./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2922232926
<...>
Warning: Permanently added '10.128.10.39' (ED25519) to the list of known hosts.
execve("./syz-executor2922232926", ["./syz-executor2922232926"], 0x7fff970c2c50 /* 10 vars */) = 0
brk(NULL) = 0x55555c781000
brk(0x55555c781d00) = 0x55555c781d00
arch_prctl(ARCH_SET_FS, 0x55555c781380) = 0
set_tid_address(0x55555c781650) = 288
set_robust_list(0x55555c781660, 24) = 0
rseq(0x55555c781ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented)
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor2922232926", 4096) = 28
getrandom("\x4d\x64\x98\x81\x18\x76\xf7\xe0", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55555c781d00
brk(0x55555c7a2d00) = 0x55555c7a2d00
brk(0x55555c7a3000) = 0x55555c7a3000
mprotect(0x7ff7e8c75000, 16384, PROT_READ) = 0
mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000
mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000
mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000
openat(AT_FDCWD, "/proc/self/make-it-fail", O_WRONLY) = 3
close(3) = 0
openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_WRONLY) = 3
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555c781650) = 289
./strace-static-x86_64: Process 289 attached
[pid 289] set_robust_list(0x55555c781660, 24) = 0
[pid 289] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 289] setpgid(0, 0) = 0
[pid 289] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 289] write(3, "1000", 4) = 4
[pid 289] close(3) = 0
[pid 289] write(1, "executing program\n", 18executing program
) = 18
[ 23.334362][ T30] audit: type=1400 audit(1749890906.222:64): avc: denied { execmem } for pid=288 comm="syz-executor292" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 23.361760][ T30] audit: type=1400 audit(1749890906.252:65): avc: denied { prog_load } for pid=289 comm="syz-executor292" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 23.381359][ T30] audit: type=1400 audit(1749890906.252:66): avc: denied { bpf } for pid=289 comm="syz-executor292" capability=39 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1
[pid 289] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x200000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 289] close(3) = 0
[pid 289] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 289] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x200000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[ 23.571833][ T30] audit: type=1400 audit(1749890906.462:67): avc: denied { perfmon } for pid=289 comm="syz-executor292" capability=38 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1
[ 23.593235][ T30] audit: type=1400 audit(1749890906.482:68): avc: denied { prog_run } for pid=289 comm="syz-executor292" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[pid 289] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 289] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 289] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x200000000000, value=0x200000000080, flags=BPF_ANY}, 32) = 0
[pid 289] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 289] write(7, "5", 1) = 1
[ 23.612964][ T30] audit: type=1400 audit(1749890906.502:69): avc: denied { map_create } for pid=289 comm="syz-executor292" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 23.614274][ T289] FAULT_INJECTION: forcing a failure.
[ 23.614274][ T289] name failslab, interval 1, probability 0, space 0, times 1
[ 23.632674][ T30] audit: type=1400 audit(1749890906.502:70): avc: denied { map_read map_write } for pid=289 comm="syz-executor292" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 23.645731][ T289] CPU: 1 PID: 289 Comm: syz-executor292 Not tainted 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 23.675555][ T289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 23.685620][ T289] Call Trace:
[ 23.688894][ T289]
[ 23.691822][ T289] __dump_stack+0x21/0x30
[ 23.696165][ T289] dump_stack_lvl+0xee/0x150
[ 23.700761][ T289] ? show_regs_print_info+0x20/0x20
[ 23.705952][ T289] dump_stack+0x15/0x20
[ 23.710097][ T289] should_fail+0x3c1/0x510
[ 23.714636][ T289] __should_failslab+0xa4/0xe0
[ 23.719406][ T289] should_failslab+0x9/0x20
[ 23.723903][ T289] slab_pre_alloc_hook+0x3b/0xe0
[ 23.728838][ T289] kmem_cache_alloc_trace+0x48/0x270
[ 23.734125][ T289] ? sk_psock_skb_ingress_self+0x5f/0x330
[ 23.739935][ T289] ? migrate_disable+0x180/0x180
[ 23.744875][ T289] sk_psock_skb_ingress_self+0x5f/0x330
[ 23.750415][ T289] ? migrate_disable+0xd6/0x180
[ 23.755275][ T289] sk_psock_verdict_recv+0x636/0x800
[ 23.760553][ T289] unix_read_sock+0x10a/0x2c0
[ 23.765229][ T289] ? sk_psock_skb_redirect+0x440/0x440
[ 23.770684][ T289] ? unix_stream_splice_actor+0x120/0x120
[ 23.776395][ T289] ? __kasan_check_write+0x14/0x20
[ 23.781498][ T289] ? unix_stream_splice_actor+0x120/0x120
[ 23.787213][ T289] sk_psock_verdict_data_ready+0x115/0x170
[ 23.793011][ T289] ? sk_psock_start_verdict+0xc0/0xc0
[ 23.798374][ T289] ? _raw_spin_lock+0x8e/0xe0
[ 23.803044][ T289] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 23.808844][ T289] ? skb_queue_tail+0xcb/0xf0
[ 23.813512][ T289] unix_dgram_sendmsg+0x11e6/0x1880
[ 23.818796][ T289] ? unix_dgram_poll+0x6b0/0x6b0
[ 23.823729][ T289] ? __update_load_avg_cfs_rq+0xaf/0x2f0
[ 23.829352][ T289] ? security_socket_sendmsg+0x82/0xa0
[ 23.834804][ T289] ? unix_dgram_poll+0x6b0/0x6b0
[ 23.839741][ T289] ____sys_sendmsg+0x5a2/0x8c0
[ 23.844516][ T289] ? __sys_sendmsg_sock+0x40/0x40
[ 23.849539][ T289] ? import_iovec+0x7c/0xb0
[ 23.854038][ T289] ___sys_sendmsg+0x1f0/0x260
[ 23.858708][ T289] ? _raw_spin_unlock+0x4d/0x70
[ 23.863556][ T289] ? __sys_sendmsg+0x250/0x250
[ 23.868311][ T289] ? __schedule+0xb76/0x14c0
[ 23.872893][ T289] ? _raw_spin_lock_irqsave+0x110/0x110
[ 23.878432][ T289] ? cgroup_update_frozen+0x15c/0x970
[ 23.883797][ T289] ? ptrace_stop+0x6f4/0xa80
[ 23.888380][ T289] ? __kasan_check_read+0x11/0x20
[ 23.893396][ T289] ? __fdget+0x15b/0x230
[ 23.897633][ T289] __x64_sys_sendmsg+0x1e2/0x2a0
[ 23.902564][ T289] ? ___sys_sendmsg+0x260/0x260
[ 23.907406][ T289] ? __kasan_check_write+0x14/0x20
[ 23.912506][ T289] ? switch_fpu_return+0x15d/0x2c0
[ 23.917617][ T289] x64_sys_call+0x4b/0x9a0
[ 23.922024][ T289] do_syscall_64+0x4c/0xa0
[ 23.926429][ T289] ? clear_bhb_loop+0x50/0xa0
[ 23.931094][ T289] ? clear_bhb_loop+0x50/0xa0
[ 23.935760][ T289] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 23.941648][ T289] RIP: 0033:0x7ff7e8c09b29
[ 23.946055][ T289] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[pid 289] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 289] exit_group(0) = ?
[ 23.965658][ T289] RSP: 002b:00007fff7b2d80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 23.974091][ T289] RAX: ffffffffffffffda RBX: 00007fff7b2d80c0 RCX: 00007ff7e8c09b29
[ 23.982054][ T289] RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004
[ 23.990014][ T289] RBP: 0000000000000001 R08: 00007fff7b2d7e47 R09: 00000000000000a0
[ 23.997973][ T289] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 24.005953][ T289] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 24.013941][ T289]
[ 24.019189][ T289] ==================================================================
[ 24.027353][ T289] BUG: KASAN: use-after-free in consume_skb+0x3a/0x1f0
[ 24.034203][ T289] Read of size 4 at addr ffff8881065ce4ac by task syz-executor292/289
[ 24.042358][ T289]
[ 24.044674][ T289] CPU: 1 PID: 289 Comm: syz-executor292 Not tainted 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 24.054895][ T289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 24.064943][ T289] Call Trace:
[ 24.068227][ T289]
[ 24.071160][ T289] __dump_stack+0x21/0x30
[ 24.075481][ T289] dump_stack_lvl+0xee/0x150
[ 24.080063][ T289] ? show_regs_print_info+0x20/0x20
[ 24.085263][ T289] ? load_image+0x3a0/0x3a0
[ 24.089760][ T289] print_address_description+0x7f/0x2c0
[ 24.095315][ T289] ? consume_skb+0x3a/0x1f0
[ 24.099811][ T289] kasan_report+0xf1/0x140
[ 24.104219][ T289] ? consume_skb+0x3a/0x1f0
[ 24.108715][ T289] kasan_check_range+0x280/0x290
[ 24.113643][ T289] __kasan_check_read+0x11/0x20
[ 24.118483][ T289] consume_skb+0x3a/0x1f0
[ 24.122801][ T289] __sk_msg_free+0x4f4/0x560
[ 24.127378][ T289] ? _raw_spin_lock_bh+0x8e/0xe0
[ 24.132305][ T289] ? _raw_spin_lock_irq+0xe0/0xe0
[ 24.137332][ T289] ? skb_dequeue+0x125/0x160
[ 24.141916][ T289] sk_psock_stop+0x4c9/0x570
[ 24.146503][ T289] ? sock_no_sendpage_locked+0x130/0x130
[ 24.152137][ T289] sk_psock_drop+0x226/0x300
[ 24.156723][ T289] sock_map_unref+0x3c2/0x420
[ 24.161395][ T289] ? sk_psock_link_pop+0x154/0x170
[ 24.166502][ T289] sock_map_remove_links+0x3cd/0x600
[ 24.171793][ T289] ? sock_init_data+0xc0/0xc0
[ 24.176469][ T289] ? sock_map_unhash+0x130/0x130
[ 24.181418][ T289] sock_map_close+0x111/0x440
[ 24.186098][ T289] ? unix_peer_get+0xe0/0xe0
[ 24.190684][ T289] ? sock_map_remove_links+0x600/0x600
[ 24.196144][ T289] ? clear_nonspinnable+0x60/0x60
[ 24.201164][ T289] ? security_file_free+0xc7/0xe0
[ 24.206192][ T289] unix_release+0x82/0xc0
[ 24.210518][ T289] sock_close+0xe0/0x270
[ 24.214761][ T289] ? sock_mmap+0xa0/0xa0
[ 24.219001][ T289] __fput+0x20b/0x8b0
[ 24.222984][ T289] ____fput+0x15/0x20
[ 24.226961][ T289] task_work_run+0x127/0x190
[ 24.231549][ T289] do_exit+0xa76/0x27a0
[ 24.235702][ T289] ? ptrace_stop+0x6f4/0xa80
[ 24.240295][ T289] ? put_task_struct+0x90/0x90
[ 24.245056][ T289] ? ptrace_notify+0x1c4/0x250
[ 24.249819][ T289] ? do_notify_parent+0x800/0x800
[ 24.254843][ T289] do_group_exit+0x141/0x310
[ 24.259431][ T289] ? debug_smp_processor_id+0x17/0x20
[ 24.264834][ T289] __x64_sys_exit_group+0x3f/0x40
[ 24.269855][ T289] x64_sys_call+0x832/0x9a0
[ 24.274359][ T289] do_syscall_64+0x4c/0xa0
[ 24.278773][ T289] ? clear_bhb_loop+0x50/0xa0
[ 24.283444][ T289] ? clear_bhb_loop+0x50/0xa0
[ 24.288115][ T289] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 24.294008][ T289] RIP: 0033:0x7ff7e8c07c79
[ 24.298416][ T289] Code: Unable to access opcode bytes at RIP 0x7ff7e8c07c4f.
[ 24.305777][ T289] RSP: 002b:00007fff7b2d8048 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 24.314186][ T289] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff7e8c07c79
[ 24.322153][ T289] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 24.330123][ T289] RBP: 00007ff7e8c7b390 R08: ffffffffffffffb8 R09: 00000000000000a0
[ 24.338086][ T289] R10: 0000000000000001 R11: 0000000000000246 R12: 00007ff7e8c7b390
[ 24.346060][ T289] R13: 0000000000000000 R14: 00007ff7e8c7bde0 R15: 00007ff7e8bd1320
[ 24.354033][ T289]
[ 24.357044][ T289]
[ 24.359367][ T289] Allocated by task 289:
[ 24.363597][ T289] __kasan_slab_alloc+0xbd/0xf0
[ 24.368447][ T289] slab_post_alloc_hook+0x4f/0x2b0
[ 24.373548][ T289] kmem_cache_alloc+0xf7/0x260
[ 24.378302][ T289] skb_clone+0x1cf/0x360
[ 24.382540][ T289] sk_psock_verdict_recv+0x53/0x800
[ 24.387732][ T289] unix_read_sock+0x10a/0x2c0
[ 24.392405][ T289] sk_psock_verdict_data_ready+0x115/0x170
[ 24.398203][ T289] unix_dgram_sendmsg+0x11e6/0x1880
[ 24.403392][ T289] ____sys_sendmsg+0x5a2/0x8c0
[ 24.408146][ T289] ___sys_sendmsg+0x1f0/0x260
[ 24.412812][ T289] __x64_sys_sendmsg+0x1e2/0x2a0
[ 24.417744][ T289] x64_sys_call+0x4b/0x9a0
[ 24.422152][ T289] do_syscall_64+0x4c/0xa0
[ 24.426572][ T289] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 24.432466][ T289]
[ 24.434791][ T289] Freed by task 42:
[ 24.438595][ T289] kasan_set_track+0x4a/0x70
[ 24.443176][ T289] kasan_set_free_info+0x23/0x40
[ 24.448106][ T289] ____kasan_slab_free+0x125/0x160
[ 24.453210][ T289] __kasan_slab_free+0x11/0x20
[ 24.457964][ T289] slab_free_freelist_hook+0xc2/0x190
[ 24.463334][ T289] kmem_cache_free+0x100/0x320
[ 24.468092][ T289] kfree_skbmem+0x10c/0x180
[ 24.472592][ T289] kfree_skb+0xc1/0x2f0
[ 24.476745][ T289] sk_psock_backlog+0xa85/0xd80
[ 24.481601][ T289] process_one_work+0x6be/0xba0
[ 24.486461][ T289] worker_thread+0xa59/0x1200
[ 24.491147][ T289] kthread+0x411/0x500
[ 24.495220][ T289] ret_from_fork+0x1f/0x30
[ 24.499637][ T289]
[ 24.501959][ T289] The buggy address belongs to the object at ffff8881065ce3c0
[ 24.501959][ T289] which belongs to the cache skbuff_head_cache of size 248
[ 24.516530][ T289] The buggy address is located 236 bytes inside of
[ 24.516530][ T289] 248-byte region [ffff8881065ce3c0, ffff8881065ce4b8)
[ 24.529802][ T289] The buggy address belongs to the page:
[ 24.535459][ T289] page:ffffea0004197380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065ce
[ 24.545706][ T289] flags: 0x4000000000000200(slab|zone=1)
[ 24.551347][ T289] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081aaa80
[ 24.559922][ T289] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 24.568503][ T289] page dumped because: kasan: bad access detected
[ 24.574910][ T289] page_owner tracks the page as allocated
[ 24.580616][ T289] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 289, ts 23612872653, free_ts 18452601211
[ 24.596581][ T289] post_alloc_hook+0x192/0x1b0
[ 24.601346][ T289] prep_new_page+0x1c/0x110
[ 24.605852][ T289] get_page_from_freelist+0x2cc5/0x2d50
[ 24.611395][ T289] __alloc_pages+0x18f/0x440
[ 24.615997][ T289] new_slab+0xa1/0x4d0
[ 24.620062][ T289] ___slab_alloc+0x381/0x810
[ 24.624646][ T289] __slab_alloc+0x49/0x90
[ 24.628972][ T289] kmem_cache_alloc+0x138/0x260
[ 24.633824][ T289] __alloc_skb+0xe0/0x740
[ 24.638148][ T289] audit_log_start+0x3c7/0x8b0
[ 24.642906][ T289] common_lsm_audit+0xd1/0x1600
[ 24.647752][ T289] slow_avc_audit+0x1ac/0x220
[ 24.652426][ T289] avc_has_perm+0x1e6/0x240
[ 24.656925][ T289] selinux_bpf_map+0xd2/0x110
[ 24.661599][ T289] security_bpf_map+0x69/0xa0
[ 24.666274][ T289] bpf_map_new_fd+0x2b/0x70
[ 24.670780][ T289] page last free stack trace:
[ 24.675455][ T289] free_unref_page_prepare+0x542/0x550
[ 24.680924][ T289] free_unref_page+0xa2/0x550
[ 24.685599][ T289] __free_pages+0x6c/0x100
[ 24.690017][ T289] free_pages+0x82/0x90
[ 24.694174][ T289] pgd_free+0x187/0x1a0
[ 24.698330][ T289] __mmdrop+0xad/0x410
[ 24.702402][ T289] finish_task_switch+0x2bb/0x780
[ 24.707425][ T289] __schedule+0xb76/0x14c0
[ 24.711835][ T289] schedule+0x11e/0x1e0
[ 24.715984][ T289] do_wait+0x6b3/0x9a0
[ 24.720046][ T289] kernel_wait4+0x1a5/0x260
[ 24.724544][ T289] __x64_sys_wait4+0x130/0x1e0
[ 24.729300][ T289] x64_sys_call+0xec/0x9a0
[ 24.733709][ T289] do_syscall_64+0x4c/0xa0
[ 24.738123][ T289] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 24.744019][ T289]
[ 24.746346][ T289] Memory state around the buggy address:
[ 24.751971][ T289] ffff8881065ce380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 24.760028][ T289] ffff8881065ce400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.768080][ T289] >ffff8881065ce480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 24.776224][ T289] ^
[ 24.781589][ T289] ffff8881065ce500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.789661][ T289] ffff8881065ce580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 24.797726][ T289] ==================================================================
[ 24.805781][ T289] Disabling lock debugging due to kernel taint
[ 24.811979][ T289] ==================================================================
[ 24.820041][ T289] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x100/0x320
[ 24.828460][ T289]
[ 24.830779][ T289] CPU: 1 PID: 289 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 24.842408][ T289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 24.852457][ T289] Call Trace:
[ 24.855747][ T289]
[ 24.858673][ T289] __dump_stack+0x21/0x30
[ 24.863008][ T289] dump_stack_lvl+0xee/0x150
[ 24.867628][ T289] ? show_regs_print_info+0x20/0x20
[ 24.872825][ T289] ? load_image+0x3a0/0x3a0
[ 24.877334][ T289] print_address_description+0x7f/0x2c0
[ 24.882886][ T289] ? kmem_cache_free+0x100/0x320
[ 24.887830][ T289] kasan_report_invalid_free+0x58/0x90
[ 24.893302][ T289] ? kmem_cache_free+0x100/0x320
[ 24.898237][ T289] ____kasan_slab_free+0x13d/0x160
[ 24.903343][ T289] __kasan_slab_free+0x11/0x20
[ 24.908107][ T289] slab_free_freelist_hook+0xc2/0x190
[ 24.913479][ T289] ? kfree_skbmem+0x10c/0x180
[ 24.918152][ T289] kmem_cache_free+0x100/0x320
[ 24.922910][ T289] ? skb_release_data+0x94f/0xa10
[ 24.927927][ T289] kfree_skbmem+0x10c/0x180
[ 24.932459][ T289] consume_skb+0xb3/0x1f0
[ 24.936783][ T289] __sk_msg_free+0x4f4/0x560
[ 24.941379][ T289] ? _raw_spin_lock_bh+0x8e/0xe0
[ 24.946316][ T289] ? _raw_spin_lock_irq+0xe0/0xe0
[ 24.951343][ T289] ? skb_dequeue+0x125/0x160
[ 24.955937][ T289] sk_psock_stop+0x4c9/0x570
[ 24.960527][ T289] ? sock_no_sendpage_locked+0x130/0x130
[ 24.966160][ T289] sk_psock_drop+0x226/0x300
[ 24.970749][ T289] sock_map_unref+0x3c2/0x420
[ 24.975422][ T289] ? sk_psock_link_pop+0x154/0x170
[ 24.980531][ T289] sock_map_remove_links+0x3cd/0x600
[ 24.985817][ T289] ? sock_init_data+0xc0/0xc0
[ 24.990499][ T289] ? sock_map_unhash+0x130/0x130
[ 24.995440][ T289] sock_map_close+0x111/0x440
[ 25.000113][ T289] ? unix_peer_get+0xe0/0xe0
[ 25.004697][ T289] ? sock_map_remove_links+0x600/0x600
[ 25.010162][ T289] ? clear_nonspinnable+0x60/0x60
[ 25.015184][ T289] ? security_file_free+0xc7/0xe0
[ 25.020210][ T289] unix_release+0x82/0xc0
[ 25.024536][ T289] sock_close+0xe0/0x270
[ 25.028774][ T289] ? sock_mmap+0xa0/0xa0
[ 25.033013][ T289] __fput+0x20b/0x8b0
[ 25.036991][ T289] ____fput+0x15/0x20
[ 25.040965][ T289] task_work_run+0x127/0x190
[ 25.045552][ T289] do_exit+0xa76/0x27a0
[ 25.049703][ T289] ? ptrace_stop+0x6f4/0xa80
[ 25.054298][ T289] ? put_task_struct+0x90/0x90
[ 25.059057][ T289] ? ptrace_notify+0x1c4/0x250
[ 25.063811][ T289] ? do_notify_parent+0x800/0x800
[ 25.068827][ T289] do_group_exit+0x141/0x310
[ 25.073414][ T289] ? debug_smp_processor_id+0x17/0x20
[ 25.078825][ T289] __x64_sys_exit_group+0x3f/0x40
[ 25.083841][ T289] x64_sys_call+0x832/0x9a0
[ 25.088336][ T289] do_syscall_64+0x4c/0xa0
[ 25.092748][ T289] ? clear_bhb_loop+0x50/0xa0
[ 25.097419][ T289] ? clear_bhb_loop+0x50/0xa0
[ 25.102088][ T289] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 25.108000][ T289] RIP: 0033:0x7ff7e8c07c79
[ 25.112427][ T289] Code: Unable to access opcode bytes at RIP 0x7ff7e8c07c4f.
