./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor533546484
<...>
Warning: Permanently added '10.128.0.207' (ED25519) to the list of known hosts.
execve("./syz-executor533546484", ["./syz-executor533546484"], 0x7fff7072bfb0 /* 10 vars */) = 0
brk(NULL) = 0x555556e17000
brk(0x555556e17d00) = 0x555556e17d00
arch_prctl(ARCH_SET_FS, 0x555556e17380) = 0
set_tid_address(0x555556e17650) = 294
set_robust_list(0x555556e17660, 24) = 0
rseq(0x555556e17ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented)
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor533546484", 4096) = 27
getrandom("\xcb\x31\xf0\x19\xc9\x6d\x62\xf9", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x555556e17d00
brk(0x555556e38d00) = 0x555556e38d00
brk(0x555556e39000) = 0x555556e39000
mprotect(0x7f0faf445000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, "/proc/self/make-it-fail", O_WRONLY) = 3
close(3) = 0
openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_WRONLY) = 3
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1executing program
) = 1
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 295
./strace-static-x86_64: Process 295 attached
[pid 295] set_robust_list(0x555556e17660, 24) = 0
[pid 295] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 295] setpgid(0, 0) = 0
[pid 295] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 295] write(3, "1000", 4) = 4
[pid 295] close(3) = 0
[pid 295] write(1, "executing program\n", 18) = 18
[ 23.507827][ T30] audit: type=1400 audit(1723232676.132:66): avc: denied { execmem } for pid=294 comm="syz-executor533" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 23.528191][ T30] audit: type=1400 audit(1723232676.132:67): avc: denied { integrity } for pid=294 comm="syz-executor533" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 23.551455][ T30] audit: type=1400 audit(1723232676.132:68): avc: denied { prog_load } for pid=295 comm="syz-executor533" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 23.571796][ T30] audit: type=1400 audit(1723232676.152:69): avc: denied { bpf } for pid=295 comm="syz-executor533" capability=39 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1
[pid 295] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x20000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 295] close(3) = 0
[pid 295] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 295] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 295] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 295] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 295] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x20000000, value=0x20000080, flags=BPF_ANY}, 32) = 0
[pid 295] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 295] write(7, "5", 1) = 1
[ 23.670684][ T30] audit: type=1400 audit(1723232676.292:70): avc: denied { perfmon } for pid=295 comm="syz-executor533" capability=38 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1
[ 23.692368][ T30] audit: type=1400 audit(1723232676.312:71): avc: denied { prog_run } for pid=295 comm="syz-executor533" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 23.712529][ T30] audit: type=1400 audit(1723232676.332:72): avc: denied { map_create } for pid=295 comm="syz-executor533" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 23.714306][ T295] FAULT_INJECTION: forcing a failure.
[ 23.714306][ T295] name failslab, interval 1, probability 0, space 0, times 1
[ 23.732008][ T30] audit: type=1400 audit(1723232676.332:73): avc: denied { map_read map_write } for pid=295 comm="syz-executor533" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 23.764639][ T295] CPU: 1 PID: 295 Comm: syz-executor533 Not tainted 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 23.774780][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 23.785128][ T295] Call Trace:
[ 23.788334][ T295]
[ 23.791757][ T295] dump_stack_lvl+0x151/0x1b7
[ 23.796304][ T295] ? io_uring_drop_tctx_refs+0x190/0x190
[ 23.801767][ T295] dump_stack+0x15/0x17
[ 23.805839][ T295] should_fail+0x3c6/0x510
[ 23.810180][ T295] __should_failslab+0xa4/0xe0
[ 23.815001][ T295] should_failslab+0x9/0x20
[ 23.819520][ T295] slab_pre_alloc_hook+0x37/0xd0
[ 23.824270][ T295] kmem_cache_alloc_trace+0x48/0x210
[ 23.829389][ T295] ? sk_psock_skb_ingress_self+0x60/0x330
[ 23.835031][ T295] ? migrate_disable+0x190/0x190
[ 23.839802][ T295] sk_psock_skb_ingress_self+0x60/0x330
[ 23.845187][ T295] sk_psock_verdict_recv+0x66d/0x840
[ 23.850418][ T295] unix_read_sock+0x132/0x370
[ 23.855015][ T295] ? sk_psock_skb_redirect+0x440/0x440
[ 23.860286][ T295] ? unix_stream_splice_actor+0x120/0x120
[ 23.865841][ T295] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 23.871137][ T295] ? unix_stream_splice_actor+0x120/0x120
[ 23.876690][ T295] sk_psock_verdict_data_ready+0x147/0x1a0
[ 23.882331][ T295] ? sk_psock_start_verdict+0xc0/0xc0
[ 23.887535][ T295] ? _raw_spin_lock+0xa4/0x1b0
[ 23.892143][ T295] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 23.898042][ T295] ? skb_queue_tail+0xfb/0x120
[ 23.902664][ T295] unix_dgram_sendmsg+0x15fa/0x2090
[ 23.907680][ T295] ? unix_dgram_poll+0x710/0x710
[ 23.912708][ T295] ? security_socket_sendmsg+0x82/0xb0
[ 23.918004][ T295] ? unix_dgram_poll+0x710/0x710
[ 23.922977][ T295] ____sys_sendmsg+0x59e/0x8f0
[ 23.927553][ T295] ? __sys_sendmsg_sock+0x40/0x40
[ 23.932421][ T295] ? import_iovec+0xe5/0x120
[ 23.937024][ T295] ___sys_sendmsg+0x252/0x2e0
[ 23.941538][ T295] ? __sys_sendmsg+0x260/0x260
[ 23.946137][ T295] ? finish_task_switch+0x167/0x7b0
[ 23.951342][ T295] ? __schedule+0xcd4/0x1590
[ 23.955825][ T295] ? __kasan_check_write+0x14/0x20
[ 23.960746][ T295] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 23.965696][ T295] ? __kasan_check_read+0x11/0x20
[ 23.970557][ T295] ? __fdget+0x179/0x240
[ 23.974639][ T295] __se_sys_sendmsg+0x19a/0x260
[ 23.979299][ T295] ? _raw_spin_unlock_irq+0x4e/0x70
[ 23.984352][ T295] ? __x64_sys_sendmsg+0x90/0x90
[ 23.989653][ T295] ? __kasan_check_read+0x11/0x20
[ 23.994684][ T295] __x64_sys_sendmsg+0x7b/0x90
[ 23.999385][ T295] do_syscall_64+0x3d/0xb0
[ 24.003639][ T295] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 24.009441][ T295] RIP: 0033:0x7f0faf3d9b69
[ 24.013686][ T295] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 24.033212][ T295] RSP: 002b:00007fff53268ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 24.041454][ T295] RAX: ffffffffffffffda RBX: 00007fff53268ae0 RCX: 00007f0faf3d9b69
[ 24.049263][ T295] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 24.057077][ T295] RBP: 0000000000000001 R08: 00007fff53268867 R09: 00000000000000a0
[pid 295] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 295] exit_group(0) = ?
[pid 295] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=295, si_uid=0, si_status=0, si_utime=0, si_stime=21} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 297
./strace-static-x86_64: Process 297 attached
[pid 297] set_robust_list(0x555556e17660, 24) = 0
[pid 297] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 297] setpgid(0, 0) = 0
[pid 297] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 297] write(3, "1000", 4) = 4
[pid 297] close(3) = 0
[pid 297] write(1, "executing program\n", 18executing program
) = 18
[ 24.064906][ T295] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 24.072699][ T295] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 24.080550][ T295]
[ 24.084961][ T20] ==================================================================
[ 24.093183][ T20] BUG: KASAN: use-after-free in consume_skb+0x3c/0x250
[ 24.099873][ T20] Read of size 4 at addr ffff8881214344ac by task kworker/0:1/20
[ 24.107411][ T20]
[ 24.109587][ T20] CPU: 0 PID: 20 Comm: kworker/0:1 Not tainted 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 24.119213][ T20] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 24.129477][ T20] Workqueue: events bpf_map_free_deferred
[ 24.135114][ T20] Call Trace:
[ 24.138240][ T20]
[ 24.141010][ T20] dump_stack_lvl+0x151/0x1b7
[ 24.145599][ T20] ? io_uring_drop_tctx_refs+0x190/0x190
[ 24.151088][ T20] ? panic+0x751/0x751
[ 24.155063][ T20] print_address_description+0x87/0x3b0
[ 24.160446][ T20] kasan_report+0x179/0x1c0
[ 24.164781][ T20] ? consume_skb+0x3c/0x250
[ 24.169127][ T20] ? consume_skb+0x3c/0x250
[ 24.173468][ T20] kasan_check_range+0x293/0x2a0
[ 24.178255][ T20] __kasan_check_read+0x11/0x20
[ 24.183010][ T20] consume_skb+0x3c/0x250
[ 24.187366][ T20] __sk_msg_free+0x2dd/0x370
[ 24.191974][ T20] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 24.197682][ T20] sk_psock_stop+0x44c/0x4d0
[ 24.202101][ T20] sk_psock_drop+0x219/0x310
[ 24.206629][ T20] sock_map_unref+0x48f/0x4d0
[ 24.211224][ T20] sock_map_free+0x137/0x2b0
[ 24.215642][ T20] bpf_map_free_deferred+0x10d/0x1e0
[ 24.220774][ T20] process_one_work+0x6bb/0xc10
[ 24.225814][ T20] worker_thread+0xad5/0x12a0
[ 24.230417][ T20] ? _raw_spin_lock+0x1b0/0x1b0
[ 24.235207][ T20] kthread+0x421/0x510
[ 24.239106][ T20] ? worker_clr_flags+0x180/0x180
[ 24.243973][ T20] ? kthread_blkcg+0xd0/0xd0
[ 24.248393][ T20] ret_from_fork+0x1f/0x30
[ 24.252651][ T20]
[ 24.255503][ T20]
[ 24.257677][ T20] Allocated by task 295:
[ 24.261763][ T20] __kasan_slab_alloc+0xb1/0xe0
[ 24.266445][ T20] slab_post_alloc_hook+0x53/0x2c0
[ 24.271389][ T20] kmem_cache_alloc+0xf5/0x200
[ 24.276163][ T20] skb_clone+0x1d1/0x360
[ 24.280238][ T20] sk_psock_verdict_recv+0x53/0x840
[ 24.285273][ T20] unix_read_sock+0x132/0x370
[ 24.289786][ T20] sk_psock_verdict_data_ready+0x147/0x1a0
[ 24.295441][ T20] unix_dgram_sendmsg+0x15fa/0x2090
[ 24.300464][ T20] ____sys_sendmsg+0x59e/0x8f0
[ 24.305070][ T20] ___sys_sendmsg+0x252/0x2e0
[ 24.309580][ T20] __se_sys_sendmsg+0x19a/0x260
[ 24.314355][ T20] __x64_sys_sendmsg+0x7b/0x90
[ 24.318957][ T20] do_syscall_64+0x3d/0xb0
[ 24.323212][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 24.328950][ T20]
[ 24.331457][ T20] Freed by task 20:
[ 24.335092][ T20] kasan_set_track+0x4b/0x70
[ 24.339521][ T20] kasan_set_free_info+0x23/0x40
[ 24.344301][ T20] ____kasan_slab_free+0x126/0x160
[ 24.349235][ T20] __kasan_slab_free+0x11/0x20
[ 24.353839][ T20] slab_free_freelist_hook+0xbd/0x190
[ 24.359316][ T20] kmem_cache_free+0x116/0x2e0
[ 24.363915][ T20] kfree_skbmem+0x104/0x170
[ 24.368247][ T20] kfree_skb+0xc2/0x360
[ 24.372237][ T20] sk_psock_backlog+0xc21/0xd90
[ 24.376934][ T20] process_one_work+0x6bb/0xc10
[ 24.381614][ T20] worker_thread+0xad5/0x12a0
[ 24.386129][ T20] kthread+0x421/0x510
[ 24.390040][ T20] ret_from_fork+0x1f/0x30
[ 24.394282][ T20]
[ 24.396452][ T20] The buggy address belongs to the object at ffff8881214343c0
[ 24.396452][ T20] which belongs to the cache skbuff_head_cache of size 248
[ 24.411045][ T20] The buggy address is located 236 bytes inside of
[ 24.411045][ T20] 248-byte region [ffff8881214343c0, ffff8881214344b8)
[ 24.424234][ T20] The buggy address belongs to the page:
[ 24.429719][ T20] page:ffffea0004850d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121434
[ 24.439780][ T20] flags: 0x4000000000000200(slab|zone=1)
[ 24.445334][ T20] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3380
[ 24.454184][ T20] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 24.462611][ T20] page dumped because: kasan: bad access detected
[ 24.468958][ T20] page_owner tracks the page as allocated
[ 24.474526][ T20] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 289, ts 23692944849, free_ts 15604099573
[ 24.490474][ T20] post_alloc_hook+0x1a3/0x1b0
[ 24.495067][ T20] prep_new_page+0x1b/0x110
[ 24.499416][ T20] get_page_from_freelist+0x3550/0x35d0
[ 24.504793][ T20] __alloc_pages+0x27e/0x8f0
[ 24.509215][ T20] new_slab+0x9a/0x4e0
[ 24.513143][ T20] ___slab_alloc+0x39e/0x830
[ 24.517549][ T20] __slab_alloc+0x4a/0x90
[ 24.521801][ T20] kmem_cache_alloc+0x134/0x200
[ 24.526484][ T20] skb_clone+0x1d1/0x360
[ 24.530652][ T20] dev_queue_xmit_nit+0x25b/0xa40
[ 24.535614][ T20] dev_hard_start_xmit+0x149/0x620
[ 24.540646][ T20] sch_direct_xmit+0x298/0x9b0
[ 24.545332][ T20] __dev_queue_xmit+0x161e/0x2e70
[ 24.550455][ T20] dev_queue_xmit+0x17/0x20
[ 24.554783][ T20] ip_finish_output2+0xb9f/0xf60
[ 24.559607][ T20] __ip_finish_output+0x162/0x360
[ 24.564477][ T20] page last free stack trace:
[ 24.568942][ T20] free_unref_page_prepare+0x7c8/0x7d0
[ 24.574227][ T20] free_unref_page+0xe8/0x750
[ 24.578751][ T20] __put_page+0xb0/0xe0
[ 24.582844][ T20] anon_pipe_buf_release+0x187/0x200
[ 24.588047][ T20] pipe_read+0x5a6/0x1040
[ 24.592316][ T20] vfs_read+0xa7e/0xd40
[ 24.596301][ T20] ksys_read+0x199/0x2c0
[ 24.600378][ T20] __x64_sys_read+0x7b/0x90
[ 24.604825][ T20] do_syscall_64+0x3d/0xb0
[ 24.609058][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 24.614973][ T20]
[ 24.617234][ T20] Memory state around the buggy address:
[ 24.622837][ T20] ffff888121434380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 24.630933][ T20] ffff888121434400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.639173][ T20] >ffff888121434480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 24.647139][ T20] ^
[ 24.652341][ T20] ffff888121434500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.660787][ T20] ffff888121434580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 24.668781][ T20] ==================================================================
[ 24.677514][ T20] Disabling lock debugging due to kernel taint
[ 24.683557][ T20] ==================================================================
[ 24.691409][ T20] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 24.699642][ T20]
[ 24.701814][ T20] CPU: 0 PID: 20 Comm: kworker/0:1 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 24.713380][ T20] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 24.723516][ T20] Workqueue: events bpf_map_free_deferred
[ 24.729068][ T20] Call Trace:
[ 24.732187][ T20]
[ 24.734971][ T20] dump_stack_lvl+0x151/0x1b7
[ 24.739508][ T20] ? io_uring_drop_tctx_refs+0x190/0x190
[ 24.744966][ T20] ? panic+0x751/0x751
[ 24.749422][ T20] ? irqentry_exit+0x30/0x40
[ 24.753970][ T20] ? kmem_cache_free+0x116/0x2e0
[ 24.759863][ T20] print_address_description+0x87/0x3b0
[ 24.766658][ T20] ? asm_common_interrupt+0x27/0x40
[ 24.772365][ T20] ? kmem_cache_free+0x116/0x2e0
[ 24.777406][ T20] ? kmem_cache_free+0x116/0x2e0
[ 24.782301][ T20] kasan_report_invalid_free+0x6b/0xa0
[ 24.787704][ T20] ____kasan_slab_free+0x13e/0x160
[ 24.792628][ T20] __kasan_slab_free+0x11/0x20
[ 24.797345][ T20] slab_free_freelist_hook+0xbd/0x190
[ 24.802552][ T20] ? kfree_skbmem+0x104/0x170
[ 24.807151][ T20] kmem_cache_free+0x116/0x2e0
[ 24.811840][ T20] kfree_skbmem+0x104/0x170
[ 24.816183][ T20] consume_skb+0xb4/0x250
[ 24.820351][ T20] __sk_msg_free+0x2dd/0x370
[ 24.824879][ T20] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 24.830502][ T20] sk_psock_stop+0x44c/0x4d0
[ 24.834924][ T20] sk_psock_drop+0x219/0x310
[ 24.839350][ T20] sock_map_unref+0x48f/0x4d0
[ 24.843870][ T20] sock_map_free+0x137/0x2b0
[ 24.848298][ T20] bpf_map_free_deferred+0x10d/0x1e0
[ 24.853409][ T20] process_one_work+0x6bb/0xc10
[ 24.858102][ T20] worker_thread+0xad5/0x12a0
[ 24.862610][ T20] ? _raw_spin_lock+0x1b0/0x1b0
[ 24.867386][ T20] kthread+0x421/0x510
[ 24.871288][ T20] ? worker_clr_flags+0x180/0x180
[ 24.876290][ T20] ? kthread_blkcg+0xd0/0xd0
[ 24.880669][ T20] ret_from_fork+0x1f/0x30
[ 24.884916][ T20]
[ 24.887780][ T20]
[ 24.889956][ T20] Allocated by task 295:
