bisecting cause commit starting from 0f9ad4e7594419e906427bceba8e52467412895b
building syzkaller on 18d7d030e5660609a142ba7a2ea55d5e72fd23a2
testing commit 0f9ad4e7594419e906427bceba8e52467412895b with gcc (GCC) 8.1.0
kernel signature: 2fcba7ee17ea9a8384fbe5859cf4558691cb792b124b09f9bb74a0a0fd79b702
run #0: crashed: WARNING: refcount bug in __tcf_action_put
run #1: crashed: WARNING: refcount bug in __tcf_action_put
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: d4098c807c813c48f5a3d4da30985e6184cba02c03a062b74a9194991db8b5ee
run #0: crashed: WARNING: refcount bug in __tcf_action_put
run #1: crashed: WARNING: refcount bug in __tcf_action_put
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: c45fb0c5f840cb581a0323cf5202192e6f7a04667d6705a62888c0d10d75c6c2
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: e23ef798ef98b6a15b0f56ce218d06ad284752d0119b09a5aa8c8ada9268e0fa
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 7f1b23226fddebf567486e30dd1800aff32b0850ab38bca2be860aa93517ea0d
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 2756161651259dea327dfe041b7d23e13cb3fe47417d614fe587ef23f695d7ad
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: fa6718ab96dfedf5901bf97847cd20658ebed0a2739a6d210a3af71867ee5e1b
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: fe0e6ac2ecdfd763a6119b871a46bc6ec0807abbd31733611cfc44a1010491fd
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 0f4c3da14825d46395526c839c3b7d9a982cd4817e80f8880fa8b3f29841f22c
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 1f2a9703279c1a5dfffe45481ec4e40ed99cd9ef46f0c7e4da32515f908b08b2
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: 6f4d941ccbc93c6ccc42112e2ea719b6a35c0fa617a0a977b25f3fb790a246cc
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: e99609d09151daa3900a2d9a5a4138b9df02e303f6e5c8783a0028f282623f6b
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: 56a2d2815ec424f88faf0de0dd75def59431d6cd9c8f11d4b35bc80ef7080596
all runs: OK
# git bisect start 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d 94710cac0ef4ee177a63b5227664b38c95bbf703
Bisecting: 7596 revisions left to test after this (roughly 13 steps)
[db06f826ec12bf0701ea7fc0a3c0aa00b84417c8] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 with gcc (GCC) 8.1.0
kernel signature: 4a98ec8e7be443ee8019a882de035ddf4d5a4803e52381124b3cc050221eb6a4
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
# git bisect bad db06f826ec12bf0701ea7fc0a3c0aa00b84417c8
Bisecting: 4493 revisions left to test after this (roughly 12 steps)
[0a957467c5fd46142bc9c52758ffc552d4c5e2f7] x86: i8259: Add missing include file
testing commit 0a957467c5fd46142bc9c52758ffc552d4c5e2f7 with gcc (GCC) 8.1.0
kernel signature: 4c5dd8bf0a7ef3e92f89d1979758e13b4158b23fe9285657b34e67c078920c4f
all runs: OK
# git bisect good 0a957467c5fd46142bc9c52758ffc552d4c5e2f7
Bisecting: 2289 revisions left to test after this (roughly 11 steps)
[9a76aba02a37718242d7cdc294f0a3901928aa57] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 9a76aba02a37718242d7cdc294f0a3901928aa57 with gcc (GCC) 8.1.0
kernel signature: f4d347cb5e3525758bc5452596439334cd88fee745a8b9a6fd681e16f89e8383
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
# git bisect bad 9a76aba02a37718242d7cdc294f0a3901928aa57
Bisecting: 1088 revisions left to test after this (roughly 10 steps)
[a527d3f728bfdb6c30c8ecc0b58e695d05d42fc8] Merge tag 'wireless-drivers-next-for-davem-2018-07-23' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit a527d3f728bfdb6c30c8ecc0b58e695d05d42fc8 with gcc (GCC) 8.1.0
kernel signature: 84bf49e083ff4b239cbbdbbe7c3f6844de793c061b8b074e4720f77ca5993ed7
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
# git bisect bad a527d3f728bfdb6c30c8ecc0b58e695d05d42fc8
Bisecting: 557 revisions left to test after this (roughly 9 steps)
[f9520b86dc22b6ac0ad2926cfa334e9fecb68a12] be2net: remove unused tx_jiffies field from be_tx_stats
testing commit f9520b86dc22b6ac0ad2926cfa334e9fecb68a12 with gcc (GCC) 8.1.0
