ci starts bisection 2025-07-15 18:39:45.857656496 +0000 UTC m=+105172.198383730
bisecting cause commit starting from 55e8757c696210292cfda6f1464991d6f5c4300f
building syzkaller on 03fcfc4b7385b545a89a3fc62bef4e1ec7532e0d
ensuring issue is reproducible on original commit 55e8757c696210292cfda6f1464991d6f5c4300f
testing commit 55e8757c696210292cfda6f1464991d6f5c4300f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 984876dae52ac118db007b17dff5190282c3ad7776131104c3376f082f1817a0
all runs: crashed: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue
representative crash: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue, types: [KASAN-USE-AFTER-FREE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 55e8757c696210292cfda6f1464991d6f5c4300f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 670c440c1a390dd9b731b9f51adaf72a184b309eff3e195324afc0defa741184
all runs: crashed: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue
representative crash: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue, types: [KASAN-USE-AFTER-FREE-READ]
the bug reproduces without the instrumentation
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
kconfig minimization: base=4095 full=8485 leaves diff=2185
split chunks (needed=false): <2185>
split chunk #0 of len 2185 into 5 parts
testing without sub-chunk 1/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 55e8757c696210292cfda6f1464991d6f5c4300f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: c0b5de9ace628bff99f8d14badaca016ae0c727a59039692278ef241a31ce56e
all runs: crashed: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue
representative crash: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 55e8757c696210292cfda6f1464991d6f5c4300f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: bd7213e59de9941030479d28ac4746872d7eba1ec51149166998e3a2953015ae
all runs: crashed: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue
representative crash: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit 55e8757c696210292cfda6f1464991d6f5c4300f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 6ae5404a0025536fd0eed00b04d462bf407f3d4ce35d518768f7e6640bbee9fc
all runs: crashed: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue
representative crash: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 55e8757c696210292cfda6f1464991d6f5c4300f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: b28561451cf3d682e7c4adef6aa40173b49eef172ee389d4b2d97d964bed4c61
all runs: crashed: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue
representative crash: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit 55e8757c696210292cfda6f1464991d6f5c4300f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ddc8540828c502ef3343b3aa543d32451560b41bf6042a7dd9b8ec6b3ba1e3df
all runs: crashed: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue
representative crash: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags
testing release v6.15
testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: a4ff9df5eb2535631fa8fbf377d1cb71aa311e6c328d6686977e97ba12863b7f
all runs: OK
false negative chance: 0.000
# git bisect start 55e8757c696210292cfda6f1464991d6f5c4300f 0ff41df1cb268fc69e703a08a57ee14ae967d0ca
Bisecting: 8275 revisions left to test after this (roughly 13 steps)
[1193e205dbb6feca917dc8e1862ffcdf2194234b] Merge tag 'platform-drivers-x86-v6.16-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
testing commit 1193e205dbb6feca917dc8e1862ffcdf2194234b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 6fb7c75f73a79ee53538259871bbe402f3ffc8022efed1e936d9a7e0e0155173
all runs: OK
false negative chance: 0.000
# git bisect good 1193e205dbb6feca917dc8e1862ffcdf2194234b
Bisecting: 4139 revisions left to test after this (roughly 12 steps)
[e271ed52b344ac02d4581286961d0c40acc54c03] Merge tag 'pm-6.16-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit e271ed52b344ac02d4581286961d0c40acc54c03 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: f470024a76f62a8f71fdc80bcbbc40a4d6aafddba1f0ae674b6a3d0df2667d1f
all runs: OK
false negative chance: 0.000
# git bisect good e271ed52b344ac02d4581286961d0c40acc54c03
Bisecting: 2069 revisions left to test after this (roughly 11 steps)
[ee88bddf7f2f5d1f1da87dd7bedc734048b70e88] Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit ee88bddf7f2f5d1f1da87dd7bedc734048b70e88 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: de3b7e7a30833313af671894521af4457645a6bda5ead3da727ff819a0a21d2d
all runs: OK
false negative chance: 0.000
# git bisect good ee88bddf7f2f5d1f1da87dd7bedc734048b70e88
Bisecting: 1131 revisions left to test after this (roughly 10 steps)
[a31cb447b5473cdc08732ec6362202a1ba8e2fe1] igbvf: add tx_timeout_count to ethtool statistics
testing commit a31cb447b5473cdc08732ec6362202a1ba8e2fe1 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ccacd61df62b3a1ae1e5f04a54b647fbe83d9ba300cc8385288ffc3993a7b91a
