Warning: Permanently added '10.128.0.249' (ED25519) to the list of known hosts.
2024/08/23 19:56:34 ignoring optional flag "sandboxArg"="0"
2024/08/23 19:56:34 parsed 1 programs
2024/08/23 19:56:35 executed programs: 0
[ 45.892254][ T30] kauditd_printk_skb: 19 callbacks suppressed
[ 45.892269][ T30] audit: type=1400 audit(1724442994.956:95): avc: denied { unlink } for pid=346 comm="syz-executor" name="swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 45.914902][ T346] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 45.976164][ T353] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.983044][ T353] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.990544][ T353] device bridge_slave_0 entered promiscuous mode
[ 45.997149][ T353] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.004027][ T353] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.011155][ T353] device bridge_slave_1 entered promiscuous mode
[ 46.054924][ T353] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.061789][ T353] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.068943][ T353] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.075778][ T353] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.095059][ T6] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.102210][ T6] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.109853][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 46.117109][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 46.126507][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 46.134526][ T309] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.141377][ T309] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.158387][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 46.166318][ T309] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.173259][ T309] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.180430][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 46.188721][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 46.198738][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 46.209755][ T353] device veth0_vlan entered promiscuous mode
[ 46.217618][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 46.225441][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 46.232830][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 46.243153][ T353] device veth1_macvtap entered promiscuous mode
[ 46.249995][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 46.262848][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 46.271349][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 46.290633][ T30] audit: type=1400 audit(1724442995.356:96): avc: denied { prog_load } for pid=358 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 46.311559][ T360] FAULT_INJECTION: forcing a failure.
[ 46.311559][ T360] name failslab, interval 1, probability 0, space 0, times 1
[ 46.314249][ T30] audit: type=1400 audit(1724442995.356:97): avc: denied { bpf } for pid=358 comm="syz-executor.0" capability=39 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1
[ 46.324789][ T360] CPU: 1 PID: 360 Comm: syz-executor.0 Not tainted 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 46.344684][ T30] audit: type=1400 audit(1724442995.356:98): avc: denied { perfmon } for pid=358 comm="syz-executor.0" capability=38 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1
[ 46.354515][ T360] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 46.354538][ T360] Call Trace:
[ 46.354544][ T360]
[ 46.354551][ T360] dump_stack_lvl+0x151/0x1c0
[ 46.354583][ T360] ? io_uring_drop_tctx_refs+0x190/0x190
[ 46.354608][ T360] dump_stack+0x15/0x20
[ 46.354627][ T360] should_fail+0x3c6/0x510
[ 46.375757][ T30] audit: type=1400 audit(1724442995.376:99): avc: denied { prog_run } for pid=358 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 46.385157][ T360] __should_failslab+0xa4/0xe0
[ 46.385185][ T360] should_failslab+0x9/0x20
[ 46.388329][ T30] audit: type=1400 audit(1724442995.376:100): avc: denied { map_create } for pid=358 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 46.391051][ T360] slab_pre_alloc_hook+0x37/0xd0
[ 46.395574][ T30] audit: type=1400 audit(1724442995.376:101): avc: denied { map_read map_write } for pid=358 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 46.401033][ T360] kmem_cache_alloc_trace+0x48/0x210
[ 46.401057][ T360] ? sk_psock_skb_ingress_self+0x60/0x330
[ 46.491389][ T360] ? migrate_disable+0x190/0x190
[ 46.496160][ T360] sk_psock_skb_ingress_self+0x60/0x330
[ 46.501543][ T360] sk_psock_verdict_recv+0x66d/0x840
[ 46.506661][ T360] unix_read_sock+0x132/0x370
[ 46.511182][ T360] ? sk_psock_skb_redirect+0x440/0x440
[ 46.516467][ T360] ? unix_stream_splice_actor+0x120/0x120
[ 46.522110][ T360] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 46.527404][ T360] ? unix_stream_splice_actor+0x120/0x120
[ 46.532959][ T360] sk_psock_verdict_data_ready+0x147/0x1a0
[ 46.538601][ T360] ? sk_psock_start_verdict+0xc0/0xc0
[ 46.543810][ T360] ? _raw_spin_lock+0xa4/0x1b0
[ 46.548411][ T360] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 46.554052][ T360] ? skb_queue_tail+0xfb/0x120
[ 46.558655][ T360] unix_dgram_sendmsg+0x15fa/0x2090
[ 46.563689][ T360] ? unix_dgram_poll+0x710/0x710
[ 46.568461][ T360] ? security_socket_sendmsg+0x82/0xb0
[ 46.573750][ T360] ? unix_dgram_poll+0x710/0x710
[ 46.578529][ T360] ____sys_sendmsg+0x59e/0x8f0
[ 46.583125][ T360] ? __sys_sendmsg_sock+0x40/0x40
[ 46.587993][ T360] ? import_iovec+0xe5/0x120
[ 46.592413][ T360] ___sys_sendmsg+0x252/0x2e0
[ 46.596927][ T360] ? __sys_sendmsg+0x260/0x260
[ 46.601533][ T360] ? __fdget+0x1bc/0x240
[ 46.605610][ T360] __se_sys_sendmsg+0x19a/0x260
[ 46.610294][ T360] ? __x64_sys_sendmsg+0x90/0x90
[ 46.615066][ T360] ? ksys_write+0x260/0x2c0
[ 46.619405][ T360] ? debug_smp_processor_id+0x17/0x20
[ 46.624610][ T360] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 46.630514][ T360] __x64_sys_sendmsg+0x7b/0x90
[ 46.635114][ T360] x64_sys_call+0x16a/0x9a0
[ 46.639457][ T360] do_syscall_64+0x3b/0xb0
[ 46.643703][ T360] ? clear_bhb_loop+0x35/0x90
[ 46.648220][ T360] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 46.653947][ T360] RIP: 0033:0x7f3fa6c9bea9
[ 46.658210][ T360] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 46.677644][ T360] RSP: 002b:00007f3fa681d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 46.685889][ T360] RAX: ffffffffffffffda RBX: 00007f3fa6dc9f80 RCX: 00007f3fa6c9bea9
[ 46.693697][ T360] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 46.701510][ T360] RBP: 00007f3fa681d120 R08: 0000000000000000 R09: 0000000000000000
[ 46.709319][ T360] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 46.717133][ T360] R13: 000000000000000b R14: 00007f3fa6dc9f80 R15: 00007ffdfb3e2148
[ 46.724947][ T360]
[ 46.730365][ T358] ==================================================================
[ 46.738245][ T358] BUG: KASAN: use-after-free in consume_skb+0x3c/0x250
[ 46.744923][ T358] Read of size 4 at addr ffff88810cc704ac by task syz-executor.0/358
[ 46.752821][ T358]
[ 46.754994][ T358] CPU: 0 PID: 358 Comm: syz-executor.0 Not tainted 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 46.765144][ T358] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 46.775040][ T358] Call Trace:
[ 46.778167][ T358]
[ 46.780947][ T358] dump_stack_lvl+0x151/0x1c0
[ 46.785458][ T358] ? io_uring_drop_tctx_refs+0x190/0x190
[ 46.790925][ T358] ? panic+0x760/0x760
[ 46.794830][ T358] ? debug_smp_processor_id+0x17/0x20
[ 46.800038][ T358] print_address_description+0x87/0x3b0
[ 46.805419][ T358] kasan_report+0x179/0x1c0
[ 46.809757][ T358] ? consume_skb+0x3c/0x250
[ 46.814099][ T358] ? consume_skb+0x3c/0x250
[ 46.818437][ T358] kasan_check_range+0x293/0x2a0
[ 46.823212][ T358] __kasan_check_read+0x11/0x20
[ 46.827906][ T358] consume_skb+0x3c/0x250
[ 46.832075][ T358] __sk_msg_free+0x2dd/0x370
[ 46.836488][ T358] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 46.842139][ T358] sk_psock_stop+0x44c/0x4d0
[ 46.846745][ T358] ? unix_peer_get+0xe0/0xe0
[ 46.851158][ T358] sock_map_close+0x2b9/0x4c0
[ 46.855672][ T358] ? sock_map_remove_links+0x650/0x650
[ 46.860967][ T358] ? rwsem_mark_wake+0x770/0x770
[ 46.865749][ T358] unix_release+0x82/0xc0
[ 46.869907][ T358] sock_close+0xdf/0x270
[ 46.873987][ T358] ? sock_mmap+0xa0/0xa0
[ 46.878067][ T358] __fput+0x3fe/0x910
[ 46.881885][ T358] ____fput+0x15/0x20
[ 46.885700][ T358] task_work_run+0x129/0x190
[ 46.890128][ T358] exit_to_user_mode_loop+0xc4/0xe0
[ 46.895163][ T358] exit_to_user_mode_prepare+0x5a/0xa0
[ 46.900467][ T358] syscall_exit_to_user_mode+0x26/0x160
[ 46.905839][ T358] do_syscall_64+0x47/0xb0
[ 46.910091][ T358] ? clear_bhb_loop+0x35/0x90
[ 46.914601][ T358] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 46.920334][ T358] RIP: 0033:0x7f3fa6c9ad9a
[ 46.924586][ T358] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 46.944026][ T358] RSP: 002b:00007ffdfb3e2210 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 46.952269][ T358] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3fa6c9ad9a
[ 46.960080][ T358] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 46.967892][ T358] RBP: 00007f3fa6dcb980 R08: 0000001b31c60000 R09: 0000000000000001
[ 46.975703][ T358] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000b801
[ 46.983514][ T358] R13: 000000000000b4d5 R14: 00007ffdfb3e23d0 R15: 00007f3fa6c52cb0
[ 46.991329][ T358]
[ 46.994190][ T358]
[ 46.996362][ T358] Allocated by task 360:
[ 47.000440][ T358] __kasan_slab_alloc+0xb1/0xe0
[ 47.005129][ T358] slab_post_alloc_hook+0x53/0x2c0
[ 47.010072][ T358] kmem_cache_alloc+0xf5/0x200
[ 47.014673][ T358] skb_clone+0x1d1/0x360
[ 47.018757][ T358] sk_psock_verdict_recv+0x53/0x840
[ 47.023791][ T358] unix_read_sock+0x132/0x370
[ 47.028301][ T358] sk_psock_verdict_data_ready+0x147/0x1a0
[ 47.033940][ T358] unix_dgram_sendmsg+0x15fa/0x2090
[ 47.038973][ T358] ____sys_sendmsg+0x59e/0x8f0
[ 47.043573][ T358] ___sys_sendmsg+0x252/0x2e0
[ 47.048087][ T358] __se_sys_sendmsg+0x19a/0x260
[ 47.052774][ T358] __x64_sys_sendmsg+0x7b/0x90
[ 47.057374][ T358] x64_sys_call+0x16a/0x9a0
[ 47.061713][ T358] do_syscall_64+0x3b/0xb0
[ 47.065967][ T358] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 47.071694][ T358]
[ 47.073865][ T358] Freed by task 309:
[ 47.077599][ T358] kasan_set_track+0x4b/0x70
[ 47.082026][ T358] kasan_set_free_info+0x23/0x40
[ 47.086797][ T358] ____kasan_slab_free+0x126/0x160
[ 47.091750][ T358] __kasan_slab_free+0x11/0x20
[ 47.096344][ T358] slab_free_freelist_hook+0xbd/0x190
[ 47.101552][ T358] kmem_cache_free+0x116/0x2e0
[ 47.106152][ T358] kfree_skbmem+0x104/0x170
[ 47.110492][ T358] kfree_skb+0xc2/0x360
[ 47.114485][ T358] sk_psock_backlog+0xc21/0xd90
[ 47.119170][ T358] process_one_work+0x6bb/0xc10
[ 47.123856][ T358] worker_thread+0xad5/0x12a0
[ 47.128372][ T358] kthread+0x421/0x510
[ 47.132276][ T358] ret_from_fork+0x1f/0x30
[ 47.136530][ T358]
[ 47.138699][ T358] The buggy address belongs to the object at ffff88810cc703c0
[ 47.138699][ T358] which belongs to the cache skbuff_head_cache of size 248
[ 47.153108][ T358] The buggy address is located 236 bytes inside of
[ 47.153108][ T358] 248-byte region [ffff88810cc703c0, ffff88810cc704b8)
[ 47.166213][ T358] The buggy address belongs to the page:
[ 47.171690][ T358] page:ffffea0004331c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cc70
[ 47.181750][ T358] flags: 0x4000000000000200(slab|zone=1)
[ 47.187222][ T358] raw: 4000000000000200 ffffea000432d5c0 0000000a0000000a ffff8881081b3e00
[ 47.195640][ T358] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 47.204055][ T358] page dumped because: kasan: bad access detected
[ 47.210308][ T358] page_owner tracks the page as allocated
[ 47.215856][ T358] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 89, ts 3790902794, free_ts 0
[ 47.230614][ T358] post_alloc_hook+0x1a3/0x1b0
[ 47.235213][ T358] prep_new_page+0x1b/0x110
[ 47.239555][ T358] get_page_from_freelist+0x3550/0x35d0
[ 47.244933][ T358] __alloc_pages+0x27e/0x8f0
[ 47.249361][ T358] new_slab+0x9a/0x4e0
[ 47.253268][ T358] ___slab_alloc+0x39e/0x830
[ 47.257692][ T358] __slab_alloc+0x4a/0x90
[ 47.261861][ T358] kmem_cache_alloc+0x134/0x200
[ 47.266548][ T358] __alloc_skb+0xbe/0x550
[ 47.270720][ T358] alloc_skb_with_frags+0xa6/0x680
[ 47.275661][ T358] sock_alloc_send_pskb+0x915/0xa50
[ 47.280693][ T358] unix_dgram_sendmsg+0x6fd/0x2090
[ 47.285642][ T358] __sys_sendto+0x564/0x720
[ 47.289984][ T358] __x64_sys_sendto+0xe5/0x100
[ 47.294578][ T358] x64_sys_call+0x15c/0x9a0
[ 47.298918][ T358] do_syscall_64+0x3b/0xb0
[ 47.303173][ T358] page_owner free stack trace missing
[ 47.308383][ T358]
[ 47.310561][ T358] Memory state around the buggy address:
[ 47.316023][ T358] ffff88810cc70380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 47.323922][ T358] ffff88810cc70400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.331817][ T358] >ffff88810cc70480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 47.339713][ T358] ^
[ 47.344922][ T358] ffff88810cc70500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.352818][ T358] ffff88810cc70580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 47.360716][ T358] ==================================================================
[ 47.368622][ T358] Disabling lock debugging due to kernel taint
[ 47.374653][ T358] ==================================================================
[ 47.382502][ T358] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 47.390849][ T358]
[ 47.393018][ T358] CPU: 0 PID: 358 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 47.404564][ T358] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 47.414457][ T358] Call Trace:
[ 47.417581][ T358]
[ 47.420358][ T358] dump_stack_lvl+0x151/0x1c0
[ 47.424870][ T358] ? io_uring_drop_tctx_refs+0x190/0x190
[ 47.430341][ T358] ? __wake_up_klogd+0xd5/0x110
[ 47.435030][ T358] ? panic+0x760/0x760
[ 47.438932][ T358] ? kmem_cache_free+0x116/0x2e0
[ 47.443708][ T358] print_address_description+0x87/0x3b0
[ 47.449086][ T358] ? asm_sysvec_call_function_single+0x1b/0x20
[ 47.455073][ T358] ? kmem_cache_free+0x116/0x2e0
[ 47.459850][ T358] ? kmem_cache_free+0x116/0x2e0
[ 47.464621][ T358] kasan_report_invalid_free+0x6b/0xa0
[ 47.469923][ T358] ____kasan_slab_free+0x13e/0x160
[ 47.474865][ T358] __kasan_slab_free+0x11/0x20
[ 47.479462][ T358] slab_free_freelist_hook+0xbd/0x190
[ 47.484670][ T358] ? kfree_skbmem+0x104/0x170
[ 47.489183][ T358] kmem_cache_free+0x116/0x2e0
[ 47.493786][ T358] kfree_skbmem+0x104/0x170
[ 47.498123][ T358] consume_skb+0xb4/0x250
[ 47.502294][ T358] __sk_msg_free+0x2dd/0x370
[ 47.506715][ T358] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 47.512358][ T358] sk_psock_stop+0x44c/0x4d0
[ 47.516785][ T358] ? unix_peer_get+0xe0/0xe0
[ 47.521210][ T358] sock_map_close+0x2b9/0x4c0
[ 47.525727][ T358] ? sock_map_remove_links+0x650/0x650
[ 47.531018][ T358] ? rwsem_mark_wake+0x770/0x770
[ 47.535792][ T358] unix_release+0x82/0xc0
