Warning: Permanently added '10.128.1.28' (ED25519) to the list of known hosts.
executing program
[ 37.310257][ T4288] FAULT_INJECTION: forcing a failure.
[ 37.310257][ T4288] name failslab, interval 1, probability 0, space 0, times 1
[ 37.312992][ T4288] CPU: 1 PID: 4288 Comm: syz-executor364 Not tainted 6.1.115-syzkaller #0
[ 37.314817][ T4288] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 37.316995][ T4288] Call trace:
[ 37.317684][ T4288]  dump_backtrace+0x1c8/0x1f4
[ 37.318763][ T4288]  show_stack+0x2c/0x3c
[ 37.319630][ T4288]  dump_stack_lvl+0x108/0x170
[ 37.320655][ T4288]  dump_stack+0x1c/0x58
[ 37.321618][ T4288]  should_fail_ex+0x3c0/0x51c
[ 37.322663][ T4288]  __should_failslab+0xc8/0x128
[ 37.323727][ T4288]  should_failslab+0x10/0x28
[ 37.324785][ T4288]  __kmem_cache_alloc_node+0x80/0x388
[ 37.325899][ T4288]  kmalloc_trace+0x48/0x94
[ 37.326802][ T4288]  dccp_feat_entry_new+0x188/0x38c
[ 37.327892][ T4288]  dccp_feat_parse_options+0xd5c/0x2380
[ 37.329117][ T4288]  dccp_parse_options+0xb54/0x192c
[ 37.330288][ T4288]  dccp_rcv_established+0x68/0x2d8
[ 37.331347][ T4288]  dccp_v6_do_rcv+0x248/0x938
[ 37.332357][ T4288]  __release_sock+0x1a8/0x408
[ 37.333381][ T4288]  release_sock+0x68/0x1cc
[ 37.334344][ T4288]  dccp_sendmsg+0x46c/0xb80
[ 37.335433][ T4288]  inet_sendmsg+0x15c/0x290
[ 37.336419][ T4288]  ____sys_sendmsg+0x55c/0x848
[ 37.337620][ T4288]  __sys_sendmmsg+0x318/0x7d8
[ 37.338698][ T4288]  __arm64_sys_sendmmsg+0xa0/0xbc
[ 37.339748][ T4288]  invoke_syscall+0x98/0x2c0
[ 37.340821][ T4288]  el0_svc_common+0x138/0x258
[ 37.341805][ T4288]  do_el0_svc+0x64/0x218
[ 37.342936][ T4288]  el0_svc+0x58/0x168
[ 37.343840][ T4288]  el0t_64_sync_handler+0x84/0xf0
[ 37.344939][ T4288]  el0t_64_sync+0x18c/0x190
[ 37.346183][ T4288] dccp_parse_options: DCCP(000000001b4e11fb): Option 32 (len=7) error=9
[ 37.349794][ T4288] ==================================================================
[ 37.351434][ T4288] BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x1498/0x1af0
[ 37.353358][ T4288] Read of size 1 at addr ffff0000cf91d494 by task syz-executor364/4288
[ 37.355052][ T4288]
[ 37.355639][ T4288] CPU: 1 PID: 4288 Comm: syz-executor364 Not tainted 6.1.115-syzkaller #0
[ 37.357417][ T4288] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 37.359565][ T4288] Call trace:
[ 37.360283][ T4288]  dump_backtrace+0x1c8/0x1f4
[ 37.361283][ T4288]  show_stack+0x2c/0x3c
[ 37.362144][ T4288]  dump_stack_lvl+0x108/0x170
[ 37.363123][ T4288]  print_report+0x174/0x4c0
[ 37.364149][ T4288]  kasan_report+0xd4/0x130
[ 37.365046][ T4288]  __asan_report_load1_noabort+0x2c/0x38
[ 37.366153][ T4288]  ccid2_hc_tx_packet_recv+0x1498/0x1af0
