KASAN: use-after-free Read in ucma_close (2)
Original report of the bug: https://syzkaller.appspot.com/bug?id=457491c4672d7b52c1007db213d93e47c711fae6
Our system, SyzScope, detected a control-flow hijacking primitive reachable from this bug.
Fuzzer tested kernel version: 34d4ddd3
Upstream patch: RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy
Primitive 1: Control flow hijacking in try_to_wake_up
Bug analysis:
The vulnerable object ctx was freed as the result of a race condition:
/*
 * Excerpt of ucma_free_ctx(); the body before kfree() is elided with "...".
 * The function ends by freeing ctx, so any thread that still holds a
 * pointer to ctx after this call is left with a dangling reference.
 */
static int ucma_free_ctx(struct ucma_context *ctx)
{
...
kfree(ctx);
return events_reported;
}
Meanwhile, another thread is executing wait_for_completion in ucma_close and hits a UAF read because ctx has already been freed. Note that, because this is a race condition, our KASAN report differs slightly from the one on syzbot (the UAF was triggered at a different site).
/*
 * Excerpt of ucma_close() showing only the lines relevant to the report.
 * Both statements after ucma_put_ctx() dereference ctx; per the report, a
 * racing thread has freed ctx by then. The upstream patch named on this page
 * reworks ucma_migrate_id() to avoid races with destroy.
 */
static int ucma_close(struct inode *inode, struct file *filp)
{
xa_unlock(&ctx_table);
ucma_put_ctx(ctx);
wait_for_completion(&ctx->comp); // UAF read: another thread has already freed ctx
rdma_destroy_id(ctx->cm_id); // ctx->cm_id is loaded from freed memory, so it may point anywhere in kernel space
}
Next, id_priv is derived from id, and id itself was read from the freed object ctx:
/*
 * Excerpt of rdma_destroy_id(). In the path described on this page the
 * argument is ctx->cm_id, a value read out of the already-freed ctx, so the
 * enclosing rdma_id_private computed from it is equally untrustworthy.
 */
void rdma_destroy_id(struct rdma_cm_id *id) // "id" == "ctx->cm_id"
{
struct rdma_id_private *id_priv =
container_of(id, struct rdma_id_private, id); // id_priv is derived from "id", which was read from the freed ctx
mutex_lock(&id_priv->handler_mutex);
destroy_id_handler_unlock(id_priv);
}
/*
 * Excerpt of destroy_id_handler_unlock(); the body before the call is
 * elided with "...". Shown only to follow id_priv into _destroy_id().
 */
static void destroy_id_handler_unlock(struct rdma_id_private *id_priv)
__releases(&idprv->handler_mutex)
{
...
_destroy_id(id_priv, state); // id_priv is passed on to _destroy_id()
}
Eventually, id_priv reaches _destroy_id:
/*
 * Excerpt of _destroy_id(); the listing stops inside the iWARP branch and
 * the closing braces are not shown. Every field read below goes through
 * id_priv, which was derived from a pointer read out of freed memory.
 */
static void _destroy_id(struct rdma_id_private *id_priv,
enum rdma_cm_state state)
{
cma_cancel_operation(id_priv, state);
rdma_restrack_del(&id_priv->res);
if (id_priv->cma_dev) {
if (rdma_cap_ib_cm(id_priv->id.device, 1)) {
if (id_priv->cm_id.ib)
ib_destroy_cm_id(id_priv->cm_id.ib);
} else if (rdma_cap_iw_cm(id_priv->id.device, 1)) {
if (id_priv->cm_id.iw)
iw_destroy_cm_id(id_priv->cm_id.iw); // id_priv may point to arbitrary memory, so id_priv->cm_id.iw may likewise point to arbitrary memory
/* As excerpted, iw_destroy_cm_id() only forwards cm_id to destroy_cm_id(). */
void iw_destroy_cm_id(struct iw_cm_id *cm_id)
{
destroy_cm_id(cm_id); // cm_id is handed on without any validation in this excerpt
}
After entering destroy_cm_id, an attacker who has shaped the heap (heap feng shui) so that cm_id_priv->state reads as IW_CM_STATE_CONN_RECV reaches the indirect call below, and control flow is hijacked:
/*
 * Excerpt of destroy_cm_id(); parts of the body are elided with "..." and
 * the listing stops inside the IW_CM_STATE_CONN_RECV case (the declaration
 * of flags is not shown). The function trusts cm_id completely: it reads
 * the state that selects the switch branch and the iw_reject function
 * pointer from memory reachable through cm_id.
 */
static void destroy_cm_id(struct iw_cm_id *cm_id)
{
struct iwcm_id_private *cm_id_priv;
cm_id_priv = container_of(cm_id, struct iwcm_id_private, id); // cm_id_priv is derived from cm_id, which may point to attacker-controlled memory
switch (cm_id_priv->state) { // the state read from that memory selects the branch; per the report, heap spraying steers it
...
