Warning: Permanently added '10.128.0.139' (ED25519) to the list of known hosts.
2025/08/28 06:53:07 parsed 1 programs
[ 69.171289][ T1939] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2025/08/28 06:53:15 executed programs: 0
2025/08/28 06:53:21 executed programs: 2
[ 82.785931][ T2938] netlink: 40 bytes leftover after parsing attributes in process `syz.3.17'.
[ 82.809895][ T2941] netlink: 40 bytes leftover after parsing attributes in process `syz.3.18'.
[ 82.831523][ T2943] netlink: 40 bytes leftover after parsing attributes in process `syz.3.19'.
[ 82.850687][ T2945] netlink: 40 bytes leftover after parsing attributes in process `syz.3.20'.
[ 82.870149][ T2947] netlink: 40 bytes leftover after parsing attributes in process `syz.3.21'.
[ 82.890433][ T2949] netlink: 40 bytes leftover after parsing attributes in process `syz.3.22'.
[ 82.911145][ T2951] netlink: 40 bytes leftover after parsing attributes in process `syz.3.23'.
[ 82.930610][ T2953] netlink: 40 bytes leftover after parsing attributes in process `syz.3.24'.
[ 82.946427][ T2955] netlink: 40 bytes leftover after parsing attributes in process `syz.3.25'.
[ 82.978493][ T2957] netlink: 40 bytes leftover after parsing attributes in process `syz.3.26'.
2025/08/28 06:53:26 executed programs: 294
[ 87.808455][ T3527] __nla_validate_parse: 284 callbacks suppressed
[ 87.808463][ T3527] netlink: 40 bytes leftover after parsing attributes in process `syz.3.311'.
[ 87.832365][ T3529] netlink: 40 bytes leftover after parsing attributes in process `syz.3.312'.
[ 87.848475][ T3531] netlink: 40 bytes leftover after parsing attributes in process `syz.3.313'.
[ 87.877604][ T3533] netlink: 40 bytes leftover after parsing attributes in process `syz.3.314'.
[ 87.895644][ T3535] netlink: 40 bytes leftover after parsing attributes in process `syz.3.315'.
[ 87.912219][ T3537] netlink: 40 bytes leftover after parsing attributes in process `syz.3.316'.
[ 87.937381][ T3539] netlink: 40 bytes leftover after parsing attributes in process `syz.3.317'.
[ 87.955704][ T3541] netlink: 40 bytes leftover after parsing attributes in process `syz.3.318'.
[ 87.972596][ T3543] netlink: 40 bytes leftover after parsing attributes in process `syz.3.319'.
[ 87.996928][ T3545] netlink: 40 bytes leftover after parsing attributes in process `syz.3.320'.
2025/08/28 06:53:31 executed programs: 593
[ 92.815810][ T4123] __nla_validate_parse: 288 callbacks suppressed
[ 92.815819][ T4123] netlink: 40 bytes leftover after parsing attributes in process `syz.3.609'.
[ 92.839234][ T4125] netlink: 40 bytes leftover after parsing attributes in process `syz.3.610'.
[ 92.857945][ T4127] netlink: 40 bytes leftover after parsing attributes in process `syz.3.611'.
[ 92.874882][ T4129] netlink: 40 bytes leftover after parsing attributes in process `syz.3.612'.
[ 92.892870][ T4131] netlink: 40 bytes leftover after parsing attributes in process `syz.3.613'.
[ 92.916616][ T4133] netlink: 40 bytes leftover after parsing attributes in process `syz.3.614'.
[ 92.933431][ T4135] netlink: 40 bytes leftover after parsing attributes in process `syz.3.615'.
[ 92.950815][ T4137] netlink: 40 bytes leftover after parsing attributes in process `syz.3.616'.
