./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2649189779 <...> Warning: Permanently added '10.128.1.12' (ED25519) to the list of known hosts. execve("./syz-executor2649189779", ["./syz-executor2649189779"], 0x7ffdef4dabf0 /* 10 vars */) = 0 brk(NULL) = 0x55556d986000 brk(0x55556d986e00) = 0x55556d986e00 arch_prctl(ARCH_SET_FS, 0x55556d986480) = 0 set_tid_address(0x55556d986750) = 292 set_robust_list(0x55556d986760, 24) = 0 rseq(0x55556d986da0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2649189779", 4096) = 28 getrandom("\xc4\x3e\xe9\x69\x0d\x8b\xb2\x48", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556d986e00 brk(0x55556d9a7e00) = 0x55556d9a7e00 brk(0x55556d9a8000) = 0x55556d9a8000 mprotect(0x7f4163df8000, 16384, PROT_READ) = 0 mmap(0x3ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3ffffffff000 mmap(0x400000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000000000 mmap(0x400001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400001000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556d986750) = 293 ./strace-static-x86_64: Process 293 attached [pid 293] set_robust_list(0x55556d986760, 24) = 0 [pid 292] openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "10000000000", 11) = 11 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "20", 2) = 2 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "1", 1) = 1 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "0", 1) = 1 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "0", 1) = 1 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "1", 1) = 1 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "100", 3) = 3 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "0", 1) = 1 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "0", 1) = 1 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "7 4 1 3", 7) = 7 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "1", 1) = 1 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "1", 1) = 1 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "0", 1) = 1 [pid 292] close(3) = 0 [pid 292] openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "293", 3) = 3 [pid 292] close(3) = 0 [pid 292] kill(293, SIGKILL) = 0 [pid 293] +++ killed by SIGKILL +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=293, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- openat(AT_FDCWD, "/proc/self/make-it-fail", O_WRONLY) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_WRONLY) = 3 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f4163d52710, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f4163d598f0}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f4163d52710, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f4163d598f0}, NULL, 8) = 0 mkdir("./syzkaller.d7pZVy", 0700) = 0 chmod("./syzkaller.d7pZVy", 0777) = 0 chdir("./syzkaller.d7pZVy") = 0 executing program write(1, "executing program\n", 18) = 18 [ 20.531973][ T30] audit: type=1400 audit(1741194322.673:66): avc: denied { execmem } for pid=292 comm="syz-executor264" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 20.537714][ T30] audit: type=1400 audit(1741194322.673:67): avc: denied { integrity } for pid=292 comm="syz-executor264" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1 [ 20.568542][ T30] audit: type=1400 audit(1741194322.713:68): avc: denied { prog_load } for pid=292 comm="syz-executor264" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 