case IW_CM_STATE_CONN_RECV:
cm_id_priv->state = IW_CM_STATE_DESTROYING;
spin_unlock_irqrestore(&cm_id_priv->lock, flags);
cm_id->device->ops.iw_reject(cm_id, NULL, 0); // indirect call through a pointer chain rooted in cm_id: the control-flow hijacking site
spin_lock_irqsave(&cm_id_priv->lock, flags);
Trace in high level:
|__lock_acquire kernel/locking/lockdep.c:4450(Triggered the original UAF read)
|lock_acquire ./arch/x86/include/asm/current.h:15
|_raw_spin_lock_irq ./include/linux/spinlock_api_smp.h:129
|wait_for_completion kernel/sched/completion.c:106
|ucma_close drivers/infiniband/core/ucma.c:1846
|rdma_destroy_id drivers/infiniband/core/ucma.c:1846
|destroy_id_handler_unlock drivers/infiniband/core/cma.c:1886
|_destroy_id drivers/infiniband/core/cma.c:1877
|iw_destroy_cm_id drivers/infiniband/core/cma.c:1831
|destroy_cm_id drivers/infiniband/core/iwcm.c:455
|None drivers/infiniband/core/iwcm.c:426(Triggered a new impact: Control flow hijacking)
Trace in detail:
0xffffffff813df9e0
__lock_acquire kernel/locking/lockdep.c:4450(Triggered the original UAF read)
--------------------------------------
0xffffffff813df9ee
__lock_acquire kernel/locking/lockdep.c:4299
--------------------------------------
0xffffffff813df9f8
__lock_acquire kernel/locking/lockdep.c:4300
--------------------------------------
0xffffffff813dfa05
__lock_acquire kernel/locking/lockdep.c:4300
--------------------------------------
0xffffffff813dfa13
__lock_acquire kernel/locking/lockdep.c:4304
--------------------------------------
0xffffffff813df1af
__lock_acquire kernel/locking/lockdep.c:4305
--------------------------------------
0xffffffff813e3690
register_lock_class kernel/locking/lockdep.c:1194
--------------------------------------
0xffffffff813e3715
register_lock_class kernel/locking/lockdep.c:1199
--------------------------------------
0xffffffff813e388b
register_lock_class ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff813e3897
register_lock_class ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff813e38a5
register_lock_class ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff811b2940
native_save_fl arch/x86/kernel/irqflags.S:11
--------------------------------------
0xffffffff813e38ac
register_lock_class ./arch/x86/include/asm/irqflags.h:164
--------------------------------------
0xffffffff813e3723
register_lock_class kernel/locking/lockdep.c:1201
--------------------------------------
0xffffffff813e372d
register_lock_class kernel/locking/lockdep.c:825
--------------------------------------
0xffffffff813e3735
register_lock_class kernel/locking/lockdep.c:825
--------------------------------------
0xffffffff813e3742
register_lock_class kernel/locking/lockdep.c:837
--------------------------------------
0xffffffff813e375e
register_lock_class ./include/linux/hash.h:81
--------------------------------------
0xffffffff813e38f6
register_lock_class ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff813e3902
register_lock_class ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff813e3910
register_lock_class ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff811b2940
native_save_fl arch/x86/kernel/irqflags.S:11
--------------------------------------
0xffffffff813e3917
register_lock_class ./arch/x86/include/asm/irqflags.h:164
--------------------------------------
0xffffffff813e377c
register_lock_class kernel/locking/lockdep.c:847
--------------------------------------
0xffffffff813e3784
register_lock_class kernel/locking/lockdep.c:847
--------------------------------------
0xffffffff813e3791
register_lock_class kernel/locking/lockdep.c:847
--------------------------------------
0xffffffff813e397b
register_lock_class kernel/locking/lockdep.c:1205
--------------------------------------
0xffffffff813e3983
register_lock_class kernel/locking/lockdep.c:1205
--------------------------------------
0xffffffff813e3990
register_lock_class kernel/locking/lockdep.c:1208
--------------------------------------
0xffffffff813d8f70
static_obj ./arch/x86/include/asm/sections.h:27
--------------------------------------
0xffffffff813d8f86
static_obj ./arch/x86/include/asm/sections.h:27
--------------------------------------
0xffffffff813d8f9a
static_obj ./arch/x86/include/asm/sections.h:34
--------------------------------------
0xffffffff813d8fa6
static_obj ./arch/x86/include/asm/sections.h:34
--------------------------------------
0xffffffff813d8fb5
static_obj kernel/locking/lockdep.c:761
--------------------------------------
0xffffffff813d8fbe
static_obj kernel/locking/lockdep.c:761
--------------------------------------
0xffffffff813d8fc2
static_obj kernel/locking/lockdep.c:761
--------------------------------------
0xffffffff813e3995
register_lock_class kernel/locking/lockdep.c:1208
--------------------------------------
0xffffffff813e39a0
register_lock_class kernel/locking/lockdep.c:1208
--------------------------------------
0xffffffff813e39a5
register_lock_class kernel/locking/lockdep.c:1208
--------------------------------------
0xffffffff813db510
lockdep_lock kernel/locking/lockdep.c:91
--------------------------------------
0xffffffff813db574
lockdep_lock kernel/locking/lockdep.c:92
--------------------------------------
0xffffffff813db617
lockdep_lock ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff813db623
lockdep_lock ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff813db631
lockdep_lock ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff811b2940
native_save_fl arch/x86/kernel/irqflags.S:11
--------------------------------------
0xffffffff813db638
lockdep_lock ./arch/x86/include/asm/irqflags.h:164
--------------------------------------
0xffffffff813db582
lockdep_lock ./include/asm-generic/qspinlock.h:80