[ 47.539962][ T358] sock_close+0xdf/0x270
[ 47.544039][ T358] ? sock_mmap+0xa0/0xa0
[ 47.548116][ T358] __fput+0x3fe/0x910
[ 47.551956][ T358] ____fput+0x15/0x20
[ 47.555756][ T358] task_work_run+0x129/0x190
[ 47.560181][ T358] exit_to_user_mode_loop+0xc4/0xe0
[ 47.565220][ T358] exit_to_user_mode_prepare+0x5a/0xa0
[ 47.570508][ T358] syscall_exit_to_user_mode+0x26/0x160
[ 47.575890][ T358] do_syscall_64+0x47/0xb0
[ 47.580143][ T358] ? clear_bhb_loop+0x35/0x90
[ 47.584654][ T358] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 47.590385][ T358] RIP: 0033:0x7f3fa6c9ad9a
[ 47.594641][ T358] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 47.614080][ T358] RSP: 002b:00007ffdfb3e2210 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 47.622334][ T358] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3fa6c9ad9a
[ 47.630224][ T358] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 47.638032][ T358] RBP: 00007f3fa6dcb980 R08: 0000001b31c60000 R09: 0000000000000001
[ 47.645844][ T358] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000b801
[ 47.653657][ T358] R13: 000000000000b4d5 R14: 00007ffdfb3e23d0 R15: 00007f3fa6c52cb0
[ 47.661573][ T358]
[ 47.664435][ T358]
[ 47.666604][ T358] Allocated by task 360:
[ 47.670684][ T358] __kasan_slab_alloc+0xb1/0xe0
[ 47.675368][ T358] slab_post_alloc_hook+0x53/0x2c0
[ 47.680323][ T358] kmem_cache_alloc+0xf5/0x200
[ 47.684919][ T358] skb_clone+0x1d1/0x360
[ 47.689001][ T358] sk_psock_verdict_recv+0x53/0x840
[ 47.694029][ T358] unix_read_sock+0x132/0x370
[ 47.698543][ T358] sk_psock_verdict_data_ready+0x147/0x1a0
[ 47.704196][ T358] unix_dgram_sendmsg+0x15fa/0x2090
[ 47.709221][ T358] ____sys_sendmsg+0x59e/0x8f0
[ 47.713817][ T358] ___sys_sendmsg+0x252/0x2e0
[ 47.718335][ T358] __se_sys_sendmsg+0x19a/0x260
[ 47.723019][ T358] __x64_sys_sendmsg+0x7b/0x90
[ 47.727621][ T358] x64_sys_call+0x16a/0x9a0
[ 47.731967][ T358] do_syscall_64+0x3b/0xb0
[ 47.736297][ T358] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 47.742025][ T358]
[ 47.744198][ T358] Freed by task 309:
[ 47.747929][ T358] kasan_set_track+0x4b/0x70
[ 47.752364][ T358] kasan_set_free_info+0x23/0x40
[ 47.757128][ T358] ____kasan_slab_free+0x126/0x160
[ 47.762076][ T358] __kasan_slab_free+0x11/0x20
[ 47.766682][ T358] slab_free_freelist_hook+0xbd/0x190
[ 47.771896][ T358] kmem_cache_free+0x116/0x2e0
[ 47.776484][ T358] kfree_skbmem+0x104/0x170
[ 47.780821][ T358] kfree_skb+0xc2/0x360
[ 47.784814][ T358] sk_psock_backlog+0xc21/0xd90
[ 47.789502][ T358] process_one_work+0x6bb/0xc10
[ 47.794191][ T358] worker_thread+0xad5/0x12a0
[ 47.798702][ T358] kthread+0x421/0x510
[ 47.802607][ T358] ret_from_fork+0x1f/0x30
[ 47.806859][ T358]
[ 47.809029][ T358] The buggy address belongs to the object at ffff88810cc703c0
[ 47.809029][ T358] which belongs to the cache skbuff_head_cache of size 248
[ 47.823440][ T358] The buggy address is located 0 bytes inside of
[ 47.823440][ T358] 248-byte region [ffff88810cc703c0, ffff88810cc704b8)
[ 47.836368][ T358] The buggy address belongs to the page:
[ 47.841840][ T358] page:ffffea0004331c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cc70
[ 47.851917][ T358] flags: 0x4000000000000200(slab|zone=1)
[ 47.857394][ T358] raw: 4000000000000200 ffffea000432d5c0 0000000a0000000a ffff8881081b3e00
[ 47.865809][ T358] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 47.874216][ T358] page dumped because: kasan: bad access detected
[ 47.880464][ T358] page_owner tracks the page as allocated
[ 47.886014][ T358] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 89, ts 3790902794, free_ts 0
[ 47.900769][ T358] post_alloc_hook+0x1a3/0x1b0
[ 47.905371][ T358] prep_new_page+0x1b/0x110
[ 47.909710][ T358] get_page_from_freelist+0x3550/0x35d0
[ 47.915090][ T358] __alloc_pages+0x27e/0x8f0
[ 47.919519][ T358] new_slab+0x9a/0x4e0
[ 47.923424][ T358] ___slab_alloc+0x39e/0x830
[ 47.927851][ T358] __slab_alloc+0x4a/0x90
[ 47.932013][ T358] kmem_cache_alloc+0x134/0x200
[ 47.936701][ T358] __alloc_skb+0xbe/0x550
[ 47.940869][ T358] alloc_skb_with_frags+0xa6/0x680
[ 47.945815][ T358] sock_alloc_send_pskb+0x915/0xa50
[ 47.950849][ T358] unix_dgram_sendmsg+0x6fd/0x2090
[ 47.955794][ T358] __sys_sendto+0x564/0x720
[ 47.960136][ T358] __x64_sys_sendto+0xe5/0x100
[ 47.964733][ T358] x64_sys_call+0x15c/0x9a0
[ 47.969088][ T358] do_syscall_64+0x3b/0xb0
[ 47.973414][ T358] page_owner free stack trace missing
[ 47.978624][ T358]
[ 47.980791][ T358] Memory state around the buggy address:
[ 47.986266][ T358] ffff88810cc70280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.994162][ T358] ffff88810cc70300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 48.002058][ T358] >ffff88810cc70380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 48.010041][ T358] ^
[ 48.016034][ T358] ffff88810cc70400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.023930][ T358] ffff88810cc70480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 48.031828][ T358] ==================================================================
[ 48.042264][ T30] audit: type=1400 audit(1724442997.106:102): avc: denied { read } for pid=82 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 48.077437][ T364] FAULT_INJECTION: forcing a failure.
[ 48.077437][ T364] name failslab, interval 1, probability 0, space 0, times 0
[ 48.089994][ T364] CPU: 1 PID: 364 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 48.101524][ T364] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 48.111420][ T364] Call Trace:
[ 48.114546][ T364]
[ 48.117320][ T364] dump_stack_lvl+0x151/0x1c0
[ 48.121833][ T364] ? io_uring_drop_tctx_refs+0x190/0x190
[ 48.127304][ T364] dump_stack+0x15/0x20
[ 48.131292][ T364] should_fail+0x3c6/0x510
[ 48.135548][ T364] __should_failslab+0xa4/0xe0
[ 48.140148][ T364] should_failslab+0x9/0x20
[ 48.144484][ T364] slab_pre_alloc_hook+0x37/0xd0
[ 48.149260][ T364] kmem_cache_alloc_trace+0x48/0x210
[ 48.154380][ T364] ? sk_psock_skb_ingress_self+0x60/0x330
[ 48.159942][ T364] ? migrate_disable+0x190/0x190
[ 48.164707][ T364] sk_psock_skb_ingress_self+0x60/0x330
[ 48.170090][ T364] sk_psock_verdict_recv+0x66d/0x840
[ 48.175211][ T364] unix_read_sock+0x132/0x370
[ 48.179723][ T364] ? sk_psock_skb_redirect+0x440/0x440
[ 48.185018][ T364] ? unix_stream_splice_actor+0x120/0x120
[ 48.190574][ T364] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 48.195869][ T364] ? unix_stream_splice_actor+0x120/0x120
[ 48.201421][ T364] sk_psock_verdict_data_ready+0x147/0x1a0
[ 48.207063][ T364] ? sk_psock_start_verdict+0xc0/0xc0
[ 48.212270][ T364] ? _raw_spin_lock+0xa4/0x1b0
[ 48.216877][ T364] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 48.222517][ T364] ? skb_queue_tail+0xfb/0x120
[ 48.227121][ T364] unix_dgram_sendmsg+0x15fa/0x2090
[ 48.232154][ T364] ? unix_dgram_poll+0x710/0x710
[ 48.236924][ T364] ? security_socket_sendmsg+0x82/0xb0
[ 48.242212][ T364] ? unix_dgram_poll+0x710/0x710
[ 48.246987][ T364] ____sys_sendmsg+0x59e/0x8f0
[ 48.251589][ T364] ? __sys_sendmsg_sock+0x40/0x40
[ 48.256451][ T364] ? import_iovec+0xe5/0x120
[ 48.260874][ T364] ___sys_sendmsg+0x252/0x2e0
[ 48.265390][ T364] ? __sys_sendmsg+0x260/0x260
[ 48.269996][ T364] ? __fdget+0x1bc/0x240
[ 48.274071][ T364] __se_sys_sendmsg+0x19a/0x260
[ 48.278756][ T364] ? __x64_sys_sendmsg+0x90/0x90
[ 48.283526][ T364] ? ksys_write+0x260/0x2c0
[ 48.287979][ T364] ? debug_smp_processor_id+0x17/0x20
[ 48.293159][ T364] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 48.299063][ T364] __x64_sys_sendmsg+0x7b/0x90
[ 48.303666][ T364] x64_sys_call+0x16a/0x9a0
[ 48.308009][ T364] do_syscall_64+0x3b/0xb0
[ 48.312256][ T364] ? clear_bhb_loop+0x35/0x90
[ 48.316771][ T364] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 48.322498][ T364] RIP: 0033:0x7f3fa6c9bea9
[ 48.326749][ T364] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 48.346190][ T364] RSP: 002b:00007f3fa681d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 48.354438][ T364] RAX: ffffffffffffffda RBX: 00007f3fa6dc9f80 RCX: 00007f3fa6c9bea9
[ 48.362246][ T364] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 48.370062][ T364] RBP: 00007f3fa681d120 R08: 0000000000000000 R09: 0000000000000000
[ 48.377958][ T364] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 48.385770][ T364] R13: 000000000000000b R14: 00007f3fa6dc9f80 R15: 00007ffdfb3e2148
[ 48.393592][ T364]
[ 48.397807][ T363] ==================================================================
[ 48.405687][ T363] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 48.413930][ T363]
[ 48.416103][ T363] CPU: 0 PID: 363 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 48.427644][ T363] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 48.437538][ T363] Call Trace:
[ 48.440663][ T363]
[ 48.443441][ T363] dump_stack_lvl+0x151/0x1c0
[ 48.447955][ T363] ? io_uring_drop_tctx_refs+0x190/0x190
[ 48.453423][ T363] ? __wake_up_klogd+0xd5/0x110
[ 48.458106][ T363] ? panic+0x760/0x760
[ 48.462013][ T363] ? kmem_cache_free+0x116/0x2e0
[ 48.466785][ T363] print_address_description+0x87/0x3b0
[ 48.472170][ T363] ? kmem_cache_free+0x116/0x2e0
[ 48.476940][ T363] ? kmem_cache_free+0x116/0x2e0
[ 48.481713][ T363] kasan_report_invalid_free+0x6b/0xa0
[ 48.487010][ T363] ____kasan_slab_free+0x13e/0x160
[ 48.491956][ T363] __kasan_slab_free+0x11/0x20
[ 48.496562][ T363] slab_free_freelist_hook+0xbd/0x190
[ 48.501770][ T363] ? kfree_skbmem+0x104/0x170
[ 48.506280][ T363] kmem_cache_free+0x116/0x2e0
[ 48.510919][ T363] kfree_skbmem+0x104/0x170
[ 48.515216][ T363] consume_skb+0xb4/0x250
[ 48.519384][ T363] __sk_msg_free+0x2dd/0x370
[ 48.523809][ T363] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 48.529456][ T363] sk_psock_stop+0x44c/0x4d0
[ 48.533877][ T363] ? unix_peer_get+0xe0/0xe0
[ 48.538306][ T363] sock_map_close+0x2b9/0x4c0
[ 48.542821][ T363] ? sock_map_remove_links+0x650/0x650
[ 48.548117][ T363] ? rwsem_mark_wake+0x770/0x770
[ 48.552885][ T363] unix_release+0x82/0xc0
[ 48.557051][ T363] sock_close+0xdf/0x270
[ 48.561134][ T363] ? sock_mmap+0xa0/0xa0
[ 48.565296][ T363] __fput+0x3fe/0x910
[ 48.569121][ T363] ____fput+0x15/0x20
[ 48.572932][ T363] task_work_run+0x129/0x190
[ 48.577359][ T363] exit_to_user_mode_loop+0xc4/0xe0
[ 48.582392][ T363] exit_to_user_mode_prepare+0x5a/0xa0
[ 48.587691][ T363] syscall_exit_to_user_mode+0x26/0x160
[ 48.593072][ T363] do_syscall_64+0x47/0xb0
[ 48.597322][ T363] ? clear_bhb_loop+0x35/0x90
[ 48.601838][ T363] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 48.607563][ T363] RIP: 0033:0x7f3fa6c9ad9a
[ 48.611821][ T363] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 48.631258][ T363] RSP: 002b:00007ffdfb3e2210 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 48.639503][ T363] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3fa6c9ad9a
[ 48.647312][ T363] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 48.655127][ T363] RBP: 00007f3fa6dcb980 R08: 0000001b31c60000 R09: 0000000000000001
[ 48.662937][ T363] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000befa
[ 48.670756][ T363] R13: 000000000000bbbb R14: 00007ffdfb3e23d0 R15: 00007f3fa6c52cb0
[ 48.678563][ T363]
[ 48.681424][ T363]
[ 48.683595][ T363] Allocated by task 364:
[ 48.687681][ T363] __kasan_slab_alloc+0xb1/0xe0
[ 48.692366][ T363] slab_post_alloc_hook+0x53/0x2c0
[ 48.697308][ T363] kmem_cache_alloc+0xf5/0x200
[ 48.701914][ T363] skb_clone+0x1d1/0x360
[ 48.705986][ T363] sk_psock_verdict_recv+0x53/0x840
[ 48.711025][ T363] unix_read_sock+0x132/0x370
[ 48.715534][ T363] sk_psock_verdict_data_ready+0x147/0x1a0
[ 48.721175][ T363] unix_dgram_sendmsg+0x15fa/0x2090
[ 48.726207][ T363] ____sys_sendmsg+0x59e/0x8f0
[ 48.730807][ T363] ___sys_sendmsg+0x252/0x2e0
[ 48.735323][ T363] __se_sys_sendmsg+0x19a/0x260
[ 48.740009][ T363] __x64_sys_sendmsg+0x7b/0x90
[ 48.744608][ T363] x64_sys_call+0x16a/0x9a0
[ 48.748948][ T363] do_syscall_64+0x3b/0xb0
[ 48.753201][ T363] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 48.758929][ T363]
[ 48.761100][ T363] Freed by task 6:
[ 48.764657][ T363] kasan_set_track+0x4b/0x70
[ 48.769088][ T363] kasan_set_free_info+0x23/0x40
[ 48.773859][ T363] ____kasan_slab_free+0x126/0x160
[ 48.778802][ T363] __kasan_slab_free+0x11/0x20
[ 48.783405][ T363] slab_free_freelist_hook+0xbd/0x190
[ 48.788619][ T363] kmem_cache_free+0x116/0x2e0
[ 48.793211][ T363] kfree_skbmem+0x104/0x170
[ 48.797549][ T363] kfree_skb+0xc2/0x360
[ 48.801543][ T363] sk_psock_backlog+0xc21/0xd90
[ 48.806231][ T363] process_one_work+0x6bb/0xc10
[ 48.810916][ T363] worker_thread+0xad5/0x12a0
[ 48.815437][ T363] kthread+0x421/0x510
[ 48.819336][ T363] ret_from_fork+0x1f/0x30
[ 48.823589][ T363]
[ 48.825765][ T363] The buggy address belongs to the object at ffff8881260eddc0
[ 48.825765][ T363] which belongs to the cache skbuff_head_cache of size 248
[ 48.840165][ T363] The buggy address is located 0 bytes inside of
[ 48.840165][ T363] 248-byte region [ffff8881260eddc0, ffff8881260edeb8)
[ 48.853103][ T363] The buggy address belongs to the page:
[ 48.858569][ T363] page:ffffea0004983b40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1260ed
[ 48.868634][ T363] flags: 0x4000000000000200(slab|zone=1)
[ 48.874113][ T363] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3e00
[ 48.882680][ T363] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 48.891405][ T363] page dumped because: kasan: bad access detected
[ 48.897654][ T363] page_owner tracks the page as allocated
[ 48.903206][ T363] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6, ts 48067457889, free_ts 0
[ 48.917899][ T363] post_alloc_hook+0x1a3/0x1b0
[ 48.922475][ T363] prep_new_page+0x1b/0x110
[ 48.926815][ T363] get_page_from_freelist+0x3550/0x35d0
[ 48.932198][ T363] __alloc_pages+0x27e/0x8f0
[ 48.936631][ T363] new_slab+0x9a/0x4e0
[ 48.940529][ T363] ___slab_alloc+0x39e/0x830
[ 48.944955][ T363] __slab_alloc+0x4a/0x90
[ 48.949122][ T363] kmem_cache_alloc+0x134/0x200
[ 48.953835][ T363] __alloc_skb+0xbe/0x550
[ 48.957975][ T363] alloc_skb_with_frags+0xa6/0x680
[ 48.962921][ T363] sock_alloc_send_pskb+0x915/0xa50
[ 48.967957][ T363] sock_alloc_send_skb+0x32/0x40
[ 48.972733][ T363] mld_newpack+0x1b4/0xa20
[ 48.976986][ T363] add_grec+0xdc8/0x13a0
[ 48.981059][ T363] mld_ifc_work+0x72e/0xbb0
[ 48.985400][ T363] process_one_work+0x6bb/0xc10
[ 48.990086][ T363] page_owner free stack trace missing
[ 48.995295][ T363]
[ 48.997462][ T363] Memory state around the buggy address:
[ 49.002936][ T363] ffff8881260edc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.010851][ T363] ffff8881260edd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 49.018730][ T363] >ffff8881260edd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 49.026628][ T363] ^
[ 49.032619][ T363] ffff8881260ede00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.040515][ T363] ffff8881260ede80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 49.048410][ T363] ==================================================================
[ 49.067808][ T366] FAULT_INJECTION: forcing a failure.
