Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: allow ext4_get_group_info() to fail<br /> <br /> Previously, ext4_get_group_info() would treat an invalid group number<br /> as BUG(), since in theory it should never happen. However, if a<br /> malicious attaker (or fuzzer) modifies the superblock via the block<br /> device while it is the file system is mounted, it is possible for<br /> s_first_data_block to get set to a very large number. In that case,<br /> when calculating the block group of some block number (such as the<br /> starting block of a preallocation region), could result in an<br /> underflow and very large block group number. Then the BUG_ON check in<br /> ext4_get_group_info() would fire, resutling in a denial of service<br /> attack that can be triggered by root or someone with write access to<br /> the block device.<br /> <br /> For a quality of implementation perspective, it&amp;#39;s best that even if<br /> the system administrator does something that they shouldn&amp;#39;t, that it<br /> will not trigger a BUG. So instead of BUG&amp;#39;ing, ext4_get_group_info()<br /> will call ext4_error and return NULL. We also add fallback code in<br /> all of the callers of ext4_get_group_info() that it might NULL.<br /> <br /> Also, since ext4_get_group_info() was already borderline to be an<br /> inline function, un-inline it. The results in a next reduction of the<br /> compiled text size of ext4 by roughly 2k.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix disconnect vs accept race<br /> <br /> Despite commit 0ad529d9fd2b ("mptcp: fix possible divide by zero in<br /> recvmsg()"), the mptcp protocol is still prone to a race between<br /> disconnect() (or shutdown) and accept.<br /> <br /> The root cause is that the mentioned commit checks the msk-level<br /> flag, but mptcp_stream_accept() does acquire the msk-level lock,<br /> as it can rely directly on the first subflow lock.<br /> <br /> As reported by Christoph than can lead to a race where an msk<br /> socket is accepted after that mptcp_subflow_queue_clean() releases<br /> the listener socket lock and just before it takes destructive<br /> actions leading to the following splat:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000012<br /> PGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0<br /> Oops: 0000 [#1] PREEMPT SMP<br /> CPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014<br /> RIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330<br /> Code: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89<br /> RSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293<br /> RAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300<br /> RDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a<br /> RBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020<br /> R13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880<br /> FS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> do_accept+0x1ae/0x260 net/socket.c:1872<br /> __sys_accept4+0x9b/0x110 net/socket.c:1913<br /> __do_sys_accept4 net/socket.c:1954 [inline]<br /> __se_sys_accept4 net/socket.c:1951 [inline]<br /> __x64_sys_accept4+0x20/0x30 net/socket.c:1951<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x6e/0xd8<br /> <br /> Address the issue by temporary removing the pending request socket<br /> from the accept queue, so that racing accept() can&amp;#39;t touch them.<br /> <br /> After depleting the msk - the ssk still exists, as plain TCP sockets,<br /> re-insert them into the accept queue, so that later inet_csk_listen_stop()<br /> will complete the tcp socket disposal.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> start_kernel: Add __no_stack_protector function attribute<br /> <br /> Back during the discussion of<br /> commit a9a3ed1eff36 ("x86: Fix early boot crash on gcc-10, third try")<br /> we discussed the need for a function attribute to control the omission<br /> of stack protectors on a per-function basis; at the time Clang had<br /> support for no_stack_protector but GCC did not. This was fixed in<br /> gcc-11. Now that the function attribute is available, let&amp;#39;s start using<br /> it.<br /> <br /> Callers of boot_init_stack_canary need to use this function attribute<br /> unless they&amp;#39;re compiled with -fno-stack-protector, otherwise the canary<br /> stored in the stack slot of the caller will differ upon the call to<br /> boot_init_stack_canary. This will lead to a call to __stack_chk_fail()<br /> then panic.