--------------------------------------
0xffffffff813db59c
lockdep_lock ./include/linux/instrumented.h:71
--------------------------------------
0xffffffff813db5ab
lockdep_lock ./arch/x86/include/asm/atomic.h:202
--------------------------------------
0xffffffff813db5c3
lockdep_lock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813db5e0
lockdep_lock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813db60e
lockdep_lock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813e39e7
register_lock_class kernel/locking/lockdep.c:126
--------------------------------------
0xffffffff813e39f3
register_lock_class kernel/locking/lockdep.c:126
--------------------------------------
0xffffffff813e3ee0
register_lock_class ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813e3ef5
register_lock_class ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813e3f13
register_lock_class ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff813e3f21
register_lock_class ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff813e3f2f
register_lock_class ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff813e3e98
register_lock_class kernel/locking/lockdep.c:885
--------------------------------------
0xffffffff813e3839
register_lock_class kernel/locking/lockdep.c:1289
--------------------------------------
0xffffffff813e3865
register_lock_class kernel/locking/lockdep.c:1289
--------------------------------------
0xffffffff813df1bc
__lock_acquire kernel/locking/lockdep.c:4305
--------------------------------------
0xffffffff813dfb1e
__lock_acquire kernel/locking/lockdep.c:4446
--------------------------------------
0xffffffff813dfb54
__lock_acquire kernel/locking/lockdep.c:4446
--------------------------------------
0xffffffff813e3055
lock_acquire ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813e3061
lock_acquire ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813e3079
lock_acquire ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff813e3085
lock_acquire ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff813e3093
lock_acquire ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff811b2950
native_restore_fl arch/x86/kernel/irqflags.S:22
--------------------------------------
0xffffffff813e30a1
lock_acquire kernel/locking/lockdep.c:5009
--------------------------------------
0xffffffff813e30d4
lock_acquire kernel/locking/lockdep.c:5009
--------------------------------------
0xffffffff856f1407
_raw_spin_lock_irq ./include/linux/spinlock_api_smp.h:129
--------------------------------------
0xffffffff813eb940
do_raw_spin_lock kernel/locking/spinlock_debug.c:111
--------------------------------------
0xffffffff813eb9b0
do_raw_spin_lock kernel/locking/spinlock_debug.c:112
--------------------------------------
0xffffffff813eb9c0
do_raw_spin_lock kernel/locking/spinlock_debug.c:84
--------------------------------------
0xffffffff813eb9cd
do_raw_spin_lock kernel/locking/spinlock_debug.c:84
--------------------------------------
0xffffffff813eb9e4
do_raw_spin_lock kernel/locking/spinlock_debug.c:85
--------------------------------------
0xffffffff813eb9f1
do_raw_spin_lock kernel/locking/spinlock_debug.c:85
--------------------------------------
0xffffffff813eba05
do_raw_spin_lock ./include/asm-generic/qspinlock.h:80
--------------------------------------
0xffffffff813eba1a
do_raw_spin_lock ./include/linux/instrumented.h:71
--------------------------------------
0xffffffff813eba28
do_raw_spin_lock ./arch/x86/include/asm/atomic.h:202
--------------------------------------
0xffffffff813eba3d
do_raw_spin_lock kernel/locking/spinlock_debug.c:115
--------------------------------------
0xffffffff813eba4d
do_raw_spin_lock kernel/locking/spinlock_debug.c:91
--------------------------------------
0xffffffff813eba5a
do_raw_spin_lock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813eba8d
do_raw_spin_lock kernel/locking/spinlock_debug.c:92
--------------------------------------
0xffffffff856f140f
_raw_spin_lock_irq ./include/linux/spinlock_api_smp.h:129
--------------------------------------
0xffffffff856e918c
wait_for_completion kernel/sched/completion.c:106
--------------------------------------
0xffffffff856e9194
wait_for_completion kernel/sched/completion.c:106
--------------------------------------
0xffffffff856e924e
wait_for_completion kernel/sched/completion.c:92
--------------------------------------
0xffffffff856e9253
wait_for_completion kernel/sched/completion.c:93
--------------------------------------
0xffffffff856f10c0
_raw_spin_unlock_irq ./include/linux/spinlock_api_smp.h:166
--------------------------------------
0xffffffff813e29d0
lock_release kernel/locking/lockdep.c:5014
--------------------------------------
0xffffffff856f10d6
_raw_spin_unlock_irq ./include/linux/spinlock_api_smp.h:167
--------------------------------------
0xffffffff813ebc30
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813ebc46
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813ebc55
do_raw_spin_unlock ./include/linux/instrumented.h:56
--------------------------------------
0xffffffff813ebc62
do_raw_spin_unlock ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff813ebc6a
do_raw_spin_unlock ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff813ebc76
do_raw_spin_unlock kernel/locking/spinlock_debug.c:99
--------------------------------------
0xffffffff813ebc83
do_raw_spin_unlock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813ebc97
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813ebca4
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813ebcb6
do_raw_spin_unlock kernel/locking/spinlock_debug.c:102
--------------------------------------
0xffffffff813ebcbe
do_raw_spin_unlock kernel/locking/spinlock_debug.c:102
