./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1872212133 <...> Warning: Permanently added '10.128.0.222' (ED25519) to the list of known hosts. execve("./syz-executor1872212133", ["./syz-executor1872212133"], 0x7ffd465ef660 /* 10 vars */) = 0 brk(NULL) = 0x5555623f0000 brk(0x5555623f0d40) = 0x5555623f0d40 arch_prctl(ARCH_SET_FS, 0x5555623f03c0) = 0 set_tid_address(0x5555623f0690) = 5090 set_robust_list(0x5555623f06a0, 24) = 0 rseq(0x5555623f0ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1872212133", 4096) = 28 getrandom("\x81\x2e\x75\xab\x74\x11\x49\x18", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555623f0d40 brk(0x555562411d40) = 0x555562411d40 brk(0x555562412000) = 0x555562412000 mprotect(0x7f4a7aae8000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 5090 openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 write(3, "10000000000", 11) = 11 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 write(3, "20", 2) = 2 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 write(3, "100", 3) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 write(3, "7 4 1 3", 7) = 7 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 write(3, "5090", 4) = 4 close(3) = 0 openat(AT_FDCWD, "/proc/self/make-it-fail", O_WRONLY) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_WRONLY) = 3 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5091 attached , child_tidptr=0x5555623f0690) = 5091 [pid 5091] set_robust_list(0x5555623f06a0, 24) = 0 [pid 5091] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5091] setpgid(0, 0) = 0 [pid 5091] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5091] write(3, "1000", 4) = 4 [pid 5091] close(3) = 0 executing program [pid 5091] write(1, "executing program\n", 18) = 18 [pid 5091] futex(0x7f4a7aaee3ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] rt_sigaction(SIGRT_1, {sa_handler=0x7f4a7aa91060, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f4a7aa82e70}, NULL, 8) = 0 [pid 5091] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5091] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f4a7a9fe000 [pid 5091] mprotect(0x7f4a7a9ff000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5091] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5091] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f4a7aa1e990, parent_tid=0x7f4a7aa1e990, exit_signal=0, stack=0x7f4a7a9fe000, stack_size=0x20300, tls=0x7f4a7aa1e6c0} => {parent_tid=[5092]}, 88) = 5092 ./strace-static-x86_64: Process 5092 attached [pid 5092] rseq(0x7f4a7aa1efe0, 0x20, 0, 0x53053053) = 0 [pid 5091] rt_sigprocmask(SIG_SETMASK, [], [pid 5092] set_robust_list(0x7f4a7aa1e9a0, 24 [pid 5091] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5092] <... set_robust_list resumed>) = 0 [pid 5091] futex(0x7f4a7aaee3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5092] rt_sigprocmask(SIG_SETMASK, [], [pid 5091] <... futex resumed>) = 0 [pid 5092] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5091] futex(0x7f4a7aaee3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5092] socket(AF_INET6, SOCK_DCCP|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3 [pid 5092] futex(0x7f4a7aaee3ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5092] futex(0x7f4a7aaee3e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5091] <... futex resumed>) = 0 [pid 5091] futex(0x7f4a7aaee3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5092] <... futex resumed>) = 0 [pid 5092] bind(3, {sa_family=AF_INET6, sin6_port=htons(20000), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28 [pid 5091] <... futex resumed>) = 1 [pid 5091] futex(0x7f4a7aaee3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5092] <... bind resumed>) = 0 [pid 5092] futex(0x7f4a7aaee3ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5092] futex(0x7f4a7aaee3e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5091] <... futex resumed>) = 0 [pid 5092] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5091] futex(0x7f4a7aaee3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5092] listen(3, 536870917) = 0 [pid 5091] <... futex resumed>) = 0 [pid 5092] futex(0x7f4a7aaee3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 5091] futex(0x7f4a7aaee3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5092] <... futex resumed>) = 0 [pid 5091] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5092] futex(0x7f4a7aaee3e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5091] futex(0x7f4a7aaee3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5092] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5092] socket(AF_INET6, SOCK_DCCP, IPPROTO_IP [pid 5091] <... futex resumed>) = 0 [pid 5092] <... socket resumed>) = 4 [pid 5091] futex(0x7f4a7aaee3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5092] futex(0x7f4a7aaee3ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5091] <... futex resumed>) = 0 [pid 5092] futex(0x7f4a7aaee3e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5091] futex(0x7f4a7aaee3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5092] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5091] <... futex resumed>) = 0 [pid 5092] connect(4, {sa_family=AF_INET6, sin6_port=htons(20000), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_scope_id=0}, 28 [pid 5091] futex(0x7f4a7aaee3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5092] <... connect resumed>) = 0 [pid 5092] futex(0x7f4a7aaee3ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5092] futex(0x7f4a7aaee3e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5091] <... futex resumed>) = 0 [pid 5091] futex(0x7f4a7aaee3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5092] <... futex resumed>) = 0 [pid 5091] <... futex resumed>) = 1 [pid 5092] accept4(3, NULL, NULL, 0 [pid 5091] futex(0x7f4a7aaee3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5092] <... accept4 resumed>) = 5 [pid 5092] futex(0x7f4a7aaee3ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5091] <... futex resumed>) = 0 [pid 5092] sendmmsg(4, [pid 5091] futex(0x7f4a7aaee3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] futex(0x7f4a7aaee3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5092] <... sendmmsg resumed>[{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}, {msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}, {msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}, {msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 4, 0) = 4 [pid 5092] futex(0x7f4a7aaee3ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5091] <... futex resumed>) = 0 [pid 5092] futex(0x7f4a7aaee3e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5091] futex(0x7f4a7aaee3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5092] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5091] <... futex resumed>) = 0 [pid 5092] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5091] futex(0x7f4a7aaee3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5092] <... openat resumed>) = 6 [pid 5092] write(6, "12", 2) = 2 [ 57.926959][ T5092] FAULT_INJECTION: forcing a failure. [ 57.926959][ T5092] name failslab, interval 1, probability 0, space 0, times 1 [ 57.939720][ T5092] CPU: 0 PID: 5092 Comm: syz-executor187 Not tainted 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 57.950203][ T5092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 57.960246][ T5092] Call Trace: [ 57.963517][ T5092] [ 57.966430][ T5092] dump_stack_lvl+0x241/0x360 [ 57.971130][ T5092] ? __pfx_dump_stack_lvl+0x10/0x10 [ 57.976332][ T5092] ? __pfx__printk+0x10/0x10 [ 57.980918][ T5092] ? __pfx___might_resched+0x10/0x10 [ 57.986187][ T5092] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 57.992249][ T5092] should_fail_ex+0x3b0/0x4e0 [ 57.996923][ T5092] ? dccp_feat_entry_new+0x173/0x3a0 [ 58.002206][ T5092] should_failslab+0x9/0x20 [ 58.006693][ T5092] kmalloc_trace_noprof+0x6c/0x2c0 [ 58.011789][ T5092] dccp_feat_entry_new+0x173/0x3a0 [ 58.016884][ T5092] dccp_feat_parse_options+0xeac/0x2c30 [ 58.022426][ T5092] ? __pfx_dccp_feat_parse_options+0x10/0x10 [ 58.028394][ T5092] ? kmalloc_trace_noprof+0x19c/0x2c0 [ 58.033765][ T5092] dccp_parse_options+0x13bd/0x2670 [ 58.038956][ T5092] dccp_rcv_established+0x55/0x320 [ 58.044055][ T5092] dccp_v6_do_rcv+0x28c/0xb10 [ 58.048733][ T5092] ? __pfx_dccp_v6_do_rcv+0x10/0x10 [ 58.053917][ T5092] __release_sock+0x243/0x350 [ 58.058590][ T5092] release_sock+0x61/0x1f0 [ 58.062993][ T5092] dccp_sendmsg+0x4ee/0xba0 [ 58.067490][ T5092] ? __pfx_dccp_sendmsg+0x10/0x10 [ 58.072501][ T5092] ? sock_rps_record_flow+0x1a/0x400 [ 58.077774][ T5092] ? inet_sendmsg+0x330/0x390 [ 58.082433][ T5092] ? bpf_lsm_socket_sendmsg+0x9/0x10 [ 58.087704][ T5092] ? security_socket_sendmsg+0x87/0xb0 [ 58.093153][ T5092] __sock_sendmsg+0x1a6/0x270 [ 58.097825][ T5092] ____sys_sendmsg+0x525/0x7d0 [ 58.102588][ T5092] ? __pfx_____sys_sendmsg+0x10/0x10 [ 58.107873][ T5092] ? __might_fault+0xaa/0x120 [ 58.112543][ T5092] __sys_sendmmsg+0x3b2/0x740 [ 58.117215][ T5092] ? __pfx___sys_sendmmsg+0x10/0x10 [ 58.122430][ T5092] ? do_raw_spin_lock+0x14f/0x370 [ 58.127474][ T5092] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 58.133462][ T5092] ? _raw_spin_unlock_irq+0x23/0x50 [ 58.138651][ T5092] ? lockdep_hardirqs_on+0x99/0x150 [ 58.143857][ T5092] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 58.150169][ T5092] ? do_syscall_64+0x100/0x230 [ 58.154924][ T5092] __x64_sys_sendmmsg+0xa0/0xb0 [ 58.159764][ T5092] do_syscall_64+0xf3/0x230 [ 58.164255][ T5092] ? clear_bhb_loop+0x35/0x90 [ 58.168917][ T5092] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.174805][ T5092] RIP: 0033:0x7f4a7aa6b5d9 [ 58.179220][ T5092] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 1b 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 58.198811][ T5092] RSP: 002b:00007f4a7aa1e208 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 58.207214][ T5092] RAX: ffffffffffffffda RBX: 00007f4a7aaee3e8 RCX: 00007f4a7aa6b5d9 [ 58.215171][ T5092] RDX: 0000000000000500 RSI: 00000000200001c0 RDI: 0000000000000005 [pid 5092] sendmmsg(5, [pid 5091] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 58.223124][ T5092] RBP: 00007f4a7aaee3e0 R08: 00007f4a7aa1dfa6 R09: 0000000000003231 [ 58.231081][ T5092] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4a7aabb47c [ 58.239034][ T5092] R13: 00007f4a7aa1e210 R14: 0000000000000002 R15: 0100000000000000 [ 58.247002][ T5092] [ 58.250980][ T5092] dccp_parse_options: DCCP(ffff88802aff8ac0): Option 32 (len=7) error=9 [ 58.260376][ T5092] ================================================================== [ 