[ 24.894125][ T20] __kasan_slab_alloc+0xb1/0xe0
[ 24.899251][ T20] slab_post_alloc_hook+0x53/0x2c0
[ 24.904541][ T20] kmem_cache_alloc+0xf5/0x200
[ 24.909318][ T20] skb_clone+0x1d1/0x360
[ 24.913401][ T20] sk_psock_verdict_recv+0x53/0x840
[ 24.918424][ T20] unix_read_sock+0x132/0x370
[ 24.923027][ T20] sk_psock_verdict_data_ready+0x147/0x1a0
[ 24.928667][ T20] unix_dgram_sendmsg+0x15fa/0x2090
[ 24.933713][ T20] ____sys_sendmsg+0x59e/0x8f0
[ 24.938298][ T20] ___sys_sendmsg+0x252/0x2e0
[ 24.942810][ T20] __se_sys_sendmsg+0x19a/0x260
[ 24.947507][ T20] __x64_sys_sendmsg+0x7b/0x90
[ 24.952202][ T20] do_syscall_64+0x3d/0xb0
[ 24.956449][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 24.962341][ T20]
[ 24.964518][ T20] Freed by task 20:
[ 24.968157][ T20] kasan_set_track+0x4b/0x70
[ 24.972594][ T20] kasan_set_free_info+0x23/0x40
[ 24.977355][ T20] ____kasan_slab_free+0x126/0x160
[ 24.982310][ T20] __kasan_slab_free+0x11/0x20
[ 24.986910][ T20] slab_free_freelist_hook+0xbd/0x190
[ 24.992112][ T20] kmem_cache_free+0x116/0x2e0
[ 24.996712][ T20] kfree_skbmem+0x104/0x170
[ 25.001052][ T20] kfree_skb+0xc2/0x360
[ 25.005041][ T20] sk_psock_backlog+0xc21/0xd90
[ 25.009813][ T20] process_one_work+0x6bb/0xc10
[ 25.014471][ T20] worker_thread+0xad5/0x12a0
[ 25.018928][ T20] kthread+0x421/0x510
[ 25.022934][ T20] ret_from_fork+0x1f/0x30
[ 25.027174][ T20]
[ 25.029352][ T20] The buggy address belongs to the object at ffff8881214343c0
[ 25.029352][ T20] which belongs to the cache skbuff_head_cache of size 248
[ 25.043774][ T20] The buggy address is located 0 bytes inside of
[ 25.043774][ T20] 248-byte region [ffff8881214343c0, ffff8881214344b8)
[ 25.057218][ T20] The buggy address belongs to the page:
[ 25.062682][ T20] page:ffffea0004850d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121434
[ 25.072748][ T20] flags: 0x4000000000000200(slab|zone=1)
[ 25.078221][ T20] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3380
[ 25.086652][ T20] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 25.095063][ T20] page dumped because: kasan: bad access detected
[ 25.101307][ T20] page_owner tracks the page as allocated
[ 25.106878][ T20] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 289, ts 23692944849, free_ts 15604099573
[ 25.122740][ T20] post_alloc_hook+0x1a3/0x1b0
[ 25.127338][ T20] prep_new_page+0x1b/0x110
[ 25.131691][ T20] get_page_from_freelist+0x3550/0x35d0
[ 25.137063][ T20] __alloc_pages+0x27e/0x8f0
[ 25.141485][ T20] new_slab+0x9a/0x4e0
[ 25.145515][ T20] ___slab_alloc+0x39e/0x830
[ 25.149978][ T20] __slab_alloc+0x4a/0x90
[ 25.154210][ T20] kmem_cache_alloc+0x134/0x200
[ 25.158980][ T20] skb_clone+0x1d1/0x360
[ 25.163050][ T20] dev_queue_xmit_nit+0x25b/0xa40
[ 25.167933][ T20] dev_hard_start_xmit+0x149/0x620
[ 25.173129][ T20] sch_direct_xmit+0x298/0x9b0
[ 25.177891][ T20] __dev_queue_xmit+0x161e/0x2e70
[ 25.182764][ T20] dev_queue_xmit+0x17/0x20
[ 25.187092][ T20] ip_finish_output2+0xb9f/0xf60
[ 25.191866][ T20] __ip_finish_output+0x162/0x360
[ 25.196836][ T20] page last free stack trace:
[ 25.201459][ T20] free_unref_page_prepare+0x7c8/0x7d0
[ 25.206803][ T20] free_unref_page+0xe8/0x750
[ 25.211318][ T20] __put_page+0xb0/0xe0
[ 25.215313][ T20] anon_pipe_buf_release+0x187/0x200
[ 25.220440][ T20] pipe_read+0x5a6/0x1040
[ 25.224738][ T20] vfs_read+0xa7e/0xd40
[ 25.228697][ T20] ksys_read+0x199/0x2c0
[ 25.232850][ T20] __x64_sys_read+0x7b/0x90
[ 25.237192][ T20] do_syscall_64+0x3d/0xb0
[ 25.241878][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 25.247717][ T20]
[ 25.249865][ T20] Memory state around the buggy address:
[ 25.255703][ T20] ffff888121434280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.263702][ T20] ffff888121434300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[pid 297] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x20000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 297] close(3) = 0
[pid 297] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 297] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 297] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 297] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 297] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x20000000, value=0x20000080, flags=BPF_ANY}, 32) = 0
[pid 297] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 297] write(7, "5", 1) = 1
[ 25.271848][ T20] >ffff888121434380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 25.280088][ T20] ^
[ 25.286273][ T20] ffff888121434400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.294146][ T20] ffff888121434480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 25.302052][ T20] ==================================================================
[ 25.324197][ T297] FAULT_INJECTION: forcing a failure.
[ 25.324197][ T297] name failslab, interval 1, probability 0, space 0, times 0
[ 25.336854][ T297] CPU: 1 PID: 297 Comm: syz-executor533 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 25.348295][ T297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 25.358361][ T297] Call Trace:
[ 25.361484][ T297]
[ 25.364263][ T297] dump_stack_lvl+0x151/0x1b7
[ 25.368791][ T297] ? io_uring_drop_tctx_refs+0x190/0x190
[ 25.374252][ T297] dump_stack+0x15/0x17
[ 25.378239][ T297] should_fail+0x3c6/0x510
[ 25.382498][ T297] __should_failslab+0xa4/0xe0
[ 25.387100][ T297] should_failslab+0x9/0x20
[ 25.391428][ T297] slab_pre_alloc_hook+0x37/0xd0
[ 25.396327][ T297] kmem_cache_alloc_trace+0x48/0x210
[ 25.401539][ T297] ? sk_psock_skb_ingress_self+0x60/0x330
[ 25.407086][ T297] ? migrate_disable+0x190/0x190
[ 25.411866][ T297] sk_psock_skb_ingress_self+0x60/0x330
[ 25.417323][ T297] sk_psock_verdict_recv+0x66d/0x840
[ 25.422462][ T297] unix_read_sock+0x132/0x370
[ 25.426960][ T297] ? sk_psock_skb_redirect+0x440/0x440
[ 25.432259][ T297] ? unix_stream_splice_actor+0x120/0x120
[ 25.437807][ T297] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 25.443110][ T297] ? unix_stream_splice_actor+0x120/0x120
[ 25.448764][ T297] sk_psock_verdict_data_ready+0x147/0x1a0
[ 25.454390][ T297] ? sk_psock_start_verdict+0xc0/0xc0
[ 25.459683][ T297] ? _raw_spin_lock+0xa4/0x1b0
[ 25.464296][ T297] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 25.469928][ T297] ? skb_queue_tail+0xfb/0x120
[ 25.474538][ T297] unix_dgram_sendmsg+0x15fa/0x2090
[ 25.479565][ T297] ? unix_dgram_poll+0x710/0x710
[ 25.484341][ T297] ? security_socket_sendmsg+0x82/0xb0
[ 25.489630][ T297] ? unix_dgram_poll+0x710/0x710
[ 25.494491][ T297] ____sys_sendmsg+0x59e/0x8f0
[ 25.499096][ T297] ? __sys_sendmsg_sock+0x40/0x40
[ 25.503951][ T297] ? import_iovec+0xe5/0x120
[ 25.508390][ T297] ___sys_sendmsg+0x252/0x2e0
[ 25.512886][ T297] ? __sys_sendmsg+0x260/0x260
[ 25.517492][ T297] ? finish_task_switch+0x167/0x7b0
[ 25.522532][ T297] ? __schedule+0xcd4/0x1590
[ 25.526957][ T297] ? __kasan_check_write+0x14/0x20
[ 25.531896][ T297] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 25.537176][ T297] ? __kasan_check_read+0x11/0x20
[ 25.542039][ T297] ? __fdget+0x179/0x240
[ 25.546206][ T297] __se_sys_sendmsg+0x19a/0x260
[ 25.550884][ T297] ? _raw_spin_unlock_irq+0x4e/0x70
[ 25.556153][ T297] ? __x64_sys_sendmsg+0x90/0x90
[ 25.560919][ T297] ? __kasan_check_read+0x11/0x20
[ 25.565777][ T297] __x64_sys_sendmsg+0x7b/0x90
[ 25.570588][ T297] do_syscall_64+0x3d/0xb0
[ 25.575109][ T297] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 25.580830][ T297] RIP: 0033:0x7f0faf3d9b69
[ 25.585582][ T297] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 25.605423][ T297] RSP: 002b:00007fff53268ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 25.613755][ T297] RAX: ffffffffffffffda RBX: 00007fff53268ae0 RCX: 00007f0faf3d9b69
[pid 297] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 297] exit_group(0) = ?
[ 25.621555][ T297] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 25.629541][ T297] RBP: 0000000000000001 R08: 00007fff53268867 R09: 00000000000000a0
[ 25.637355][ T297] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 25.645162][ T297] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 25.652977][ T297]
[ 25.658488][ T42] ==================================================================
[ 25.666528][ T42] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 25.674860][ T42]
[ 25.676959][ T42] CPU: 1 PID: 42 Comm: kworker/1:1 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 25.688148][ T42] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 25.698041][ T42] Workqueue: events bpf_map_free_deferred
[ 25.703597][ T42] Call Trace:
[ 25.706751][ T42]
[ 25.709667][ T42] dump_stack_lvl+0x151/0x1b7
[ 25.714193][ T42] ? io_uring_drop_tctx_refs+0x190/0x190
[ 25.719824][ T42] ? panic+0x751/0x751
[ 25.723723][ T42] ? call_rcu+0xd90/0x1310
[ 25.728067][ T42] ? kmem_cache_free+0x116/0x2e0
[ 25.732837][ T42] print_address_description+0x87/0x3b0
[ 25.738308][ T42] ? kmem_cache_free+0x116/0x2e0
[ 25.743225][ T42] ? kmem_cache_free+0x116/0x2e0
[ 25.748240][ T42] kasan_report_invalid_free+0x6b/0xa0
[ 25.753528][ T42] ____kasan_slab_free+0x13e/0x160
[ 25.758558][ T42] __kasan_slab_free+0x11/0x20
[ 25.763151][ T42] slab_free_freelist_hook+0xbd/0x190
[ 25.768378][ T42] ? kfree_skbmem+0x104/0x170
[ 25.772874][ T42] kmem_cache_free+0x116/0x2e0
[ 25.777492][ T42] kfree_skbmem+0x104/0x170
[ 25.782127][ T42] consume_skb+0xb4/0x250
[ 25.786555][ T42] __sk_msg_free+0x2dd/0x370
[ 25.790972][ T42] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 25.796895][ T42] sk_psock_stop+0x44c/0x4d0
[ 25.801302][ T42] sk_psock_drop+0x219/0x310
[ 25.805951][ T42] sock_map_unref+0x48f/0x4d0
[ 25.810455][ T42] sock_map_free+0x137/0x2b0
[ 25.814856][ T42] bpf_map_free_deferred+0x10d/0x1e0
[ 25.820055][ T42] process_one_work+0x6bb/0xc10
[ 25.824916][ T42] worker_thread+0xad5/0x12a0
[ 25.829420][ T42] ? _raw_spin_lock+0x1b0/0x1b0
[ 25.834380][ T42] kthread+0x421/0x510
[ 25.838273][ T42] ? worker_clr_flags+0x180/0x180
[ 25.843135][ T42] ? kthread_blkcg+0xd0/0xd0
[ 25.847559][ T42] ret_from_fork+0x1f/0x30
[ 25.851814][ T42]
[ 25.854681][ T42]
[ 25.856878][ T42] Allocated by task 297:
[ 25.861030][ T42] __kasan_slab_alloc+0xb1/0xe0
[ 25.865707][ T42] slab_post_alloc_hook+0x53/0x2c0
[ 25.870654][ T42] kmem_cache_alloc+0xf5/0x200
[ 25.875252][ T42] skb_clone+0x1d1/0x360
[ 25.879343][ T42] sk_psock_verdict_recv+0x53/0x840
[ 25.884369][ T42] unix_read_sock+0x132/0x370
[ 25.888871][ T42] sk_psock_verdict_data_ready+0x147/0x1a0
[ 25.894524][ T42] unix_dgram_sendmsg+0x15fa/0x2090
[ 25.899543][ T42] ____sys_sendmsg+0x59e/0x8f0
[ 25.904275][ T42] ___sys_sendmsg+0x252/0x2e0
[ 25.908860][ T42] __se_sys_sendmsg+0x19a/0x260
[ 25.913573][ T42] __x64_sys_sendmsg+0x7b/0x90
[ 25.918146][ T42] do_syscall_64+0x3d/0xb0
[ 25.922499][ T42] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 25.928205][ T42]
[ 25.930383][ T42] Freed by task 42:
[ 25.934222][ T42] kasan_set_track+0x4b/0x70
[ 25.938644][ T42] kasan_set_free_info+0x23/0x40
[ 25.943533][ T42] ____kasan_slab_free+0x126/0x160
[ 25.949160][ T42] __kasan_slab_free+0x11/0x20
[ 25.953849][ T42] slab_free_freelist_hook+0xbd/0x190
[ 25.959151][ T42] kmem_cache_free+0x116/0x2e0
[ 25.963748][ T42] kfree_skbmem+0x104/0x170
[ 25.968284][ T42] kfree_skb+0xc2/0x360
[ 25.972268][ T42] sk_psock_backlog+0xc21/0xd90
[ 25.976938][ T42] process_one_work+0x6bb/0xc10
[ 25.981623][ T42] worker_thread+0xad5/0x12a0
[ 25.986321][ T42] kthread+0x421/0x510
[ 25.990222][ T42] ret_from_fork+0x1f/0x30
[ 25.994466][ T42]
[ 25.996637][ T42] The buggy address belongs to the object at ffff8881215cdc80
[ 25.996637][ T42] which belongs to the cache skbuff_head_cache of size 248
[ 26.011045][ T42] The buggy address is located 0 bytes inside of
[ 26.011045][ T42] 248-byte region [ffff8881215cdc80, ffff8881215cdd78)
[ 26.023981][ T42] The buggy address belongs to the page:
[ 26.029548][ T42] page:ffffea0004857340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1215cd
[ 26.039880][ T42] flags: 0x4000000000000200(slab|zone=1)
[ 26.045270][ T42] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3380
[ 26.053669][ T42] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 26.062087][ T42] page dumped because: kasan: bad access detected
[ 26.068329][ T42] page_owner tracks the page as allocated
[ 26.073980][ T42] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 291, ts 25323565622, free_ts 17883970598
[ 26.089857][ T42] post_alloc_hook+0x1a3/0x1b0
[ 26.094649][ T42] prep_new_page+0x1b/0x110
[ 26.098976][ T42] get_page_from_freelist+0x3550/0x35d0
[ 26.104361][ T42] __alloc_pages+0x27e/0x8f0
[ 26.108787][ T42] new_slab+0x9a/0x4e0
[ 26.113045][ T42] ___slab_alloc+0x39e/0x830
[ 26.117558][ T42] kmem_cache_alloc_bulk+0x104/0x360
[ 26.122681][ T42] napi_skb_cache_get+0x11f/0x1f0
[ 26.127638][ T42] __alloc_skb+0xd5/0x550
[ 26.131792][ T42] __napi_alloc_skb+0x167/0x2e0
[ 26.136469][ T42] page_to_skb+0x2a5/0xb40
[ 26.140806][ T42] receive_buf+0xed6/0x5720
[ 26.145252][ T42] virtnet_poll+0x628/0x1260
[ 26.149990][ T42] __napi_poll+0xc4/0x5a0
[ 26.154183][ T42] net_rx_action+0x47d/0xc50
[ 26.158687][ T42] __do_softirq+0x26d/0x5bf
[ 26.163099][ T42] page last free stack trace:
[ 26.167651][ T42] free_unref_page_prepare+0x7c8/0x7d0
[ 26.173013][ T42] free_unref_page+0xe8/0x750
[ 26.177521][ T42] __put_page+0xb0/0xe0
[ 26.181512][ T42] anon_pipe_buf_release+0x187/0x200
[ 26.186722][ T42] pipe_read+0x5a6/0x1040
[ 26.190891][ T42] vfs_read+0xa7e/0xd40
[ 26.194979][ T42] ksys_read+0x199/0x2c0
[ 26.199051][ T42] __x64_sys_read+0x7b/0x90
[ 26.203393][ T42] do_syscall_64+0x3d/0xb0
[ 26.207636][ T42] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 26.213372][ T42]
[ 26.215535][ T42] Memory state around the buggy address:
[ 26.221008][ T42] ffff8881215cdb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[pid 297] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=297, si_uid=0, si_status=0, si_utime=0, si_stime=114} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 299
./strace-static-x86_64: Process 299 attached
[pid 299] set_robust_list(0x555556e17660, 24) = 0
[pid 299] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 299] setpgid(0, 0) = 0
[pid 299] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 299] write(3, "1000", 4) = 4
executing program
[pid 299] close(3) = 0
[pid 299] write(1, "executing program\n", 18) = 18
[pid 299] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x20000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 299] close(3) = 0
[pid 299] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 299] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 299] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 299] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 299] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x20000000, value=0x20000080, flags=BPF_ANY}, 32) = 0
[pid 299] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 299] write(7, "5", 1) = 1
[ 26.228906][ T42] ffff8881215cdc00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 26.236889][ T42] >ffff8881215cdc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.244976][ T42] ^
[ 26.248905][ T42] ffff8881215cdd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 26.256783][ T42] ffff8881215cdd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 26.265149][ T42] ==================================================================
[ 26.290928][ T299] FAULT_INJECTION: forcing a failure.