--------------------------------------
0xffffffff813ebccf
do_raw_spin_unlock kernel/locking/spinlock_debug.c:103
--------------------------------------
0xffffffff813ebce4
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff813ebcee
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff813ebcf8
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff856f10de
_raw_spin_unlock_irq ./include/linux/spinlock_api_smp.h:168
--------------------------------------
0xffffffff8153ac20
trace_hardirqs_on kernel/trace/trace_preemptirq.c:42
--------------------------------------
0xffffffff8153ac32
trace_hardirqs_on kernel/trace/trace_preemptirq.c:42
--------------------------------------
0xffffffff8153ac42
trace_hardirqs_on kernel/trace/trace_preemptirq.c:42
--------------------------------------
0xffffffff8153ac46
trace_hardirqs_on ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff8153ac4b
trace_hardirqs_on ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff8153ac61
trace_hardirqs_on ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff8153ac97
trace_hardirqs_on kernel/trace/trace_preemptirq.c:44
--------------------------------------
0xffffffff8153ac9c
trace_hardirqs_on kernel/trace/trace_preemptirq.c:44
--------------------------------------
0xffffffff8153acb2
trace_hardirqs_on ./arch/x86/include/asm/jump_label.h:34
--------------------------------------
0xffffffff8153ac65
trace_hardirqs_on kernel/trace/trace_preemptirq.c:45
--------------------------------------
0xffffffff8153ac6a
trace_hardirqs_on kernel/trace/trace_preemptirq.c:46
--------------------------------------
0xffffffff8153ac7a
trace_hardirqs_on kernel/trace/trace_preemptirq.c:49
--------------------------------------
0xffffffff813dee30
lockdep_hardirqs_on_prepare kernel/locking/lockdep.c:3651
--------------------------------------
0xffffffff813dee45
lockdep_hardirqs_on_prepare kernel/locking/lockdep.c:3651
--------------------------------------
0xffffffff813def64
lockdep_hardirqs_on_prepare kernel/locking/lockdep.c:398
--------------------------------------
0xffffffff8153ac83
trace_hardirqs_on kernel/trace/trace_preemptirq.c:50
--------------------------------------
0xffffffff856d2bd0
lockdep_hardirqs_on ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff856d2c4f
lockdep_hardirqs_on kernel/locking/lockdep.c:3762
--------------------------------------
0xffffffff8153ac8c
trace_hardirqs_on kernel/trace/trace_preemptirq.c:50
--------------------------------------
0xffffffff856f10e3
_raw_spin_unlock_irq ./arch/x86/include/asm/paravirt.h:780
--------------------------------------
0xffffffff856f10ef
_raw_spin_unlock_irq ./arch/x86/include/asm/paravirt.h:780
--------------------------------------
0xffffffff856f10f9
_raw_spin_unlock_irq ./arch/x86/include/asm/paravirt.h:780
--------------------------------------
0xffffffff8120e9d0
native_irq_enable ./arch/x86/include/asm/irqflags.h:54
--------------------------------------
0xffffffff8120e9d1
native_irq_enable ./arch/x86/include/asm/irqflags.h:54
--------------------------------------
0xffffffff856f1100
_raw_spin_unlock_irq ./include/linux/spinlock_api_smp.h:169
--------------------------------------
0xffffffff81383f40
preempt_count_sub kernel/sched/core.c:4211
--------------------------------------
0xffffffff81383f53
preempt_count_sub kernel/sched/core.c:4211
--------------------------------------
0xffffffff81383f5d
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81383f70
preempt_count_sub kernel/sched/core.c:4216
--------------------------------------
0xffffffff81383fbd
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81383f78
preempt_count_sub ./arch/x86/include/asm/preempt.h:84
--------------------------------------
0xffffffff856f110a
_raw_spin_unlock_irq ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff856f1115
_raw_spin_unlock_irq ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff856e9261
wait_for_completion kernel/sched/completion.c:111
--------------------------------------
0xffffffff856e928f
wait_for_completion kernel/sched/completion.c:111
--------------------------------------
0xffffffff8410561e
ucma_close drivers/infiniband/core/ucma.c:1846
--------------------------------------
0xffffffff84105628
ucma_close drivers/infiniband/core/ucma.c:1846
--------------------------------------
0xffffffff840c7350
rdma_destroy_id drivers/infiniband/core/cma.c:1885
--------------------------------------
0xffffffff840c735e
rdma_destroy_id drivers/infiniband/core/cma.c:1885
--------------------------------------
0xffffffff856eb130
mutex_lock_nested kernel/locking/mutex.c:1118
--------------------------------------
0xffffffff856ea5d0
__mutex_lock kernel/locking/mutex.c:1102
--------------------------------------
0xffffffff856eb146
mutex_lock_nested kernel/locking/mutex.c:1118
--------------------------------------
0xffffffff840c736d
rdma_destroy_id drivers/infiniband/core/cma.c:1886
--------------------------------------
0xffffffff840c7040
destroy_id_handler_unlock ./arch/x86/include/asm/jump_label.h:25
--------------------------------------
0xffffffff840c7055
destroy_id_handler_unlock ./arch/x86/include/asm/jump_label.h:25
--------------------------------------
0xffffffff840c705f
destroy_id_handler_unlock drivers/infiniband/core/cma_trace.h:104
--------------------------------------
0xffffffff840c7064
destroy_id_handler_unlock drivers/infiniband/core/cma_trace.h:104
--------------------------------------
0xffffffff840c7077
destroy_id_handler_unlock ./include/linux/cpumask.h:367
--------------------------------------
0xffffffff840c7080
destroy_id_handler_unlock ./include/linux/cpumask.h:145
--------------------------------------
0xffffffff840c7085
destroy_id_handler_unlock ./include/linux/cpumask.h:145