all runs: OK
false negative chance: 0.000
# git bisect good a31cb447b5473cdc08732ec6362202a1ba8e2fe1
Bisecting: 566 revisions left to test after this (roughly 9 steps)
[c92bda4cb96970b78037d52cfae43844044744b1] Merge tag 'edac_urgent_for_v6.16_rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras
testing commit c92bda4cb96970b78037d52cfae43844044744b1 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 6cd8e6e3ee739d9ff97ed61b31f1300c88acfec42368672c5418db0ee8ab227c
all runs: OK
false negative chance: 0.000
# git bisect good c92bda4cb96970b78037d52cfae43844044744b1
Bisecting: 234 revisions left to test after this (roughly 8 steps)
[3321e97eab71df7d632b35276da9f8503e6e040f] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 3321e97eab71df7d632b35276da9f8503e6e040f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 793961d77a85a41b2ad98b5a1982767b0754f7ad2f8846d54075488ee920ce91
all runs: OK
false negative chance: 0.000
# git bisect good 3321e97eab71df7d632b35276da9f8503e6e040f
Bisecting: 140 revisions left to test after this (roughly 7 steps)
[a339dd699a7aa01bce4b38c8d81def310cf2bca0] selftests: drv-net: Add bpftool util
testing commit a339dd699a7aa01bce4b38c8d81def310cf2bca0 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: fb016a51988689ee029dd04312df24d8e57b807e216136d91ee06d51201311f2
all runs: OK
false negative chance: 0.000
# git bisect good a339dd699a7aa01bce4b38c8d81def310cf2bca0
Bisecting: 70 revisions left to test after this (roughly 6 steps)
[d300335b4e18672913dd792ff9f49e6cccf41d26] net_sched: act_ctinfo: use atomic64_t for three counters
testing commit d300335b4e18672913dd792ff9f49e6cccf41d26 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 76ebbca776e1b021b13bd0a197c6470b47c45b639eb49db87c6fccc7855d7553
all runs: OK
false negative chance: 0.000
# git bisect good d300335b4e18672913dd792ff9f49e6cccf41d26
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[c0a3923adafa79bebaac9a5d0b1fbfdbf2ea1d9b] Merge branch 'net-fec-add-some-optimizations'
testing commit c0a3923adafa79bebaac9a5d0b1fbfdbf2ea1d9b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 6b2252959dd6c8cb8dfca24c20e38021fcbcf3970bee45a70df4cad6e36a82a3
all runs: OK
false negative chance: 0.000
# git bisect good c0a3923adafa79bebaac9a5d0b1fbfdbf2ea1d9b
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[9ca48d616ed76b284f946667a3cb7961205c8ee3] tcp: do not accept packets beyond window
testing commit 9ca48d616ed76b284f946667a3cb7961205c8ee3 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 327fc33dc083434150ed609a7cc3821c73d9658ffc87e93383649e5c696e908b
all runs: OK
false negative chance: 0.000
# git bisect good 9ca48d616ed76b284f946667a3cb7961205c8ee3
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[a8594c956cc9dc6799554a554bc422d1ffd4c46b] ipv6: mcast: Avoid a duplicate pointer check in mld_del_delrec()
testing commit a8594c956cc9dc6799554a554bc422d1ffd4c46b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 3b33eb1a338d7e6fa05149f0d1ce71d810c43f7c267115620c8ddd11e54cb7dc
all runs: crashed: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue
representative crash: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad a8594c956cc9dc6799554a554bc422d1ffd4c46b
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[445e0cc38d498e341f36f2e3a9cacf1ddf0b09b6] selftests/net: packetdrill: add tcp_ooo_rcv_mss.pkt
testing commit 445e0cc38d498e341f36f2e3a9cacf1ddf0b09b6 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 5a1e3e349a651bd9f4df4ebeada4a4d583ace3a333eacde9e68b1703138517c1
all runs: OK
false negative chance: 0.000
# git bisect good 445e0cc38d498e341f36f2e3a9cacf1ddf0b09b6
Bisecting: 2 revisions left to test after this (roughly 1 step)
[1d2fbaad7cd8cc96899179f9898ad2787a15f0a0] tcp: stronger sk_rcvbuf checks
testing commit 1d2fbaad7cd8cc96899179f9898ad2787a15f0a0 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 9f1988955dab25578df743669cb92faa890e4e0d07283594b654fdf957721e67
all runs: crashed: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue
representative crash: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad 1d2fbaad7cd8cc96899179f9898ad2787a15f0a0
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[75dff0584cce79203ee9968c66c7589150fed591] tcp: add const to tcp_try_rmem_schedule() and sk_rmem_schedule() skb
testing commit 75dff0584cce79203ee9968c66c7589150fed591 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: b8ebe0e478edf172bff56741f993861511bf0467eebf47059e2914c02c6c6a7f
all runs: OK
false negative chance: 0.000
# git bisect good 75dff0584cce79203ee9968c66c7589150fed591
1d2fbaad7cd8cc96899179f9898ad2787a15f0a0 is the first bad commit
commit 1d2fbaad7cd8cc96899179f9898ad2787a15f0a0
Author: Eric Dumazet
Date:   Fri Jul 11 11:40:05 2025 +0000