20.587725][ T30] audit: type=1400 audit(1741194322.713:69): avc: denied { bpf } for pid=292 comm="syz-executor264" capability=39 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1 bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x400000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3 close(3) = 0 socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0 bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x400000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5 [ 20.777453][ T30] audit: type=1400 audit(1741194322.913:70): avc: denied { perfmon } for pid=292 comm="syz-executor264" capability=38 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1 [ 20.798457][ T30] audit: type=1400 audit(1741194322.943:71): avc: denied { prog_run } for pid=292 comm="syz-executor264" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6 bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x400000000000, value=0x400000000080, flags=BPF_ANY}, 32) = 0 openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7 write(7, "5", 1) = 1 [ 20.818118][ T30] audit: type=1400 audit(1741194322.963:72): avc: denied { map_create } for pid=292 comm="syz-executor264" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 20.819067][ T292] FAULT_INJECTION: forcing a failure. [ 20.819067][ T292] name failslab, interval 1, probability 0, space 0, times 1 [ 20.837774][ T30] audit: type=1400 audit(1741194322.963:73): avc: denied { map_read map_write } for pid=292 comm="syz-executor264" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 20.850190][ T292] CPU: 1 PID: 292 Comm: syz-executor264 Not tainted 5.15.178-syzkaller-00013-g7d1f9b5c2ff5 #0 [ 20.879643][ T292] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 20.889544][ T292] Call Trace: [ 20.892659][ T292] [ 20.895435][ T292] dump_stack_lvl+0x151/0x1c0 [ 20.899952][ T292] ? io_uring_drop_tctx_refs+0x190/0x190 [ 20.905432][ T292] dump_stack+0x15/0x20 [ 20.909408][ T292] should_fail+0x3c6/0x510 [ 20.913664][ T292] __should_failslab+0xa4/0xe0 [ 20.918261][ T292] should_failslab+0x9/0x20 [ 20.922604][ T292] slab_pre_alloc_hook+0x37/0xd0 [ 20.927376][ T292] kmem_cache_alloc_trace+0x48/0x270 [ 20.932495][ T292] ? sk_psock_skb_ingress_self+0x60/0x330 [ 20.938049][ T292] ? migrate_disable+0x190/0x190 [ 20.942825][ T292] sk_psock_skb_ingress_self+0x60/0x330 [ 20.948208][ T292] sk_psock_verdict_recv+0x66d/0x840 [ 20.953329][ T292] unix_read_sock+0x132/0x370 [ 20.957982][ T292] ? sk_psock_skb_redirect+0x440/0x440 [ 20.963274][ T292] ? unix_stream_splice_actor+0x120/0x120 [ 20.968825][ T292] ? _raw_spin_lock_irqsave+0xf9/0x210 [ 20.974134][ T292] ? unix_stream_splice_actor+0x120/0x120 [ 20.979682][ T292] sk_psock_verdict_data_ready+0x147/0x1a0 [ 20.985326][ T292] ? sk_psock_start_verdict+0xc0/0xc0 [ 20.990528][ T292] ? _raw_spin_lock+0xa4/0x1b0 [ 20.995133][ T292] ? _raw_spin_unlock_irqrestore+0x5c/0x80 [ 21.000774][ T292] ? skb_queue_tail+0xfb/0x120 [ 21.005381][ T292] unix_dgram_sendmsg+0x15fa/0x2090 [ 21.010493][ T292] ? unix_dgram_poll+0x690/0x690 [ 21.015282][ T292] ? kasan_set_track+0x5d/0x70 [ 21.019972][ T292] ? security_socket_sendmsg+0x82/0xb0 [ 21.025262][ T292] ? unix_dgram_poll+0x690/0x690 [ 21.030035][ T292] ____sys_sendmsg+0x59e/0x8f0 [ 21.034644][ T292] ? __sys_sendmsg_sock+0x40/0x40 [ 21.039499][ T292] ? __switch_to+0x62a/0x1190 [ 21.044009][ T292] ? import_iovec+0xe5/0x120 [ 21.048440][ T292] ___sys_sendmsg+0x252/0x2e0 [ 21.052955][ T292] ? __sys_sendmsg+0x260/0x260 [ 21.057554][ T292] ? cgroup_leave_frozen+0x164/0x2c0 [ 21.062675][ T292] ? __kasan_check_read+0x11/0x20 [ 21.067527][ T292] ? __fdget+0x179/0x240 [ 21.071610][ T292] __se_sys_sendmsg+0x19a/0x260 [ 21.076303][ T292] ? __x64_sys_sendmsg+0x90/0x90 [ 21.081072][ T292] ? ptrace_notify+0x24c/0x350 [ 21.085671][ T292] ? __kasan_check_write+0x14/0x20 [ 21.090615][ T292] __x64_sys_sendmsg+0x7b/0x90 [ 21.095216][ T292] x64_sys_call+0x16a/0x9a0 [ 21.099553][ T292] do_syscall_64+0x3b/0xb0 [ 21.103805][ T292] ? clear_bhb_loop+0x35/0x90 [ 21.108320][ T292] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 21.114059][ T292] RIP: 0033:0x7f4163d8b419 [ 21.118311][ T292] Code: d8 5b c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 21.137878][ T292] RSP: 002b:00007ffd7309ffa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 21.146121][ T292] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f4163d8b419 [ 21.153933][ T292] RDX: 0000000000044000 RSI: 0000400000000080 RDI: 0000000000000004 [ 21.161744][ T292] RBP: 00007ffd730a0050 R08: 00007ffd7309fd47 R09: 00007f4163dcd0e8 [ 21.169559][ T292] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=MSG_PEEK|MSG_DONTROUTE|MSG_CTRUNC|MSG_NOSIGNAL|MSG_MORE|MSG_ZEROCOPY|0x1b000000}, MSG_NOSIGNAL|MSG_BATCH) = 0 exit_group(0) = ? [ 21.177369][ T292] R13: 00007ffd730a0348 R14: 0000000000000001 R15: 0000000000000001 [ 21.185187][ T292] [ 21.189911][ T292] ================================================================== [ 21.197787][ T292] BUG: KASAN: use-after-free in consume_skb+0x3c/0x250 [ 21.204472][ T292] Read of size 4 at addr ffff8881230eaeac by task syz-executor264/292 [ 21.212549][ T292] [ 21.214711][ T292] CPU: 0 PID: 292 Comm: syz-executor264 Not tainted 5.15.178-syzkaller-00013-g7d1f9b5c2ff5 #0 [ 21.224780][ T292] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 21.234675][ T292] Call Trace: [ 21.237802][ T292] [ 21.240580][ T292] dump_stack_lvl+0x151/0x1c0 [ 21.245090][ T292] ? io_uring_drop_tctx_refs+0x190/0x190 [ 21.250556][ T292] ? panic+0x760/0x760 [ 21.254463][ T292] print_address_description+0x87/0x3b0 [ 21.259841][ T292] ? bpf_ksym_del+0x145/0x150 [ 21.264360][ T292] kasan_report+0x179/0x1c0 [ 21.268694][ T292] ? consume_skb+0x3c/0x250 [ 21.273036][ T292] ? consume_skb+0x3c/0x250 [ 21.277380][ T292] kasan_check_range+0x293/0x2a0 [ 21.282149][ T292] __kasan_check_read+0x11/0x20 [ 21.286835][ T292] consume_skb+0x3c/0x250 [ 21.291004][ T292] __sk_msg_free+0x2dd/0x370 [ 21.295519][ T292] ? _raw_spin_unlock_irqrestore+0x5c/0x80 [ 21.301157][ T292] sk_psock_stop+0x4e3/0x580 [ 21.305586][ T292] sk_psock_drop+0x219/0x310 [ 21.310008][ T292] sock_map_unref+0x3c6/0x430 [ 21.314522][ T292] ? _raw_spin_unlock_bh+0x51/0x60 [ 21.319471][ T292] sock_map_remove_links+0x41c/0x650 [ 21.324592][ T292] ? sock_map_unhash+0x120/0x120 [ 21.329363][ T292] ? locks_remove_posix+0x610/0x610 [ 21.334402][ T292] sock_map_close+0x114/0x530 [ 21.338912][ T292] ? unix_peer_get+0xe0/0xe0 [ 21.343338][ T292] ? sock_map_remove_links+0x650/0x650 [ 21.348631][ T292] ? rwsem_mark_wake+0x770/0x770 [ 21.353404][ T292] unix_release+0x82/0xc0 [ 21.357589][ T292] sock_close+0xdf/0x270 [ 21.361650][ T292] ? sock_mmap+0xa0/0xa0 [ 21.365730][ T292] __fput+0x228/0x8c0 [ 21.369549][ T292] ____fput+0x15/0x20 [ 21.373367][ T292] task_work_run+0x129/0x190 [ 21.377810][ T292] do_exit+0xc48/0x2ca0 [ 21.381789][ T292] ? put_task_struct+0x80/0x80 [ 21.386407][ T292] ? _raw_spin_unlock_irq+0x4e/0x70 [ 21.391421][ T292] ? ptrace_notify+0x24c/0x350 [ 21.396029][ T292] ? do_notify_parent+0xa30/0xa30 [ 21.400884][ T292] do_group_exit+0x141/0x310 [ 21.405308][ T292] __x64_sys_exit_group+0x3f/0x40 [ 21.410171][ T292] x64_sys_call+0x610/0x9a0 [ 21.414509][ T292] do_syscall_64+0x3b/0xb0 [ 21.418760][ T292] ? clear_bhb_loop+0x35/0x90 [ 21.423287][ T292] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 21.429003][ T292] RIP: 0033:0x7f4163d895e9 [ 21.433262][ T292] Code: Unable to access opcode bytes at RIP 0x7f4163d895bf. [ 21.440466][ T292] RSP: 002b:00007ffd730a0138 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 21.448807][ T292] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4163d895e9 [ 21.456611][ T292] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 21.464420][ T292] RBP: 00007f4163dfe390 R08: ffffffffffffffb8 R09: 00007f4163dcd0e8 [ 21.472235][ T292] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f4163dfe390 [ 21.480042][ T292] R13: 0000000000000000 R14: 00007f4163dfede0 R15: 00007f4163d529f0 [ 21.488031][ T292] [ 21.490895][ T292] [ 21.493065][ T292] Allocated by task 292: [ 21.497142][ T292] __kasan_slab_alloc+0xb1/0xe0 [ 21.501830][ T292] slab_post_alloc_hook+0x53/0x2c0 [ 21.506776][ T292] kmem_cache_alloc+0xf5/0x250 [ 21.511376][ T292] skb_clone+0x1d1/0x360 [ 21.515455][ T292] sk_psock_verdict_recv+0x53/0x840 [ 21.520490][ T292] unix_read_sock+0x132/0x370 [ 21.525002][ T292] sk_psock_verdict_data_ready+0x147/0x1a0 [ 21.530644][ T292] unix_dgram_sendmsg+0x15fa/0x2090 [ 21.535765][ T292] ____sys_sendmsg+0x59e/0x8f0 [ 21.540365][ T292] ___sys_sendmsg+0x252/0x2e0 [ 21.544878][ T292] __se_sys_sendmsg+0x19a/0x260 [ 21.549564][ T292] __x64_sys_sendmsg+0x7b/0x90 [ 21.554175][ T292] x64_sys_call+0x16a/0x9a0 [ 21.558513][ T292] do_syscall_64+0x3b/0xb0 [ 21.562758][ T292] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 21.568485][ T292] [ 21.570657][ T292] Freed by task 20: [ 21.574303][ T292] kasan_set_track+0x4b/0x70 [ 21.578729][ T292] kasan_set_free_info+0x23/0x40 [ 21.583499][ T292] ____kasan_slab_free+0x126/0x160 [ 21.588447][ T292] __kasan_slab_free+0x11/0x20 [ 21.593047][ T292] slab_free_freelist_hook+0xbd/0x190 [ 21.598259][ T292] kmem_cache_free+0x115/0x330 [ 21.602854][ T292] kfree_skbmem+0x104/0x170 [ 21.607194][ T292] kfree_skb+0xc2/0x360 [ 21.611190][ T292] sk_psock_backlog+0xad1/0xdc0 [ 21.615873][ T292] process_one_work+0x6bb/0xc10 [ 21.620561][ T292] worker_thread+0xad5/0x12a0 [ 21.625073][ T292] kthread+0x421/0x510 [ 21.628982][ T292] ret_from_fork+0x1f/0x30 [ 21.633235][ T292] [ 21.635403][ T292] The buggy address belongs to the object at ffff8881230eadc0 [ 21.635403][ T292] which belongs to the cache skbuff_head_cache of size 248 [ 21.649811][ T292] The buggy address is located 236 bytes inside of [ 21.649811][ T292] 248-byte region [ffff8881230eadc0, ffff8881230eaeb8) [ 21.662917][ T292] The buggy address belongs to the page: [ 21.668396][ T292] page:ffffea00048c3a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1230ea [ 21.678454][ T292] flags: 0x4000000000000200(slab|zone=1) [ 21.683930][ T292] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081ab200 [ 21.692370][ T292] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 [ 21.700846][ T292] page dumped because: kasan: bad access detected [ 21.707102][ T292] page_owner tracks the page as allocated [ 21.712648][ T292] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 90, ts 20544030520, free_ts 20289930694 [ 21.728363][ T292] post_alloc_hook+0x1a3/0x1b0 [ 21.732957][ T292] prep_new_page+0x1b/0x110 [ 21.737297][ T292] get_page_from_freelist+0x3550/0x35d0 [ 21.742680][ T292] __alloc_pages+0x27e/0x8f0 [ 21.747105][ T292] new_slab+0x9a/0x4e0 [ 21.751010][ T292] ___slab_alloc+0x39e/0x830 [ 21.755436][ T292] __slab_alloc+0x4a/0x90 [ 21.759603][ T292] kmem_cache_alloc+0x139/0x250 [ 21.764291][ T292] __alloc_skb+0xbe/0x550 [ 21.768456][ T292] alloc_skb_with_frags+0xa6/0x680 [ 21.773402][ T292] sock_alloc_send_pskb+0x915/0xa50 [ 21.778440][ T292] unix_dgram_sendmsg+0x6fd/0x2090 [ 21.783386][ T292] __sys_sendto+0x564/0x720 [ 21.787725][ T292] __x64_sys_sendto+0xe5/0x100 [ 21.792332][ T292] x64_sys_call+0x15c/0x9a0 [ 21.796664][ T292] do_syscall_64+0x3b/0xb0 [ 21.800920][ T292] page last free stack trace: [ 21.805438][ T292] free_unref_page_prepare+0x7c8/0x7d0 [ 21.810727][ T292] free_unref_page+0xe8/0x750 [ 21.815243][ T292] __free_pages+0x61/0xf0 [ 21.819406][ T292] free_pages+0x7c/0x90 [ 21.823403][ T292] kasan_depopulate_vmalloc_pte+0x6a/0x90 [ 21.828951][ T292] __apply_to_page_range+0x8dd/0xbe0 [ 21.834077][ T292] apply_to_existing_page_range+0x38/0x50 [ 21.839629][ T292] kasan_release_vmalloc+0x9a/0xb0 [ 21.844580][ T292] __purge_vmap_area_lazy+0x154a/0x1690 [ 21.849958][ T292] _vm_unmap_aliases+0x339/0x3b0 [ 21.854734][ T292] vm_unmap_aliases+0x19/0x20 [ 21.859241][ T292] change_page_attr_set_clr+0x308/0x1050 [ 21.864711][ T292] set_memory_ro+0xa1/0xe0 [ 21.868968][ T292] bpf_int_jit_compile+0xbf21/0xc6b0 [ 21.874083][ T292] bpf_prog_select_runtime+0x724/0xa10 [ 21.879378][ T292] bpf_prepare_filter+0x10d0/0x13d0 [ 21.884610][ T292] [ 21.886771][ T292] Memory state around the buggy address: [ 21.892248][ T292] ffff8881230ead80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 21.900142][ T292] ffff8881230eae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.908045][ T292] >ffff8881230eae80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc [ 21.915934][ T292] ^ [ 21.921148][ T292] ffff8881230eaf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.929040][ T292] ffff8881230eaf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.936936][ T292] ================================================================== [ 21.944852][ T292] Disabling lock debugging due to kernel taint [ 21.950886][ T292] ================================================================== [ 21.958726][ T292] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x115/0x330 [ 21.966969][ T292] [ 21.969149][ T292] CPU: 0 PID: 292 Comm: syz-executor264 Tainted: G B 5.15.178-syzkaller-00013-g7d1f9b5c2ff5 #0 [ 21.980600][ T292] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 21.990500][ T292] Call Trace: [ 21.993614][ T292] [ 21.996394][ T292] dump_stack_lvl+0x151/0x1c0 [ 22.000906][ T292] ? io_uring_drop_tctx_refs+0x190/0x190 [ 22.006380][ T292] ? __wake_up_klogd+0xd5/0x110 [ 22.011066][ T292] ? panic+0x760/0x760 [ 22.014963][ T292] ? kmem_cache_free+0x115/0x330 [ 22.019744][ T292] print_address_description+0x87/0x3b0 [ 22.025122][ T292] ? asm_common_interrupt+0x27/0x40 [ 22.030154][ T292] ? kmem_cache_free+0x115/0x330 [ 