[ 25.119785][ T289] RSP: 002b:00007fff7b2d8048 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 25.128215][ T289] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff7e8c07c79
[ 25.136185][ T289] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 25.144150][ T289] RBP: 00007ff7e8c7b390 R08: ffffffffffffffb8 R09: 00000000000000a0
[ 25.152116][ T289] R10: 0000000000000001 R11: 0000000000000246 R12: 00007ff7e8c7b390
[ 25.160088][ T289] R13: 0000000000000000 R14: 00007ff7e8c7bde0 R15: 00007ff7e8bd1320
[ 25.168056][ T289]
[ 25.171071][ T289]
[ 25.173393][ T289] Allocated by task 289:
[ 25.177624][ T289] __kasan_slab_alloc+0xbd/0xf0
[ 25.182473][ T289] slab_post_alloc_hook+0x4f/0x2b0
[ 25.187582][ T289] kmem_cache_alloc+0xf7/0x260
[ 25.192348][ T289] skb_clone+0x1cf/0x360
[ 25.196591][ T289] sk_psock_verdict_recv+0x53/0x800
[ 25.201786][ T289] unix_read_sock+0x10a/0x2c0
[ 25.206460][ T289] sk_psock_verdict_data_ready+0x115/0x170
[ 25.212262][ T289] unix_dgram_sendmsg+0x11e6/0x1880
[ 25.217460][ T289] ____sys_sendmsg+0x5a2/0x8c0
[ 25.222217][ T289] ___sys_sendmsg+0x1f0/0x260
[ 25.226887][ T289] __x64_sys_sendmsg+0x1e2/0x2a0
[ 25.231823][ T289] x64_sys_call+0x4b/0x9a0
[ 25.236237][ T289] do_syscall_64+0x4c/0xa0
[ 25.240661][ T289] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 25.246550][ T289]
[ 25.248868][ T289] Freed by task 42:
[ 25.252688][ T289] kasan_set_track+0x4a/0x70
[ 25.257278][ T289] kasan_set_free_info+0x23/0x40
[ 25.262212][ T289] ____kasan_slab_free+0x125/0x160
[ 25.267315][ T289] __kasan_slab_free+0x11/0x20
[ 25.272084][ T289] slab_free_freelist_hook+0xc2/0x190
[ 25.277458][ T289] kmem_cache_free+0x100/0x320
[ 25.282216][ T289] kfree_skbmem+0x10c/0x180
[ 25.286710][ T289] kfree_skb+0xc1/0x2f0
[ 25.290857][ T289] sk_psock_backlog+0xa85/0xd80
[ 25.295708][ T289] process_one_work+0x6be/0xba0
[ 25.300555][ T289] worker_thread+0xa59/0x1200
[ 25.305230][ T289] kthread+0x411/0x500
[ 25.309299][ T289] ret_from_fork+0x1f/0x30
[ 25.313737][ T289]
[ 25.316058][ T289] The buggy address belongs to the object at ffff8881065ce3c0
[ 25.316058][ T289] which belongs to the cache skbuff_head_cache of size 248
[ 25.330626][ T289] The buggy address is located 0 bytes inside of
[ 25.330626][ T289] 248-byte region [ffff8881065ce3c0, ffff8881065ce4b8)
[ 25.343722][ T289] The buggy address belongs to the page:
[ 25.349349][ T289] page:ffffea0004197380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065ce
[ 25.359578][ T289] flags: 0x4000000000000200(slab|zone=1)
[ 25.365211][ T289] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081aaa80
[ 25.373795][ T289] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 25.382370][ T289] page dumped because: kasan: bad access detected
[ 25.388769][ T289] page_owner tracks the page as allocated
[ 25.394471][ T289] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 289, ts 23612872653, free_ts 18452601211
[ 25.410437][ T289] post_alloc_hook+0x192/0x1b0
[ 25.415195][ T289] prep_new_page+0x1c/0x110
[ 25.419692][ T289] get_page_from_freelist+0x2cc5/0x2d50
[ 25.425233][ T289] __alloc_pages+0x18f/0x440
[ 25.429820][ T289] new_slab+0xa1/0x4d0
[ 25.433902][ T289] ___slab_alloc+0x381/0x810
[ 25.438486][ T289] __slab_alloc+0x49/0x90
[ 25.442815][ T289] kmem_cache_alloc+0x138/0x260
[ 25.447664][ T289] __alloc_skb+0xe0/0x740
[ 25.452016][ T289] audit_log_start+0x3c7/0x8b0
[ 25.456788][ T289] common_lsm_audit+0xd1/0x1600
[ 25.461631][ T289] slow_avc_audit+0x1ac/0x220
[ 25.466304][ T289] avc_has_perm+0x1e6/0x240
[ 25.470808][ T289] selinux_bpf_map+0xd2/0x110
[ 25.475496][ T289] security_bpf_map+0x69/0xa0
[ 25.480170][ T289] bpf_map_new_fd+0x2b/0x70
[ 25.484675][ T289] page last free stack trace:
[ 25.489340][ T289] free_unref_page_prepare+0x542/0x550
[ 25.494802][ T289] free_unref_page+0xa2/0x550
[ 25.499479][ T289] __free_pages+0x6c/0x100
[ 25.504030][ T289] free_pages+0x82/0x90
[ 25.508197][ T289] pgd_free+0x187/0x1a0
[ 25.512361][ T289] __mmdrop+0xad/0x410
[ 25.516460][ T289] finish_task_switch+0x2bb/0x780
[ 25.521498][ T289] __schedule+0xb76/0x14c0
[ 25.525914][ T289] schedule+0x11e/0x1e0
[ 25.530065][ T289] do_wait+0x6b3/0x9a0
[ 25.534144][ T289] kernel_wait4+0x1a5/0x260
[ 25.538648][ T289] __x64_sys_wait4+0x130/0x1e0
[ 25.543405][ T289] x64_sys_call+0xec/0x9a0
[ 25.547817][ T289] do_syscall_64+0x4c/0xa0
[ 25.552231][ T289] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 25.558130][ T289]
[ 25.560447][ T289] Memory state around the buggy address:
[ 25.566069][ T289] ffff8881065ce280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[pid 289] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=289, si_uid=0, si_status=0, si_utime=0, si_stime=29} ---
[ 25.574234][ T289] ffff8881065ce300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 25.582288][ T289] >ffff8881065ce380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 25.590525][ T289] ^
[ 25.596664][ T289] ffff8881065ce400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.604718][ T289] ffff8881065ce480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 25.612768][ T289] ==================================================================
restart_syscall(<... resuming interrupted clone ...>executing program
) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555c781650) = 291
./strace-static-x86_64: Process 291 attached
[pid 291] set_robust_list(0x55555c781660, 24) = 0
[pid 291] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 291] setpgid(0, 0) = 0
[pid 291] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 291] write(3, "1000", 4) = 4
[pid 291] close(3) = 0
[pid 291] write(1, "executing program\n", 18) = 18
[ 25.624653][ T30] audit: type=1400 audit(1749890908.512:71): avc: denied { read } for pid=83 comm="syslogd" name="log" dev="sda1" ino=2010 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 25.646379][ T30] audit: type=1400 audit(1749890908.512:72): avc: denied { search } for pid=83 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[pid 291] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x200000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 291] close(3) = 0
[pid 291] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 291] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x200000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 291] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 291] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 291] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x200000000000, value=0x200000000080, flags=BPF_ANY}, 32) = 0
[pid 291] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 291] write(7, "5", 1) = 1
[ 25.667963][ T30] audit: type=1400 audit(1749890908.512:73): avc: denied { write } for pid=83 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 25.692498][ T291] FAULT_INJECTION: forcing a failure.
[ 25.692498][ T291] name failslab, interval 1, probability 0, space 0, times 0
[ 25.705304][ T291] CPU: 0 PID: 291 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 25.716943][ T291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 25.727003][ T291] Call Trace:
[ 25.730282][ T291]
[ 25.733217][ T291] __dump_stack+0x21/0x30
[ 25.737550][ T291] dump_stack_lvl+0xee/0x150
[ 25.742136][ T291] ? show_regs_print_info+0x20/0x20
[ 25.747330][ T291] ? __kasan_check_write+0x14/0x20
[ 25.752437][ T291] ? _raw_spin_lock_irqsave+0xb0/0x110
[ 25.757900][ T291] dump_stack+0x15/0x20
[ 25.762050][ T291] should_fail+0x3c1/0x510
[ 25.766462][ T291] __should_failslab+0xa4/0xe0
[ 25.771232][ T291] should_failslab+0x9/0x20
[ 25.775729][ T291] slab_pre_alloc_hook+0x3b/0xe0
[ 25.780667][ T291] ? skb_clone+0x1cf/0x360
[ 25.785077][ T291] kmem_cache_alloc+0x44/0x260
[ 25.789842][ T291] skb_clone+0x1cf/0x360
[ 25.794080][ T291] ? __kasan_check_write+0x14/0x20
[ 25.799191][ T291] sk_psock_verdict_recv+0x53/0x800
[ 25.804389][ T291] unix_read_sock+0x10a/0x2c0
[ 25.809064][ T291] ? sk_psock_skb_redirect+0x440/0x440
[ 25.814520][ T291] ? unix_stream_splice_actor+0x120/0x120
[ 25.820235][ T291] ? __kasan_check_write+0x14/0x20
[ 25.825342][ T291] ? unix_stream_splice_actor+0x120/0x120
[ 25.831061][ T291] sk_psock_verdict_data_ready+0x115/0x170
[ 25.836868][ T291] ? sk_psock_start_verdict+0xc0/0xc0
[ 25.842231][ T291] ? _raw_spin_lock+0x8e/0xe0
[ 25.846905][ T291] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 25.852721][ T291] ? skb_queue_tail+0xcb/0xf0
[ 25.857397][ T291] unix_dgram_sendmsg+0x11e6/0x1880
[ 25.862599][ T291] ? unix_dgram_poll+0x6b0/0x6b0
[ 25.867533][ T291] ? newidle_balance+0x6a8/0xcc0
[ 25.872472][ T291] ? security_socket_sendmsg+0x82/0xa0
[ 25.877931][ T291] ? unix_dgram_poll+0x6b0/0x6b0
[ 25.882864][ T291] ____sys_sendmsg+0x5a2/0x8c0
[ 25.887716][ T291] ? __sys_sendmsg_sock+0x40/0x40
[ 25.892738][ T291] ? import_iovec+0x7c/0xb0
[ 25.897235][ T291] ___sys_sendmsg+0x1f0/0x260
[ 25.901995][ T291] ? _raw_spin_unlock+0x4d/0x70
[ 25.906844][ T291] ? __sys_sendmsg+0x250/0x250
[ 25.911603][ T291] ? __schedule+0xb76/0x14c0
[ 25.916193][ T291] ? _raw_spin_lock_irqsave+0x110/0x110
[ 25.921746][ T291] ? cgroup_update_frozen+0x15c/0x970
[ 25.927115][ T291] ? ptrace_stop+0x6f4/0xa80
[ 25.931702][ T291] ? __kasan_check_read+0x11/0x20
[ 25.936727][ T291] ? __fdget+0x15b/0x230
[ 25.940970][ T291] __x64_sys_sendmsg+0x1e2/0x2a0
[ 25.945907][ T291] ? ___sys_sendmsg+0x260/0x260
[ 25.950755][ T291] ? __kasan_check_write+0x14/0x20
[ 25.955866][ T291] ? switch_fpu_return+0x15d/0x2c0
[ 25.960979][ T291] x64_sys_call+0x4b/0x9a0
[ 25.965396][ T291] do_syscall_64+0x4c/0xa0
[ 25.969808][ T291] ? clear_bhb_loop+0x50/0xa0
[ 25.974482][ T291] ? clear_bhb_loop+0x50/0xa0
[ 25.979154][ T291] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 25.985047][ T291] RIP: 0033:0x7ff7e8c09b29
[ 25.989464][ T291] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 26.009068][ T291] RSP: 002b:00007fff7b2d80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 26.017482][ T291] RAX: ffffffffffffffda RBX: 00007fff7b2d80c0 RCX: 00007ff7e8c09b29
[pid 291] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 291] exit_group(0) = ?