    tcp: stronger sk_rcvbuf checks

    Currently, TCP stack accepts incoming packet if sizes of receive queues
    are below sk->sk_rcvbuf limit.

    This can cause memory overshoot if the packet is big, like an 1/2 MB
    BIG TCP one.

    Refine the check to take into account the incoming skb truesize.

    Note that we still accept the packet if the receive queue is empty,
    to not completely freeze TCP flows in pathological conditions.

    Signed-off-by: Eric Dumazet
    Reviewed-by: Kuniyuki Iwashima
    Link: https://patch.msgid.link/20250711114006.480026-8-edumazet@google.com
    Signed-off-by: Jakub Kicinski

 net/ipv4/tcp_input.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

accumulated error probability: 0.00
culprit signature: 9f1988955dab25578df743669cb92faa890e4e0d07283594b654fdf957721e67
parent signature: b8ebe0e478edf172bff56741f993861511bf0467eebf47059e2914c02c6c6a7f
revisions tested: 22, total time: 6h15m7.318984967s (build: 2h26m57.802096699s, test: 3h21m28.84609703s)
first bad commit: 1d2fbaad7cd8cc96899179f9898ad2787a15f0a0 tcp: stronger sk_rcvbuf checks
recipients (to): ["edumazet@google.com" "kuba@kernel.org" "kuniyu@google.com"]
recipients (cc): []
crash: KASAN: slab-use-after-free Read in tcp_prune_ofo_queue
==================================================================
BUG: KASAN: slab-use-after-free in tcp_can_ingest net/ipv4/tcp_input.c:4896 [inline]
BUG: KASAN: slab-use-after-free in tcp_prune_ofo_queue+0x316/0x5f0 net/ipv4/tcp_input.c:5520
Read of size 4 at addr ffff888126122430 by task syz.6.43/2614

CPU: 0 UID: 0 PID: 2614 Comm: syz.6.43 Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xf4/0x170 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xd2/0x2b0 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 tcp_can_ingest net/ipv4/tcp_input.c:4896 [inline]
 tcp_prune_ofo_queue+0x316/0x5f0 net/ipv4/tcp_input.c:5520
 tcp_prune_queue net/ipv4/tcp_input.c:5575 [inline]
 tcp_try_rmem_schedule+0xaf1/0x1640 net/ipv4/tcp_input.c:4907
 tcp_data_queue+0x38e/0x6420 net/ipv4/tcp_input.c:5192
 tcp_rcv_established+0xf15/0x2060 net/ipv4/tcp_input.c:6208
 tcp_v4_do_rcv+0x239/0xab0 net/ipv4/tcp_ipv4.c:1925
 __release_sock+0x96/0x180 net/core/sock.c:3188
 release_sock+0x54/0x160 net/core/sock.c:3742
 tcp_sendmsg+0x31/0x40 net/ipv4/tcp.c:1394
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x163/0x220 net/socket.c:729
 __sys_sendto+0x31a/0x430 net/socket.c:2228
 __do_sys_sendto net/socket.c:2235 [inline]
 __se_sys_sendto net/socket.c:2231 [inline]
 __x64_sys_sendto+0xd9/0xf0 net/socket.c:2231
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe3ec14e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe3ebbbf038 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fe3ec375fa0 RCX: 00007fe3ec14e929
RDX: 000000000000059a RSI: 0000200000000580 RDI: 0000000000000003
RBP: 00007fe3ec1d0b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000010008095 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fe3ec375fa0 R15: 00007ffd4c938d38
 </TASK>