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: do not ignore genmask when looking up chain by id<br /> <br /> When adding a rule to a chain referring to its ID, if that chain had been<br /> deleted on the same batch, the rule might end up referring to a deleted<br /> chain.<br /> <br /> This will lead to a WARNING like following:<br /> <br /> [ 33.098431] ------------[ cut here ]------------<br /> [ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.099217] Modules linked in:<br /> [ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409<br /> [ 33.099726] Workqueue: events nf_tables_trans_destroy_work<br /> [ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7<br /> [ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202<br /> [ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000<br /> [ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> [ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000<br /> [ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500<br /> [ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10<br /> [ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000<br /> [ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0<br /> [ 33.104872] PKRU: 55555554<br /> [ 33.104999] Call Trace:<br /> [ 33.105113] <br /> [ 33.105214] ? show_regs+0x72/0x90<br /> [ 33.105371] ? __warn+0xa5/0x210<br /> [ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.105732] ? report_bug+0x1f2/0x200<br /> [ 33.105902] ? handle_bug+0x46/0x90<br /> [ 33.106546] ? exc_invalid_op+0x19/0x50<br /> [ 33.106762] ? asm_exc_invalid_op+0x1b/0x20<br /> [ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.107249] ? nf_tables_chain_destroy+0x30/0x260<br /> [ 33.107506] nf_tables_trans_destroy_work+0x669/0x680<br /> [ 33.107782] ? mark_held_locks+0x28/0xa0<br /> [ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10<br /> [ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70<br /> [ 33.108538] process_one_work+0x68c/0xb70<br /> [ 33.108755] ? lock_acquire+0x17f/0x420<br /> [ 33.108977] ? __pfx_process_one_work+0x10/0x10<br /> [ 33.109218] ? do_raw_spin_lock+0x128/0x1d0<br /> [ 33.109435] ? _raw_spin_lock_irq+0x71/0x80<br /> [ 33.109634] worker_thread+0x2bd/0x700<br /> [ 33.109817] ? __pfx_worker_thread+0x10/0x10<br /> [ 33.110254] kthread+0x18b/0x1d0<br /> [ 33.110410] ? __pfx_kthread+0x10/0x10<br /> [ 33.110581] ret_from_fork+0x29/0x50<br /> [ 33.110757] <br /> [ 33.110866] irq event stamp: 1651<br /> [ 33.111017] hardirqs last enabled at (1659): [] __up_console_sem+0x79/0xa0<br /> [ 33.111379] hardirqs last disabled at (1666): [] __up_console_sem+0x5e/0xa0<br /> [ 33.111740] softirqs last enabled at (1616): [] __irq_exit_rcu+0x9e/0xe0<br /> [ 33.112094] softirqs last disabled at (1367): [] __irq_exit_rcu+0x9e/0xe0<br /> [ 33.112453] ---[ end trace 0000000000000000 ]---<br /> <br /> This is due to the nft_chain_lookup_byid ignoring the genmask. After this<br /> change, adding the new rule will fail as it will not find the chain.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> accel/qaic: tighten bounds checking in decode_message()<br /> <br /> Copy the bounds checking from encode_message() to decode_message().<br /> <br /> This patch addresses the following concerns. Ensure that there is<br /> enough space for at least one header so that we don&amp;#39;t have a negative<br /> size later.<br /> <br /> if (msg_hdr_len data.<br /> <br /> if (msg_len &gt; msg_hdr_len - sizeof(*trans_hdr))<br /> return -EINVAL;<br /> <br /> Check that the trans_hdr-&gt;len is not below the minimum size:<br /> <br /> if (hdr_len data, in_trans-&gt;data, len - sizeof(in_trans-&gt;hdr));<br /> <br /> And finally, use size_add() to prevent an integer overflow:<br /> <br /> if (size_add(msg_len, hdr_len) &gt; msg_hdr_len)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: xts - Handle EBUSY correctly<br /> <br /> As it is xts only handles the special return value of EINPROGRESS,<br /> which means that in all other cases it will free data related to the<br /> request.<br /> <br /> However, as the caller of xts may specify MAY_BACKLOG, we also need<br /> to expect EBUSY and treat it in the same way. Otherwise backlogged<br /> requests will trigger a use-after-free.