[ 49.067808][ T366] name failslab, interval 1, probability 0, space 0, times 0
[ 49.080470][ T366] CPU: 1 PID: 366 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 49.091995][ T366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 49.101898][ T366] Call Trace:
[ 49.105003][ T366]
[ 49.107784][ T366] dump_stack_lvl+0x151/0x1c0
[ 49.112315][ T366] ? io_uring_drop_tctx_refs+0x190/0x190
[ 49.117772][ T366] dump_stack+0x15/0x20
[ 49.121758][ T366] should_fail+0x3c6/0x510
[ 49.126016][ T366] __should_failslab+0xa4/0xe0
[ 49.130609][ T366] should_failslab+0x9/0x20
[ 49.134950][ T366] slab_pre_alloc_hook+0x37/0xd0
[ 49.139720][ T366] kmem_cache_alloc_trace+0x48/0x210
[ 49.144842][ T366] ? sk_psock_skb_ingress_self+0x60/0x330
[ 49.150397][ T366] ? migrate_disable+0x190/0x190
[ 49.155169][ T366] sk_psock_skb_ingress_self+0x60/0x330
[ 49.160552][ T366] sk_psock_verdict_recv+0x66d/0x840
[ 49.165673][ T366] unix_read_sock+0x132/0x370
[ 49.170185][ T366] ? sk_psock_skb_redirect+0x440/0x440
[ 49.175478][ T366] ? unix_stream_splice_actor+0x120/0x120
[ 49.181032][ T366] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 49.186328][ T366] ? unix_stream_splice_actor+0x120/0x120
[ 49.191882][ T366] sk_psock_verdict_data_ready+0x147/0x1a0
[ 49.197527][ T366] ? sk_psock_start_verdict+0xc0/0xc0
[ 49.202728][ T366] ? _raw_spin_lock+0xa4/0x1b0
[ 49.207331][ T366] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 49.212978][ T366] ? skb_queue_tail+0xfb/0x120
[ 49.217578][ T366] unix_dgram_sendmsg+0x15fa/0x2090
[ 49.222622][ T366] ? unix_dgram_poll+0x710/0x710
[ 49.227388][ T366] ? security_socket_sendmsg+0x82/0xb0
[ 49.232675][ T366] ? unix_dgram_poll+0x710/0x710
[ 49.237450][ T366] ____sys_sendmsg+0x59e/0x8f0
[ 49.242050][ T366] ? __sys_sendmsg_sock+0x40/0x40
[ 49.246910][ T366] ? import_iovec+0xe5/0x120
[ 49.251341][ T366] ___sys_sendmsg+0x252/0x2e0
[ 49.255849][ T366] ? __sys_sendmsg+0x260/0x260
[ 49.260456][ T366] ? __fdget+0x1bc/0x240
[ 49.264526][ T366] __se_sys_sendmsg+0x19a/0x260
[ 49.269215][ T366] ? __x64_sys_sendmsg+0x90/0x90
[ 49.273986][ T366] ? ksys_write+0x260/0x2c0
[ 49.278453][ T366] ? debug_smp_processor_id+0x17/0x20
[ 49.283647][ T366] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 49.289549][ T366] __x64_sys_sendmsg+0x7b/0x90
[ 49.294152][ T366] x64_sys_call+0x16a/0x9a0
[ 49.298490][ T366] do_syscall_64+0x3b/0xb0
[ 49.302756][ T366] ? clear_bhb_loop+0x35/0x90
[ 49.307254][ T366] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 49.312983][ T366] RIP: 0033:0x7f3fa6c9bea9
[ 49.317236][ T366] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 49.336688][ T366] RSP: 002b:00007f3fa681d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 49.345064][ T366] RAX: ffffffffffffffda RBX: 00007f3fa6dc9f80 RCX: 00007f3fa6c9bea9
[ 49.352912][ T366] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 49.360807][ T366] RBP: 00007f3fa681d120 R08: 0000000000000000 R09: 0000000000000000
[ 49.368618][ T366] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 49.376429][ T366] R13: 000000000000000b R14: 00007f3fa6dc9f80 R15: 00007ffdfb3e2148
[ 49.384249][ T366]
[ 49.388926][ T365] ==================================================================
[ 49.396805][ T365] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 49.405050][ T365]
[ 49.407223][ T365] CPU: 1 PID: 365 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 49.418766][ T365] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 49.428657][ T365] Call Trace:
[ 49.431782][ T365]
[ 49.434560][ T365] dump_stack_lvl+0x151/0x1c0
[ 49.439069][ T365] ? io_uring_drop_tctx_refs+0x190/0x190
[ 49.444711][ T365] ? __wake_up_klogd+0xd5/0x110
[ 49.449402][ T365] ? panic+0x760/0x760
[ 49.453312][ T365] ? kmem_cache_free+0x116/0x2e0
[ 49.458078][ T365] print_address_description+0x87/0x3b0
[ 49.463459][ T365] ? kmem_cache_free+0x116/0x2e0
[ 49.468232][ T365] ? kmem_cache_free+0x116/0x2e0
[ 49.473005][ T365] kasan_report_invalid_free+0x6b/0xa0
[ 49.478302][ T365] ____kasan_slab_free+0x13e/0x160
[ 49.483252][ T365] __kasan_slab_free+0x11/0x20
[ 49.487936][ T365] slab_free_freelist_hook+0xbd/0x190
[ 49.493149][ T365] ? kfree_skbmem+0x104/0x170
[ 49.497654][ T365] kmem_cache_free+0x116/0x2e0
[ 49.502255][ T365] kfree_skbmem+0x104/0x170
[ 49.506595][ T365] consume_skb+0xb4/0x250
[ 49.510761][ T365] __sk_msg_free+0x2dd/0x370
[ 49.515293][ T365] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 49.520917][ T365] sk_psock_stop+0x44c/0x4d0
[ 49.525351][ T365] ? unix_peer_get+0xe0/0xe0
[ 49.529765][ T365] sock_map_close+0x2b9/0x4c0
[ 49.534281][ T365] ? sock_map_remove_links+0x650/0x650
[ 49.539580][ T365] ? rwsem_mark_wake+0x770/0x770
[ 49.544350][ T365] unix_release+0x82/0xc0
[ 49.548516][ T365] sock_close+0xdf/0x270
[ 49.552593][ T365] ? sock_mmap+0xa0/0xa0
[ 49.556689][ T365] __fput+0x3fe/0x910
[ 49.560507][ T365] ____fput+0x15/0x20
[ 49.564309][ T365] task_work_run+0x129/0x190
[ 49.569196][ T365] exit_to_user_mode_loop+0xc4/0xe0
[ 49.574203][ T365] exit_to_user_mode_prepare+0x5a/0xa0
[ 49.579498][ T365] syscall_exit_to_user_mode+0x26/0x160
[ 49.584882][ T365] do_syscall_64+0x47/0xb0
[ 49.589131][ T365] ? clear_bhb_loop+0x35/0x90
[ 49.593645][ T365] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 49.599374][ T365] RIP: 0033:0x7f3fa6c9ad9a
[ 49.603628][ T365] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 49.623086][ T365] RSP: 002b:00007ffdfb3e2210 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 49.631410][ T365] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3fa6c9ad9a
[ 49.639212][ T365] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 49.647062][ T365] RBP: 00007f3fa6dcb980 R08: 0000001b31c60000 R09: 0000000000000001
[ 49.654841][ T365] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000c2d7
[ 49.662734][ T365] R13: 000000000000bf9a R14: 00007ffdfb3e23d0 R15: 00007f3fa6c52cb0
[ 49.670552][ T365]
[ 49.673409][ T365]
[ 49.675582][ T365] Allocated by task 366:
[ 49.679837][ T365] __kasan_slab_alloc+0xb1/0xe0
[ 49.684516][ T365] slab_post_alloc_hook+0x53/0x2c0
[ 49.689465][ T365] kmem_cache_alloc+0xf5/0x200
[ 49.694064][ T365] skb_clone+0x1d1/0x360
[ 49.698146][ T365] sk_psock_verdict_recv+0x53/0x840
[ 49.703175][ T365] unix_read_sock+0x132/0x370
[ 49.707692][ T365] sk_psock_verdict_data_ready+0x147/0x1a0
[ 49.713331][ T365] unix_dgram_sendmsg+0x15fa/0x2090
[ 49.718452][ T365] ____sys_sendmsg+0x59e/0x8f0
[ 49.723050][ T365] ___sys_sendmsg+0x252/0x2e0
[ 49.727565][ T365] __se_sys_sendmsg+0x19a/0x260
[ 49.732252][ T365] __x64_sys_sendmsg+0x7b/0x90
[ 49.736852][ T365] x64_sys_call+0x16a/0x9a0
[ 49.741192][ T365] do_syscall_64+0x3b/0xb0
[ 49.745444][ T365] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 49.751178][ T365]
[ 49.753343][ T365] Freed by task 39:
[ 49.756992][ T365] kasan_set_track+0x4b/0x70
[ 49.761417][ T365] kasan_set_free_info+0x23/0x40
[ 49.766192][ T365] ____kasan_slab_free+0x126/0x160
[ 49.771136][ T365] __kasan_slab_free+0x11/0x20
[ 49.775736][ T365] slab_free_freelist_hook+0xbd/0x190
[ 49.781033][ T365] kmem_cache_free+0x116/0x2e0
[ 49.785631][ T365] kfree_skbmem+0x104/0x170
[ 49.789973][ T365] kfree_skb+0xc2/0x360
[ 49.793961][ T365] sk_psock_backlog+0xc21/0xd90
[ 49.798652][ T365] process_one_work+0x6bb/0xc10
[ 49.803336][ T365] worker_thread+0xad5/0x12a0
[ 49.807849][ T365] kthread+0x421/0x510
[ 49.811753][ T365] ret_from_fork+0x1f/0x30
[ 49.816005][ T365]
[ 49.818184][ T365] The buggy address belongs to the object at ffff88810cd44280
[ 49.818184][ T365] which belongs to the cache skbuff_head_cache of size 248
[ 49.832674][ T365] The buggy address is located 0 bytes inside of
[ 49.832674][ T365] 248-byte region [ffff88810cd44280, ffff88810cd44378)
[ 49.845706][ T365] The buggy address belongs to the page:
[ 49.851173][ T365] page:ffffea0004335100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cd44
[ 49.861354][ T365] flags: 0x4000000000000200(slab|zone=1)
[ 49.866828][ T365] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3e00
[ 49.875418][ T365] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 49.883832][ T365] page dumped because: kasan: bad access detected
[ 49.890082][ T365] page_owner tracks the page as allocated
[ 49.895723][ T365] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 100, ts 49062987132, free_ts 48398267038
[ 49.911657][ T365] post_alloc_hook+0x1a3/0x1b0
[ 49.916252][ T365] prep_new_page+0x1b/0x110
[ 49.920605][ T365] get_page_from_freelist+0x3550/0x35d0
[ 49.926056][ T365] __alloc_pages+0x27e/0x8f0
[ 49.930570][ T365] new_slab+0x9a/0x4e0
[ 49.934474][ T365] ___slab_alloc+0x39e/0x830
[ 49.938899][ T365] __slab_alloc+0x4a/0x90
[ 49.943161][ T365] kmem_cache_alloc+0x134/0x200
[ 49.947932][ T365] __alloc_skb+0xbe/0x550
[ 49.952096][ T365] alloc_uevent_skb+0x80/0x230
[ 49.956784][ T365] kobject_uevent_net_broadcast+0x311/0x590
[ 49.962508][ T365] kobject_uevent_env+0x525/0x700
[ 49.967458][ T365] kobject_synth_uevent+0x4eb/0xae0
[ 49.972501][ T365] uevent_store+0x25/0x60
[ 49.976751][ T365] dev_attr_store+0x5c/0x80
[ 49.981082][ T365] sysfs_kf_write+0x123/0x140
[ 49.985601][ T365] page last free stack trace:
[ 49.990460][ T365] free_unref_page_prepare+0x7c8/0x7d0
[ 49.995753][ T365] free_unref_page+0xe8/0x750
[ 50.000264][ T365] __free_pages+0x61/0xf0
[ 50.004430][ T365] __free_slab+0xec/0x1d0
[ 50.008595][ T365] discard_slab+0x29/0x40
[ 50.012760][ T365] __slab_free+0x205/0x290
[ 50.017012][ T365] ___cache_free+0x109/0x120
[ 50.021439][ T365] qlink_free+0x4d/0x90
[ 50.025432][ T365] qlist_free_all+0x44/0xb0
[ 50.029773][ T365] kasan_quarantine_reduce+0x15a/0x180
[ 50.035197][ T365] __kasan_slab_alloc+0x2f/0xe0
[ 50.039872][ T365] slab_post_alloc_hook+0x53/0x2c0
[ 50.044862][ T365] kmem_cache_alloc+0xf5/0x200
[ 50.049420][ T365] __alloc_skb+0xbe/0x550
[ 50.053587][ T365] alloc_skb_with_frags+0xa6/0x680
[ 50.058619][ T365] sock_alloc_send_pskb+0x915/0xa50
[ 50.063655][ T365]
[ 50.065934][ T365] Memory state around the buggy address:
[ 50.071413][ T365] ffff88810cd44180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.079303][ T365] ffff88810cd44200: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 50.087204][ T365] >ffff88810cd44280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.095187][ T365] ^
[ 50.099095][ T365] ffff88810cd44300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 50.106992][ T365] ffff88810cd44380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.114888][ T365] ==================================================================
[ 50.135472][ T370] FAULT_INJECTION: forcing a failure.