22.034929][ T292] ? kmem_cache_free+0x115/0x330 [ 22.039703][ T292] kasan_report_invalid_free+0x6b/0xa0 [ 22.044996][ T292] ____kasan_slab_free+0x13e/0x160 [ 22.049943][ T292] __kasan_slab_free+0x11/0x20 [ 22.054543][ T292] slab_free_freelist_hook+0xbd/0x190 [ 22.059751][ T292] kmem_cache_free+0x115/0x330 [ 22.064350][ T292] ? kfree_skbmem+0x104/0x170 [ 22.068864][ T292] kfree_skbmem+0x104/0x170 [ 22.073216][ T292] consume_skb+0xb4/0x250 [ 22.077368][ T292] __sk_msg_free+0x2dd/0x370 [ 22.081795][ T292] ? _raw_spin_unlock_irqrestore+0x5c/0x80 [ 22.087438][ T292] sk_psock_stop+0x4e3/0x580 [ 22.091865][ T292] sk_psock_drop+0x219/0x310 [ 22.096294][ T292] sock_map_unref+0x3c6/0x430 [ 22.100804][ T292] ? _raw_spin_unlock_bh+0x51/0x60 [ 22.105752][ T292] sock_map_remove_links+0x41c/0x650 [ 22.110873][ T292] ? sock_map_unhash+0x120/0x120 [ 22.115645][ T292] ? locks_remove_posix+0x610/0x610 [ 22.120681][ T292] sock_map_close+0x114/0x530 [ 22.125199][ T292] ? unix_peer_get+0xe0/0xe0 [ 22.129617][ T292] ? sock_map_remove_links+0x650/0x650 [ 22.134911][ T292] ? rwsem_mark_wake+0x770/0x770 [ 22.139688][ T292] unix_release+0x82/0xc0 [ 22.143853][ T292] sock_close+0xdf/0x270 [ 22.147932][ T292] ? sock_mmap+0xa0/0xa0 [ 22.152010][ T292] __fput+0x228/0x8c0 [ 22.155830][ T292] ____fput+0x15/0x20 [ 22.159649][ T292] task_work_run+0x129/0x190 [ 22.164074][ T292] do_exit+0xc48/0x2ca0 [ 22.168113][ T292] ? put_task_struct+0x80/0x80 [ 22.172666][ T292] ? _raw_spin_unlock_irq+0x4e/0x70 [ 22.177701][ T292] ? ptrace_notify+0x24c/0x350 [ 22.182303][ T292] ? do_notify_parent+0xa30/0xa30 [ 22.187167][ T292] do_group_exit+0x141/0x310 [ 22.191588][ T292] __x64_sys_exit_group+0x3f/0x40 [ 22.196451][ T292] x64_sys_call+0x610/0x9a0 [ 22.200790][ T292] do_syscall_64+0x3b/0xb0 [ 22.205041][ T292] ? clear_bhb_loop+0x35/0x90 [ 22.209564][ T292] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 22.215283][ T292] RIP: 0033:0x7f4163d895e9 [ 22.219536][ T292] Code: Unable to access opcode bytes at RIP 0x7f4163d895bf. [ 22.226739][ T292] RSP: 002b:00007ffd730a0138 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 22.234985][ T292] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4163d895e9 [ 22.242796][ T292] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 22.250606][ T292] RBP: 00007f4163dfe390 R08: ffffffffffffffb8 R09: 00007f4163dcd0e8 [ 22.258417][ T292] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f4163dfe390 [ 22.266229][ T292] R13: 0000000000000000 R14: 00007f4163dfede0 R15: 00007f4163d529f0 [ 22.274046][ T292] [ 22.276905][ T292] [ 22.279078][ T292] Allocated by task 292: [ 22.283165][ T292] __kasan_slab_alloc+0xb1/0xe0 [ 22.287843][ T292] slab_post_alloc_hook+0x53/0x2c0 [ 22.292789][ T292] kmem_cache_alloc+0xf5/0x250 [ 22.297386][ T292] skb_clone+0x1d1/0x360 [ 22.301471][ T292] sk_psock_verdict_recv+0x53/0x840 [ 22.306500][ T292] unix_read_sock+0x132/0x370 [ 22.311015][ T292] sk_psock_verdict_data_ready+0x147/0x1a0 [ 22.316658][ T292] unix_dgram_sendmsg+0x15fa/0x2090 [ 22.321690][ T292] ____sys_sendmsg+0x59e/0x8f0 [ 22.326290][ T292] ___sys_sendmsg+0x252/0x2e0 [ 22.330802][ T292] __se_sys_sendmsg+0x19a/0x260 [ 22.335490][ T292] __x64_sys_sendmsg+0x7b/0x90 [ 22.340089][ T292] x64_sys_call+0x16a/0x9a0 [ 22.344430][ T292] do_syscall_64+0x3b/0xb0 [ 22.348681][ T292] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 22.354409][ T292] [ 22.356582][ T292] Freed by task 20: [ 22.360226][ T292] kasan_set_track+0x4b/0x70 [ 22.364654][ T292] kasan_set_free_info+0x23/0x40 [ 22.369427][ T292] ____kasan_slab_free+0x126/0x160 [ 22.374377][ T292] __kasan_slab_free+0x11/0x20 [ 22.378972][ T292] slab_free_freelist_hook+0xbd/0x190 [ 22.384187][ T292] kmem_cache_free+0x115/0x330 [ 22.388782][ T292] kfree_skbmem+0x104/0x170 [ 22.393122][ T292] kfree_skb+0xc2/0x360 [ 22.397111][ T292] sk_psock_backlog+0xad1/0xdc0 [ 22.401801][ T292] process_one_work+0x6bb/0xc10 [ 22.406486][ T292] worker_thread+0xad5/0x12a0 [ 22.411001][ T292] kthread+0x421/0x510 [ 22.414908][ T292] ret_from_fork+0x1f/0x30 [ 22.419158][ T292] [ 22.421329][ T292] The buggy address belongs to the object at ffff8881230eadc0 [ 22.421329][ T292] which belongs to the cache skbuff_head_cache of size 248 [ 22.435736][ T292] The buggy address is located 0 bytes inside of [ 22.435736][ T292] 248-byte region [ffff8881230eadc0, ffff8881230eaeb8) [ 22.448674][ T292] The buggy address belongs to the page: [ 22.454139][ T292] page:ffffea00048c3a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1230ea [ 22.464203][ T292] flags: 0x4000000000000200(slab|zone=1) [ 22.469682][ T292] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081ab200 [ 22.478105][ T292] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 [ 22.486517][ T292] page dumped because: kasan: bad access detected [ 22.492760][ T292] page_owner tracks the page as allocated [ 22.498314][ T292] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 90, ts 20544030520, free_ts 20289930694 [ 22.514023][ T292] post_alloc_hook+0x1a3/0x1b0 [ 22.518625][ T292] prep_new_page+0x1b/0x110 [ 22.523049][ T292] get_page_from_freelist+0x3550/0x35d0 [ 22.528431][ T292] __alloc_pages+0x27e/0x8f0 [ 22.532856][ T292] new_slab+0x9a/0x4e0 [ 22.536763][ T292] ___slab_alloc+0x39e/0x830 [ 22.541191][ T292] __slab_alloc+0x4a/0x90 [ 22.545356][ T292] kmem_cache_alloc+0x139/0x250 [ 22.550044][ T292] __alloc_skb+0xbe/0x550 [ 22.554209][ T292] alloc_skb_with_frags+0xa6/0x680 [ 22.559156][ T292] sock_alloc_send_pskb+0x915/0xa50 [ 22.564193][ T292] unix_dgram_sendmsg+0x6fd/0x2090 [ 22.569139][ T292] __sys_sendto+0x564/0x720 [ 22.573476][ T292] __x64_sys_sendto+0xe5/0x100 [ 22.578076][ T292] x64_sys_call+0x15c/0x9a0 [ 22.582415][ T292] do_syscall_64+0x3b/0xb0 [ 22.586672][ T292] page last free stack trace: [ 22.591183][ T292] free_unref_page_prepare+0x7c8/0x7d0 [ 22.596479][ T292] free_unref_page+0xe8/0x750 [ 22.600999][ T292] __free_pages+0x61/0xf0 [ 22.605159][ T292] free_pages+0x7c/0x90 [ 22.609148][ T292] kasan_depopulate_vmalloc_pte+0x6a/0x90 [ 22.614705][ T292] __apply_to_page_range+0x8dd/0xbe0 [ 22.619823][ T292] apply_to_existing_page_range+0x38/0x50 [ 22.625380][ T292] kasan_release_vmalloc+0x9a/0xb0 [ 22.630327][ T292] __purge_vmap_area_lazy+0x154a/0x1690 [ 22.635709][ T292] _vm_unmap_aliases+0x339/0x3b0 [ 22.640483][ T292] vm_unmap_aliases+0x19/0x20 [ 22.644996][ T292] change_page_attr_set_clr+0x308/0x1050 [ 22.650461][ T292] set_memory_ro+0xa1/0xe0 [ 22.654716][ T292] bpf_int_jit_compile+0xbf21/0xc6b0 [ 22.659837][ T292] bpf_prog_select_runtime+0x724/0xa10 [ 22.665130][ T292] bpf_prepare_filter+0x10d0/0x13d0 [ 22.670166][ T292] [ 22.672333][ T292] Memory state around the buggy address: [ 22.677805][ T292] ffff8881230eac80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +++ exited with 0 +++ [ 22.6857