--------------------------------------
0xffffffff840c70a0
destroy_id_handler_unlock ./arch/x86/include/asm/bitops.h:214
--------------------------------------
0xffffffff840c70b4
destroy_id_handler_unlock ./arch/x86/include/asm/bitops.h:219
--------------------------------------
0xffffffff840c726d
destroy_id_handler_unlock ./arch/x86/include/asm/preempt.h:79
--------------------------------------
0xffffffff840c7272
destroy_id_handler_unlock ./arch/x86/include/asm/preempt.h:79
--------------------------------------
0xffffffff840c7285
destroy_id_handler_unlock drivers/infiniband/core/cma_trace.h:104
--------------------------------------
0xffffffff856d2ee0
debug_lockdep_rcu_enabled kernel/rcu/update.c:291
--------------------------------------
0xffffffff840c7291
destroy_id_handler_unlock drivers/infiniband/core/cma_trace.h:104
--------------------------------------
0xffffffff840c729c
destroy_id_handler_unlock drivers/infiniband/core/cma_trace.h:104
--------------------------------------
0xffffffff840c72b9
destroy_id_handler_unlock ./include/linux/rcupdate.h:772
--------------------------------------
0xffffffff840c72be
destroy_id_handler_unlock ./arch/x86/include/asm/preempt.h:94
--------------------------------------
0xffffffff840c72d1
destroy_id_handler_unlock ./arch/x86/include/asm/preempt.h:94
--------------------------------------
0xffffffff840c70bc
destroy_id_handler_unlock drivers/infiniband/core/cma.c:1871
--------------------------------------
0xffffffff840c70c1
destroy_id_handler_unlock drivers/infiniband/core/cma.c:1871
--------------------------------------
0xffffffff840c70cd
destroy_id_handler_unlock drivers/infiniband/core/cma.c:1871
--------------------------------------
0xffffffff840c70dc
destroy_id_handler_unlock drivers/infiniband/core/cma.c:1871
--------------------------------------
0xffffffff840c70e4
destroy_id_handler_unlock ./include/linux/spinlock.h:329
--------------------------------------
0xffffffff840c70e9
destroy_id_handler_unlock ./include/linux/spinlock.h:329
--------------------------------------
0xffffffff856f1750
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:787
--------------------------------------
0xffffffff856f1767
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:787
--------------------------------------
0xffffffff856f1771
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff811b2940
native_save_fl arch/x86/kernel/irqflags.S:11
--------------------------------------
0xffffffff856f1778
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff856f1787
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:788
--------------------------------------
0xffffffff856f1791
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:775
--------------------------------------
0xffffffff8120e9c0
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff8120e9c1
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff856f1798
_raw_spin_lock_irqsave ./arch/x86/include/asm/irqflags.h:164
--------------------------------------
0xffffffff856f17a1
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:109
--------------------------------------
0xffffffff81384b90
preempt_count_add kernel/sched/core.c:4179
--------------------------------------
0xffffffff81384ba5
preempt_count_add ./arch/x86/include/asm/preempt.h:79
--------------------------------------
0xffffffff81384bb6
preempt_count_add ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81384bc7
preempt_count_add ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81384bdc
preempt_count_add ./include/linux/ftrace.h:820
--------------------------------------
0xffffffff813e7fa0
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff813e7fab
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff81384be8
preempt_count_add ./include/linux/ftrace.h:822
--------------------------------------
0xffffffff81384c0f
preempt_count_add ./include/linux/ftrace.h:824
--------------------------------------
0xffffffff813e7fa0
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff813e7fb7
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff81384c1f
preempt_count_add ./include/linux/ftrace.h:825
--------------------------------------
0xffffffff81384bec
preempt_count_add ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff81384c02
preempt_count_add ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff856f17ab
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:110
--------------------------------------
0xffffffff813e2ec0
lock_acquire kernel/locking/lockdep.c:4977
--------------------------------------
0xffffffff856f17c7
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:117
--------------------------------------
0xffffffff813eb940
do_raw_spin_lock kernel/locking/spinlock_debug.c:111
--------------------------------------
0xffffffff813eb9b0
do_raw_spin_lock kernel/locking/spinlock_debug.c:112
--------------------------------------
0xffffffff813eb9c0
do_raw_spin_lock kernel/locking/spinlock_debug.c:84
--------------------------------------
0xffffffff813eb9cd
do_raw_spin_lock kernel/locking/spinlock_debug.c:84
--------------------------------------
0xffffffff813eb9e4
do_raw_spin_lock kernel/locking/spinlock_debug.c:85
--------------------------------------
0xffffffff813eb9f1
do_raw_spin_lock kernel/locking/spinlock_debug.c:85
--------------------------------------
0xffffffff813eba05
do_raw_spin_lock ./include/asm-generic/qspinlock.h:80
--------------------------------------
0xffffffff813eba1a
do_raw_spin_lock ./include/linux/instrumented.h:71
--------------------------------------
0xffffffff813eba28
do_raw_spin_lock ./arch/x86/include/asm/atomic.h:202
--------------------------------------
0xffffffff813eba3d
do_raw_spin_lock kernel/locking/spinlock_debug.c:115