[ 50.135472][ T370] name failslab, interval 1, probability 0, space 0, times 0
[ 50.147993][ T370] CPU: 1 PID: 370 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 50.159498][ T370] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 50.169392][ T370] Call Trace:
[ 50.172520][ T370]
[ 50.175301][ T370] dump_stack_lvl+0x151/0x1c0
[ 50.179809][ T370] ? io_uring_drop_tctx_refs+0x190/0x190
[ 50.185279][ T370] dump_stack+0x15/0x20
[ 50.189267][ T370] should_fail+0x3c6/0x510
[ 50.193610][ T370] __should_failslab+0xa4/0xe0
[ 50.198255][ T370] should_failslab+0x9/0x20
[ 50.202549][ T370] slab_pre_alloc_hook+0x37/0xd0
[ 50.207432][ T370] kmem_cache_alloc_trace+0x48/0x210
[ 50.212544][ T370] ? sk_psock_skb_ingress_self+0x60/0x330
[ 50.218106][ T370] ? migrate_disable+0x190/0x190
[ 50.222875][ T370] sk_psock_skb_ingress_self+0x60/0x330
[ 50.228258][ T370] sk_psock_verdict_recv+0x66d/0x840
[ 50.233379][ T370] unix_read_sock+0x132/0x370
[ 50.238035][ T370] ? sk_psock_skb_redirect+0x440/0x440
[ 50.243299][ T370] ? unix_stream_splice_actor+0x120/0x120
[ 50.248856][ T370] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 50.254146][ T370] ? unix_stream_splice_actor+0x120/0x120
[ 50.259700][ T370] sk_psock_verdict_data_ready+0x147/0x1a0
[ 50.265348][ T370] ? sk_psock_start_verdict+0xc0/0xc0
[ 50.270551][ T370] ? _raw_spin_lock+0xa4/0x1b0
[ 50.275153][ T370] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 50.280964][ T370] ? skb_queue_tail+0xfb/0x120
[ 50.285566][ T370] unix_dgram_sendmsg+0x15fa/0x2090
[ 50.290602][ T370] ? unix_dgram_poll+0x710/0x710
[ 50.295375][ T370] ? security_socket_sendmsg+0x82/0xb0
[ 50.300669][ T370] ? unix_dgram_poll+0x710/0x710
[ 50.305440][ T370] ____sys_sendmsg+0x59e/0x8f0
[ 50.310042][ T370] ? __sys_sendmsg_sock+0x40/0x40
[ 50.314905][ T370] ? import_iovec+0xe5/0x120
[ 50.319414][ T370] ___sys_sendmsg+0x252/0x2e0
[ 50.323937][ T370] ? __sys_sendmsg+0x260/0x260
[ 50.328643][ T370] ? __fdget+0x1bc/0x240
[ 50.332723][ T370] __se_sys_sendmsg+0x19a/0x260
[ 50.337408][ T370] ? __x64_sys_sendmsg+0x90/0x90
[ 50.342176][ T370] ? ksys_write+0x260/0x2c0
[ 50.346516][ T370] ? debug_smp_processor_id+0x17/0x20
[ 50.351722][ T370] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 50.357626][ T370] __x64_sys_sendmsg+0x7b/0x90
[ 50.362225][ T370] x64_sys_call+0x16a/0x9a0
[ 50.366566][ T370] do_syscall_64+0x3b/0xb0
[ 50.370818][ T370] ? clear_bhb_loop+0x35/0x90
[ 50.375335][ T370] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 50.381057][ T370] RIP: 0033:0x7f3fa6c9bea9
[ 50.385338][ T370] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 50.404841][ T370] RSP: 002b:00007f3fa681d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 50.413086][ T370] RAX: ffffffffffffffda RBX: 00007f3fa6dc9f80 RCX: 00007f3fa6c9bea9
[ 50.420912][ T370] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 50.428797][ T370] RBP: 00007f3fa681d120 R08: 0000000000000000 R09: 0000000000000000
[ 50.436607][ T370] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 50.444420][ T370] R13: 000000000000000b R14: 00007f3fa6dc9f80 R15: 00007ffdfb3e2148
[ 50.452356][ T370]
[ 50.456704][ T369] ==================================================================
[ 50.464684][ T369] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 50.472921][ T369]
[ 50.475094][ T369] CPU: 0 PID: 369 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 50.486633][ T369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 50.496547][ T369] Call Trace:
[ 50.499656][ T369]
[ 50.502432][ T369] dump_stack_lvl+0x151/0x1c0
[ 50.506943][ T369] ? io_uring_drop_tctx_refs+0x190/0x190
[ 50.512410][ T369] ? __wake_up_klogd+0xd5/0x110
[ 50.517098][ T369] ? panic+0x760/0x760
[ 50.521004][ T369] ? kmem_cache_free+0x116/0x2e0
[ 50.525778][ T369] print_address_description+0x87/0x3b0
[ 50.531158][ T369] ? kmem_cache_free+0x116/0x2e0
[ 50.535935][ T369] ? kmem_cache_free+0x116/0x2e0
[ 50.540794][ T369] kasan_report_invalid_free+0x6b/0xa0
[ 50.546176][ T369] ____kasan_slab_free+0x13e/0x160
[ 50.551122][ T369] __kasan_slab_free+0x11/0x20
[ 50.555722][ T369] slab_free_freelist_hook+0xbd/0x190
[ 50.560929][ T369] ? kfree_skbmem+0x104/0x170
[ 50.565446][ T369] kmem_cache_free+0x116/0x2e0
[ 50.570053][ T369] kfree_skbmem+0x104/0x170
[ 50.574389][ T369] consume_skb+0xb4/0x250
[ 50.578548][ T369] __sk_msg_free+0x2dd/0x370
[ 50.582975][ T369] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 50.588621][ T369] sk_psock_stop+0x44c/0x4d0
[ 50.593053][ T369] ? unix_peer_get+0xe0/0xe0
[ 50.597474][ T369] sock_map_close+0x2b9/0x4c0
[ 50.601981][ T369] ? sock_map_remove_links+0x650/0x650
[ 50.607277][ T369] ? rwsem_mark_wake+0x770/0x770
[ 50.612055][ T369] unix_release+0x82/0xc0
[ 50.616216][ T369] sock_close+0xdf/0x270
[ 50.620297][ T369] ? sock_mmap+0xa0/0xa0
[ 50.624376][ T369] __fput+0x3fe/0x910
[ 50.628199][ T369] ____fput+0x15/0x20
[ 50.632015][ T369] task_work_run+0x129/0x190
[ 50.636445][ T369] exit_to_user_mode_loop+0xc4/0xe0
[ 50.641476][ T369] exit_to_user_mode_prepare+0x5a/0xa0
[ 50.646773][ T369] syscall_exit_to_user_mode+0x26/0x160
[ 50.652156][ T369] do_syscall_64+0x47/0xb0
[ 50.656401][ T369] ? clear_bhb_loop+0x35/0x90
[ 50.661003][ T369] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 50.666745][ T369] RIP: 0033:0x7f3fa6c9ad9a
[ 50.670990][ T369] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 50.690424][ T369] RSP: 002b:00007ffdfb3e2210 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 50.698671][ T369] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3fa6c9ad9a
[ 50.706479][ T369] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 50.714291][ T369] RBP: 00007f3fa6dcb980 R08: 0000001b31c60000 R09: 0000000000000001
[ 50.722373][ T369] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000c705
[ 50.730185][ T369] R13: 000000000000c3c5 R14: 00007ffdfb3e23d0 R15: 00007f3fa6c52cb0
[ 50.738175][ T369]
[ 50.741216][ T369]
[ 50.743389][ T369] Allocated by task 370:
[ 50.747559][ T369] __kasan_slab_alloc+0xb1/0xe0
[ 50.752245][ T369] slab_post_alloc_hook+0x53/0x2c0
[ 50.757193][ T369] kmem_cache_alloc+0xf5/0x200
[ 50.761795][ T369] skb_clone+0x1d1/0x360
[ 50.765873][ T369] sk_psock_verdict_recv+0x53/0x840
[ 50.770908][ T369] unix_read_sock+0x132/0x370
[ 50.775420][ T369] sk_psock_verdict_data_ready+0x147/0x1a0
[ 50.781066][ T369] unix_dgram_sendmsg+0x15fa/0x2090
[ 50.786094][ T369] ____sys_sendmsg+0x59e/0x8f0
[ 50.790697][ T369] ___sys_sendmsg+0x252/0x2e0
[ 50.795212][ T369] __se_sys_sendmsg+0x19a/0x260
[ 50.799896][ T369] __x64_sys_sendmsg+0x7b/0x90
[ 50.804494][ T369] x64_sys_call+0x16a/0x9a0
[ 50.808834][ T369] do_syscall_64+0x3b/0xb0
[ 50.813087][ T369] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 50.818820][ T369]
[ 50.820988][ T369] Freed by task 39:
[ 50.824736][ T369] kasan_set_track+0x4b/0x70
[ 50.829154][ T369] kasan_set_free_info+0x23/0x40
[ 50.833917][ T369] ____kasan_slab_free+0x126/0x160
[ 50.838866][ T369] __kasan_slab_free+0x11/0x20
[ 50.843557][ T369] slab_free_freelist_hook+0xbd/0x190
[ 50.848760][ T369] kmem_cache_free+0x116/0x2e0
[ 50.853359][ T369] kfree_skbmem+0x104/0x170
[ 50.857786][ T369] kfree_skb+0xc2/0x360
[ 50.861878][ T369] sk_psock_backlog+0xc21/0xd90
[ 50.866562][ T369] process_one_work+0x6bb/0xc10
[ 50.871239][ T369] worker_thread+0xad5/0x12a0
[ 50.875931][ T369] kthread+0x421/0x510
[ 50.879832][ T369] ret_from_fork+0x1f/0x30
[ 50.884087][ T369]
[ 50.886253][ T369] The buggy address belongs to the object at ffff88810cdd3640
[ 50.886253][ T369] which belongs to the cache skbuff_head_cache of size 248
[ 50.900766][ T369] The buggy address is located 0 bytes inside of
[ 50.900766][ T369] 248-byte region [ffff88810cdd3640, ffff88810cdd3738)
[ 50.913692][ T369] The buggy address belongs to the page:
[ 50.919150][ T369] page:ffffea00043374c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cdd3
[ 50.929304][ T369] flags: 0x4000000000000200(slab|zone=1)
[ 50.934781][ T369] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3e00
[ 50.943198][ T369] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 50.951619][ T369] page dumped because: kasan: bad access detected
[ 50.957946][ T369] page_owner tracks the page as allocated
[ 50.963604][ T369] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 89, ts 50127955453, free_ts 49063864590
[ 50.979210][ T369] post_alloc_hook+0x1a3/0x1b0
[ 50.983814][ T369] prep_new_page+0x1b/0x110
[ 50.988151][ T369] get_page_from_freelist+0x3550/0x35d0
[ 50.993529][ T369] __alloc_pages+0x27e/0x8f0
[ 50.997957][ T369] new_slab+0x9a/0x4e0
[ 51.001860][ T369] ___slab_alloc+0x39e/0x830
[ 51.006289][ T369] __slab_alloc+0x4a/0x90
[ 51.010568][ T369] kmem_cache_alloc+0x134/0x200
[ 51.015255][ T369] __alloc_skb+0xbe/0x550
[ 51.019422][ T369] alloc_skb_with_frags+0xa6/0x680
[ 51.024368][ T369] sock_alloc_send_pskb+0x915/0xa50
[ 51.029402][ T369] unix_dgram_sendmsg+0x6fd/0x2090
[ 51.034349][ T369] __sys_sendto+0x564/0x720
[ 51.038688][ T369] __x64_sys_sendto+0xe5/0x100
[ 51.043288][ T369] x64_sys_call+0x15c/0x9a0
[ 51.047627][ T369] do_syscall_64+0x3b/0xb0
[ 51.051882][ T369] page last free stack trace:
[ 51.056403][ T369] free_unref_page_prepare+0x7c8/0x7d0
[ 51.061689][ T369] free_unref_page+0xe8/0x750
[ 51.066201][ T369] __free_pages+0x61/0xf0
[ 51.070368][ T369] __free_slab+0xec/0x1d0
[ 51.074538][ T369] __unfreeze_partials+0x165/0x1a0
[ 51.079481][ T369] put_cpu_partial+0xc4/0x120
[ 51.083993][ T369] __slab_free+0x1c8/0x290
[ 51.088246][ T369] ___cache_free+0x109/0x120
[ 51.092686][ T369] qlink_free+0x4d/0x90
[ 51.096664][ T369] qlist_free_all+0x44/0xb0
[ 51.101003][ T369] kasan_quarantine_reduce+0x15a/0x180
[ 51.106298][ T369] __kasan_slab_alloc+0x2f/0xe0
[ 51.110985][ T369] slab_post_alloc_hook+0x53/0x2c0
[ 51.115933][ T369] kmem_cache_alloc+0xf5/0x200
[ 51.120533][ T369] getname_flags+0xba/0x520
[ 51.124873][ T369] user_path_at_empty+0x2d/0x1a0
[ 51.129651][ T369]
[ 51.131815][ T369] Memory state around the buggy address:
2024/08/23 19:56:40 executed programs: 4
[ 51.137292][ T369] ffff88810cdd3500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.145186][ T369] ffff88810cdd3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 51.153082][ T369] >ffff88810cdd3600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 51.161006][ T369] ^
[ 51.166968][ T369] ffff88810cdd3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.174868][ T369] ffff88810cdd3700: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 51.182763][ T369] ==================================================================
[ 51.204183][ T373] FAULT_INJECTION: forcing a failure.