kernel signature: a35970acf47cce704503cbe8469c43b3c95857831e57e4033d88f702799e8cd6
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
# git bisect bad f9520b86dc22b6ac0ad2926cfa334e9fecb68a12
Bisecting: 278 revisions left to test after this (roughly 8 steps)
[335c997dce5c448ee06b3fd4dfe49fc7279f73ce] r8169: remove old PHY reset hack
testing commit 335c997dce5c448ee06b3fd4dfe49fc7279f73ce with gcc (GCC) 8.1.0
kernel signature: 1d7749038b93f728f8ff7b77320836fc3ba31b92c35ecb87a9933cc5caa9998d
all runs: OK
# git bisect good 335c997dce5c448ee06b3fd4dfe49fc7279f73ce
Bisecting: 138 revisions left to test after this (roughly 7 steps)
[ab8565af68001ac5f9331daa311938ead3eb5636] Merge branch 'IP-listification-follow-ups'
testing commit ab8565af68001ac5f9331daa311938ead3eb5636 with gcc (GCC) 8.1.0
kernel signature: 22291aa1415b6ebcd1c4d6d0d2d7947b6086d0f5ddfe1450a9b607ab1cdd4415
all runs: OK
# git bisect good ab8565af68001ac5f9331daa311938ead3eb5636
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[d7be97756f8a4874ac17003de5843c742dd84153] net-sysfs: Drop support for XPS and traffic_class on single queue device
testing commit d7be97756f8a4874ac17003de5843c742dd84153 with gcc (GCC) 8.1.0
kernel signature: 4bcd4266a7ee9b2ab2ada060374089a3076df62e27449395e14249f05b61125d
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
# git bisect bad d7be97756f8a4874ac17003de5843c742dd84153
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[d30695126f0ac5bca85d09c7946ad9a1deab5d25] net/sched: flower: Dump the ethertype encapsulated in vlan
testing commit d30695126f0ac5bca85d09c7946ad9a1deab5d25 with gcc (GCC) 8.1.0
kernel signature: 40ef84d582f295901c8d48ee3a18a055001c97d1b2baaddda493413fe1535f74
all runs: OK
# git bisect good d30695126f0ac5bca85d09c7946ad9a1deab5d25
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[b409074e6693bcdaa7abbee2a035f22a9eabda53] net: sched: add 'delete' function to action ops
testing commit b409074e6693bcdaa7abbee2a035f22a9eabda53 with gcc (GCC) 8.1.0
kernel signature: b5f7717f0212fd65bf0a2cd294f10ad4564bbcf581a1229f7782b58917e0ac74
all runs: OK
# git bisect good b409074e6693bcdaa7abbee2a035f22a9eabda53
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[45e0620d5eb15daa102e9212b92180adf2f4f0aa] mlxsw: reg: Introduce Flex2 key type for PTAR register
testing commit 45e0620d5eb15daa102e9212b92180adf2f4f0aa with gcc (GCC) 8.1.0
kernel signature: 50fcb2e8b2da1719b8957179b870559855c32918f45a275a6f1db317f0d5bac7
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
# git bisect bad 45e0620d5eb15daa102e9212b92180adf2f4f0aa
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[0190c1d452a91c38a3462abdd81752be1b9006a8] net: sched: atomically check-allocate action
testing commit 0190c1d452a91c38a3462abdd81752be1b9006a8 with gcc (GCC) 8.1.0
kernel signature: afb754efe0b3522955cfb979e2ff0f17c18d65dec5a80846965a483b69a892e0
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
# git bisect bad 0190c1d452a91c38a3462abdd81752be1b9006a8
Bisecting: 1 revision left to test after this (roughly 1 step)
[4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2] net: sched: don't release reference on action overwrite
testing commit 4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2 with gcc (GCC) 8.1.0
kernel signature: cef679f03316d26f0be977217112ea0740d7737378eb948bcfc6c7bec937dbd6
all runs: crashed: KASAN: use-after-free Read in tcf_action_destroy
# git bisect bad 4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[16af6067392c40e454e49eec834843ab03643d96] net: sched: implement reference counted action release
testing commit 16af6067392c40e454e49eec834843ab03643d96 with gcc (GCC) 8.1.0
kernel signature: d722b81c1934c37f860c6658958731a4f6996ea2743981732e6e8de8f06b1c72
all runs: OK
# git bisect good 16af6067392c40e454e49eec834843ab03643d96
4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2 is the first bad commit
commit 4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2
Author: Vlad Buslov <vladbu@mellanox.com>
Date:   Thu Jul 5 17:24:30 2018 +0300

