Warning: Permanently added '10.128.0.245' (ED25519) to the list of known hosts.
2025/03/20 02:40:13 ignoring optional flag "sandboxArg"="0"
2025/03/20 02:40:13 ignoring optional flag "type"="gce"
2025/03/20 02:40:14 parsed 1 programs
[ 48.800025][ T30] kauditd_printk_skb: 19 callbacks suppressed
[ 48.800040][ T30] audit: type=1400 audit(1742438414.153:95): avc: denied { unlink } for pid=350 comm="syz-executor" name="swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
2025/03/20 02:40:14 executed programs: 0
[ 48.832745][ T30] audit: type=1400 audit(1742438414.183:96): avc: denied { read } for pid=83 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 48.833878][ T350] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 48.910557][ T356] bridge0: port 1(bridge_slave_0) entered blocking state
[ 48.917404][ T356] bridge0: port 1(bridge_slave_0) entered disabled state
[ 48.924710][ T356] device bridge_slave_0 entered promiscuous mode
[ 48.931349][ T356] bridge0: port 2(bridge_slave_1) entered blocking state
[ 48.938267][ T356] bridge0: port 2(bridge_slave_1) entered disabled state
[ 48.945769][ T356] device bridge_slave_1 entered promiscuous mode
[ 48.991068][ T356] bridge0: port 2(bridge_slave_1) entered blocking state
[ 48.997931][ T356] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.005133][ T356] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.012000][ T356] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.031134][ T45] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.038288][ T45] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.045482][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 49.053247][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 49.062634][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 49.070774][ T45] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.077603][ T45] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.086464][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 49.094610][ T45] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.101789][ T45] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.113757][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 49.122791][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 49.136422][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 49.147693][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 49.155592][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 49.163062][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 49.171524][ T356] device veth0_vlan entered promiscuous mode
[ 49.181676][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 49.190973][ T356] device veth1_macvtap entered promiscuous mode
[ 49.200357][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 49.210505][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 49.226109][ T30] audit: type=1400 audit(1742438414.573:97): avc: denied { mounton } for pid=356 comm="syz-executor.0" path="/dev/binderfs" dev="devtmpfs" ino=514 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 49.258830][ T30] audit: type=1400 audit(1742438414.603:98): avc: denied { prog_load } for pid=361 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 49.278136][ T30] audit: type=1400 audit(1742438414.603:99): avc: denied { bpf } for pid=361 comm="syz-executor.0" capability=39 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1
[ 49.358640][ T30] audit: type=1400 audit(1742438414.703:100): avc: denied { map_create } for pid=361 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 49.359308][ T365] FAULT_INJECTION: forcing a failure.
[ 49.359308][ T365] name fail_usercopy, interval 1, probability 0, space 0, times 1
[ 49.389229][ T30] audit: type=1400 audit(1742438414.703:101): avc: denied { map_read map_write } for pid=361 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 49.391582][ T365] CPU: 0 PID: 365 Comm: syz-executor.0 Not tainted 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 49.420881][ T365] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 49.430963][ T365] Call Trace:
[ 49.434072][ T365]
[ 49.436849][ T365] dump_stack_lvl+0x151/0x1c0
[ 49.441536][ T365] ? io_uring_drop_tctx_refs+0x190/0x190
[ 49.447003][ T365] ? vsnprintf+0x1dd/0x1c70
[ 49.451365][ T365] dump_stack+0x15/0x20
[ 49.455336][ T365] should_fail+0x3c6/0x510
[ 49.459596][ T365] should_fail_usercopy+0x1a/0x20
[ 49.464532][ T365] _copy_from_user+0x20/0xd0
[ 49.468960][ T365] kstrtouint_from_user+0xca/0x2a0
[ 49.473997][ T365] ? kstrtol_from_user+0x310/0x310
[ 49.478940][ T365] ? snprintf+0xd6/0x120
[ 49.483030][ T365] ? check_stack_object+0x114/0x130
[ 49.488104][ T365] ? __kasan_check_read+0x11/0x20
[ 49.493013][ T365] ? _copy_to_user+0x78/0x90
[ 49.497520][ T365] proc_fail_nth_write+0xa6/0x290
[ 49.502381][ T365] ? selinux_file_permission+0x2c4/0x570
[ 49.507859][ T365] ? proc_fail_nth_read+0x210/0x210
[ 49.512880][ T365] ? fsnotify_perm+0x6a/0x5b0
[ 49.517487][ T365] ? security_file_permission+0x86/0xb0
[ 49.522912][ T365] ? proc_fail_nth_read+0x210/0x210
[ 49.527907][ T365] vfs_write+0x406/0x1110
[ 49.532154][ T365] ? file_end_write+0x1c0/0x1c0
[ 49.536840][ T365] ? __kasan_check_write+0x14/0x20
[ 49.541838][ T365] ? mutex_lock+0xb6/0x1e0
[ 49.546039][ T365] ? wait_for_completion_killable_timeout+0x10/0x10
[ 49.552856][ T365] ? __fdget_pos+0x2e7/0x3a0
[ 49.557233][ T365] ? ksys_write+0x77/0x2c0
[ 49.561586][ T365] ksys_write+0x199/0x2c0
[ 49.565738][ T365] ? __ia32_sys_read+0x90/0x90
[ 49.570428][ T365] ? debug_smp_processor_id+0x17/0x20
[ 49.575636][ T365] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 49.581535][ T365] __x64_sys_write+0x7b/0x90
[ 49.583866][ T30] audit: type=1400 audit(1742438414.913:102): avc: denied { perfmon } for pid=361 comm="syz-executor.0" capability=38 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1
[ 49.586100][ T365] x64_sys_call+0x2f/0x9a0
[ 49.611185][ T365] do_syscall_64+0x3b/0xb0
[ 49.615475][ T365] ? clear_bhb_loop+0x35/0x90
[ 49.619987][ T365] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 49.625806][ T365] RIP: 0033:0x7fc018e24bef
[ 49.630100][ T365] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 b9 80 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 0c 81 02 00 48
[ 49.649491][ T365] RSP: 002b:00007fc0189650c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 49.657735][ T365] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc018e24bef
[ 49.665547][ T365] RDX: 0000000000000001 RSI: 00007fc018965130 RDI: 0000000000000006
[ 49.673360][ T365] RBP: 00007fc018965120 R08: 0000000000000000 R09: 0000000000000000
[ 49.681169][ T365] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 49.688979][ T365] R13: 000000000000006e R14: 00007fc018f54120 R15: 00007ffc3e38d1c8
[ 49.696792][ T365]
[ 49.700656][ T30] audit: type=1400 audit(1742438415.053:103): avc: denied { prog_run } for pid=361 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 49.729753][ T367] FAULT_INJECTION: forcing a failure.
[ 49.729753][ T367] name failslab, interval 1, probability 0, space 0, times 1
[ 49.742947][ T367] CPU: 1 PID: 367 Comm: syz-executor.0 Not tainted 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 49.753194][ T367] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 49.763256][ T367] Call Trace:
[ 49.766386][ T367]
[ 49.769155][ T367] dump_stack_lvl+0x151/0x1c0
[ 49.773667][ T367] ? io_uring_drop_tctx_refs+0x190/0x190
[ 49.779165][ T367] dump_stack+0x15/0x20
[ 49.783138][ T367] should_fail+0x3c6/0x510
[ 49.787383][ T367] __should_failslab+0xa4/0xe0
[ 49.791980][ T367] should_failslab+0x9/0x20
[ 49.796320][ T367] slab_pre_alloc_hook+0x37/0xd0
[ 49.801103][ T367] kmem_cache_alloc_trace+0x48/0x270
[ 49.806304][ T367] ? sk_psock_skb_ingress_self+0x60/0x330
[ 49.811863][ T367] ? migrate_disable+0x190/0x190
[ 49.816639][ T367] sk_psock_skb_ingress_self+0x60/0x330
[ 49.822054][ T367] sk_psock_verdict_recv+0x66d/0x840
[ 49.827136][ T367] unix_read_sock+0x132/0x370
[ 49.831646][ T367] ? sk_psock_skb_redirect+0x440/0x440
[ 49.836940][ T367] ? unix_stream_splice_actor+0x120/0x120
[ 49.842680][ T367] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 49.847971][ T367] ? unix_stream_splice_actor+0x120/0x120
[ 49.853519][ T367] sk_psock_verdict_data_ready+0x147/0x1a0
[ 49.859160][ T367] ? sk_psock_start_verdict+0xc0/0xc0
[ 49.864363][ T367] ? _raw_spin_lock+0xa4/0x1b0
[ 49.868964][ T367] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 49.874606][ T367] ? skb_queue_tail+0xfb/0x120
[ 49.879212][ T367] unix_dgram_sendmsg+0x15fa/0x2090
[ 49.884254][ T367] ? unix_dgram_poll+0x690/0x690
[ 49.889019][ T367] ? _raw_spin_unlock+0x4d/0x70
[ 49.893701][ T367] ? security_socket_sendmsg+0x82/0xb0
[ 49.899029][ T367] ? unix_dgram_poll+0x690/0x690
[ 49.903768][ T367] ____sys_sendmsg+0x59e/0x8f0
[ 49.908371][ T367] ? __sys_sendmsg_sock+0x40/0x40
[ 49.913230][ T367] ? import_iovec+0xe5/0x120
[ 49.917669][ T367] ___sys_sendmsg+0x252/0x2e0
[ 49.922184][ T367] ? __sys_sendmsg+0x260/0x260
[ 49.926773][ T367] ? putname+0xfa/0x150
[ 49.930778][ T367] ? __fdget+0x1bc/0x240
[ 49.934861][ T367] __se_sys_sendmsg+0x19a/0x260
[ 49.939544][ T367] ? __x64_sys_sendmsg+0x90/0x90
[ 49.944389][ T367] ? ksys_write+0x260/0x2c0
[ 49.948744][ T367] ? debug_smp_processor_id+0x17/0x20
[ 49.954057][ T367] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 49.959956][ T367] __x64_sys_sendmsg+0x7b/0x90
[ 49.964578][ T367] x64_sys_call+0x16a/0x9a0
[ 49.969128][ T367] do_syscall_64+0x3b/0xb0
[ 49.973363][ T367] ? clear_bhb_loop+0x35/0x90
[ 49.977883][ T367] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 49.983697][ T367] RIP: 0033:0x7fc018e25ea9
[ 49.987947][ T367] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 50.008116][ T367] RSP: 002b:00007fc0189a70c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 50.016481][ T367] RAX: ffffffffffffffda RBX: 00007fc018f53f80 RCX: 00007fc018e25ea9
[ 50.024284][ T367] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 50.032100][ T367] RBP: 00007fc0189a7120 R08: 0000000000000000 R09: 0000000000000000
[ 50.039996][ T367] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 50.047808][ T367] R13: 000000000000000b R14: 00007fc018f53f80 R15: 00007ffc3e38d1c8
[ 50.055711][ T367]
[ 50.062147][ T366] ==================================================================
[ 50.070051][ T366] BUG: KASAN: use-after-free in consume_skb+0x3c/0x250
[ 50.076709][ T366] Read of size 4 at addr ffff88811fbae86c by task syz-executor.0/366
[ 50.084606][ T366]
[ 50.086777][ T366] CPU: 1 PID: 366 Comm: syz-executor.0 Not tainted 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 50.097058][ T366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 50.107310][ T366] Call Trace:
[ 50.110427][ T366]
[ 50.113205][ T366] dump_stack_lvl+0x151/0x1c0
[ 50.117900][ T366] ? io_uring_drop_tctx_refs+0x190/0x190
[ 50.123363][ T366] ? panic+0x760/0x760
[ 50.127272][ T366] print_address_description+0x87/0x3b0
[ 50.132645][ T366] kasan_report+0x179/0x1c0
[ 50.137010][ T366] ? consume_skb+0x3c/0x250
[ 50.141494][ T366] ? consume_skb+0x3c/0x250
[ 50.145831][ T366] kasan_check_range+0x293/0x2a0
[ 50.150702][ T366] __kasan_check_read+0x11/0x20
[ 50.155359][ T366] consume_skb+0x3c/0x250
[ 50.159529][ T366] __sk_msg_free+0x2dd/0x370
[ 50.164040][ T366] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 50.169713][ T366] sk_psock_stop+0x4e3/0x580
[ 50.174206][ T366] sk_psock_drop+0x219/0x310
[ 50.178622][ T366] sock_map_unref+0x3c6/0x430
[ 50.183135][ T366] ? _raw_spin_unlock_bh+0x51/0x60
[ 50.188194][ T366] sock_map_remove_links+0x41c/0x650
[ 50.193335][ T366] ? __kasan_record_aux_stack+0xd3/0xf0
[ 50.198703][ T366] ? kasan_record_aux_stack+0xe/0x10
[ 50.203842][ T366] ? task_work_add+0x27/0x1d0
[ 50.208339][ T366] ? sock_map_unhash+0x120/0x120
[ 50.213104][ T366] ? x64_sys_call+0x3d/0x9a0
[ 50.217618][ T366] ? locks_remove_posix+0x610/0x610
[ 50.222653][ T366] sock_map_close+0x114/0x530
[ 50.227165][ T366] ? unix_peer_get+0xe0/0xe0
[ 50.231600][ T366] ? sock_map_remove_links+0x650/0x650
[ 50.236971][ T366] ? rwsem_mark_wake+0x770/0x770
[ 50.241748][ T366] unix_release+0x82/0xc0
[ 50.245915][ T366] sock_close+0xdf/0x270
[ 50.249990][ T366] ? sock_mmap+0xa0/0xa0
[ 50.254068][ T366] __fput+0x228/0x8c0
[ 50.257916][ T366] ____fput+0x15/0x20
[ 50.261707][ T366] task_work_run+0x129/0x190
[ 50.266136][ T366] exit_to_user_mode_loop+0xc4/0xe0
[ 50.271170][ T366] exit_to_user_mode_prepare+0x5a/0xa0
[ 50.276462][ T366] syscall_exit_to_user_mode+0x26/0x160
[ 50.281855][ T366] do_syscall_64+0x47/0xb0
[ 50.286193][ T366] ? clear_bhb_loop+0x35/0x90
[ 50.290707][ T366] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 50.296586][ T366] RIP: 0033:0x7fc018e24d9a
[ 50.300814][ T366] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 50.320428][ T366] RSP: 002b:00007ffc3e38d290 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 50.328752][ T366] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fc018e24d9a
[ 50.336564][ T366] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 50.344373][ T366] RBP: 00007fc018f55980 R08: 0000001b31f60000 R09: 0000000000000001
[ 50.352309][ T366] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000c577
[ 50.360200][ T366] R13: 000000000000c238 R14: 00007ffc3e38d450 R15: 00007fc018ddccb0
[ 50.368091][ T366]
[ 50.370953][ T366]
[ 50.373126][ T366] Allocated by task 367:
[ 50.377201][ T366] __kasan_slab_alloc+0xb1/0xe0
[ 50.381890][ T366] slab_post_alloc_hook+0x53/0x2c0
[ 50.386929][ T366] kmem_cache_alloc+0xf5/0x250
[ 50.391530][ T366] skb_clone+0x1d1/0x360
[ 50.395690][ T366] sk_psock_verdict_recv+0x53/0x840
[ 50.400734][ T366] unix_read_sock+0x132/0x370
[ 50.405238][ T366] sk_psock_verdict_data_ready+0x147/0x1a0
[ 50.410967][ T366] unix_dgram_sendmsg+0x15fa/0x2090
[ 50.415998][ T366] ____sys_sendmsg+0x59e/0x8f0
[ 50.420599][ T366] ___sys_sendmsg+0x252/0x2e0
[ 50.425224][ T366] __se_sys_sendmsg+0x19a/0x260
[ 50.429887][ T366] __x64_sys_sendmsg+0x7b/0x90
[ 50.434485][ T366] x64_sys_call+0x16a/0x9a0
[ 50.438913][ T366] do_syscall_64+0x3b/0xb0
[ 50.443175][ T366] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 50.448897][ T366]
[ 50.451065][ T366] Freed by task 311:
[ 50.454881][ T366] kasan_set_track+0x4b/0x70
[ 50.459396][ T366] kasan_set_free_info+0x23/0x40
[ 50.464256][ T366] ____kasan_slab_free+0x126/0x160
[ 50.469201][ T366] __kasan_slab_free+0x11/0x20
[ 50.473802][ T366] slab_free_freelist_hook+0xbd/0x190
[ 50.479025][ T366] kmem_cache_free+0x115/0x330
[ 50.483612][ T366] kfree_skbmem+0x104/0x170
[ 50.487950][ T366] kfree_skb+0xc2/0x360
[ 50.492071][ T366] sk_psock_backlog+0xad1/0xdc0
[ 50.496754][ T366] process_one_work+0x6bb/0xc10
[ 50.501615][ T366] worker_thread+0xad5/0x12a0
[ 50.506216][ T366] kthread+0x421/0x510
[ 50.510216][ T366] ret_from_fork+0x1f/0x30
[ 50.514570][ T366]
[ 50.516740][ T366] The buggy address belongs to the object at ffff88811fbae780
[ 50.516740][ T366] which belongs to the cache skbuff_head_cache of size 248
[ 50.531150][ T366] The buggy address is located 236 bytes inside of
[ 50.531150][ T366] 248-byte region [ffff88811fbae780, ffff88811fbae878)
[ 50.544265][ T366] The buggy address belongs to the page:
[ 50.549734][ T366] page:ffffea00047eeb80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fbae
[ 50.559881][ T366] flags: 0x4000000000000200(slab|zone=1)
[ 50.565353][ T366] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081ab080
[ 50.573858][ T366] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 50.582271][ T366] page dumped because: kasan: bad access detected
[ 50.588533][ T366] page_owner tracks the page as allocated
[ 50.594074][ T366] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 90, ts 49703833839, free_ts 42441259919
[ 50.609712][ T366] post_alloc_hook+0x1a3/0x1b0
[ 50.614303][ T366] prep_new_page+0x1b/0x110
[ 50.618697][ T366] get_page_from_freelist+0x3550/0x35d0
[ 50.624049][ T366] __alloc_pages+0x27e/0x8f0
[ 50.628443][ T366] new_slab+0x9a/0x4e0
[ 50.632347][ T366] ___slab_alloc+0x39e/0x830
[ 50.636784][ T366] __slab_alloc+0x4a/0x90
[ 50.640940][ T366] kmem_cache_alloc+0x139/0x250
[ 50.645630][ T366] __alloc_skb+0xbe/0x550
[ 50.649793][ T366] alloc_skb_with_frags+0xa6/0x680
[ 50.654743][ T366] sock_alloc_send_pskb+0x915/0xa50
[ 50.659785][ T366] unix_dgram_sendmsg+0x6fd/0x2090
[ 50.664721][ T366] __sys_sendto+0x564/0x720
[ 50.669065][ T366] __x64_sys_sendto+0xe5/0x100
[ 50.673748][ T366] x64_sys_call+0x15c/0x9a0
[ 50.678092][ T366] do_syscall_64+0x3b/0xb0
[ 50.682342][ T366] page last free stack trace:
[ 50.686865][ T366] free_unref_page_prepare+0x7c8/0x7d0
[ 50.692148][ T366] free_unref_page+0xe8/0x750
[ 50.696664][ T366] __put_page+0xb0/0xe0
[ 50.700656][ T366] anon_pipe_buf_release+0x187/0x200
[ 50.705811][ T366] pipe_read+0x5a6/0x1040
[ 50.709944][ T366] vfs_read+0xa81/0xd40
[ 50.714052][ T366] ksys_read+0x199/0x2c0
[ 50.718110][ T366] __x64_sys_read+0x7b/0x90
[ 50.722443][ T366] x64_sys_call+0x28/0x9a0
[ 50.726698][ T366] do_syscall_64+0x3b/0xb0
[ 50.730952][ T366] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 50.736766][ T366]
[ 50.738938][ T366] Memory state around the buggy address:
[ 50.744499][ T366] ffff88811fbae700: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 50.752629][ T366] ffff88811fbae780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.760458][ T366] >ffff88811fbae800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 50.768526][ T366] ^
[ 50.775828][ T366] ffff88811fbae880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 50.783719][ T366] ffff88811fbae900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.791619][ T366] ==================================================================
[ 50.799516][ T366] Disabling lock debugging due to kernel taint
[ 50.805566][ T366] ==================================================================
[ 50.813403][ T366] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x115/0x330
[ 50.821645][ T366]
[ 50.823906][ T366] CPU: 1 PID: 366 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 50.835447][ T366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 50.845429][ T366] Call Trace:
[ 50.848551][ T366]
[ 50.851340][ T366] dump_stack_lvl+0x151/0x1c0
[ 50.855842][ T366] ? io_uring_drop_tctx_refs+0x190/0x190
[ 50.861308][ T366] ? __wake_up_klogd+0xd5/0x110
[ 50.865999][ T366] ? panic+0x760/0x760
[ 50.869906][ T366] ? kmem_cache_free+0x115/0x330
[ 50.874777][ T366] print_address_description+0x87/0x3b0
[ 50.880156][ T366] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 50.886134][ T366] ? kmem_cache_free+0x115/0x330
[ 50.890911][ T366] ? kmem_cache_free+0x115/0x330
[ 50.895686][ T366] kasan_report_invalid_free+0x6b/0xa0
[ 50.900976][ T366] ____kasan_slab_free+0x13e/0x160
[ 50.906013][ T366] __kasan_slab_free+0x11/0x20
[ 50.910611][ T366] slab_free_freelist_hook+0xbd/0x190
[ 50.915819][ T366] kmem_cache_free+0x115/0x330
[ 50.920502][ T366] ? kfree_skbmem+0x104/0x170
[ 50.925124][ T366] kfree_skbmem+0x104/0x170
[ 50.929442][ T366] consume_skb+0xb4/0x250
[ 50.933608][ T366] __sk_msg_free+0x2dd/0x370
[ 50.938035][ T366] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 50.943970][ T366] sk_psock_stop+0x4e3/0x580
[ 50.948387][ T366] sk_psock_drop+0x219/0x310
[ 50.952816][ T366] sock_map_unref+0x3c6/0x430
[ 50.957323][ T366] ? _raw_spin_unlock_bh+0x51/0x60
[ 50.962273][ T366] sock_map_remove_links+0x41c/0x650
[ 50.967481][ T366] ? __kasan_record_aux_stack+0xd3/0xf0
[ 50.972867][ T366] ? kasan_record_aux_stack+0xe/0x10
[ 50.977996][ T366] ? task_work_add+0x27/0x1d0
[ 50.982504][ T366] ? sock_map_unhash+0x120/0x120
[ 50.987451][ T366] ? x64_sys_call+0x3d/0x9a0
[ 50.991869][ T366] ? locks_remove_posix+0x610/0x610
[ 50.996904][ T366] sock_map_close+0x114/0x530
[ 51.001525][ T366] ? unix_peer_get+0xe0/0xe0
[ 51.005940][ T366] ? sock_map_remove_links+0x650/0x650
[ 51.011236][ T366] ? rwsem_mark_wake+0x770/0x770
[ 51.016011][ T366] unix_release+0x82/0xc0
[ 51.020177][ T366] sock_close+0xdf/0x270
[ 51.024252][ T366] ? sock_mmap+0xa0/0xa0
[ 51.028333][ T366] __fput+0x228/0x8c0
[ 51.032165][ T366] ____fput+0x15/0x20
[ 51.035978][ T366] task_work_run+0x129/0x190
[ 51.040397][ T366] exit_to_user_mode_loop+0xc4/0xe0
[ 51.045431][ T366] exit_to_user_mode_prepare+0x5a/0xa0
[ 51.050723][ T366] syscall_exit_to_user_mode+0x26/0x160
[ 51.056104][ T366] do_syscall_64+0x47/0xb0
[ 51.060356][ T366] ? clear_bhb_loop+0x35/0x90
[ 51.064872][ T366] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 51.070601][ T366] RIP: 0033:0x7fc018e24d9a
[ 51.074971][ T366] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 51.094560][ T366] RSP: 002b:00007ffc3e38d290 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 51.102813][ T366] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fc018e24d9a
[ 51.110711][ T366] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 51.118523][ T366] RBP: 00007fc018f55980 R08: 0000001b31f60000 R09: 0000000000000001
[ 51.126449][ T366] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000c577
[ 51.134401][ T366] R13: 000000000000c238 R14: 00007ffc3e38d450 R15: 00007fc018ddccb0
[ 51.142220][ T366]
[ 51.145156][ T366]
[ 51.147321][ T366] Allocated by task 367:
[ 51.151407][ T366] __kasan_slab_alloc+0xb1/0xe0
[ 51.156093][ T366] slab_post_alloc_hook+0x53/0x2c0
[ 51.161036][ T366] kmem_cache_alloc+0xf5/0x250
[ 51.165639][ T366] skb_clone+0x1d1/0x360
[ 51.169715][ T366] sk_psock_verdict_recv+0x53/0x840
[ 51.174755][ T366] unix_read_sock+0x132/0x370
[ 51.179278][ T366] sk_psock_verdict_data_ready+0x147/0x1a0
[ 51.184916][ T366] unix_dgram_sendmsg+0x15fa/0x2090
[ 51.190061][ T366] ____sys_sendmsg+0x59e/0x8f0
[ 51.194658][ T366] ___sys_sendmsg+0x252/0x2e0
[ 51.199413][ T366] __se_sys_sendmsg+0x19a/0x260
[ 51.204057][ T366] __x64_sys_sendmsg+0x7b/0x90
[ 51.208746][ T366] x64_sys_call+0x16a/0x9a0
[ 51.213081][ T366] do_syscall_64+0x3b/0xb0
[ 51.217337][ T366] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 51.223074][ T366]
[ 51.225235][ T366] Freed by task 311:
[ 51.228964][ T366] kasan_set_track+0x4b/0x70
[ 51.233394][ T366] kasan_set_free_info+0x23/0x40
[ 51.238252][ T366] ____kasan_slab_free+0x126/0x160
[ 51.243201][ T366] __kasan_slab_free+0x11/0x20
[ 51.247801][ T366] slab_free_freelist_hook+0xbd/0x190
[ 51.253092][ T366] kmem_cache_free+0x115/0x330
[ 51.257723][ T366] kfree_skbmem+0x104/0x170
[ 51.262122][ T366] kfree_skb+0xc2/0x360
[ 51.266200][ T366] sk_psock_backlog+0xad1/0xdc0
[ 51.270888][ T366] process_one_work+0x6bb/0xc10
[ 51.275574][ T366] worker_thread+0xad5/0x12a0
[ 51.280093][ T366] kthread+0x421/0x510
[ 51.284007][ T366] ret_from_fork+0x1f/0x30
[ 51.288247][ T366]
[ 51.290416][ T366] The buggy address belongs to the object at ffff88811fbae780
[ 51.290416][ T366] which belongs to the cache skbuff_head_cache of size 248
[ 51.305049][ T366] The buggy address is located 0 bytes inside of
[ 51.305049][ T366] 248-byte region [ffff88811fbae780, ffff88811fbae878)
[ 51.318084][ T366] The buggy address belongs to the page:
[ 51.323535][ T366] page:ffffea00047eeb80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fbae
[ 51.333600][ T366] flags: 0x4000000000000200(slab|zone=1)
[ 51.339086][ T366] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081ab080
[ 51.347704][ T366] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 51.356080][ T366] page dumped because: kasan: bad access detected
[ 51.362507][ T366] page_owner tracks the page as allocated
[ 51.368172][ T366] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 90, ts 49703833839, free_ts 42441259919
[ 51.383896][ T366] post_alloc_hook+0x1a3/0x1b0
[ 51.388481][ T366] prep_new_page+0x1b/0x110
[ 51.392812][ T366] get_page_from_freelist+0x3550/0x35d0
[ 51.398195][ T366] __alloc_pages+0x27e/0x8f0
[ 51.402619][ T366] new_slab+0x9a/0x4e0
[ 51.406529][ T366] ___slab_alloc+0x39e/0x830
[ 51.410961][ T366] __slab_alloc+0x4a/0x90
[ 51.415119][ T366] kmem_cache_alloc+0x139/0x250
[ 51.419981][ T366] __alloc_skb+0xbe/0x550
[ 51.424145][ T366] alloc_skb_with_frags+0xa6/0x680
[ 51.429199][ T366] sock_alloc_send_pskb+0x915/0xa50
[ 51.434212][ T366] unix_dgram_sendmsg+0x6fd/0x2090
[ 51.439351][ T366] __sys_sendto+0x564/0x720
[ 51.443672][ T366] __x64_sys_sendto+0xe5/0x100
[ 51.448361][ T366] x64_sys_call+0x15c/0x9a0
[ 51.452717][ T366] do_syscall_64+0x3b/0xb0
[ 51.457133][ T366] page last free stack trace:
[ 51.461650][ T366] free_unref_page_prepare+0x7c8/0x7d0
[ 51.466945][ T366] free_unref_page+0xe8/0x750
[ 51.471533][ T366] __put_page+0xb0/0xe0
[ 51.475527][ T366] anon_pipe_buf_release+0x187/0x200
[ 51.480646][ T366] pipe_read+0x5a6/0x1040
[ 51.484823][ T366] vfs_read+0xa81/0xd40
[ 51.488810][ T366] ksys_read+0x199/0x2c0
[ 51.492918][ T366] __x64_sys_read+0x7b/0x90
[ 51.497224][ T366] x64_sys_call+0x28/0x9a0
[ 51.501489][ T366] do_syscall_64+0x3b/0xb0
[ 51.505729][ T366] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 51.511465][ T366]
[ 51.513632][ T366] Memory state around the buggy address:
[ 51.519189][ T366] ffff88811fbae680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.527176][ T366] ffff88811fbae700: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 51.535235][ T366] >ffff88811fbae780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.543208][ T366] ^
[ 51.547116][ T366] ffff88811fbae800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 51.555008][ T366] ffff88811fbae880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 51.562905][ T366] ==================================================================
[ 51.592546][ T370] FAULT_INJECTION: forcing a failure.
[ 51.592546][ T370] name failslab, interval 1, probability 0, space 0, times 0
[ 51.605512][ T370] CPU: 0 PID: 370 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 51.617499][ T370] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 51.627509][ T370] Call Trace:
[ 51.630629][ T370]
[ 51.633490][ T370] dump_stack_lvl+0x151/0x1c0
[ 51.638091][ T370] ? io_uring_drop_tctx_refs+0x190/0x190
[ 51.643565][ T370] dump_stack+0x15/0x20
[ 51.647552][ T370] should_fail+0x3c6/0x510
[ 51.651804][ T370] __should_failslab+0xa4/0xe0
[ 51.656504][ T370] should_failslab+0x9/0x20
[ 51.660957][ T370] slab_pre_alloc_hook+0x37/0xd0
[ 51.665788][ T370] kmem_cache_alloc_trace+0x48/0x270
[ 51.670985][ T370] ? sk_psock_skb_ingress_self+0x60/0x330
[ 51.676537][ T370] ? migrate_disable+0x190/0x190
[ 51.681310][ T370] sk_psock_skb_ingress_self+0x60/0x330
[ 51.686718][ T370] sk_psock_verdict_recv+0x66d/0x840
[ 51.691815][ T370] unix_read_sock+0x132/0x370
[ 51.696330][ T370] ? sk_psock_skb_redirect+0x440/0x440
[ 51.701718][ T370] ? unix_stream_splice_actor+0x120/0x120
[ 51.707271][ T370] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 51.712568][ T370] ? unix_stream_splice_actor+0x120/0x120
[ 51.718207][ T370] sk_psock_verdict_data_ready+0x147/0x1a0
[ 51.723855][ T370] ? sk_psock_start_verdict+0xc0/0xc0
[ 51.729142][ T370] ? _raw_spin_lock+0xa4/0x1b0
[ 51.733740][ T370] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 51.739398][ T370] ? skb_queue_tail+0xfb/0x120
[ 51.743984][ T370] unix_dgram_sendmsg+0x15fa/0x2090
[ 51.749018][ T370] ? unix_dgram_poll+0x690/0x690
[ 51.753793][ T370] ? _raw_spin_unlock+0x4d/0x70
[ 51.758508][ T370] ? security_socket_sendmsg+0x82/0xb0
[ 51.763777][ T370] ? unix_dgram_poll+0x690/0x690
[ 51.768578][ T370] ____sys_sendmsg+0x59e/0x8f0
[ 51.773187][ T370] ? __sys_sendmsg_sock+0x40/0x40
[ 51.778010][ T370] ? import_iovec+0xe5/0x120
[ 51.782432][ T370] ___sys_sendmsg+0x252/0x2e0
[ 51.786946][ T370] ? __sys_sendmsg+0x260/0x260
[ 51.791556][ T370] ? putname+0xfa/0x150
[ 51.795549][ T370] ? __fdget+0x1bc/0x240
[ 51.799627][ T370] __se_sys_sendmsg+0x19a/0x260
[ 51.804306][ T370] ? __x64_sys_sendmsg+0x90/0x90
[ 51.809099][ T370] ? ksys_write+0x260/0x2c0
[ 51.813570][ T370] ? debug_smp_processor_id+0x17/0x20
[ 51.818819][ T370] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 51.824722][ T370] __x64_sys_sendmsg+0x7b/0x90
[ 51.829440][ T370] x64_sys_call+0x16a/0x9a0
[ 51.833751][ T370] do_syscall_64+0x3b/0xb0
[ 51.838003][ T370] ? clear_bhb_loop+0x35/0x90
[ 51.842509][ T370] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 51.848239][ T370] RIP: 0033:0x7fc018e25ea9
[ 51.852491][ T370] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 51.871941][ T370] RSP: 002b:00007fc0189a70c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 51.880181][ T370] RAX: ffffffffffffffda RBX: 00007fc018f53f80 RCX: 00007fc018e25ea9
[ 51.887997][ T370] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 51.895980][ T370] RBP: 00007fc0189a7120 R08: 0000000000000000 R09: 0000000000000000
[ 51.903914][ T370] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 51.911733][ T370] R13: 000000000000000b R14: 00007fc018f53f80 R15: 00007ffc3e38d1c8
[ 51.919665][ T370]
[ 51.925012][ T369] ==================================================================
[ 51.932902][ T369] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x115/0x330
[ 51.941136][ T369]
[ 51.943308][ T369] CPU: 1 PID: 369 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 51.954899][ T369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 51.964858][ T369] Call Trace:
[ 51.968251][ T369]
[ 51.971447][ T369] dump_stack_lvl+0x151/0x1c0
[ 51.976135][ T369] ? io_uring_drop_tctx_refs+0x190/0x190
[ 51.981601][ T369] ? __wake_up_klogd+0xd5/0x110
[ 51.986281][ T369] ? panic+0x760/0x760
[ 51.990188][ T369] ? kmem_cache_free+0x115/0x330
[ 51.994960][ T369] print_address_description+0x87/0x3b0
[ 52.000342][ T369] ? kmem_cache_free+0x115/0x330
[ 52.005118][ T369] ? kmem_cache_free+0x115/0x330
[ 52.009914][ T369] kasan_report_invalid_free+0x6b/0xa0
[ 52.015185][ T369] ____kasan_slab_free+0x13e/0x160
[ 52.020146][ T369] __kasan_slab_free+0x11/0x20
[ 52.024817][ T369] slab_free_freelist_hook+0xbd/0x190
[ 52.030138][ T369] kmem_cache_free+0x115/0x330
[ 52.034842][ T369] ? kfree_skbmem+0x104/0x170
[ 52.039361][ T369] kfree_skbmem+0x104/0x170
[ 52.043684][ T369] consume_skb+0xb4/0x250
[ 52.047870][ T369] __sk_msg_free+0x2dd/0x370
[ 52.052281][ T369] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 52.057915][ T369] sk_psock_stop+0x4e3/0x580
[ 52.062341][ T369] sk_psock_drop+0x219/0x310
[ 52.066764][ T369] sock_map_unref+0x3c6/0x430
[ 52.071279][ T369] ? _raw_spin_unlock_bh+0x51/0x60
[ 52.076224][ T369] sock_map_remove_links+0x41c/0x650
[ 52.081351][ T369] ? __kasan_record_aux_stack+0xd3/0xf0
[ 52.086729][ T369] ? kasan_record_aux_stack+0xe/0x10
[ 52.091897][ T369] ? task_work_add+0x27/0x1d0
[ 52.096472][ T369] ? sock_map_unhash+0x120/0x120
[ 52.101234][ T369] ? x64_sys_call+0x3d/0x9a0
[ 52.105663][ T369] ? locks_remove_posix+0x610/0x610
[ 52.110699][ T369] sock_map_close+0x114/0x530
[ 52.115228][ T369] ? unix_peer_get+0xe0/0xe0
[ 52.119643][ T369] ? sock_map_remove_links+0x650/0x650
[ 52.124939][ T369] ? rwsem_mark_wake+0x770/0x770
[ 52.129797][ T369] unix_release+0x82/0xc0
[ 52.134055][ T369] sock_close+0xdf/0x270
[ 52.138212][ T369] ? sock_mmap+0xa0/0xa0
[ 52.142289][ T369] __fput+0x228/0x8c0
[ 52.146204][ T369] ____fput+0x15/0x20
[ 52.150021][ T369] task_work_run+0x129/0x190
[ 52.154613][ T369] exit_to_user_mode_loop+0xc4/0xe0
[ 52.159609][ T369] exit_to_user_mode_prepare+0x5a/0xa0
[ 52.164983][ T369] syscall_exit_to_user_mode+0x26/0x160
[ 52.170367][ T369] do_syscall_64+0x47/0xb0
[ 52.174626][ T369] ? clear_bhb_loop+0x35/0x90
[ 52.179131][ T369] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 52.184866][ T369] RIP: 0033:0x7fc018e24d9a
[ 52.189123][ T369] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 52.209026][ T369] RSP: 002b:00007ffc3e38d290 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 52.217776][ T369] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fc018e24d9a
[ 52.225599][ T369] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 52.233396][ T369] RBP: 00007fc018f55980 R08: 0000001b31f60000 R09: 0000000000000001
[ 52.241201][ T369] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000ccbe
[ 52.249026][ T369] R13: 000000000000c97f R14: 00007ffc3e38d450 R15: 00007fc018ddccb0
[ 52.256922][ T369]
[ 52.259784][ T369]
[ 52.261950][ T369] Allocated by task 370:
[ 52.266113][ T369] __kasan_slab_alloc+0xb1/0xe0
[ 52.270796][ T369] slab_post_alloc_hook+0x53/0x2c0
[ 52.275765][ T369] kmem_cache_alloc+0xf5/0x250
[ 52.280349][ T369] skb_clone+0x1d1/0x360
[ 52.284435][ T369] sk_psock_verdict_recv+0x53/0x840
[ 52.289466][ T369] unix_read_sock+0x132/0x370
[ 52.294151][ T369] sk_psock_verdict_data_ready+0x147/0x1a0
[ 52.299790][ T369] unix_dgram_sendmsg+0x15fa/0x2090
[ 52.304924][ T369] ____sys_sendmsg+0x59e/0x8f0
[ 52.309613][ T369] ___sys_sendmsg+0x252/0x2e0
[ 52.314209][ T369] __se_sys_sendmsg+0x19a/0x260
[ 52.318902][ T369] __x64_sys_sendmsg+0x7b/0x90
[ 52.323499][ T369] x64_sys_call+0x16a/0x9a0
[ 52.327840][ T369] do_syscall_64+0x3b/0xb0
[ 52.332090][ T369] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 52.337822][ T369]
[ 52.339993][ T369] Freed by task 20:
[ 52.343633][ T369] kasan_set_track+0x4b/0x70
[ 52.348060][ T369] kasan_set_free_info+0x23/0x40
[ 52.352840][ T369] ____kasan_slab_free+0x126/0x160
[ 52.357794][ T369] __kasan_slab_free+0x11/0x20
[ 52.362381][ T369] slab_free_freelist_hook+0xbd/0x190
[ 52.367590][ T369] kmem_cache_free+0x115/0x330
[ 52.372192][ T369] kfree_skbmem+0x104/0x170
[ 52.376616][ T369] kfree_skb+0xc2/0x360
[ 52.380609][ T369] sk_psock_backlog+0xad1/0xdc0
[ 52.385473][ T369] process_one_work+0x6bb/0xc10
[ 52.390330][ T369] worker_thread+0xad5/0x12a0
[ 52.394840][ T369] kthread+0x421/0x510
[ 52.398748][ T369] ret_from_fork+0x1f/0x30
[ 52.402999][ T369]
[ 52.405169][ T369] The buggy address belongs to the object at ffff88810f4e9640
[ 52.405169][ T369] which belongs to the cache skbuff_head_cache of size 248
[ 52.419586][ T369] The buggy address is located 0 bytes inside of
[ 52.419586][ T369] 248-byte region [ffff88810f4e9640, ffff88810f4e9738)
[ 52.432522][ T369] The buggy address belongs to the page:
[ 52.437987][ T369] page:ffffea00043d3a40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f4e9
[ 52.448159][ T369] flags: 0x4000000000000200(slab|zone=1)
[ 52.453635][ T369] raw: 4000000000000200 ffffea00043c2440 0000000200000002 ffff8881081ab080
[ 52.462053][ T369] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 52.470471][ T369] page dumped because: kasan: bad access detected
[ 52.476808][ T369] page_owner tracks the page as allocated
[ 52.482366][ T369] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 110, ts 4794649972, free_ts 0
[ 52.497282][ T369] post_alloc_hook+0x1a3/0x1b0
[ 52.501892][ T369] prep_new_page+0x1b/0x110
[ 52.506230][ T369] get_page_from_freelist+0x3550/0x35d0
[ 52.511615][ T369] __alloc_pages+0x27e/0x8f0
[ 52.516030][ T369] new_slab+0x9a/0x4e0
[ 52.520026][ T369] ___slab_alloc+0x39e/0x830
[ 52.524449][ T369] __slab_alloc+0x4a/0x90
[ 52.528619][ T369] kmem_cache_alloc+0x139/0x250
[ 52.533311][ T369] __alloc_skb+0xbe/0x550
[ 52.537468][ T369] netlink_sendmsg+0x797/0xd20
[ 52.542082][ T369] ____sys_sendmsg+0x59e/0x8f0
[ 52.546688][ T369] ___sys_sendmsg+0x252/0x2e0
[ 52.551192][ T369] __se_sys_sendmsg+0x19a/0x260
[ 52.555872][ T369] __x64_sys_sendmsg+0x7b/0x90
[ 52.560472][ T369] x64_sys_call+0x16a/0x9a0
[ 52.564815][ T369] do_syscall_64+0x3b/0xb0
[ 52.569254][ T369] page_owner free stack trace missing
[ 52.574467][ T369]
[ 52.576852][ T369] Memory state around the buggy address:
[ 52.582495][ T369] ffff88810f4e9500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.590389][ T369] ffff88810f4e9580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 52.598285][ T369] >ffff88810f4e9600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 52.606359][ T369] ^
[ 52.612365][ T369] ffff88810f4e9680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.620252][ T369] ffff88810f4e9700: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 52.628331][ T369] ==================================================================
[ 52.648285][ T373] FAULT_INJECTION: forcing a failure.
[ 52.648285][ T373] name failslab, interval 1, probability 0, space 0, times 0
[ 52.660810][ T373] CPU: 0 PID: 373 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 52.672559][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 52.682721][ T373] Call Trace:
[ 52.685879][ T373]
[ 52.688626][ T373] dump_stack_lvl+0x151/0x1c0
[ 52.693133][ T373] ? io_uring_drop_tctx_refs+0x190/0x190
[ 52.698598][ T373] dump_stack+0x15/0x20
[ 52.702596][ T373] should_fail+0x3c6/0x510
[ 52.706853][ T373] __should_failslab+0xa4/0xe0
[ 52.711443][ T373] should_failslab+0x9/0x20
[ 52.715783][ T373] slab_pre_alloc_hook+0x37/0xd0
[ 52.720559][ T373] kmem_cache_alloc_trace+0x48/0x270
[ 52.725677][ T373] ? sk_psock_skb_ingress_self+0x60/0x330
[ 52.731316][ T373] ? migrate_disable+0x190/0x190
[ 52.736096][ T373] sk_psock_skb_ingress_self+0x60/0x330
[ 52.741584][ T373] sk_psock_verdict_recv+0x66d/0x840
[ 52.746703][ T373] unix_read_sock+0x132/0x370
[ 52.751229][ T373] ? sk_psock_skb_redirect+0x440/0x440
[ 52.756513][ T373] ? unix_stream_splice_actor+0x120/0x120
[ 52.762066][ T373] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 52.767368][ T373] ? unix_stream_splice_actor+0x120/0x120
[ 52.773000][ T373] sk_psock_verdict_data_ready+0x147/0x1a0
[ 52.778643][ T373] ? sk_psock_start_verdict+0xc0/0xc0
[ 52.783849][ T373] ? _raw_spin_lock+0xa4/0x1b0
[ 52.788476][ T373] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 52.794298][ T373] ? skb_queue_tail+0xfb/0x120
[ 52.798885][ T373] unix_dgram_sendmsg+0x15fa/0x2090
[ 52.803942][ T373] ? unix_dgram_poll+0x690/0x690
[ 52.808698][ T373] ? _raw_spin_unlock+0x4d/0x70
[ 52.813748][ T373] ? security_socket_sendmsg+0x82/0xb0
[ 52.819310][ T373] ? unix_dgram_poll+0x690/0x690
[ 52.824072][ T373] ____sys_sendmsg+0x59e/0x8f0
[ 52.828708][ T373] ? __sys_sendmsg_sock+0x40/0x40
[ 52.833529][ T373] ? import_iovec+0xe5/0x120
[ 52.837955][ T373] ___sys_sendmsg+0x252/0x2e0
[ 52.842482][ T373] ? __sys_sendmsg+0x260/0x260
[ 52.847071][ T373] ? putname+0xfa/0x150
[ 52.851169][ T373] ? __fdget+0x1bc/0x240
[ 52.855242][ T373] __se_sys_sendmsg+0x19a/0x260
[ 52.859944][ T373] ? __x64_sys_sendmsg+0x90/0x90
[ 52.864714][ T373] ? ksys_write+0x260/0x2c0
[ 52.869046][ T373] ? debug_smp_processor_id+0x17/0x20
[ 52.874415][ T373] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 52.880397][ T373] __x64_sys_sendmsg+0x7b/0x90
[ 52.885081][ T373] x64_sys_call+0x16a/0x9a0
[ 52.889521][ T373] do_syscall_64+0x3b/0xb0
[ 52.893761][ T373] ? clear_bhb_loop+0x35/0x90
[ 52.898288][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 52.904002][ T373] RIP: 0033:0x7fc018e25ea9
[ 52.908253][ T373] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 52.927825][ T373] RSP: 002b:00007fc0189a70c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 52.936381][ T373] RAX: ffffffffffffffda RBX: 00007fc018f53f80 RCX: 00007fc018e25ea9
[ 52.944303][ T373] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 52.952113][ T373] RBP: 00007fc0189a7120 R08: 0000000000000000 R09: 0000000000000000
[ 52.959933][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 52.967760][ T373] R13: 000000000000000b R14: 00007fc018f53f80 R15: 00007ffc3e38d1c8
[ 52.975552][ T373]
[ 52.978886][ T372] ==================================================================
[ 52.982397][ T30] audit: type=1400 audit(1742438418.323:104): avc: denied { remove_name } for pid=83 comm="syslogd" name="messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 52.986772][ T372] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x115/0x330
[ 53.017747][ T372]
[ 53.019924][ T372] CPU: 0 PID: 372 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 53.031545][ T372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 53.041527][ T372] Call Trace:
[ 53.044650][ T372]
[ 53.047426][ T372] dump_stack_lvl+0x151/0x1c0
[ 53.051940][ T372] ? io_uring_drop_tctx_refs+0x190/0x190
[ 53.057406][ T372] ? __wake_up_klogd+0xd5/0x110
[ 53.062094][ T372] ? panic+0x760/0x760
[ 53.066012][ T372] ? kmem_cache_free+0x115/0x330
[ 53.070771][ T372] print_address_description+0x87/0x3b0
[ 53.076153][ T372] ? kmem_cache_free+0x115/0x330
[ 53.080930][ T372] ? kmem_cache_free+0x115/0x330
[ 53.085704][ T372] kasan_report_invalid_free+0x6b/0xa0
[ 53.091085][ T372] ____kasan_slab_free+0x13e/0x160
[ 53.096038][ T372] __kasan_slab_free+0x11/0x20
[ 53.100650][ T372] slab_free_freelist_hook+0xbd/0x190
[ 53.105859][ T372] kmem_cache_free+0x115/0x330
[ 53.110447][ T372] ? kfree_skbmem+0x104/0x170
[ 53.115064][ T372] kfree_skbmem+0x104/0x170
[ 53.119605][ T372] consume_skb+0xb4/0x250
[ 53.123738][ T372] __sk_msg_free+0x2dd/0x370
[ 53.128170][ T372] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 53.133807][ T372] sk_psock_stop+0x4e3/0x580
[ 53.138239][ T372] sk_psock_drop+0x219/0x310
[ 53.142809][ T372] sock_map_unref+0x3c6/0x430
[ 53.147428][ T372] ? _raw_spin_unlock_bh+0x51/0x60
[ 53.152371][ T372] sock_map_remove_links+0x41c/0x650
[ 53.157572][ T372] ? __kasan_record_aux_stack+0xd3/0xf0
[ 53.163377][ T372] ? kasan_record_aux_stack+0xe/0x10
[ 53.168561][ T372] ? task_work_add+0x27/0x1d0
[ 53.173006][ T372] ? sock_map_unhash+0x120/0x120
[ 53.178054][ T372] ? x64_sys_call+0x3d/0x9a0
[ 53.182482][ T372] ? locks_remove_posix+0x610/0x610
[ 53.187501][ T372] sock_map_close+0x114/0x530
[ 53.192016][ T372] ? unix_peer_get+0xe0/0xe0
[ 53.196435][ T372] ? sock_map_remove_links+0x650/0x650
[ 53.201732][ T372] ? rwsem_mark_wake+0x770/0x770
[ 53.206529][ T372] unix_release+0x82/0xc0
[ 53.210813][ T372] sock_close+0xdf/0x270
[ 53.214884][ T372] ? sock_mmap+0xa0/0xa0
[ 53.219055][ T372] __fput+0x228/0x8c0
[ 53.222876][ T372] ____fput+0x15/0x20
[ 53.226696][ T372] task_work_run+0x129/0x190
[ 53.231131][ T372] exit_to_user_mode_loop+0xc4/0xe0
[ 53.236153][ T372] exit_to_user_mode_prepare+0x5a/0xa0
[ 53.241449][ T372] syscall_exit_to_user_mode+0x26/0x160
[ 53.246833][ T372] do_syscall_64+0x47/0xb0
[ 53.251083][ T372] ? clear_bhb_loop+0x35/0x90
[ 53.255617][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 53.261357][ T372] RIP: 0033:0x7fc018e24d9a
[ 53.265579][ T372] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 53.285019][ T372] RSP: 002b:00007ffc3e38d290 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 53.293284][ T372] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fc018e24d9a
[ 53.301082][ T372] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 53.308884][ T372] RBP: 00007fc018f55980 R08: 00007fc018da8000 R09: 0000000000000001
[ 53.316696][ T372] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000cdd0
[ 53.324508][ T372] R13: 000000000000cd9e R14: 00007ffc3e38d450 R15: 00007fc018ddccb0
[ 53.332324][ T372]
[ 53.335183][ T372]
[ 53.337352][ T372] Allocated by task 373:
[ 53.341441][ T372] __kasan_slab_alloc+0xb1/0xe0
[ 53.346205][ T372] slab_post_alloc_hook+0x53/0x2c0
[ 53.351250][ T372] kmem_cache_alloc+0xf5/0x250
[ 53.356022][ T372] skb_clone+0x1d1/0x360
[ 53.360090][ T372] sk_psock_verdict_recv+0x53/0x840
[ 53.365126][ T372] unix_read_sock+0x132/0x370
[ 53.369641][ T372] sk_psock_verdict_data_ready+0x147/0x1a0
[ 53.375293][ T372] unix_dgram_sendmsg+0x15fa/0x2090
[ 53.380313][ T372] ____sys_sendmsg+0x59e/0x8f0
[ 53.384941][ T372] ___sys_sendmsg+0x252/0x2e0
[ 53.389527][ T372] __se_sys_sendmsg+0x19a/0x260
[ 53.394200][ T372] __x64_sys_sendmsg+0x7b/0x90
[ 53.398864][ T372] x64_sys_call+0x16a/0x9a0
[ 53.403174][ T372] do_syscall_64+0x3b/0xb0
[ 53.407393][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 53.413128][ T372]
[ 53.415291][ T372] Freed by task 20:
[ 53.419116][ T372] kasan_set_track+0x4b/0x70
[ 53.423643][ T372] kasan_set_free_info+0x23/0x40
[ 53.428450][ T372] ____kasan_slab_free+0x126/0x160
[ 53.433602][ T372] __kasan_slab_free+0x11/0x20
[ 53.438200][ T372] slab_free_freelist_hook+0xbd/0x190
[ 53.443784][ T372] kmem_cache_free+0x115/0x330
[ 53.448335][ T372] kfree_skbmem+0x104/0x170
[ 53.452671][ T372] kfree_skb+0xc2/0x360
[ 53.456661][ T372] sk_psock_backlog+0xad1/0xdc0
[ 53.461350][ T372] process_one_work+0x6bb/0xc10
[ 53.466041][ T372] worker_thread+0xad5/0x12a0
[ 53.470554][ T372] kthread+0x421/0x510
[ 53.474468][ T372] ret_from_fork+0x1f/0x30
[ 53.478723][ T372]
[ 53.480880][ T372] The buggy address belongs to the object at ffff88810f4ed140
[ 53.480880][ T372] which belongs to the cache skbuff_head_cache of size 248
[ 53.495558][ T372] The buggy address is located 0 bytes inside of
[ 53.495558][ T372] 248-byte region [ffff88810f4ed140, ffff88810f4ed238)
[ 53.508746][ T372] The buggy address belongs to the page:
[ 53.514209][ T372] page:ffffea00043d3b40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f4ed
[ 53.524291][ T372] flags: 0x4000000000000200(slab|zone=1)
[ 53.529771][ T372] raw: 4000000000000200 dead000000000100 dead000000000122 ffff8881081ab080
[ 53.538171][ T372] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 53.546675][ T372] page dumped because: kasan: bad access detected
[ 53.552931][ T372] page_owner tracks the page as allocated
[ 53.558562][ T372] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 107, ts 4803874639, free_ts 0
[ 53.574412][ T372] post_alloc_hook+0x1a3/0x1b0
[ 53.579025][ T372] prep_new_page+0x1b/0x110
[ 53.583433][ T372] get_page_from_freelist+0x3550/0x35d0
[ 53.588839][ T372] __alloc_pages+0x27e/0x8f0
[ 53.593238][ T372] new_slab+0x9a/0x4e0
[ 53.597144][ T372] ___slab_alloc+0x39e/0x830
[ 53.601570][ T372] __slab_alloc+0x4a/0x90
[ 53.605743][ T372] kmem_cache_alloc+0x139/0x250
[ 53.610425][ T372] __alloc_skb+0xbe/0x550
[ 53.614601][ T372] netlink_sendmsg+0x797/0xd20
[ 53.619303][ T372] ____sys_sendmsg+0x59e/0x8f0
[ 53.623984][ T372] ___sys_sendmsg+0x252/0x2e0
[ 53.628499][ T372] __se_sys_sendmsg+0x19a/0x260
[ 53.633186][ T372] __x64_sys_sendmsg+0x7b/0x90
[ 53.638143][ T372] x64_sys_call+0x16a/0x9a0
[ 53.642571][ T372] do_syscall_64+0x3b/0xb0
[ 53.646816][ T372] page_owner free stack trace missing
[ 53.652122][ T372]
[ 53.654284][ T372] Memory state around the buggy address:
[ 53.659781][ T372] ffff88810f4ed000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.667680][ T372] ffff88810f4ed080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 53.675556][ T372] >ffff88810f4ed100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 53.683456][ T372] ^
[ 53.689454][ T372] ffff88810f4ed180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.697341][ T372] ffff88810f4ed200: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 53.705242][ T372] ==================================================================
[ 53.726556][ T376] FAULT_INJECTION: forcing a failure.
[ 53.726556][ T376] name failslab, interval 1, probability 0, space 0, times 0
[ 53.739268][ T376] CPU: 1 PID: 376 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 53.750809][ T376] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 53.760878][ T376] Call Trace:
[ 53.763995][ T376]
[ 53.766868][ T376] dump_stack_lvl+0x151/0x1c0
[ 53.771385][ T376] ? io_uring_drop_tctx_refs+0x190/0x190
[ 53.777051][ T376] dump_stack+0x15/0x20
[ 53.781132][ T376] should_fail+0x3c6/0x510
[ 53.785377][ T376] __should_failslab+0xa4/0xe0
[ 53.790679][ T376] should_failslab+0x9/0x20
[ 53.795023][ T376] slab_pre_alloc_hook+0x37/0xd0
[ 53.799786][ T376] kmem_cache_alloc_trace+0x48/0x270
[ 53.804912][ T376] ? sk_psock_skb_ingress_self+0x60/0x330
[ 53.810580][ T376] ? migrate_disable+0x190/0x190
[ 53.815368][ T376] sk_psock_skb_ingress_self+0x60/0x330
[ 53.820768][ T376] sk_psock_verdict_recv+0x66d/0x840
[ 53.826041][ T376] unix_read_sock+0x132/0x370
[ 53.830673][ T376] ? sk_psock_skb_redirect+0x440/0x440
[ 53.835939][ T376] ? unix_stream_splice_actor+0x120/0x120
[ 53.841494][ T376] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 53.846791][ T376] ? unix_stream_splice_actor+0x120/0x120
[ 53.852341][ T376] sk_psock_verdict_data_ready+0x147/0x1a0
[ 53.857984][ T376] ? sk_psock_start_verdict+0xc0/0xc0
[ 53.863280][ T376] ? _raw_spin_lock+0xa4/0x1b0
[ 53.867916][ T376] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 53.873517][ T376] ? skb_queue_tail+0xfb/0x120
[ 53.878118][ T376] unix_dgram_sendmsg+0x15fa/0x2090
[ 53.883160][ T376] ? unix_dgram_poll+0x690/0x690
[ 53.887934][ T376] ? _raw_spin_unlock+0x4d/0x70
[ 53.892743][ T376] ? security_socket_sendmsg+0x82/0xb0
[ 53.898293][ T376] ? unix_dgram_poll+0x690/0x690
[ 53.903151][ T376] ____sys_sendmsg+0x59e/0x8f0
[ 53.907859][ T376] ? __sys_sendmsg_sock+0x40/0x40
[ 53.912724][ T376] ? import_iovec+0xe5/0x120
[ 53.917138][ T376] ___sys_sendmsg+0x252/0x2e0
[ 53.921652][ T376] ? __sys_sendmsg+0x260/0x260
[ 53.926252][ T376] ? putname+0xfa/0x150
[ 53.930248][ T376] ? __fdget+0x1bc/0x240
[ 53.934339][ T376] __se_sys_sendmsg+0x19a/0x260
[ 53.939028][ T376] ? __x64_sys_sendmsg+0x90/0x90
[ 53.943782][ T376] ? ksys_write+0x260/0x2c0
[ 53.948144][ T376] ? debug_smp_processor_id+0x17/0x20
[ 53.953335][ T376] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 53.959245][ T376] __x64_sys_sendmsg+0x7b/0x90
[ 53.963962][ T376] x64_sys_call+0x16a/0x9a0
[ 53.968293][ T376] do_syscall_64+0x3b/0xb0
[ 53.972586][ T376] ? clear_bhb_loop+0x35/0x90
[ 53.977062][ T376] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 53.982783][ T376] RIP: 0033:0x7fc018e25ea9
[ 53.987038][ T376] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 54.006481][ T376] RSP: 002b:00007fc0189a70c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 54.014865][ T376] RAX: ffffffffffffffda RBX: 00007fc018f53f80 RCX: 00007fc018e25ea9
[ 54.022651][ T376] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 54.030464][ T376] RBP: 00007fc0189a7120 R08: 0000000000000000 R09: 0000000000000000
[ 54.038274][ T376] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 54.046086][ T376] R13: 000000000000000b R14: 00007fc018f53f80 R15: 00007ffc3e38d1c8
[ 54.054103][ T376]
[ 54.059016][ T375] ==================================================================
[ 54.066907][ T375] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x115/0x330
[ 54.075283][ T375]
[ 54.077447][ T375] CPU: 0 PID: 375 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 54.089131][ T375] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 54.099124][ T375] Call Trace:
[ 54.102244][ T375]
[ 54.105124][ T375] dump_stack_lvl+0x151/0x1c0
[ 54.109639][ T375] ? io_uring_drop_tctx_refs+0x190/0x190
[ 54.115253][ T375] ? __wake_up_klogd+0xd5/0x110
[ 54.119902][ T375] ? panic+0x760/0x760
[ 54.123869][ T375] ? kmem_cache_free+0x115/0x330
[ 54.128643][ T375] print_address_description+0x87/0x3b0
[ 54.134113][ T375] ? kmem_cache_free+0x115/0x330
[ 54.138991][ T375] ? kmem_cache_free+0x115/0x330
[ 54.143758][ T375] kasan_report_invalid_free+0x6b/0xa0
[ 54.149044][ T375] ____kasan_slab_free+0x13e/0x160
[ 54.153985][ T375] __kasan_slab_free+0x11/0x20
[ 54.158585][ T375] slab_free_freelist_hook+0xbd/0x190
[ 54.163792][ T375] kmem_cache_free+0x115/0x330
[ 54.168403][ T375] ? kfree_skbmem+0x104/0x170
[ 54.173202][ T375] kfree_skbmem+0x104/0x170
[ 54.177727][ T375] consume_skb+0xb4/0x250
[ 54.182049][ T375] __sk_msg_free+0x2dd/0x370
[ 54.186618][ T375] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 54.192494][ T375] sk_psock_stop+0x4e3/0x580
[ 54.196916][ T375] sk_psock_drop+0x219/0x310
[ 54.201344][ T375] sock_map_unref+0x3c6/0x430
[ 54.205854][ T375] ? _raw_spin_unlock_bh+0x51/0x60
[ 54.210802][ T375] sock_map_remove_links+0x41c/0x650
[ 54.215922][ T375] ? __kasan_record_aux_stack+0xd3/0xf0
[ 54.221310][ T375] ? kasan_record_aux_stack+0xe/0x10
[ 54.226441][ T375] ? task_work_add+0x27/0x1d0
[ 54.231039][ T375] ? sock_map_unhash+0x120/0x120
[ 54.235795][ T375] ? x64_sys_call+0x3d/0x9a0
[ 54.240264][ T375] ? locks_remove_posix+0x610/0x610
[ 54.245291][ T375] sock_map_close+0x114/0x530
[ 54.249780][ T375] ? unix_peer_get+0xe0/0xe0
[ 54.254209][ T375] ? sock_map_remove_links+0x650/0x650
[ 54.259495][ T375] ? rwsem_mark_wake+0x770/0x770
[ 54.264375][ T375] unix_release+0x82/0xc0
[ 54.268553][ T375] sock_close+0xdf/0x270
[ 54.272785][ T375] ? sock_mmap+0xa0/0xa0
[ 54.276901][ T375] __fput+0x228/0x8c0
[ 54.280717][ T375] ____fput+0x15/0x20
[ 54.284614][ T375] task_work_run+0x129/0x190
[ 54.289138][ T375] exit_to_user_mode_loop+0xc4/0xe0
[ 54.294249][ T375] exit_to_user_mode_prepare+0x5a/0xa0
[ 54.299541][ T375] syscall_exit_to_user_mode+0x26/0x160
[ 54.304925][ T375] do_syscall_64+0x47/0xb0
[ 54.309180][ T375] ? clear_bhb_loop+0x35/0x90
[ 54.313689][ T375] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 54.319592][ T375] RIP: 0033:0x7fc018e24d9a
[ 54.323843][ T375] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 54.343466][ T375] RSP: 002b:00007ffc3e38d290 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 54.351771][ T375] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fc018e24d9a
[ 54.359523][ T375] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 54.367550][ T375] RBP: 00007fc018f55980 R08: 0000001b31f60000 R09: 0000000000000001
[ 54.375363][ T375] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000d514
[ 54.383165][ T375] R13: 000000000000d1d5 R14: 00007ffc3e38d450 R15: 00007fc018ddccb0
[ 54.390986][ T375]
[ 54.393849][ T375]
[ 54.396008][ T375] Allocated by task 376:
[ 54.400096][ T375] __kasan_slab_alloc+0xb1/0xe0
[ 54.404780][ T375] slab_post_alloc_hook+0x53/0x2c0
[ 54.409722][ T375] kmem_cache_alloc+0xf5/0x250
[ 54.414320][ T375] skb_clone+0x1d1/0x360
[ 54.418399][ T375] sk_psock_verdict_recv+0x53/0x840
[ 54.423437][ T375] unix_read_sock+0x132/0x370
[ 54.427948][ T375] sk_psock_verdict_data_ready+0x147/0x1a0
[ 54.433599][ T375] unix_dgram_sendmsg+0x15fa/0x2090
[ 54.438635][ T375] ____sys_sendmsg+0x59e/0x8f0
[ 54.443312][ T375] ___sys_sendmsg+0x252/0x2e0
[ 54.447824][ T375] __se_sys_sendmsg+0x19a/0x260
[ 54.452512][ T375] __x64_sys_sendmsg+0x7b/0x90
[ 54.457119][ T375] x64_sys_call+0x16a/0x9a0
[ 54.461448][ T375] do_syscall_64+0x3b/0xb0
[ 54.465965][ T375] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 54.471690][ T375]
[ 54.473861][ T375] Freed by task 311:
[ 54.477683][ T375] kasan_set_track+0x4b/0x70
[ 54.482107][ T375] kasan_set_free_info+0x23/0x40
[ 54.486878][ T375] ____kasan_slab_free+0x126/0x160
[ 54.491826][ T375] __kasan_slab_free+0x11/0x20
[ 54.496438][ T375] slab_free_freelist_hook+0xbd/0x190
[ 54.501730][ T375] kmem_cache_free+0x115/0x330
[ 54.506323][ T375] kfree_skbmem+0x104/0x170
[ 54.510757][ T375] kfree_skb+0xc2/0x360
[ 54.514785][ T375] sk_psock_backlog+0xad1/0xdc0
[ 54.519427][ T375] process_one_work+0x6bb/0xc10
[ 54.524118][ T375] worker_thread+0xad5/0x12a0
[ 54.528636][ T375] kthread+0x421/0x510
[ 54.532550][ T375] ret_from_fork+0x1f/0x30
[ 54.536807][ T375]
[ 54.538966][ T375] The buggy address belongs to the object at ffff88811fb99c80
[ 54.538966][ T375] which belongs to the cache skbuff_head_cache of size 248
[ 54.553368][ T375] The buggy address is located 0 bytes inside of
[ 54.553368][ T375] 248-byte region [ffff88811fb99c80, ffff88811fb99d78)
[ 54.566301][ T375] The buggy address belongs to the page:
[ 54.571767][ T375] page:ffffea00047ee640 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fb99
[ 54.582279][ T375] flags: 0x4000000000000200(slab|zone=1)
[ 54.587744][ T375] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081ab080
[ 54.596165][ T375] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 54.604575][ T375] page dumped because: kasan: bad access detected
[ 54.610826][ T375] page_owner tracks the page as allocated
[ 54.616379][ T375] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 101, ts 53721940246, free_ts 52640018581
[ 54.632259][ T375] post_alloc_hook+0x1a3/0x1b0
[ 54.636867][ T375] prep_new_page+0x1b/0x110
[ 54.641197][ T375] get_page_from_freelist+0x3550/0x35d0
[ 54.646584][ T375] __alloc_pages+0x27e/0x8f0
[ 54.651006][ T375] new_slab+0x9a/0x4e0
[ 54.654915][ T375] ___slab_alloc+0x39e/0x830
[ 54.659336][ T375] __slab_alloc+0x4a/0x90
[ 54.663504][ T375] kmem_cache_alloc+0x139/0x250
[ 54.668188][ T375] __alloc_skb+0xbe/0x550
[ 54.672445][ T375] netlink_sendmsg+0x797/0xd20
[ 54.677045][ T375] ____sys_sendmsg+0x59e/0x8f0
[ 54.681656][ T375] ___sys_sendmsg+0x252/0x2e0
[ 54.686242][ T375] __se_sys_sendmsg+0x19a/0x260
[ 54.690948][ T375] __x64_sys_sendmsg+0x7b/0x90
[ 54.695531][ T375] x64_sys_call+0x16a/0x9a0
[ 54.699882][ T375] do_syscall_64+0x3b/0xb0
[ 54.704213][ T375] page last free stack trace:
[ 54.708727][ T375] free_unref_page_prepare+0x7c8/0x7d0
[ 54.714023][ T375] free_unref_page_list+0x14b/0xa60
[ 54.719058][ T375] release_pages+0x1310/0x1370
[ 54.723652][ T375] free_pages_and_swap_cache+0x8a/0xa0
[ 54.728946][ T375] tlb_finish_mmu+0x177/0x320
[ 54.733465][ T375] exit_mmap+0x484/0x990
[ 54.737537][ T375] __mmput+0x95/0x310
[ 54.741358][ T375] mmput+0x5b/0x170
[ 54.745017][ T375] do_exit+0xb9c/0x2ca0
[ 54.749005][ T375] do_group_exit+0x141/0x310
[ 54.753422][ T375] get_signal+0x7a3/0x1630
[ 54.757773][ T375] arch_do_signal_or_restart+0xbd/0x1680
[ 54.763232][ T375] exit_to_user_mode_loop+0xa0/0xe0
[ 54.768275][ T375] exit_to_user_mode_prepare+0x5a/0xa0
[ 54.773566][ T375] syscall_exit_to_user_mode+0x26/0x160
[ 54.778949][ T375] do_syscall_64+0x47/0xb0
[ 54.783203][ T375]
[ 54.785710][ T375] Memory state around the buggy address:
[ 54.791199][ T375] ffff88811fb99b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.799382][ T375] ffff88811fb99c00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
2025/03/20 02:40:20 executed programs: 5
[ 54.807248][ T375] >ffff88811fb99c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.815145][ T375] ^
[ 54.819054][ T375] ffff88811fb99d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 54.826951][ T375] ffff88811fb99d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 54.834888][ T375] ==================================================================
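The three complete reports above (T369, T372, T375) have the same shape: an skb cloned in sk_psock_verdict_recv from a unix_dgram_sendmsg path, freed once by a kworker in sk_psock_backlog, then freed again from __sk_msg_free when the socket is closed and the psock is dropped. When a log like this carries many near-identical reports, the quickest triage is to extract those three points (who allocated, who freed, who freed again) mechanically. The script below is an added example, not syzbot output and not kernel code: it parses "BUG: KASAN:" blocks in the 5.15-era console format used here, skips "? symbol" frames (stale stack slots the unwinder could not confirm) and lines from other tasks interleaved on the console, and reports the first frame of each stack that is not KASAN or allocator plumbing. The _NOISE prefix list and the culprit heuristic are my own choices; the sample log is a constructed, abridged copy of the T369 report with one audit line from T30 interleaved to exercise the task filter.

```python
# Added triage helper (not syzbot output, not kernel code): parse the "BUG: KASAN:" blocks in
# the 5.15-era console format above and pull out what is read first when triaging: bug class,
# slab cache, allocating vs. freeing task, and the first non-KASAN/allocator frame of each stack.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "[   52.000342][ T369] payload" -> ("T369", "payload")
_PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*(T\d+)\]\s?(.*)$")
_BUG = re.compile(r"BUG: KASAN: (?P<kind>.+?) in (?P<func>\S+)")
_ALLOC = re.compile(r"Allocated by task (?P<pid>\d+):")
_FREED = re.compile(r"Freed by task (?P<pid>\d+):")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
# A verified frame is "symbol+0xoff/0xsize". "? symbol+..." entries are stale stack slots the
# unwinder could not confirm, so they deliberately never match.
_FRAME = re.compile(r"^[A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Frames owned by KASAN, the slab allocator or skb freeing (my own list); the bug lives after them.
_NOISE = ("kasan", "__kasan", "____kasan", "slab_", "kmem_cache", "kfree_skb",
          "consume_skb", "dump_stack", "print_address")


@dataclass
class KasanReport:
    task: str            # console task tag of the reporting context, e.g. "T369"
    kind: str            # e.g. "double-free or invalid-free"
    func: str            # frame named in the BUG header
    cache: Optional[str] = None
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    call_trace: List[str] = field(default_factory=list)
    alloc_trace: List[str] = field(default_factory=list)
    free_trace: List[str] = field(default_factory=list)

    @staticmethod
    def culprit(trace: List[str]) -> Optional[str]:
        """First frame that is not instrumentation or allocator plumbing."""
        return next((f for f in trace if not f.split("+", 1)[0].startswith(_NOISE)), None)

    def freed_on_workqueue(self) -> bool:
        return any(f.startswith(("process_one_work", "worker_thread")) for f in self.free_trace)

    def summary(self) -> str:
        where = "a kworker" if self.freed_on_workqueue() else f"task {self.free_pid}"
        return (f"{self.kind}: {self.cache} object allocated by task {self.alloc_pid} in "
                f"{self.culprit(self.alloc_trace)}, freed by {where} in {self.culprit(self.free_trace)}, "
                f"freed again by {self.task} in {self.culprit(self.call_trace)}")


def parse_kasan_reports(log: str) -> List[KasanReport]:
    reports: List[KasanReport] = []
    cur: Optional[KasanReport] = None
    section: Optional[List[str]] = None
    for raw in log.splitlines():
        m = _PREFIX.match(raw)
        if not m:
            continue                       # syz-manager chatter, not a kernel line
        task, text = m.group(1), m.group(2).strip()
        if cur is None:
            if (b := _BUG.search(text)):
                cur = KasanReport(task, b["kind"], b["func"])
            continue
        if task != cur.task:
            continue                       # another task's line interleaved on the console
        if text.startswith("===="):
            reports.append(cur)
            cur, section = None, None
        elif text == "Call Trace:":
            section = cur.call_trace
        elif (a := _ALLOC.search(text)):
            cur.alloc_pid, section = int(a["pid"]), cur.alloc_trace
        elif (f := _FREED.search(text)):
            cur.free_pid, section = int(f["pid"]), cur.free_trace
        elif (c := _CACHE.search(text)):
            cur.cache, section = c["cache"], None   # page_owner stacks that follow are not of interest
        elif section is not None and _FRAME.match(text):
            section.append(text)
    return reports


# Constructed sample: an abridged copy of the first T369 report above, with one audit line from
# T30 left interleaved to exercise the task filter.
SAMPLE_LOG = """\
[   51.925012][  T369] ==================================================================
[   51.932902][  T369] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x115/0x330
[   51.964858][  T369] Call Trace:
[   51.971447][  T369]  dump_stack_lvl+0x151/0x1c0
[   51.976135][  T369]  ? io_uring_drop_tctx_refs+0x190/0x190
[   52.009914][  T369]  kasan_report_invalid_free+0x6b/0xa0
[   52.030138][  T369]  kmem_cache_free+0x115/0x330
[   52.047870][  T369]  __sk_msg_free+0x2dd/0x370
[   52.110699][  T369]  sock_map_close+0x114/0x530
[   52.174626][  T369]  do_syscall_64+0x47/0xb0
[   52.200000][   T30] audit: type=1400 audit(1742438418.323:104): avc: denied { remove_name } for pid=83
[   52.261950][  T369] Allocated by task 370:
[   52.266113][  T369]  __kasan_slab_alloc+0xb1/0xe0
[   52.280349][  T369]  skb_clone+0x1d1/0x360
[   52.339993][  T369] Freed by task 20:
[   52.376616][  T369]  kfree_skb+0xc2/0x360
[   52.380609][  T369]  sk_psock_backlog+0xad1/0xdc0
[   52.385473][  T369]  process_one_work+0x6bb/0xc10
[   52.405169][  T369]  which belongs to the cache skbuff_head_cache of size 248
[   52.497282][  T369]  post_alloc_hook+0x1a3/0x1b0
[   52.628331][  T369] ==================================================================
2025/03/20 02:40:20 executed programs: 5
"""
```

Run against the full console log, `parse_kasan_reports` yields one KasanReport per "BUG: KASAN:" block; `summary()` on each shows whether every instance has the same allocating, freeing and re-freeing frames, which is the first thing to establish before deduplicating the reports or looking for a fix in the sk_psock / sockmap teardown path.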
[ 54.924912][ T379] FAULT_INJECTION: forcing a failure.
[ 54.924912][ T379] name failslab, interval 1, probability 0, space 0, times 0
[ 54.937763][ T379] CPU: 0 PID: 379 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 54.949593][ T379] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 54.959477][ T379] Call Trace:
[ 54.962598][ T379]
[ 54.965379][ T379] dump_stack_lvl+0x151/0x1c0
[ 54.969904][ T379] ? io_uring_drop_tctx_refs+0x190/0x190
[ 54.975394][ T379] dump_stack+0x15/0x20
[ 54.979353][ T379] should_fail+0x3c6/0x510
[ 54.983706][ T379] __should_failslab+0xa4/0xe0
[ 54.988293][ T379] should_failslab+0x9/0x20
[ 54.992732][ T379] slab_pre_alloc_hook+0x37/0xd0
[ 54.997505][ T379] kmem_cache_alloc_trace+0x48/0x270
[ 55.002619][ T379] ? sk_psock_skb_ingress_self+0x60/0x330
[ 55.008179][ T379] ? migrate_disable+0x190/0x190
[ 55.012954][ T379] sk_psock_skb_ingress_self+0x60/0x330
[ 55.018325][ T379] sk_psock_verdict_recv+0x66d/0x840
[ 55.023456][ T379] unix_read_sock+0x132/0x370
[ 55.027959][ T379] ? sk_psock_skb_redirect+0x440/0x440
[ 55.033349][ T379] ? unix_stream_splice_actor+0x120/0x120
[ 55.038894][ T379] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 55.044193][ T379] ? unix_stream_splice_actor+0x120/0x120
[ 55.049750][ T379] sk_psock_verdict_data_ready+0x147/0x1a0
[ 55.055386][ T379] ? sk_psock_start_verdict+0xc0/0xc0
[ 55.060682][ T379] ? _raw_spin_lock+0xa4/0x1b0
[ 55.065284][ T379] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 55.070924][ T379] ? skb_queue_tail+0xfb/0x120
[ 55.075522][ T379] unix_dgram_sendmsg+0x15fa/0x2090
[ 55.080559][ T379] ? unix_dgram_poll+0x690/0x690
[ 55.085330][ T379] ? _raw_spin_unlock+0x4d/0x70
[ 55.090018][ T379] ? security_socket_sendmsg+0x82/0xb0
[ 55.095315][ T379] ? unix_dgram_poll+0x690/0x690
[ 55.100093][ T379] ____sys_sendmsg+0x59e/0x8f0
[ 55.104703][ T379] ? __sys_sendmsg_sock+0x40/0x40
[ 55.109550][ T379] ? import_iovec+0xe5/0x120
[ 55.113973][ T379] ___sys_sendmsg+0x252/0x2e0
[ 55.118488][ T379] ? __sys_sendmsg+0x260/0x260
[ 55.123090][ T379] ? putname+0xfa/0x150
[ 55.127079][ T379] ? __fdget+0x1bc/0x240
[ 55.131157][ T379] __se_sys_sendmsg+0x19a/0x260
[ 55.135932][ T379] ? __x64_sys_sendmsg+0x90/0x90
[ 55.140704][ T379] ? ksys_write+0x260/0x2c0
[ 55.145045][ T379] ? debug_smp_processor_id+0x17/0x20
[ 55.150296][ T379] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 55.156165][ T379] __x64_sys_sendmsg+0x7b/0x90
[ 55.160957][ T379] x64_sys_call+0x16a/0x9a0
[ 55.165282][ T379] do_syscall_64+0x3b/0xb0
[ 55.169535][ T379] ? clear_bhb_loop+0x35/0x90
[ 55.174055][ T379] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 55.179778][ T379] RIP: 0033:0x7fc018e25ea9
[ 55.184032][ T379] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 55.203674][ T379] RSP: 002b:00007fc0189a70c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 55.212120][ T379] RAX: ffffffffffffffda RBX: 00007fc018f53f80 RCX: 00007fc018e25ea9
[ 55.219925][ T379] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 55.227747][ T379] RBP: 00007fc0189a7120 R08: 0000000000000000 R09: 0000000000000000
[ 55.235546][ T379] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 55.243664][ T379] R13: 000000000000000b R14: 00007fc018f53f80 R15: 00007ffc3e38d1c8
[ 55.251468][ T379]
[ 55.255603][ T378] ==================================================================
[ 55.263575][ T378] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x115/0x330
[ 55.271821][ T378]
[ 55.273996][ T378] CPU: 1 PID: 378 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 55.285614][ T378] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 55.295604][ T378] Call Trace:
[ 55.298817][ T378]
[ 55.301585][ T378] dump_stack_lvl+0x151/0x1c0
[ 55.306100][ T378] ? io_uring_drop_tctx_refs+0x190/0x190
[ 55.311657][ T378] ? __wake_up_klogd+0xd5/0x110
[ 55.316343][ T378] ? panic+0x760/0x760
[ 55.320244][ T378] ? kmem_cache_free+0x115/0x330
[ 55.325038][ T378] print_address_description+0x87/0x3b0
[ 55.330417][ T378] ? kmem_cache_free+0x115/0x330
[ 55.335184][ T378] ? kmem_cache_free+0x115/0x330
[ 55.339945][ T378] kasan_report_invalid_free+0x6b/0xa0
[ 55.345244][ T378] ____kasan_slab_free+0x13e/0x160
[ 55.350191][ T378] __kasan_slab_free+0x11/0x20
[ 55.354789][ T378] slab_free_freelist_hook+0xbd/0x190
[ 55.359997][ T378] kmem_cache_free+0x115/0x330
[ 55.364598][ T378] ? kfree_skbmem+0x104/0x170
[ 55.369116][ T378] kfree_skbmem+0x104/0x170
[ 55.373452][ T378] consume_skb+0xb4/0x250
[ 55.377704][ T378] __sk_msg_free+0x2dd/0x370
[ 55.382132][ T378] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 55.387783][ T378] sk_psock_stop+0x4e3/0x580
[ 55.392197][ T378] sk_psock_drop+0x219/0x310
[ 55.396662][ T378] sock_map_unref+0x3c6/0x430
[ 55.401252][ T378] ? _raw_spin_unlock_bh+0x51/0x60
[ 55.406193][ T378] sock_map_remove_links+0x41c/0x650
[ 55.411316][ T378] ? __kasan_record_aux_stack+0xd3/0xf0
[ 55.416704][ T378] ? kasan_record_aux_stack+0xe/0x10
[ 55.421818][ T378] ? task_work_add+0x27/0x1d0
[ 55.426340][ T378] ? sock_map_unhash+0x120/0x120
[ 55.431101][ T378] ? x64_sys_call+0x3d/0x9a0
[ 55.435704][ T378] ? locks_remove_posix+0x610/0x610
[ 55.440744][ T378] sock_map_close+0x114/0x530
[ 55.445252][ T378] ? unix_peer_get+0xe0/0xe0
[ 55.449698][ T378] ? sock_map_remove_links+0x650/0x650
[ 55.454974][ T378] ? rwsem_mark_wake+0x770/0x770
[ 55.459749][ T378] unix_release+0x82/0xc0
[ 55.463916][ T378] sock_close+0xdf/0x270
[ 55.467992][ T378] ? sock_mmap+0xa0/0xa0
[ 55.472071][ T378] __fput+0x228/0x8c0
[ 55.475907][ T378] ____fput+0x15/0x20
[ 55.479717][ T378] task_work_run+0x129/0x190
[ 55.484139][ T378] exit_to_user_mode_loop+0xc4/0xe0
[ 55.489171][ T378] exit_to_user_mode_prepare+0x5a/0xa0
[ 55.494470][ T378] syscall_exit_to_user_mode+0x26/0x160
[ 55.499844][ T378] do_syscall_64+0x47/0xb0
[ 55.504095][ T378] ? clear_bhb_loop+0x35/0x90
[ 55.508609][ T378] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 55.514513][ T378] RIP: 0033:0x7fc018e24d9a
[ 55.518769][ T378] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 55.538209][ T378] RSP: 002b:00007ffc3e38d290 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 55.546452][ T378] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fc018e24d9a
[ 55.554436][ T378] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 55.562250][ T378] RBP: 00007fc018f55980 R08: 0000001b31f60000 R09: 0000000000000001
[ 55.570060][ T378] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000d9bc
[ 55.577881][ T378] R13: 000000000000d683 R14: 00007ffc3e38d450 R15: 00007fc018ddccb0
[ 55.585781][ T378]
[ 55.588719][ T378]
[ 55.590894][ T378] Allocated by task 379:
[ 55.594971][ T378] __kasan_slab_alloc+0xb1/0xe0
[ 55.599657][ T378] slab_post_alloc_hook+0x53/0x2c0
[ 55.604867][ T378] kmem_cache_alloc+0xf5/0x250
[ 55.609464][ T378] skb_clone+0x1d1/0x360
[ 55.613543][ T378] sk_psock_verdict_recv+0x53/0x840
[ 55.618578][ T378] unix_read_sock+0x132/0x370
[ 55.623089][ T378] sk_psock_verdict_data_ready+0x147/0x1a0
[ 55.628734][ T378] unix_dgram_sendmsg+0x15fa/0x2090
[ 55.633770][ T378] ____sys_sendmsg+0x59e/0x8f0
[ 55.638363][ T378] ___sys_sendmsg+0x252/0x2e0
[ 55.642879][ T378] __se_sys_sendmsg+0x19a/0x260
[ 55.647564][ T378] __x64_sys_sendmsg+0x7b/0x90
[ 55.652165][ T378] x64_sys_call+0x16a/0x9a0
[ 55.656503][ T378] do_syscall_64+0x3b/0xb0
[ 55.661022][ T378] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 55.666746][ T378]
[ 55.668917][ T378] Freed by task 60:
[ 55.672563][ T378] kasan_set_track+0x4b/0x70
[ 55.677005][ T378] kasan_set_free_info+0x23/0x40
[ 55.681762][ T378] ____kasan_slab_free+0x126/0x160
[ 55.686711][ T378] __kasan_slab_free+0x11/0x20
[ 55.691321][ T378] slab_free_freelist_hook+0xbd/0x190
[ 55.696517][ T378] kmem_cache_free+0x115/0x330
[ 55.701121][ T378] kfree_skbmem+0x104/0x170
[ 55.705459][ T378] kfree_skb+0xc2/0x360
[ 55.709448][ T378] sk_psock_backlog+0xad1/0xdc0
[ 55.714138][ T378] process_one_work+0x6bb/0xc10
[ 55.718913][ T378] worker_thread+0xad5/0x12a0
[ 55.723692][ T378] kthread+0x421/0x510
[ 55.727690][ T378] ret_from_fork+0x1f/0x30
[ 55.732198][ T378]
[ 55.734374][ T378] The buggy address belongs to the object at ffff88811fbdf780
[ 55.734374][ T378] which belongs to the cache skbuff_head_cache of size 248
[ 55.748772][ T378] The buggy address is located 0 bytes inside of
[ 55.748772][ T378] 248-byte region [ffff88811fbdf780, ffff88811fbdf878)
[ 55.761708][ T378] The buggy address belongs to the page:
[ 55.767178][ T378] page:ffffea00047ef7c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fbdf
[ 55.777245][ T378] flags: 0x4000000000000200(slab|zone=1)
[ 55.782731][ T378] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081ab080
[ 55.791147][ T378] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 55.799547][ T378] page dumped because: kasan: bad access detected
[ 55.805985][ T378] page_owner tracks the page as allocated
[ 55.811530][ T378] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 375, ts 54843322467, free_ts 42440421087
[ 55.829144][ T378] post_alloc_hook+0x1a3/0x1b0
[ 55.833747][ T378] prep_new_page+0x1b/0x110
[ 55.838084][ T378] get_page_from_freelist+0x3550/0x35d0
[ 55.843466][ T378] __alloc_pages+0x27e/0x8f0
[ 55.847900][ T378] new_slab+0x9a/0x4e0
[ 55.851813][ T378] ___slab_alloc+0x39e/0x830
[ 55.856401][ T378] __slab_alloc+0x4a/0x90
[ 55.860566][ T378] kmem_cache_alloc+0x139/0x250
[ 55.865263][ T378] __alloc_skb+0xbe/0x550
[ 55.869520][ T378] ndisc_alloc_skb+0xf3/0x2d0
[ 55.874194][ T378] ndisc_send_rs+0x26c/0x6a0
[ 55.878618][ T378] addrconf_rs_timer+0x2d1/0x600
[ 55.883391][ T378] call_timer_fn+0x3b/0x2d0
[ 55.888337][ T378] __run_timers+0x72a/0xa10
[ 55.892777][ T378] run_timer_softirq+0x69/0xf0
[ 55.897383][ T378] handle_softirqs+0x25e/0x5c0
[ 55.901979][ T378] page last free stack trace:
[ 55.906487][ T378] free_unref_page_prepare+0x7c8/0x7d0
[ 55.911871][ T378] free_unref_page+0xe8/0x750
[ 55.916382][ T378] __put_page+0xb0/0xe0
[ 55.920383][ T378] anon_pipe_buf_release+0x187/0x200
[ 55.925502][ T378] pipe_read+0x5a6/0x1040
[ 55.929751][ T378] vfs_read+0xa81/0xd40
[ 55.934023][ T378] ksys_read+0x199/0x2c0
[ 55.938091][ T378] __x64_sys_read+0x7b/0x90
[ 55.942509][ T378] x64_sys_call+0x28/0x9a0
[ 55.946761][ T378] do_syscall_64+0x3b/0xb0
[ 55.951011][ T378] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 55.956747][ T378]
[ 55.958916][ T378] Memory state around the buggy address:
[ 55.964471][ T378] ffff88811fbdf680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.972370][ T378] ffff88811fbdf700: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 55.980355][ T378] >ffff88811fbdf780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.988257][ T378] ^
[ 55.992169][ T378] ffff88811fbdf800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 56.000165][ T378] ffff88811fbdf880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 56.008053][ T378] ==================================================================
[ 56.030341][ T382] FAULT_INJECTION: forcing a failure.
[ 56.030341][ T382] name failslab, interval 1, probability 0, space 0, times 0
[ 56.043428][ T382] CPU: 0 PID: 382 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 56.054955][ T382] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 56.064852][ T382] Call Trace:
[ 56.067976][ T382]
[ 56.070781][ T382] dump_stack_lvl+0x151/0x1c0
[ 56.075264][ T382] ? io_uring_drop_tctx_refs+0x190/0x190
[ 56.080735][ T382] dump_stack+0x15/0x20
[ 56.084723][ T382] should_fail+0x3c6/0x510
[ 56.088977][ T382] __should_failslab+0xa4/0xe0
[ 56.093602][ T382] should_failslab+0x9/0x20
[ 56.097916][ T382] slab_pre_alloc_hook+0x37/0xd0
[ 56.102694][ T382] kmem_cache_alloc_trace+0x48/0x270
[ 56.107818][ T382] ? sk_psock_skb_ingress_self+0x60/0x330
[ 56.113374][ T382] ? migrate_disable+0x190/0x190
[ 56.118144][ T382] sk_psock_skb_ingress_self+0x60/0x330
[ 56.123529][ T382] sk_psock_verdict_recv+0x66d/0x840
[ 56.128824][ T382] unix_read_sock+0x132/0x370
[ 56.133348][ T382] ? sk_psock_skb_redirect+0x440/0x440
[ 56.138629][ T382] ? unix_stream_splice_actor+0x120/0x120
[ 56.144267][ T382] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 56.149651][ T382] ? unix_stream_splice_actor+0x120/0x120
[ 56.155204][ T382] sk_psock_verdict_data_ready+0x147/0x1a0
[ 56.160871][ T382] ? sk_psock_start_verdict+0xc0/0xc0
[ 56.166049][ T382] ? _raw_spin_lock+0xa4/0x1b0
[ 56.170654][ T382] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 56.176326][ T382] ? skb_queue_tail+0xfb/0x120
[ 56.180894][ T382] unix_dgram_sendmsg+0x15fa/0x2090
[ 56.185932][ T382] ? unix_dgram_poll+0x690/0x690
[ 56.190705][ T382] ? _raw_spin_unlock+0x4d/0x70
[ 56.195387][ T382] ? security_socket_sendmsg+0x82/0xb0
[ 56.200768][ T382] ? unix_dgram_poll+0x690/0x690
[ 56.205800][ T382] ____sys_sendmsg+0x59e/0x8f0
[ 56.210493][ T382] ? __sys_sendmsg_sock+0x40/0x40
[ 56.215353][ T382] ? import_iovec+0xe5/0x120
[ 56.219796][ T382] ___sys_sendmsg+0x252/0x2e0
[ 56.224297][ T382] ? __sys_sendmsg+0x260/0x260
[ 56.228893][ T382] ? putname+0xfa/0x150
[ 56.232889][ T382] ? __fdget+0x1bc/0x240
[ 56.236985][ T382] __se_sys_sendmsg+0x19a/0x260
[ 56.241649][ T382] ? __x64_sys_sendmsg+0x90/0x90
[ 56.246421][ T382] ? ksys_write+0x260/0x2c0
[ 56.250769][ T382] ? debug_smp_processor_id+0x17/0x20
[ 56.255974][ T382] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 56.261998][ T382] __x64_sys_sendmsg+0x7b/0x90
[ 56.266594][ T382] x64_sys_call+0x16a/0x9a0
[ 56.270952][ T382] do_syscall_64+0x3b/0xb0
[ 56.275185][ T382] ? clear_bhb_loop+0x35/0x90
[ 56.279706][ T382] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 56.285426][ T382] RIP: 0033:0x7fc018e25ea9
[ 56.289689][ T382] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 56.309311][ T382] RSP: 002b:00007fc0189a70c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 56.317540][ T382] RAX: ffffffffffffffda RBX: 00007fc018f53f80 RCX: 00007fc018e25ea9
[ 56.325350][ T382] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 56.333259][ T382] RBP: 00007fc0189a7120 R08: 0000000000000000 R09: 0000000000000000
[ 56.341060][ T382] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 56.348873][ T382] R13: 000000000000000b R14: 00007fc018f53f80 R15: 00007ffc3e38d1c8
[ 56.356690][ T382]
[ 56.360052][ T381] ==================================================================
[ 56.367925][ T381] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x115/0x330
[ 56.376171][ T381]
[ 56.378342][ T381] CPU: 0 PID: 381 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 56.389885][ T381] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 56.399779][ T381] Call Trace:
[ 56.402911][ T381]
[ 56.405690][ T381] dump_stack_lvl+0x151/0x1c0
[ 56.410194][ T381] ? io_uring_drop_tctx_refs+0x190/0x190
[ 56.415670][ T381] ? __wake_up_klogd+0xd5/0x110
[ 56.420366][ T381] ? panic+0x760/0x760
[ 56.424259][ T381] ? kmem_cache_free+0x115/0x330
[ 56.429026][ T381] print_address_description+0x87/0x3b0
[ 56.434418][ T381] ? kmem_cache_free+0x115/0x330
[ 56.439191][ T381] ? kmem_cache_free+0x115/0x330
[ 56.444049][ T381] kasan_report_invalid_free+0x6b/0xa0
[ 56.449870][ T381] ____kasan_slab_free+0x13e/0x160
[ 56.454937][ T381] __kasan_slab_free+0x11/0x20
[ 56.459805][ T381] slab_free_freelist_hook+0xbd/0x190
[ 56.465010][ T381] kmem_cache_free+0x115/0x330
[ 56.469614][ T381] ? kfree_skbmem+0x104/0x170
[ 56.474120][ T381] kfree_skbmem+0x104/0x170
[ 56.478463][ T381] consume_skb+0xb4/0x250
[ 56.482697][ T381] __sk_msg_free+0x2dd/0x370
[ 56.487071][ T381] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 56.492688][ T381] sk_psock_stop+0x4e3/0x580
[ 56.497120][ T381] sk_psock_drop+0x219/0x310
[ 56.501539][ T381] sock_map_unref+0x3c6/0x430
[ 56.506226][ T381] ? _raw_spin_unlock_bh+0x51/0x60
[ 56.511172][ T381] sock_map_remove_links+0x41c/0x650
[ 56.516293][ T381] ? __kasan_record_aux_stack+0xd3/0xf0
[ 56.521848][ T381] ? kasan_record_aux_stack+0xe/0x10
[ 56.527056][ T381] ? task_work_add+0x27/0x1d0
[ 56.531672][ T381] ? sock_map_unhash+0x120/0x120
[ 56.536448][ T381] ? x64_sys_call+0x3d/0x9a0
[ 56.540958][ T381] ? locks_remove_posix+0x610/0x610
[ 56.546104][ T381] sock_map_close+0x114/0x530
[ 56.550624][ T381] ? unix_peer_get+0xe0/0xe0
[ 56.555173][ T381] ? sock_map_remove_links+0x650/0x650
[ 56.560470][ T381] ? rwsem_mark_wake+0x770/0x770
[ 56.565234][ T381] unix_release+0x82/0xc0
[ 56.569666][ T381] sock_close+0xdf/0x270
[ 56.573769][ T381] ? sock_mmap+0xa0/0xa0
[ 56.577835][ T381] __fput+0x228/0x8c0
[ 56.581637][ T381] ____fput+0x15/0x20
[ 56.585567][ T381] task_work_run+0x129/0x190
[ 56.589968][ T381] exit_to_user_mode_loop+0xc4/0xe0
[ 56.595002][ T381] exit_to_user_mode_prepare+0x5a/0xa0
[ 56.600319][ T381] syscall_exit_to_user_mode+0x26/0x160
[ 56.605677][ T381] do_syscall_64+0x47/0xb0
[ 56.609939][ T381] ? clear_bhb_loop+0x35/0x90
[ 56.614442][ T381] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 56.620172][ T381] RIP: 0033:0x7fc018e24d9a
[ 56.624572][ T381] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 56.644166][ T381] RSP: 002b:00007ffc3e38d290 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 56.652413][ T381] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fc018e24d9a
[ 56.660324][ T381] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 56.668124][ T381] RBP: 00007fc018f55980 R08: 00007fc018da8000 R09: 0000000000000001
[ 56.676115][ T381] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000db07
[ 56.683915][ T381] R13: 000000000000dad5 R14: 00007ffc3e38d450 R15: 00007fc018ddccb0
[ 56.691855][ T381]
[ 56.694712][ T381]
[ 56.696881][ T381] Allocated by task 382:
[ 56.700965][ T381] __kasan_slab_alloc+0xb1/0xe0
[ 56.705764][ T381] slab_post_alloc_hook+0x53/0x2c0
[ 56.710712][ T381] kmem_cache_alloc+0xf5/0x250
[ 56.715336][ T381] skb_clone+0x1d1/0x360
[ 56.719393][ T381] sk_psock_verdict_recv+0x53/0x840
[ 56.724449][ T381] unix_read_sock+0x132/0x370
[ 56.728938][ T381] sk_psock_verdict_data_ready+0x147/0x1a0
[ 56.734579][ T381] unix_dgram_sendmsg+0x15fa/0x2090
[ 56.739701][ T381] ____sys_sendmsg+0x59e/0x8f0
[ 56.744473][ T381] ___sys_sendmsg+0x252/0x2e0
[ 56.748987][ T381] __se_sys_sendmsg+0x19a/0x260
[ 56.753673][ T381] __x64_sys_sendmsg+0x7b/0x90
[ 56.758276][ T381] x64_sys_call+0x16a/0x9a0
[ 56.762620][ T381] do_syscall_64+0x3b/0xb0
[ 56.766869][ T381] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 56.772594][ T381]
[ 56.774771][ T381] Freed by task 20:
[ 56.778415][ T381] kasan_set_track+0x4b/0x70
[ 56.782836][ T381] kasan_set_free_info+0x23/0x40
[ 56.787610][ T381] ____kasan_slab_free+0x126/0x160
[ 56.792555][ T381] __kasan_slab_free+0x11/0x20
[ 56.797155][ T381] slab_free_freelist_hook+0xbd/0x190
[ 56.802367][ T381] kmem_cache_free+0x115/0x330
[ 56.806966][ T381] kfree_skbmem+0x104/0x170
[ 56.811313][ T381] kfree_skb+0xc2/0x360
[ 56.815298][ T381] sk_psock_backlog+0xad1/0xdc0
[ 56.819984][ T381] process_one_work+0x6bb/0xc10
[ 56.824668][ T381] worker_thread+0xad5/0x12a0
[ 56.829290][ T381] kthread+0x421/0x510
[ 56.833263][ T381] ret_from_fork+0x1f/0x30
[ 56.837533][ T381]
[ 56.839690][ T381] The buggy address belongs to the object at ffff88811fbf5b40
[ 56.839690][ T381] which belongs to the cache skbuff_head_cache of size 248
[ 56.854114][ T381] The buggy address is located 0 bytes inside of
[ 56.854114][ T381] 248-byte region [ffff88811fbf5b40, ffff88811fbf5c38)
[ 56.867031][ T381] The buggy address belongs to the page:
[ 56.872510][ T381] page:ffffea00047efd40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fbf5
[ 56.882591][ T381] flags: 0x4000000000000200(slab|zone=1)
[ 56.888190][ T381] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081ab080
[ 56.896949][ T381] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 56.905348][ T381] page dumped because: kasan: bad access detected
[ 56.911608][ T381] page_owner tracks the page as allocated
[ 56.917262][ T381] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 380, ts 56021566701, free_ts 56016047101
[ 56.932972][ T381] post_alloc_hook+0x1a3/0x1b0
[ 56.937678][ T381] prep_new_page+0x1b/0x110
[ 56.942329][ T381] get_page_from_freelist+0x3550/0x35d0
[ 56.947697][ T381] __alloc_pages+0x27e/0x8f0
[ 56.952133][ T381] new_slab+0x9a/0x4e0
[ 56.956031][ T381] ___slab_alloc+0x39e/0x830
[ 56.960640][ T381] __slab_alloc+0x4a/0x90
[ 56.964893][ T381] kmem_cache_alloc+0x139/0x250
[ 56.969752][ T381] __alloc_skb+0xbe/0x550
[ 56.973917][ T381] alloc_skb_with_frags+0xa6/0x680
[ 56.978860][ T381] sock_alloc_send_pskb+0x915/0xa50
[ 56.983896][ T381] unix_dgram_sendmsg+0x6fd/0x2090
[ 56.988843][ T381] __sys_sendto+0x564/0x720
[ 56.993184][ T381] __x64_sys_sendto+0xe5/0x100
[ 56.997786][ T381] x64_sys_call+0x15c/0x9a0
[ 57.002133][ T381] do_syscall_64+0x3b/0xb0
[ 57.006379][ T381] page last free stack trace:
[ 57.010999][ T381] free_unref_page_prepare+0x7c8/0x7d0
[ 57.016272][ T381] free_unref_page+0xe8/0x750
[ 57.020788][ T381] __free_pages+0x61/0xf0
[ 57.024950][ T381] __vunmap+0x7c1/0x940
[ 57.028944][ T381] vfree+0x7f/0xb0
[ 57.032502][ T381] bpf_jit_free+0x1e3/0x240
[ 57.036840][ T381] bpf_prog_free_deferred+0x61e/0x730
[ 57.042050][ T381] process_one_work+0x6bb/0xc10
[ 57.046737][ T381] worker_thread+0xad5/0x12a0
[ 57.051248][ T381] kthread+0x421/0x510
[ 57.055159][ T381] ret_from_fork+0x1f/0x30
[ 57.059421][ T381]
[ 57.061592][ T381] Memory state around the buggy address:
[ 57.067142][ T381] ffff88811fbf5a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.075059][ T381] ffff88811fbf5a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 57.082935][ T381] >ffff88811fbf5b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 57.090916][ T381] ^
[ 57.096914][ T381] ffff88811fbf5b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.104815][ T381] ffff88811fbf5c00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 57.112816][ T381] ==================================================================
[ 57.133848][ T385] FAULT_INJECTION: forcing a failure.
[ 57.133848][ T385] name failslab, interval 1, probability 0, space 0, times 0
[ 57.146788][ T385] CPU: 0 PID: 385 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 57.158507][ T385] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 57.168820][ T385] Call Trace:
[ 57.171981][ T385]
[ 57.174711][ T385] dump_stack_lvl+0x151/0x1c0
[ 57.179334][ T385] ? io_uring_drop_tctx_refs+0x190/0x190
[ 57.184878][ T385] dump_stack+0x15/0x20
[ 57.188867][ T385] should_fail+0x3c6/0x510
[ 57.193130][ T385] __should_failslab+0xa4/0xe0
[ 57.197722][ T385] should_failslab+0x9/0x20
[ 57.202147][ T385] slab_pre_alloc_hook+0x37/0xd0
[ 57.206926][ T385] kmem_cache_alloc_trace+0x48/0x270
[ 57.212055][ T385] ? sk_psock_skb_ingress_self+0x60/0x330
[ 57.217622][ T385] ? migrate_disable+0x190/0x190
[ 57.222394][ T385] sk_psock_skb_ingress_self+0x60/0x330
[ 57.227845][ T385] sk_psock_verdict_recv+0x66d/0x840
[ 57.232959][ T385] unix_read_sock+0x132/0x370
[ 57.237578][ T385] ? sk_psock_skb_redirect+0x440/0x440
[ 57.242854][ T385] ? unix_stream_splice_actor+0x120/0x120
[ 57.248416][ T385] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 57.253702][ T385] ? unix_stream_splice_actor+0x120/0x120
[ 57.259390][ T385] sk_psock_verdict_data_ready+0x147/0x1a0
[ 57.265030][ T385] ? sk_psock_start_verdict+0xc0/0xc0
[ 57.270347][ T385] ? _raw_spin_lock+0xa4/0x1b0
[ 57.274935][ T385] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 57.280575][ T385] ? skb_queue_tail+0xfb/0x120
[ 57.285179][ T385] unix_dgram_sendmsg+0x15fa/0x2090
[ 57.290213][ T385] ? unix_dgram_poll+0x690/0x690
[ 57.295097][ T385] ? _raw_spin_unlock+0x4d/0x70
[ 57.299782][ T385] ? security_socket_sendmsg+0x82/0xb0
[ 57.305070][ T385] ? unix_dgram_poll+0x690/0x690
[ 57.309854][ T385] ____sys_sendmsg+0x59e/0x8f0
[ 57.314457][ T385] ? __sys_sendmsg_sock+0x40/0x40
[ 57.319307][ T385] ? import_iovec+0xe5/0x120
[ 57.323730][ T385] ___sys_sendmsg+0x252/0x2e0
[ 57.328261][ T385] ? __sys_sendmsg+0x260/0x260
[ 57.332984][ T385] ? putname+0xfa/0x150
[ 57.336957][ T385] ? __fdget+0x1bc/0x240
[ 57.341165][ T385] __se_sys_sendmsg+0x19a/0x260
[ 57.345844][ T385] ? __x64_sys_sendmsg+0x90/0x90
[ 57.350613][ T385] ? ksys_write+0x260/0x2c0
[ 57.355132][ T385] ? debug_smp_processor_id+0x17/0x20
[ 57.360341][ T385] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 57.366670][ T385] __x64_sys_sendmsg+0x7b/0x90
[ 57.371286][ T385] x64_sys_call+0x16a/0x9a0
[ 57.375709][ T385] do_syscall_64+0x3b/0xb0
[ 57.379958][ T385] ? clear_bhb_loop+0x35/0x90
[ 57.384506][ T385] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 57.390193][ T385] RIP: 0033:0x7fc018e25ea9
[ 57.394442][ T385] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 57.413987][ T385] RSP: 002b:00007fc0189a70c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 57.422238][ T385] RAX: ffffffffffffffda RBX: 00007fc018f53f80 RCX: 00007fc018e25ea9
[ 57.430041][ T385] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 57.437857][ T385] RBP: 00007fc0189a7120 R08: 0000000000000000 R09: 0000000000000000
[ 57.445665][ T385] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 57.453562][ T385] R13: 000000000000000b R14: 00007fc018f53f80 R15: 00007ffc3e38d1c8
[ 57.461815][ T385]
[ 57.466705][ T384] ==================================================================
[ 57.474679][ T384] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x115/0x330
[ 57.483009][ T384]
[ 57.485171][ T384] CPU: 1 PID: 384 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 57.496730][ T384] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 57.506615][ T384] Call Trace:
[ 57.509742][ T384]
[ 57.512526][ T384] dump_stack_lvl+0x151/0x1c0
[ 57.517044][ T384] ? io_uring_drop_tctx_refs+0x190/0x190
[ 57.522685][ T384] ? __wake_up_klogd+0xd5/0x110
[ 57.527363][ T384] ? panic+0x760/0x760
[ 57.531267][ T384] ? sched_clock_cpu+0x18/0x3b0
[ 57.535957][ T384] ? kmem_cache_free+0x115/0x330
[ 57.540727][ T384] print_address_description+0x87/0x3b0
[ 57.546108][ T384] ? newidle_balance+0x982/0xfc0
[ 57.550969][ T384] ? kmem_cache_free+0x115/0x330
[ 57.556024][ T384] ? kmem_cache_free+0x115/0x330
[ 57.560805][ T384] kasan_report_invalid_free+0x6b/0xa0
[ 57.566113][ T384] ____kasan_slab_free+0x13e/0x160
[ 57.571324][ T384] __kasan_slab_free+0x11/0x20
[ 57.575913][ T384] slab_free_freelist_hook+0xbd/0x190
[ 57.581123][ T384] kmem_cache_free+0x115/0x330
[ 57.585981][ T384] ? kfree_skbmem+0x104/0x170
[ 57.590697][ T384] kfree_skbmem+0x104/0x170
[ 57.595038][ T384] consume_skb+0xb4/0x250
[ 57.599383][ T384] __sk_msg_free+0x2dd/0x370
[ 57.603798][ T384] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 57.609481][ T384] sk_psock_stop+0x4e3/0x580
[ 57.613868][ T384] sk_psock_drop+0x219/0x310
[ 57.618293][ T384] sock_map_unref+0x3c6/0x430
[ 57.622801][ T384] ? _raw_spin_unlock_bh+0x51/0x60
[ 57.627750][ T384] sock_map_remove_links+0x41c/0x650
[ 57.632869][ T384] ? __kasan_record_aux_stack+0xd3/0xf0
[ 57.638250][ T384] ? kasan_record_aux_stack+0xe/0x10
[ 57.643373][ T384] ? task_work_add+0x27/0x1d0
[ 57.647977][ T384] ? sock_map_unhash+0x120/0x120
[ 57.652744][ T384] ? x64_sys_call+0x3d/0x9a0
[ 57.657259][ T384] ? locks_remove_posix+0x610/0x610
[ 57.662299][ T384] sock_map_close+0x114/0x530
[ 57.666806][ T384] ? unix_peer_get+0xe0/0xe0
[ 57.671249][ T384] ? sock_map_remove_links+0x650/0x650
[ 57.676531][ T384] ? rwsem_mark_wake+0x770/0x770
[ 57.681304][ T384] unix_release+0x82/0xc0
[ 57.685488][ T384] sock_close+0xdf/0x270
[ 57.689546][ T384] ? sock_mmap+0xa0/0xa0
[ 57.693625][ T384] __fput+0x228/0x8c0
[ 57.697446][ T384] ____fput+0x15/0x20
[ 57.701350][ T384] task_work_run+0x129/0x190
[ 57.705777][ T384] exit_to_user_mode_loop+0xc4/0xe0
[ 57.710809][ T384] exit_to_user_mode_prepare+0x5a/0xa0
[ 57.716123][ T384] syscall_exit_to_user_mode+0x26/0x160
[ 57.721487][ T384] do_syscall_64+0x47/0xb0
[ 57.725738][ T384] ? clear_bhb_loop+0x35/0x90
[ 57.730251][ T384] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 57.735980][ T384] RIP: 0033:0x7fc018e24d9a
[ 57.740235][ T384] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 57.759889][ T384] RSP: 002b:00007ffc3e38d290 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 57.768137][ T384] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fc018e24d9a
[ 57.776025][ T384] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 57.783983][ T384] RBP: 00007fc018f55980 R08: 0000001b31f60000 R09: 0000000000000001
[ 57.791895][ T384] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000e263
[ 57.799704][ T384] R13: 000000000000df24 R14: 00007ffc3e38d450 R15: 00007fc018ddccb0
[ 57.807567][ T384]
[ 57.810377][ T384]
[ 57.812637][ T384] Allocated by task 385:
[ 57.816714][ T384] __kasan_slab_alloc+0xb1/0xe0
[ 57.821456][ T384] slab_post_alloc_hook+0x53/0x2c0
[ 57.826356][ T384] kmem_cache_alloc+0xf5/0x250
[ 57.830954][ T384] skb_clone+0x1d1/0x360
[ 57.835065][ T384] sk_psock_verdict_recv+0x53/0x840
[ 57.840079][ T384] unix_read_sock+0x132/0x370
[ 57.844670][ T384] sk_psock_verdict_data_ready+0x147/0x1a0
[ 57.850311][ T384] unix_dgram_sendmsg+0x15fa/0x2090
[ 57.855336][ T384] ____sys_sendmsg+0x59e/0x8f0
[ 57.859943][ T384] ___sys_sendmsg+0x252/0x2e0
[ 57.864469][ T384] __se_sys_sendmsg+0x19a/0x260
[ 57.869137][ T384] __x64_sys_sendmsg+0x7b/0x90
[ 57.873738][ T384] x64_sys_call+0x16a/0x9a0
[ 57.878320][ T384] do_syscall_64+0x3b/0xb0
[ 57.882548][ T384] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 57.888872][ T384]
[ 57.891046][ T384] Freed by task 60:
[ 57.894687][ T384] kasan_set_track+0x4b/0x70
[ 57.899112][ T384] kasan_set_free_info+0x23/0x40
[ 57.903883][ T384] ____kasan_slab_free+0x126/0x160
[ 57.908828][ T384] __kasan_slab_free+0x11/0x20
[ 57.913458][ T384] slab_free_freelist_hook+0xbd/0x190
[ 57.918673][ T384] kmem_cache_free+0x115/0x330
[ 57.923241][ T384] kfree_skbmem+0x104/0x170
[ 57.927715][ T384] kfree_skb+0xc2/0x360
[ 57.931702][ T384] sk_psock_backlog+0xad1/0xdc0
[ 57.936378][ T384] process_one_work+0x6bb/0xc10
[ 57.941064][ T384] worker_thread+0xad5/0x12a0
[ 57.945585][ T384] kthread+0x421/0x510
[ 57.949488][ T384] ret_from_fork+0x1f/0x30
[ 57.953822][ T384]
[ 57.955995][ T384] The buggy address belongs to the object at ffff88811fb8d500
[ 57.955995][ T384] which belongs to the cache skbuff_head_cache of size 248
[ 57.970657][ T384] The buggy address is located 0 bytes inside of
[ 57.970657][ T384] 248-byte region [ffff88811fb8d500, ffff88811fb8d5f8)
[ 57.983588][ T384] The buggy address belongs to the page:
[ 57.989058][ T384] page:ffffea00047ee340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fb8d
[ 57.999121][ T384] flags: 0x4000000000000200(slab|zone=1)
[ 58.004600][ T384] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081ab080
[ 58.013216][ T384] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 58.021617][ T384] page dumped because: kasan: bad access detected
[ 58.027953][ T384] page_owner tracks the page as allocated
[ 58.033514][ T384] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 101, ts 57128892510, free_ts 57124169545
[ 58.049219][ T384] post_alloc_hook+0x1a3/0x1b0
[ 58.053812][ T384] prep_new_page+0x1b/0x110
[ 58.058162][ T384] get_page_from_freelist+0x3550/0x35d0
[ 58.063546][ T384] __alloc_pages+0x27e/0x8f0
[ 58.067971][ T384] new_slab+0x9a/0x4e0
[ 58.071956][ T384] ___slab_alloc+0x39e/0x830
[ 58.076472][ T384] __slab_alloc+0x4a/0x90
[ 58.080639][ T384] kmem_cache_alloc+0x139/0x250
[ 58.085327][ T384] __alloc_skb+0xbe/0x550
[ 58.089493][ T384] netlink_sendmsg+0x797/0xd20
[ 58.094096][ T384] ____sys_sendmsg+0x59e/0x8f0
[ 58.098955][ T384] ___sys_sendmsg+0x252/0x2e0
[ 58.103473][ T384] __se_sys_sendmsg+0x19a/0x260
[ 58.108160][ T384] __x64_sys_sendmsg+0x7b/0x90
[ 58.112844][ T384] x64_sys_call+0x16a/0x9a0
[ 58.117182][ T384] do_syscall_64+0x3b/0xb0
[ 58.121429][ T384] page last free stack trace:
[ 58.125942][ T384] free_unref_page_prepare+0x7c8/0x7d0
[ 58.131235][ T384] free_unref_page+0xe8/0x750
[ 58.135857][ T384] __free_pages+0x61/0xf0
[ 58.140001][ T384] __vunmap+0x7c1/0x940
[ 58.143994][ T384] free_work+0x5b/0x80
[ 58.148019][ T384] process_one_work+0x6bb/0xc10
[ 58.152706][ T384] worker_thread+0xad5/0x12a0
[ 58.157240][ T384] kthread+0x421/0x510
[ 58.161117][ T384] ret_from_fork+0x1f/0x30
[ 58.165381][ T384]
[ 58.167536][ T384] Memory state around the buggy address:
[ 58.173010][ T384] ffff88811fb8d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.180907][ T384] ffff88811fb8d480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 58.188967][ T384] >ffff88811fb8d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.196788][ T384] ^
[ 58.200785][ T384] ffff88811fb8d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 58.208779][ T384] ffff88811fb8d600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 58.216763][ T384] ==================================================================
[ 58.238561][ T388] FAULT_INJECTION: forcing a failure.
[ 58.238561][ T388] name failslab, interval 1, probability 0, space 0, times 0
[ 58.251069][ T388] CPU: 0 PID: 388 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 58.262603][ T388] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 58.272524][ T388] Call Trace:
[ 58.275620][ T388]
[ 58.278404][ T388] dump_stack_lvl+0x151/0x1c0
[ 58.282913][ T388] ? io_uring_drop_tctx_refs+0x190/0x190
[ 58.288382][ T388] dump_stack+0x15/0x20
[ 58.292462][ T388] should_fail+0x3c6/0x510
[ 58.296718][ T388] __should_failslab+0xa4/0xe0
[ 58.301322][ T388] should_failslab+0x9/0x20
[ 58.305665][ T388] slab_pre_alloc_hook+0x37/0xd0
[ 58.310430][ T388] kmem_cache_alloc_trace+0x48/0x270
[ 58.315543][ T388] ? sk_psock_skb_ingress_self+0x60/0x330
[ 58.321104][ T388] ? migrate_disable+0x190/0x190
[ 58.325874][ T388] sk_psock_skb_ingress_self+0x60/0x330
[ 58.331267][ T388] sk_psock_verdict_recv+0x66d/0x840
[ 58.336464][ T388] unix_read_sock+0x132/0x370
[ 58.340980][ T388] ? sk_psock_skb_redirect+0x440/0x440
[ 58.346271][ T388] ? unix_stream_splice_actor+0x120/0x120
[ 58.351852][ T388] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 58.357210][ T388] ? unix_stream_splice_actor+0x120/0x120
[ 58.362769][ T388] sk_psock_verdict_data_ready+0x147/0x1a0
[ 58.368402][ T388] ? sk_psock_start_verdict+0xc0/0xc0
[ 58.373610][ T388] ? _raw_spin_lock+0xa4/0x1b0
[ 58.378299][ T388] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 58.383939][ T388] ? skb_queue_tail+0xfb/0x120
[ 58.388713][ T388] unix_dgram_sendmsg+0x15fa/0x2090
[ 58.393752][ T388] ? unix_dgram_poll+0x690/0x690
[ 58.398543][ T388] ? _raw_spin_unlock+0x4d/0x70
[ 58.403210][ T388] ? security_socket_sendmsg+0x82/0xb0
[ 58.408590][ T388] ? unix_dgram_poll+0x690/0x690
[ 58.413365][ T388] ____sys_sendmsg+0x59e/0x8f0
[ 58.418049][ T388] ? __sys_sendmsg_sock+0x40/0x40
[ 58.422946][ T388] ? import_iovec+0xe5/0x120
[ 58.427341][ T388] ___sys_sendmsg+0x252/0x2e0
[ 58.431853][ T388] ? __sys_sendmsg+0x260/0x260
[ 58.436635][ T388] ? putname+0xfa/0x150
[ 58.440621][ T388] ? __fdget+0x1bc/0x240
[ 58.444702][ T388] __se_sys_sendmsg+0x19a/0x260
[ 58.449481][ T388] ? __x64_sys_sendmsg+0x90/0x90
[ 58.454374][ T388] ? ksys_write+0x260/0x2c0
[ 58.458717][ T388] ? debug_smp_processor_id+0x17/0x20
[ 58.463916][ T388] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 58.469822][ T388] __x64_sys_sendmsg+0x7b/0x90
[ 58.474439][ T388] x64_sys_call+0x16a/0x9a0
[ 58.478767][ T388] do_syscall_64+0x3b/0xb0
[ 58.483010][ T388] ? clear_bhb_loop+0x35/0x90
[ 58.487521][ T388] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 58.493258][ T388] RIP: 0033:0x7fc018e25ea9
[ 58.497504][ T388] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 58.516948][ T388] RSP: 002b:00007fc0189a70c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 58.525191][ T388] RAX: ffffffffffffffda RBX: 00007fc018f53f80 RCX: 00007fc018e25ea9
[ 58.533007][ T388] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 58.540821][ T388] RBP: 00007fc0189a7120 R08: 0000000000000000 R09: 0000000000000000
[ 58.548627][ T388] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 58.556445][ T388] R13: 000000000000000b R14: 00007fc018f53f80 R15: 00007ffc3e38d1c8
[ 58.564263][ T388]
[ 58.569069][ T387] ==================================================================
[ 58.577036][ T387] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x115/0x330
[ 58.585494][ T387]
[ 58.587638][ T387] CPU: 1 PID: 387 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 58.599278][ T387] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 58.609172][ T387] Call Trace:
[ 58.612383][ T387]
[ 58.615160][ T387] dump_stack_lvl+0x151/0x1c0
[ 58.619681][ T387] ? io_uring_drop_tctx_refs+0x190/0x190
[ 58.625329][ T387] ? __wake_up_klogd+0xd5/0x110
[ 58.630014][ T387] ? panic+0x760/0x760
[ 58.633920][ T387] ? kmem_cache_free+0x115/0x330
[ 58.638699][ T387] print_address_description+0x87/0x3b0
[ 58.644073][ T387] ? newidle_balance+0x746/0xfc0
[ 58.648849][ T387] ? kmem_cache_free+0x115/0x330
[ 58.653621][ T387] ? kmem_cache_free+0x115/0x330
[ 58.658395][ T387] kasan_report_invalid_free+0x6b/0xa0
[ 58.663691][ T387] ____kasan_slab_free+0x13e/0x160
[ 58.668637][ T387] __kasan_slab_free+0x11/0x20
[ 58.673240][ T387] slab_free_freelist_hook+0xbd/0x190
[ 58.678446][ T387] kmem_cache_free+0x115/0x330
[ 58.683044][ T387] ? kfree_skbmem+0x104/0x170
[ 58.687560][ T387] kfree_skbmem+0x104/0x170
[ 58.691985][ T387] consume_skb+0xb4/0x250
[ 58.696151][ T387] __sk_msg_free+0x2dd/0x370
[ 58.700577][ T387] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 58.706220][ T387] sk_psock_stop+0x4e3/0x580
[ 58.710650][ T387] sk_psock_drop+0x219/0x310
[ 58.715175][ T387] sock_map_unref+0x3c6/0x430
[ 58.719674][ T387] ? _raw_spin_unlock_bh+0x51/0x60
[ 58.724618][ T387] sock_map_remove_links+0x41c/0x650
[ 58.729743][ T387] ? __kasan_record_aux_stack+0xd3/0xf0
[ 58.735122][ T387] ? kasan_record_aux_stack+0xe/0x10
[ 58.740250][ T387] ? task_work_add+0x27/0x1d0
[ 58.744760][ T387] ? sock_map_unhash+0x120/0x120
[ 58.749533][ T387] ? x64_sys_call+0x3d/0x9a0
[ 58.753962][ T387] ? locks_remove_posix+0x610/0x610
[ 58.758991][ T387] sock_map_close+0x114/0x530
[ 58.763505][ T387] ? unix_peer_get+0xe0/0xe0
[ 58.767931][ T387] ? sock_map_remove_links+0x650/0x650
[ 58.773347][ T387] ? rwsem_mark_wake+0x770/0x770
[ 58.778094][ T387] unix_release+0x82/0xc0
[ 58.782253][ T387] sock_close+0xdf/0x270
[ 58.786334][ T387] ? sock_mmap+0xa0/0xa0
[ 58.790410][ T387] __fput+0x228/0x8c0
[ 58.794233][ T387] ____fput+0x15/0x20
[ 58.798047][ T387] task_work_run+0x129/0x190
[ 58.802478][ T387] exit_to_user_mode_loop+0xc4/0xe0
[ 58.807598][ T387] exit_to_user_mode_prepare+0x5a/0xa0
[ 58.812988][ T387] syscall_exit_to_user_mode+0x26/0x160
[ 58.818358][ T387] do_syscall_64+0x47/0xb0
[ 58.822609][ T387] ? clear_bhb_loop+0x35/0x90
[ 58.827130][ T387] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 58.832852][ T387] RIP: 0033:0x7fc018e24d9a
[ 58.837116][ T387] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 58.856549][ T387] RSP: 002b:00007ffc3e38d290 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 58.864801][ T387] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fc018e24d9a
[ 58.872777][ T387] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 58.880588][ T387] RBP: 00007fc018f55980 R08: 0000001b31f60000 R09: 0000000000000001
[ 58.888400][ T387] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000e6b4
[ 58.896232][ T387] R13: 000000000000e375 R14: 00007ffc3e38d450 R15: 00007fc018ddccb0
[ 58.904026][ T387]
[ 58.906887][ T387]
[ 58.909064][ T387] Allocated by task 388:
[ 58.913138][ T387] __kasan_slab_alloc+0xb1/0xe0
[ 58.917854][ T387] slab_post_alloc_hook+0x53/0x2c0
[ 58.922767][ T387] kmem_cache_alloc+0xf5/0x250
[ 58.927373][ T387] skb_clone+0x1d1/0x360
[ 58.931449][ T387] sk_psock_verdict_recv+0x53/0x840
[ 58.936483][ T387] unix_read_sock+0x132/0x370
[ 58.940996][ T387] sk_psock_verdict_data_ready+0x147/0x1a0
[ 58.946640][ T387] unix_dgram_sendmsg+0x15fa/0x2090
[ 58.951670][ T387] ____sys_sendmsg+0x59e/0x8f0
[ 58.956271][ T387] ___sys_sendmsg+0x252/0x2e0
[ 58.960785][ T387] __se_sys_sendmsg+0x19a/0x260
[ 58.965657][ T387] __x64_sys_sendmsg+0x7b/0x90
[ 58.970254][ T387] x64_sys_call+0x16a/0x9a0
[ 58.974703][ T387] do_syscall_64+0x3b/0xb0
[ 58.978951][ T387] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 58.984686][ T387]
[ 58.986845][ T387] Freed by task 60:
[ 58.990489][ T387] kasan_set_track+0x4b/0x70
[ 58.994919][ T387] kasan_set_free_info+0x23/0x40
[ 58.999714][ T387] ____kasan_slab_free+0x126/0x160
[ 59.004724][ T387] __kasan_slab_free+0x11/0x20
[ 59.009330][ T387] slab_free_freelist_hook+0xbd/0x190
[ 59.014530][ T387] kmem_cache_free+0x115/0x330
[ 59.019138][ T387] kfree_skbmem+0x104/0x170
[ 59.023472][ T387] kfree_skb+0xc2/0x360
[ 59.027468][ T387] sk_psock_backlog+0xad1/0xdc0
[ 59.032154][ T387] process_one_work+0x6bb/0xc10
[ 59.036946][ T387] worker_thread+0xad5/0x12a0
[ 59.041543][ T387] kthread+0x421/0x510
[ 59.045867][ T387] ret_from_fork+0x1f/0x30
[ 59.050118][ T387]
[ 59.052285][ T387] The buggy address belongs to the object at ffff88811fa7cc80
[ 59.052285][ T387] which belongs to the cache skbuff_head_cache of size 248
[ 59.066713][ T387] The buggy address is located 0 bytes inside of
[ 59.066713][ T387] 248-byte region [ffff88811fa7cc80, ffff88811fa7cd78)
[ 59.079721][ T387] The buggy address belongs to the page:
[ 59.085717][ T387] page:ffffea00047e9f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fa7c
[ 59.095771][ T387] flags: 0x4000000000000200(slab|zone=1)
[ 59.101246][ T387] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081ab080
[ 59.109754][ T387] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 59.118188][ T387] page dumped because: kasan: bad access detected
[ 59.124503][ T387] page_owner tracks the page as allocated
[ 59.130058][ T387] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 90, ts 58232888646, free_ts 57123905484
[ 59.145864][ T387] post_alloc_hook+0x1a3/0x1b0
[ 59.150460][ T387] prep_new_page+0x1b/0x110
[ 59.154800][ T387] get_page_from_freelist+0x3550/0x35d0
[ 59.160181][ T387] __alloc_pages+0x27e/0x8f0
[ 59.164608][ T387] new_slab+0x9a/0x4e0
[ 59.168516][ T387] ___slab_alloc+0x39e/0x830
[ 59.172966][ T387] __slab_alloc+0x4a/0x90
[ 59.177106][ T387] kmem_cache_alloc+0x139/0x250
[ 59.181791][ T387] __alloc_skb+0xbe/0x550
[ 59.185960][ T387] alloc_skb_with_frags+0xa6/0x680
[ 59.190904][ T387] sock_alloc_send_pskb+0x915/0xa50
[ 59.195944][ T387] unix_dgram_sendmsg+0x6fd/0x2090
[ 59.200895][ T387] __sys_sendto+0x564/0x720
[ 59.205225][ T387] __x64_sys_sendto+0xe5/0x100
[ 59.209827][ T387] x64_sys_call+0x15c/0x9a0
[ 59.214166][ T387] do_syscall_64+0x3b/0xb0
[ 59.218435][ T387] page last free stack trace:
[ 59.222930][ T387] free_unref_page_prepare+0x7c8/0x7d0
[ 59.228229][ T387] free_unref_page_list+0x14b/0xa60
[ 59.233264][ T387] release_pages+0x1310/0x1370
[ 59.237863][ T387] free_pages_and_swap_cache+0x8a/0xa0
[ 59.243157][ T387] tlb_finish_mmu+0x177/0x320
[ 59.247668][ T387] exit_mmap+0x484/0x990
[ 59.251751][ T387] __mmput+0x95/0x310
[ 59.255567][ T387] mmput+0x5b/0x170
[ 59.259212][ T387] do_exit+0xb9c/0x2ca0
[ 59.263206][ T387] do_group_exit+0x141/0x310
[ 59.267648][ T387] __x64_sys_exit_group+0x3f/0x40
[ 59.272579][ T387] x64_sys_call+0x610/0x9a0
[ 59.277014][ T387] do_syscall_64+0x3b/0xb0
[ 59.281268][ T387] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 59.287009][ T387]
[ 59.289179][ T387] Memory state around the buggy address:
[ 59.294648][ T387] ffff88811fa7cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.302539][ T387] ffff88811fa7cc00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 59.310432][ T387] >ffff88811fa7cc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.318330][ T387] ^
[ 59.322249][ T387] ffff88811fa7cd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 59.330151][ T387] ffff88811fa7cd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 59.338032][ T387] ==================================================================
[ 59.359221][ T391] FAULT_INJECTION: forcing a failure.
[ 59.359221][ T391] name failslab, interval 1, probability 0, space 0, times 0
[ 59.371805][ T391] CPU: 1 PID: 391 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 59.383304][ T391] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 59.393167][ T391] Call Trace:
[ 59.396293][ T391]
[ 59.399072][ T391] dump_stack_lvl+0x151/0x1c0
[ 59.403581][ T391] ? io_uring_drop_tctx_refs+0x190/0x190
[ 59.409061][ T391] dump_stack+0x15/0x20
[ 59.413043][ T391] should_fail+0x3c6/0x510
[ 59.417291][ T391] __should_failslab+0xa4/0xe0
[ 59.421895][ T391] should_failslab+0x9/0x20
[ 59.426239][ T391] slab_pre_alloc_hook+0x37/0xd0
[ 59.431009][ T391] kmem_cache_alloc_trace+0x48/0x270
[ 59.436231][ T391] ? sk_psock_skb_ingress_self+0x60/0x330
[ 59.441809][ T391] ? migrate_disable+0x190/0x190
[ 59.446560][ T391] sk_psock_skb_ingress_self+0x60/0x330
[ 59.451953][ T391] sk_psock_verdict_recv+0x66d/0x840
[ 59.457063][ T391] unix_read_sock+0x132/0x370
[ 59.461581][ T391] ? sk_psock_skb_redirect+0x440/0x440
[ 59.466865][ T391] ? unix_stream_splice_actor+0x120/0x120
[ 59.472419][ T391] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 59.477843][ T391] ? unix_stream_splice_actor+0x120/0x120
[ 59.483468][ T391] sk_psock_verdict_data_ready+0x147/0x1a0
[ 59.489117][ T391] ? sk_psock_start_verdict+0xc0/0xc0
[ 59.494489][ T391] ? _raw_spin_lock+0xa4/0x1b0
[ 59.499278][ T391] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 59.505032][ T391] ? skb_queue_tail+0xfb/0x120
[ 59.509624][ T391] unix_dgram_sendmsg+0x15fa/0x2090
[ 59.514660][ T391] ? unix_dgram_poll+0x690/0x690
[ 59.519531][ T391] ? _raw_spin_unlock+0x4d/0x70
[ 59.524209][ T391] ? security_socket_sendmsg+0x82/0xb0
[ 59.529502][ T391] ? unix_dgram_poll+0x690/0x690
[ 59.534297][ T391] ____sys_sendmsg+0x59e/0x8f0
[ 59.538956][ T391] ? __sys_sendmsg_sock+0x40/0x40
[ 59.543817][ T391] ? import_iovec+0xe5/0x120
[ 59.548243][ T391] ___sys_sendmsg+0x252/0x2e0
[ 59.552759][ T391] ? __sys_sendmsg+0x260/0x260
[ 59.557371][ T391] ? putname+0xfa/0x150
[ 59.561354][ T391] ? __fdget+0x1bc/0x240
[ 59.565456][ T391] __se_sys_sendmsg+0x19a/0x260
[ 59.570117][ T391] ? __x64_sys_sendmsg+0x90/0x90
[ 59.574896][ T391] ? ksys_write+0x260/0x2c0
[ 59.579324][ T391] ? debug_smp_processor_id+0x17/0x20
[ 59.584528][ T391] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 59.590432][ T391] __x64_sys_sendmsg+0x7b/0x90
[ 59.595059][ T391] x64_sys_call+0x16a/0x9a0
[ 59.599373][ T391] do_syscall_64+0x3b/0xb0
[ 59.603626][ T391] ? clear_bhb_loop+0x35/0x90
[ 59.608167][ T391] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 59.613868][ T391] RIP: 0033:0x7fc018e25ea9
[ 59.618126][ T391] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 59.637576][ T391] RSP: 002b:00007fc0189a70c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 59.645805][ T391] RAX: ffffffffffffffda RBX: 00007fc018f53f80 RCX: 00007fc018e25ea9
[ 59.653620][ T391] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 59.661606][ T391] RBP: 00007fc0189a7120 R08: 0000000000000000 R09: 0000000000000000
[ 59.669555][ T391] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 59.677372][ T391] R13: 000000000000000b R14: 00007fc018f53f80 R15: 00007ffc3e38d1c8
[ 59.685207][ T391]
[ 59.688318][ T390] ==================================================================
[ 59.696190][ T390] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x115/0x330
[ 59.704528][ T390]
[ 59.706691][ T390] CPU: 1 PID: 390 Comm: syz-executor.0 Tainted: G B 5.15.178-syzkaller-1079147-g7d1f9b5c2ff5 #0
[ 59.718300][ T390] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 59.728218][ T390] Call Trace:
[ 59.731354][ T390]
[ 59.734120][ T390] dump_stack_lvl+0x151/0x1c0
[ 59.738634][ T390] ? io_uring_drop_tctx_refs+0x190/0x190
[ 59.744204][ T390] ? __wake_up_klogd+0xd5/0x110
[ 59.748875][ T390] ? panic+0x760/0x760
[ 59.752907][ T390] ? kmem_cache_free+0x115/0x330
[ 59.757649][ T390] print_address_description+0x87/0x3b0
[ 59.763048][ T390] ? kmem_cache_free+0x115/0x330
[ 59.768065][ T390] ? kmem_cache_free+0x115/0x330
[ 59.772926][ T390] kasan_report_invalid_free+0x6b/0xa0
[ 59.778171][ T390] ____kasan_slab_free+0x13e/0x160
[ 59.783087][ T390] __kasan_slab_free+0x11/0x20
[ 59.787680][ T390] slab_free_freelist_hook+0xbd/0x190
[ 59.792896][ T390] kmem_cache_free+0x115/0x330
[ 59.797489][ T390] ? kfree_skbmem+0x104/0x170
[ 59.802014][ T390] kfree_skbmem+0x104/0x170
[ 59.806341][ T390] consume_skb+0xb4/0x250
[ 59.810771][ T390] __sk_msg_free+0x2dd/0x370
[ 59.815715][ T390] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 59.821370][ T390] sk_psock_stop+0x4e3/0x580
[ 59.825794][ T390] sk_psock_drop+0x219/0x310
[ 59.830224][ T390] sock_map_unref+0x3c6/0x430
[ 59.834724][ T390] ? _raw_spin_unlock_bh+0x51/0x60
[ 59.839670][ T390] sock_map_remove_links+0x41c/0x650
[ 59.844890][ T390] ? __kasan_record_aux_stack+0xd3/0xf0
[ 59.850265][ T390] ? kasan_record_aux_stack+0xe/0x10
[ 59.855380][ T390] ? task_work_add+0x27/0x1d0
[ 59.859896][ T390] ? sock_map_unhash+0x120/0x120
[ 59.864669][ T390] ? x64_sys_call+0x3d/0x9a0
[ 59.869182][ T390] ? locks_remove_posix+0x610/0x610
[ 59.874215][ T390] sock_map_close+0x114/0x530
[ 59.878734][ T390] ? unix_peer_get+0xe0/0xe0
[ 59.883157][ T390] ? sock_map_remove_links+0x650/0x650
[ 59.888463][ T390] ? rwsem_mark_wake+0x770/0x770
[ 59.893409][ T390] unix_release+0x82/0xc0
[ 59.897575][ T390] sock_close+0xdf/0x270
[ 59.901755][ T390] ? sock_mmap+0xa0/0xa0
[ 59.905834][ T390] __fput+0x228/0x8c0
[ 59.909652][ T390] ____fput+0x15/0x20
[ 59.913553][ T390] task_work_run+0x129/0x190
[ 59.917980][ T390] exit_to_user_mode_loop+0xc4/0xe0
[ 59.923033][ T390] exit_to_user_mode_prepare+0x5a/0xa0
[ 59.928312][ T390] syscall_exit_to_user_mode+0x26/0x160
[ 59.933782][ T390] do_syscall_64+0x47/0xb0
[ 59.938139][ T390] ? clear_bhb_loop+0x35/0x90
[ 59.942649][ T390] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 59.948416][ T390] RIP: 0033:0x7fc018e24d9a
[ 59.952673][ T390] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
[ 59.972166][ T390] RSP: 002b:00007ffc3e38d290 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 59.980407][ T390] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fc018e24d9a
[ 59.988221][ T390] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 59.996118][ T390] RBP: 00007fc018f55980 R08: 00007fc018da8000 R09: 0000000000000001
[ 60.003931][ T390] R10: 0000000000000001 R11: 0000000000000293 R12: 000000000000e807
[ 60.011855][ T390] R13: 000000000000e7d5 R14: 00007ffc3e38d450 R15: 00007fc018ddccb0
[ 60.019664][ T390]
[ 60.022542][ T390]
[ 60.024750][ T390] Allocated by task 391:
[ 60.028776][ T390] __kasan_slab_alloc+0xb1/0xe0
[ 60.033456][ T390] slab_post_alloc_hook+0x53/0x2c0
[ 60.038406][ T390] kmem_cache_alloc+0xf5/0x250
[ 60.043003][ T390] skb_clone+0x1d1/0x360
[ 60.047082][ T390] sk_psock_verdict_recv+0x53/0x840
[ 60.052206][ T390] unix_read_sock+0x132/0x370
[ 60.056727][ T390] sk_psock_verdict_data_ready+0x147/0x1a0
[ 60.062362][ T390] unix_dgram_sendmsg+0x15fa/0x2090
[ 60.067393][ T390] ____sys_sendmsg+0x59e/0x8f0
[ 60.071994][ T390] ___sys_sendmsg+0x252/0x2e0
[ 60.076510][ T390] __se_sys_sendmsg+0x19a/0x260
[ 60.081197][ T390] __x64_sys_sendmsg+0x7b/0x90
[ 60.085808][ T390] x64_sys_call+0x16a/0x9a0
[ 60.090222][ T390] do_syscall_64+0x3b/0xb0