[pid 291] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=291, si_uid=0, si_status=0, si_utime=0, si_stime=6} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 292 attached
[pid 292] set_robust_list(0x55555c781660, 24) = 0
[pid 288] <... clone resumed>, child_tidptr=0x55555c781650) = 292
[pid 292] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 292] setpgid(0, 0) = 0
[pid 292] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 292] write(3, "1000", 4) = 4
[pid 292] close(3) = 0
executing program
[pid 292] write(1, "executing program\n", 18) = 18
[pid 292] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x200000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 292] close(3) = 0
[pid 292] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 292] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x200000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 292] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 292] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 292] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x200000000000, value=0x200000000080, flags=BPF_ANY}, 32) = 0
[pid 292] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 292] write(7, "5", 1) = 1
[ 26.025580][ T291] RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004
[ 26.033549][ T291] RBP: 0000000000000001 R08: 00007fff7b2d7e47 R09: 00000000000000a0
[ 26.041604][ T291] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 26.049567][ T291] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 26.057554][ T291]
[ 26.079854][ T292] FAULT_INJECTION: forcing a failure.
[ 26.079854][ T292] name fail_page_alloc, interval 1, probability 0, space 0, times 1
[ 26.093325][ T292] CPU: 1 PID: 292 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 26.104952][ T292] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 26.115004][ T292] Call Trace:
[ 26.118278][ T292]
[ 26.121205][ T292] __dump_stack+0x21/0x30
[ 26.125537][ T292] dump_stack_lvl+0xee/0x150
[ 26.130128][ T292] ? show_regs_print_info+0x20/0x20
[ 26.135322][ T292] ? __kernel_text_address+0xa0/0x100
[ 26.140696][ T292] ? unwind_get_return_address+0x4d/0x90
[ 26.146327][ T292] dump_stack+0x15/0x20
[ 26.150478][ T292] should_fail+0x3c1/0x510
[ 26.154895][ T292] should_fail_alloc_page+0x55/0x80
[ 26.160089][ T292] prepare_alloc_pages+0x156/0x600
[ 26.165192][ T292] ? __alloc_pages_bulk+0xab0/0xab0
[ 26.170398][ T292] __alloc_pages+0x10a/0x440
[ 26.174986][ T292] ? __x64_sys_sendmsg+0x1e2/0x2a0
[ 26.180086][ T292] ? x64_sys_call+0x4b/0x9a0
[ 26.184674][ T292] ? prep_new_page+0x110/0x110
[ 26.189434][ T292] new_slab+0xa1/0x4d0
[ 26.193499][ T292] ___slab_alloc+0x381/0x810
[ 26.198086][ T292] ? memset+0x35/0x40
[ 26.202055][ T292] ? skb_clone+0x1cf/0x360
[ 26.206469][ T292] ? skb_clone+0x1cf/0x360
[ 26.210897][ T292] __slab_alloc+0x49/0x90
[ 26.215224][ T292] ? skb_clone+0x1cf/0x360
[ 26.219636][ T292] kmem_cache_alloc+0x138/0x260
[ 26.224483][ T292] skb_clone+0x1cf/0x360
[ 26.228722][ T292] ? __kasan_check_write+0x14/0x20
[ 26.233830][ T292] sk_psock_verdict_recv+0x53/0x800
[ 26.239032][ T292] unix_read_sock+0x10a/0x2c0
[ 26.243745][ T292] ? sk_psock_skb_redirect+0x440/0x440
[ 26.249202][ T292] ? unix_stream_splice_actor+0x120/0x120
[ 26.254922][ T292] ? __kasan_check_write+0x14/0x20
[ 26.260030][ T292] ? unix_stream_splice_actor+0x120/0x120
[ 26.265748][ T292] sk_psock_verdict_data_ready+0x115/0x170
[ 26.271552][ T292] ? sk_psock_start_verdict+0xc0/0xc0
[ 26.276924][ T292] ? _raw_spin_lock+0x8e/0xe0
[ 26.281599][ T292] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 26.287408][ T292] ? skb_queue_tail+0xcb/0xf0
[ 26.292089][ T292] unix_dgram_sendmsg+0x11e6/0x1880
[ 26.297294][ T292] ? unix_dgram_poll+0x6b0/0x6b0
[ 26.302230][ T292] ? newidle_balance+0x6a8/0xcc0
[ 26.307171][ T292] ? security_socket_sendmsg+0x82/0xa0
[ 26.312630][ T292] ? unix_dgram_poll+0x6b0/0x6b0
[ 26.317563][ T292] ____sys_sendmsg+0x5a2/0x8c0
[ 26.322323][ T292] ? __sys_sendmsg_sock+0x40/0x40
[ 26.327351][ T292] ? import_iovec+0x7c/0xb0
[ 26.331853][ T292] ___sys_sendmsg+0x1f0/0x260
[ 26.336536][ T292] ? _raw_spin_unlock+0x4d/0x70
[ 26.341389][ T292] ? __sys_sendmsg+0x250/0x250
[ 26.346155][ T292] ? __schedule+0xb76/0x14c0
[ 26.350745][ T292] ? _raw_spin_lock_irqsave+0x110/0x110
[ 26.356307][ T292] ? cgroup_update_frozen+0x15c/0x970
[ 26.361685][ T292] ? ptrace_stop+0x6f4/0xa80
[ 26.366276][ T292] ? __kasan_check_read+0x11/0x20
[ 26.371317][ T292] ? __fdget+0x15b/0x230
[ 26.375566][ T292] __x64_sys_sendmsg+0x1e2/0x2a0
[ 26.380505][ T292] ? ___sys_sendmsg+0x260/0x260
[ 26.385357][ T292] ? __kasan_check_write+0x14/0x20
[ 26.390467][ T292] ? switch_fpu_return+0x15d/0x2c0
[ 26.395581][ T292] x64_sys_call+0x4b/0x9a0
[ 26.399996][ T292] do_syscall_64+0x4c/0xa0
[ 26.404405][ T292] ? clear_bhb_loop+0x50/0xa0
[ 26.409077][ T292] ? clear_bhb_loop+0x50/0xa0
[ 26.413757][ T292] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 26.419641][ T292] RIP: 0033:0x7ff7e8c09b29
[ 26.424051][ T292] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 26.443655][ T292] RSP: 002b:00007fff7b2d80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 26.452074][ T292] RAX: ffffffffffffffda RBX: 00007fff7b2d80c0 RCX: 00007ff7e8c09b29
[ 26.460042][ T292] RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004
[ 26.468026][ T292] RBP: 0000000000000001 R08: 00007fff7b2d7e47 R09: 00000000000000a0
[ 26.476010][ T292] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[pid 292] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 292] exit_group(0) = ?
[pid 292] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=292, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555c781650) = 293
./strace-static-x86_64: Process 293 attached
[pid 293] set_robust_list(0x55555c781660, 24) = 0
[pid 293] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 293] setpgid(0, 0) = 0
[pid 293] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 293] write(3, "1000", 4) = 4
[pid 293] close(3) = 0
[pid 293] write(1, "executing program\n", 18executing program
) = 18
[pid 293] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x200000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 293] close(3) = 0
[pid 293] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 293] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x200000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 293] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 293] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 293] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x200000000000, value=0x200000000080, flags=BPF_ANY}, 32) = 0
[pid 293] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 293] write(7, "5", 1) = 1
[ 26.483976][ T292] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 26.491942][ T292]
[ 26.500977][ T293] FAULT_INJECTION: forcing a failure.
[ 26.500977][ T293] name failslab, interval 1, probability 0, space 0, times 0
[ 26.513821][ T293] CPU: 0 PID: 293 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 26.525462][ T293] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 26.535513][ T293] Call Trace:
[ 26.538807][ T293]
[ 26.541732][ T293] __dump_stack+0x21/0x30
[ 26.546067][ T293] dump_stack_lvl+0xee/0x150
[ 26.550650][ T293] ? show_regs_print_info+0x20/0x20
[ 26.555838][ T293] dump_stack+0x15/0x20
[ 26.559983][ T293] should_fail+0x3c1/0x510
[ 26.564385][ T293] __should_failslab+0xa4/0xe0
[ 26.569162][ T293] should_failslab+0x9/0x20
[ 26.573653][ T293] slab_pre_alloc_hook+0x3b/0xe0
[ 26.578581][ T293] kmem_cache_alloc_trace+0x48/0x270
[ 26.583853][ T293] ? sk_psock_skb_ingress_self+0x5f/0x330
[ 26.589560][ T293] ? migrate_disable+0x180/0x180
[ 26.594490][ T293] sk_psock_skb_ingress_self+0x5f/0x330
[ 26.600025][ T293] ? migrate_disable+0xd6/0x180
[ 26.604861][ T293] sk_psock_verdict_recv+0x636/0x800
[ 26.610132][ T293] unix_read_sock+0x10a/0x2c0
[ 26.614798][ T293] ? sk_psock_skb_redirect+0x440/0x440
[ 26.620243][ T293] ? unix_stream_splice_actor+0x120/0x120
[ 26.625948][ T293] ? __kasan_check_write+0x14/0x20
[ 26.631050][ T293] ? unix_stream_splice_actor+0x120/0x120
[ 26.636754][ T293] sk_psock_verdict_data_ready+0x115/0x170
[ 26.642549][ T293] ? sk_psock_start_verdict+0xc0/0xc0
[ 26.647913][ T293] ? _raw_spin_lock+0x8e/0xe0
[ 26.652599][ T293] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 26.658555][ T293] ? skb_queue_tail+0xcb/0xf0
[ 26.663239][ T293] unix_dgram_sendmsg+0x11e6/0x1880
[ 26.668446][ T293] ? unix_dgram_poll+0x6b0/0x6b0
[ 26.673385][ T293] ? __update_load_avg_cfs_rq+0xaf/0x2f0
[ 26.679016][ T293] ? security_socket_sendmsg+0x82/0xa0
[ 26.684495][ T293] ? unix_dgram_poll+0x6b0/0x6b0
[ 26.689430][ T293] ____sys_sendmsg+0x5a2/0x8c0
[ 26.694191][ T293] ? __sys_sendmsg_sock+0x40/0x40
[ 26.699210][ T293] ? import_iovec+0x7c/0xb0
[ 26.703709][ T293] ___sys_sendmsg+0x1f0/0x260
[ 26.708387][ T293] ? _raw_spin_unlock+0x4d/0x70
[ 26.713236][ T293] ? __sys_sendmsg+0x250/0x250
[ 26.718006][ T293] ? __schedule+0xb76/0x14c0
[ 26.722811][ T293] ? _raw_spin_lock_irqsave+0x110/0x110
[ 26.728365][ T293] ? cgroup_update_frozen+0x15c/0x970
[ 26.733738][ T293] ? ptrace_stop+0x6f4/0xa80
[ 26.738327][ T293] ? __kasan_check_read+0x11/0x20
[ 26.743346][ T293] ? __fdget+0x15b/0x230
[ 26.747582][ T293] __x64_sys_sendmsg+0x1e2/0x2a0
[ 26.752516][ T293] ? ___sys_sendmsg+0x260/0x260
[ 26.757360][ T293] ? __kasan_check_write+0x14/0x20
[ 26.762467][ T293] ? switch_fpu_return+0x15d/0x2c0
[ 26.767572][ T293] x64_sys_call+0x4b/0x9a0
[ 26.771983][ T293] do_syscall_64+0x4c/0xa0
[ 26.776388][ T293] ? clear_bhb_loop+0x50/0xa0
[ 26.781057][ T293] ? clear_bhb_loop+0x50/0xa0
[ 26.785753][ T293] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 26.791644][ T293] RIP: 0033:0x7ff7e8c09b29
[ 26.796049][ T293] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 26.815645][ T293] RSP: 002b:00007fff7b2d80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 26.824073][ T293] RAX: ffffffffffffffda RBX: 00007fff7b2d80c0 RCX: 00007ff7e8c09b29
[pid 293] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 293] exit_group(0) = ?
[pid 293] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=293, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555c781650) = 294
./strace-static-x86_64: Process 294 attached
[pid 294] set_robust_list(0x55555c781660, 24) = 0
[pid 294] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 294] setpgid(0, 0) = 0
[pid 294] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 294] write(3, "1000", 4) = 4
[pid 294] close(3) = 0
[pid 294] write(1, "executing program\n", 18executing program
) = 18
[ 26.832049][ T293] RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004
[ 26.840011][ T293] RBP: 0000000000000001 R08: 00007fff7b2d7e47 R09: 00000000000000a0
[ 26.847971][ T293] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 26.855932][ T293] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 26.863899][ T293]
[ 26.867873][ T20] ==================================================================
[ 26.875953][ T20] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x100/0x320
[ 26.884384][ T20]
[ 26.886711][ T20] CPU: 0 PID: 20 Comm: kworker/0:1 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 26.897896][ T20] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 26.907944][ T20] Workqueue: events bpf_map_free_deferred
[ 26.913689][ T20] Call Trace:
[ 26.916961][ T20]
[ 26.919888][ T20] __dump_stack+0x21/0x30
[ 26.924213][ T20] dump_stack_lvl+0xee/0x150
[ 26.928819][ T20] ? show_regs_print_info+0x20/0x20
[ 26.934006][ T20] ? load_image+0x3a0/0x3a0
[ 26.938505][ T20] ? kasan_set_track+0x5b/0x70
[ 26.943260][ T20] print_address_description+0x7f/0x2c0
[ 26.948815][ T20] ? kmem_cache_free+0x100/0x320
[ 26.953750][ T20] kasan_report_invalid_free+0x58/0x90
[ 26.959203][ T20] ? kmem_cache_free+0x100/0x320
[ 26.964147][ T20] ____kasan_slab_free+0x13d/0x160
[ 26.969252][ T20] __kasan_slab_free+0x11/0x20
[ 26.974008][ T20] slab_free_freelist_hook+0xc2/0x190
[ 26.979379][ T20] ? kfree_skbmem+0x10c/0x180
[ 26.984048][ T20] kmem_cache_free+0x100/0x320
[ 26.988810][ T20] ? skb_release_data+0x94f/0xa10
[ 26.993832][ T20] kfree_skbmem+0x10c/0x180
[ 26.998331][ T20] consume_skb+0xb3/0x1f0
[ 27.002658][ T20] __sk_msg_free+0x4f4/0x560
[ 27.007246][ T20] ? _raw_spin_lock_bh+0x8e/0xe0
[ 27.012187][ T20] ? _raw_spin_lock_irq+0xe0/0xe0
[ 27.017215][ T20] ? skb_dequeue+0x125/0x160
[ 27.021803][ T20] sk_psock_stop+0x4c9/0x570
[ 27.026389][ T20] ? sock_no_sendpage_locked+0x130/0x130
[ 27.032036][ T20] sk_psock_drop+0x226/0x300
[ 27.036622][ T20] sock_map_unref+0x3c2/0x420
[ 27.041296][ T20] sock_map_free+0x134/0x2a0
[ 27.045884][ T20] bpf_map_free_deferred+0x10e/0x1e0
[ 27.051169][ T20] process_one_work+0x6be/0xba0
[ 27.056050][ T20] worker_thread+0xa59/0x1200
[ 27.060726][ T20] ? _raw_spin_lock_irqsave+0xb0/0x110
[ 27.066186][ T20] kthread+0x411/0x500
[ 27.070255][ T20] ? worker_clr_flags+0x190/0x190
[ 27.075274][ T20] ? kthread_blkcg+0xd0/0xd0
[ 27.079881][ T20] ret_from_fork+0x1f/0x30
[ 27.084295][ T20]
[ 27.087314][ T20]
[ 27.089632][ T20] Allocated by task 293:
[ 27.093864][ T20] __kasan_slab_alloc+0xbd/0xf0
[ 27.098708][ T20] slab_post_alloc_hook+0x4f/0x2b0
[ 27.103813][ T20] kmem_cache_alloc+0xf7/0x260
[ 27.108571][ T20] skb_clone+0x1cf/0x360
[ 27.112806][ T20] sk_psock_verdict_recv+0x53/0x800
[ 27.118000][ T20] unix_read_sock+0x10a/0x2c0
[ 27.122671][ T20] sk_psock_verdict_data_ready+0x115/0x170
[ 27.128479][ T20] unix_dgram_sendmsg+0x11e6/0x1880
[ 27.133677][ T20] ____sys_sendmsg+0x5a2/0x8c0
[ 27.138436][ T20] ___sys_sendmsg+0x1f0/0x260
[ 27.143106][ T20] __x64_sys_sendmsg+0x1e2/0x2a0
[ 27.148037][ T20] x64_sys_call+0x4b/0x9a0
[ 27.152447][ T20] do_syscall_64+0x4c/0xa0
[ 27.156856][ T20] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 27.162748][ T20]
[ 27.165062][ T20] Freed by task 20:
[ 27.168859][ T20] kasan_set_track+0x4a/0x70
[ 27.173444][ T20] kasan_set_free_info+0x23/0x40
[ 27.178404][ T20] ____kasan_slab_free+0x125/0x160
[ 27.183509][ T20] __kasan_slab_free+0x11/0x20
[ 27.188264][ T20] slab_free_freelist_hook+0xc2/0x190
[ 27.193632][ T20] kmem_cache_free+0x100/0x320
[ 27.198393][ T20] kfree_skbmem+0x10c/0x180
[ 27.202889][ T20] kfree_skb+0xc1/0x2f0
[ 27.207038][ T20] sk_psock_backlog+0xa85/0xd80
[ 27.211880][ T20] process_one_work+0x6be/0xba0
[ 27.216728][ T20] worker_thread+0xa59/0x1200
[ 27.221491][ T20] kthread+0x411/0x500
[ 27.225555][ T20] ret_from_fork+0x1f/0x30
[ 27.230063][ T20]
[ 27.232378][ T20] The buggy address belongs to the object at ffff8881268203c0
[ 27.232378][ T20] which belongs to the cache skbuff_head_cache of size 248
[ 27.246943][ T20] The buggy address is located 0 bytes inside of
[ 27.246943][ T20] 248-byte region [ffff8881268203c0, ffff8881268204b8)
[ 27.260041][ T20] The buggy address belongs to the page:
[ 27.265658][ T20] page:ffffea00049a0800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x126820
[ 27.275892][ T20] flags: 0x4000000000000200(slab|zone=1)
[ 27.281525][ T20] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081aaa80
[ 27.290100][ T20] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 27.298668][ T20] page dumped because: kasan: bad access detected
[ 27.305063][ T20] page_owner tracks the page as allocated
[ 27.310765][ T20] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xa20(GFP_ATOMIC), pid 292, ts 26495110813, free_ts 26495077769
[ 27.324211][ T20] post_alloc_hook+0x192/0x1b0
[ 27.328973][ T20] prep_new_page+0x1c/0x110
[ 27.333471][ T20] get_page_from_freelist+0x2cc5/0x2d50
[ 27.339010][ T20] __alloc_pages+0x18f/0x440
[ 27.343597][ T20] alloc_slab_page+0x1c/0x80
[ 27.348182][ T20] new_slab+0x393/0x4d0
[ 27.352341][ T20] ___slab_alloc+0x381/0x810
[ 27.356924][ T20] __slab_alloc+0x49/0x90
[ 27.361247][ T20] kmem_cache_alloc+0x138/0x260
[ 27.366094][ T20] skb_clone+0x1cf/0x360
[ 27.370330][ T20] sk_psock_verdict_recv+0x53/0x800
[ 27.375524][ T20] unix_read_sock+0x10a/0x2c0
[ 27.380205][ T20] sk_psock_verdict_data_ready+0x115/0x170
[ 27.386010][ T20] unix_dgram_sendmsg+0x11e6/0x1880
[ 27.391212][ T20] ____sys_sendmsg+0x5a2/0x8c0
[ 27.395968][ T20] ___sys_sendmsg+0x1f0/0x260
[ 27.400638][ T20] page last free stack trace:
[ 27.405301][ T20] free_unref_page_prepare+0x542/0x550
[ 27.410773][ T20] free_unref_page+0xa2/0x550
[ 27.415449][ T20] __free_pages+0x6c/0x100
[ 27.419860][ T20] __vunmap+0x84d/0x9e0
[ 27.424016][ T20] vfree+0x8b/0xc0
[ 27.427730][ T20] bpf_jit_free+0x1e3/0x240
[ 27.432230][ T20] bpf_prog_free_deferred+0x5c7/0x6d0
[ 27.437598][ T20] process_one_work+0x6be/0xba0
[ 27.442447][ T20] worker_thread+0xa59/0x1200
[ 27.447120][ T20] kthread+0x411/0x500
[ 27.451185][ T20] ret_from_fork+0x1f/0x30
[ 27.455608][ T20]
[ 27.457925][ T20] Memory state around the buggy address:
[ 27.463572][ T20] ffff888126820280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.471623][ T20] ffff888126820300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 27.479673][ T20] >ffff888126820380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[pid 294] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x200000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 294] close(3) = 0
[pid 294] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 294] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x200000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 294] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 294] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 294] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x200000000000, value=0x200000000080, flags=BPF_ANY}, 32) = 0
[pid 294] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 294] write(7, "5", 1) = 1
[ 27.487743][ T20] ^
[ 27.493899][ T20] ffff888126820400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.501961][ T20] ffff888126820480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 27.510017][ T20] ==================================================================
[ 27.524285][ T294] FAULT_INJECTION: forcing a failure.