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()<br /> <br /> rules is allocated in ethtool_get_rxnfc and the size is determined by<br /> rule_cnt from user space. So rule_cnt needs to be check before using<br /> rules to avoid OOB writing or NULL pointer dereference.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/platform/uv: Use alternate source for socket to node data<br /> <br /> The UV code attempts to build a set of tables to allow it to do<br /> bidirectional socketnode lookups.<br /> <br /> But when nr_cpus is set to a smaller number than actually present, the<br /> cpu_to_node() mapping information for unused CPUs is not available to<br /> build_socket_tables(). This results in skipping some nodes or sockets<br /> when creating the tables and leaving some -1&amp;#39;s for later code to trip.<br /> over, causing oopses.<br /> <br /> The problem is that the socketnode lookups are created by doing a<br /> loop over all CPUs, then looking up the CPU&amp;#39;s APICID and socket. But<br /> if a CPU is not present, there is no way to start this lookup.<br /> <br /> Instead of looping over all CPUs, take CPUs out of the equation<br /> entirely. Loop over all APICIDs which are mapped to a valid NUMA node.<br /> Then just extract the socket-id from the APICID.<br /> <br /> This avoid tripping over disabled CPUs.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: processor: Check for null return of devm_kzalloc() in fch_misc_setup()<br /> <br /> devm_kzalloc() may fail, clk_data-&gt;name might be NULL and will<br /> cause a NULL pointer dereference later.<br /> <br /> [ rjw: Subject and changelog edits ]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> lib: cpu_rmap: Avoid use after free on rmap-&gt;obj array entries<br /> <br /> When calling irq_set_affinity_notifier() with NULL at the notify<br /> argument, it will cause freeing of the glue pointer in the<br /> corresponding array entry but will leave the pointer in the array. A<br /> subsequent call to free_irq_cpu_rmap() will try to free this entry again<br /> leading to possible use after free.<br /> <br /> Fix that by setting NULL to the array entry and checking that we have<br /> non-zero at the array entry when iterating over the array in<br /> free_irq_cpu_rmap().<br /> <br /> The current code does not suffer from this since there are no cases<br /> where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the<br /> notify arg) is called, followed by a call to free_irq_cpu_rmap() so we<br /> don&amp;#39;t hit and issue. Subsequent patches in this series excersize this<br /> flow, hence the required fix.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev<br /> <br /> Syzkaller reported the following issue:<br /> <br /> UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6<br /> index -84 is out of range for type &amp;#39;s8[341]&amp;#39; (aka &amp;#39;signed char[341]&amp;#39;)<br /> CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106<br /> ubsan_epilogue lib/ubsan.c:217 [inline]<br /> __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348<br /> dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965<br /> dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809<br /> dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350<br /> dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874<br /> dtSplitUp fs/jfs/jfs_dtree.c:974 [inline]<br /> dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863<br /> jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137<br /> lookup_open fs/namei.c:3492 [inline]<br /> open_last_lookups fs/namei.c:3560 [inline]<br /> path_openat+0x13df/0x3170 fs/namei.c:3788<br /> do_filp_open+0x234/0x490 fs/namei.c:3818<br /> do_sys_openat2+0x13f/0x500 fs/open.c:1356<br /> do_sys_open fs/open.c:1372 [inline]<br /> __do_sys_openat fs/open.c:1388 [inline]<br /> __se_sys_openat fs/open.c:1383 [inline]<br /> __x64_sys_openat+0x247/0x290 fs/open.c:1383<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x7f1f4e33f7e9<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9<br /> RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c<br /> RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110<br /> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000<br /> <br /> <br /> The bug occurs when the dbAllocDmapLev()function attempts to access<br /> dp-&gt;tree.stree[leafidx + LEAFIND] while the leafidx value is negative.