58.268429][ T5092] BUG: KASAN: slab-use-after-free in ccid2_hc_tx_packet_recv+0x1902/0x2070 [ 58.276999][ T5092] Read of size 1 at addr ffff88807542a4a2 by task syz-executor187/5092 [ 58.285211][ T5092] [ 58.287511][ T5092] CPU: 1 PID: 5092 Comm: syz-executor187 Not tainted 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 58.298008][ T5092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 58.308046][ T5092] Call Trace: [ 58.311316][ T5092] [ 58.314248][ T5092] dump_stack_lvl+0x241/0x360 [ 58.318907][ T5092] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.324086][ T5092] ? __pfx__printk+0x10/0x10 [ 58.328660][ T5092] ? _printk+0xd5/0x120 [ 58.332793][ T5092] ? __virt_addr_valid+0x183/0x520 [ 58.337884][ T5092] ? __virt_addr_valid+0x183/0x520 [ 58.342982][ T5092] print_report+0x169/0x550 [ 58.347468][ T5092] ? __virt_addr_valid+0x183/0x520 [ 58.352566][ T5092] ? __virt_addr_valid+0x183/0x520 [ 58.357660][ T5092] ? __virt_addr_valid+0x44e/0x520 [ 58.362749][ T5092] ? __phys_addr+0xba/0x170 [ 58.367234][ T5092] ? ccid2_hc_tx_packet_recv+0x1902/0x2070 [ 58.373022][ T5092] kasan_report+0x143/0x180 [ 58.377509][ T5092] ? ccid2_hc_tx_packet_recv+0x1902/0x2070 [ 58.383313][ T5092] ccid2_hc_tx_packet_recv+0x1902/0x2070 [ 58.388931][ T5092] ? lockdep_hardirqs_on+0x99/0x150 [ 58.394113][ T5092] ? dccp_ackvec_clear_state+0x5dd/0x8b0 [ 58.399731][ T5092] ? dccp_ackvec_input+0x1d5/0xf60 [ 58.404826][ T5092] ? ccid2_hc_rx_packet_recv+0x12e/0x1c0 [ 58.410441][ T5092] ? __pfx_ccid2_hc_tx_packet_recv+0x10/0x10 [ 58.416402][ T5092] dccp_rcv_established+0x295/0x320 [ 58.421579][ T5092] dccp_v6_do_rcv+0x28c/0xb10 [ 58.426240][ T5092] ? __pfx_dccp_v6_do_rcv+0x10/0x10 [ 58.431436][ T5092] __release_sock+0x243/0x350 [ 58.436098][ T5092] release_sock+0x61/0x1f0 [ 58.440491][ T5092] dccp_sendmsg+0x4ee/0xba0 [ 58.444973][ T5092] ? __pfx_dccp_sendmsg+0x10/0x10 [ 58.449976][ T5092] ? sock_rps_record_flow+0x1a/0x400 [ 58.455240][ T5092] ? inet_sendmsg+0x330/0x390 [ 58.459906][ T5092] ? bpf_lsm_socket_sendmsg+0x9/0x10 [ 58.465170][ T5092] ? security_socket_sendmsg+0x87/0xb0 [ 58.470609][ T5092] __sock_sendmsg+0x1a6/0x270 [ 58.475272][ T5092] ____sys_sendmsg+0x525/0x7d0 [ 58.480021][ T5092] ? __pfx_____sys_sendmsg+0x10/0x10 [ 58.485299][ T5092] ? __might_fault+0xaa/0x120 [ 58.489988][ T5092] __sys_sendmmsg+0x3b2/0x740 [ 58.494673][ T5092] ? __pfx___sys_sendmmsg+0x10/0x10 [ 58.499862][ T5092] ? do_raw_spin_lock+0x14f/0x370 [ 58.504904][ T5092] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 58.510872][ T5092] ? _raw_spin_unlock_irq+0x23/0x50 [ 58.516051][ T5092] ? lockdep_hardirqs_on+0x99/0x150 [ 58.521242][ T5092] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 58.527550][ T5092] ? do_syscall_64+0x100/0x230 [ 58.532304][ T5092] __x64_sys_sendmmsg+0xa0/0xb0 [ 58.537141][ T5092] do_syscall_64+0xf3/0x230 [ 58.541628][ T5092] ? clear_bhb_loop+0x35/0x90 [ 58.546286][ T5092] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.552166][ T5092] RIP: 0033:0x7f4a7aa6b5d9 [ 58.556583][ T5092] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 1b 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 58.576184][ T5092] RSP: 002b:00007f4a7aa1e208 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 58.584577][ T5092] RAX: ffffffffffffffda RBX: 00007f4a7aaee3e8 RCX: 00007f4a7aa6b5d9 [ 58.592528][ T5092] RDX: 0000000000000500 RSI: 00000000200001c0 RDI: 0000000000000005 [ 58.600489][ T5092] RBP: 00007f4a7aaee3e0 R08: 00007f4a7aa1dfa6 R09: 0000000000003231 [ 58.608474][ T5092] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4a7aabb47c [ 58.616430][ T5092] R13: 00007f4a7aa1e210 R14: 0000000000000002 R15: 0100000000000000 [ 58.624396][ T5092] [ 58.627394][ T5092] [ 58.629704][ T5092] Allocated by task 5092: [ 58.634016][ T5092] kasan_save_track+0x3f/0x80 [ 58.638678][ T5092] __kasan_kmalloc+0x98/0xb0 [ 58.643246][ T5092] kmalloc_node_track_caller_noprof+0x225/0x440 [ 58.649477][ T5092] kmalloc_reserve+0x111/0x2a0 [ 58.654230][ T5092] __alloc_skb+0x1f3/0x440 [ 58.658623][ T5092] dccp_send_ack+0xaa/0x310 [ 58.663104][ T5092] ccid2_hc_rx_packet_recv+0x10c/0x1c0 [ 58.668549][ T5092] dccp_rcv_established+0x1bb/0x320 [ 58.673728][ T5092] dccp_v6_do_rcv+0x28c/0xb10 [pid 5091] exit_group(0) = ? [ 58.678402][ T5092] __sk_receive_skb+0x823/0x8a0 [ 58.683235][ T5092] dccp_v6_rcv+0x123b/0x1710 [ 58.687807][ T5092] ip6_protocol_deliver_rcu+0x1058/0x1570 [ 58.693512][ T5092] ip6_input_finish+0x186/0x2d0 [ 58.698352][ T5092] NF_HOOK+0x3a4/0x450 [ 58.702407][ T5092] NF_HOOK+0x3a4/0x450 [ 58.706464][ T5092] __netif_receive_skb+0x1ea/0x650 [ 58.711566][ T5092] process_backlog+0x391/0x7d0 [ 58.716323][ T5092] __napi_poll+0xcb/0x490 [ 58.720638][ T5092] net_rx_action+0x7bb/0x10a0 [ 58.725294][ T5092] handle_softirqs+0x2c4/0x970 [ 58.730031][ T5092] do_softirq+0x11b/0x1e0 [ 58.734349][ T5092] __local_bh_enable_ip+0x1bb/0x200 [ 58.739524][ T5092] __dev_queue_xmit+0x16c9/0x3d30 [ 58.744562][ T5092] ip6_finish_output2+0xfc0/0x1670 [ 58.749659][ T5092] ip6_finish_output+0x41e/0x810 [ 58.754586][ T5092] ip6_xmit+0xefe/0x17f0 [ 58.758815][ T5092] inet6_csk_xmit+0x466/0x700 [ 58.763467][ T5092] dccp_transmit_skb+0xf3f/0x16a0 [ 58.768469][ T5092] dccp_xmit_packet+0x376/0x610 [ 58.773294][ T5092] dccp_write_xmit+0x138/0x220 [ 58.778029][ T5092] dccp_sendmsg+0x76d/0xba0 [ 58.782506][ T5092] __sock_sendmsg+0x1a6/0x270 [ 58.787161][ T5092] ____sys_sendmsg+0x525/0x7d0 [ 58.791902][ T5092] __sys_sendmmsg+0x3b2/0x740 [ 58.796556][ T5092] __x64_sys_sendmmsg+0xa0/0xb0 [ 58.801396][ T5092] do_syscall_64+0xf3/0x230 [ 58.805900][ T5092] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.811774][ T5092] [ 58.814084][ T5092] Freed by task 5092: [ 58.818037][ T5092] kasan_save_track+0x3f/0x80 [ 58.822810][ T5092] kasan_save_free_info+0x40/0x50 [ 58.827812][ T5092] poison_slab_object+0xe0/0x150 [ 58.832723][ T5092] __kasan_slab_free+0x37/0x60 [ 58.837461][ T5092] kfree+0x149/0x360 [ 58.841335][ T5092] skb_release_data+0x676/0x880 [ 58.846158][ T5092] kfree_skb_reason+0x1a3/0x3b0 [ 58.850982][ T5092] dccp_v6_do_rcv+0x131/0xb10 [ 58.855633][ T5092] __release_sock+0x243/0x350 [ 58.860285][ T5092] release_sock+0x61/0x1f0 [ 58.864672][ T5092] dccp_sendmsg+0x4ee/0xba0 [ 58.869149][ T5092] __sock_sendmsg+0x1a6/0x270 [ 58.873805][ T5092] ____sys_sendmsg+0x525/0x7d0 [ 58.878543][ T5092] __sys_sendmmsg+0x3b2/0x740 [ 58.883193][ T5092] __x64_sys_sendmmsg+0xa0/0xb0 [ 58.888016][ T5092] do_syscall_64+0xf3/0x230 [ 58.892498][ T5092] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.898367][ T5092] [ 58.900665][ T5092] The buggy address belongs to the object at ffff88807542a000 [ 58.900665][ T5092] which belongs to the cache kmalloc-2k of size 2048 [ 58.914690][ T5092] The buggy address is located 1186 bytes inside of [ 58.914690][ T5092] freed 2048-byte region [ffff88807542a000, ffff88807542a800) [ 58.928630][ T5092] [ 58.930928][ T5092] The buggy address belongs to the physical page: [ 58.937326][ T5092] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75428 [ 58.946054][ T5092] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 58.954522][ T5092] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 58.962055][ T5092] page_type: 0xffffefff(slab) [ 58.966702][ T5092] raw: 00fff00000000040 ffff888015042000 dead000000000122 0000000000000000 [ 58.975256][ T5092] raw: 0000000000000000 0000000080080008 00000001ffffefff 0000000000000000 [ 58.983826][ T5092] head: 00fff00000000040 ffff888015042000 dead000000000122 0000000000000000 [ 58.992470][ T5092] head: 0000000000000000 0000000080080008 00000001ffffefff 0000000000000000 [ 59.001127][ T5092] head: 00fff00000000003 ffffea0001d50a01 ffffffffffffffff 0000000000000000 [ 59.009768][ T5092] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 59.018406][ T5092] page dumped because: kasan: bad access detected [ 59.024794][ T5092] page_owner tracks the page as allocated [ 59.030478][ T5092] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5092, tgid 5091 (syz-executor187), ts 57926422058, free_ts 51601885564 [ 59.052061][ T5092] post_alloc_hook+0x1f3/0x230 [ 59.056805][ T5092] get_page_from_freelist+0x2e4c/0x2f10 [ 59.062332][ T5092] __alloc_pages_noprof+0x256/0x6c0 [ 59.067507][ T5092] alloc_slab_page+0x5f/0x120 [ 59.072173][ T5092] allocate_slab+0x5a/0x2f0 [ 59.076649][ T5092] ___slab_alloc+0xcd1/0x14b0 [ 59.081295][ T5092] __slab_alloc+0x58/0xa0 [ 59.085602][ T5092] kmalloc_node_track_caller_noprof+0x281/0x440 [ 59.091817][ T5092] kmalloc_reserve+0x111/0x2a0 [ 59.096556][ T5092] __alloc_skb+0x1f3/0x440 [ 59.100942][ T5092] alloc_skb_with_frags+0xc3/0x770 [ 59.106027][ T5092] sock_alloc_send_pskb+0x91a/0xa60 [ 59.111198][ T5092] dccp_sendmsg+0x3f1/0xba0 [ 59.115676][ T5092] __sock_sendmsg+0x1a6/0x270 [ 59.120343][ T5092] ____sys_sendmsg+0x525/0x7d0 [ 59.125079][ T5092] __sys_sendmmsg+0x3b2/0x740 [ 59.129729][ T5092] page last free pid 5082 tgid 5082 stack trace: [ 59.136023][ T5092] free_unref_page+0xd22/0xea0 [ 59.140766][ T5092] __put_partials+0xeb/0x130 [ 59.145329][ T5092] put_cpu_partial+0x17c/0x250 [ 59.150067][ T5092] __slab_free+0x2ea/0x3d0 [ 59.154455][ T5092] qlist_free_all+0x9e/0x140 [ 59.159015][ T5092] kasan_quarantine_reduce+0x14f/0x170 [ 59.164450][ T5092] __kasan_slab_alloc+0x23/0x80 [ 59.169274][ T5092] kmem_cache_alloc_node_noprof+0x16b/0x320 [ 59.175142][ T5092] __alloc_skb+0x1c3/0x440 [ 59.179531][ T5092] alloc_skb_with_frags+0xc3/0x770 [ 59.184615][ T5092] sock_alloc_send_pskb+0x91a/0xa60 [ 59.189786][ T5092] unix_stream_sendmsg+0x51a/0xf80 [ 59.194866][ T5092] __sock_sendmsg+0x221/0x270 [ 59.199516][ T5092] sock_write_iter+0x2dd/0x400 [ 59.204253][ T5092] vfs_write+0xa72/0xc90 [ 59.208470][ T5092] ksys_write+0x1a0/0x2c0 [ 59.212773][ T5092] [ 59.215074][ T5092] Memory state around the buggy address: [ 59.220674][ T5092] ffff88807542a380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.228704][ T5092] ffff88807542a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.236735][ T5092] >ffff88807542a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.244763][ T5092] ^ [ 59.249838][ T5092] ffff88807542a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.257866][ T5092] ffff88807542a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.265892][ T5092] ================================================================== [ 59.275566][ T5092] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 59.282772][ T5092] CPU: 1 PID: 5092 Comm: syz-executor187 Not tainted 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 59.293268][ T5092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 