--------------------------------------
0xffffffff813eba4d
do_raw_spin_lock kernel/locking/spinlock_debug.c:91
--------------------------------------
0xffffffff813eba5a
do_raw_spin_lock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813eba8d
do_raw_spin_lock kernel/locking/spinlock_debug.c:92
--------------------------------------
0xffffffff856f17cf
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:121
--------------------------------------
0xffffffff840c70f9
destroy_id_handler_unlock ./include/linux/spinlock.h:329
--------------------------------------
0xffffffff840c7109
destroy_id_handler_unlock drivers/infiniband/core/cma.c:1873
--------------------------------------
0xffffffff856f11b0
_raw_spin_unlock_irqrestore ./include/linux/spinlock_api_smp.h:158
--------------------------------------
0xffffffff813e29d0
lock_release kernel/locking/lockdep.c:5014
--------------------------------------
0xffffffff856f11ca
_raw_spin_unlock_irqrestore ./include/linux/spinlock_api_smp.h:159
--------------------------------------
0xffffffff813ebc30
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813ebc46
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813ebc55
do_raw_spin_unlock ./include/linux/instrumented.h:56
--------------------------------------
0xffffffff813ebc62
do_raw_spin_unlock ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff813ebc6a
do_raw_spin_unlock ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff813ebc76
do_raw_spin_unlock kernel/locking/spinlock_debug.c:99
--------------------------------------
0xffffffff813ebc83
do_raw_spin_unlock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813ebc97
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813ebca4
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813ebcb6
do_raw_spin_unlock kernel/locking/spinlock_debug.c:102
--------------------------------------
0xffffffff813ebcbe
do_raw_spin_unlock kernel/locking/spinlock_debug.c:102
--------------------------------------
0xffffffff813ebccf
do_raw_spin_unlock kernel/locking/spinlock_debug.c:103
--------------------------------------
0xffffffff813ebce4
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff813ebcee
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff813ebcf8
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff856f11d2
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/irqflags.h:164
--------------------------------------
0xffffffff856f11d7
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff856f11e3
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff856f11ed
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff811b2950
native_restore_fl arch/x86/kernel/irqflags.S:22
--------------------------------------
0xffffffff856f11f7
_raw_spin_unlock_irqrestore ./include/linux/spinlock_api_smp.h:161
--------------------------------------
0xffffffff81383f40
preempt_count_sub kernel/sched/core.c:4211
--------------------------------------
0xffffffff81383f53
preempt_count_sub kernel/sched/core.c:4211
--------------------------------------
0xffffffff81383f5d
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81383f70
preempt_count_sub kernel/sched/core.c:4216
--------------------------------------
0xffffffff81383fbd
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81383f78
preempt_count_sub ./arch/x86/include/asm/preempt.h:84
--------------------------------------
0xffffffff856f1201
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff856f120c
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff840c7128
destroy_id_handler_unlock drivers/infiniband/core/cma.c:1876
--------------------------------------
0xffffffff856e96c0
mutex_unlock kernel/locking/mutex.c:740
--------------------------------------
0xffffffff840c7135
destroy_id_handler_unlock drivers/infiniband/core/cma.c:1877
--------------------------------------
0xffffffff840c6a10
_destroy_id drivers/infiniband/core/cma.c:1822
--------------------------------------
0xffffffff840c6a2c
_destroy_id drivers/infiniband/core/cma.c:1822
--------------------------------------
0xffffffff840c9480
cma_cancel_operation drivers/infiniband/core/cma.c:1753
--------------------------------------
0xffffffff840c949c
cma_cancel_operation drivers/infiniband/core/cma.c:1753
--------------------------------------
0xffffffff840c94ab
cma_cancel_operation drivers/infiniband/core/cma.c:1753
--------------------------------------
0xffffffff840c94b1
cma_cancel_operation drivers/infiniband/core/cma.c:1753
--------------------------------------
0xffffffff840c94bb
cma_cancel_operation drivers/infiniband/core/cma.c:1753
--------------------------------------
0xffffffff840c94c5
cma_cancel_operation drivers/infiniband/core/cma.c:1753
--------------------------------------
0xffffffff840c94ca
cma_cancel_operation drivers/infiniband/core/cma.c:1753
--------------------------------------
0xffffffff840c6a37
_destroy_id drivers/infiniband/core/cma.c:1824
--------------------------------------
0xffffffff8408fe60
rdma_restrack_del drivers/infiniband/core/restrack.c:323
--------------------------------------
0xffffffff8408fe75
rdma_restrack_del drivers/infiniband/core/restrack.c:323
--------------------------------------
0xffffffff8408fe7d
rdma_restrack_del drivers/infiniband/core/restrack.c:323
--------------------------------------
0xffffffff8408fe8b
rdma_restrack_del drivers/infiniband/core/restrack.c:323
--------------------------------------
0xffffffff8408fe94
rdma_restrack_del drivers/infiniband/core/restrack.c:340
--------------------------------------
0xffffffff8408fe99
rdma_restrack_del drivers/infiniband/core/restrack.c:340
--------------------------------------
0xffffffff8408fea5
rdma_restrack_del drivers/infiniband/core/restrack.c:340
--------------------------------------