[ 27.524285][ T294] name failslab, interval 1, probability 0, space 0, times 0
[ 27.537001][ T294] CPU: 0 PID: 294 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 27.548645][ T294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 27.558707][ T294] Call Trace:
[ 27.561980][ T294]
[ 27.564906][ T294] __dump_stack+0x21/0x30
[ 27.569232][ T294] dump_stack_lvl+0xee/0x150
[ 27.573812][ T294] ? show_regs_print_info+0x20/0x20
[ 27.579003][ T294] dump_stack+0x15/0x20
[ 27.583152][ T294] should_fail+0x3c1/0x510
[ 27.587569][ T294] __should_failslab+0xa4/0xe0
[ 27.592333][ T294] should_failslab+0x9/0x20
[ 27.596829][ T294] slab_pre_alloc_hook+0x3b/0xe0
[ 27.601764][ T294] kmem_cache_alloc_trace+0x48/0x270
[ 27.607045][ T294] ? sk_psock_skb_ingress_self+0x5f/0x330
[ 27.612767][ T294] ? migrate_disable+0x180/0x180
[ 27.617705][ T294] sk_psock_skb_ingress_self+0x5f/0x330
[ 27.623250][ T294] ? migrate_disable+0xd6/0x180
[ 27.628109][ T294] sk_psock_verdict_recv+0x636/0x800
[ 27.633401][ T294] unix_read_sock+0x10a/0x2c0
[ 27.638077][ T294] ? sk_psock_skb_redirect+0x440/0x440
[ 27.643533][ T294] ? unix_stream_splice_actor+0x120/0x120
[ 27.649257][ T294] ? __kasan_check_write+0x14/0x20
[ 27.654390][ T294] ? unix_stream_splice_actor+0x120/0x120
[ 27.660113][ T294] sk_psock_verdict_data_ready+0x115/0x170
[ 27.665921][ T294] ? sk_psock_start_verdict+0xc0/0xc0
[ 27.671293][ T294] ? _raw_spin_lock+0x8e/0xe0
[ 27.675968][ T294] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 27.681786][ T294] ? skb_queue_tail+0xcb/0xf0
[ 27.686474][ T294] unix_dgram_sendmsg+0x11e6/0x1880
[ 27.691685][ T294] ? unix_dgram_poll+0x6b0/0x6b0
[ 27.696629][ T294] ? __update_load_avg_cfs_rq+0xaf/0x2f0
[ 27.702269][ T294] ? security_socket_sendmsg+0x82/0xa0
[ 27.707732][ T294] ? unix_dgram_poll+0x6b0/0x6b0
[ 27.712670][ T294] ____sys_sendmsg+0x5a2/0x8c0
[ 27.717432][ T294] ? __sys_sendmsg_sock+0x40/0x40
[ 27.722455][ T294] ? import_iovec+0x7c/0xb0
[ 27.726962][ T294] ___sys_sendmsg+0x1f0/0x260
[ 27.731639][ T294] ? _raw_spin_unlock+0x4d/0x70
[ 27.736509][ T294] ? __sys_sendmsg+0x250/0x250
[ 27.741269][ T294] ? __schedule+0xb76/0x14c0
[ 27.745865][ T294] ? _raw_spin_lock_irqsave+0x110/0x110
[ 27.751414][ T294] ? cgroup_update_frozen+0x15c/0x970
[ 27.756789][ T294] ? ptrace_stop+0x6f4/0xa80
[ 27.761377][ T294] ? __kasan_check_read+0x11/0x20
[ 27.766406][ T294] ? __fdget+0x15b/0x230
[ 27.770651][ T294] __x64_sys_sendmsg+0x1e2/0x2a0
[ 27.775584][ T294] ? ___sys_sendmsg+0x260/0x260
[ 27.780440][ T294] ? __kasan_check_write+0x14/0x20
[ 27.785553][ T294] ? switch_fpu_return+0x15d/0x2c0
[ 27.790665][ T294] x64_sys_call+0x4b/0x9a0
[ 27.795077][ T294] do_syscall_64+0x4c/0xa0
[ 27.799488][ T294] ? clear_bhb_loop+0x50/0xa0
[ 27.804160][ T294] ? clear_bhb_loop+0x50/0xa0
[ 27.808833][ T294] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 27.814741][ T294] RIP: 0033:0x7ff7e8c09b29
[ 27.819156][ T294] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[pid 294] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 294] exit_group(0) = ?
[ 27.838877][ T294] RSP: 002b:00007fff7b2d80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 27.847298][ T294] RAX: ffffffffffffffda RBX: 00007fff7b2d80c0 RCX: 00007ff7e8c09b29
[ 27.855267][ T294] RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004
[ 27.863233][ T294] RBP: 0000000000000001 R08: 00007fff7b2d7e47 R09: 00000000000000a0
[ 27.871201][ T294] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 27.879166][ T294] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 27.887158][ T294]
[ 27.891429][ T294] ==================================================================
[ 27.899507][ T294] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x100/0x320
[ 27.907914][ T294]
[ 27.910225][ T294] CPU: 1 PID: 294 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 27.921851][ T294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 27.931894][ T294] Call Trace:
[ 27.935160][ T294]
[ 27.938084][ T294] __dump_stack+0x21/0x30
[ 27.942407][ T294] dump_stack_lvl+0xee/0x150
[ 27.946986][ T294] ? show_regs_print_info+0x20/0x20
[ 27.952175][ T294] ? load_image+0x3a0/0x3a0
[ 27.956670][ T294] print_address_description+0x7f/0x2c0
[ 27.962212][ T294] ? kmem_cache_free+0x100/0x320
[ 27.967142][ T294] kasan_report_invalid_free+0x58/0x90
[ 27.972590][ T294] ? kmem_cache_free+0x100/0x320
[ 27.977519][ T294] ____kasan_slab_free+0x13d/0x160
[ 27.982619][ T294] __kasan_slab_free+0x11/0x20
[ 27.987373][ T294] slab_free_freelist_hook+0xc2/0x190
[ 27.992735][ T294] ? kfree_skbmem+0x10c/0x180
[ 27.997403][ T294] kmem_cache_free+0x100/0x320
[ 28.002157][ T294] ? skb_release_data+0x94f/0xa10
[ 28.007172][ T294] kfree_skbmem+0x10c/0x180
[ 28.011666][ T294] consume_skb+0xb3/0x1f0
[ 28.015984][ T294] __sk_msg_free+0x4f4/0x560
[ 28.020564][ T294] ? _raw_spin_lock_bh+0x8e/0xe0
[ 28.025495][ T294] ? _raw_spin_lock_irq+0xe0/0xe0
[ 28.030510][ T294] ? skb_dequeue+0x125/0x160
[ 28.035096][ T294] sk_psock_stop+0x4c9/0x570
[ 28.039676][ T294] ? sock_no_sendpage_locked+0x130/0x130
[ 28.045301][ T294] sk_psock_drop+0x226/0x300
[ 28.049886][ T294] sock_map_unref+0x3c2/0x420
[ 28.054552][ T294] ? sk_psock_link_pop+0x154/0x170
[ 28.059654][ T294] sock_map_remove_links+0x3cd/0x600
[ 28.064929][ T294] ? sock_init_data+0xc0/0xc0
[ 28.069615][ T294] ? sock_map_unhash+0x130/0x130
[ 28.074544][ T294] sock_map_close+0x111/0x440
[ 28.079209][ T294] ? unix_peer_get+0xe0/0xe0
[ 28.083809][ T294] ? sock_map_remove_links+0x600/0x600
[ 28.089255][ T294] ? clear_nonspinnable+0x60/0x60
[ 28.094269][ T294] ? security_file_free+0xc7/0xe0
[ 28.099286][ T294] unix_release+0x82/0xc0
[ 28.103607][ T294] sock_close+0xe0/0x270
[ 28.107835][ T294] ? sock_mmap+0xa0/0xa0
[ 28.112061][ T294] __fput+0x20b/0x8b0
[ 28.116031][ T294] ____fput+0x15/0x20
[ 28.120019][ T294] task_work_run+0x127/0x190
[ 28.124597][ T294] do_exit+0xa76/0x27a0
[ 28.128741][ T294] ? ptrace_stop+0x6f4/0xa80
[ 28.133324][ T294] ? put_task_struct+0x90/0x90
[ 28.138080][ T294] ? ptrace_notify+0x1c4/0x250
[ 28.142834][ T294] ? do_notify_parent+0x800/0x800
[ 28.147846][ T294] do_group_exit+0x141/0x310
[ 28.152424][ T294] ? debug_smp_processor_id+0x17/0x20
[ 28.157780][ T294] __x64_sys_exit_group+0x3f/0x40
[ 28.162796][ T294] x64_sys_call+0x832/0x9a0
[ 28.167288][ T294] do_syscall_64+0x4c/0xa0
[ 28.171695][ T294] ? clear_bhb_loop+0x50/0xa0
[ 28.176362][ T294] ? clear_bhb_loop+0x50/0xa0
[ 28.181027][ T294] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 28.186908][ T294] RIP: 0033:0x7ff7e8c07c79
[ 28.191310][ T294] Code: Unable to access opcode bytes at RIP 0x7ff7e8c07c4f.
[ 28.198670][ T294] RSP: 002b:00007fff7b2d8048 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 28.207071][ T294] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff7e8c07c79
[ 28.215035][ T294] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 28.222995][ T294] RBP: 00007ff7e8c7b390 R08: ffffffffffffffb8 R09: 00000000000000a0
[ 28.230954][ T294] R10: 0000000000000001 R11: 0000000000000246 R12: 00007ff7e8c7b390
[ 28.238911][ T294] R13: 0000000000000000 R14: 00007ff7e8c7bde0 R15: 00007ff7e8bd1320
[ 28.246887][ T294]
[ 28.249905][ T294]
[ 28.252223][ T294] Allocated by task 294:
[ 28.256466][ T294] __kasan_slab_alloc+0xbd/0xf0
[ 28.261320][ T294] slab_post_alloc_hook+0x4f/0x2b0
[ 28.266423][ T294] kmem_cache_alloc+0xf7/0x260
[ 28.271191][ T294] skb_clone+0x1cf/0x360
[ 28.275427][ T294] sk_psock_verdict_recv+0x53/0x800
[ 28.280622][ T294] unix_read_sock+0x10a/0x2c0
[ 28.285295][ T294] sk_psock_verdict_data_ready+0x115/0x170
[ 28.291114][ T294] unix_dgram_sendmsg+0x11e6/0x1880
[ 28.296302][ T294] ____sys_sendmsg+0x5a2/0x8c0
[ 28.301059][ T294] ___sys_sendmsg+0x1f0/0x260
[ 28.305722][ T294] __x64_sys_sendmsg+0x1e2/0x2a0
[ 28.310646][ T294] x64_sys_call+0x4b/0x9a0
[ 28.315049][ T294] do_syscall_64+0x4c/0xa0
[ 28.319457][ T294] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 28.325344][ T294]
[ 28.327657][ T294] Freed by task 290:
[ 28.331533][ T294] kasan_set_track+0x4a/0x70
[ 28.336111][ T294] kasan_set_free_info+0x23/0x40
[ 28.341035][ T294] ____kasan_slab_free+0x125/0x160
[ 28.346138][ T294] __kasan_slab_free+0x11/0x20
[ 28.350891][ T294] slab_free_freelist_hook+0xc2/0x190
[ 28.356261][ T294] kmem_cache_free+0x100/0x320
[ 28.361030][ T294] kfree_skbmem+0x10c/0x180
[ 28.365530][ T294] kfree_skb+0xc1/0x2f0
[ 28.369678][ T294] sk_psock_backlog+0xa85/0xd80
[ 28.374514][ T294] process_one_work+0x6be/0xba0
[ 28.379353][ T294] worker_thread+0xa59/0x1200
[ 28.384035][ T294] kthread+0x411/0x500
[ 28.388096][ T294] ret_from_fork+0x1f/0x30
[ 28.392499][ T294]
[ 28.394811][ T294] The buggy address belongs to the object at ffff8881067d53c0
[ 28.394811][ T294] which belongs to the cache skbuff_head_cache of size 248
[ 28.409365][ T294] The buggy address is located 0 bytes inside of
[ 28.409365][ T294] 248-byte region [ffff8881067d53c0, ffff8881067d54b8)
[ 28.422447][ T294] The buggy address belongs to the page:
[ 28.428069][ T294] page:ffffea000419f540 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1067d5
[ 28.438290][ T294] flags: 0x4000000000000200(slab|zone=1)
[ 28.443918][ T294] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081aaa80
[ 28.452517][ T294] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 28.461076][ T294] page dumped because: kasan: bad access detected
[ 28.467465][ T294] page_owner tracks the page as allocated
[ 28.473162][ T294] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 284, ts 27523985549, free_ts 26869001051
[ 28.489118][ T294] post_alloc_hook+0x192/0x1b0
[ 28.493873][ T294] prep_new_page+0x1c/0x110
[ 28.498366][ T294] get_page_from_freelist+0x2cc5/0x2d50
[ 28.503898][ T294] __alloc_pages+0x18f/0x440
[ 28.508474][ T294] new_slab+0xa1/0x4d0
[ 28.512531][ T294] ___slab_alloc+0x381/0x810
[ 28.517111][ T294] __slab_alloc+0x49/0x90
[ 28.521437][ T294] kmem_cache_alloc+0x138/0x260
[ 28.526286][ T294] skb_clone+0x1cf/0x360
[ 28.530519][ T294] dev_queue_xmit_nit+0x269/0xa40
[ 28.535530][ T294] dev_hard_start_xmit+0x163/0x670
[ 28.540628][ T294] sch_direct_xmit+0x267/0x8d0
[ 28.545389][ T294] __dev_queue_xmit+0x1523/0x2d80
[ 28.550400][ T294] dev_queue_xmit+0x17/0x20
[ 28.554891][ T294] ip_finish_output2+0xb7c/0xe60
[ 28.559815][ T294] __ip_finish_output+0x161/0x360
[ 28.564829][ T294] page last free stack trace:
[ 28.569483][ T294] free_unref_page_prepare+0x542/0x550
[ 28.574928][ T294] free_unref_page+0xa2/0x550
[ 28.579593][ T294] __free_pages+0x6c/0x100
[ 28.583993][ T294] __free_slab+0xe8/0x1e0
[ 28.588423][ T294] __unfreeze_partials+0x160/0x190
[ 28.593522][ T294] put_cpu_partial+0xc6/0x120
[ 28.598202][ T294] __slab_free+0x1d4/0x290
[ 28.602605][ T294] ___cache_free+0x104/0x120
[ 28.607184][ T294] qlink_free+0x4d/0x90
[ 28.611329][ T294] qlist_free_all+0x5f/0xb0
[ 28.615819][ T294] kasan_quarantine_reduce+0x14a/0x170
[ 28.621294][ T294] __kasan_slab_alloc+0x2f/0xf0
[ 28.626145][ T294] slab_post_alloc_hook+0x4f/0x2b0
[ 28.631432][ T294] kmem_cache_alloc+0xf7/0x260
[ 28.636191][ T294] __alloc_skb+0xe0/0x740
[ 28.640521][ T294] alloc_skb_with_frags+0xa8/0x620
[ 28.645794][ T294]
[ 28.648139][ T294] Memory state around the buggy address:
[ 28.653754][ T294] ffff8881067d5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.661809][ T294] ffff8881067d5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 28.669859][ T294] >ffff8881067d5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 28.677904][ T294] ^
[ 28.684042][ T294] ffff8881067d5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[pid 294] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=294, si_uid=0, si_status=0, si_utime=0, si_stime=67} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 295 attached
[pid 295] set_robust_list(0x55555c781660, 24) = 0
[pid 288] <... clone resumed>, child_tidptr=0x55555c781650) = 295
[pid 295] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 295] setpgid(0, 0) = 0
[pid 295] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 295] write(3, "1000", 4) = 4
[pid 295] close(3) = 0
executing program
[pid 295] write(1, "executing program\n", 18) = 18
[pid 295] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x200000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 295] close(3) = 0
[pid 295] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 295] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x200000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 295] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 295] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 295] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x200000000000, value=0x200000000080, flags=BPF_ANY}, 32) = 0
[pid 295] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 295] write(7, "5", 1) = 1
[ 28.692090][ T294] ffff8881067d5480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 28.700221][ T294] ==================================================================
[ 28.726894][ T295] FAULT_INJECTION: forcing a failure.