[ 93.093665][ T47] ==================================================================
[ 93.101759][ T47] BUG: KASAN: slab-use-after-free in __xfrm_state_delete+0x528/0x740
[ 93.109815][ T47] Write of size 8 at addr ffff88810f745128 by task kworker/u8:3/47
[ 93.117682][ T47]
[ 93.120014][ T47] CPU: 1 UID: 0 PID: 47 Comm: kworker/u8:3 Not tainted syzkaller #0 PREEMPT(undef)
[ 93.120021][ T47] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[ 93.120026][ T47] Workqueue: netns cleanup_net
[ 93.120043][ T47] Call Trace:
[ 93.120049][ T47]
[ 93.120053][ T47] dump_stack_lvl+0xf4/0x170
[ 93.120063][ T47] ? __pfx_dump_stack_lvl+0x10/0x10
[ 93.120069][ T47] ? rcu_is_watching+0x1f/0xa0
[ 93.120075][ T47] ? __virt_addr_valid+0x176/0x2b0
[ 93.120081][ T47] ? lock_release+0x42/0x2f0
[ 93.120086][ T47] ? lock_acquire+0x69/0x210
[ 93.120090][ T47] ? _raw_spin_lock_irqsave+0xa5/0xe0
[ 93.120096][ T47] ? __virt_addr_valid+0x176/0x2b0
[ 93.120100][ T47] ? __virt_addr_valid+0x262/0x2b0
[ 93.120105][ T47] print_report+0xd2/0x2b0
[ 93.120110][ T47] ? __xfrm_state_delete+0x528/0x740
[ 93.120117][ T47] kasan_report+0x118/0x150
[ 93.120124][ T47] ? __xfrm_state_delete+0x528/0x740
[ 93.120131][ T47] __xfrm_state_delete+0x528/0x740
[ 93.120137][ T47] xfrm_state_flush+0x1fe/0x460
[ 93.120144][ T47] xfrm_state_fini+0x49/0x1f0
[ 93.120150][ T47] ops_undo_list+0x49d/0x720
[ 93.120156][ T47] ? __pfx_ops_undo_list+0x10/0x10
[ 93.120161][ T47] ? do_raw_spin_unlock+0x122/0x240
[ 93.120166][ T47] cleanup_net+0x45a/0x720
[ 93.120171][ T47] ? __pfx_cleanup_net+0x10/0x10
[ 93.120177][ T47] ? process_scheduled_works+0x90e/0x12d0
[ 93.120183][ T47] process_scheduled_works+0x995/0x12d0
[ 93.120191][ T47] ? __pfx_process_scheduled_works+0x10/0x10
[ 93.120197][ T47] ? assign_work+0x25f/0x380
[ 93.120202][ T47] worker_thread+0x850/0xc60
[ 93.120211][ T47] kthread+0x59b/0x690
[ 93.120218][ T47] ? __pfx_worker_thread+0x10/0x10
[ 93.120222][ T47] ? __pfx_kthread+0x10/0x10
[ 93.120228][ T47] ? do_raw_spin_unlock+0x122/0x240
[ 93.120232][ T47] ? __pfx_kthread+0x10/0x10
[ 93.120237][ T47] ret_from_fork+0x139/0x2d0
[ 93.120242][ T47] ? __pfx_kthread+0x10/0x10
[ 93.120247][ T47] ret_from_fork_asm+0x1a/0x30
[ 93.120253][ T47]
[ 93.120256][ T47]
[ 93.322186][ T47] Allocated by task 3963:
[ 93.326494][ T47] kasan_save_track+0x3e/0x80
[ 93.331176][ T47] __kasan_slab_alloc+0x6c/0x80
[ 93.335997][ T47] kmem_cache_alloc_noprof+0x1b1/0x400
[ 93.341447][ T47] xfrm_state_alloc+0x1f/0x2d0
[ 93.346190][ T47] __find_acq_core+0x1a0/0x1a20
[ 93.351022][ T47] xfrm_find_acq+0x73/0xa0
[ 93.355413][ T47] xfrm_alloc_userspi+0x557/0xaa0
[ 93.360414][ T47] xfrm_user_rcv_msg+0x461/0x730
[ 93.365330][ T47] netlink_rcv_skb+0x1e6/0x3b0
[ 93.370504][ T47] xfrm_netlink_rcv+0x6f/0x80
[ 93.375149][ T47] netlink_unicast+0x551/0x770
[ 93.379878][ T47] netlink_sendmsg+0x60d/0x920
[ 93.384608][ T47] __sock_sendmsg+0x1dd/0x220
[ 93.389252][ T47] ____sys_sendmsg+0x4ac/0x710
[ 93.393983][ T47] ___sys_sendmsg+0x1d7/0x250
[ 93.398711][ T47] __x64_sys_sendmsg+0x175/0x200
[ 93.403719][ T47] do_syscall_64+0x8f/0x250
[ 93.408187][ T47] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 93.414073][ T47]
[ 93.416377][ T47] Freed by task 47:
[ 93.420153][ T47] kasan_save_track+0x3e/0x80
[ 93.424898][ T47] kasan_save_free_info+0x46/0x50
[ 93.429907][ T47] __kasan_slab_free+0x62/0x70
[ 93.434645][ T47] kmem_cache_free+0x175/0x460
[ 93.439393][ T47] xfrm_state_flush+0x264/0x460
[ 93.444233][ T47] xfrm_state_fini+0x49/0x1f0
[ 93.448935][ T47] ops_undo_list+0x49d/0x720
[ 93.453586][ T47] cleanup_net+0x45a/0x720
[ 93.458066][ T47] process_scheduled_works+0x995/0x12d0
[ 93.463581][ T47] worker_thread+0x850/0xc60
[ 93.468237][ T47] kthread+0x59b/0x690
[ 93.472275][ T47] ret_from_fork+0x139/0x2d0