[ 26.290928][ T299] name failslab, interval 1, probability 0, space 0, times 0
[ 26.303486][ T299] CPU: 0 PID: 299 Comm: syz-executor533 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 26.314914][ T299] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 26.324806][ T299] Call Trace:
[ 26.327932][ T299]
[ 26.330708][ T299] dump_stack_lvl+0x151/0x1b7
[ 26.335309][ T299] ? io_uring_drop_tctx_refs+0x190/0x190
[ 26.340770][ T299] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 26.346415][ T299] ? __skb_try_recv_datagram+0x495/0x6a0
[ 26.351896][ T299] dump_stack+0x15/0x17
[ 26.355971][ T299] should_fail+0x3c6/0x510
[ 26.360225][ T299] __should_failslab+0xa4/0xe0
[ 26.364953][ T299] ? skb_clone+0x1d1/0x360
[ 26.369204][ T299] should_failslab+0x9/0x20
[ 26.373538][ T299] slab_pre_alloc_hook+0x37/0xd0
[ 26.378331][ T299] ? skb_clone+0x1d1/0x360
[ 26.382562][ T299] kmem_cache_alloc+0x44/0x200
[ 26.387174][ T299] skb_clone+0x1d1/0x360
[ 26.391243][ T299] sk_psock_verdict_recv+0x53/0x840
[ 26.396278][ T299] ? avc_has_perm_noaudit+0x430/0x430
[ 26.401627][ T299] unix_read_sock+0x132/0x370
[ 26.406154][ T299] ? sk_psock_skb_redirect+0x440/0x440
[ 26.411427][ T299] ? unix_stream_splice_actor+0x120/0x120
[ 26.416988][ T299] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 26.422291][ T299] ? unix_stream_splice_actor+0x120/0x120
[ 26.427829][ T299] sk_psock_verdict_data_ready+0x147/0x1a0
[ 26.433563][ T299] ? sk_psock_start_verdict+0xc0/0xc0
[ 26.438772][ T299] ? _raw_spin_lock+0xa4/0x1b0
[ 26.443619][ T299] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 26.449400][ T299] ? skb_queue_tail+0xfb/0x120
[ 26.454082][ T299] unix_dgram_sendmsg+0x15fa/0x2090
[ 26.459133][ T299] ? unix_dgram_poll+0x710/0x710
[ 26.464030][ T299] ? security_socket_sendmsg+0x82/0xb0
[ 26.469319][ T299] ? unix_dgram_poll+0x710/0x710
[ 26.474188][ T299] ____sys_sendmsg+0x59e/0x8f0
[ 26.478874][ T299] ? __sys_sendmsg_sock+0x40/0x40
[ 26.483735][ T299] ? import_iovec+0xe5/0x120
[ 26.488264][ T299] ___sys_sendmsg+0x252/0x2e0
[ 26.492762][ T299] ? __sys_sendmsg+0x260/0x260
[ 26.497541][ T299] ? finish_task_switch+0x167/0x7b0
[ 26.502568][ T299] ? __schedule+0xcd4/0x1590
[ 26.507000][ T299] ? __kasan_check_write+0x14/0x20
[ 26.512031][ T299] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 26.517762][ T299] ? __kasan_check_read+0x11/0x20
[ 26.523704][ T299] ? __fdget+0x179/0x240
[ 26.527773][ T299] __se_sys_sendmsg+0x19a/0x260
[ 26.532549][ T299] ? _raw_spin_unlock_irq+0x4e/0x70
[ 26.537577][ T299] ? __x64_sys_sendmsg+0x90/0x90
[ 26.542469][ T299] ? __kasan_check_read+0x11/0x20
[ 26.547735][ T299] __x64_sys_sendmsg+0x7b/0x90
[ 26.552511][ T299] do_syscall_64+0x3d/0xb0
[ 26.557198][ T299] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 26.562921][ T299] RIP: 0033:0x7f0faf3d9b69
[ 26.567375][ T299] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[pid 299] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 299] exit_group(0) = ?
[pid 299] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=299, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 301
./strace-static-x86_64: Process 301 attached
[pid 301] set_robust_list(0x555556e17660, 24) = 0
[pid 301] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 301] setpgid(0, 0) = 0
[pid 301] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 301] write(3, "1000", 4) = 4
[pid 301] close(3) = 0
[pid 301] write(1, "executing program\n", 18) = 18
executing program
[pid 301] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x20000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 301] close(3) = 0
[pid 301] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 301] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 301] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 301] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 301] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x20000000, value=0x20000080, flags=BPF_ANY}, 32) = 0
[pid 301] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 301] write(7, "5", 1) = 1
[ 26.587597][ T299] RSP: 002b:00007fff53268ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 26.595944][ T299] RAX: ffffffffffffffda RBX: 00007fff53268ae0 RCX: 00007f0faf3d9b69
[ 26.603826][ T299] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 26.611640][ T299] RBP: 0000000000000001 R08: 00007fff53268867 R09: 00000000000000a0
[ 26.619449][ T299] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 26.628034][ T299] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 26.636117][ T299]
[ 26.651981][ T301] FAULT_INJECTION: forcing a failure.
[ 26.651981][ T301] name failslab, interval 1, probability 0, space 0, times 0
[ 26.664988][ T301] CPU: 0 PID: 301 Comm: syz-executor533 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 26.676458][ T301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 26.686449][ T301] Call Trace:
[ 26.689605][ T301]
[ 26.692443][ T301] dump_stack_lvl+0x151/0x1b7
[ 26.696990][ T301] ? io_uring_drop_tctx_refs+0x190/0x190
[ 26.702416][ T301] dump_stack+0x15/0x17
[ 26.706499][ T301] should_fail+0x3c6/0x510
[ 26.710835][ T301] __should_failslab+0xa4/0xe0
[ 26.715437][ T301] should_failslab+0x9/0x20
[ 26.719775][ T301] slab_pre_alloc_hook+0x37/0xd0
[ 26.724733][ T301] kmem_cache_alloc_trace+0x48/0x210
[ 26.729845][ T301] ? sk_psock_skb_ingress_self+0x60/0x330
[ 26.735486][ T301] ? migrate_disable+0x190/0x190
[ 26.740271][ T301] sk_psock_skb_ingress_self+0x60/0x330
[ 26.745725][ T301] sk_psock_verdict_recv+0x66d/0x840
[ 26.750848][ T301] unix_read_sock+0x132/0x370
[ 26.755367][ T301] ? sk_psock_skb_redirect+0x440/0x440
[ 26.760913][ T301] ? unix_stream_splice_actor+0x120/0x120
[ 26.766472][ T301] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 26.772024][ T301] ? unix_stream_splice_actor+0x120/0x120
[ 26.777877][ T301] sk_psock_verdict_data_ready+0x147/0x1a0
[ 26.783687][ T301] ? sk_psock_start_verdict+0xc0/0xc0
[ 26.788907][ T301] ? _raw_spin_lock+0xa4/0x1b0
[ 26.793503][ T301] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 26.799150][ T301] ? skb_queue_tail+0xfb/0x120
[ 26.803822][ T301] unix_dgram_sendmsg+0x15fa/0x2090
[ 26.808956][ T301] ? unix_dgram_poll+0x710/0x710
[ 26.813732][ T301] ? security_socket_sendmsg+0x82/0xb0
[ 26.819016][ T301] ? unix_dgram_poll+0x710/0x710
[ 26.823895][ T301] ____sys_sendmsg+0x59e/0x8f0
[ 26.828571][ T301] ? __sys_sendmsg_sock+0x40/0x40
[ 26.833678][ T301] ? import_iovec+0xe5/0x120
[ 26.838376][ T301] ___sys_sendmsg+0x252/0x2e0
[ 26.842876][ T301] ? __sys_sendmsg+0x260/0x260
[ 26.847615][ T301] ? finish_task_switch+0x167/0x7b0
[ 26.852739][ T301] ? __schedule+0xcd4/0x1590
[ 26.857330][ T301] ? __kasan_check_write+0x14/0x20
[ 26.862294][ T301] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 26.867239][ T301] ? __kasan_check_read+0x11/0x20
[ 26.872790][ T301] ? __fdget+0x179/0x240
[ 26.876945][ T301] __se_sys_sendmsg+0x19a/0x260
[ 26.881799][ T301] ? _raw_spin_unlock_irq+0x4e/0x70
[ 26.886776][ T301] ? __x64_sys_sendmsg+0x90/0x90
[ 26.891545][ T301] ? __kasan_check_read+0x11/0x20
[ 26.896497][ T301] __x64_sys_sendmsg+0x7b/0x90
[ 26.901097][ T301] do_syscall_64+0x3d/0xb0
[ 26.905486][ T301] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 26.911193][ T301] RIP: 0033:0x7f0faf3d9b69
[ 26.915449][ T301] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 26.935699][ T301] RSP: 002b:00007fff53268ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 26.944586][ T301] RAX: ffffffffffffffda RBX: 00007fff53268ae0 RCX: 00007f0faf3d9b69
[pid 301] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 301] exit_group(0) = ?
[pid 301] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=301, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 302
./strace-static-x86_64: Process 302 attached
[pid 302] set_robust_list(0x555556e17660, 24) = 0
[pid 302] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 302] setpgid(0, 0) = 0
[pid 302] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 302] write(3, "1000", 4) = 4
[pid 302] close(3) = 0
[pid 302] write(1, "executing program\n", 18) = 18
executing program
[ 26.952393][ T301] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 26.960207][ T301] RBP: 0000000000000001 R08: 00007fff53268867 R09: 00000000000000a0
[ 26.968364][ T301] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 26.976179][ T301] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 26.984161][ T301]
[ 26.990143][ T42] ==================================================================
[ 26.998449][ T42] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 27.006701][ T42]
[ 27.008868][ T42] CPU: 1 PID: 42 Comm: kworker/1:1 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 27.020095][ T42] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 27.030140][ T42] Workqueue: events bpf_map_free_deferred
[ 27.036125][ T42] Call Trace:
[ 27.039259][ T42]
[ 27.042021][ T42] dump_stack_lvl+0x151/0x1b7
[ 27.046535][ T42] ? io_uring_drop_tctx_refs+0x190/0x190
[ 27.052132][ T42] ? panic+0x751/0x751
[ 27.055997][ T42] ? call_rcu+0xd90/0x1310
[ 27.060339][ T42] ? kmem_cache_free+0x116/0x2e0
[ 27.065110][ T42] print_address_description+0x87/0x3b0
[ 27.070495][ T42] ? kmem_cache_free+0x116/0x2e0
[ 27.075274][ T42] ? kmem_cache_free+0x116/0x2e0
[ 27.080234][ T42] kasan_report_invalid_free+0x6b/0xa0
[ 27.085689][ T42] ____kasan_slab_free+0x13e/0x160
[ 27.090639][ T42] __kasan_slab_free+0x11/0x20
[ 27.095497][ T42] slab_free_freelist_hook+0xbd/0x190
[ 27.100907][ T42] ? kfree_skbmem+0x104/0x170
[ 27.105395][ T42] kmem_cache_free+0x116/0x2e0
[ 27.110088][ T42] kfree_skbmem+0x104/0x170
[ 27.114811][ T42] consume_skb+0xb4/0x250
[ 27.119028][ T42] __sk_msg_free+0x2dd/0x370
[ 27.123455][ T42] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 27.129344][ T42] sk_psock_stop+0x44c/0x4d0
[ 27.133810][ T42] sk_psock_drop+0x219/0x310
[ 27.138258][ T42] sock_map_unref+0x48f/0x4d0
[ 27.142743][ T42] sock_map_free+0x137/0x2b0
[ 27.147279][ T42] bpf_map_free_deferred+0x10d/0x1e0
[ 27.152393][ T42] process_one_work+0x6bb/0xc10
[ 27.157085][ T42] worker_thread+0xad5/0x12a0
[ 27.161592][ T42] ? _raw_spin_lock+0x1b0/0x1b0
[ 27.166278][ T42] kthread+0x421/0x510
[ 27.170190][ T42] ? worker_clr_flags+0x180/0x180
[ 27.175178][ T42] ? kthread_blkcg+0xd0/0xd0
[ 27.179753][ T42] ret_from_fork+0x1f/0x30
[ 27.184157][ T42]
[ 27.187054][ T42]
[ 27.189189][ T42] Allocated by task 301:
[ 27.193280][ T42] __kasan_slab_alloc+0xb1/0xe0
[ 27.197957][ T42] slab_post_alloc_hook+0x53/0x2c0
[ 27.202903][ T42] kmem_cache_alloc+0xf5/0x200
[ 27.207500][ T42] skb_clone+0x1d1/0x360
[ 27.211583][ T42] sk_psock_verdict_recv+0x53/0x840
[ 27.216616][ T42] unix_read_sock+0x132/0x370
[ 27.221229][ T42] sk_psock_verdict_data_ready+0x147/0x1a0
[ 27.226861][ T42] unix_dgram_sendmsg+0x15fa/0x2090
[ 27.231895][ T42] ____sys_sendmsg+0x59e/0x8f0
[ 27.236496][ T42] ___sys_sendmsg+0x252/0x2e0
[ 27.241008][ T42] __se_sys_sendmsg+0x19a/0x260
[ 27.245783][ T42] __x64_sys_sendmsg+0x7b/0x90
[ 27.250393][ T42] do_syscall_64+0x3d/0xb0
[ 27.254636][ T42] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 27.260367][ T42]
[ 27.262539][ T42] Freed by task 20:
[ 27.266721][ T42] kasan_set_track+0x4b/0x70
[ 27.271302][ T42] kasan_set_free_info+0x23/0x40
[ 27.276877][ T42] ____kasan_slab_free+0x126/0x160
[ 27.281834][ T42] __kasan_slab_free+0x11/0x20
[ 27.286421][ T42] slab_free_freelist_hook+0xbd/0x190
[ 27.291636][ T42] kmem_cache_free+0x116/0x2e0
[ 27.296257][ T42] kfree_skbmem+0x104/0x170
[ 27.300665][ T42] kfree_skb+0xc2/0x360
[ 27.304661][ T42] sk_psock_backlog+0xc21/0xd90
[ 27.309333][ T42] process_one_work+0x6bb/0xc10
[ 27.314423][ T42] worker_thread+0xad5/0x12a0
[ 27.318887][ T42] kthread+0x421/0x510
[ 27.322874][ T42] ret_from_fork+0x1f/0x30
[ 27.327302][ T42]
[ 27.329460][ T42] The buggy address belongs to the object at ffff888120fdf780
[ 27.329460][ T42] which belongs to the cache skbuff_head_cache of size 248
[ 27.343885][ T42] The buggy address is located 0 bytes inside of
[ 27.343885][ T42] 248-byte region [ffff888120fdf780, ffff888120fdf878)
[ 27.356894][ T42] The buggy address belongs to the page:
[ 27.362367][ T42] page:ffffea000483f7c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x120fdf
[ 27.372428][ T42] flags: 0x4000000000000200(slab|zone=1)
[ 27.377901][ T42] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3380
[ 27.386504][ T42] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 27.394904][ T42] page dumped because: kasan: bad access detected
[ 27.401241][ T42] page_owner tracks the page as allocated
[ 27.406797][ T42] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 289, ts 26651054670, free_ts 26648243701
[ 27.422590][ T42] post_alloc_hook+0x1a3/0x1b0
[ 27.427189][ T42] prep_new_page+0x1b/0x110
[ 27.431528][ T42] get_page_from_freelist+0x3550/0x35d0
[ 27.436994][ T42] __alloc_pages+0x27e/0x8f0
[ 27.441421][ T42] new_slab+0x9a/0x4e0
[ 27.445338][ T42] ___slab_alloc+0x39e/0x830
[ 27.449767][ T42] __slab_alloc+0x4a/0x90
[ 27.454035][ T42] kmem_cache_alloc+0x134/0x200
[ 27.458895][ T42] skb_clone+0x1d1/0x360
[ 27.462973][ T42] dev_queue_xmit_nit+0x25b/0xa40
[ 27.467936][ T42] dev_hard_start_xmit+0x149/0x620
[ 27.472873][ T42] sch_direct_xmit+0x298/0x9b0
[ 27.477481][ T42] __dev_queue_xmit+0x161e/0x2e70
[ 27.482333][ T42] dev_queue_xmit+0x17/0x20
[ 27.486673][ T42] ip_finish_output2+0xb9f/0xf60
[ 27.491446][ T42] __ip_finish_output+0x162/0x360
[ 27.496310][ T42] page last free stack trace:
[ 27.500822][ T42] free_unref_page_prepare+0x7c8/0x7d0
[ 27.506202][ T42] free_unref_page+0xe8/0x750
[ 27.510715][ T42] __free_pages+0x61/0xf0
[ 27.515055][ T42] __vunmap+0x7bc/0x8f0
[ 27.519059][ T42] vfree+0x7f/0xb0
[ 27.522694][ T42] bpf_patch_insn_data+0x7f0/0xde0
[ 27.527684][ T42] bpf_check+0x6653/0x12bf0
[ 27.531980][ T42] bpf_prog_load+0x12ac/0x1b50
[ 27.536607][ T42] __sys_bpf+0x4bc/0x760
[ 27.540659][ T42] __x64_sys_bpf+0x7c/0x90
[ 27.544910][ T42] do_syscall_64+0x3d/0xb0
[ 27.549171][ T42] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[pid 302] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x20000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 302] close(3) = 0
[ 27.554992][ T42]
[ 27.557147][ T42] Memory state around the buggy address:
[ 27.562619][ T42] ffff888120fdf680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.570530][ T42] ffff888120fdf700: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 27.578599][ T42] >ffff888120fdf780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.586499][ T42] ^
[ 27.590403][ T42] ffff888120fdf800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 27.598312][ T42] ffff888120fdf880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[pid 302] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 302] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 302] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 302] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 302] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x20000000, value=0x20000080, flags=BPF_ANY}, 32) = 0
[pid 302] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 302] write(7, "5", 1) = 1
[ 27.606395][ T42] ==================================================================
[ 27.619145][ T302] FAULT_INJECTION: forcing a failure.