[ 37.367432][ T4288]  dccp_rcv_established+0x26c/0x2d8
[ 37.368578][ T4288]  dccp_v6_do_rcv+0x248/0x938
[ 37.369608][ T4288]  __release_sock+0x1a8/0x408
[ 37.370629][ T4288]  release_sock+0x68/0x1cc
[ 37.371522][ T4288]  dccp_sendmsg+0x46c/0xb80
[ 37.372561][ T4288]  inet_sendmsg+0x15c/0x290
[ 37.373553][ T4288]  ____sys_sendmsg+0x55c/0x848
[ 37.374655][ T4288]  __sys_sendmmsg+0x318/0x7d8
[ 37.375697][ T4288]  __arm64_sys_sendmmsg+0xa0/0xbc
[ 37.376807][ T4288]  invoke_syscall+0x98/0x2c0
[ 37.377779][ T4288]  el0_svc_common+0x138/0x258
[ 37.378702][ T4288]  do_el0_svc+0x64/0x218
[ 37.379670][ T4288]  el0_svc+0x58/0x168
[ 37.380583][ T4288]  el0t_64_sync_handler+0x84/0xf0
[ 37.381687][ T4288]  el0t_64_sync+0x18c/0x190
[ 37.382574][ T4288]
[ 37.383017][ T4288] Allocated by task 4288:
[ 37.383920][ T4288]  kasan_set_track+0x4c/0x80
[ 37.384935][ T4288]  kasan_save_alloc_info+0x24/0x30
[ 37.385966][ T4288]  __kasan_kmalloc+0xac/0xc4
[ 37.386881][ T4288]  __kmalloc_node_track_caller+0xd0/0x1c0
[ 37.388138][ T4288]  __alloc_skb+0x180/0x580
[ 37.389015][ T4288]  dccp_send_ack+0xa4/0x2bc
[ 37.389981][ T4288]  ccid2_hc_rx_packet_recv+0x114/0x1b8
[ 37.391190][ T4288]  dccp_rcv_established+0x1ac/0x2d8
[ 37.392290][ T4288]  dccp_v6_do_rcv+0x248/0x938
[ 37.393243][ T4288]  __sk_receive_skb+0x3f8/0x900
[ 37.394288][ T4288]  dccp_v6_rcv+0xbac/0x10b8
[ 37.395234][ T4288]  ip6_protocol_deliver_rcu+0x958/0x1214
[ 37.396393][ T4288]  ip6_input_finish+0x164/0x298
[ 37.397348][ T4288]  NF_HOOK+0x328/0x3d4
[ 37.398225][ T4288]  ip6_input+0x70/0x84
[ 37.399053][ T4288]  ip6_rcv_finish+0x1f4/0x220
[ 37.400032][ T4288]  NF_HOOK+0x328/0x3d4
[ 37.400954][ T4288]  ipv6_rcv+0x98/0xb8
[ 37.401774][ T4288]  __netif_receive_skb+0x18c/0x400
[ 37.402943][ T4288]  process_backlog+0x410/0x784
[ 37.403918][ T4288]  __napi_poll+0xb4/0x3f0
[ 37.404825][ T4288]  net_rx_action+0x5cc/0xd3c
[ 37.405878][ T4288]  handle_softirqs+0x318/0xd58
[ 37.406826][ T4288]  __do_softirq+0x14/0x20
[ 37.407690][ T4288]
[ 37.408143][ T4288] Freed by task 4288:
[ 37.408950][ T4288]  kasan_set_track+0x4c/0x80
[ 37.409878][ T4288]  kasan_save_free_info+0x38/0x5c
[ 37.410993][ T4288]  ____kasan_slab_free+0x144/0x1c0
[ 37.412042][ T4288]  __kasan_slab_free+0x18/0x28
[ 37.413122][ T4288]  __kmem_cache_free+0x2c0/0x4b4
[ 37.414205][ T4288]  kfree+0xcc/0x1b8
[ 37.415018][ T4288]  skb_release_data+0x488/0x6b0
[ 37.416035][ T4288]  kfree_skb_reason+0x1a4/0x47c
[ 37.417246][ T4288]  dccp_v6_do_rcv+0x12c/0x938
[ 37.418336][ T4288]  __release_sock+0x1a8/0x408
[ 37.419315][ T4288]  release_sock+0x68/0x1cc
[ 37.420323][ T4288]  dccp_sendmsg+0x46c/0xb80
[ 37.421223][ T4288]  inet_sendmsg+0x15c/0x290
[ 37.422251][ T4288]  ____sys_sendmsg+0x55c/0x848