[ 28.726894][ T295] name failslab, interval 1, probability 0, space 0, times 0
[ 28.739583][ T295] CPU: 0 PID: 295 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 28.751225][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 28.761281][ T295] Call Trace:
[ 28.764562][ T295]
[ 28.767499][ T295] __dump_stack+0x21/0x30
[ 28.771830][ T295] dump_stack_lvl+0xee/0x150
[ 28.776423][ T295] ? show_regs_print_info+0x20/0x20
[ 28.781620][ T295] dump_stack+0x15/0x20
[ 28.785774][ T295] should_fail+0x3c1/0x510
[ 28.790195][ T295] __should_failslab+0xa4/0xe0
[ 28.794978][ T295] should_failslab+0x9/0x20
[ 28.799485][ T295] slab_pre_alloc_hook+0x3b/0xe0
[ 28.804422][ T295] kmem_cache_alloc_trace+0x48/0x270
[ 28.809732][ T295] ? sk_psock_skb_ingress_self+0x5f/0x330
[ 28.815457][ T295] ? migrate_disable+0x180/0x180
[ 28.820395][ T295] sk_psock_skb_ingress_self+0x5f/0x330
[ 28.825939][ T295] ? migrate_disable+0xd6/0x180
[ 28.830786][ T295] sk_psock_verdict_recv+0x636/0x800
[ 28.836073][ T295] unix_read_sock+0x10a/0x2c0
[ 28.840751][ T295] ? sk_psock_skb_redirect+0x440/0x440
[ 28.846207][ T295] ? unix_stream_splice_actor+0x120/0x120
[ 28.851926][ T295] ? __kasan_check_write+0x14/0x20
[ 28.857041][ T295] ? unix_stream_splice_actor+0x120/0x120
[ 28.862759][ T295] sk_psock_verdict_data_ready+0x115/0x170
[ 28.868566][ T295] ? sk_psock_start_verdict+0xc0/0xc0
[ 28.873934][ T295] ? _raw_spin_lock+0x8e/0xe0
[ 28.878613][ T295] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 28.884418][ T295] ? skb_queue_tail+0xcb/0xf0
[ 28.889113][ T295] unix_dgram_sendmsg+0x11e6/0x1880
[ 28.894333][ T295] ? unix_dgram_poll+0x6b0/0x6b0
[ 28.899274][ T295] ? newidle_balance+0x6a8/0xcc0
[ 28.904215][ T295] ? security_socket_sendmsg+0x82/0xa0
[ 28.909673][ T295] ? unix_dgram_poll+0x6b0/0x6b0
[ 28.914611][ T295] ____sys_sendmsg+0x5a2/0x8c0
[ 28.919379][ T295] ? __sys_sendmsg_sock+0x40/0x40
[ 28.924403][ T295] ? import_iovec+0x7c/0xb0
[ 28.928904][ T295] ___sys_sendmsg+0x1f0/0x260
[ 28.933588][ T295] ? _raw_spin_unlock+0x4d/0x70
[ 28.938441][ T295] ? __sys_sendmsg+0x250/0x250
[ 28.943220][ T295] ? __schedule+0xb76/0x14c0
[ 28.947810][ T295] ? _raw_spin_lock_irqsave+0x110/0x110
[ 28.953354][ T295] ? cgroup_update_frozen+0x15c/0x970
[ 28.958731][ T295] ? ptrace_stop+0x6f4/0xa80
[ 28.963324][ T295] ? __kasan_check_read+0x11/0x20
[ 28.968356][ T295] ? __fdget+0x15b/0x230
[ 28.972604][ T295] __x64_sys_sendmsg+0x1e2/0x2a0
[ 28.977538][ T295] ? ___sys_sendmsg+0x260/0x260
[ 28.982387][ T295] ? __kasan_check_write+0x14/0x20
[ 28.987494][ T295] ? switch_fpu_return+0x15d/0x2c0
[ 28.992608][ T295] x64_sys_call+0x4b/0x9a0
[ 28.997023][ T295] do_syscall_64+0x4c/0xa0
[ 29.001437][ T295] ? clear_bhb_loop+0x50/0xa0
[ 29.006115][ T295] ? clear_bhb_loop+0x50/0xa0
[ 29.010785][ T295] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 29.016681][ T295] RIP: 0033:0x7ff7e8c09b29
[ 29.021092][ T295] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[pid 295] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 295] exit_group(0) = ?
[ 29.040693][ T295] RSP: 002b:00007fff7b2d80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 29.049103][ T295] RAX: ffffffffffffffda RBX: 00007fff7b2d80c0 RCX: 00007ff7e8c09b29
[ 29.057070][ T295] RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004
[ 29.065038][ T295] RBP: 0000000000000001 R08: 00007fff7b2d7e47 R09: 00000000000000a0
[ 29.073008][ T295] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 29.080977][ T295] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 29.088946][ T295]
[ 29.093055][ T295] ==================================================================
[ 29.101137][ T295] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x100/0x320
[ 29.109544][ T295]
[ 29.111857][ T295] CPU: 1 PID: 295 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 29.123471][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 29.133513][ T295] Call Trace:
[ 29.136780][ T295]
[ 29.139703][ T295] __dump_stack+0x21/0x30
[ 29.144023][ T295] dump_stack_lvl+0xee/0x150
[ 29.148607][ T295] ? show_regs_print_info+0x20/0x20
[ 29.153793][ T295] ? load_image+0x3a0/0x3a0
[ 29.158285][ T295] print_address_description+0x7f/0x2c0
[ 29.163823][ T295] ? kmem_cache_free+0x100/0x320
[ 29.168752][ T295] kasan_report_invalid_free+0x58/0x90
[ 29.174202][ T295] ? kmem_cache_free+0x100/0x320
[ 29.179129][ T295] ____kasan_slab_free+0x13d/0x160
[ 29.184230][ T295] __kasan_slab_free+0x11/0x20
[ 29.188984][ T295] slab_free_freelist_hook+0xc2/0x190
[ 29.194350][ T295] ? kfree_skbmem+0x10c/0x180
[ 29.199016][ T295] kmem_cache_free+0x100/0x320
[ 29.203779][ T295] ? skb_release_data+0x94f/0xa10
[ 29.208792][ T295] kfree_skbmem+0x10c/0x180
[ 29.213287][ T295] consume_skb+0xb3/0x1f0
[ 29.217603][ T295] __sk_msg_free+0x4f4/0x560
[ 29.222183][ T295] ? _raw_spin_lock_bh+0x8e/0xe0
[ 29.227115][ T295] ? _raw_spin_lock_irq+0xe0/0xe0
[ 29.232130][ T295] ? skb_dequeue+0x125/0x160
[ 29.236706][ T295] sk_psock_stop+0x4c9/0x570
[ 29.241288][ T295] ? sock_no_sendpage_locked+0x130/0x130
[ 29.246911][ T295] sk_psock_drop+0x226/0x300
[ 29.251493][ T295] sock_map_unref+0x3c2/0x420
[ 29.256161][ T295] ? sk_psock_link_pop+0x154/0x170
[ 29.261260][ T295] sock_map_remove_links+0x3cd/0x600
[ 29.266535][ T295] ? sock_init_data+0xc0/0xc0
[ 29.271205][ T295] ? sock_map_unhash+0x130/0x130
[ 29.276131][ T295] sock_map_close+0x111/0x440
[ 29.280797][ T295] ? unix_peer_get+0xe0/0xe0
[ 29.285380][ T295] ? sock_map_remove_links+0x600/0x600
[ 29.290940][ T295] ? clear_nonspinnable+0x60/0x60
[ 29.295956][ T295] ? security_file_free+0xc7/0xe0
[ 29.300974][ T295] unix_release+0x82/0xc0
[ 29.305294][ T295] sock_close+0xe0/0x270
[ 29.309524][ T295] ? sock_mmap+0xa0/0xa0
[ 29.313756][ T295] __fput+0x20b/0x8b0
[ 29.317732][ T295] ____fput+0x15/0x20
[ 29.321701][ T295] task_work_run+0x127/0x190
[ 29.326283][ T295] do_exit+0xa76/0x27a0
[ 29.330434][ T295] ? ptrace_stop+0x6f4/0xa80
[ 29.335020][ T295] ? put_task_struct+0x90/0x90
[ 29.339772][ T295] ? ptrace_notify+0x1c4/0x250
[ 29.344526][ T295] ? do_notify_parent+0x800/0x800
[ 29.349543][ T295] do_group_exit+0x141/0x310
[ 29.354124][ T295] ? debug_smp_processor_id+0x17/0x20
[ 29.359487][ T295] __x64_sys_exit_group+0x3f/0x40
[ 29.364499][ T295] x64_sys_call+0x832/0x9a0
[ 29.368993][ T295] do_syscall_64+0x4c/0xa0
[ 29.373399][ T295] ? clear_bhb_loop+0x50/0xa0
[ 29.378063][ T295] ? clear_bhb_loop+0x50/0xa0
[ 29.382727][ T295] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 29.388609][ T295] RIP: 0033:0x7ff7e8c07c79
[ 29.393017][ T295] Code: Unable to access opcode bytes at RIP 0x7ff7e8c07c4f.
[ 29.400369][ T295] RSP: 002b:00007fff7b2d8048 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 29.408771][ T295] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff7e8c07c79
[ 29.416735][ T295] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 29.424694][ T295] RBP: 00007ff7e8c7b390 R08: ffffffffffffffb8 R09: 00000000000000a0
[ 29.432654][ T295] R10: 0000000000000001 R11: 0000000000000246 R12: 00007ff7e8c7b390
[ 29.440615][ T295] R13: 0000000000000000 R14: 00007ff7e8c7bde0 R15: 00007ff7e8bd1320
[ 29.448580][ T295]
[ 29.451589][ T295]
[ 29.453928][ T295] Allocated by task 295:
[ 29.458152][ T295] __kasan_slab_alloc+0xbd/0xf0
[ 29.462997][ T295] slab_post_alloc_hook+0x4f/0x2b0
[ 29.468119][ T295] kmem_cache_alloc+0xf7/0x260
[ 29.472871][ T295] skb_clone+0x1cf/0x360
[ 29.477104][ T295] sk_psock_verdict_recv+0x53/0x800
[ 29.482296][ T295] unix_read_sock+0x10a/0x2c0
[ 29.486964][ T295] sk_psock_verdict_data_ready+0x115/0x170
[ 29.492765][ T295] unix_dgram_sendmsg+0x11e6/0x1880
[ 29.497949][ T295] ____sys_sendmsg+0x5a2/0x8c0
[ 29.502700][ T295] ___sys_sendmsg+0x1f0/0x260
[ 29.507362][ T295] __x64_sys_sendmsg+0x1e2/0x2a0
[ 29.512286][ T295] x64_sys_call+0x4b/0x9a0
[ 29.516690][ T295] do_syscall_64+0x4c/0xa0
[ 29.521104][ T295] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 29.526988][ T295]
[ 29.529308][ T295] Freed by task 290:
[ 29.533191][ T295] kasan_set_track+0x4a/0x70
[ 29.537772][ T295] kasan_set_free_info+0x23/0x40
[ 29.542724][ T295] ____kasan_slab_free+0x125/0x160
[ 29.547910][ T295] __kasan_slab_free+0x11/0x20
[ 29.552662][ T295] slab_free_freelist_hook+0xc2/0x190
[ 29.558026][ T295] kmem_cache_free+0x100/0x320
[ 29.562778][ T295] kfree_skbmem+0x10c/0x180
[ 29.567266][ T295] kfree_skb+0xc1/0x2f0
[ 29.571407][ T295] sk_psock_backlog+0xa85/0xd80
[ 29.576244][ T295] process_one_work+0x6be/0xba0
[ 29.581087][ T295] worker_thread+0xa59/0x1200
[ 29.585753][ T295] kthread+0x411/0x500
[ 29.589808][ T295] ret_from_fork+0x1f/0x30
[ 29.594211][ T295]
[ 29.596522][ T295] The buggy address belongs to the object at ffff888126a9a280
[ 29.596522][ T295] which belongs to the cache skbuff_head_cache of size 248
[ 29.611171][ T295] The buggy address is located 0 bytes inside of
[ 29.611171][ T295] 248-byte region [ffff888126a9a280, ffff888126a9a378)
[ 29.624256][ T295] The buggy address belongs to the page:
[ 29.629867][ T295] page:ffffea00049aa680 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x126a9a
[ 29.640091][ T295] flags: 0x4000000000000200(slab|zone=1)
[ 29.645718][ T295] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081aaa80
[ 29.654302][ T295] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 29.662875][ T295] page dumped because: kasan: bad access detected
[ 29.669282][ T295] page_owner tracks the page as allocated
[ 29.674985][ T295] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 284, ts 28726170529, free_ts 28723782629
[ 29.690958][ T295] post_alloc_hook+0x192/0x1b0
[ 29.695718][ T295] prep_new_page+0x1c/0x110
[ 29.700236][ T295] get_page_from_freelist+0x2cc5/0x2d50
[ 29.705771][ T295] __alloc_pages+0x18f/0x440
[ 29.710350][ T295] new_slab+0xa1/0x4d0
[ 29.714408][ T295] ___slab_alloc+0x381/0x810
[ 29.718986][ T295] __slab_alloc+0x49/0x90
[ 29.723305][ T295] kmem_cache_alloc+0x138/0x260
[ 29.728144][ T295] skb_clone+0x1cf/0x360
[ 29.732373][ T295] dev_queue_xmit_nit+0x269/0xa40
[ 29.737386][ T295] dev_hard_start_xmit+0x163/0x670
[ 29.742491][ T295] sch_direct_xmit+0x267/0x8d0
[ 29.747255][ T295] __dev_queue_xmit+0x1523/0x2d80
[ 29.752273][ T295] dev_queue_xmit+0x17/0x20
[ 29.756771][ T295] ip_finish_output2+0xb7c/0xe60
[ 29.761706][ T295] __ip_finish_output+0x161/0x360
[ 29.766721][ T295] page last free stack trace:
[ 29.771380][ T295] free_unref_page_prepare+0x542/0x550
[ 29.776827][ T295] free_unref_page+0xa2/0x550
[ 29.781489][ T295] __free_pages+0x6c/0x100
[ 29.785891][ T295] __vunmap+0x84d/0x9e0
[ 29.790035][ T295] vfree+0x8b/0xc0
[ 29.793742][ T295] bpf_patch_insn_data+0x83f/0xe40
[ 29.798840][ T295] bpf_check+0x623d/0xf330
[ 29.803243][ T295] bpf_prog_load+0x1042/0x1550
[ 29.807993][ T295] __sys_bpf+0x4c3/0x730
[ 29.812221][ T295] __x64_sys_bpf+0x7c/0x90
[ 29.816638][ T295] x64_sys_call+0x4b9/0x9a0
[ 29.821125][ T295] do_syscall_64+0x4c/0xa0
[ 29.825528][ T295] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 29.831412][ T295]
[ 29.833720][ T295] Memory state around the buggy address:
[ 29.839343][ T295] ffff888126a9a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[pid 295] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=295, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555c781650) = 296
./strace-static-x86_64: Process 296 attached
[pid 296] set_robust_list(0x55555c781660, 24) = 0
[pid 296] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 296] setpgid(0, 0) = 0
[pid 296] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 296] write(3, "1000", 4) = 4
[pid 296] close(3) = 0
[pid 296] write(1, "executing program\n", 18executing program
) = 18
[pid 296] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x200000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 296] close(3) = 0
[pid 296] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 296] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x200000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 296] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 296] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 296] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x200000000000, value=0x200000000080, flags=BPF_ANY}, 32) = 0
[pid 296] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 296] write(7, "5", 1) = 1
[ 29.847389][ T295] ffff888126a9a200: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 29.855438][ T295] >ffff888126a9a280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.863479][ T295] ^
[ 29.867528][ T295] ffff888126a9a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 29.875573][ T295] ffff888126a9a380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 29.883618][ T295] ==================================================================
[ 29.912512][ T296] FAULT_INJECTION: forcing a failure.