[ 27.619145][ T302] name failslab, interval 1, probability 0, space 0, times 0
[ 27.632376][ T302] CPU: 1 PID: 302 Comm: syz-executor533 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 27.644368][ T302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 27.655923][ T302] Call Trace:
[ 27.659919][ T302]
[ 27.662687][ T302] dump_stack_lvl+0x151/0x1b7
[ 27.667308][ T302] ? io_uring_drop_tctx_refs+0x190/0x190
[ 27.672779][ T302] dump_stack+0x15/0x17
[ 27.676767][ T302] should_fail+0x3c6/0x510
[ 27.681098][ T302] __should_failslab+0xa4/0xe0
[ 27.685705][ T302] should_failslab+0x9/0x20
[ 27.690077][ T302] slab_pre_alloc_hook+0x37/0xd0
[ 27.694840][ T302] kmem_cache_alloc_trace+0x48/0x210
[ 27.700230][ T302] ? sk_psock_skb_ingress_self+0x60/0x330
[ 27.705788][ T302] ? migrate_disable+0x190/0x190
[ 27.710531][ T302] sk_psock_skb_ingress_self+0x60/0x330
[ 27.715922][ T302] sk_psock_verdict_recv+0x66d/0x840
[ 27.721291][ T302] unix_read_sock+0x132/0x370
[ 27.725802][ T302] ? sk_psock_skb_redirect+0x440/0x440
[ 27.731097][ T302] ? unix_stream_splice_actor+0x120/0x120
[ 27.736671][ T302] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 27.741953][ T302] ? unix_stream_splice_actor+0x120/0x120
[ 27.747504][ T302] sk_psock_verdict_data_ready+0x147/0x1a0
[ 27.753143][ T302] ? sk_psock_start_verdict+0xc0/0xc0
[ 27.758366][ T302] ? _raw_spin_lock+0xa4/0x1b0
[ 27.762960][ T302] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 27.768594][ T302] ? skb_queue_tail+0xfb/0x120
[ 27.773192][ T302] unix_dgram_sendmsg+0x15fa/0x2090
[ 27.778248][ T302] ? unix_dgram_poll+0x710/0x710
[ 27.783252][ T302] ? security_socket_sendmsg+0x82/0xb0
[ 27.788538][ T302] ? unix_dgram_poll+0x710/0x710
[ 27.793406][ T302] ____sys_sendmsg+0x59e/0x8f0
[ 27.798014][ T302] ? __sys_sendmsg_sock+0x40/0x40
[ 27.802860][ T302] ? import_iovec+0xe5/0x120
[ 27.807284][ T302] ___sys_sendmsg+0x252/0x2e0
[ 27.811799][ T302] ? __sys_sendmsg+0x260/0x260
[ 27.816494][ T302] ? finish_task_switch+0x167/0x7b0
[ 27.821526][ T302] ? __schedule+0xcd4/0x1590
[ 27.825954][ T302] ? __kasan_check_write+0x14/0x20
[ 27.830909][ T302] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 27.835953][ T302] ? __kasan_check_read+0x11/0x20
[ 27.840794][ T302] ? __fdget+0x179/0x240
[ 27.844980][ T302] __se_sys_sendmsg+0x19a/0x260
[ 27.849821][ T302] ? _raw_spin_unlock_irq+0x4e/0x70
[ 27.854938][ T302] ? __x64_sys_sendmsg+0x90/0x90
[ 27.859819][ T302] ? __kasan_check_read+0x11/0x20
[ 27.864693][ T302] __x64_sys_sendmsg+0x7b/0x90
[ 27.869260][ T302] do_syscall_64+0x3d/0xb0
[ 27.873509][ T302] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 27.879326][ T302] RIP: 0033:0x7f0faf3d9b69
[ 27.883587][ T302] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[pid 302] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 302] exit_group(0) = ?
[pid 302] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=302, si_uid=0, si_status=0, si_utime=0, si_stime=62} ---
[ 27.903195][ T302] RSP: 002b:00007fff53268ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 27.911540][ T302] RAX: ffffffffffffffda RBX: 00007fff53268ae0 RCX: 00007f0faf3d9b69
[ 27.919614][ T302] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 27.927552][ T302] RBP: 0000000000000001 R08: 00007fff53268867 R09: 00000000000000a0
[ 27.935357][ T302] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 27.943175][ T302] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 27.951073][ T302]
[ 27.956316][ T20] ==================================================================
[ 27.964482][ T20] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 27.972725][ T20]
[ 27.974899][ T20] CPU: 0 PID: 20 Comm: kworker/0:1 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 27.986123][ T20] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 27.996019][ T20] Workqueue: events bpf_map_free_deferred
[ 28.001659][ T20] Call Trace:
[ 28.004790][ T20]
[ 28.007575][ T20] dump_stack_lvl+0x151/0x1b7
[ 28.012389][ T20] ? io_uring_drop_tctx_refs+0x190/0x190
[ 28.017859][ T20] ? panic+0x751/0x751
[ 28.021836][ T20] ? kasan_set_free_info+0x23/0x40
[ 28.026875][ T20] ? ____kasan_slab_free+0x126/0x160
[ 28.032365][ T20] ? kmem_cache_free+0x116/0x2e0
[ 28.037121][ T20] print_address_description+0x87/0x3b0
[ 28.042497][ T20] ? worker_thread+0xad5/0x12a0
[ 28.047315][ T20] ? kthread+0x421/0x510
[ 28.051446][ T20] ? kmem_cache_free+0x116/0x2e0
[ 28.056583][ T20] ? kmem_cache_free+0x116/0x2e0
[ 28.061515][ T20] kasan_report_invalid_free+0x6b/0xa0
[ 28.066826][ T20] ____kasan_slab_free+0x13e/0x160
[ 28.071759][ T20] __kasan_slab_free+0x11/0x20
[ 28.076366][ T20] slab_free_freelist_hook+0xbd/0x190
[ 28.081702][ T20] ? kfree_skbmem+0x104/0x170
[ 28.086209][ T20] kmem_cache_free+0x116/0x2e0
[ 28.090820][ T20] kfree_skbmem+0x104/0x170
[ 28.095149][ T20] consume_skb+0xb4/0x250
[ 28.099327][ T20] __sk_msg_free+0x2dd/0x370
[ 28.103741][ T20] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 28.109381][ T20] sk_psock_stop+0x44c/0x4d0
[ 28.113826][ T20] sk_psock_drop+0x219/0x310
[ 28.119015][ T20] sock_map_unref+0x48f/0x4d0
[ 28.123527][ T20] sock_map_free+0x137/0x2b0
[ 28.127955][ T20] bpf_map_free_deferred+0x10d/0x1e0
[ 28.133076][ T20] process_one_work+0x6bb/0xc10
[ 28.137764][ T20] worker_thread+0xad5/0x12a0
[ 28.142360][ T20] ? _raw_spin_lock+0x1b0/0x1b0
[ 28.147049][ T20] kthread+0x421/0x510
[ 28.150953][ T20] ? worker_clr_flags+0x180/0x180
[ 28.155813][ T20] ? kthread_blkcg+0xd0/0xd0
[ 28.160239][ T20] ret_from_fork+0x1f/0x30
[ 28.164493][ T20]
[ 28.167378][ T20]
[ 28.169542][ T20] Allocated by task 302:
[ 28.173611][ T20] __kasan_slab_alloc+0xb1/0xe0
[ 28.178290][ T20] slab_post_alloc_hook+0x53/0x2c0
[ 28.183283][ T20] kmem_cache_alloc+0xf5/0x200
[ 28.188006][ T20] skb_clone+0x1d1/0x360
[ 28.192078][ T20] sk_psock_verdict_recv+0x53/0x840
[ 28.197136][ T20] unix_read_sock+0x132/0x370
[ 28.201625][ T20] sk_psock_verdict_data_ready+0x147/0x1a0
[ 28.207387][ T20] unix_dgram_sendmsg+0x15fa/0x2090
[ 28.212414][ T20] ____sys_sendmsg+0x59e/0x8f0
[ 28.217098][ T20] ___sys_sendmsg+0x252/0x2e0
[ 28.221682][ T20] __se_sys_sendmsg+0x19a/0x260
[ 28.226378][ T20] __x64_sys_sendmsg+0x7b/0x90
[ 28.230968][ T20] do_syscall_64+0x3d/0xb0
[ 28.235229][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 28.240956][ T20]
[ 28.243147][ T20] Freed by task 60:
[ 28.246764][ T20] kasan_set_track+0x4b/0x70
[ 28.251189][ T20] kasan_set_free_info+0x23/0x40
[ 28.255962][ T20] ____kasan_slab_free+0x126/0x160
[ 28.261197][ T20] __kasan_slab_free+0x11/0x20
[ 28.265867][ T20] slab_free_freelist_hook+0xbd/0x190
[ 28.271068][ T20] kmem_cache_free+0x116/0x2e0
[ 28.275668][ T20] kfree_skbmem+0x104/0x170
[ 28.280022][ T20] kfree_skb+0xc2/0x360
[ 28.284104][ T20] sk_psock_backlog+0xc21/0xd90
[ 28.288968][ T20] process_one_work+0x6bb/0xc10
[ 28.293730][ T20] worker_thread+0xad5/0x12a0
[ 28.298248][ T20] kthread+0x421/0x510
[ 28.302476][ T20] ret_from_fork+0x1f/0x30
[ 28.306717][ T20]
[ 28.308894][ T20] The buggy address belongs to the object at ffff8881214308c0
[ 28.308894][ T20] which belongs to the cache skbuff_head_cache of size 248
[ 28.323480][ T20] The buggy address is located 0 bytes inside of
[ 28.323480][ T20] 248-byte region [ffff8881214308c0, ffff8881214309b8)
[ 28.336670][ T20] The buggy address belongs to the page:
[ 28.342233][ T20] page:ffffea0004850c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121430
[ 28.352431][ T20] flags: 0x4000000000000200(slab|zone=1)
[ 28.357954][ T20] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3380
[ 28.366363][ T20] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 28.375046][ T20] page dumped because: kasan: bad access detected
[ 28.381627][ T20] page_owner tracks the page as allocated
[ 28.387167][ T20] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 289, ts 27617150598, free_ts 27616573314
[ 28.402973][ T20] post_alloc_hook+0x1a3/0x1b0
[ 28.407561][ T20] prep_new_page+0x1b/0x110
[ 28.411909][ T20] get_page_from_freelist+0x3550/0x35d0
[ 28.417281][ T20] __alloc_pages+0x27e/0x8f0
[ 28.421714][ T20] new_slab+0x9a/0x4e0
[ 28.425713][ T20] ___slab_alloc+0x39e/0x830
[ 28.430137][ T20] __slab_alloc+0x4a/0x90
[ 28.434292][ T20] kmem_cache_alloc+0x134/0x200
[ 28.438979][ T20] skb_clone+0x1d1/0x360
[ 28.443062][ T20] dev_queue_xmit_nit+0x25b/0xa40
[ 28.447917][ T20] dev_hard_start_xmit+0x149/0x620
[ 28.452865][ T20] sch_direct_xmit+0x298/0x9b0
[ 28.457466][ T20] __dev_queue_xmit+0x161e/0x2e70
[ 28.462324][ T20] dev_queue_xmit+0x17/0x20
[ 28.466670][ T20] ip_finish_output2+0xb9f/0xf60
[ 28.471438][ T20] __ip_finish_output+0x162/0x360
[ 28.476311][ T20] page last free stack trace:
[ 28.480812][ T20] free_unref_page_prepare+0x7c8/0x7d0
[ 28.486106][ T20] free_unref_page+0xe8/0x750
[ 28.490620][ T20] __free_pages+0x61/0xf0
[ 28.494796][ T20] __vunmap+0x7bc/0x8f0
[ 28.498959][ T20] vfree+0x7f/0xb0
[ 28.502529][ T20] bpf_patch_insn_data+0x7f0/0xde0
[ 28.507534][ T20] bpf_check+0x6653/0x12bf0
[ 28.511804][ T20] bpf_prog_load+0x12ac/0x1b50
[ 28.516515][ T20] __sys_bpf+0x4bc/0x760
[ 28.520766][ T20] __x64_sys_bpf+0x7c/0x90
[ 28.525013][ T20] do_syscall_64+0x3d/0xb0
[ 28.529271][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 28.535626][ T20]
[ 28.537768][ T20] Memory state around the buggy address:
[ 28.543327][ T20] ffff888121430780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.551237][ T20] ffff888121430800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 304
./strace-static-x86_64: Process 304 attached
[pid 304] set_robust_list(0x555556e17660, 24) = 0
[pid 304] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 304] setpgid(0, 0) = 0
[pid 304] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 304] write(3, "1000", 4) = 4
[pid 304] close(3) = 0
[pid 304] write(1, "executing program\n", 18) = 18
executing program
[pid 304] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x20000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 304] close(3) = 0
[pid 304] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 304] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 304] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 304] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 304] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x20000000, value=0x20000080, flags=BPF_ANY}, 32) = 0
[pid 304] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 304] write(7, "5", 1) = 1
[ 28.559126][ T20] >ffff888121430880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 28.567133][ T20] ^
[ 28.573112][ T20] ffff888121430900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.581435][ T20] ffff888121430980: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 28.589533][ T20] ==================================================================
[ 28.606484][ T304] FAULT_INJECTION: forcing a failure.
[ 28.606484][ T304] name failslab, interval 1, probability 0, space 0, times 0
[ 28.619728][ T304] CPU: 0 PID: 304 Comm: syz-executor533 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 28.631268][ T304] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 28.642308][ T304] Call Trace:
[ 28.645511][ T304]
[ 28.648298][ T304] dump_stack_lvl+0x151/0x1b7
[ 28.652825][ T304] ? io_uring_drop_tctx_refs+0x190/0x190
[ 28.661148][ T304] dump_stack+0x15/0x17
[ 28.665417][ T304] should_fail+0x3c6/0x510
[ 28.669812][ T304] __should_failslab+0xa4/0xe0
[ 28.675113][ T304] should_failslab+0x9/0x20
[ 28.679449][ T304] slab_pre_alloc_hook+0x37/0xd0
[ 28.684326][ T304] kmem_cache_alloc_trace+0x48/0x210
[ 28.689445][ T304] ? sk_psock_skb_ingress_self+0x60/0x330
[ 28.695009][ T304] ? migrate_disable+0x190/0x190
[ 28.699785][ T304] sk_psock_skb_ingress_self+0x60/0x330
[ 28.705242][ T304] sk_psock_verdict_recv+0x66d/0x840
[ 28.710359][ T304] unix_read_sock+0x132/0x370
[ 28.714875][ T304] ? sk_psock_skb_redirect+0x440/0x440
[ 28.720243][ T304] ? unix_stream_splice_actor+0x120/0x120
[ 28.725731][ T304] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 28.731032][ T304] ? unix_stream_splice_actor+0x120/0x120
[ 28.736668][ T304] sk_psock_verdict_data_ready+0x147/0x1a0
[ 28.742314][ T304] ? sk_psock_start_verdict+0xc0/0xc0
[ 28.747548][ T304] ? _raw_spin_lock+0xa4/0x1b0
[ 28.752399][ T304] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 28.758239][ T304] ? skb_queue_tail+0xfb/0x120
[ 28.763253][ T304] unix_dgram_sendmsg+0x15fa/0x2090
[ 28.768367][ T304] ? unix_dgram_poll+0x710/0x710
[ 28.773242][ T304] ? security_socket_sendmsg+0x82/0xb0
[ 28.778794][ T304] ? unix_dgram_poll+0x710/0x710
[ 28.783558][ T304] ____sys_sendmsg+0x59e/0x8f0
[ 28.788446][ T304] ? __sys_sendmsg_sock+0x40/0x40
[ 28.793594][ T304] ? import_iovec+0xe5/0x120
[ 28.798232][ T304] ___sys_sendmsg+0x252/0x2e0
[ 28.802824][ T304] ? __sys_sendmsg+0x260/0x260
[ 28.807526][ T304] ? finish_task_switch+0x167/0x7b0
[ 28.812553][ T304] ? __schedule+0xcd4/0x1590
[ 28.817117][ T304] ? __kasan_check_write+0x14/0x20
[ 28.822047][ T304] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 28.826984][ T304] ? __kasan_check_read+0x11/0x20
[ 28.831871][ T304] ? __fdget+0x179/0x240
[ 28.835933][ T304] __se_sys_sendmsg+0x19a/0x260
[ 28.840616][ T304] ? _raw_spin_unlock_irq+0x4e/0x70
[ 28.845667][ T304] ? __x64_sys_sendmsg+0x90/0x90
[ 28.850430][ T304] ? __kasan_check_read+0x11/0x20
[ 28.855386][ T304] __x64_sys_sendmsg+0x7b/0x90
[ 28.859968][ T304] do_syscall_64+0x3d/0xb0
[ 28.864462][ T304] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 28.870182][ T304] RIP: 0033:0x7f0faf3d9b69
[ 28.874436][ T304] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 28.894737][ T304] RSP: 002b:00007fff53268ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 28.903070][ T304] RAX: ffffffffffffffda RBX: 00007fff53268ae0 RCX: 00007f0faf3d9b69
[pid 304] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 304] exit_group(0) = ?