[ 51.204183][ T373] name failslab, interval 1, probability 0, space 0, times 0
[ 51.216622][ T373] CPU: 1 PID: 373 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 51.228129][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 51.238031][ T373] Call Trace:
[ 51.241147][ T373]
[ 51.243924][ T373] dump_stack_lvl+0x151/0x1c0
[ 51.248439][ T373] ? io_uring_drop_tctx_refs+0x190/0x190
[ 51.253908][ T373] dump_stack+0x15/0x20
[ 51.257899][ T373] should_fail+0x3c6/0x510
[ 51.262151][ T373] __should_failslab+0xa4/0xe0
[ 51.266751][ T373] should_failslab+0x9/0x20
[ 51.271090][ T373] slab_pre_alloc_hook+0x37/0xd0
[ 51.275867][ T373] kmem_cache_alloc_trace+0x48/0x210
[ 51.280984][ T373] ? sk_psock_skb_ingress_self+0x60/0x330
[ 51.286541][ T373] ? migrate_disable+0x190/0x190
[ 51.291312][ T373] sk_psock_skb_ingress_self+0x60/0x330
[ 51.296698][ T373] sk_psock_verdict_recv+0x66d/0x840
[ 51.301821][ T373] unix_read_sock+0x132/0x370
[ 51.306330][ T373] ? sk_psock_skb_redirect+0x440/0x440
[ 51.311622][ T373] ? unix_stream_splice_actor+0x120/0x120
[ 51.317177][ T373] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 51.322473][ T373] ? unix_stream_splice_actor+0x120/0x120
[ 51.328026][ T373] sk_psock_verdict_data_ready+0x147/0x1a0
[ 51.333667][ T373] ? sk_psock_start_verdict+0xc0/0xc0
[ 51.338876][ T373] ? _raw_spin_lock+0xa4/0x1b0
[ 51.343477][ T373] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 51.349118][ T373] ? skb_queue_tail+0xfb/0x120
[ 51.353721][ T373] unix_dgram_sendmsg+0x15fa/0x2090
[ 51.358756][ T373] ? unix_dgram_poll+0x710/0x710
[ 51.363529][ T373] ? security_socket_sendmsg+0x82/0xb0
[ 51.368827][ T373] ? unix_dgram_poll+0x710/0x710
[ 51.373594][ T373] ____sys_sendmsg+0x59e/0x8f0
[ 51.378195][ T373] ? __sys_sendmsg_sock+0x40/0x40
[ 51.383053][ T373] ? import_iovec+0xe5/0x120
[ 51.387483][ T373] ___sys_sendmsg+0x252/0x2e0
[ 51.391993][ T373] ? __sys_sendmsg+0x260/0x260
[ 51.396598][ T373] ? __fdget+0x1bc/0x240
[ 51.400671][ T373] __se_sys_sendmsg+0x19a/0x260
[ 51.405360][ T373] ? __x64_sys_sendmsg+0x90/0x90
[ 51.410131][ T373] ? ksys_write+0x260/0x2c0
[ 51.414474][ T373] ? debug_smp_processor_id+0x17/0x20
[ 51.419704][ T373] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 51.425757][ T373] __x64_sys_sendmsg+0x7b/0x90
[ 51.430370][ T373] x64_sys_call+0x16a/0x9a0
[ 51.434700][ T373] do_syscall_64+0x3b/0xb0
[ 51.439036][ T373] ? clear_bhb_loop+0x35/0x90
[ 51.443545][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 51.449275][ T373] RIP: 0033:0x7f3fa6c9bea9
[ 51.453531][ T373] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 51.472972][ T373] RSP: 002b:00007f3fa681d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 51.481220][ T373] RAX: ffffffffffffffda RBX: 00007f3fa6dc9f80 RCX: 00007f3fa6c9bea9
[ 51.489027][ T373] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 51.496838][ T373] RBP: 00007f3fa681d120 R08: 0000000000000000 R09: 0000000000000000
[ 51.504741][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 51.512549][ T373] R13: 000000000000000b R14: 00007f3fa6dc9f80 R15: 00007ffdfb3e2148
[ 51.520453][ T373]
[ 51.524996][ T372] ==================================================================
[ 51.526368][ T30] audit: type=1400 audit(1724443000.586:103): avc: denied { remove_name } for pid=82 comm="syslogd" name="messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 51.532877][ T372] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 51.532906][ T372]
[ 51.532911][ T372] CPU: 1 PID: 372 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 51.555249][ T30] audit: type=1400 audit(1724443000.586:104): avc: denied { rename } for pid=82 comm="syslogd" name="messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 51.563428][ T372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 51.563441][ T372] Call Trace:
[ 51.563446][ T372]
[ 51.563453][ T372] dump_stack_lvl+0x151/0x1c0
[ 51.563478][ T372] ? io_uring_drop_tctx_refs+0x190/0x190
[ 51.563499][ T372] ? __wake_up_klogd+0xd5/0x110
[ 51.563521][ T372] ? panic+0x760/0x760
[ 51.633470][ T372] ? kmem_cache_free+0x116/0x2e0
[ 51.638240][ T372] print_address_description+0x87/0x3b0
[ 51.643623][ T372] ? kmem_cache_free+0x116/0x2e0
[ 51.648394][ T372] ? kmem_cache_free+0x116/0x2e0
[ 51.653169][ T372] kasan_report_invalid_free+0x6b/0xa0
[ 51.658463][ T372] ____kasan_slab_free+0x13e/0x160
[ 51.663412][ T372] __kasan_slab_free+0x11/0x20
[ 51.668014][ T372] slab_free_freelist_hook+0xbd/0x190
[ 51.673220][ T372] ? kfree_skbmem+0x104/0x170
[ 51.677744][ T372] kmem_cache_free+0x116/0x2e0
[ 51.682334][ T372] kfree_skbmem+0x104/0x170
[ 51.686683][ T372] consume_skb+0xb4/0x250
[ 51.690840][ T372] __sk_msg_free+0x2dd/0x370
[ 51.695261][ T372] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 51.700907][ T372] sk_psock_stop+0x44c/0x4d0
[ 51.705334][ T372] ? unix_peer_get+0xe0/0xe0
[ 51.709760][ T372] sock_map_close+0x2b9/0x4c0
[ 51.714361][ T372] ? sock_map_remove_links+0x650/0x650
[ 51.719653][ T372] ? rwsem_mark_wake+0x770/0x770
[ 51.724516][ T372] unix_release+0x82/0xc0
[ 51.728684][ T372] sock_close+0xdf/0x270
[ 51.732760][ T372] ? sock_mmap+0xa0/0xa0
[ 51.736838][ T372] __fput+0x3fe/0x910
[ 51.740661][ T372] ____fput+0x15/0x20
[ 51.744492][ T372] task_work_run+0x129/0x190
[ 51.748990][ T372] exit_to_user_mode_loop+0xc4/0xe0
[ 51.754023][ T372] exit_to_user_mode_prepare+0x5a/0xa0
[ 51.759319][ T372] syscall_exit_to_user_mode+0x26/0x160
[ 51.764730][ T372] do_syscall_64+0x47/0xb0
[ 51.769037][ T372] ? clear_bhb_loop+0x35/0x90
[ 51.773639][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 51.779366][ T372] RIP: 0033:0x7f3fa6c9ad9a
[ 51.783632][ T372] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 51.803180][ T372] RSP: 002b:00007ffdfb3e2210 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 51.811422][ T372] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3fa6c9ad9a
[ 51.819231][ T372] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 51.827043][ T372] RBP: 00007f3fa6dcb980 R08: 0000001b31c60000 R09: 0000000000000001
[ 51.834857][ T372] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000cb31
[ 51.842669][ T372] R13: 000000000000c7f2 R14: 00007ffdfb3e23d0 R15: 00007f3fa6c52cb0
[ 51.850496][ T372]
[ 51.853343][ T372]
[ 51.855513][ T372] Allocated by task 373:
[ 51.859593][ T372] __kasan_slab_alloc+0xb1/0xe0
[ 51.864280][ T372] slab_post_alloc_hook+0x53/0x2c0
[ 51.869227][ T372] kmem_cache_alloc+0xf5/0x200
[ 51.873914][ T372] skb_clone+0x1d1/0x360
[ 51.878000][ T372] sk_psock_verdict_recv+0x53/0x840
[ 51.883037][ T372] unix_read_sock+0x132/0x370
[ 51.887544][ T372] sk_psock_verdict_data_ready+0x147/0x1a0
[ 51.893355][ T372] unix_dgram_sendmsg+0x15fa/0x2090
[ 51.898511][ T372] ____sys_sendmsg+0x59e/0x8f0
[ 51.903114][ T372] ___sys_sendmsg+0x252/0x2e0
[ 51.907624][ T372] __se_sys_sendmsg+0x19a/0x260
[ 51.912322][ T372] __x64_sys_sendmsg+0x7b/0x90
[ 51.917095][ T372] x64_sys_call+0x16a/0x9a0
[ 51.921535][ T372] do_syscall_64+0x3b/0xb0
[ 51.925788][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 51.931516][ T372]
[ 51.933684][ T372] Freed by task 309:
[ 51.937417][ T372] kasan_set_track+0x4b/0x70
[ 51.941844][ T372] kasan_set_free_info+0x23/0x40
[ 51.946619][ T372] ____kasan_slab_free+0x126/0x160
[ 51.951568][ T372] __kasan_slab_free+0x11/0x20
[ 51.956163][ T372] slab_free_freelist_hook+0xbd/0x190
[ 51.961375][ T372] kmem_cache_free+0x116/0x2e0
[ 51.965973][ T372] kfree_skbmem+0x104/0x170
[ 51.970314][ T372] kfree_skb+0xc2/0x360
[ 51.974303][ T372] sk_psock_backlog+0xc21/0xd90
[ 51.978991][ T372] process_one_work+0x6bb/0xc10
[ 51.983677][ T372] worker_thread+0xad5/0x12a0
[ 51.988194][ T372] kthread+0x421/0x510
[ 51.992096][ T372] ret_from_fork+0x1f/0x30
[ 51.996349][ T372]
[ 51.998519][ T372] The buggy address belongs to the object at ffff88810cd4f500
[ 51.998519][ T372] which belongs to the cache skbuff_head_cache of size 248
[ 52.012926][ T372] The buggy address is located 0 bytes inside of
[ 52.012926][ T372] 248-byte region [ffff88810cd4f500, ffff88810cd4f5f8)
[ 52.025861][ T372] The buggy address belongs to the page:
[ 52.031333][ T372] page:ffffea00043353c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cd4f
[ 52.041396][ T372] flags: 0x4000000000000200(slab|zone=1)
[ 52.046869][ T372] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3e00
[ 52.055305][ T372] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 52.063699][ T372] page dumped because: kasan: bad access detected
[ 52.069949][ T372] page_owner tracks the page as allocated
[ 52.075502][ T372] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 89, ts 51193927074, free_ts 48398257033
[ 52.091132][ T372] post_alloc_hook+0x1a3/0x1b0
[ 52.095727][ T372] prep_new_page+0x1b/0x110
[ 52.100064][ T372] get_page_from_freelist+0x3550/0x35d0
[ 52.105446][ T372] __alloc_pages+0x27e/0x8f0
[ 52.109874][ T372] new_slab+0x9a/0x4e0
[ 52.113782][ T372] ___slab_alloc+0x39e/0x830
[ 52.118303][ T372] __slab_alloc+0x4a/0x90
[ 52.122467][ T372] kmem_cache_alloc+0x134/0x200
[ 52.127153][ T372] __alloc_skb+0xbe/0x550
[ 52.131319][ T372] alloc_skb_with_frags+0xa6/0x680
[ 52.136271][ T372] sock_alloc_send_pskb+0x915/0xa50
[ 52.141302][ T372] unix_dgram_sendmsg+0x6fd/0x2090
[ 52.146251][ T372] __sys_sendto+0x564/0x720
[ 52.150661][ T372] __x64_sys_sendto+0xe5/0x100
[ 52.155187][ T372] x64_sys_call+0x15c/0x9a0
[ 52.159528][ T372] do_syscall_64+0x3b/0xb0
[ 52.163784][ T372] page last free stack trace:
[ 52.168298][ T372] free_unref_page_prepare+0x7c8/0x7d0
[ 52.173586][ T372] free_unref_page+0xe8/0x750
[ 52.178099][ T372] __free_pages+0x61/0xf0
[ 52.182266][ T372] __free_slab+0xec/0x1d0
[ 52.186522][ T372] discard_slab+0x29/0x40
[ 52.190686][ T372] __slab_free+0x205/0x290
[ 52.195025][ T372] ___cache_free+0x109/0x120
[ 52.199452][ T372] qlink_free+0x4d/0x90
[ 52.203444][ T372] qlist_free_all+0x44/0xb0
[ 52.207786][ T372] kasan_quarantine_reduce+0x15a/0x180
[ 52.213078][ T372] __kasan_slab_alloc+0x2f/0xe0
[ 52.217767][ T372] slab_post_alloc_hook+0x53/0x2c0
[ 52.222721][ T372] kmem_cache_alloc+0xf5/0x200
[ 52.227312][ T372] __alloc_skb+0xbe/0x550
[ 52.231476][ T372] alloc_skb_with_frags+0xa6/0x680
[ 52.236424][ T372] sock_alloc_send_pskb+0x915/0xa50
[ 52.241461][ T372]
[ 52.243626][ T372] Memory state around the buggy address:
[ 52.249098][ T372] ffff88810cd4f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.256996][ T372] ffff88810cd4f480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 52.264895][ T372] >ffff88810cd4f500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.272791][ T372] ^
[ 52.276697][ T372] ffff88810cd4f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 52.284597][ T372] ffff88810cd4f600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 52.292502][ T372] ==================================================================
[ 52.313743][ T376] FAULT_INJECTION: forcing a failure.
[ 52.313743][ T376] name failslab, interval 1, probability 0, space 0, times 0
[ 52.326289][ T376] CPU: 0 PID: 376 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 52.338094][ T376] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 52.347989][ T376] Call Trace:
[ 52.351112][ T376]
[ 52.353896][ T376] dump_stack_lvl+0x151/0x1c0
[ 52.358407][ T376] ? io_uring_drop_tctx_refs+0x190/0x190
[ 52.363877][ T376] dump_stack+0x15/0x20
[ 52.367864][ T376] should_fail+0x3c6/0x510
[ 52.372121][ T376] __should_failslab+0xa4/0xe0
[ 52.376719][ T376] should_failslab+0x9/0x20
[ 52.381060][ T376] slab_pre_alloc_hook+0x37/0xd0
[ 52.385831][ T376] kmem_cache_alloc_trace+0x48/0x210
[ 52.390947][ T376] ? sk_psock_skb_ingress_self+0x60/0x330
[ 52.396505][ T376] ? migrate_disable+0x190/0x190
[ 52.401277][ T376] sk_psock_skb_ingress_self+0x60/0x330
[ 52.406659][ T376] sk_psock_verdict_recv+0x66d/0x840
[ 52.411786][ T376] unix_read_sock+0x132/0x370
[ 52.416292][ T376] ? sk_psock_skb_redirect+0x440/0x440
[ 52.421584][ T376] ? unix_stream_splice_actor+0x120/0x120
[ 52.427140][ T376] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 52.432440][ T376] ? unix_stream_splice_actor+0x120/0x120
[ 52.437991][ T376] sk_psock_verdict_data_ready+0x147/0x1a0
[ 52.443633][ T376] ? sk_psock_start_verdict+0xc0/0xc0
[ 52.448846][ T376] ? _raw_spin_lock+0xa4/0x1b0
[ 52.453439][ T376] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 52.459084][ T376] ? skb_queue_tail+0xfb/0x120
[ 52.463684][ T376] unix_dgram_sendmsg+0x15fa/0x2090
[ 52.468718][ T376] ? unix_dgram_poll+0x710/0x710
[ 52.473490][ T376] ? security_socket_sendmsg+0x82/0xb0
[ 52.478894][ T376] ? unix_dgram_poll+0x710/0x710
[ 52.483676][ T376] ____sys_sendmsg+0x59e/0x8f0
[ 52.488272][ T376] ? __sys_sendmsg_sock+0x40/0x40
[ 52.493128][ T376] ? import_iovec+0xe5/0x120
[ 52.497554][ T376] ___sys_sendmsg+0x252/0x2e0
[ 52.502071][ T376] ? __sys_sendmsg+0x260/0x260
[ 52.506674][ T376] ? __fdget+0x1bc/0x240
[ 52.510748][ T376] __se_sys_sendmsg+0x19a/0x260
[ 52.515436][ T376] ? __x64_sys_sendmsg+0x90/0x90
[ 52.520220][ T376] ? ksys_write+0x260/0x2c0
[ 52.524549][ T376] ? debug_smp_processor_id+0x17/0x20
[ 52.529762][ T376] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 52.535659][ T376] __x64_sys_sendmsg+0x7b/0x90
[ 52.540256][ T376] x64_sys_call+0x16a/0x9a0
[ 52.544595][ T376] do_syscall_64+0x3b/0xb0
[ 52.548847][ T376] ? clear_bhb_loop+0x35/0x90
[ 52.553360][ T376] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 52.559094][ T376] RIP: 0033:0x7f3fa6c9bea9
[ 52.563348][ T376] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 52.582788][ T376] RSP: 002b:00007f3fa681d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 52.591030][ T376] RAX: ffffffffffffffda RBX: 00007f3fa6dc9f80 RCX: 00007f3fa6c9bea9
[ 52.598843][ T376] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 52.606653][ T376] RBP: 00007f3fa681d120 R08: 0000000000000000 R09: 0000000000000000
[ 52.614468][ T376] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 52.622274][ T376] R13: 000000000000000b R14: 00007f3fa6dc9f80 R15: 00007ffdfb3e2148
[ 52.630089][ T376]
[ 52.633977][ T375] ==================================================================
[ 52.641856][ T375] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 52.650121][ T375]
[ 52.652266][ T375] CPU: 0 PID: 375 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 52.663922][ T375] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 52.673816][ T375] Call Trace:
[ 52.676939][ T375]
[ 52.679720][ T375] dump_stack_lvl+0x151/0x1c0
[ 52.684324][ T375] ? io_uring_drop_tctx_refs+0x190/0x190
[ 52.689782][ T375] ? __wake_up_klogd+0xd5/0x110
[ 52.694470][ T375] ? panic+0x760/0x760
[ 52.698488][ T375] ? kmem_cache_free+0x116/0x2e0
[ 52.703257][ T375] print_address_description+0x87/0x3b0
[ 52.708647][ T375] ? kmem_cache_free+0x116/0x2e0
[ 52.713416][ T375] ? kmem_cache_free+0x116/0x2e0
[ 52.718189][ T375] kasan_report_invalid_free+0x6b/0xa0
[ 52.723481][ T375] ____kasan_slab_free+0x13e/0x160
[ 52.728429][ T375] __kasan_slab_free+0x11/0x20
[ 52.733027][ T375] slab_free_freelist_hook+0xbd/0x190
[ 52.738239][ T375] ? kfree_skbmem+0x104/0x170
[ 52.742747][ T375] kmem_cache_free+0x116/0x2e0
[ 52.747356][ T375] kfree_skbmem+0x104/0x170
[ 52.751693][ T375] consume_skb+0xb4/0x250
[ 52.756006][ T375] __sk_msg_free+0x2dd/0x370
[ 52.760420][ T375] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 52.766064][ T375] sk_psock_stop+0x44c/0x4d0
[ 52.770489][ T375] ? unix_peer_get+0xe0/0xe0
[ 52.774916][ T375] sock_map_close+0x2b9/0x4c0
[ 52.779427][ T375] ? sock_map_remove_links+0x650/0x650
[ 52.784722][ T375] ? rwsem_mark_wake+0x770/0x770
[ 52.789495][ T375] unix_release+0x82/0xc0
[ 52.793660][ T375] sock_close+0xdf/0x270
[ 52.797742][ T375] ? sock_mmap+0xa0/0xa0
[ 52.801821][ T375] __fput+0x3fe/0x910
[ 52.805640][ T375] ____fput+0x15/0x20
[ 52.809456][ T375] task_work_run+0x129/0x190
[ 52.813884][ T375] exit_to_user_mode_loop+0xc4/0xe0
[ 52.818920][ T375] exit_to_user_mode_prepare+0x5a/0xa0
[ 52.824210][ T375] syscall_exit_to_user_mode+0x26/0x160
[ 52.829592][ T375] do_syscall_64+0x47/0xb0