    net: sched: don't release reference on action overwrite
    
    Return from action init function with reference to action taken,
    even when overwriting existing action.
    
    Action init API initializes its fourth argument (pointer to pointer to tc
    action) to either existing action with same index or newly created action.
    In case of existing index(and bind argument is zero), init function returns
    without incrementing action reference counter. Caller of action init then
    proceeds working with action, without actually holding reference to it.
    This means that action could be deleted concurrently.
    
    Change action init behavior to always take reference to action before
    returning successfully, in order to protect from concurrent deletion.
    
    Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
    Signed-off-by: Jiri Pirko <jiri@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/act_api.c        |  2 --
 net/sched/act_bpf.c        |  8 ++++----
 net/sched/act_connmark.c   |  5 +++--
 net/sched/act_csum.c       |  8 ++++----
 net/sched/act_gact.c       |  5 +++--
 net/sched/act_ife.c        | 10 +++++-----
 net/sched/act_ipt.c        |  5 +++--
 net/sched/act_mirred.c     |  5 ++---
 net/sched/act_nat.c        |  5 +++--
 net/sched/act_pedit.c      |  2 +-
 net/sched/act_police.c     |  8 +++-----
 net/sched/act_sample.c     |  8 +++-----
 net/sched/act_simple.c     |  5 +++--
 net/sched/act_skbedit.c    |  5 +++--
 net/sched/act_skbmod.c     |  8 +++-----
 net/sched/act_tunnel_key.c | 11 ++++-------
 net/sched/act_vlan.c       |  8 +++-----
 17 files changed, 50 insertions(+), 58 deletions(-)
culprit signature: cef679f03316d26f0be977217112ea0740d7737378eb948bcfc6c7bec937dbd6
parent  signature: d722b81c1934c37f860c6658958731a4f6996ea2743981732e6e8de8f06b1c72
revisions tested: 27, total time: 5h13m43.936550427s (build: 2h38m9.920259766s, test: 2h32m12.700924129s)
first bad commit: 4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2 net: sched: don't release reference on action overwrite
recipients (to): ["davem@davemloft.net" "jiri@mellanox.com" "marcelo.leitner@gmail.com" "vladbu@mellanox.com"]
recipients (cc): []
crash: KASAN: use-after-free Read in tcf_action_destroy
netlink: 32 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 32 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 32 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 32 bytes leftover after parsing attributes in process `syz-executor.1'.
==================================================================
BUG: KASAN: use-after-free in tcf_action_destroy+0x139/0x160 net/sched/act_api.c:614
Read of size 8 at addr ffff8800958c1410 by task syz-executor.2/10957