0xffffffff8408ff2c
rdma_restrack_del drivers/infiniband/core/restrack.c:342
--------------------------------------
0xffffffff8408ff31
rdma_restrack_del drivers/infiniband/core/restrack.c:342
--------------------------------------
0xffffffff840c6a44
_destroy_id drivers/infiniband/core/cma.c:1825
--------------------------------------
0xffffffff840c6a58
_destroy_id drivers/infiniband/core/cma.c:1825
--------------------------------------
0xffffffff840c6a67
_destroy_id drivers/infiniband/core/cma.c:1826
--------------------------------------
0xffffffff840c6a6c
_destroy_id drivers/infiniband/core/cma.c:1826
--------------------------------------
0xffffffff840c6a74
_destroy_id drivers/infiniband/core/cma.c:1826
--------------------------------------
0xffffffff840c6a84
_destroy_id ./include/rdma/ib_verbs.h:3184
--------------------------------------
0xffffffff840c6a97
_destroy_id ./include/rdma/ib_verbs.h:3184
--------------------------------------
0xffffffff840c6aae
_destroy_id ./include/rdma/ib_verbs.h:3184
--------------------------------------
0xffffffff840c6f6b
_destroy_id ./include/rdma/ib_verbs.h:3202
--------------------------------------
0xffffffff840c6f70
_destroy_id ./include/rdma/ib_verbs.h:3202
--------------------------------------
0xffffffff840c6f7c
_destroy_id ./include/rdma/ib_verbs.h:3202
--------------------------------------
0xffffffff840c6f84
_destroy_id drivers/infiniband/core/cma.c:1830
--------------------------------------
0xffffffff840c6f89
_destroy_id drivers/infiniband/core/cma.c:1830
--------------------------------------
0xffffffff840c6f96
_destroy_id drivers/infiniband/core/cma.c:1830
--------------------------------------
0xffffffff840c6fa7
_destroy_id drivers/infiniband/core/cma.c:1831
--------------------------------------
0xffffffff840c6fac
_destroy_id drivers/infiniband/core/cma.c:1831
--------------------------------------
0xffffffff840ae470
iw_destroy_cm_id drivers/infiniband/core/iwcm.c:455
--------------------------------------
0xffffffff840ae47e
iw_destroy_cm_id drivers/infiniband/core/iwcm.c:455
--------------------------------------
0xffffffff840ae080
destroy_cm_id drivers/infiniband/core/iwcm.c:375
--------------------------------------
0xffffffff840ae10e
destroy_cm_id drivers/infiniband/core/iwcm.c:385
--------------------------------------
0xffffffff81388750
__might_sleep ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff840ae121
destroy_cm_id ./include/linux/instrumented.h:56
--------------------------------------
0xffffffff840ae12e
destroy_cm_id ./arch/x86/include/asm/bitops.h:206
--------------------------------------
0xffffffff840ae136
destroy_cm_id ./arch/x86/include/asm/bitops.h:206
--------------------------------------
0xffffffff840ae150
destroy_cm_id ./arch/x86/include/asm/bitops.h:206
--------------------------------------
0xffffffff840ae159
destroy_cm_id ./include/linux/instrumented.h:71
--------------------------------------
0xffffffff840ae15e
destroy_cm_id ./include/linux/instrumented.h:71
--------------------------------------
0xffffffff840ae16b
destroy_cm_id ./arch/x86/include/asm/bitops.h:55
--------------------------------------
0xffffffff856f1750
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:787
--------------------------------------
0xffffffff856f1767
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:787
--------------------------------------
0xffffffff856f1771
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff811b2940
native_save_fl arch/x86/kernel/irqflags.S:11
--------------------------------------
0xffffffff856f1778
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:765
--------------------------------------
0xffffffff856f1787
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:788
--------------------------------------
0xffffffff856f1791
_raw_spin_lock_irqsave ./arch/x86/include/asm/paravirt.h:775
--------------------------------------
0xffffffff8120e9c0
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff8120e9c1
native_irq_disable ./arch/x86/include/asm/irqflags.h:49
--------------------------------------
0xffffffff856f1798
_raw_spin_lock_irqsave ./arch/x86/include/asm/irqflags.h:164
--------------------------------------
0xffffffff856f17a1
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:109
--------------------------------------
0xffffffff81384b90
preempt_count_add kernel/sched/core.c:4179
--------------------------------------
0xffffffff81384ba5
preempt_count_add ./arch/x86/include/asm/preempt.h:79
--------------------------------------
0xffffffff81384bb6
preempt_count_add ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81384bc7
preempt_count_add ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81384bdc
preempt_count_add ./include/linux/ftrace.h:820
--------------------------------------
0xffffffff813e7fa0
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff813e7fab
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff81384be8
preempt_count_add ./include/linux/ftrace.h:822
--------------------------------------
0xffffffff81384c0f
preempt_count_add ./include/linux/ftrace.h:824
--------------------------------------
0xffffffff813e7fa0
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff813e7fb7
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff81384c1f
preempt_count_add ./include/linux/ftrace.h:825
--------------------------------------
0xffffffff81384bec
preempt_count_add ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff81384c02
preempt_count_add ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff856f17ab
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:110
--------------------------------------
0xffffffff813e2ec0
lock_acquire kernel/locking/lockdep.c:4977