Allocated by task 2614:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_node_noprof+0x1a9/0x400 mm/slub.c:4249
 __alloc_skb+0xc4/0x250 net/core/skbuff.c:659
 alloc_skb_fclone include/linux/skbuff.h:1386 [inline]
 tcp_stream_alloc_skb+0x34/0x2f0 net/ipv4/tcp.c:892
 tso_fragment net/ipv4/tcp_output.c:2174 [inline]
 tcp_write_xmit+0x1683/0x6840 net/ipv4/tcp_output.c:2819
 __tcp_push_pending_frames+0x79/0x2f0 net/ipv4/tcp_output.c:3016
 tcp_sendmsg_locked+0x3a37/0x4230 net/ipv4/tcp.c:1356
 tcp_sendmsg+0x27/0x40 net/ipv4/tcp.c:1393
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x163/0x220 net/socket.c:729
 __sys_sendto+0x31a/0x430 net/socket.c:2228
 __do_sys_sendto net/socket.c:2235 [inline]
 __se_sys_sendto net/socket.c:2231 [inline]
 __x64_sys_sendto+0xd9/0xf0 net/socket.c:2231
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 2614:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kmem_cache_free+0x175/0x460 mm/slub.c:4745
 tcp_prune_ofo_queue+0x182/0x5f0 net/ipv4/tcp_input.c:5517
 tcp_prune_queue net/ipv4/tcp_input.c:5575 [inline]
 tcp_try_rmem_schedule+0xaf1/0x1640 net/ipv4/tcp_input.c:4907
 tcp_data_queue+0x38e/0x6420 net/ipv4/tcp_input.c:5192
 tcp_rcv_established+0xf15/0x2060 net/ipv4/tcp_input.c:6208
 tcp_v4_do_rcv+0x239/0xab0 net/ipv4/tcp_ipv4.c:1925
 __release_sock+0x96/0x180 net/core/sock.c:3188
 release_sock+0x54/0x160 net/core/sock.c:3742
 tcp_sendmsg+0x31/0x40 net/ipv4/tcp.c:1394
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x163/0x220 net/socket.c:729
 __sys_sendto+0x31a/0x430 net/socket.c:2228
 __do_sys_sendto net/socket.c:2235 [inline]
 __se_sys_sendto net/socket.c:2231 [inline]
 __x64_sys_sendto+0xd9/0xf0 net/socket.c:2231
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888126122280
 which belongs to the cache skbuff_fclone_cache of size 456
The buggy address is located 432 bytes inside of
 freed 456-byte region [ffff888126122280, ffff888126122448)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x126122
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff8881026c9b40 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
head: 0200000000000040 ffff8881026c9b40 dead000000000122 0000000000000000
head: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
head: 0200000000000001 ffffea0004984881 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 2614, tgid 2611 (syz.6.43), ts 90875663640, free_ts 90851698454
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x168/0x1a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x2cc3/0x2e80 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x26b/0x460 mm/page_alloc.c:4959
 alloc_pages_mpol+0xcb/0x270 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab+0x8a/0x350 mm/slub.c:2619
 new_slab mm/slub.c:2673 [inline]
 ___slab_alloc+0x9dc/0x10e0 mm/slub.c:3859
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 kmem_cache_alloc_node_noprof+0x26b/0x400 mm/slub.c:4249
 __alloc_skb+0xc4/0x250 net/core/skbuff.c:659
 alloc_skb_fclone include/linux/skbuff.h:1386 [inline]
 tcp_stream_alloc_skb+0x34/0x2f0 net/ipv4/tcp.c:892
 tso_fragment net/ipv4/tcp_output.c:2174 [inline]
 tcp_write_xmit+0x1683/0x6840 net/ipv4/tcp_output.c:2819
 __tcp_push_pending_frames+0x79/0x2f0 net/ipv4/tcp_output.c:3016
 tcp_sendmsg_locked+0x3a37/0x4230 net/ipv4/tcp.c:1356
 tcp_sendmsg+0x27/0x40 net/ipv4/tcp.c:1393
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x163/0x220 net/socket.c:729
 __sys_sendto+0x31a/0x430 net/socket.c:2228
 __do_sys_sendto net/socket.c:2235 [inline]
 __se_sys_sendto net/socket.c:2231 [inline]
 __x64_sys_sendto+0xd9/0xf0 net/socket.c:2231
page last free pid 2462 tgid 2462 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xa2e/0xc00 mm/page_alloc.c:2706
 __slab_free+0x2d6/0x3a0 mm/slub.c:4554
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_noprof+0x20d/0x500 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 tomoyo_realpath_from_path+0xf5/0x550 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x1d3/0x460 security/tomoyo/file.c:822
 security_file_truncate+0x40/0xb0 security/security.c:3146
 handle_truncate fs/namei.c:3515 [inline]
 do_open fs/namei.c:3900 [inline]
 path_openat+0x2582/0x2bb0 fs/namei.c:4055
 do_filp_open+0x1e4/0x3c0 fs/namei.c:4082
 do_sys_openat2+0xfa/0x180 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0xf3/0x120 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888126122300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888126122380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888126122400: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
                                     ^
 ffff888126122480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888126122500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================