[ 52.833845][ T375] ? clear_bhb_loop+0x35/0x90
[ 52.838358][ T375] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 52.844085][ T375] RIP: 0033:0x7f3fa6c9ad9a
[ 52.848343][ T375] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 52.867783][ T375] RSP: 002b:00007ffdfb3e2210 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 52.876027][ T375] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3fa6c9ad9a
[ 52.883838][ T375] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 52.891649][ T375] RBP: 00007f3fa6dcb980 R08: 0000001b31c60000 R09: 0000000000000001
[ 52.899460][ T375] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000cf86
[ 52.907274][ T375] R13: 000000000000cc48 R14: 00007ffdfb3e23d0 R15: 00007f3fa6c52cb0
[ 52.915087][ T375]
[ 52.917948][ T375]
[ 52.920117][ T375] Allocated by task 376:
[ 52.924197][ T375] __kasan_slab_alloc+0xb1/0xe0
[ 52.928890][ T375] slab_post_alloc_hook+0x53/0x2c0
[ 52.933836][ T375] kmem_cache_alloc+0xf5/0x200
[ 52.938429][ T375] skb_clone+0x1d1/0x360
[ 52.942508][ T375] sk_psock_verdict_recv+0x53/0x840
[ 52.947553][ T375] unix_read_sock+0x132/0x370
[ 52.952054][ T375] sk_psock_verdict_data_ready+0x147/0x1a0
[ 52.957702][ T375] unix_dgram_sendmsg+0x15fa/0x2090
[ 52.962730][ T375] ____sys_sendmsg+0x59e/0x8f0
[ 52.967333][ T375] ___sys_sendmsg+0x252/0x2e0
[ 52.971845][ T375] __se_sys_sendmsg+0x19a/0x260
[ 52.976539][ T375] __x64_sys_sendmsg+0x7b/0x90
[ 52.981131][ T375] x64_sys_call+0x16a/0x9a0
[ 52.985472][ T375] do_syscall_64+0x3b/0xb0
[ 52.989728][ T375] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 52.995453][ T375]
[ 52.997624][ T375] Freed by task 20:
[ 53.001265][ T375] kasan_set_track+0x4b/0x70
[ 53.005694][ T375] kasan_set_free_info+0x23/0x40
[ 53.010484][ T375] ____kasan_slab_free+0x126/0x160
[ 53.015415][ T375] __kasan_slab_free+0x11/0x20
[ 53.020020][ T375] slab_free_freelist_hook+0xbd/0x190
[ 53.025221][ T375] kmem_cache_free+0x116/0x2e0
[ 53.029823][ T375] kfree_skbmem+0x104/0x170
[ 53.034162][ T375] kfree_skb+0xc2/0x360
[ 53.038157][ T375] sk_psock_backlog+0xc21/0xd90
[ 53.042858][ T375] process_one_work+0x6bb/0xc10
[ 53.047531][ T375] worker_thread+0xad5/0x12a0
[ 53.052040][ T375] kthread+0x421/0x510
[ 53.055948][ T375] ret_from_fork+0x1f/0x30
[ 53.060200][ T375]
[ 53.062371][ T375] The buggy address belongs to the object at ffff8881260f53c0
[ 53.062371][ T375] which belongs to the cache skbuff_head_cache of size 248
[ 53.076778][ T375] The buggy address is located 0 bytes inside of
[ 53.076778][ T375] 248-byte region [ffff8881260f53c0, ffff8881260f54b8)
[ 53.089710][ T375] The buggy address belongs to the page:
[ 53.095181][ T375] page:ffffea0004983d40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1260f5
[ 53.105245][ T375] flags: 0x4000000000000200(slab|zone=1)
[ 53.110842][ T375] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3e00
[ 53.119258][ T375] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 53.127676][ T375] page dumped because: kasan: bad access detected
[ 53.133915][ T375] page_owner tracks the page as allocated
[ 53.139469][ T375] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 89, ts 52305966262, free_ts 50125922829
[ 53.155092][ T375] post_alloc_hook+0x1a3/0x1b0
[ 53.159692][ T375] prep_new_page+0x1b/0x110
[ 53.164028][ T375] get_page_from_freelist+0x3550/0x35d0
[ 53.169418][ T375] __alloc_pages+0x27e/0x8f0
[ 53.173837][ T375] new_slab+0x9a/0x4e0
[ 53.177746][ T375] ___slab_alloc+0x39e/0x830
[ 53.182172][ T375] __slab_alloc+0x4a/0x90
[ 53.186335][ T375] kmem_cache_alloc+0x134/0x200
[ 53.191022][ T375] __alloc_skb+0xbe/0x550
[ 53.195186][ T375] alloc_skb_with_frags+0xa6/0x680
[ 53.200138][ T375] sock_alloc_send_pskb+0x915/0xa50
[ 53.205171][ T375] unix_dgram_sendmsg+0x6fd/0x2090
[ 53.210116][ T375] __sys_sendto+0x564/0x720
[ 53.214459][ T375] __x64_sys_sendto+0xe5/0x100
[ 53.219057][ T375] x64_sys_call+0x15c/0x9a0
[ 53.223432][ T375] do_syscall_64+0x3b/0xb0
[ 53.227658][ T375] page last free stack trace:
[ 53.232161][ T375] free_unref_page_prepare+0x7c8/0x7d0
[ 53.237462][ T375] free_unref_page_list+0x14b/0xa60
[ 53.242490][ T375] release_pages+0x1310/0x1370
[ 53.247093][ T375] free_pages_and_swap_cache+0x8a/0xa0
[ 53.252383][ T375] tlb_finish_mmu+0x177/0x320
[ 53.256898][ T375] exit_mmap+0x40d/0x940
[ 53.260978][ T375] __mmput+0x95/0x310
[ 53.264795][ T375] mmput+0x5b/0x170
[ 53.268439][ T375] do_exit+0xb9c/0x2ca0
[ 53.272431][ T375] do_group_exit+0x141/0x310
[ 53.276857][ T375] get_signal+0x7a3/0x1630
[ 53.281111][ T375] arch_do_signal_or_restart+0xbd/0x1680
[ 53.286592][ T375] exit_to_user_mode_loop+0xa0/0xe0
[ 53.291614][ T375] exit_to_user_mode_prepare+0x5a/0xa0
[ 53.296909][ T375] syscall_exit_to_user_mode+0x26/0x160
[ 53.302290][ T375] do_syscall_64+0x47/0xb0
[ 53.306986][ T375]
[ 53.309149][ T375] Memory state around the buggy address:
[ 53.314616][ T375] ffff8881260f5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.322517][ T375] ffff8881260f5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 53.330422][ T375] >ffff8881260f5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 53.338312][ T375] ^
[ 53.344302][ T375] ffff8881260f5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.352199][ T375] ffff8881260f5480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 53.360096][ T375] ==================================================================
[ 53.377598][ T379] FAULT_INJECTION: forcing a failure.
[ 53.377598][ T379] name failslab, interval 1, probability 0, space 0, times 0
[ 53.390115][ T379] CPU: 1 PID: 379 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 53.401566][ T379] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 53.411461][ T379] Call Trace:
[ 53.414583][ T379]
[ 53.417362][ T379] dump_stack_lvl+0x151/0x1c0
[ 53.421874][ T379] ? io_uring_drop_tctx_refs+0x190/0x190
[ 53.427348][ T379] dump_stack+0x15/0x20
[ 53.431335][ T379] should_fail+0x3c6/0x510
[ 53.435590][ T379] __should_failslab+0xa4/0xe0
[ 53.440190][ T379] should_failslab+0x9/0x20
[ 53.444528][ T379] slab_pre_alloc_hook+0x37/0xd0
[ 53.449301][ T379] kmem_cache_alloc_trace+0x48/0x210
[ 53.454430][ T379] ? sk_psock_skb_ingress_self+0x60/0x330
[ 53.459977][ T379] ? migrate_disable+0x190/0x190
[ 53.464758][ T379] sk_psock_skb_ingress_self+0x60/0x330
[ 53.470132][ T379] sk_psock_verdict_recv+0x66d/0x840
[ 53.475259][ T379] unix_read_sock+0x132/0x370
[ 53.479772][ T379] ? sk_psock_skb_redirect+0x440/0x440
[ 53.485066][ T379] ? unix_stream_splice_actor+0x120/0x120
[ 53.490614][ T379] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 53.495913][ T379] ? unix_stream_splice_actor+0x120/0x120
[ 53.501463][ T379] sk_psock_verdict_data_ready+0x147/0x1a0
[ 53.507110][ T379] ? sk_psock_start_verdict+0xc0/0xc0
[ 53.512317][ T379] ? _raw_spin_lock+0xa4/0x1b0
[ 53.516912][ T379] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 53.522555][ T379] ? skb_queue_tail+0xfb/0x120
[ 53.527155][ T379] unix_dgram_sendmsg+0x15fa/0x2090
[ 53.532191][ T379] ? unix_dgram_poll+0x710/0x710
[ 53.536964][ T379] ? security_socket_sendmsg+0x82/0xb0
[ 53.542256][ T379] ? unix_dgram_poll+0x710/0x710
[ 53.547029][ T379] ____sys_sendmsg+0x59e/0x8f0
[ 53.551636][ T379] ? __sys_sendmsg_sock+0x40/0x40
[ 53.556490][ T379] ? import_iovec+0xe5/0x120
[ 53.560918][ T379] ___sys_sendmsg+0x252/0x2e0
[ 53.565439][ T379] ? __sys_sendmsg+0x260/0x260
[ 53.570036][ T379] ? __fdget+0x1bc/0x240
[ 53.574109][ T379] __se_sys_sendmsg+0x19a/0x260
[ 53.578796][ T379] ? __x64_sys_sendmsg+0x90/0x90
[ 53.583566][ T379] ? ksys_write+0x260/0x2c0
[ 53.587912][ T379] ? debug_smp_processor_id+0x17/0x20
[ 53.593117][ T379] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 53.599028][ T379] __x64_sys_sendmsg+0x7b/0x90
[ 53.603625][ T379] x64_sys_call+0x16a/0x9a0
[ 53.607956][ T379] do_syscall_64+0x3b/0xb0
[ 53.612238][ T379] ? clear_bhb_loop+0x35/0x90
[ 53.616723][ T379] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 53.622454][ T379] RIP: 0033:0x7f3fa6c9bea9
[ 53.626704][ T379] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 53.646148][ T379] RSP: 002b:00007f3fa681d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 53.654395][ T379] RAX: ffffffffffffffda RBX: 00007f3fa6dc9f80 RCX: 00007f3fa6c9bea9
[ 53.662214][ T379] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 53.670016][ T379] RBP: 00007f3fa681d120 R08: 0000000000000000 R09: 0000000000000000
[ 53.677822][ T379] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 53.685637][ T379] R13: 000000000000000b R14: 00007f3fa6dc9f80 R15: 00007ffdfb3e2148
[ 53.693460][ T379]
[ 53.697111][ T378] ==================================================================
[ 53.704987][ T378] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 53.713235][ T378]
[ 53.715401][ T378] CPU: 1 PID: 378 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 53.726945][ T378] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 53.736838][ T378] Call Trace:
[ 53.739968][ T378]
[ 53.742742][ T378] dump_stack_lvl+0x151/0x1c0
[ 53.747254][ T378] ? io_uring_drop_tctx_refs+0x190/0x190
[ 53.752722][ T378] ? __wake_up_klogd+0xd5/0x110
[ 53.757410][ T378] ? panic+0x760/0x760
[ 53.761312][ T378] ? kmem_cache_free+0x116/0x2e0
[ 53.766085][ T378] print_address_description+0x87/0x3b0
[ 53.771468][ T378] ? kmem_cache_free+0x116/0x2e0
[ 53.776241][ T378] ? kmem_cache_free+0x116/0x2e0
[ 53.781017][ T378] kasan_report_invalid_free+0x6b/0xa0
[ 53.786312][ T378] ____kasan_slab_free+0x13e/0x160
[ 53.791357][ T378] __kasan_slab_free+0x11/0x20
[ 53.795945][ T378] slab_free_freelist_hook+0xbd/0x190
[ 53.801325][ T378] ? kfree_skbmem+0x104/0x170
[ 53.808790][ T378] kmem_cache_free+0x116/0x2e0
[ 53.813388][ T378] kfree_skbmem+0x104/0x170
[ 53.817730][ T378] consume_skb+0xb4/0x250
[ 53.821894][ T378] __sk_msg_free+0x2dd/0x370
[ 53.826326][ T378] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 53.831964][ T378] sk_psock_stop+0x44c/0x4d0
[ 53.836389][ T378] ? unix_peer_get+0xe0/0xe0
[ 53.840819][ T378] sock_map_close+0x2b9/0x4c0
[ 53.845328][ T378] ? sock_map_remove_links+0x650/0x650
[ 53.850723][ T378] ? rwsem_mark_wake+0x770/0x770
[ 53.855500][ T378] unix_release+0x82/0xc0
[ 53.859663][ T378] sock_close+0xdf/0x270
[ 53.863742][ T378] ? sock_mmap+0xa0/0xa0
[ 53.867823][ T378] __fput+0x3fe/0x910
[ 53.871653][ T378] ____fput+0x15/0x20
[ 53.875463][ T378] task_work_run+0x129/0x190
[ 53.879891][ T378] exit_to_user_mode_loop+0xc4/0xe0
[ 53.884927][ T378] exit_to_user_mode_prepare+0x5a/0xa0
[ 53.890377][ T378] syscall_exit_to_user_mode+0x26/0x160
[ 53.895756][ T378] do_syscall_64+0x47/0xb0
[ 53.900011][ T378] ? clear_bhb_loop+0x35/0x90
[ 53.904520][ T378] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 53.910251][ T378] RIP: 0033:0x7f3fa6c9ad9a
[ 53.914506][ T378] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 53.933943][ T378] RSP: 002b:00007ffdfb3e2210 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 53.942187][ T378] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3fa6c9ad9a
[ 53.949999][ T378] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 53.957811][ T378] RBP: 00007f3fa6dcb980 R08: 0000001b31c60000 R09: 0000000000000001
[ 53.965624][ T378] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000d3af
[ 53.973435][ T378] R13: 000000000000d06f R14: 00007ffdfb3e23d0 R15: 00007f3fa6c52cb0
[ 53.981250][ T378]
[ 53.984108][ T378]
[ 53.986281][ T378] Allocated by task 379:
[ 53.990450][ T378] __kasan_slab_alloc+0xb1/0xe0
[ 53.995146][ T378] slab_post_alloc_hook+0x53/0x2c0
[ 54.000084][ T378] kmem_cache_alloc+0xf5/0x200
[ 54.004683][ T378] skb_clone+0x1d1/0x360
[ 54.008763][ T378] sk_psock_verdict_recv+0x53/0x840
[ 54.013798][ T378] unix_read_sock+0x132/0x370
[ 54.018312][ T378] sk_psock_verdict_data_ready+0x147/0x1a0
[ 54.023950][ T378] unix_dgram_sendmsg+0x15fa/0x2090
[ 54.028986][ T378] ____sys_sendmsg+0x59e/0x8f0
[ 54.033588][ T378] ___sys_sendmsg+0x252/0x2e0
[ 54.038099][ T378] __se_sys_sendmsg+0x19a/0x260
[ 54.042786][ T378] __x64_sys_sendmsg+0x7b/0x90
[ 54.047386][ T378] x64_sys_call+0x16a/0x9a0
[ 54.051725][ T378] do_syscall_64+0x3b/0xb0
[ 54.056067][ T378] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 54.061793][ T378]
[ 54.064072][ T378] Freed by task 309:
[ 54.067799][ T378] kasan_set_track+0x4b/0x70
[ 54.072222][ T378] kasan_set_free_info+0x23/0x40
[ 54.076999][ T378] ____kasan_slab_free+0x126/0x160
[ 54.082053][ T378] __kasan_slab_free+0x11/0x20
[ 54.086646][ T378] slab_free_freelist_hook+0xbd/0x190
[ 54.091858][ T378] kmem_cache_free+0x116/0x2e0
[ 54.096459][ T378] kfree_skbmem+0x104/0x170
[ 54.100794][ T378] kfree_skb+0xc2/0x360
[ 54.104788][ T378] sk_psock_backlog+0xc21/0xd90
[ 54.109476][ T378] process_one_work+0x6bb/0xc10
[ 54.114164][ T378] worker_thread+0xad5/0x12a0
[ 54.118671][ T378] kthread+0x421/0x510
[ 54.122578][ T378] ret_from_fork+0x1f/0x30
[ 54.126833][ T378]
[ 54.129001][ T378] The buggy address belongs to the object at ffff88810cd13140
[ 54.129001][ T378] which belongs to the cache skbuff_head_cache of size 248
[ 54.143409][ T378] The buggy address is located 0 bytes inside of
[ 54.143409][ T378] 248-byte region [ffff88810cd13140, ffff88810cd13238)
[ 54.156343][ T378] The buggy address belongs to the page:
[ 54.161811][ T378] page:ffffea00043344c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cd13
[ 54.171878][ T378] flags: 0x4000000000000200(slab|zone=1)
[ 54.177354][ T378] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3e00
[ 54.185859][ T378] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 54.194269][ T378] page dumped because: kasan: bad access detected
[ 54.200521][ T378] page_owner tracks the page as allocated
[ 54.206077][ T378] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 89, ts 53369633411, free_ts 52633647716
[ 54.221698][ T378] post_alloc_hook+0x1a3/0x1b0
[ 54.226302][ T378] prep_new_page+0x1b/0x110
[ 54.230634][ T378] get_page_from_freelist+0x3550/0x35d0
[ 54.236015][ T378] __alloc_pages+0x27e/0x8f0
[ 54.240447][ T378] new_slab+0x9a/0x4e0
[ 54.244369][ T378] ___slab_alloc+0x39e/0x830
[ 54.248778][ T378] __slab_alloc+0x4a/0x90
[ 54.252941][ T378] kmem_cache_alloc+0x134/0x200
[ 54.257726][ T378] __alloc_skb+0xbe/0x550
[ 54.261879][ T378] alloc_skb_with_frags+0xa6/0x680
[ 54.266834][ T378] sock_alloc_send_pskb+0x915/0xa50
[ 54.271860][ T378] unix_dgram_sendmsg+0x6fd/0x2090
[ 54.276808][ T378] __sys_sendto+0x564/0x720
[ 54.281148][ T378] __x64_sys_sendto+0xe5/0x100
[ 54.285746][ T378] x64_sys_call+0x15c/0x9a0
[ 54.290097][ T378] do_syscall_64+0x3b/0xb0
[ 54.294449][ T378] page last free stack trace:
[ 54.298961][ T378] free_unref_page_prepare+0x7c8/0x7d0
[ 54.304253][ T378] free_unref_page+0xe8/0x750
[ 54.308764][ T378] __free_pages+0x61/0xf0
[ 54.312934][ T378] free_pages+0x7c/0x90
[ 54.316926][ T378] kasan_depopulate_vmalloc_pte+0x6a/0x90
[ 54.322478][ T378] __apply_to_page_range+0x8dd/0xbe0
[ 54.327602][ T378] apply_to_existing_page_range+0x38/0x50
[ 54.333154][ T378] kasan_release_vmalloc+0x9a/0xb0
[ 54.338203][ T378] __purge_vmap_area_lazy+0x154a/0x1690
[ 54.343582][ T378] _vm_unmap_aliases+0x339/0x3b0
[ 54.348410][ T378] __vunmap+0x617/0x8f0
[ 54.352351][ T378] vfree+0x7f/0xb0
[ 54.355909][ T378] module_memfree+0x17/0x30
[ 54.360245][ T378] bpf_jit_free_exec+0x15/0x20
[ 54.364846][ T378] bpf_jit_free+0x98/0x240
[ 54.369098][ T378] bpf_prog_free_deferred+0x61e/0x730
[ 54.374307][ T378]
[ 54.376474][ T378] Memory state around the buggy address:
[ 54.381948][ T378] ffff88810cd13000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.389848][ T378] ffff88810cd13080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 54.397827][ T378] >ffff88810cd13100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 54.405728][ T378] ^
[ 54.411721][ T378] ffff88810cd13180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.419618][ T378] ffff88810cd13200: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 54.427512][ T378] ==================================================================
[ 54.449841][ T382] FAULT_INJECTION: forcing a failure.