[ 29.912512][ T296] name failslab, interval 1, probability 0, space 0, times 0
[ 29.925316][ T296] CPU: 0 PID: 296 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 29.936951][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 29.947002][ T296] Call Trace:
[ 29.950272][ T296]
[ 29.953194][ T296] __dump_stack+0x21/0x30
[ 29.957520][ T296] dump_stack_lvl+0xee/0x150
[ 29.962101][ T296] ? show_regs_print_info+0x20/0x20
[ 29.967292][ T296] dump_stack+0x15/0x20
[ 29.971443][ T296] should_fail+0x3c1/0x510
[ 29.975856][ T296] __should_failslab+0xa4/0xe0
[ 29.980614][ T296] should_failslab+0x9/0x20
[ 29.985109][ T296] slab_pre_alloc_hook+0x3b/0xe0
[ 29.990042][ T296] kmem_cache_alloc_trace+0x48/0x270
[ 29.995329][ T296] ? sk_psock_skb_ingress_self+0x5f/0x330
[ 30.001043][ T296] ? migrate_disable+0x180/0x180
[ 30.005973][ T296] sk_psock_skb_ingress_self+0x5f/0x330
[ 30.011513][ T296] ? migrate_disable+0xd6/0x180
[ 30.016376][ T296] sk_psock_verdict_recv+0x636/0x800
[ 30.021652][ T296] unix_read_sock+0x10a/0x2c0
[ 30.026321][ T296] ? sk_psock_skb_redirect+0x440/0x440
[ 30.031772][ T296] ? unix_stream_splice_actor+0x120/0x120
[ 30.037657][ T296] ? __kasan_check_write+0x14/0x20
[ 30.042760][ T296] ? unix_stream_splice_actor+0x120/0x120
[ 30.048472][ T296] sk_psock_verdict_data_ready+0x115/0x170
[ 30.054273][ T296] ? sk_psock_start_verdict+0xc0/0xc0
[ 30.059635][ T296] ? _raw_spin_lock+0x8e/0xe0
[ 30.064301][ T296] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 30.070098][ T296] ? skb_queue_tail+0xcb/0xf0
[ 30.074772][ T296] unix_dgram_sendmsg+0x11e6/0x1880
[ 30.079982][ T296] ? unix_dgram_poll+0x6b0/0x6b0
[ 30.084909][ T296] ? newidle_balance+0x6a8/0xcc0
[ 30.089856][ T296] ? security_socket_sendmsg+0x82/0xa0
[ 30.095308][ T296] ? unix_dgram_poll+0x6b0/0x6b0
[ 30.100239][ T296] ____sys_sendmsg+0x5a2/0x8c0
[ 30.104994][ T296] ? __sys_sendmsg_sock+0x40/0x40
[ 30.110015][ T296] ? import_iovec+0x7c/0xb0
[ 30.114513][ T296] ___sys_sendmsg+0x1f0/0x260
[ 30.119178][ T296] ? _raw_spin_unlock+0x4d/0x70
[ 30.124027][ T296] ? __sys_sendmsg+0x250/0x250
[ 30.128777][ T296] ? __schedule+0xb76/0x14c0
[ 30.133356][ T296] ? _raw_spin_lock_irqsave+0x110/0x110
[ 30.138891][ T296] ? cgroup_update_frozen+0x15c/0x970
[ 30.144252][ T296] ? ptrace_stop+0x6f4/0xa80
[ 30.148831][ T296] ? __kasan_check_read+0x11/0x20
[ 30.153842][ T296] ? __fdget+0x15b/0x230
[ 30.158073][ T296] __x64_sys_sendmsg+0x1e2/0x2a0
[ 30.163000][ T296] ? ___sys_sendmsg+0x260/0x260
[ 30.167841][ T296] ? __kasan_check_write+0x14/0x20
[ 30.172950][ T296] ? switch_fpu_return+0x15d/0x2c0
[ 30.178054][ T296] x64_sys_call+0x4b/0x9a0
[ 30.182461][ T296] do_syscall_64+0x4c/0xa0
[ 30.186869][ T296] ? clear_bhb_loop+0x50/0xa0
[ 30.191537][ T296] ? clear_bhb_loop+0x50/0xa0
[ 30.196203][ T296] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 30.202088][ T296] RIP: 0033:0x7ff7e8c09b29
[ 30.206494][ T296] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 30.226098][ T296] RSP: 002b:00007fff7b2d80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 30.234505][ T296] RAX: ffffffffffffffda RBX: 00007fff7b2d80c0 RCX: 00007ff7e8c09b29
[ 30.242468][ T296] RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004
[ 30.250429][ T296] RBP: 0000000000000001 R08: 00007fff7b2d7e47 R09: 00000000000000a0
[pid 296] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 296] exit_group(0) = ?
[ 30.258389][ T296] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 30.266354][ T296] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 30.274406][ T296]
[ 30.279931][ T290] ==================================================================
[ 30.287998][ T290] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x100/0x320
[ 30.296406][ T290]
[ 30.298718][ T290] CPU: 1 PID: 290 Comm: kworker/1:2 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[pid 296] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=296, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555c781650) = 297
./strace-static-x86_64: Process 297 attached
[pid 297] set_robust_list(0x55555c781660, 24) = 0
[pid 297] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 297] setpgid(0, 0) = 0
[pid 297] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 297] write(3, "1000", 4) = 4
[pid 297] close(3) = 0
executing program
[pid 297] write(1, "executing program\n", 18) = 18
[ 30.309982][ T290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 30.320025][ T290] Workqueue: events bpf_map_free_deferred
[ 30.325750][ T290] Call Trace:
[ 30.329043][ T290]
[ 30.331976][ T290] __dump_stack+0x21/0x30
[ 30.336306][ T290] dump_stack_lvl+0xee/0x150
[ 30.340892][ T290] ? show_regs_print_info+0x20/0x20
[ 30.346104][ T290] ? load_image+0x3a0/0x3a0
[ 30.350607][ T290] print_address_description+0x7f/0x2c0
[ 30.356151][ T290] ? kmem_cache_free+0x100/0x320
[ 30.361094][ T290] kasan_report_invalid_free+0x58/0x90
[ 30.366549][ T290] ? kmem_cache_free+0x100/0x320
[ 30.371494][ T290] ____kasan_slab_free+0x13d/0x160
[ 30.376601][ T290] __kasan_slab_free+0x11/0x20
[ 30.381362][ T290] slab_free_freelist_hook+0xc2/0x190
[ 30.386735][ T290] ? kfree_skbmem+0x10c/0x180
[ 30.391409][ T290] kmem_cache_free+0x100/0x320
[ 30.396178][ T290] ? skb_release_data+0x94f/0xa10
[ 30.401201][ T290] kfree_skbmem+0x10c/0x180
[ 30.405699][ T290] consume_skb+0xb3/0x1f0
[ 30.410029][ T290] __sk_msg_free+0x4f4/0x560
[ 30.414613][ T290] ? _raw_spin_lock_bh+0x8e/0xe0
[ 30.419549][ T290] ? _raw_spin_lock_irq+0xe0/0xe0
[ 30.424571][ T290] ? skb_dequeue+0x125/0x160
[ 30.429159][ T290] sk_psock_stop+0x4c9/0x570
[ 30.433746][ T290] ? sock_no_sendpage_locked+0x130/0x130
[ 30.439376][ T290] sk_psock_drop+0x226/0x300
[ 30.443967][ T290] sock_map_unref+0x3c2/0x420
[ 30.448639][ T290] sock_map_free+0x134/0x2a0
[ 30.453224][ T290] bpf_map_free_deferred+0x10e/0x1e0
[ 30.458504][ T290] process_one_work+0x6be/0xba0
[ 30.463350][ T290] worker_thread+0xa59/0x1200
[ 30.468028][ T290] ? _raw_spin_lock_irqsave+0xb0/0x110
[ 30.473491][ T290] ? __kthread_parkme+0xac/0x200
[ 30.478429][ T290] kthread+0x411/0x500
[ 30.482492][ T290] ? worker_clr_flags+0x190/0x190
[ 30.487524][ T290] ? kthread_blkcg+0xd0/0xd0
[ 30.492108][ T290] ret_from_fork+0x1f/0x30
[ 30.496524][ T290]
[ 30.499550][ T290]
[ 30.501868][ T290] Allocated by task 296:
[ 30.506108][ T290] __kasan_slab_alloc+0xbd/0xf0
[ 30.510955][ T290] slab_post_alloc_hook+0x4f/0x2b0
[ 30.516064][ T290] kmem_cache_alloc+0xf7/0x260
[ 30.520823][ T290] skb_clone+0x1cf/0x360
[ 30.525060][ T290] sk_psock_verdict_recv+0x53/0x800
[ 30.530261][ T290] unix_read_sock+0x10a/0x2c0
[ 30.534948][ T290] sk_psock_verdict_data_ready+0x115/0x170
[ 30.540753][ T290] unix_dgram_sendmsg+0x11e6/0x1880
[ 30.545946][ T290] ____sys_sendmsg+0x5a2/0x8c0
[ 30.550702][ T290] ___sys_sendmsg+0x1f0/0x260
[ 30.555368][ T290] __x64_sys_sendmsg+0x1e2/0x2a0
[ 30.560322][ T290] x64_sys_call+0x4b/0x9a0
[ 30.564739][ T290] do_syscall_64+0x4c/0xa0
[ 30.569160][ T290] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 30.575058][ T290]
[ 30.577382][ T290] Freed by task 20:
[ 30.581180][ T290] kasan_set_track+0x4a/0x70
[ 30.585765][ T290] kasan_set_free_info+0x23/0x40
[ 30.590700][ T290] ____kasan_slab_free+0x125/0x160
[ 30.595810][ T290] __kasan_slab_free+0x11/0x20
[ 30.600568][ T290] slab_free_freelist_hook+0xc2/0x190
[ 30.605937][ T290] kmem_cache_free+0x100/0x320
[ 30.610702][ T290] kfree_skbmem+0x10c/0x180
[ 30.615201][ T290] kfree_skb+0xc1/0x2f0
[ 30.619349][ T290] sk_psock_backlog+0xa85/0xd80
[ 30.624206][ T290] process_one_work+0x6be/0xba0
[ 30.629066][ T290] worker_thread+0xa59/0x1200
[ 30.633748][ T290] kthread+0x411/0x500
[ 30.637816][ T290] ret_from_fork+0x1f/0x30
[ 30.642228][ T290]
[ 30.644552][ T290] The buggy address belongs to the object at ffff888126c54500
[ 30.644552][ T290] which belongs to the cache skbuff_head_cache of size 248
[ 30.659118][ T290] The buggy address is located 0 bytes inside of
[ 30.659118][ T290] 248-byte region [ffff888126c54500, ffff888126c545f8)
[ 30.672232][ T290] The buggy address belongs to the page:
[ 30.677850][ T290] page:ffffea00049b1500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x126c54
[ 30.688084][ T290] flags: 0x4000000000000200(slab|zone=1)
[ 30.693731][ T290] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081aaa80
[ 30.702307][ T290] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 30.710887][ T290] page dumped because: kasan: bad access detected
[ 30.717291][ T290] page_owner tracks the page as allocated
[ 30.722994][ T290] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 284, ts 29909747524, free_ts 23485966533
[ 30.738972][ T290] post_alloc_hook+0x192/0x1b0
[ 30.743732][ T290] prep_new_page+0x1c/0x110
[ 30.748253][ T290] get_page_from_freelist+0x2cc5/0x2d50
[ 30.753796][ T290] __alloc_pages+0x18f/0x440
[ 30.758401][ T290] new_slab+0xa1/0x4d0
[ 30.762464][ T290] ___slab_alloc+0x381/0x810
[ 30.767047][ T290] __slab_alloc+0x49/0x90
[ 30.771461][ T290] kmem_cache_alloc+0x138/0x260
[ 30.776306][ T290] skb_clone+0x1cf/0x360
[ 30.780542][ T290] dev_queue_xmit_nit+0x269/0xa40
[ 30.785563][ T290] dev_hard_start_xmit+0x163/0x670
[ 30.790673][ T290] sch_direct_xmit+0x267/0x8d0
[ 30.795435][ T290] __dev_queue_xmit+0x1523/0x2d80
[ 30.800455][ T290] dev_queue_xmit+0x17/0x20
[ 30.804957][ T290] ip_finish_output2+0xb7c/0xe60
[ 30.809894][ T290] __ip_finish_output+0x161/0x360
[ 30.814929][ T290] page last free stack trace:
[ 30.819596][ T290] __free_pages_ok+0x91a/0x9e0
[ 30.824361][ T290] __free_pages+0xf6/0x100
[ 30.828771][ T290] free_nonslab_page+0x86/0xc0
[ 30.833533][ T290] kfree+0x19a/0x270
[ 30.837429][ T290] kvfree+0x35/0x40
[ 30.841229][ T290] btf_check_all_metas+0x5f1/0xa70
[ 30.846336][ T290] btf_parse_vmlinux+0x3f4/0xdf0
[ 30.851270][ T290] bpf_check+0x640/0xf330
[ 30.855596][ T290] bpf_prog_load+0x1042/0x1550
[ 30.860357][ T290] __sys_bpf+0x4c3/0x730
[ 30.864595][ T290] __x64_sys_bpf+0x7c/0x90
[ 30.869005][ T290] x64_sys_call+0x4b9/0x9a0
[ 30.873502][ T290] do_syscall_64+0x4c/0xa0
[ 30.877915][ T290] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 30.883817][ T290]
[ 30.886133][ T290] Memory state around the buggy address:
[ 30.891753][ T290] ffff888126c54400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.899810][ T290] ffff888126c54480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 30.907885][ T290] >ffff888126c54500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[pid 297] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x200000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 297] close(3) = 0
[pid 297] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 297] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x200000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 297] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 297] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 297] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x200000000000, value=0x200000000080, flags=BPF_ANY}, 32) = 0
[pid 297] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 297] write(7, "5", 1) = 1
[ 30.915941][ T290] ^
[ 30.920002][ T290] ffff888126c54580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 30.928055][ T290] ffff888126c54600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 30.936104][ T290] ==================================================================
[ 30.949944][ T297] FAULT_INJECTION: forcing a failure.
[ 30.949944][ T297] name failslab, interval 1, probability 0, space 0, times 0
[ 30.962659][ T297] CPU: 0 PID: 297 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 30.974302][ T297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 30.984351][ T297] Call Trace:
[ 30.987623][ T297]
[ 30.990542][ T297] __dump_stack+0x21/0x30
[ 30.994863][ T297] dump_stack_lvl+0xee/0x150
[ 30.999441][ T297] ? show_regs_print_info+0x20/0x20
[ 31.004630][ T297] dump_stack+0x15/0x20
[ 31.008783][ T297] should_fail+0x3c1/0x510
[ 31.013188][ T297] __should_failslab+0xa4/0xe0
[ 31.017948][ T297] should_failslab+0x9/0x20
[ 31.022442][ T297] slab_pre_alloc_hook+0x3b/0xe0
[ 31.027369][ T297] kmem_cache_alloc_trace+0x48/0x270
[ 31.032648][ T297] ? sk_psock_skb_ingress_self+0x5f/0x330
[ 31.038361][ T297] ? migrate_disable+0x180/0x180
[ 31.043290][ T297] sk_psock_skb_ingress_self+0x5f/0x330
[ 31.048823][ T297] ? migrate_disable+0xd6/0x180
[ 31.053661][ T297] sk_psock_verdict_recv+0x636/0x800
[ 31.058938][ T297] unix_read_sock+0x10a/0x2c0
[ 31.063605][ T297] ? sk_psock_skb_redirect+0x440/0x440
[ 31.069061][ T297] ? unix_stream_splice_actor+0x120/0x120
[ 31.074776][ T297] ? __kasan_check_write+0x14/0x20
[ 31.079873][ T297] ? unix_stream_splice_actor+0x120/0x120
[ 31.085584][ T297] sk_psock_verdict_data_ready+0x115/0x170
[ 31.091383][ T297] ? sk_psock_start_verdict+0xc0/0xc0
[ 31.096753][ T297] ? _raw_spin_lock+0x8e/0xe0
[ 31.101432][ T297] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 31.107250][ T297] ? skb_queue_tail+0xcb/0xf0
[ 31.111918][ T297] unix_dgram_sendmsg+0x11e6/0x1880
[ 31.117108][ T297] ? unix_dgram_poll+0x6b0/0x6b0
[ 31.122039][ T297] ? __update_load_avg_cfs_rq+0xaf/0x2f0
[ 31.127661][ T297] ? security_socket_sendmsg+0x82/0xa0
[ 31.133113][ T297] ? unix_dgram_poll+0x6b0/0x6b0
[ 31.138046][ T297] ____sys_sendmsg+0x5a2/0x8c0
[ 31.142799][ T297] ? __sys_sendmsg_sock+0x40/0x40
[ 31.147817][ T297] ? import_iovec+0x7c/0xb0
[ 31.152318][ T297] ___sys_sendmsg+0x1f0/0x260
[ 31.156993][ T297] ? _raw_spin_unlock+0x4d/0x70
[ 31.161859][ T297] ? __sys_sendmsg+0x250/0x250
[ 31.166612][ T297] ? __schedule+0xb76/0x14c0
[ 31.171192][ T297] ? _raw_spin_lock_irqsave+0x110/0x110
[ 31.176729][ T297] ? cgroup_update_frozen+0x15c/0x970
[ 31.182095][ T297] ? ptrace_stop+0x6f4/0xa80
[ 31.186679][ T297] ? __kasan_check_read+0x11/0x20
[ 31.191693][ T297] ? __fdget+0x15b/0x230
[ 31.195942][ T297] __x64_sys_sendmsg+0x1e2/0x2a0
[ 31.200872][ T297] ? ___sys_sendmsg+0x260/0x260
[ 31.205713][ T297] ? __kasan_check_write+0x14/0x20
[ 31.210816][ T297] ? switch_fpu_return+0x15d/0x2c0
[ 31.215920][ T297] x64_sys_call+0x4b/0x9a0
[ 31.220358][ T297] do_syscall_64+0x4c/0xa0
[ 31.224766][ T297] ? clear_bhb_loop+0x50/0xa0
[ 31.229464][ T297] ? clear_bhb_loop+0x50/0xa0
[ 31.234131][ T297] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 31.240017][ T297] RIP: 0033:0x7ff7e8c09b29
[ 31.244432][ T297] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[pid 297] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 297] exit_group(0) = ?