[ 37.423311][ T4288]  __sys_sendmmsg+0x318/0x7d8
[ 37.424429][ T4288]  __arm64_sys_sendmmsg+0xa0/0xbc
[ 37.425573][ T4288]  invoke_syscall+0x98/0x2c0
[ 37.426490][ T4288]  el0_svc_common+0x138/0x258
[ 37.427404][ T4288]  do_el0_svc+0x64/0x218
[ 37.428250][ T4288]  el0_svc+0x58/0x168
[ 37.429042][ T4288]  el0t_64_sync_handler+0x84/0xf0
[ 37.430175][ T4288]  el0t_64_sync+0x18c/0x190
[ 37.431171][ T4288]
[ 37.431702][ T4288] Last potentially related work creation:
[ 37.433063][ T4288]  kasan_save_stack+0x40/0x70
[ 37.434092][ T4288]  __kasan_record_aux_stack+0xcc/0xe8
[ 37.435366][ T4288]  kasan_record_aux_stack_noalloc+0x14/0x20
[ 37.436780][ T4288]  call_rcu+0xfc/0xa40
[ 37.437662][ T4288]  netlink_release+0x11d0/0x16e0
[ 37.438683][ T4288]  sock_close+0xb8/0x1fc
[ 37.439616][ T4288]  __fput+0x1c8/0x7c8
[ 37.440414][ T4288]  ____fput+0x20/0x30
[ 37.441258][ T4288]  task_work_run+0x240/0x2f0
[ 37.442265][ T4288]  do_notify_resume+0x2148/0x3474
[ 37.443434][ T4288]  el0_svc+0x9c/0x168
[ 37.444247][ T4288]  el0t_64_sync_handler+0x84/0xf0
[ 37.445380][ T4288]  el0t_64_sync+0x18c/0x190
[ 37.446380][ T4288]
[ 37.446895][ T4288] The buggy address belongs to the object at ffff0000cf91d000
[ 37.446895][ T4288]  which belongs to the cache kmalloc-2k of size 2048
[ 37.450014][ T4288] The buggy address is located 1172 bytes inside of
[ 37.450014][ T4288]  2048-byte region [ffff0000cf91d000, ffff0000cf91d800)
[ 37.452919][ T4288]
[ 37.453435][ T4288] The buggy address belongs to the physical page:
[ 37.454776][ T4288] page:000000000699280c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f918
[ 37.457137][ T4288] head:000000000699280c order:3 compound_mapcount:0 compound_pincount:0
[ 37.459054][ T4288] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 37.460720][ T4288] raw: 05ffc00000010200 fffffc0003288000 dead000000000002 ffff0000c0002900
[ 37.462531][ T4288] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 37.464339][ T4288] page dumped because: kasan: bad access detected
[ 37.465703][ T4288]
[ 37.466207][ T4288] Memory state around the buggy address:
[ 37.467501][ T4288]  ffff0000cf91d380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.469346][ T4288]  ffff0000cf91d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.470953][ T4288] >ffff0000cf91d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.472861][ T4288]                          ^
[ 37.474050][ T4288]  ffff0000cf91d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.475820][ T4288]  ffff0000cf91d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.477582][ T4288] ==================================================================
[ 37.480244][ T4288] Disabling lock debugging due to kernel taint