--------------------------------------
0xffffffff856f17c7
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:117
--------------------------------------
0xffffffff813eb940
do_raw_spin_lock kernel/locking/spinlock_debug.c:111
--------------------------------------
0xffffffff813eb9b0
do_raw_spin_lock kernel/locking/spinlock_debug.c:112
--------------------------------------
0xffffffff813eb9c0
do_raw_spin_lock kernel/locking/spinlock_debug.c:84
--------------------------------------
0xffffffff813eb9cd
do_raw_spin_lock kernel/locking/spinlock_debug.c:84
--------------------------------------
0xffffffff813eb9e4
do_raw_spin_lock kernel/locking/spinlock_debug.c:85
--------------------------------------
0xffffffff813eb9f1
do_raw_spin_lock kernel/locking/spinlock_debug.c:85
--------------------------------------
0xffffffff813eba05
do_raw_spin_lock ./include/asm-generic/qspinlock.h:80
--------------------------------------
0xffffffff813eba1a
do_raw_spin_lock ./include/linux/instrumented.h:71
--------------------------------------
0xffffffff813eba28
do_raw_spin_lock ./arch/x86/include/asm/atomic.h:202
--------------------------------------
0xffffffff813eba3d
do_raw_spin_lock kernel/locking/spinlock_debug.c:115
--------------------------------------
0xffffffff813eba4d
do_raw_spin_lock kernel/locking/spinlock_debug.c:91
--------------------------------------
0xffffffff813eba5a
do_raw_spin_lock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813eba8d
do_raw_spin_lock kernel/locking/spinlock_debug.c:92
--------------------------------------
0xffffffff856f17cf
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:121
--------------------------------------
0xffffffff840ae185
destroy_cm_id ./include/linux/spinlock.h:329
--------------------------------------
0xffffffff840ae195
destroy_cm_id drivers/infiniband/core/iwcm.c:395
--------------------------------------
0xffffffff840ae1b6
destroy_cm_id drivers/infiniband/core/iwcm.c:398
--------------------------------------
0xffffffff840ae1da
destroy_cm_id drivers/infiniband/core/iwcm.c:398
--------------------------------------
0xffffffff840ae1e9
destroy_cm_id drivers/infiniband/core/iwcm.c:398
--------------------------------------
0xffffffff840ae302
destroy_cm_id drivers/infiniband/core/iwcm.c:424
--------------------------------------
0xffffffff840ae307
destroy_cm_id drivers/infiniband/core/iwcm.c:424
--------------------------------------
0xffffffff856f11b0
_raw_spin_unlock_irqrestore ./include/linux/spinlock_api_smp.h:158
--------------------------------------
0xffffffff813e29d0
lock_release kernel/locking/lockdep.c:5014
--------------------------------------
0xffffffff856f11ca
_raw_spin_unlock_irqrestore ./include/linux/spinlock_api_smp.h:159
--------------------------------------
0xffffffff813ebc30
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813ebc46
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813ebc55
do_raw_spin_unlock ./include/linux/instrumented.h:56
--------------------------------------
0xffffffff813ebc62
do_raw_spin_unlock ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff813ebc6a
do_raw_spin_unlock ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff813ebc76
do_raw_spin_unlock kernel/locking/spinlock_debug.c:99
--------------------------------------
0xffffffff813ebc83
do_raw_spin_unlock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813ebc97
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813ebca4
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813ebcb6
do_raw_spin_unlock kernel/locking/spinlock_debug.c:102
--------------------------------------
0xffffffff813ebcbe
do_raw_spin_unlock kernel/locking/spinlock_debug.c:102
--------------------------------------
0xffffffff813ebccf
do_raw_spin_unlock kernel/locking/spinlock_debug.c:103
--------------------------------------
0xffffffff813ebce4
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff813ebcee
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff813ebcf8
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:661
--------------------------------------
0xffffffff856f11d2
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/irqflags.h:164
--------------------------------------
0xffffffff856f11d7
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff856f11e3
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff856f11ed
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/paravirt.h:770
--------------------------------------
0xffffffff811b2950
native_restore_fl arch/x86/kernel/irqflags.S:22
--------------------------------------
0xffffffff856f11f7
_raw_spin_unlock_irqrestore ./include/linux/spinlock_api_smp.h:161
--------------------------------------
0xffffffff81383f40
preempt_count_sub kernel/sched/core.c:4211
--------------------------------------
0xffffffff81383f53
preempt_count_sub kernel/sched/core.c:4211
--------------------------------------
0xffffffff81383f5d
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81383f70
preempt_count_sub kernel/sched/core.c:4216
--------------------------------------
0xffffffff81383fbd
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff81383f78
preempt_count_sub ./arch/x86/include/asm/preempt.h:84
--------------------------------------
0xffffffff856f1201
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff856f120c
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff840ae31e
destroy_cm_id drivers/infiniband/core/iwcm.c:426
--------------------------------------
0xffffffff840ae328
destroy_cm_id drivers/infiniband/core/iwcm.c:426
--------------------------------------
0xffffffff840ae339
destroy_cm_id drivers/infiniband/core/iwcm.c:426 (Triggered a new impact: control flow hijacking)
--------------------------------------
Total: 541 basic blocks