<br /> <br /> To rectify this, the patch introduces a safeguard within the<br /> dbAllocDmapLev() function. A check has been added to verify if leafidx is<br /> negative. If it is, the function immediately returns an I/O error, preventing<br /> any further execution that could potentially cause harm.<br /> <br /> Tested via syzbot.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Enhance the attribute size check<br /> <br /> This combines the overflow and boundary check so that all attribute size<br /> will be properly examined while enumerating them.<br /> <br /> [ 169.181521] BUG: KASAN: slab-out-of-bounds in run_unpack+0x2e3/0x570<br /> [ 169.183161] Read of size 1 at addr ffff8880094b6240 by task mount/247<br /> [ 169.184046]<br /> [ 169.184925] CPU: 0 PID: 247 Comm: mount Not tainted 6.0.0-rc7+ #3<br /> [ 169.185908] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014<br /> [ 169.187066] Call Trace:<br /> [ 169.187492] <br /> [ 169.188049] dump_stack_lvl+0x49/0x63<br /> [ 169.188495] print_report.cold+0xf5/0x689<br /> [ 169.188964] ? run_unpack+0x2e3/0x570<br /> [ 169.189331] kasan_report+0xa7/0x130<br /> [ 169.189714] ? run_unpack+0x2e3/0x570<br /> [ 169.190079] __asan_load1+0x51/0x60<br /> [ 169.190634] run_unpack+0x2e3/0x570<br /> [ 169.191290] ? run_pack+0x840/0x840<br /> [ 169.191569] ? run_lookup_entry+0xb3/0x1f0<br /> [ 169.192443] ? mi_enum_attr+0x20a/0x230<br /> [ 169.192886] run_unpack_ex+0xad/0x3e0<br /> [ 169.193276] ? run_unpack+0x570/0x570<br /> [ 169.193557] ? ni_load_mi+0x80/0x80<br /> [ 169.193889] ? debug_smp_processor_id+0x17/0x20<br /> [ 169.194236] ? mi_init+0x4a/0x70<br /> [ 169.194496] attr_load_runs_vcn+0x166/0x1c0<br /> [ 169.194851] ? attr_data_write_resident+0x250/0x250<br /> [ 169.195188] mi_read+0x133/0x2c0<br /> [ 169.195481] ntfs_iget5+0x277/0x1780<br /> [ 169.196017] ? call_rcu+0x1c7/0x330<br /> [ 169.196392] ? ntfs_get_block_bmap+0x70/0x70<br /> [ 169.196708] ? evict+0x223/0x280<br /> [ 169.197014] ? __kmalloc+0x33/0x540<br /> [ 169.197305] ? wnd_init+0x15b/0x1b0<br /> [ 169.197599] ntfs_fill_super+0x1026/0x1ba0<br /> [ 169.197994] ? put_ntfs+0x1d0/0x1d0<br /> [ 169.198299] ? vsprintf+0x20/0x20<br /> [ 169.198583] ? mutex_unlock+0x81/0xd0<br /> [ 169.198930] ? set_blocksize+0x95/0x150<br /> [ 169.199269] get_tree_bdev+0x232/0x370<br /> [ 169.199750] ? put_ntfs+0x1d0/0x1d0<br /> [ 169.200094] ntfs_fs_get_tree+0x15/0x20<br /> [ 169.200431] vfs_get_tree+0x4c/0x130<br /> [ 169.200714] path_mount+0x654/0xfe0<br /> [ 169.201067] ? putname+0x80/0xa0<br /> [ 169.201358] ? finish_automount+0x2e0/0x2e0<br /> [ 169.201965] ? putname+0x80/0xa0<br /> [ 169.202445] ? kmem_cache_free+0x1c4/0x440<br /> [ 169.203075] ? putname+0x80/0xa0<br /> [ 169.203414] do_mount+0xd6/0xf0<br /> [ 169.203719] ? path_mount+0xfe0/0xfe0<br /> [ 169.203977] ? __kasan_check_write+0x14/0x20<br /> [ 169.204382] __x64_sys_mount+0xca/0x110<br /> [ 169.204711] do_syscall_64+0x3b/0x90<br /> [ 169.205059] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> [ 169.205571] RIP: 0033:0x7f67a80e948a<br /> [ 169.206327] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008<br /> [ 169.208296] RSP: 002b:00007ffddf020f58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5<br /> [ 169.209253] RAX: ffffffffffffffda RBX: 000055e2547a6060 RCX: 00007f67a80e948a<br /> [ 169.209777] RDX: 000055e2547a6260 RSI: 000055e2547a62e0 RDI: 000055e2547aeaf0<br /> [ 169.210342] RBP: 0000000000000000 R08: 000055e2547a6280 R09: 0000000000000020<br /> [ 169.210843] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055e2547aeaf0<br /> [ 169.211307] R13: 000055e2547a6260 R14: 0000000000000000 R15: 00000000ffffffff<br /> [ 169.211913] <br /> [ 169.212304]<br /> [ 169.212680] Allocated by task 0:<br /> [ 169.212963] (stack is not available)<br /> [ 169.213200]<br /> [ 169.213472] The buggy address belongs to the object at ffff8880094b5e00<br /> [ 169.213472] which belongs to the cache UDP of size 1152<br /> [ 169.214095] The buggy address is located 1088 bytes inside of<br /> [ 169.214095] 1152-byte region [ffff8880094b5e00, ffff8880094b6280)<br /> [ 169.214639]<br /> [ 169.215004] The buggy address belongs to the physical page:<br /> [ 169.215766] page:000000002e324c8c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94b4<br /> [ 169.218412] head:000000002e324c8c order:2 compound_mapcount:0 compound_pincount:0<br /> [ 169.219078] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)<br /> [ 169.220272] raw: 000fffffc0010200<br /> ---truncated---