[ 31.264035][ T297] RSP: 002b:00007fff7b2d80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 31.272440][ T297] RAX: ffffffffffffffda RBX: 00007fff7b2d80c0 RCX: 00007ff7e8c09b29
[ 31.280417][ T297] RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004
[ 31.288397][ T297] RBP: 0000000000000001 R08: 00007fff7b2d7e47 R09: 00000000000000a0
[ 31.296359][ T297] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 31.304348][ T297] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 31.312315][ T297]
[ 31.316741][ T297] ==================================================================
[ 31.324830][ T297] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x100/0x320
[ 31.333267][ T297]
[ 31.335590][ T297] CPU: 0 PID: 297 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 31.347213][ T297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 31.357271][ T297] Call Trace:
[ 31.360545][ T297]
[ 31.363471][ T297] __dump_stack+0x21/0x30
[ 31.367805][ T297] dump_stack_lvl+0xee/0x150
[ 31.372391][ T297] ? show_regs_print_info+0x20/0x20
[ 31.377586][ T297] ? load_image+0x3a0/0x3a0
[ 31.382088][ T297] print_address_description+0x7f/0x2c0
[ 31.387639][ T297] ? kmem_cache_free+0x100/0x320
[ 31.392577][ T297] kasan_report_invalid_free+0x58/0x90
[ 31.398032][ T297] ? kmem_cache_free+0x100/0x320
[ 31.402978][ T297] ____kasan_slab_free+0x13d/0x160
[ 31.408086][ T297] __kasan_slab_free+0x11/0x20
[ 31.412854][ T297] slab_free_freelist_hook+0xc2/0x190
[ 31.418230][ T297] ? kfree_skbmem+0x10c/0x180
[ 31.422990][ T297] kmem_cache_free+0x100/0x320
[ 31.427762][ T297] ? skb_release_data+0x94f/0xa10
[ 31.432779][ T297] kfree_skbmem+0x10c/0x180
[ 31.437281][ T297] consume_skb+0xb3/0x1f0
[ 31.441609][ T297] __sk_msg_free+0x4f4/0x560
[ 31.446198][ T297] ? _raw_spin_lock_bh+0x8e/0xe0
[ 31.451134][ T297] ? _raw_spin_lock_irq+0xe0/0xe0
[ 31.456278][ T297] ? skb_dequeue+0x125/0x160
[ 31.460880][ T297] sk_psock_stop+0x4c9/0x570
[ 31.465476][ T297] ? sock_no_sendpage_locked+0x130/0x130
[ 31.471122][ T297] sk_psock_drop+0x226/0x300
[ 31.475746][ T297] sock_map_unref+0x3c2/0x420
[ 31.480434][ T297] ? sk_psock_link_pop+0x154/0x170
[ 31.485540][ T297] sock_map_remove_links+0x3cd/0x600
[ 31.490912][ T297] ? sock_init_data+0xc0/0xc0
[ 31.495598][ T297] ? sock_map_unhash+0x130/0x130
[ 31.500639][ T297] sock_map_close+0x111/0x440
[ 31.505321][ T297] ? unix_peer_get+0xe0/0xe0
[ 31.509917][ T297] ? sock_map_remove_links+0x600/0x600
[ 31.515379][ T297] ? clear_nonspinnable+0x60/0x60
[ 31.520409][ T297] ? security_file_free+0xc7/0xe0
[ 31.525437][ T297] unix_release+0x82/0xc0
[ 31.529769][ T297] sock_close+0xe0/0x270
[ 31.534011][ T297] ? sock_mmap+0xa0/0xa0
[ 31.538256][ T297] __fput+0x20b/0x8b0
[ 31.542242][ T297] ____fput+0x15/0x20
[ 31.546222][ T297] task_work_run+0x127/0x190
[ 31.550810][ T297] do_exit+0xa76/0x27a0
[ 31.555190][ T297] ? ptrace_stop+0x6f4/0xa80
[ 31.559817][ T297] ? put_task_struct+0x90/0x90
[ 31.564604][ T297] ? ptrace_notify+0x1c4/0x250
[ 31.569379][ T297] ? do_notify_parent+0x800/0x800
[ 31.574407][ T297] do_group_exit+0x141/0x310
[ 31.578996][ T297] ? debug_smp_processor_id+0x17/0x20
[ 31.584519][ T297] __x64_sys_exit_group+0x3f/0x40
[ 31.589547][ T297] x64_sys_call+0x832/0x9a0
[ 31.594049][ T297] do_syscall_64+0x4c/0xa0
[ 31.598459][ T297] ? clear_bhb_loop+0x50/0xa0
[ 31.603231][ T297] ? clear_bhb_loop+0x50/0xa0
[ 31.607914][ T297] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 31.613813][ T297] RIP: 0033:0x7ff7e8c07c79
[ 31.618225][ T297] Code: Unable to access opcode bytes at RIP 0x7ff7e8c07c4f.
[ 31.625582][ T297] RSP: 002b:00007fff7b2d8048 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 31.633993][ T297] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff7e8c07c79
[ 31.641966][ T297] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 31.649942][ T297] RBP: 00007ff7e8c7b390 R08: ffffffffffffffb8 R09: 00000000000000a0
[ 31.657925][ T297] R10: 0000000000000001 R11: 0000000000000246 R12: 00007ff7e8c7b390
[ 31.665899][ T297] R13: 0000000000000000 R14: 00007ff7e8c7bde0 R15: 00007ff7e8bd1320
[ 31.673904][ T297]
[ 31.676924][ T297]
[ 31.679245][ T297] Allocated by task 297:
[ 31.683475][ T297] __kasan_slab_alloc+0xbd/0xf0
[ 31.688326][ T297] slab_post_alloc_hook+0x4f/0x2b0
[ 31.693438][ T297] kmem_cache_alloc+0xf7/0x260
[ 31.698205][ T297] skb_clone+0x1cf/0x360
[ 31.702447][ T297] sk_psock_verdict_recv+0x53/0x800
[ 31.707644][ T297] unix_read_sock+0x10a/0x2c0
[ 31.712322][ T297] sk_psock_verdict_data_ready+0x115/0x170
[ 31.718139][ T297] unix_dgram_sendmsg+0x11e6/0x1880
[ 31.723343][ T297] ____sys_sendmsg+0x5a2/0x8c0
[ 31.728113][ T297] ___sys_sendmsg+0x1f0/0x260
[ 31.732793][ T297] __x64_sys_sendmsg+0x1e2/0x2a0
[ 31.737727][ T297] x64_sys_call+0x4b/0x9a0
[ 31.742141][ T297] do_syscall_64+0x4c/0xa0
[ 31.746565][ T297] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 31.752457][ T297]
[ 31.754783][ T297] Freed by task 20:
[ 31.758582][ T297] kasan_set_track+0x4a/0x70
[ 31.763165][ T297] kasan_set_free_info+0x23/0x40
[ 31.768097][ T297] ____kasan_slab_free+0x125/0x160
[ 31.773209][ T297] __kasan_slab_free+0x11/0x20
[ 31.777966][ T297] slab_free_freelist_hook+0xc2/0x190
[ 31.783340][ T297] kmem_cache_free+0x100/0x320
[ 31.788103][ T297] kfree_skbmem+0x10c/0x180
[ 31.792601][ T297] kfree_skb+0xc1/0x2f0
[ 31.796751][ T297] sk_psock_backlog+0xa85/0xd80
[ 31.801594][ T297] process_one_work+0x6be/0xba0
[ 31.806445][ T297] worker_thread+0xa59/0x1200
[ 31.811124][ T297] kthread+0x411/0x500
[ 31.815192][ T297] ret_from_fork+0x1f/0x30
[ 31.819605][ T297]
[ 31.821920][ T297] The buggy address belongs to the object at ffff888101dbddc0
[ 31.821920][ T297] which belongs to the cache skbuff_head_cache of size 248
[ 31.836487][ T297] The buggy address is located 0 bytes inside of
[ 31.836487][ T297] 248-byte region [ffff888101dbddc0, ffff888101dbdeb8)
[ 31.849599][ T297] The buggy address belongs to the page:
[ 31.855222][ T297] page:ffffea0004076f40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101dbd
[ 31.865453][ T297] flags: 0x4000000000000200(slab|zone=1)
[ 31.871090][ T297] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081aaa80
[ 31.879689][ T297] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 31.888262][ T297] page dumped because: kasan: bad access detected
[ 31.894681][ T297] page_owner tracks the page as allocated
[ 31.900384][ T297] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 284, ts 30948717459, free_ts 30947632195
[ 31.916347][ T297] post_alloc_hook+0x192/0x1b0
[ 31.921111][ T297] prep_new_page+0x1c/0x110
[ 31.925612][ T297] get_page_from_freelist+0x2cc5/0x2d50
[ 31.931155][ T297] __alloc_pages+0x18f/0x440
[ 31.935743][ T297] new_slab+0xa1/0x4d0
[ 31.939814][ T297] ___slab_alloc+0x381/0x810
[ 31.944402][ T297] __slab_alloc+0x49/0x90
[ 31.948726][ T297] kmem_cache_alloc+0x138/0x260
[ 31.953573][ T297] skb_clone+0x1cf/0x360
[ 31.957813][ T297] dev_queue_xmit_nit+0x269/0xa40
[ 31.962833][ T297] dev_hard_start_xmit+0x163/0x670
[ 31.967941][ T297] sch_direct_xmit+0x267/0x8d0
[ 31.972701][ T297] __dev_queue_xmit+0x1523/0x2d80
[ 31.977723][ T297] dev_queue_xmit+0x17/0x20
[ 31.982221][ T297] ip_finish_output2+0xb7c/0xe60
[ 31.987155][ T297] __ip_finish_output+0x161/0x360
[ 31.992178][ T297] page last free stack trace:
[ 31.996843][ T297] free_unref_page_prepare+0x542/0x550
[ 32.002299][ T297] free_unref_page+0xa2/0x550
[ 32.006973][ T297] __free_pages+0x6c/0x100
[ 32.011385][ T297] __free_slab+0xe8/0x1e0
[ 32.015717][ T297] discard_slab+0x29/0x40
[ 32.020050][ T297] __slab_free+0x211/0x290
[ 32.024461][ T297] ___cache_free+0x104/0x120
[ 32.029055][ T297] qlink_free+0x4d/0x90
[ 32.033209][ T297] qlist_free_all+0x5f/0xb0
[ 32.037708][ T297] kasan_quarantine_reduce+0x14a/0x170
[ 32.043164][ T297] __kasan_slab_alloc+0x2f/0xf0
[ 32.048008][ T297] slab_post_alloc_hook+0x4f/0x2b0
[ 32.053123][ T297] kmem_cache_alloc+0xf7/0x260
[ 32.057880][ T297] __alloc_skb+0xe0/0x740
[ 32.062205][ T297] sk_stream_alloc_skb+0x21a/0xb60
[ 32.067309][ T297] tcp_sendmsg_locked+0xc3e/0x3590
[ 32.072417][ T297]
[ 32.074735][ T297] Memory state around the buggy address:
[ 32.080358][ T297] ffff888101dbdc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.088424][ T297] ffff888101dbdd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 32.096478][ T297] >ffff888101dbdd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 32.104537][ T297] ^
[ 32.110684][ T297] ffff888101dbde00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[pid 297] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=297, si_uid=0, si_status=0, si_utime=0, si_stime=64} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555c781650) = 298
./strace-static-x86_64: Process 298 attached
[pid 298] set_robust_list(0x55555c781660, 24) = 0
[pid 298] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 298] setpgid(0, 0) = 0
[pid 298] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 298] write(3, "1000", 4) = 4
[pid 298] close(3executing program
) = 0
[pid 298] write(1, "executing program\n", 18) = 18
[pid 298] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x200000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 298] close(3) = 0
[pid 298] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 298] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x200000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 298] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 298] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 298] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x200000000000, value=0x200000000080, flags=BPF_ANY}, 32) = 0
[pid 298] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 298] write(7, "5", 1) = 1
[ 32.118763][ T297] ffff888101dbde80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 32.126815][ T297] ==================================================================
[ 32.141467][ T298] FAULT_INJECTION: forcing a failure.
[ 32.141467][ T298] name failslab, interval 1, probability 0, space 0, times 0
[ 32.154268][ T298] CPU: 1 PID: 298 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 32.165922][ T298] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 32.175968][ T298] Call Trace:
[ 32.179237][ T298]
[ 32.182158][ T298] __dump_stack+0x21/0x30
[ 32.186487][ T298] dump_stack_lvl+0xee/0x150
[ 32.191067][ T298] ? show_regs_print_info+0x20/0x20
[ 32.196255][ T298] dump_stack+0x15/0x20
[ 32.200402][ T298] should_fail+0x3c1/0x510
[ 32.204818][ T298] __should_failslab+0xa4/0xe0
[ 32.209575][ T298] should_failslab+0x9/0x20
[ 32.214069][ T298] slab_pre_alloc_hook+0x3b/0xe0
[ 32.219000][ T298] kmem_cache_alloc_trace+0x48/0x270
[ 32.224275][ T298] ? sk_psock_skb_ingress_self+0x5f/0x330
[ 32.229984][ T298] ? migrate_disable+0x180/0x180
[ 32.234917][ T298] sk_psock_skb_ingress_self+0x5f/0x330
[ 32.240454][ T298] sk_psock_verdict_recv+0x636/0x800
[ 32.245733][ T298] unix_read_sock+0x10a/0x2c0
[ 32.250408][ T298] ? sk_psock_skb_redirect+0x440/0x440
[ 32.255857][ T298] ? unix_stream_splice_actor+0x120/0x120
[ 32.261571][ T298] ? __kasan_check_write+0x14/0x20
[ 32.266679][ T298] ? unix_stream_splice_actor+0x120/0x120
[ 32.272389][ T298] sk_psock_verdict_data_ready+0x115/0x170
[ 32.278191][ T298] ? sk_psock_start_verdict+0xc0/0xc0
[ 32.283553][ T298] ? _raw_spin_lock+0x8e/0xe0
[ 32.288221][ T298] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 32.294054][ T298] ? skb_queue_tail+0xcb/0xf0
[ 32.298723][ T298] unix_dgram_sendmsg+0x11e6/0x1880
[ 32.303921][ T298] ? unix_dgram_poll+0x6b0/0x6b0
[ 32.308849][ T298] ? __update_load_avg_cfs_rq+0xaf/0x2f0
[ 32.314472][ T298] ? security_socket_sendmsg+0x82/0xa0
[ 32.319925][ T298] ? unix_dgram_poll+0x6b0/0x6b0
[ 32.324858][ T298] ____sys_sendmsg+0x5a2/0x8c0
[ 32.329615][ T298] ? __sys_sendmsg_sock+0x40/0x40
[ 32.334631][ T298] ? import_iovec+0x7c/0xb0
[ 32.339126][ T298] ___sys_sendmsg+0x1f0/0x260
[ 32.343795][ T298] ? _raw_spin_unlock+0x4d/0x70
[ 32.348635][ T298] ? __sys_sendmsg+0x250/0x250
[ 32.353399][ T298] ? __schedule+0xb76/0x14c0
[ 32.357991][ T298] ? _raw_spin_lock_irqsave+0x110/0x110
[ 32.363533][ T298] ? cgroup_update_frozen+0x15c/0x970
[ 32.368903][ T298] ? ptrace_stop+0x6f4/0xa80
[ 32.373491][ T298] ? __kasan_check_read+0x11/0x20
[ 32.378511][ T298] ? __fdget+0x15b/0x230
[ 32.382745][ T298] __x64_sys_sendmsg+0x1e2/0x2a0
[ 32.387705][ T298] ? ___sys_sendmsg+0x260/0x260
[ 32.392550][ T298] ? __kasan_check_write+0x14/0x20
[ 32.397651][ T298] ? switch_fpu_return+0x15d/0x2c0
[ 32.402755][ T298] x64_sys_call+0x4b/0x9a0
[ 32.407158][ T298] do_syscall_64+0x4c/0xa0
[ 32.411562][ T298] ? clear_bhb_loop+0x50/0xa0
[ 32.416228][ T298] ? clear_bhb_loop+0x50/0xa0
[ 32.420893][ T298] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 32.426779][ T298] RIP: 0033:0x7ff7e8c09b29
[ 32.431184][ T298] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 32.450794][ T298] RSP: 002b:00007fff7b2d80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 32.459200][ T298] RAX: ffffffffffffffda RBX: 00007fff7b2d80c0 RCX: 00007ff7e8c09b29
[pid 298] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 298] exit_group(0) = ?