[ 54.449841][ T382] name failslab, interval 1, probability 0, space 0, times 0
[ 54.462694][ T382] CPU: 0 PID: 382 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 54.474237][ T382] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 54.484133][ T382] Call Trace:
[ 54.487252][ T382]
[ 54.490031][ T382] dump_stack_lvl+0x151/0x1c0
[ 54.494545][ T382] ? io_uring_drop_tctx_refs+0x190/0x190
[ 54.500015][ T382] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 54.505655][ T382] ? __skb_try_recv_datagram+0x495/0x6a0
[ 54.511122][ T382] dump_stack+0x15/0x20
[ 54.515114][ T382] should_fail+0x3c6/0x510
[ 54.519369][ T382] __should_failslab+0xa4/0xe0
[ 54.523965][ T382] ? skb_clone+0x1d1/0x360
[ 54.528218][ T382] should_failslab+0x9/0x20
[ 54.532560][ T382] slab_pre_alloc_hook+0x37/0xd0
[ 54.537333][ T382] ? skb_clone+0x1d1/0x360
[ 54.541586][ T382] kmem_cache_alloc+0x44/0x200
[ 54.546184][ T382] skb_clone+0x1d1/0x360
[ 54.550266][ T382] sk_psock_verdict_recv+0x53/0x840
[ 54.555300][ T382] ? avc_has_perm_noaudit+0x430/0x430
[ 54.560515][ T382] unix_read_sock+0x132/0x370
[ 54.565018][ T382] ? sk_psock_skb_redirect+0x440/0x440
[ 54.570315][ T382] ? unix_stream_splice_actor+0x120/0x120
[ 54.575868][ T382] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 54.581166][ T382] ? unix_stream_splice_actor+0x120/0x120
[ 54.586717][ T382] sk_psock_verdict_data_ready+0x147/0x1a0
[ 54.592360][ T382] ? sk_psock_start_verdict+0xc0/0xc0
[ 54.597570][ T382] ? _raw_spin_lock+0xa4/0x1b0
[ 54.602165][ T382] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 54.607807][ T382] ? skb_queue_tail+0xfb/0x120
[ 54.612414][ T382] unix_dgram_sendmsg+0x15fa/0x2090
[ 54.617450][ T382] ? unix_dgram_poll+0x710/0x710
[ 54.622226][ T382] ? security_socket_sendmsg+0x82/0xb0
[ 54.627508][ T382] ? unix_dgram_poll+0x710/0x710
[ 54.632283][ T382] ____sys_sendmsg+0x59e/0x8f0
[ 54.636886][ T382] ? __sys_sendmsg_sock+0x40/0x40
[ 54.641751][ T382] ? import_iovec+0xe5/0x120
[ 54.646169][ T382] ___sys_sendmsg+0x252/0x2e0
[ 54.650685][ T382] ? __sys_sendmsg+0x260/0x260
[ 54.655315][ T382] ? __fdget+0x1bc/0x240
[ 54.659362][ T382] __se_sys_sendmsg+0x19a/0x260
[ 54.664050][ T382] ? __x64_sys_sendmsg+0x90/0x90
[ 54.668820][ T382] ? ksys_write+0x260/0x2c0
[ 54.673165][ T382] ? debug_smp_processor_id+0x17/0x20
[ 54.678385][ T382] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 54.684275][ T382] __x64_sys_sendmsg+0x7b/0x90
[ 54.688873][ T382] x64_sys_call+0x16a/0x9a0
[ 54.693212][ T382] do_syscall_64+0x3b/0xb0
[ 54.697463][ T382] ? clear_bhb_loop+0x35/0x90
[ 54.701976][ T382] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 54.708054][ T382] RIP: 0033:0x7f3fa6c9bea9
[ 54.712308][ T382] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 54.731747][ T382] RSP: 002b:00007f3fa681d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 54.740078][ T382] RAX: ffffffffffffffda RBX: 00007f3fa6dc9f80 RCX: 00007f3fa6c9bea9
[ 54.747890][ T382] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 54.755702][ T382] RBP: 00007f3fa681d120 R08: 0000000000000000 R09: 0000000000000000
[ 54.763519][ T382] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 54.771325][ T382] R13: 000000000000000b R14: 00007f3fa6dc9f80 R15: 00007ffdfb3e2148
[ 54.779139][ T382]
[ 54.790968][ T384] FAULT_INJECTION: forcing a failure.
[ 54.790968][ T384] name failslab, interval 1, probability 0, space 0, times 0
[ 54.803441][ T384] CPU: 0 PID: 384 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 54.814917][ T384] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 54.824812][ T384] Call Trace:
[ 54.827938][ T384]
[ 54.830717][ T384] dump_stack_lvl+0x151/0x1c0
[ 54.835229][ T384] ? io_uring_drop_tctx_refs+0x190/0x190
[ 54.840695][ T384] dump_stack+0x15/0x20
[ 54.844687][ T384] should_fail+0x3c6/0x510
[ 54.848942][ T384] __should_failslab+0xa4/0xe0
[ 54.853548][ T384] should_failslab+0x9/0x20
[ 54.857888][ T384] slab_pre_alloc_hook+0x37/0xd0
[ 54.862652][ T384] kmem_cache_alloc_trace+0x48/0x210
[ 54.867776][ T384] ? sk_psock_skb_ingress_self+0x60/0x330
[ 54.873333][ T384] ? migrate_disable+0x190/0x190
[ 54.878101][ T384] sk_psock_skb_ingress_self+0x60/0x330
[ 54.883483][ T384] sk_psock_verdict_recv+0x66d/0x840
[ 54.888605][ T384] unix_read_sock+0x132/0x370
[ 54.893125][ T384] ? sk_psock_skb_redirect+0x440/0x440
[ 54.898416][ T384] ? unix_stream_splice_actor+0x120/0x120
[ 54.903966][ T384] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 54.909262][ T384] ? unix_stream_splice_actor+0x120/0x120
[ 54.914816][ T384] sk_psock_verdict_data_ready+0x147/0x1a0
[ 54.920458][ T384] ? sk_psock_start_verdict+0xc0/0xc0
[ 54.925669][ T384] ? _raw_spin_lock+0xa4/0x1b0
[ 54.930263][ T384] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 54.935912][ T384] ? skb_queue_tail+0xfb/0x120
[ 54.940509][ T384] unix_dgram_sendmsg+0x15fa/0x2090
[ 54.945543][ T384] ? unix_dgram_poll+0x710/0x710
[ 54.950317][ T384] ? security_socket_sendmsg+0x82/0xb0
[ 54.955608][ T384] ? unix_dgram_poll+0x710/0x710
[ 54.960383][ T384] ____sys_sendmsg+0x59e/0x8f0
[ 54.964982][ T384] ? __sys_sendmsg_sock+0x40/0x40
[ 54.969844][ T384] ? import_iovec+0xe5/0x120
[ 54.974270][ T384] ___sys_sendmsg+0x252/0x2e0
[ 54.978782][ T384] ? __sys_sendmsg+0x260/0x260
[ 54.983396][ T384] ? __fdget+0x1bc/0x240
[ 54.987460][ T384] __se_sys_sendmsg+0x19a/0x260
[ 54.992154][ T384] ? __x64_sys_sendmsg+0x90/0x90
[ 54.996933][ T384] ? ksys_write+0x260/0x2c0
[ 55.001267][ T384] ? debug_smp_processor_id+0x17/0x20
[ 55.006469][ T384] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 55.012374][ T384] __x64_sys_sendmsg+0x7b/0x90
[ 55.017060][ T384] x64_sys_call+0x16a/0x9a0
[ 55.021401][ T384] do_syscall_64+0x3b/0xb0
[ 55.025653][ T384] ? clear_bhb_loop+0x35/0x90
[ 55.030163][ T384] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 55.035891][ T384] RIP: 0033:0x7f3fa6c9bea9
[ 55.040147][ T384] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 55.059600][ T384] RSP: 002b:00007f3fa681d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 55.067830][ T384] RAX: ffffffffffffffda RBX: 00007f3fa6dc9f80 RCX: 00007f3fa6c9bea9
[ 55.075641][ T384] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 55.083452][ T384] RBP: 00007f3fa681d120 R08: 0000000000000000 R09: 0000000000000000
[ 55.091267][ T384] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 55.099074][ T384] R13: 000000000000000b R14: 00007f3fa6dc9f80 R15: 00007ffdfb3e2148
[ 55.106891][ T384]
[ 55.111381][ T383] ==================================================================
[ 55.119347][ T383] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 55.127588][ T383]
[ 55.129760][ T383] CPU: 0 PID: 383 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 55.141312][ T383] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 55.151197][ T383] Call Trace:
[ 55.154382][ T383]
[ 55.157099][ T383] dump_stack_lvl+0x151/0x1c0
[ 55.161610][ T383] ? io_uring_drop_tctx_refs+0x190/0x190
[ 55.167079][ T383] ? __wake_up_klogd+0xd5/0x110
[ 55.171764][ T383] ? panic+0x760/0x760
[ 55.175675][ T383] ? kmem_cache_free+0x116/0x2e0
[ 55.180447][ T383] print_address_description+0x87/0x3b0
[ 55.185827][ T383] ? kmem_cache_free+0x116/0x2e0
[ 55.190600][ T383] ? kmem_cache_free+0x116/0x2e0
[ 55.195376][ T383] kasan_report_invalid_free+0x6b/0xa0
[ 55.200680][ T383] ____kasan_slab_free+0x13e/0x160
[ 55.205627][ T383] __kasan_slab_free+0x11/0x20
[ 55.210221][ T383] slab_free_freelist_hook+0xbd/0x190
[ 55.215427][ T383] ? kfree_skbmem+0x104/0x170
[ 55.219935][ T383] kmem_cache_free+0x116/0x2e0
[ 55.224536][ T383] kfree_skbmem+0x104/0x170
[ 55.228877][ T383] consume_skb+0xb4/0x250
[ 55.233041][ T383] __sk_msg_free+0x2dd/0x370
[ 55.237474][ T383] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 55.243110][ T383] sk_psock_stop+0x44c/0x4d0
[ 55.247625][ T383] ? unix_peer_get+0xe0/0xe0
[ 55.252050][ T383] sock_map_close+0x2b9/0x4c0
[ 55.256564][ T383] ? sock_map_remove_links+0x650/0x650
[ 55.261863][ T383] ? rwsem_mark_wake+0x770/0x770
[ 55.266718][ T383] unix_release+0x82/0xc0
[ 55.270883][ T383] sock_close+0xdf/0x270
[ 55.274961][ T383] ? sock_mmap+0xa0/0xa0
[ 55.279048][ T383] __fput+0x3fe/0x910
[ 55.282864][ T383] ____fput+0x15/0x20
[ 55.286681][ T383] task_work_run+0x129/0x190
[ 55.291108][ T383] exit_to_user_mode_loop+0xc4/0xe0
[ 55.296138][ T383] exit_to_user_mode_prepare+0x5a/0xa0
[ 55.301439][ T383] syscall_exit_to_user_mode+0x26/0x160
[ 55.306820][ T383] do_syscall_64+0x47/0xb0
[ 55.311067][ T383] ? clear_bhb_loop+0x35/0x90
[ 55.315580][ T383] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 55.321394][ T383] RIP: 0033:0x7f3fa6c9ad9a
[ 55.325650][ T383] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 55.345098][ T383] RSP: 002b:00007ffdfb3e2210 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 55.353336][ T383] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3fa6c9ad9a
[ 55.361147][ T383] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 55.368975][ T383] RBP: 00007f3fa6dcb980 R08: 0000001b31c60000 R09: 0000000000000001
[ 55.376767][ T383] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000d934
[ 55.384579][ T383] R13: 000000000000d5f5 R14: 00007ffdfb3e23d0 R15: 00007f3fa6c52cb0
[ 55.392394][ T383]
[ 55.395261][ T383]
[ 55.397425][ T383] Allocated by task 384:
[ 55.401504][ T383] __kasan_slab_alloc+0xb1/0xe0
[ 55.406194][ T383] slab_post_alloc_hook+0x53/0x2c0
[ 55.411141][ T383] kmem_cache_alloc+0xf5/0x200
[ 55.415740][ T383] skb_clone+0x1d1/0x360
[ 55.419817][ T383] sk_psock_verdict_recv+0x53/0x840
[ 55.424852][ T383] unix_read_sock+0x132/0x370
[ 55.429367][ T383] sk_psock_verdict_data_ready+0x147/0x1a0
[ 55.435006][ T383] unix_dgram_sendmsg+0x15fa/0x2090
[ 55.440040][ T383] ____sys_sendmsg+0x59e/0x8f0
[ 55.444640][ T383] ___sys_sendmsg+0x252/0x2e0
[ 55.449152][ T383] __se_sys_sendmsg+0x19a/0x260
[ 55.453859][ T383] __x64_sys_sendmsg+0x7b/0x90
[ 55.458444][ T383] x64_sys_call+0x16a/0x9a0
[ 55.462779][ T383] do_syscall_64+0x3b/0xb0
[ 55.467035][ T383] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 55.472768][ T383]
[ 55.474945][ T383] Freed by task 20:
[ 55.478576][ T383] kasan_set_track+0x4b/0x70
[ 55.482999][ T383] kasan_set_free_info+0x23/0x40
[ 55.487777][ T383] ____kasan_slab_free+0x126/0x160
[ 55.492725][ T383] __kasan_slab_free+0x11/0x20
[ 55.497346][ T383] slab_free_freelist_hook+0xbd/0x190
[ 55.502533][ T383] kmem_cache_free+0x116/0x2e0
[ 55.507130][ T383] kfree_skbmem+0x104/0x170
[ 55.511479][ T383] kfree_skb+0xc2/0x360
[ 55.515463][ T383] sk_psock_backlog+0xc21/0xd90
[ 55.520155][ T383] process_one_work+0x6bb/0xc10
[ 55.524842][ T383] worker_thread+0xad5/0x12a0
[ 55.529351][ T383] kthread+0x421/0x510
[ 55.533260][ T383] ret_from_fork+0x1f/0x30
[ 55.537507][ T383]
[ 55.539678][ T383] The buggy address belongs to the object at ffff8881262f2780
[ 55.539678][ T383] which belongs to the cache skbuff_head_cache of size 248
[ 55.554091][ T383] The buggy address is located 0 bytes inside of
[ 55.554091][ T383] 248-byte region [ffff8881262f2780, ffff8881262f2878)
[ 55.567017][ T383] The buggy address belongs to the page:
[ 55.572496][ T383] page:ffffea000498bc80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1262f2
[ 55.582552][ T383] flags: 0x4000000000000200(slab|zone=1)
[ 55.588121][ T383] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3e00
[ 55.596532][ T383] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 55.604945][ T383] page dumped because: kasan: bad access detected
[ 55.611195][ T383] page_owner tracks the page as allocated
[ 55.616854][ T383] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 382, ts 54449827583, free_ts 54449299913
[ 55.632566][ T383] post_alloc_hook+0x1a3/0x1b0
[ 55.637169][ T383] prep_new_page+0x1b/0x110
[ 55.641506][ T383] get_page_from_freelist+0x3550/0x35d0
[ 55.646885][ T383] __alloc_pages+0x27e/0x8f0
[ 55.651318][ T383] new_slab+0x9a/0x4e0
[ 55.655305][ T383] ___slab_alloc+0x39e/0x830
[ 55.659919][ T383] __slab_alloc+0x4a/0x90
[ 55.664078][ T383] kmem_cache_alloc+0x134/0x200
[ 55.668759][ T383] __alloc_skb+0xbe/0x550
[ 55.672925][ T383] alloc_skb_with_frags+0xa6/0x680
[ 55.677877][ T383] sock_alloc_send_pskb+0x915/0xa50
[ 55.682908][ T383] unix_dgram_sendmsg+0x6fd/0x2090
[ 55.687850][ T383] ____sys_sendmsg+0x59e/0x8f0
[ 55.692453][ T383] ___sys_sendmsg+0x252/0x2e0
[ 55.696967][ T383] __se_sys_sendmsg+0x19a/0x260
[ 55.701653][ T383] __x64_sys_sendmsg+0x7b/0x90
[ 55.706252][ T383] page last free stack trace:
[ 55.710764][ T383] free_unref_page_prepare+0x7c8/0x7d0
[ 55.716144][ T383] free_unref_page+0xe8/0x750
[ 55.720660][ T383] __free_pages+0x61/0xf0
[ 55.724823][ T383] __vunmap+0x7bc/0x8f0
[ 55.728816][ T383] vfree+0x7f/0xb0
[ 55.732375][ T383] bpf_patch_insn_data+0x7f0/0xde0
[ 55.737326][ T383] bpf_check+0x65bc/0x12b20
[ 55.741665][ T383] bpf_prog_load+0x12ac/0x1b50
[ 55.746261][ T383] __sys_bpf+0x4bc/0x760
[ 55.750361][ T383] __x64_sys_bpf+0x7c/0x90
[ 55.754592][ T383] x64_sys_call+0x87f/0x9a0
[ 55.758938][ T383] do_syscall_64+0x3b/0xb0
[ 55.763195][ T383] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 55.768918][ T383]
[ 55.771090][ T383] Memory state around the buggy address:
[ 55.776555][ T383] ffff8881262f2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.784457][ T383] ffff8881262f2700: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 55.792351][ T383] >ffff8881262f2780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.800246][ T383] ^
[ 55.804160][ T383] ffff8881262f2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 55.812054][ T383] ffff8881262f2880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.819947][ T383] ==================================================================
[ 55.840036][ T387] FAULT_INJECTION: forcing a failure.