[pid 304] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=304, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 306
./strace-static-x86_64: Process 306 attached
[pid 306] set_robust_list(0x555556e17660, 24) = 0
[pid 306] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 306] setpgid(0, 0) = 0
[pid 306] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 306] write(3, "1000", 4) = 4
[pid 306] close(3) = 0
[pid 306] write(1, "executing program\n", 18executing program
) = 18
[ 28.910869][ T304] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 28.918703][ T304] RBP: 0000000000000001 R08: 00007fff53268867 R09: 00000000000000a0
[ 28.926680][ T304] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 28.934651][ T304] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 28.942479][ T304]
[ 28.946899][ T20] ==================================================================
[ 28.954842][ T20] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 28.963111][ T20]
[ 28.965279][ T20] CPU: 0 PID: 20 Comm: kworker/0:1 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 28.976297][ T20] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 28.986189][ T20] Workqueue: events bpf_map_free_deferred
[ 28.991743][ T20] Call Trace:
[ 28.994869][ T20]
[ 28.997644][ T20] dump_stack_lvl+0x151/0x1b7
[ 29.002156][ T20] ? io_uring_drop_tctx_refs+0x190/0x190
[ 29.008055][ T20] ? panic+0x751/0x751
[ 29.011964][ T20] ? kasan_set_free_info+0x23/0x40
[ 29.016911][ T20] ? ____kasan_slab_free+0x126/0x160
[ 29.022102][ T20] ? kmem_cache_free+0x116/0x2e0
[ 29.026806][ T20] print_address_description+0x87/0x3b0
[ 29.032202][ T20] ? worker_thread+0xad5/0x12a0
[ 29.036885][ T20] ? kthread+0x421/0x510
[ 29.040957][ T20] ? kmem_cache_free+0x116/0x2e0
[ 29.045737][ T20] ? kmem_cache_free+0x116/0x2e0
[ 29.050498][ T20] kasan_report_invalid_free+0x6b/0xa0
[ 29.055795][ T20] ____kasan_slab_free+0x13e/0x160
[ 29.060742][ T20] __kasan_slab_free+0x11/0x20
[ 29.065349][ T20] slab_free_freelist_hook+0xbd/0x190
[ 29.070691][ T20] ? kfree_skbmem+0x104/0x170
[ 29.075148][ T20] kmem_cache_free+0x116/0x2e0
[ 29.079836][ T20] kfree_skbmem+0x104/0x170
[ 29.084348][ T20] consume_skb+0xb4/0x250
[ 29.088601][ T20] __sk_msg_free+0x2dd/0x370
[ 29.093031][ T20] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 29.098709][ T20] sk_psock_stop+0x44c/0x4d0
[ 29.103103][ T20] sk_psock_drop+0x219/0x310
[ 29.107523][ T20] sock_map_unref+0x48f/0x4d0
[ 29.112187][ T20] sock_map_free+0x137/0x2b0
[ 29.116601][ T20] bpf_map_free_deferred+0x10d/0x1e0
[ 29.121721][ T20] process_one_work+0x6bb/0xc10
[ 29.126408][ T20] worker_thread+0xad5/0x12a0
[ 29.131031][ T20] ? _raw_spin_lock+0x1b0/0x1b0
[ 29.135791][ T20] kthread+0x421/0x510
[ 29.139687][ T20] ? worker_clr_flags+0x180/0x180
[ 29.144649][ T20] ? kthread_blkcg+0xd0/0xd0
[ 29.149088][ T20] ret_from_fork+0x1f/0x30
[ 29.153409][ T20]
[ 29.156263][ T20]
[ 29.158433][ T20] Allocated by task 304:
[ 29.162522][ T20] __kasan_slab_alloc+0xb1/0xe0
[ 29.167198][ T20] slab_post_alloc_hook+0x53/0x2c0
[ 29.172148][ T20] kmem_cache_alloc+0xf5/0x200
[ 29.176747][ T20] skb_clone+0x1d1/0x360
[ 29.180937][ T20] sk_psock_verdict_recv+0x53/0x840
[ 29.186043][ T20] unix_read_sock+0x132/0x370
[ 29.190551][ T20] sk_psock_verdict_data_ready+0x147/0x1a0
[ 29.196219][ T20] unix_dgram_sendmsg+0x15fa/0x2090
[ 29.201309][ T20] ____sys_sendmsg+0x59e/0x8f0
[ 29.205908][ T20] ___sys_sendmsg+0x252/0x2e0
[ 29.210565][ T20] __se_sys_sendmsg+0x19a/0x260
[ 29.215375][ T20] __x64_sys_sendmsg+0x7b/0x90
[ 29.219973][ T20] do_syscall_64+0x3d/0xb0
[ 29.224228][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 29.229954][ T20]
[ 29.232125][ T20] Freed by task 20:
[ 29.235770][ T20] kasan_set_track+0x4b/0x70
[ 29.240284][ T20] kasan_set_free_info+0x23/0x40
[ 29.245055][ T20] ____kasan_slab_free+0x126/0x160
[ 29.250004][ T20] __kasan_slab_free+0x11/0x20
[ 29.254615][ T20] slab_free_freelist_hook+0xbd/0x190
[ 29.259817][ T20] kmem_cache_free+0x116/0x2e0
[ 29.264417][ T20] kfree_skbmem+0x104/0x170
[ 29.268844][ T20] kfree_skb+0xc2/0x360
[ 29.272844][ T20] sk_psock_backlog+0xc21/0xd90
[ 29.277716][ T20] process_one_work+0x6bb/0xc10
[ 29.282385][ T20] worker_thread+0xad5/0x12a0
[ 29.286895][ T20] kthread+0x421/0x510
[ 29.290799][ T20] ret_from_fork+0x1f/0x30
[ 29.295048][ T20]
[ 29.297221][ T20] The buggy address belongs to the object at ffff88812180cb40
[ 29.297221][ T20] which belongs to the cache skbuff_head_cache of size 248
[ 29.311924][ T20] The buggy address is located 0 bytes inside of
[ 29.311924][ T20] 248-byte region [ffff88812180cb40, ffff88812180cc38)
[ 29.324932][ T20] The buggy address belongs to the page:
[ 29.330413][ T20] page:ffffea0004860300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12180c
[ 29.340468][ T20] flags: 0x4000000000000200(slab|zone=1)
[ 29.345939][ T20] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3380
[ 29.354368][ T20] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 29.362859][ T20] page dumped because: kasan: bad access detected
[ 29.369113][ T20] page_owner tracks the page as allocated
[ 29.374660][ T20] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 289, ts 28604664201, free_ts 17191196134
[ 29.390458][ T20] post_alloc_hook+0x1a3/0x1b0
[ 29.395058][ T20] prep_new_page+0x1b/0x110
[ 29.399446][ T20] get_page_from_freelist+0x3550/0x35d0
[ 29.404800][ T20] __alloc_pages+0x27e/0x8f0
[ 29.409206][ T20] new_slab+0x9a/0x4e0
[ 29.413141][ T20] ___slab_alloc+0x39e/0x830
[ 29.417628][ T20] __slab_alloc+0x4a/0x90
[ 29.421888][ T20] kmem_cache_alloc+0x134/0x200
[ 29.426756][ T20] skb_clone+0x1d1/0x360
[ 29.430826][ T20] dev_queue_xmit_nit+0x25b/0xa40
[ 29.435784][ T20] dev_hard_start_xmit+0x149/0x620
[ 29.440724][ T20] sch_direct_xmit+0x298/0x9b0
[ 29.445324][ T20] __dev_queue_xmit+0x161e/0x2e70
[ 29.450285][ T20] dev_queue_xmit+0x17/0x20
[ 29.454633][ T20] ip_finish_output2+0xb9f/0xf60
[ 29.459384][ T20] __ip_finish_output+0x162/0x360
[ 29.464244][ T20] page last free stack trace:
[ 29.468759][ T20] free_unref_page_prepare+0x7c8/0x7d0
[ 29.474061][ T20] free_unref_page+0xe8/0x750
[ 29.478564][ T20] __put_page+0xb0/0xe0
[ 29.482559][ T20] anon_pipe_buf_release+0x187/0x200
[ 29.487684][ T20] pipe_read+0x5a6/0x1040
[ 29.491842][ T20] vfs_read+0xa7e/0xd40
[ 29.495843][ T20] ksys_read+0x199/0x2c0
[ 29.499918][ T20] __x64_sys_read+0x7b/0x90
[ 29.504253][ T20] do_syscall_64+0x3d/0xb0
[ 29.508534][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 29.514335][ T20]
[ 29.516498][ T20] Memory state around the buggy address:
[ 29.521976][ T20] ffff88812180ca00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.530379][ T20] ffff88812180ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 29.538291][ T20] >ffff88812180cb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 29.546176][ T20] ^
[ 29.552171][ T20] ffff88812180cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[pid 306] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x20000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 306] close(3) = 0
[pid 306] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 306] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 306] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 306] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 306] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x20000000, value=0x20000080, flags=BPF_ANY}, 32) = 0
[pid 306] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 306] write(7, "5", 1) = 1
[ 29.560078][ T20] ffff88812180cc00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 29.567968][ T20] ==================================================================
[ 29.582316][ T306] FAULT_INJECTION: forcing a failure.
[ 29.582316][ T306] name failslab, interval 1, probability 0, space 0, times 0
[ 29.595289][ T306] CPU: 1 PID: 306 Comm: syz-executor533 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 29.606724][ T306] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 29.616769][ T306] Call Trace:
[ 29.619927][ T306]
[ 29.622761][ T306] dump_stack_lvl+0x151/0x1b7
[ 29.627378][ T306] ? io_uring_drop_tctx_refs+0x190/0x190
[ 29.632928][ T306] dump_stack+0x15/0x17
[ 29.636907][ T306] should_fail+0x3c6/0x510
[ 29.641358][ T306] __should_failslab+0xa4/0xe0
[ 29.645983][ T306] should_failslab+0x9/0x20
[ 29.650291][ T306] slab_pre_alloc_hook+0x37/0xd0
[ 29.655177][ T306] kmem_cache_alloc_trace+0x48/0x210
[ 29.660364][ T306] ? sk_psock_skb_ingress_self+0x60/0x330
[ 29.665908][ T306] ? migrate_disable+0x190/0x190
[ 29.670683][ T306] sk_psock_skb_ingress_self+0x60/0x330
[ 29.676064][ T306] sk_psock_verdict_recv+0x66d/0x840
[ 29.681391][ T306] unix_read_sock+0x132/0x370
[ 29.686325][ T306] ? __sched_text_start+0x8/0x8
[ 29.691129][ T306] ? sk_psock_skb_redirect+0x440/0x440
[ 29.696494][ T306] ? unix_stream_splice_actor+0x120/0x120
[ 29.702156][ T306] ? preempt_schedule_common+0xbe/0xf0
[ 29.707455][ T306] ? unix_stream_splice_actor+0x120/0x120
[ 29.712996][ T306] sk_psock_verdict_data_ready+0x147/0x1a0
[ 29.718638][ T306] ? sk_psock_start_verdict+0xc0/0xc0
[ 29.723855][ T306] ? _raw_spin_lock+0xa4/0x1b0
[ 29.728449][ T306] ? preempt_schedule_thunk+0x16/0x18
[ 29.733741][ T306] unix_dgram_sendmsg+0x15fa/0x2090
[ 29.738964][ T306] ? unix_dgram_poll+0x710/0x710
[ 29.743731][ T306] ? security_socket_sendmsg+0x82/0xb0
[ 29.749115][ T306] ? unix_dgram_poll+0x710/0x710
[ 29.754043][ T306] ____sys_sendmsg+0x59e/0x8f0
[ 29.758640][ T306] ? __sys_sendmsg_sock+0x40/0x40
[ 29.763490][ T306] ? import_iovec+0xe5/0x120
[ 29.767913][ T306] ___sys_sendmsg+0x252/0x2e0
[ 29.772428][ T306] ? __sys_sendmsg+0x260/0x260
[ 29.777025][ T306] ? finish_task_switch+0x167/0x7b0
[ 29.782240][ T306] ? __schedule+0xcd4/0x1590
[ 29.786669][ T306] ? __kasan_check_write+0x14/0x20
[ 29.791744][ T306] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 29.796669][ T306] ? __kasan_check_read+0x11/0x20
[ 29.801810][ T306] ? __fdget+0x179/0x240
[ 29.805878][ T306] __se_sys_sendmsg+0x19a/0x260
[ 29.810677][ T306] ? _raw_spin_unlock_irq+0x4e/0x70
[ 29.815794][ T306] ? __x64_sys_sendmsg+0x90/0x90
[ 29.820608][ T306] ? __kasan_check_read+0x11/0x20
[ 29.825430][ T306] __x64_sys_sendmsg+0x7b/0x90
[ 29.830024][ T306] do_syscall_64+0x3d/0xb0
[ 29.834289][ T306] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 29.840098][ T306] RIP: 0033:0x7f0faf3d9b69
[ 29.844360][ T306] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[pid 306] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 306] exit_group(0) = ?
[ 29.863960][ T306] RSP: 002b:00007fff53268ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 29.872288][ T306] RAX: ffffffffffffffda RBX: 00007fff53268ae0 RCX: 00007f0faf3d9b69
[ 29.880104][ T306] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 29.887909][ T306] RBP: 0000000000000001 R08: 00007fff53268867 R09: 00000000000000a0
[ 29.895737][ T306] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 29.903534][ T306] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 29.911703][ T306]
[ 29.916146][ T30] audit: type=1400 audit(1723232682.532:74): avc: denied { remove_name } for pid=82 comm="syslogd" name="messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 29.938584][ T30] audit: type=1400 audit(1723232682.532:75): avc: denied { rename } for pid=82 comm="syslogd" name="messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 29.939030][ T306] ==================================================================
[ 29.968254][ T306] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 29.976633][ T306]
[ 29.978808][ T306] CPU: 1 PID: 306 Comm: syz-executor533 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 29.990337][ T306] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 30.000233][ T306] Call Trace:
[ 30.003355][ T306]
[ 30.006131][ T306] dump_stack_lvl+0x151/0x1b7
[ 30.010656][ T306] ? io_uring_drop_tctx_refs+0x190/0x190
[ 30.016242][ T306] ? __wake_up_klogd+0xd5/0x110
[ 30.021010][ T306] ? panic+0x751/0x751
[ 30.024918][ T306] ? kmem_cache_free+0x116/0x2e0
[ 30.029692][ T306] print_address_description+0x87/0x3b0
[ 30.035076][ T306] ? kmem_cache_free+0x116/0x2e0
[ 30.039846][ T306] ? kmem_cache_free+0x116/0x2e0
[ 30.044623][ T306] kasan_report_invalid_free+0x6b/0xa0
[ 30.049914][ T306] ____kasan_slab_free+0x13e/0x160
[ 30.054870][ T306] __kasan_slab_free+0x11/0x20
[ 30.059462][ T306] slab_free_freelist_hook+0xbd/0x190
[ 30.064679][ T306] ? kfree_skbmem+0x104/0x170
[ 30.069177][ T306] kmem_cache_free+0x116/0x2e0
[ 30.073796][ T306] kfree_skbmem+0x104/0x170
[ 30.078121][ T306] consume_skb+0xb4/0x250
[ 30.082302][ T306] __sk_msg_free+0x2dd/0x370
[ 30.086712][ T306] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 30.092351][ T306] sk_psock_stop+0x44c/0x4d0
[ 30.096777][ T306] ? unix_peer_get+0xe0/0xe0
[ 30.101291][ T306] sock_map_close+0x2b9/0x4c0
[ 30.105818][ T306] ? sock_map_remove_links+0x570/0x570
[ 30.111099][ T306] ? rwsem_mark_wake+0x770/0x770
[ 30.115872][ T306] ? security_file_free+0xc6/0xe0
[ 30.120734][ T306] unix_release+0x82/0xc0
[ 30.124899][ T306] sock_close+0xdf/0x270
[ 30.128987][ T306] ? sock_mmap+0xa0/0xa0
[ 30.133146][ T306] __fput+0x3fe/0x910
[ 30.136976][ T306] ____fput+0x15/0x20
[ 30.140779][ T306] task_work_run+0x129/0x190
[ 30.145217][ T306] do_exit+0xc48/0x2ca0
[ 30.149212][ T306] ? put_task_struct+0x80/0x80
[ 30.153811][ T306] ? ptrace_notify+0x24c/0x350
[ 30.158408][ T306] ? do_notify_parent+0xa30/0xa30
[ 30.163271][ T306] do_group_exit+0x141/0x310
[ 30.167864][ T306] __x64_sys_exit_group+0x3f/0x40
[ 30.172721][ T306] do_syscall_64+0x3d/0xb0
[ 30.176985][ T306] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 30.182709][ T306] RIP: 0033:0x7f0faf3d7cb9
[ 30.186970][ T306] Code: Unable to access opcode bytes at RIP 0x7f0faf3d7c8f.
