [ffff881056a38e80, ffff881056a38f80)
[  118.574281] The buggy address belongs to the page:
[  118.579074] page:ffffea00415a8e00 count:1 mapcount:0 mapping:ffff881056a380c0 index:0x0
[  118.587075] flags: 0x2800000000000100(slab)
[  118.591262] raw: 2800000000000100 ffff881056a380c0 0000000000000000 000000010000000c
[  118.599000] raw: ffffea00414151e0 ffffea004126a520 ffff88081f400680 0000000000000000
[  118.606737] page dumped because: kasan: bad access detected

[  118.613793] Memory state around the buggy address:
[  118.618575]  ffff881056a38e00: 00 00 00 00 00 00 00 05 fc fc fc fc fc fc fc fc
[  118.625793]  ffff881056a38e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  118.633006] >ffff881056a38f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  118.640225]                                                        ^
[  118.646578]  ffff881056a38f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  118.653808]  ffff881056a39000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  118.661035] ==================================================================
[  118.668254] Disabling lock debugging due to kernel taint