CPU: 1 PID: 10957 Comm: syz-executor.2 Not tainted 4.18.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x15a/0x20d lib/dump_stack.c:113
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x307 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 tcf_action_destroy+0x139/0x160 net/sched/act_api.c:614
 tcf_action_init+0x42d/0x5c0 net/sched/act_api.c:885
 tcf_action_add net/sched/act_api.c:1250 [inline]
 tc_ctl_action+0x375/0x63d net/sched/act_api.c:1299
 rtnetlink_rcv_msg+0x34f/0x950 net/core/rtnetlink.c:4665
 netlink_rcv_skb+0x142/0x390 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4683
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x443/0x660 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x666/0xc50 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:651
 ___sys_sendmsg+0x647/0x950 net/socket.c:2125
 __sys_sendmsg+0xd9/0x180 net/socket.c:2163
 __do_sys_sendmsg net/socket.c:2172 [inline]
 __se_sys_sendmsg net/socket.c:2170 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2170
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45d5f9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007f9abceb5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000002cf40 RCX: 000000000045d5f9
RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffd28470f8f R14: 00007f9abceb69c0 R15: 000000000118cf4c

Allocated by task 10957:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x151/0x400 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 tcf_idr_create+0xaf/0x720 net/sched/act_api.c:372
 tcf_connmark_init+0x3db/0x6e0 net/sched/act_connmark.c:122
 tcf_action_init_1+0x657/0xb30 net/sched/act_api.c:796
 tcf_action_init+0x189/0x5c0 net/sched/act_api.c:865
 tcf_action_add net/sched/act_api.c:1250 [inline]
 tc_ctl_action+0x375/0x63d net/sched/act_api.c:1299
 rtnetlink_rcv_msg+0x34f/0x950 net/core/rtnetlink.c:4665
 netlink_rcv_skb+0x142/0x390 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4683
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x443/0x660 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x666/0xc50 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:651
 ___sys_sendmsg+0x647/0x950 net/socket.c:2125
 __sys_sendmsg+0xd9/0x180 net/socket.c:2163
 __do_sys_sendmsg net/socket.c:2172 [inline]
 __se_sys_sendmsg net/socket.c:2170 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2170
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 10969:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x13c/0x220 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x280 mm/slab.c:3813
 free_tcf net/sched/act_api.c:90 [inline]
 tcf_action_cleanup+0x110/0x150 net/sched/act_api.c:99
 __tcf_action_put+0xbe/0x100 net/sched/act_api.c:112
 __tcf_idr_release+0x6a/0x90 net/sched/act_api.c:142
 tcf_del_walker net/sched/act_api.c:261 [inline]
 tcf_generic_walker+0x588/0x950 net/sched/act_api.c:287
 tcf_connmark_walker+0x113/0x1d0 net/sched/act_connmark.c:186
 tca_action_flush.isra.11+0x424/0xaf0 net/sched/act_api.c:1078
 tca_action_gd+0x5aa/0xe70 net/sched/act_api.c:1184
 tc_ctl_action+0x4cf/0x63d net/sched/act_api.c:1309
 rtnetlink_rcv_msg+0x34f/0x950 net/core/rtnetlink.c:4665
 netlink_rcv_skb+0x142/0x390 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4683
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x443/0x660 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x666/0xc50 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:651
 ___sys_sendmsg+0x647/0x950 net/socket.c:2125
 __sys_sendmsg+0xd9/0x180 net/socket.c:2163
 __do_sys_sendmsg net/socket.c:2172 [inline]
 __se_sys_sendmsg net/socket.c:2170 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2170
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8800958c1400
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 16 bytes inside of
 256-byte region [ffff8800958c1400, ffff8800958c1500)
The buggy address belongs to the page:
page:ffffea0002563040 count:1 mapcount:0 mapping:ffff8800aa8007c0 index:0xffff8800958c1e00
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002540b08 ffffea000250b308 ffff8800aa8007c0
raw: ffff8800958c1e00 ffff8800958c1040 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800958c1300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800958c1380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8800958c1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8800958c1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800958c1500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================