[ 30.194157][ T306] RSP: 002b:00007fff53268a68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 30.202405][ T306] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0faf3d7cb9
[ 30.210215][ T306] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 30.218034][ T306] RBP: 00007f0faf44b390 R08: ffffffffffffffb8 R09: 00000000000000a0
[ 30.225926][ T306] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f0faf44b390
[ 30.233825][ T306] R13: 0000000000000000 R14: 00007f0faf44bde0 R15: 00007f0faf3a1360
[ 30.241637][ T306]
[ 30.244591][ T306]
[ 30.246790][ T306] Allocated by task 306:
[ 30.250836][ T306] __kasan_slab_alloc+0xb1/0xe0
[ 30.255545][ T306] slab_post_alloc_hook+0x53/0x2c0
[ 30.260470][ T306] kmem_cache_alloc+0xf5/0x200
[ 30.265175][ T306] skb_clone+0x1d1/0x360
[ 30.269274][ T306] sk_psock_verdict_recv+0x53/0x840
[ 30.274444][ T306] unix_read_sock+0x132/0x370
[ 30.278969][ T306] sk_psock_verdict_data_ready+0x147/0x1a0
[ 30.284594][ T306] unix_dgram_sendmsg+0x15fa/0x2090
[ 30.289641][ T306] ____sys_sendmsg+0x59e/0x8f0
[ 30.294244][ T306] ___sys_sendmsg+0x252/0x2e0
[ 30.298758][ T306] __se_sys_sendmsg+0x19a/0x260
[ 30.303429][ T306] __x64_sys_sendmsg+0x7b/0x90
[ 30.308039][ T306] do_syscall_64+0x3d/0xb0
[ 30.312301][ T306] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 30.318012][ T306]
[ 30.320188][ T306] Freed by task 42:
[ 30.323912][ T306] kasan_set_track+0x4b/0x70
[ 30.328341][ T306] kasan_set_free_info+0x23/0x40
[ 30.333115][ T306] ____kasan_slab_free+0x126/0x160
[ 30.338067][ T306] __kasan_slab_free+0x11/0x20
[ 30.342671][ T306] slab_free_freelist_hook+0xbd/0x190
[ 30.347865][ T306] kmem_cache_free+0x116/0x2e0
[ 30.352464][ T306] kfree_skbmem+0x104/0x170
[ 30.356807][ T306] kfree_skb+0xc2/0x360
[ 30.360801][ T306] sk_psock_backlog+0xc21/0xd90
[ 30.365484][ T306] process_one_work+0x6bb/0xc10
[ 30.370171][ T306] worker_thread+0xad5/0x12a0
[ 30.374780][ T306] kthread+0x421/0x510
[ 30.378678][ T306] ret_from_fork+0x1f/0x30
[ 30.382929][ T306]
[ 30.385100][ T306] The buggy address belongs to the object at ffff88810819a3c0
[ 30.385100][ T306] which belongs to the cache skbuff_head_cache of size 248
[ 30.399601][ T306] The buggy address is located 0 bytes inside of
[ 30.399601][ T306] 248-byte region [ffff88810819a3c0, ffff88810819a4b8)
[ 30.412623][ T306] The buggy address belongs to the page:
[ 30.418097][ T306] page:ffffea0004206680 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10819a
[ 30.428159][ T306] flags: 0x4000000000000200(slab|zone=1)
[ 30.433644][ T306] raw: 4000000000000200 0000000000000000 0000000100000001 ffff8881081b3380
[ 30.442152][ T306] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 30.450553][ T306] page dumped because: kasan: bad access detected
[ 30.456890][ T306] page_owner tracks the page as allocated
[ 30.462443][ T306] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 1183667535, free_ts 0
[ 30.477293][ T306] post_alloc_hook+0x1a3/0x1b0
[ 30.481904][ T306] prep_new_page+0x1b/0x110
[ 30.486336][ T306] get_page_from_freelist+0x3550/0x35d0
[ 30.491691][ T306] __alloc_pages+0x27e/0x8f0
[ 30.496127][ T306] new_slab+0x9a/0x4e0
[ 30.500024][ T306] ___slab_alloc+0x39e/0x830
[ 30.504457][ T306] __slab_alloc+0x4a/0x90
[ 30.508612][ T306] kmem_cache_alloc+0x134/0x200
[ 30.513299][ T306] __alloc_skb+0xbe/0x550
[ 30.517482][ T306] audit_log_start+0x456/0xa80
[ 30.522187][ T306] audit_log+0xad/0x150
[ 30.526152][ T306] audit_init+0x1d3/0x1f7
[ 30.530401][ T306] do_one_initcall+0x182/0x610
[ 30.535068][ T306] do_initcall_level+0x186/0x304
[ 30.539871][ T306] do_initcalls+0x4e/0x8e
[ 30.544030][ T306] do_basic_setup+0x81/0x8a
[ 30.548385][ T306] page_owner free stack trace missing
[ 30.553700][ T306]
[ 30.555848][ T306] Memory state around the buggy address:
[ 30.561664][ T306] ffff88810819a280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[pid 306] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=306, si_uid=0, si_status=0, si_utime=0, si_stime=66} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 309
./strace-static-x86_64: Process 309 attached
[pid 309] set_robust_list(0x555556e17660, 24) = 0
[pid 309] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 309] setpgid(0, 0) = 0
[pid 309] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 309] write(3, "1000", 4executing program
) = 4
[pid 309] close(3) = 0
[pid 309] write(1, "executing program\n", 18) = 18
[pid 309] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x20000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 309] close(3) = 0
[pid 309] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 309] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 309] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 309] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 309] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x20000000, value=0x20000080, flags=BPF_ANY}, 32) = 0
[pid 309] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 309] write(7, "5", 1) = 1
[ 30.569568][ T306] ffff88810819a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 30.577467][ T306] >ffff88810819a380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 30.585624][ T306] ^
[ 30.591886][ T306] ffff88810819a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.599946][ T306] ffff88810819a480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 30.608194][ T306] ==================================================================
[ 30.623250][ T309] FAULT_INJECTION: forcing a failure.
[ 30.623250][ T309] name failslab, interval 1, probability 0, space 0, times 0
[ 30.636027][ T309] CPU: 1 PID: 309 Comm: syz-executor533 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 30.647478][ T309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 30.657723][ T309] Call Trace:
[ 30.660854][ T309]
[ 30.663614][ T309] dump_stack_lvl+0x151/0x1b7
[ 30.668124][ T309] ? io_uring_drop_tctx_refs+0x190/0x190
[ 30.673594][ T309] dump_stack+0x15/0x17
[ 30.677687][ T309] should_fail+0x3c6/0x510
[ 30.681932][ T309] __should_failslab+0xa4/0xe0
[ 30.686536][ T309] should_failslab+0x9/0x20
[ 30.690972][ T309] slab_pre_alloc_hook+0x37/0xd0
[ 30.695756][ T309] kmem_cache_alloc_trace+0x48/0x210
[ 30.700939][ T309] ? sk_psock_skb_ingress_self+0x60/0x330
[ 30.706659][ T309] ? migrate_disable+0x190/0x190
[ 30.711406][ T309] sk_psock_skb_ingress_self+0x60/0x330
[ 30.716776][ T309] sk_psock_verdict_recv+0x66d/0x840
[ 30.722107][ T309] unix_read_sock+0x132/0x370
[ 30.726599][ T309] ? sk_psock_skb_redirect+0x440/0x440
[ 30.732081][ T309] ? unix_stream_splice_actor+0x120/0x120
[ 30.737623][ T309] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 30.743123][ T309] ? unix_stream_splice_actor+0x120/0x120
[ 30.748685][ T309] sk_psock_verdict_data_ready+0x147/0x1a0
[ 30.754333][ T309] ? sk_psock_start_verdict+0xc0/0xc0
[ 30.759524][ T309] ? _raw_spin_lock+0xa4/0x1b0
[ 30.764120][ T309] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 30.769767][ T309] ? skb_queue_tail+0xfb/0x120
[ 30.774367][ T309] unix_dgram_sendmsg+0x15fa/0x2090
[ 30.779493][ T309] ? unix_dgram_poll+0x710/0x710
[ 30.784259][ T309] ? security_socket_sendmsg+0x82/0xb0
[ 30.789561][ T309] ? unix_dgram_poll+0x710/0x710
[ 30.794651][ T309] ____sys_sendmsg+0x59e/0x8f0
[ 30.799424][ T309] ? __sys_sendmsg_sock+0x40/0x40
[ 30.804572][ T309] ? import_iovec+0xe5/0x120
[ 30.808993][ T309] ___sys_sendmsg+0x252/0x2e0
[ 30.813641][ T309] ? __sys_sendmsg+0x260/0x260
[ 30.818201][ T309] ? finish_task_switch+0x167/0x7b0
[ 30.823510][ T309] ? __schedule+0xcd4/0x1590
[ 30.827948][ T309] ? __kasan_check_write+0x14/0x20
[ 30.832875][ T309] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 30.837998][ T309] ? __kasan_check_read+0x11/0x20
[ 30.843073][ T309] ? __fdget+0x179/0x240
[ 30.847130][ T309] __se_sys_sendmsg+0x19a/0x260
[ 30.851810][ T309] ? _raw_spin_unlock_irq+0x4e/0x70
[ 30.856846][ T309] ? __x64_sys_sendmsg+0x90/0x90
[ 30.861624][ T309] ? __kasan_check_read+0x11/0x20
[ 30.866479][ T309] __x64_sys_sendmsg+0x7b/0x90
[ 30.871077][ T309] do_syscall_64+0x3d/0xb0
[ 30.875332][ T309] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 30.881060][ T309] RIP: 0033:0x7f0faf3d9b69
[ 30.885307][ T309] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 30.904751][ T309] RSP: 002b:00007fff53268ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 30.912994][ T309] RAX: ffffffffffffffda RBX: 00007fff53268ae0 RCX: 00007f0faf3d9b69
[pid 309] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 309] exit_group(0) = ?
[ 30.920940][ T309] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 30.928709][ T309] RBP: 0000000000000001 R08: 00007fff53268867 R09: 00000000000000a0
[ 30.936533][ T309] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 30.944328][ T309] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 30.952140][ T309]
[ 30.956060][ T42] ==================================================================
[ 30.964252][ T42] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 30.972589][ T42]
[ 30.974737][ T42] CPU: 1 PID: 42 Comm: kworker/1:1 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 30.985852][ T42] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 30.995742][ T42] Workqueue: events bpf_map_free_deferred
[ 31.001477][ T42] Call Trace:
[ 31.004858][ T42]
[ 31.007647][ T42] dump_stack_lvl+0x151/0x1b7
[ 31.012316][ T42] ? io_uring_drop_tctx_refs+0x190/0x190
[ 31.017878][ T42] ? panic+0x751/0x751
[ 31.021774][ T42] ? kasan_set_free_info+0x23/0x40
[ 31.026735][ T42] ? ____kasan_slab_free+0x126/0x160
[ 31.031930][ T42] ? kmem_cache_free+0x116/0x2e0
[ 31.036808][ T42] print_address_description+0x87/0x3b0
[ 31.042607][ T42] ? worker_thread+0xad5/0x12a0
[ 31.047292][ T42] ? kthread+0x421/0x510
[ 31.051377][ T42] ? kmem_cache_free+0x116/0x2e0
[ 31.056143][ T42] ? kmem_cache_free+0x116/0x2e0
[ 31.060936][ T42] kasan_report_invalid_free+0x6b/0xa0
[ 31.066301][ T42] ____kasan_slab_free+0x13e/0x160
[ 31.071252][ T42] __kasan_slab_free+0x11/0x20
[ 31.075845][ T42] slab_free_freelist_hook+0xbd/0x190
[ 31.081055][ T42] ? kfree_skbmem+0x104/0x170
[ 31.085577][ T42] kmem_cache_free+0x116/0x2e0
[ 31.090168][ T42] kfree_skbmem+0x104/0x170
[ 31.094506][ T42] consume_skb+0xb4/0x250
[ 31.099028][ T42] __sk_msg_free+0x2dd/0x370
[ 31.103457][ T42] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 31.109092][ T42] sk_psock_stop+0x44c/0x4d0
[ 31.113525][ T42] sk_psock_drop+0x219/0x310
[ 31.117949][ T42] sock_map_unref+0x48f/0x4d0
[ 31.122456][ T42] sock_map_free+0x137/0x2b0
[ 31.126893][ T42] bpf_map_free_deferred+0x10d/0x1e0
[ 31.132090][ T42] process_one_work+0x6bb/0xc10
[ 31.136773][ T42] worker_thread+0xad5/0x12a0
[ 31.141289][ T42] ? _raw_spin_lock+0x1b0/0x1b0
[ 31.145974][ T42] kthread+0x421/0x510
[ 31.149887][ T42] ? worker_clr_flags+0x180/0x180
[ 31.154755][ T42] ? kthread_blkcg+0xd0/0xd0
[ 31.159167][ T42] ret_from_fork+0x1f/0x30
[ 31.163683][ T42]
[ 31.166558][ T42]
[ 31.168897][ T42] Allocated by task 309:
[ 31.172969][ T42] __kasan_slab_alloc+0xb1/0xe0
[ 31.177657][ T42] slab_post_alloc_hook+0x53/0x2c0
[ 31.182697][ T42] kmem_cache_alloc+0xf5/0x200
[ 31.187287][ T42] skb_clone+0x1d1/0x360
[ 31.191367][ T42] sk_psock_verdict_recv+0x53/0x840
[ 31.196596][ T42] unix_read_sock+0x132/0x370
[ 31.201085][ T42] sk_psock_verdict_data_ready+0x147/0x1a0
[ 31.206729][ T42] unix_dgram_sendmsg+0x15fa/0x2090
[ 31.211777][ T42] ____sys_sendmsg+0x59e/0x8f0
[ 31.216373][ T42] ___sys_sendmsg+0x252/0x2e0
[ 31.220881][ T42] __se_sys_sendmsg+0x19a/0x260
[ 31.225562][ T42] __x64_sys_sendmsg+0x7b/0x90
[ 31.230439][ T42] do_syscall_64+0x3d/0xb0
[ 31.234683][ T42] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 31.240403][ T42]
[ 31.242583][ T42] Freed by task 42:
[ 31.246326][ T42] kasan_set_track+0x4b/0x70
[ 31.250905][ T42] kasan_set_free_info+0x23/0x40
[ 31.255777][ T42] ____kasan_slab_free+0x126/0x160
[ 31.260739][ T42] __kasan_slab_free+0x11/0x20
[ 31.265339][ T42] slab_free_freelist_hook+0xbd/0x190
[ 31.270612][ T42] kmem_cache_free+0x116/0x2e0
[ 31.275738][ T42] kfree_skbmem+0x104/0x170
[ 31.280075][ T42] kfree_skb+0xc2/0x360
[ 31.284156][ T42] sk_psock_backlog+0xc21/0xd90
[ 31.288875][ T42] process_one_work+0x6bb/0xc10
[ 31.293803][ T42] worker_thread+0xad5/0x12a0
[ 31.298306][ T42] kthread+0x421/0x510
[ 31.302313][ T42] ret_from_fork+0x1f/0x30
[ 31.306647][ T42]
[ 31.308782][ T42] The buggy address belongs to the object at ffff8881218458c0
[ 31.308782][ T42] which belongs to the cache skbuff_head_cache of size 248
[ 31.323510][ T42] The buggy address is located 0 bytes inside of
[ 31.323510][ T42] 248-byte region [ffff8881218458c0, ffff8881218459b8)
[ 31.336444][ T42] The buggy address belongs to the page:
[ 31.341980][ T42] page:ffffea0004861140 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121845
[ 31.353108][ T42] flags: 0x4000000000000200(slab|zone=1)
[ 31.358563][ T42] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3380
[ 31.367080][ T42] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 31.375490][ T42] page dumped because: kasan: bad access detected
[ 31.382005][ T42] page_owner tracks the page as allocated
[ 31.387830][ T42] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 309, ts 30620141302, free_ts 17189224364
[ 31.403718][ T42] post_alloc_hook+0x1a3/0x1b0
[ 31.408318][ T42] prep_new_page+0x1b/0x110
[ 31.412723][ T42] get_page_from_freelist+0x3550/0x35d0
[ 31.418105][ T42] __alloc_pages+0x27e/0x8f0
[ 31.422528][ T42] new_slab+0x9a/0x4e0
[ 31.426447][ T42] ___slab_alloc+0x39e/0x830
[ 31.430890][ T42] kmem_cache_alloc_bulk+0x104/0x360
[ 31.435997][ T42] napi_skb_cache_get+0x11f/0x1f0
[ 31.441044][ T42] __alloc_skb+0xd5/0x550
[ 31.445189][ T42] __napi_alloc_skb+0x167/0x2e0
[ 31.449878][ T42] page_to_skb+0x2a5/0xb40
[ 31.454129][ T42] receive_buf+0xed6/0x5720
[ 31.458565][ T42] virtnet_poll+0x628/0x1260
[ 31.462981][ T42] __napi_poll+0xc4/0x5a0
[ 31.467422][ T42] net_rx_action+0x47d/0xc50
[ 31.471848][ T42] __do_softirq+0x26d/0x5bf
[ 31.476176][ T42] page last free stack trace:
[ 31.480700][ T42] free_unref_page_prepare+0x7c8/0x7d0
[ 31.486007][ T42] free_unref_page+0xe8/0x750
[ 31.490494][ T42] __put_page+0xb0/0xe0
[ 31.495497][ T42] anon_pipe_buf_release+0x187/0x200
[ 31.501020][ T42] pipe_read+0x5a6/0x1040
[ 31.505696][ T42] vfs_read+0xa7e/0xd40
[ 31.509765][ T42] ksys_read+0x199/0x2c0
[ 31.513853][ T42] __x64_sys_read+0x7b/0x90
[ 31.518182][ T42] do_syscall_64+0x3d/0xb0
[ 31.522603][ T42] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 31.528530][ T42]
[ 31.530677][ T42] Memory state around the buggy address:
[ 31.536258][ T42] ffff888121845780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.544527][ T42] ffff888121845800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 31.552532][ T42] >ffff888121845880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 31.560393][ T42] ^
[ 31.566477][ T42] ffff888121845900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[pid 309] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=309, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 310
./strace-static-x86_64: Process 310 attached
[pid 310] set_robust_list(0x555556e17660, 24) = 0
[pid 310] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 310] setpgid(0, 0) = 0
[pid 310] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 310] write(3, "1000", 4) = 4
[pid 310] close(3) = 0
executing program
[pid 310] write(1, "executing program\n", 18) = 18
[pid 310] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x20000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 310] close(3) = 0
[pid 310] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 310] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 310] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 310] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 310] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x20000000, value=0x20000080, flags=BPF_ANY}, 32) = 0
[pid 310] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 310] write(7, "5", 1) = 1
[ 31.574459][ T42] ffff888121845980: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 31.582359][ T42] ==================================================================
[ 31.609557][ T310] FAULT_INJECTION: forcing a failure.
