
@zhaiyan920
Created July 18, 2023 17:03
BPF redirect bug found by KASAN
[ 59.517224][ T938] ==================================================================
[ 59.518510][ T938] BUG: KASAN: use-after-free in ip_finish_output2 (./include/linux/skbuff.h:2837 ./include/linux/ip.h:21 ./include/net/route.h:400 net/ipv4/ip_output.c:222)
[ 59.519682][ T938] Read of size 8 at addr ffff888007e1d848 by task ping/938
[ 59.520753][ T938]
[ 59.521088][ T938] CPU: 0 PID: 938 Comm: ping Not tainted 6.1.38 #7
[ 59.521693][ T938] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 59.522070][ T938] Call Trace:
[ 59.522207][ T938] <TASK>
[ 59.522332][ T938] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 59.522525][ T938] print_report (mm/kasan/report.c:285 mm/kasan/report.c:395)
[ 59.522718][ T938] ? __virt_addr_valid (./include/linux/mmzone.h:1759 ./include/linux/mmzone.h:1855 arch/x86/mm/physaddr.c:65)
[ 59.522929][ T938] ? ip_finish_output2 (./include/linux/skbuff.h:2837 ./include/linux/ip.h:21 ./include/net/route.h:400 net/ipv4/ip_output.c:222)
[ 59.523144][ T938] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
[ 59.523333][ T938] ? ip_finish_output2 (./include/linux/skbuff.h:2837 ./include/linux/ip.h:21 ./include/net/route.h:400 net/ipv4/ip_output.c:222)
[ 59.523549][ T938] ip_finish_output2 (./include/linux/skbuff.h:2837 ./include/linux/ip.h:21 ./include/net/route.h:400 net/ipv4/ip_output.c:222)
[ 59.523757][ T938] ? get_random_u32 (./arch/x86/include/asm/irqflags.h:137 (discriminator 21) drivers/char/random.c:513 (discriminator 21))
[ 59.523962][ T938] ? ip_fraglist_init (net/ipv4/ip_output.c:195)
[ 59.524173][ T938] ? ip_skb_dst_mtu (./include/net/lwtunnel.h:105 ./include/net/ip.h:490 ./include/net/ip.h:478)
[ 59.524375][ T938] ip_output (net/ipv4/ip_output.c:422)
[ 59.524554][ T938] ? ip_finish_output (net/ipv4/ip_output.c:422)
[ 59.524825][ T938] ? icmp_out_count (net/ipv4/icmp.c:337)
[ 59.525202][ T938] ? __ip_make_skb (net/ipv4/ip_output.c:1482 net/ipv4/ip_output.c:1587)
[ 59.525453][ T938] ? raw_destroy (net/ipv4/raw.c:441)
[ 59.525688][ T938] ip_push_pending_frames (./include/net/dst.h:444 net/ipv4/ip_output.c:126 net/ipv4/ip_output.c:1596 net/ipv4/ip_output.c:1616)
[ 59.525990][ T938] raw_sendmsg (net/ipv4/raw.c:648)
[ 59.526233][ T938] ? raw_recvmsg (net/ipv4/raw.c:471)
[ 59.526500][ T938] ? prepare_creds (kernel/cred.c:261)
[ 59.526744][ T938] ? kasan_save_stack (mm/kasan/common.c:47)
[ 59.526999][ T938] ? kasan_save_stack (mm/kasan/common.c:46)
[ 59.527254][ T938] ? kasan_set_track (mm/kasan/common.c:52)
[ 59.527506][ T938] ? try_charge_memcg (./arch/x86/include/asm/irqflags.h:137 mm/memcontrol.c:2240 mm/memcontrol.c:2642)
[ 59.527775][ T938] ? mem_cgroup_handle_over_high (mm/memcontrol.c:2629)
[ 59.528089][ T938] ? mod_objcg_state (./arch/x86/include/asm/irqflags.h:137 mm/memcontrol.c:3213)
[ 59.528346][ T938] ? find_mergeable_anon_vma (mm/mmap.c:1093 mm/mmap.c:1123 mm/mmap.c:1159)
[ 59.528639][ T938] ? cgroup_rstat_updated (kernel/cgroup/rstat.c:42)
[ 59.528919][ T938] ? __mod_memcg_lruvec_state (mm/memcontrol.c:613 mm/memcontrol.c:799)
[ 59.529214][ T938] ? check_stack_object (./include/linux/sched/task_stack.h:21 mm/usercopy.c:38)
[ 59.529475][ T938] ? inet_send_prepare (net/ipv4/af_inet.c:815)
[ 59.529737][ T938] ? inet_send_prepare (net/ipv4/af_inet.c:824)
[ 59.530003][ T938] ? sock_sendmsg (net/socket.c:716 net/socket.c:736)
[ 59.530242][ T938] sock_sendmsg (net/socket.c:716 net/socket.c:736)
[ 59.530495][ T938] __sys_sendto (net/socket.c:2117)
[ 59.530731][ T938] ? __x64_sys_getpeername (net/socket.c:2087)
[ 59.531006][ T938] ? copy_page_range (mm/memory.c:5028)
[ 59.531273][ T938] ? handle_mm_fault (mm/memory.c:5166 mm/memory.c:5255)
[ 59.531530][ T938] ? preempt_count_sub (kernel/sched/core.c:5731)
[ 59.531787][ T938] ? up_read (./arch/x86/include/asm/preempt.h:103 kernel/locking/rwsem.c:1356 kernel/locking/rwsem.c:1616)
[ 59.532000][ T938] ? __audit_syscall_entry (kernel/auditsc.c:2041)
[ 59.532284][ T938] __x64_sys_sendto (net/socket.c:2125)
[ 59.532528][ T938] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 59.532759][ T938] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
[ 59.533148][ T938] RIP: 0033:0x7fb4091fa973
[ 59.533488][ T938] Code: 8b 15 91 74 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 80 3d 71 fc 0c 00 00 41 89 ca 74 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 55 48 83 ec 30 44 89 4c 24
All code
========
0: 8b 15 91 74 0c 00 mov 0xc7491(%rip),%edx # 0xc7497
6: f7 d8 neg %eax
8: 64 89 02 mov %eax,%fs:(%rdx)
b: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
12: eb b8 jmp 0xffffffffffffffcc
14: 0f 1f 00 nopl (%rax)
17: 80 3d 71 fc 0c 00 00 cmpb $0x0,0xcfc71(%rip) # 0xcfc8f
1e: 41 89 ca mov %ecx,%r10d
21: 74 14 je 0x37
23: b8 2c 00 00 00 mov $0x2c,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 77 75 ja 0xa7
32: c3 ret
33: 0f 1f 40 00 nopl 0x0(%rax)
37: 55 push %rbp
38: 48 83 ec 30 sub $0x30,%rsp
3c: 44 rex.R
3d: 89 .byte 0x89
3e: 4c rex.WR
3f: 24 .byte 0x24
Code starting with the faulting instruction
===========================================
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 77 75 ja 0x7d
8: c3 ret
9: 0f 1f 40 00 nopl 0x0(%rax)
d: 55 push %rbp
e: 48 83 ec 30 sub $0x30,%rsp
12: 44 rex.R
13: 89 .byte 0x89
14: 4c rex.WR
15: 24 .byte 0x24