[ 55.840036][ T387] name failslab, interval 1, probability 0, space 0, times 0
[ 55.852493][ T387] CPU: 1 PID: 387 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 55.863995][ T387] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 55.873888][ T387] Call Trace:
[ 55.877010][ T387]
[ 55.879793][ T387] dump_stack_lvl+0x151/0x1c0
[ 55.884302][ T387] ? io_uring_drop_tctx_refs+0x190/0x190
[ 55.889770][ T387] dump_stack+0x15/0x20
[ 55.893765][ T387] should_fail+0x3c6/0x510
[ 55.898015][ T387] __should_failslab+0xa4/0xe0
[ 55.902613][ T387] should_failslab+0x9/0x20
[ 55.906955][ T387] slab_pre_alloc_hook+0x37/0xd0
[ 55.911729][ T387] kmem_cache_alloc_trace+0x48/0x210
[ 55.916849][ T387] ? sk_psock_skb_ingress_self+0x60/0x330
[ 55.922409][ T387] ? migrate_disable+0x190/0x190
[ 55.927179][ T387] sk_psock_skb_ingress_self+0x60/0x330
[ 55.932562][ T387] sk_psock_verdict_recv+0x66d/0x840
[ 55.937680][ T387] unix_read_sock+0x132/0x370
[ 55.942197][ T387] ? sk_psock_skb_redirect+0x440/0x440
[ 55.947486][ T387] ? unix_stream_splice_actor+0x120/0x120
[ 55.953039][ T387] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 55.958337][ T387] ? unix_stream_splice_actor+0x120/0x120
[ 55.963892][ T387] sk_psock_verdict_data_ready+0x147/0x1a0
[ 55.969539][ T387] ? sk_psock_start_verdict+0xc0/0xc0
[ 55.974739][ T387] ? _raw_spin_lock+0xa4/0x1b0
[ 55.979341][ T387] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 55.984981][ T387] ? skb_queue_tail+0xfb/0x120
[ 55.989588][ T387] unix_dgram_sendmsg+0x15fa/0x2090
[ 55.994630][ T387] ? unix_dgram_poll+0x710/0x710
[ 55.999391][ T387] ? security_socket_sendmsg+0x82/0xb0
[ 56.004681][ T387] ? unix_dgram_poll+0x710/0x710
[ 56.009458][ T387] ____sys_sendmsg+0x59e/0x8f0
[ 56.014070][ T387] ? __sys_sendmsg_sock+0x40/0x40
[ 56.018918][ T387] ? import_iovec+0xe5/0x120
[ 56.023344][ T387] ___sys_sendmsg+0x252/0x2e0
[ 56.027855][ T387] ? __sys_sendmsg+0x260/0x260
[ 56.032906][ T387] ? __fdget+0x1bc/0x240
[ 56.036972][ T387] __se_sys_sendmsg+0x19a/0x260
[ 56.041657][ T387] ? __x64_sys_sendmsg+0x90/0x90
[ 56.046429][ T387] ? ksys_write+0x260/0x2c0
[ 56.050770][ T387] ? debug_smp_processor_id+0x17/0x20
[ 56.055977][ T387] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 56.061879][ T387] __x64_sys_sendmsg+0x7b/0x90
[ 56.066479][ T387] x64_sys_call+0x16a/0x9a0
[ 56.070817][ T387] do_syscall_64+0x3b/0xb0
[ 56.075071][ T387] ? clear_bhb_loop+0x35/0x90
[ 56.079619][ T387] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 56.085311][ T387] RIP: 0033:0x7f3fa6c9bea9
[ 56.089567][ T387] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 56.109007][ T387] RSP: 002b:00007f3fa681d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 56.117253][ T387] RAX: ffffffffffffffda RBX: 00007f3fa6dc9f80 RCX: 00007f3fa6c9bea9
[ 56.125063][ T387] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 56.132873][ T387] RBP: 00007f3fa681d120 R08: 0000000000000000 R09: 0000000000000000
[ 56.140777][ T387] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 56.148583][ T387] R13: 000000000000000b R14: 00007f3fa6dc9f80 R15: 00007ffdfb3e2148
[ 56.156406][ T387]
[ 56.160467][ T386] ==================================================================
[ 56.168340][ T386] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 56.176594][ T386]
[ 56.178754][ T386] CPU: 1 PID: 386 Comm: syz-executor.0 Tainted: G B 5.15.156-syzkaller-1070798-g29d153aabd54 #0
[ 56.190297][ T386] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 56.200277][ T386] Call Trace:
[ 56.203401][ T386]
[ 56.206180][ T386] dump_stack_lvl+0x151/0x1c0
[ 56.210692][ T386] ? io_uring_drop_tctx_refs+0x190/0x190
[ 56.216160][ T386] ? __wake_up_klogd+0xd5/0x110
[ 56.220848][ T386] ? panic+0x760/0x760
[ 56.224757][ T386] ? kmem_cache_free+0x116/0x2e0
[ 56.229528][ T386] print_address_description+0x87/0x3b0
[ 56.234907][ T386] ? kmem_cache_free+0x116/0x2e0
[ 56.239680][ T386] ? kmem_cache_free+0x116/0x2e0
[ 56.244470][ T386] kasan_report_invalid_free+0x6b/0xa0
[ 56.249750][ T386] ____kasan_slab_free+0x13e/0x160
[ 56.254697][ T386] __kasan_slab_free+0x11/0x20
[ 56.259384][ T386] slab_free_freelist_hook+0xbd/0x190
[ 56.264682][ T386] ? kfree_skbmem+0x104/0x170
[ 56.269196][ T386] kmem_cache_free+0x116/0x2e0
[ 56.273793][ T386] kfree_skbmem+0x104/0x170
[ 56.278133][ T386] consume_skb+0xb4/0x250
[ 56.282341][ T386] __sk_msg_free+0x2dd/0x370
[ 56.286730][ T386] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 56.292367][ T386] sk_psock_stop+0x44c/0x4d0
[ 56.296796][ T386] ? unix_peer_get+0xe0/0xe0
[ 56.301253][ T386] sock_map_close+0x2b9/0x4c0
[ 56.305733][ T386] ? sock_map_remove_links+0x650/0x650
[ 56.311035][ T386] ? rwsem_mark_wake+0x770/0x770
[ 56.315805][ T386] unix_release+0x82/0xc0
[ 56.319965][ T386] sock_close+0xdf/0x270
[ 56.324130][ T386] ? sock_mmap+0xa0/0xa0
[ 56.328235][ T386] __fput+0x3fe/0x910
[ 56.332031][ T386] ____fput+0x15/0x20
[ 56.335851][ T386] task_work_run+0x129/0x190
[ 56.340286][ T386] exit_to_user_mode_loop+0xc4/0xe0
[ 56.345324][ T386] exit_to_user_mode_prepare+0x5a/0xa0
[ 56.350697][ T386] syscall_exit_to_user_mode+0x26/0x160
[ 56.356072][ T386] do_syscall_64+0x47/0xb0
[ 56.360332][ T386] ? clear_bhb_loop+0x35/0x90
[ 56.364923][ T386] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 56.370653][ T386] RIP: 0033:0x7f3fa6c9ad9a
[ 56.374909][ T386] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 56.394347][ T386] RSP: 002b:00007ffdfb3e2210 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 56.402676][ T386] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3fa6c9ad9a
[ 56.410489][ T386] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 56.418302][ T386] RBP: 00007f3fa6dcb980 R08: 0000001b31c60000 R09: 0000000000000001
[ 56.426211][ T386] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000dd4d
[ 56.434012][ T386] R13: 000000000000da0e R14: 00007ffdfb3e23d0 R15: 00007f3fa6c52cb0
[ 56.441824][ T386]
[ 56.444687][ T386]
[ 56.446854][ T386] Allocated by task 387:
[ 56.450937][ T386] __kasan_slab_alloc+0xb1/0xe0
[ 56.455620][ T386] slab_post_alloc_hook+0x53/0x2c0
[ 56.460568][ T386] kmem_cache_alloc+0xf5/0x200
[ 56.465174][ T386] skb_clone+0x1d1/0x360
[ 56.469249][ T386] sk_psock_verdict_recv+0x53/0x840
[ 56.474282][ T386] unix_read_sock+0x132/0x370
[ 56.478797][ T386] sk_psock_verdict_data_ready+0x147/0x1a0
[ 56.484435][ T386] unix_dgram_sendmsg+0x15fa/0x2090
[ 56.489475][ T386] ____sys_sendmsg+0x59e/0x8f0
[ 56.494085][ T386] ___sys_sendmsg+0x252/0x2e0
[ 56.498582][ T386] __se_sys_sendmsg+0x19a/0x260
[ 56.503274][ T386] __x64_sys_sendmsg+0x7b/0x90
[ 56.507868][ T386] x64_sys_call+0x16a/0x9a0
[ 56.512210][ T386] do_syscall_64+0x3b/0xb0
[ 56.516462][ T386] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 56.522194][ T386]
[ 56.524362][ T386] Freed by task 307:
[ 56.528095][ T386] kasan_set_track+0x4b/0x70
[ 56.532516][ T386] kasan_set_free_info+0x23/0x40
[ 56.537296][ T386] ____kasan_slab_free+0x126/0x160
[ 56.542273][ T386] __kasan_slab_free+0x11/0x20
[ 56.546927][ T386] slab_free_freelist_hook+0xbd/0x190
[ 56.552132][ T386] kmem_cache_free+0x116/0x2e0
[ 56.556732][ T386] kfree_skbmem+0x104/0x170
[ 56.561072][ T386] kfree_skb+0xc2/0x360
[ 56.565070][ T386] sk_psock_backlog+0xc21/0xd90
[ 56.569756][ T386] process_one_work+0x6bb/0xc10
[ 56.574442][ T386] worker_thread+0xad5/0x12a0
[ 56.578956][ T386] kthread+0x421/0x510
[ 56.582857][ T386] ret_from_fork+0x1f/0x30
[ 56.587120][ T386]
[ 56.589280][ T386] The buggy address belongs to the object at ffff88810cb2c500
[ 56.589280][ T386] which belongs to the cache skbuff_head_cache of size 248
[ 56.603695][ T386] The buggy address is located 0 bytes inside of
[ 56.603695][ T386] 248-byte region [ffff88810cb2c500, ffff88810cb2c5f8)
[ 56.616627][ T386] The buggy address belongs to the page:
[ 56.622093][ T386] page:ffffea000432cb00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cb2c
[ 56.632160][ T386] flags: 0x4000000000000200(slab|zone=1)
[ 56.637631][ T386] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081b3e00
[ 56.646052][ T386] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 56.654461][ T386] page dumped because: kasan: bad access detected
[ 56.660712][ T386] page_owner tracks the page as allocated
[ 56.666267][ T386] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 89, ts 55832985456, free_ts 54445999594
[ 56.681891][ T386] post_alloc_hook+0x1a3/0x1b0
[ 56.686489][ T386] prep_new_page+0x1b/0x110
[ 56.690828][ T386] get_page_from_freelist+0x3550/0x35d0
[ 56.696211][ T386] __alloc_pages+0x27e/0x8f0
[ 56.700634][ T386] new_slab+0x9a/0x4e0
[ 56.704541][ T386] ___slab_alloc+0x39e/0x830
[ 56.708969][ T386] __slab_alloc+0x4a/0x90
[ 56.713132][ T386] kmem_cache_alloc+0x134/0x200
[ 56.717820][ T386] __alloc_skb+0xbe/0x550
[ 56.721988][ T386] alloc_skb_with_frags+0xa6/0x680
[ 56.726940][ T386] sock_alloc_send_pskb+0x915/0xa50
[ 56.731968][ T386] unix_dgram_sendmsg+0x6fd/0x2090
[ 56.736914][ T386] __sys_sendto+0x564/0x720
[ 56.741254][ T386] __x64_sys_sendto+0xe5/0x100
[ 56.745853][ T386] x64_sys_call+0x15c/0x9a0