[ 31.609557][ T310] name failslab, interval 1, probability 0, space 0, times 0
[ 31.622379][ T310] CPU: 1 PID: 310 Comm: syz-executor533 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 31.634016][ T310] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 31.644593][ T310] Call Trace:
[ 31.647714][ T310]
[ 31.650753][ T310] dump_stack_lvl+0x151/0x1b7
[ 31.655263][ T310] ? io_uring_drop_tctx_refs+0x190/0x190
[ 31.660990][ T310] dump_stack+0x15/0x17
[ 31.665244][ T310] should_fail+0x3c6/0x510
[ 31.669595][ T310] __should_failslab+0xa4/0xe0
[ 31.674311][ T310] should_failslab+0x9/0x20
[ 31.678841][ T310] slab_pre_alloc_hook+0x37/0xd0
[ 31.683824][ T310] kmem_cache_alloc_trace+0x48/0x210
[ 31.688927][ T310] ? sk_psock_skb_ingress_self+0x60/0x330
[ 31.694524][ T310] ? migrate_disable+0x190/0x190
[ 31.699242][ T310] sk_psock_skb_ingress_self+0x60/0x330
[ 31.704721][ T310] sk_psock_verdict_recv+0x66d/0x840
[ 31.709835][ T310] unix_read_sock+0x132/0x370
[ 31.714349][ T310] ? sk_psock_skb_redirect+0x440/0x440
[ 31.719741][ T310] ? unix_stream_splice_actor+0x120/0x120
[ 31.725284][ T310] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 31.730581][ T310] ? unix_stream_splice_actor+0x120/0x120
[ 31.736363][ T310] sk_psock_verdict_data_ready+0x147/0x1a0
[ 31.742171][ T310] ? sk_psock_start_verdict+0xc0/0xc0
[ 31.747461][ T310] ? _raw_spin_lock+0xa4/0x1b0
[ 31.752072][ T310] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 31.757706][ T310] ? skb_queue_tail+0xfb/0x120
[ 31.762658][ T310] unix_dgram_sendmsg+0x15fa/0x2090
[ 31.767770][ T310] ? unix_dgram_poll+0x710/0x710
[ 31.772542][ T310] ? security_socket_sendmsg+0x82/0xb0
[ 31.777835][ T310] ? unix_dgram_poll+0x710/0x710
[ 31.782612][ T310] ____sys_sendmsg+0x59e/0x8f0
[ 31.787210][ T310] ? __sys_sendmsg_sock+0x40/0x40
[ 31.792070][ T310] ? import_iovec+0xe5/0x120
[ 31.796494][ T310] ___sys_sendmsg+0x252/0x2e0
[ 31.801011][ T310] ? __sys_sendmsg+0x260/0x260
[ 31.805607][ T310] ? finish_task_switch+0x167/0x7b0
[ 31.810644][ T310] ? __schedule+0xcd4/0x1590
[ 31.815071][ T310] ? __kasan_check_write+0x14/0x20
[ 31.820017][ T310] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 31.825053][ T310] ? __kasan_check_read+0x11/0x20
[ 31.829997][ T310] ? __fdget+0x179/0x240
[ 31.834074][ T310] __se_sys_sendmsg+0x19a/0x260
[ 31.838945][ T310] ? _raw_spin_unlock_irq+0x4e/0x70
[ 31.844161][ T310] ? __x64_sys_sendmsg+0x90/0x90
[ 31.849005][ T310] ? __kasan_check_read+0x11/0x20
[ 31.854047][ T310] __x64_sys_sendmsg+0x7b/0x90
[ 31.858630][ T310] do_syscall_64+0x3d/0xb0
[ 31.862884][ T310] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 31.868616][ T310] RIP: 0033:0x7f0faf3d9b69
[ 31.872875][ T310] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 31.892395][ T310] RSP: 002b:00007fff53268ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 31.900638][ T310] RAX: ffffffffffffffda RBX: 00007fff53268ae0 RCX: 00007f0faf3d9b69
[ 31.908452][ T310] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 31.916806][ T310] RBP: 0000000000000001 R08: 00007fff53268867 R09: 00000000000000a0
[pid 310] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 310] exit_group(0) = ?
[pid 310] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=310, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 312
./strace-static-x86_64: Process 312 attached
[pid 312] set_robust_list(0x555556e17660, 24) = 0
[pid 312] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 312] setpgid(0, 0) = 0
[pid 312] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 312] write(3, "1000", 4) = 4
[pid 312] close(3) = 0
executing program
[pid 312] write(1, "executing program\n", 18) = 18
[ 31.924850][ T310] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 31.932735][ T310] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 31.940566][ T310]
[ 31.944538][ T42] ==================================================================
[ 31.952426][ T42] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 31.960657][ T42]
[ 31.962839][ T42] CPU: 1 PID: 42 Comm: kworker/1:1 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 31.974451][ T42] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 31.984522][ T42] Workqueue: events bpf_map_free_deferred
[ 31.990074][ T42] Call Trace:
[ 31.993204][ T42]
[ 31.995979][ T42] dump_stack_lvl+0x151/0x1b7
[ 32.000756][ T42] ? io_uring_drop_tctx_refs+0x190/0x190
[ 32.006218][ T42] ? panic+0x751/0x751
[ 32.010123][ T42] ? kasan_set_free_info+0x23/0x40
[ 32.015454][ T42] ? ____kasan_slab_free+0x126/0x160
[ 32.020553][ T42] ? kmem_cache_free+0x116/0x2e0
[ 32.025315][ T42] print_address_description+0x87/0x3b0
[ 32.030801][ T42] ? worker_thread+0xad5/0x12a0
[ 32.035577][ T42] ? kthread+0x421/0x510
[ 32.039637][ T42] ? kmem_cache_free+0x116/0x2e0
[ 32.044405][ T42] ? kmem_cache_free+0x116/0x2e0
[ 32.049188][ T42] kasan_report_invalid_free+0x6b/0xa0
[ 32.054471][ T42] ____kasan_slab_free+0x13e/0x160
[ 32.059537][ T42] __kasan_slab_free+0x11/0x20
[ 32.064108][ T42] slab_free_freelist_hook+0xbd/0x190
[ 32.069317][ T42] ? kfree_skbmem+0x104/0x170
[ 32.073837][ T42] kmem_cache_free+0x116/0x2e0
[ 32.078428][ T42] kfree_skbmem+0x104/0x170
[ 32.082769][ T42] consume_skb+0xb4/0x250
[ 32.086935][ T42] __sk_msg_free+0x2dd/0x370
[ 32.091374][ T42] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 32.097003][ T42] sk_psock_stop+0x44c/0x4d0
[ 32.101437][ T42] sk_psock_drop+0x219/0x310
[ 32.105858][ T42] sock_map_unref+0x48f/0x4d0
[ 32.110456][ T42] sock_map_free+0x137/0x2b0
[ 32.114882][ T42] bpf_map_free_deferred+0x10d/0x1e0
[ 32.120003][ T42] process_one_work+0x6bb/0xc10
[ 32.124690][ T42] worker_thread+0xad5/0x12a0
[ 32.129202][ T42] ? _raw_spin_lock+0x1b0/0x1b0
[ 32.133898][ T42] kthread+0x421/0x510
[ 32.137801][ T42] ? worker_clr_flags+0x180/0x180
[ 32.142661][ T42] ? kthread_blkcg+0xd0/0xd0
[ 32.147097][ T42] ret_from_fork+0x1f/0x30
[ 32.151437][ T42]
[ 32.154312][ T42]
[ 32.156467][ T42] Allocated by task 310:
[ 32.160839][ T42] __kasan_slab_alloc+0xb1/0xe0
[ 32.165695][ T42] slab_post_alloc_hook+0x53/0x2c0
[ 32.171067][ T42] kmem_cache_alloc+0xf5/0x200
[ 32.175667][ T42] skb_clone+0x1d1/0x360
[ 32.180016][ T42] sk_psock_verdict_recv+0x53/0x840
[ 32.185051][ T42] unix_read_sock+0x132/0x370
[ 32.189563][ T42] sk_psock_verdict_data_ready+0x147/0x1a0
[ 32.195202][ T42] unix_dgram_sendmsg+0x15fa/0x2090
[ 32.200228][ T42] ____sys_sendmsg+0x59e/0x8f0
[ 32.204827][ T42] ___sys_sendmsg+0x252/0x2e0
[ 32.209425][ T42] __se_sys_sendmsg+0x19a/0x260
[ 32.214143][ T42] __x64_sys_sendmsg+0x7b/0x90
[ 32.218724][ T42] do_syscall_64+0x3d/0xb0
[ 32.222966][ T42] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 32.228805][ T42]
[ 32.230975][ T42] Freed by task 42:
[ 32.234604][ T42] kasan_set_track+0x4b/0x70
[ 32.239055][ T42] kasan_set_free_info+0x23/0x40
[ 32.243794][ T42] ____kasan_slab_free+0x126/0x160
[ 32.248820][ T42] __kasan_slab_free+0x11/0x20
[ 32.253344][ T42] slab_free_freelist_hook+0xbd/0x190
[ 32.258555][ T42] kmem_cache_free+0x116/0x2e0
[ 32.263171][ T42] kfree_skbmem+0x104/0x170
[ 32.267855][ T42] kfree_skb+0xc2/0x360
[ 32.272560][ T42] sk_psock_backlog+0xc21/0xd90
[ 32.277410][ T42] process_one_work+0x6bb/0xc10
[ 32.282193][ T42] worker_thread+0xad5/0x12a0
[ 32.286959][ T42] kthread+0x421/0x510
[ 32.290942][ T42] ret_from_fork+0x1f/0x30
[ 32.295210][ T42]
[ 32.297541][ T42] The buggy address belongs to the object at ffff888107df4140
[ 32.297541][ T42] which belongs to the cache skbuff_head_cache of size 248
[ 32.311949][ T42] The buggy address is located 0 bytes inside of
[ 32.311949][ T42] 248-byte region [ffff888107df4140, ffff888107df4238)
[ 32.324893][ T42] The buggy address belongs to the page:
[ 32.330349][ T42] page:ffffea00041f7d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107df4
[ 32.340426][ T42] flags: 0x4000000000000200(slab|zone=1)
[ 32.345888][ T42] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3380
[ 32.354430][ T42] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 32.363888][ T42] page dumped because: kasan: bad access detected
[ 32.370184][ T42] page_owner tracks the page as allocated
[ 32.375737][ T42] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 289, ts 31609089303, free_ts 31608119030
[ 32.391537][ T42] post_alloc_hook+0x1a3/0x1b0
[ 32.396132][ T42] prep_new_page+0x1b/0x110
[ 32.400473][ T42] get_page_from_freelist+0x3550/0x35d0
[ 32.406027][ T42] __alloc_pages+0x27e/0x8f0
[ 32.410460][ T42] new_slab+0x9a/0x4e0
[ 32.414356][ T42] ___slab_alloc+0x39e/0x830
[ 32.418881][ T42] __slab_alloc+0x4a/0x90
[ 32.423075][ T42] kmem_cache_alloc+0x134/0x200
[ 32.427726][ T42] skb_clone+0x1d1/0x360
[ 32.431894][ T42] dev_queue_xmit_nit+0x25b/0xa40
[ 32.436799][ T42] dev_hard_start_xmit+0x149/0x620
[ 32.441783][ T42] sch_direct_xmit+0x298/0x9b0
[ 32.446396][ T42] __dev_queue_xmit+0x161e/0x2e70
[ 32.451290][ T42] dev_queue_xmit+0x17/0x20
[ 32.455592][ T42] ip_finish_output2+0xb9f/0xf60
[ 32.460359][ T42] __ip_finish_output+0x162/0x360
[ 32.465236][ T42] page last free stack trace:
[ 32.469739][ T42] free_unref_page_prepare+0x7c8/0x7d0
[ 32.475038][ T42] free_unref_page+0xe8/0x750
[ 32.479628][ T42] __free_pages+0x61/0xf0
[ 32.483812][ T42] __free_slab+0xec/0x1d0
[ 32.487958][ T42] discard_slab+0x29/0x40
[ 32.492125][ T42] __slab_free+0x205/0x290
[ 32.496387][ T42] ___cache_free+0x109/0x120
[ 32.500806][ T42] qlink_free+0x4d/0x90
[ 32.504811][ T42] qlist_free_all+0x44/0xb0
[ 32.509161][ T42] kasan_quarantine_reduce+0x15a/0x180
[ 32.514473][ T42] __kasan_slab_alloc+0x2f/0xe0
[ 32.519223][ T42] slab_post_alloc_hook+0x53/0x2c0
[ 32.524337][ T42] kmem_cache_alloc+0xf5/0x200
[ 32.528953][ T42] __alloc_skb+0xbe/0x550
[ 32.533107][ T42] sk_stream_alloc_skb+0x1f8/0xad0
[ 32.538155][ T42] tcp_sendmsg_locked+0xd34/0x3a90
[ 32.543099][ T42]
[ 32.545321][ T42] Memory state around the buggy address:
[ 32.551350][ T42] ffff888107df4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.559417][ T42] ffff888107df4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 32.568042][ T42] >ffff888107df4100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[pid 312] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x20000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 312] close(3) = 0
[pid 312] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 312] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 312] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 312] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 312] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x20000000, value=0x20000080, flags=BPF_ANY}, 32) = 0
[pid 312] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 312] write(7, "5", 1) = 1
[ 32.575950][ T42] ^
[ 32.582049][ T42] ffff888107df4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.589951][ T42] ffff888107df4200: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 32.598005][ T42] ==================================================================
[ 32.610986][ T312] FAULT_INJECTION: forcing a failure.
[ 32.610986][ T312] name failslab, interval 1, probability 0, space 0, times 0
[ 32.624296][ T312] CPU: 0 PID: 312 Comm: syz-executor533 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 32.635851][ T312] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 32.646266][ T312] Call Trace:
[ 32.649378][ T312]
[ 32.652165][ T312] dump_stack_lvl+0x151/0x1b7
[ 32.656678][ T312] ? io_uring_drop_tctx_refs+0x190/0x190
[ 32.662147][ T312] dump_stack+0x15/0x17
[ 32.666299][ T312] should_fail+0x3c6/0x510
[ 32.670554][ T312] __should_failslab+0xa4/0xe0
[ 32.675164][ T312] should_failslab+0x9/0x20
[ 32.679502][ T312] slab_pre_alloc_hook+0x37/0xd0
[ 32.684268][ T312] kmem_cache_alloc_trace+0x48/0x210
[ 32.689476][ T312] ? sk_psock_skb_ingress_self+0x60/0x330
[ 32.695036][ T312] ? migrate_disable+0x190/0x190
[ 32.699805][ T312] sk_psock_skb_ingress_self+0x60/0x330
[ 32.705374][ T312] sk_psock_verdict_recv+0x66d/0x840
[ 32.710487][ T312] unix_read_sock+0x132/0x370
[ 32.714991][ T312] ? sk_psock_skb_redirect+0x440/0x440
[ 32.720506][ T312] ? unix_stream_splice_actor+0x120/0x120
[ 32.726209][ T312] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 32.731615][ T312] ? unix_stream_splice_actor+0x120/0x120
[ 32.737146][ T312] sk_psock_verdict_data_ready+0x147/0x1a0
[ 32.743004][ T312] ? sk_psock_start_verdict+0xc0/0xc0
[ 32.748910][ T312] ? _raw_spin_lock+0xa4/0x1b0
[ 32.753610][ T312] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 32.759517][ T312] ? skb_queue_tail+0xfb/0x120
[ 32.764131][ T312] unix_dgram_sendmsg+0x15fa/0x2090
[ 32.769172][ T312] ? unix_dgram_poll+0x710/0x710
[ 32.773929][ T312] ? security_socket_sendmsg+0x82/0xb0
[ 32.779232][ T312] ? unix_dgram_poll+0x710/0x710
[ 32.784141][ T312] ____sys_sendmsg+0x59e/0x8f0
[ 32.788862][ T312] ? __sys_sendmsg_sock+0x40/0x40
[ 32.793802][ T312] ? import_iovec+0xe5/0x120
[ 32.798222][ T312] ___sys_sendmsg+0x252/0x2e0
[ 32.802746][ T312] ? __sys_sendmsg+0x260/0x260
[ 32.807338][ T312] ? finish_task_switch+0x167/0x7b0
[ 32.812388][ T312] ? __schedule+0xcd4/0x1590
[ 32.816816][ T312] ? __kasan_check_write+0x14/0x20
[ 32.821839][ T312] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 32.826945][ T312] ? __kasan_check_read+0x11/0x20
[ 32.831785][ T312] ? __fdget+0x179/0x240
[ 32.835860][ T312] __se_sys_sendmsg+0x19a/0x260
[ 32.840733][ T312] ? _raw_spin_unlock_irq+0x4e/0x70
[ 32.845768][ T312] ? __x64_sys_sendmsg+0x90/0x90
[ 32.850537][ T312] ? __kasan_check_read+0x11/0x20
[ 32.855398][ T312] __x64_sys_sendmsg+0x7b/0x90
[ 32.859997][ T312] do_syscall_64+0x3d/0xb0
[ 32.864246][ T312] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 32.869978][ T312] RIP: 0033:0x7f0faf3d9b69
[ 32.874243][ T312] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 32.893686][ T312] RSP: 002b:00007fff53268ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 32.901916][ T312] RAX: ffffffffffffffda RBX: 00007fff53268ae0 RCX: 00007f0faf3d9b69
[ 32.910002][ T312] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 32.917905][ T312] RBP: 0000000000000001 R08: 00007fff53268867 R09: 00000000000000a0
[pid 312] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 312] exit_group(0) = ?