[ 93.476844][ T47] ret_from_fork_asm+0x1a/0x30
[ 93.481854][ T47]
[ 93.484158][ T47] The buggy address belongs to the object at ffff88810f745100
[ 93.484158][ T47] which belongs to the cache xfrm_state of size 928
[ 93.498112][ T47] The buggy address is located 40 bytes inside of
[ 93.498112][ T47] freed 928-byte region [ffff88810f745100, ffff88810f7454a0)
[ 93.511798][ T47]
[ 93.514168][ T47] The buggy address belongs to the physical page:
[ 93.520559][ T47] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f744
[ 93.529379][ T47] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 93.538019][ T47] flags: 0x200000000000040(head|node=0|zone=2)
[ 93.544245][ T47] page_type: f5(slab)
[ 93.548193][ T47] raw: 0200000000000040 ffff8881072b73c0 dead000000000122 0000000000000000
[ 93.556743][ T47] raw: 0000000000000000 00000000000f000f 00000000f5000000 0000000000000000
[ 93.565292][ T47] head: 0200000000000040 ffff8881072b73c0 dead000000000122 0000000000000000
[ 93.573941][ T47] head: 0000000000000000 00000000000f000f 00000000f5000000 0000000000000000
[ 93.582592][ T47] head: 0200000000000002 ffffea00043dd101 00000000ffffffff 00000000ffffffff
[ 93.591248][ T47] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
[ 93.599891][ T47] page dumped because: kasan: bad access detected
[ 93.606285][ T47] page_owner tracks the page as allocated
[ 93.612025][ T47] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 3947, tgid 3946 (syz.3.521), ts 91357951899, free_ts 75037225975
[ 93.631354][ T47] post_alloc_hook+0x168/0x1a0
[ 93.636112][ T47] get_page_from_freelist+0x2cf9/0x2eb0
[ 93.641647][ T47] __alloc_frozen_pages_noprof+0x26b/0x460
[ 93.647422][ T47] alloc_pages_mpol+0xcb/0x270
[ 93.652155][ T47] allocate_slab+0x8a/0x350
[ 93.656730][ T47] ___slab_alloc+0x9dc/0x10e0
[ 93.661378][ T47] kmem_cache_alloc_noprof+0x26e/0x400
[ 93.666802][ T47] xfrm_state_alloc+0x1f/0x2d0
[ 93.671621][ T47] __find_acq_core+0x1a0/0x1a20
[ 93.676440][ T47] xfrm_find_acq+0x73/0xa0
[ 93.680825][ T47] xfrm_alloc_userspi+0x557/0xaa0
[ 93.685821][ T47] xfrm_user_rcv_msg+0x461/0x730
[ 93.690729][ T47] netlink_rcv_skb+0x1e6/0x3b0
[ 93.695486][ T47] xfrm_netlink_rcv+0x6f/0x80
[ 93.700130][ T47] netlink_unicast+0x551/0x770
[ 93.705065][ T47] netlink_sendmsg+0x60d/0x920
[ 93.709797][ T47] page last free pid 2349 tgid 2349 stack trace:
[ 93.716174][ T47] __free_frozen_pages+0xa6d/0xc50
[ 93.721253][ T47] __put_partials+0x157/0x1b0
[ 93.725896][ T47] put_cpu_partial+0x154/0x1c0
[ 93.730630][ T47] __slab_free+0x2a5/0x3a0
[ 93.735012][ T47] qlist_free_all+0x97/0x140
[ 93.739571][ T47] kasan_quarantine_reduce+0x148/0x160
[ 93.745111][ T47] __kasan_slab_alloc+0x22/0x80
[ 93.749934][ T47] kmem_cache_alloc_noprof+0x1b1/0x400
[ 93.755360][ T47] __anon_vma_prepare+0x84/0x3f0
[ 93.760266][ T47] handle_mm_fault+0x202e/0x2450
[ 93.765244][ T47] do_user_addr_fault+0x31a/0xc30
[ 93.770247][ T47] exc_page_fault+0x62/0xa0
[ 93.774743][ T47] asm_exc_page_fault+0x26/0x30
[ 93.779559][ T47]
[ 93.781856][ T47] Memory state around the buggy address:
[ 93.787477][ T47]  ffff88810f745000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 93.795506][ T47]  ffff88810f745080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 93.803537][ T47] >ffff88810f745100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.811564][ T47]                                   ^
[ 93.816999][ T47]  ffff88810f745180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.825053][ T47]  ffff88810f745200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.833104][ T47] ==================================================================
[ 93.841206][ T47] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 93.848768][ T47] Kernel Offset: disabled
[ 93.853081][ T47] Rebooting in 86400 seconds..