59.303318][ T5092] Call Trace: [ 59.306580][ T5092] [ 59.309496][ T5092] dump_stack_lvl+0x241/0x360 [ 59.314159][ T5092] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.319348][ T5092] ? __pfx__printk+0x10/0x10 [ 59.323923][ T5092] ? preempt_schedule+0xe1/0xf0 [ 59.328756][ T5092] ? vscnprintf+0x5d/0x90 [ 59.333065][ T5092] panic+0x349/0x860 [ 59.336944][ T5092] ? check_panic_on_warn+0x21/0xb0 [ 59.342037][ T5092] ? __pfx_panic+0x10/0x10 [ 59.346449][ T5092] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 59.352417][ T5092] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 59.358733][ T5092] ? print_report+0x502/0x550 [ 59.363393][ T5092] check_panic_on_warn+0x86/0xb0 [ 59.368317][ T5092] ? ccid2_hc_tx_packet_recv+0x1902/0x2070 [ 59.374108][ T5092] end_report+0x77/0x160 [ 59.378337][ T5092] kasan_report+0x154/0x180 [ 59.382836][ T5092] ? ccid2_hc_tx_packet_recv+0x1902/0x2070 [ 59.388641][ T5092] ccid2_hc_tx_packet_recv+0x1902/0x2070 [ 59.394271][ T5092] ? lockdep_hardirqs_on+0x99/0x150 [ 59.399459][ T5092] ? dccp_ackvec_clear_state+0x5dd/0x8b0 [ 59.405080][ T5092] ? dccp_ackvec_input+0x1d5/0xf60 [ 59.410181][ T5092] ? ccid2_hc_rx_packet_recv+0x12e/0x1c0 [ 59.415799][ T5092] ? __pfx_ccid2_hc_tx_packet_recv+0x10/0x10 [ 59.421764][ T5092] dccp_rcv_established+0x295/0x320 [ 59.426946][ T5092] dccp_v6_do_rcv+0x28c/0xb10 [ 59.431609][ T5092] ? __pfx_dccp_v6_do_rcv+0x10/0x10 [ 59.436790][ T5092] __release_sock+0x243/0x350 [ 59.441453][ T5092] release_sock+0x61/0x1f0 [ 59.445852][ T5092] dccp_sendmsg+0x4ee/0xba0 [ 59.450341][ T5092] ? __pfx_dccp_sendmsg+0x10/0x10 [ 59.455344][ T5092] ? sock_rps_record_flow+0x1a/0x400 [ 59.460612][ T5092] ? inet_sendmsg+0x330/0x390 [ 59.465267][ T5092] ? bpf_lsm_socket_sendmsg+0x9/0x10 [ 59.470531][ T5092] ? security_socket_sendmsg+0x87/0xb0 [ 59.475968][ T5092] __sock_sendmsg+0x1a6/0x270 [ 59.480634][ T5092] ____sys_sendmsg+0x525/0x7d0 [ 59.485383][ T5092] ? __pfx_____sys_sendmsg+0x10/0x10 [ 59.490662][ T5092] ? __might_fault+0xaa/0x120 [ 59.495339][ T5092] __sys_sendmmsg+0x3b2/0x740 [ 59.499999][ T5092] ? __pfx___sys_sendmmsg+0x10/0x10 [ 59.505185][ T5092] ? do_raw_spin_lock+0x14f/0x370 [ 59.510210][ T5092] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 59.516182][ T5092] ? _raw_spin_unlock_irq+0x23/0x50 [ 59.521369][ T5092] ? lockdep_hardirqs_on+0x99/0x150 [ 59.526578][ T5092] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 59.532892][ T5092] ? do_syscall_64+0x100/0x230 [ 59.537644][ T5092] __x64_sys_sendmmsg+0xa0/0xb0 [ 59.542486][ T5092] do_syscall_64+0xf3/0x230 [ 59.546977][ T5092] ? clear_bhb_loop+0x35/0x90 [ 59.551632][ T5092] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.557510][ T5092] RIP: 0033:0x7f4a7aa6b5d9 [ 59.561902][ T5092] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 1b 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 59.581492][ T5092] RSP: 002b:00007f4a7aa1e208 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 59.589887][ T5092] RAX: ffffffffffffffda RBX: 00007f4a7aaee3e8 RCX: 00007f4a7aa6b5d9 [ 59.597839][ T5092] RDX: 0000000000000500 RSI: 00000000200001c0 RDI: 0000000000000005 [ 59.605793][ T5092] RBP: 00007f4a7aaee3e0 R08: 00007f4a7aa1dfa6 R09: 0000000000003231 [ 59.613749][ T5092] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4a7aabb47c [ 59.621729][ T5092] R13: 00007f4a7aa1e210 R14: 0000000000000002 R15: 0100000000000000 [ 59.629687][ T5092] [ 59.632807][ T5092] Kernel Offset: disabled [ 59.637116][ T5092] Rebooting in 86400 seconds..