[pid 312] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=312, si_uid=0, si_status=0, si_utime=0, si_stime=65} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 314
./strace-static-x86_64: Process 314 attached
[pid 314] set_robust_list(0x555556e17660, 24) = 0
[pid 314] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 314] setpgid(0, 0) = 0
[pid 314] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 314] write(3, "1000", 4) = 4
[pid 314] close(3) = 0
executing program
[pid 314] write(1, "executing program\n", 18) = 18
[ 32.925719][ T312] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 32.933782][ T312] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 32.941773][ T312]
[ 32.946560][ T307] ==================================================================
[ 32.954439][ T307] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 32.962681][ T307]
[ 32.964848][ T307] CPU: 0 PID: 307 Comm: kworker/0:2 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 32.975961][ T307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 32.985862][ T307] Workqueue: events bpf_map_free_deferred
[ 32.991404][ T307] Call Trace:
[ 32.994791][ T307]
[ 32.997566][ T307] dump_stack_lvl+0x151/0x1b7
[ 33.002089][ T307] ? io_uring_drop_tctx_refs+0x190/0x190
[ 33.007546][ T307] ? panic+0x751/0x751
[ 33.011461][ T307] ? kasan_set_free_info+0x23/0x40
[ 33.016413][ T307] ? ____kasan_slab_free+0x126/0x160
[ 33.021537][ T307] ? kmem_cache_free+0x116/0x2e0
[ 33.026298][ T307] print_address_description+0x87/0x3b0
[ 33.031950][ T307] ? worker_thread+0xad5/0x12a0
[ 33.036886][ T307] ? kthread+0x421/0x510
[ 33.041339][ T307] ? kmem_cache_free+0x116/0x2e0
[ 33.046838][ T307] ? kmem_cache_free+0x116/0x2e0
[ 33.051860][ T307] kasan_report_invalid_free+0x6b/0xa0
[ 33.057122][ T307] ____kasan_slab_free+0x13e/0x160
[ 33.062082][ T307] __kasan_slab_free+0x11/0x20
[ 33.066666][ T307] slab_free_freelist_hook+0xbd/0x190
[ 33.072060][ T307] ? kfree_skbmem+0x104/0x170
[ 33.076574][ T307] kmem_cache_free+0x116/0x2e0
[ 33.081277][ T307] kfree_skbmem+0x104/0x170
[ 33.085599][ T307] consume_skb+0xb4/0x250
[ 33.089763][ T307] __sk_msg_free+0x2dd/0x370
[ 33.094188][ T307] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 33.099843][ T307] sk_psock_stop+0x44c/0x4d0
[ 33.104257][ T307] sk_psock_drop+0x219/0x310
[ 33.108753][ T307] sock_map_unref+0x48f/0x4d0
[ 33.113336][ T307] sock_map_free+0x137/0x2b0
[ 33.117922][ T307] bpf_map_free_deferred+0x10d/0x1e0
[ 33.123132][ T307] process_one_work+0x6bb/0xc10
[ 33.127817][ T307] worker_thread+0xad5/0x12a0
[ 33.132332][ T307] ? _raw_spin_lock+0x1b0/0x1b0
[ 33.137215][ T307] kthread+0x421/0x510
[ 33.141089][ T307] ? worker_clr_flags+0x180/0x180
[ 33.146121][ T307] ? kthread_blkcg+0xd0/0xd0
[ 33.150546][ T307] ret_from_fork+0x1f/0x30
[ 33.154888][ T307]
[ 33.157749][ T307]
[ 33.159921][ T307] Allocated by task 312:
[ 33.164017][ T307] __kasan_slab_alloc+0xb1/0xe0
[ 33.168685][ T307] slab_post_alloc_hook+0x53/0x2c0
[ 33.173634][ T307] kmem_cache_alloc+0xf5/0x200
[ 33.178259][ T307] skb_clone+0x1d1/0x360
[ 33.182410][ T307] sk_psock_verdict_recv+0x53/0x840
[ 33.187438][ T307] unix_read_sock+0x132/0x370
[ 33.192049][ T307] sk_psock_verdict_data_ready+0x147/0x1a0
[ 33.197849][ T307] unix_dgram_sendmsg+0x15fa/0x2090
[ 33.202886][ T307] ____sys_sendmsg+0x59e/0x8f0
[ 33.207580][ T307] ___sys_sendmsg+0x252/0x2e0
[ 33.212083][ T307] __se_sys_sendmsg+0x19a/0x260
[ 33.216859][ T307] __x64_sys_sendmsg+0x7b/0x90
[ 33.221462][ T307] do_syscall_64+0x3d/0xb0
[ 33.225714][ T307] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 33.231442][ T307]
[ 33.233615][ T307] Freed by task 307:
[ 33.237344][ T307] kasan_set_track+0x4b/0x70
[ 33.241783][ T307] kasan_set_free_info+0x23/0x40
[ 33.246540][ T307] ____kasan_slab_free+0x126/0x160
[ 33.251499][ T307] __kasan_slab_free+0x11/0x20
[ 33.256187][ T307] slab_free_freelist_hook+0xbd/0x190
[ 33.261402][ T307] kmem_cache_free+0x116/0x2e0
[ 33.266157][ T307] kfree_skbmem+0x104/0x170
[ 33.270501][ T307] kfree_skb+0xc2/0x360
[ 33.274577][ T307] sk_psock_backlog+0xc21/0xd90
[ 33.279267][ T307] process_one_work+0x6bb/0xc10
[ 33.284112][ T307] worker_thread+0xad5/0x12a0
[ 33.288658][ T307] kthread+0x421/0x510
[ 33.292589][ T307] ret_from_fork+0x1f/0x30
[ 33.296974][ T307]
[ 33.299146][ T307] The buggy address belongs to the object at ffff888107de1780
[ 33.299146][ T307] which belongs to the cache skbuff_head_cache of size 248
[ 33.313667][ T307] The buggy address is located 0 bytes inside of
[ 33.313667][ T307] 248-byte region [ffff888107de1780, ffff888107de1878)
[ 33.326574][ T307] The buggy address belongs to the page:
[ 33.332046][ T307] page:ffffea00041f7840 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107de1
[ 33.342107][ T307] flags: 0x4000000000000200(slab|zone=1)
[ 33.347581][ T307] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3380
[ 33.356002][ T307] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 33.364411][ T307] page dumped because: kasan: bad access detected
[ 33.370764][ T307] page_owner tracks the page as allocated
[ 33.376315][ T307] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 289, ts 32608976463, free_ts 32608388482
[ 33.392187][ T307] post_alloc_hook+0x1a3/0x1b0
[ 33.396786][ T307] prep_new_page+0x1b/0x110
[ 33.401301][ T307] get_page_from_freelist+0x3550/0x35d0
[ 33.406686][ T307] __alloc_pages+0x27e/0x8f0
[ 33.411122][ T307] new_slab+0x9a/0x4e0
[ 33.415024][ T307] ___slab_alloc+0x39e/0x830
[ 33.419441][ T307] __slab_alloc+0x4a/0x90
[ 33.423609][ T307] kmem_cache_alloc+0x134/0x200
[ 33.428391][ T307] skb_clone+0x1d1/0x360
[ 33.432547][ T307] dev_queue_xmit_nit+0x25b/0xa40
[ 33.437503][ T307] dev_hard_start_xmit+0x149/0x620
[ 33.442438][ T307] sch_direct_xmit+0x298/0x9b0
[ 33.447039][ T307] __dev_queue_xmit+0x161e/0x2e70
[ 33.451899][ T307] dev_queue_xmit+0x17/0x20
[ 33.456238][ T307] ip_finish_output2+0xb9f/0xf60
[ 33.461024][ T307] __ip_finish_output+0x162/0x360
[ 33.465873][ T307] page last free stack trace:
[ 33.470472][ T307] free_unref_page_prepare+0x7c8/0x7d0
[ 33.475764][ T307] free_unref_page+0xe8/0x750
[ 33.480365][ T307] __free_pages+0x61/0xf0
[ 33.484542][ T307] __vunmap+0x7bc/0x8f0
[ 33.488616][ T307] vfree+0x7f/0xb0
[ 33.492175][ T307] bpf_patch_insn_data+0x7f0/0xde0
[ 33.497211][ T307] bpf_check+0x6653/0x12bf0
[ 33.501550][ T307] bpf_prog_load+0x12ac/0x1b50
[ 33.506259][ T307] __sys_bpf+0x4bc/0x760
[ 33.510320][ T307] __x64_sys_bpf+0x7c/0x90
[ 33.514567][ T307] do_syscall_64+0x3d/0xb0
[ 33.518837][ T307] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 33.524553][ T307]
[ 33.526808][ T307] Memory state around the buggy address:
[pid 314] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x20000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 314] close(3) = 0
[pid 314] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 314] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 314] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 314] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 314] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x20000000, value=0x20000080, flags=BPF_ANY}, 32) = 0
[pid 314] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 314] write(7, "5", 1) = 1
[ 33.532300][ T307] ffff888107de1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.540289][ T307] ffff888107de1700: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 33.548233][ T307] >ffff888107de1780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.556262][ T307] ^
[ 33.560247][ T307] ffff888107de1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 33.568327][ T307] ffff888107de1880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 33.576211][ T307] ==================================================================
[ 33.589823][ T314] FAULT_INJECTION: forcing a failure.
[ 33.589823][ T314] name failslab, interval 1, probability 0, space 0, times 0
[ 33.603663][ T314] CPU: 1 PID: 314 Comm: syz-executor533 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 33.616146][ T314] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 33.626561][ T314] Call Trace:
[ 33.630283][ T314]
[ 33.633387][ T314] dump_stack_lvl+0x151/0x1b7
[ 33.639707][ T314] ? io_uring_drop_tctx_refs+0x190/0x190
[ 33.646560][ T314] dump_stack+0x15/0x17
[ 33.650897][ T314] should_fail+0x3c6/0x510
[ 33.655210][ T314] __should_failslab+0xa4/0xe0
[ 33.660476][ T314] should_failslab+0x9/0x20
[ 33.664810][ T314] slab_pre_alloc_hook+0x37/0xd0
[ 33.672534][ T314] kmem_cache_alloc_trace+0x48/0x210
[ 33.677722][ T314] ? sk_psock_skb_ingress_self+0x60/0x330
[ 33.683638][ T314] ? migrate_disable+0x190/0x190
[ 33.688410][ T314] sk_psock_skb_ingress_self+0x60/0x330
[ 33.693910][ T314] sk_psock_verdict_recv+0x66d/0x840
[ 33.699083][ T314] unix_read_sock+0x132/0x370
[ 33.704191][ T314] ? sk_psock_skb_redirect+0x440/0x440
[ 33.709673][ T314] ? unix_stream_splice_actor+0x120/0x120
[ 33.715327][ T314] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 33.720699][ T314] ? unix_stream_splice_actor+0x120/0x120
[ 33.726779][ T314] sk_psock_verdict_data_ready+0x147/0x1a0
[ 33.733759][ T314] ? sk_psock_start_verdict+0xc0/0xc0
[ 33.739708][ T314] ? _raw_spin_lock+0xa4/0x1b0
[ 33.744464][ T314] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 33.751079][ T314] ? skb_queue_tail+0xfb/0x120
[ 33.755830][ T314] unix_dgram_sendmsg+0x15fa/0x2090
[ 33.760917][ T314] ? unix_dgram_poll+0x710/0x710
[ 33.766063][ T314] ? security_socket_sendmsg+0x82/0xb0
[ 33.771427][ T314] ? unix_dgram_poll+0x710/0x710
[ 33.776197][ T314] ____sys_sendmsg+0x59e/0x8f0
[ 33.780974][ T314] ? __sys_sendmsg_sock+0x40/0x40
[ 33.785830][ T314] ? import_iovec+0xe5/0x120
[ 33.790265][ T314] ___sys_sendmsg+0x252/0x2e0
[ 33.794776][ T314] ? __sys_sendmsg+0x260/0x260
[ 33.799369][ T314] ? finish_task_switch+0x167/0x7b0
[ 33.804404][ T314] ? __schedule+0xcd4/0x1590
[ 33.808831][ T314] ? __kasan_check_write+0x14/0x20
[ 33.814094][ T314] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 33.819011][ T314] ? __kasan_check_read+0x11/0x20
[ 33.823874][ T314] ? __fdget+0x179/0x240
[ 33.827943][ T314] __se_sys_sendmsg+0x19a/0x260
[ 33.832729][ T314] ? _raw_spin_unlock_irq+0x4e/0x70
[ 33.837761][ T314] ? __x64_sys_sendmsg+0x90/0x90
[ 33.842614][ T314] ? __kasan_check_read+0x11/0x20
[ 33.847558][ T314] __x64_sys_sendmsg+0x7b/0x90
[ 33.852185][ T314] do_syscall_64+0x3d/0xb0
[ 33.856523][ T314] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 33.862623][ T314] RIP: 0033:0x7f0faf3d9b69
[ 33.866871][ T314] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[pid 314] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 314] exit_group(0) = ?
[pid 314] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=314, si_uid=0, si_status=0, si_utime=0, si_stime=65} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556e17650) = 317
./strace-static-x86_64: Process 317 attached
[pid 317] set_robust_list(0x555556e17660, 24) = 0
[pid 317] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 317] setpgid(0, 0) = 0
[pid 317] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 317] write(3, "1000", 4) = 4
[pid 317] close(3) = 0
[pid 317] write(1, "executing program\n", 18executing program
) = 18
[ 33.886394][ T314] RSP: 002b:00007fff53268ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 33.894631][ T314] RAX: ffffffffffffffda RBX: 00007fff53268ae0 RCX: 00007f0faf3d9b69
[ 33.902441][ T314] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 33.910810][ T314] RBP: 0000000000000001 R08: 00007fff53268867 R09: 00000000000000a0
[ 33.918887][ T314] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 33.926685][ T314] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 33.934507][ T314]
[ 33.938660][ T6] ==================================================================
[ 33.946651][ T6] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 33.954889][ T6]
[ 33.957069][ T6] CPU: 0 PID: 6 Comm: kworker/0:0 Tainted: G B 5.15.152-syzkaller-00143-g70e1a731d986 #0
[ 33.968009][ T6] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 33.977905][ T6] Workqueue: events bpf_map_free_deferred
[ 33.983441][ T6] Call Trace:
[ 33.986574][ T6]
[ 33.989341][ T6] dump_stack_lvl+0x151/0x1b7
[ 33.993853][ T6] ? io_uring_drop_tctx_refs+0x190/0x190
[ 33.999352][ T6] ? panic+0x751/0x751
[ 34.003228][ T6] ? call_rcu+0xd90/0x1310
[ 34.007482][ T6] ? kmem_cache_free+0x116/0x2e0
[ 34.012256][ T6] print_address_description+0x87/0x3b0
[ 34.017720][ T6] ? kmem_cache_free+0x116/0x2e0
[ 34.022509][ T6] ? kmem_cache_free+0x116/0x2e0
[ 34.027274][ T6] kasan_report_invalid_free+0x6b/0xa0
[ 34.032566][ T6] ____kasan_slab_free+0x13e/0x160
[ 34.037507][ T6] __kasan_slab_free+0x11/0x20
[ 34.042118][ T6] slab_free_freelist_hook+0xbd/0x190
[ 34.047498][ T6] ? kfree_skbmem+0x104/0x170
[ 34.052099][ T6] kmem_cache_free+0x116/0x2e0
[ 34.056701][ T6] kfree_skbmem+0x104/0x170
[ 34.061168][ T6] consume_skb+0xb4/0x250
[ 34.065328][ T6] __sk_msg_free+0x2dd/0x370
[ 34.069755][ T6] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 34.075399][ T6] sk_psock_stop+0x44c/0x4d0
[ 34.079831][ T6] sk_psock_drop+0x219/0x310
[ 34.084266][ T6] sock_map_unref+0x48f/0x4d0