[pid 298] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=298, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555c781650) = 299
[ 32.467170][ T298] RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004
[ 32.475135][ T298] RBP: 0000000000000001 R08: 00007fff7b2d7e47 R09: 00000000000000a0
[ 32.483118][ T298] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 32.491080][ T298] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 32.499043][ T298]
[ 32.503050][ T290] ==================================================================
[ 32.511128][ T290] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x100/0x320
[ 32.519572][ T290]
[ 32.521897][ T290] CPU: 1 PID: 290 Comm: kworker/1:2 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 32.533175][ T290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 32.543225][ T290] Workqueue: events bpf_map_free_deferred
[ 32.548947][ T290] Call Trace:
[ 32.552226][ T290]
[ 32.555155][ T290] __dump_stack+0x21/0x30
[ 32.559480][ T290] dump_stack_lvl+0xee/0x150
[ 32.564068][ T290] ? show_regs_print_info+0x20/0x20
[ 32.569265][ T290] ? load_image+0x3a0/0x3a0
[ 32.573770][ T290] ? kasan_set_track+0x5b/0x70
[ 32.578532][ T290] print_address_description+0x7f/0x2c0
[ 32.584090][ T290] ? kmem_cache_free+0x100/0x320
[ 32.589028][ T290] kasan_report_invalid_free+0x58/0x90
[ 32.594484][ T290] ? kmem_cache_free+0x100/0x320
[ 32.599419][ T290] ____kasan_slab_free+0x13d/0x160
[ 32.604530][ T290] __kasan_slab_free+0x11/0x20
[ 32.609292][ T290] slab_free_freelist_hook+0xc2/0x190
[ 32.614673][ T290] ? kfree_skbmem+0x10c/0x180
[ 32.619350][ T290] kmem_cache_free+0x100/0x320
[ 32.624112][ T290] ? skb_release_data+0x94f/0xa10
[ 32.629139][ T290] kfree_skbmem+0x10c/0x180
[ 32.633636][ T290] consume_skb+0xb3/0x1f0
[ 32.637964][ T290] __sk_msg_free+0x4f4/0x560
[ 32.642552][ T290] ? _raw_spin_lock_bh+0x8e/0xe0
[ 32.647495][ T290] ? _raw_spin_lock_irq+0xe0/0xe0
[ 32.652519][ T290] ? skb_dequeue+0x125/0x160
[ 32.657107][ T290] sk_psock_stop+0x4c9/0x570
[ 32.661703][ T290] ? sock_no_sendpage_locked+0x130/0x130
[ 32.667335][ T290] sk_psock_drop+0x226/0x300
[ 32.671933][ T290] sock_map_unref+0x3c2/0x420
[ 32.676624][ T290] sock_map_free+0x134/0x2a0
[ 32.681226][ T290] bpf_map_free_deferred+0x10e/0x1e0
[ 32.686526][ T290] process_one_work+0x6be/0xba0
[ 32.691389][ T290] worker_thread+0xa59/0x1200
[ 32.696069][ T290] ? _raw_spin_lock_irqsave+0xb0/0x110
[ 32.701533][ T290] ? __kthread_parkme+0xac/0x200
[ 32.706473][ T290] kthread+0x411/0x500
[ 32.710537][ T290] ? worker_clr_flags+0x190/0x190
[ 32.715560][ T290] ? kthread_blkcg+0xd0/0xd0
[ 32.720149][ T290] ret_from_fork+0x1f/0x30
[ 32.724566][ T290]
[ 32.727582][ T290]
[ 32.729912][ T290] Allocated by task 298:
[ 32.734146][ T290] __kasan_slab_alloc+0xbd/0xf0
[ 32.738995][ T290] slab_post_alloc_hook+0x4f/0x2b0
[ 32.744102][ T290] kmem_cache_alloc+0xf7/0x260
[ 32.748860][ T290] skb_clone+0x1cf/0x360
[ 32.753100][ T290] sk_psock_verdict_recv+0x53/0x800
[ 32.758289][ T290] unix_read_sock+0x10a/0x2c0
[ 32.762961][ T290] sk_psock_verdict_data_ready+0x115/0x170
[ 32.768762][ T290] unix_dgram_sendmsg+0x11e6/0x1880
[ 32.773957][ T290] ____sys_sendmsg+0x5a2/0x8c0
[ 32.778721][ T290] ___sys_sendmsg+0x1f0/0x260
[ 32.783391][ T290] __x64_sys_sendmsg+0x1e2/0x2a0
[ 32.788321][ T290] x64_sys_call+0x4b/0x9a0
[ 32.792731][ T290] do_syscall_64+0x4c/0xa0
[ 32.797143][ T290] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 32.803039][ T290]
[ 32.805374][ T290] Freed by task 290:
[ 32.809260][ T290] kasan_set_track+0x4a/0x70
[ 32.813839][ T290] kasan_set_free_info+0x23/0x40
[ 32.818773][ T290] ____kasan_slab_free+0x125/0x160
[ 32.823875][ T290] __kasan_slab_free+0x11/0x20
[ 32.828636][ T290] slab_free_freelist_hook+0xc2/0x190
[ 32.834000][ T290] kmem_cache_free+0x100/0x320
[ 32.838769][ T290] kfree_skbmem+0x10c/0x180
[ 32.843263][ T290] kfree_skb+0xc1/0x2f0
[ 32.847410][ T290] sk_psock_backlog+0xa85/0xd80
[ 32.852249][ T290] process_one_work+0x6be/0xba0
[ 32.857093][ T290] worker_thread+0xa59/0x1200
[ 32.861909][ T290] kthread+0x411/0x500
[ 32.865981][ T290] ret_from_fork+0x1f/0x30
[ 32.870393][ T290]
[ 32.872713][ T290] The buggy address belongs to the object at ffff8881263e7500
[ 32.872713][ T290] which belongs to the cache skbuff_head_cache of size 248
[ 32.887278][ T290] The buggy address is located 0 bytes inside of
[ 32.887278][ T290] 248-byte region [ffff8881263e7500, ffff8881263e75f8)
[ 32.900372][ T290] The buggy address belongs to the page:
[ 32.905996][ T290] page:ffffea000498f9c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1263e7
[ 32.916231][ T290] flags: 0x4000000000000200(slab|zone=1)
[ 32.921867][ T290] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081aaa80
[ 32.930450][ T290] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 32.939023][ T290] page dumped because: kasan: bad access detected
[ 32.945425][ T290] page_owner tracks the page as allocated
[ 32.951132][ T290] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 285, ts 32140182711, free_ts 32139972841
[ 32.967098][ T290] post_alloc_hook+0x192/0x1b0
[ 32.971858][ T290] prep_new_page+0x1c/0x110
[ 32.976354][ T290] get_page_from_freelist+0x2cc5/0x2d50
[ 32.981895][ T290] __alloc_pages+0x18f/0x440
[ 32.986479][ T290] new_slab+0xa1/0x4d0
[ 32.990553][ T290] ___slab_alloc+0x381/0x810
[ 32.995138][ T290] kmem_cache_alloc_bulk+0xf7/0x340
[ 33.000334][ T290] __alloc_skb+0x526/0x740
[ 33.004745][ T290] __napi_alloc_skb+0x162/0x2e0
[ 33.009590][ T290] page_to_skb+0x287/0xb60
[ 33.013998][ T290] receive_buf+0xc17/0x49f0
[ 33.018494][ T290] virtnet_poll+0x545/0xef0
[ 33.022993][ T290] __napi_poll+0xbe/0x590
[ 33.027318][ T290] net_rx_action+0x371/0x8e0
[ 33.031896][ T290] handle_softirqs+0x250/0x560
[ 33.036658][ T290] __irq_exit_rcu+0x52/0xf0
[ 33.041156][ T290] page last free stack trace:
[ 33.045819][ T290] free_unref_page_prepare+0x542/0x550
[ 33.051279][ T290] free_unref_page+0xa2/0x550
[ 33.055952][ T290] __free_pages+0x6c/0x100
[ 33.060363][ T290] __vunmap+0x84d/0x9e0
[ 33.064511][ T290] vfree+0x8b/0xc0
[ 33.068229][ T290] bpf_patch_insn_data+0x83f/0xe40
[ 33.073336][ T290] bpf_check+0x623d/0xf330
[ 33.077750][ T290] bpf_prog_load+0x1042/0x1550
[ 33.082506][ T290] __sys_bpf+0x4c3/0x730
[ 33.086743][ T290] __x64_sys_bpf+0x7c/0x90
[ 33.091155][ T290] x64_sys_call+0x4b9/0x9a0
[ 33.095658][ T290] do_syscall_64+0x4c/0xa0
[ 33.100074][ T290] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 33.105967][ T290]
[ 33.108289][ T290] Memory state around the buggy address:
[ 33.113912][ T290] ffff8881263e7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
./strace-static-x86_64: Process 299 attached
[pid 299] set_robust_list(0x55555c781660, 24) = 0
[pid 299] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 299] setpgid(0, 0) = 0
[pid 299] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 299] write(3, "1000", 4) = 4
[pid 299] close(3) = 0
[pid 299] write(1, "executing program\n", 18executing program
) = 18
[pid 299] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x200000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 299] close(3) = 0
[pid 299] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 299] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x200000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 299] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 299] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 299] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x200000000000, value=0x200000000080, flags=BPF_ANY}, 32) = 0
[ 33.121969][ T290] ffff8881263e7480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 33.130021][ T290] >ffff8881263e7500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.138072][ T290] ^
[ 33.142134][ T290] ffff8881263e7580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 33.150186][ T290] ffff8881263e7600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 33.158238][ T290] ==================================================================
[pid 299] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 299] write(7, "5", 1) = 1
[ 33.174597][ T299] FAULT_INJECTION: forcing a failure.
[ 33.174597][ T299] name failslab, interval 1, probability 0, space 0, times 0
[ 33.187300][ T299] CPU: 1 PID: 299 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 33.198953][ T299] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 33.209000][ T299] Call Trace:
[ 33.212273][ T299]
[ 33.215195][ T299] __dump_stack+0x21/0x30
[ 33.219521][ T299] dump_stack_lvl+0xee/0x150
[ 33.224105][ T299] ? show_regs_print_info+0x20/0x20
[ 33.229301][ T299] dump_stack+0x15/0x20
[ 33.233447][ T299] should_fail+0x3c1/0x510
[ 33.237874][ T299] __should_failslab+0xa4/0xe0
[ 33.242635][ T299] should_failslab+0x9/0x20
[ 33.247136][ T299] slab_pre_alloc_hook+0x3b/0xe0
[ 33.252069][ T299] kmem_cache_alloc_trace+0x48/0x270
[ 33.257354][ T299] ? sk_psock_skb_ingress_self+0x5f/0x330
[ 33.263068][ T299] ? migrate_disable+0x180/0x180
[ 33.267999][ T299] sk_psock_skb_ingress_self+0x5f/0x330
[ 33.273545][ T299] ? migrate_disable+0xd6/0x180
[ 33.278396][ T299] sk_psock_verdict_recv+0x636/0x800
[ 33.283682][ T299] unix_read_sock+0x10a/0x2c0
[ 33.288351][ T299] ? sk_psock_skb_redirect+0x440/0x440
[ 33.293801][ T299] ? unix_stream_splice_actor+0x120/0x120
[ 33.299523][ T299] ? __kasan_check_write+0x14/0x20
[ 33.304648][ T299] ? unix_stream_splice_actor+0x120/0x120
[ 33.310388][ T299] sk_psock_verdict_data_ready+0x115/0x170
[ 33.316195][ T299] ? sk_psock_start_verdict+0xc0/0xc0
[ 33.321562][ T299] ? _raw_spin_lock+0x8e/0xe0
[ 33.326239][ T299] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 33.332043][ T299] ? skb_queue_tail+0xcb/0xf0
[ 33.336739][ T299] unix_dgram_sendmsg+0x11e6/0x1880
[ 33.341940][ T299] ? unix_dgram_poll+0x6b0/0x6b0
[ 33.346877][ T299] ? __update_load_avg_cfs_rq+0xaf/0x2f0
[ 33.352526][ T299] ? security_socket_sendmsg+0x82/0xa0
[ 33.358018][ T299] ? unix_dgram_poll+0x6b0/0x6b0
[ 33.362958][ T299] ____sys_sendmsg+0x5a2/0x8c0
[ 33.367719][ T299] ? __sys_sendmsg_sock+0x40/0x40
[ 33.372742][ T299] ? import_iovec+0x7c/0xb0
[ 33.377269][ T299] ___sys_sendmsg+0x1f0/0x260
[ 33.381936][ T299] ? _raw_spin_unlock+0x4d/0x70
[ 33.386779][ T299] ? __sys_sendmsg+0x250/0x250
[ 33.391537][ T299] ? __schedule+0xb76/0x14c0
[ 33.396126][ T299] ? _raw_spin_lock_irqsave+0x110/0x110
[ 33.401674][ T299] ? cgroup_update_frozen+0x15c/0x970
[ 33.407066][ T299] ? ptrace_stop+0x6f4/0xa80
[ 33.411656][ T299] ? __kasan_check_read+0x11/0x20
[ 33.416685][ T299] ? __fdget+0x15b/0x230
[ 33.420940][ T299] __x64_sys_sendmsg+0x1e2/0x2a0
[ 33.425878][ T299] ? ___sys_sendmsg+0x260/0x260
[ 33.430730][ T299] ? __kasan_check_write+0x14/0x20
[ 33.435843][ T299] ? switch_fpu_return+0x15d/0x2c0
[ 33.441108][ T299] x64_sys_call+0x4b/0x9a0
[ 33.445532][ T299] do_syscall_64+0x4c/0xa0
[ 33.449959][ T299] ? clear_bhb_loop+0x50/0xa0
[ 33.454640][ T299] ? clear_bhb_loop+0x50/0xa0
[ 33.459315][ T299] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 33.465210][ T299] RIP: 0033:0x7ff7e8c09b29
[ 33.469626][ T299] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 33.489226][ T299] RSP: 002b:00007fff7b2d80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 33.497643][ T299] RAX: ffffffffffffffda RBX: 00007fff7b2d80c0 RCX: 00007ff7e8c09b29
[ 33.505617][ T299] RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004
[ 33.513586][ T299] RBP: 0000000000000001 R08: 00007fff7b2d7e47 R09: 00000000000000a0
[pid 299] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 299] exit_group(0) = ?
[pid 299] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=299, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 300 attached
, child_tidptr=0x55555c781650) = 300
[pid 300] set_robust_list(0x55555c781660, 24) = 0
[pid 300] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 300] setpgid(0, 0) = 0
[pid 300] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 300] write(3, "1000", 4) = 4
[pid 300] close(3) = 0
[pid 300] write(1, "executing program\n", 18executing program
) = 18
[pid 300] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_MSG, insn_cnt=4, insns=0x200000000040, license="GPL", log_level=2, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 3
[pid 300] close(3) = 0
[pid 300] socketpair(AF_UNIX, SOCK_DGRAM, 0, [3, 4]) = 0
[pid 300] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x200000000540, license="GPL", log_level=4, log_size=64912, log_buf="func#0 @0\n0: R1=ctx(id=0,off=0,imm=0) R10=fp0\n0: (b4) w0 = 0\n1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R"..., kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 5
[pid 300] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 6
[pid 300] bpf(BPF_PROG_ATTACH, {target_fd=6, attach_bpf_fd=5, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 300] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=6, key=0x200000000000, value=0x200000000080, flags=BPF_ANY}, 32) = 0
[pid 300] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 7
[pid 300] write(7, "5", 1) = 1
[ 33.521553][ T299] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 33.529523][ T299] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 33.537498][ T299]
[ 33.558976][ T300] FAULT_INJECTION: forcing a failure.
[ 33.558976][ T300] name failslab, interval 1, probability 0, space 0, times 0
[ 33.571702][ T300] CPU: 0 PID: 300 Comm: syz-executor292 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 33.583357][ T300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 33.593407][ T300] Call Trace:
[ 33.596677][ T300]
[ 33.599599][ T300] __dump_stack+0x21/0x30
[ 33.603928][ T300] dump_stack_lvl+0xee/0x150
[ 33.608508][ T300] ? show_regs_print_info+0x20/0x20
[ 33.613695][ T300] dump_stack+0x15/0x20
[ 33.617841][ T300] should_fail+0x3c1/0x510
[ 33.622247][ T300] __should_failslab+0xa4/0xe0
[ 33.627016][ T300] should_failslab+0x9/0x20
[ 33.631510][ T300] slab_pre_alloc_hook+0x3b/0xe0
[ 33.636528][ T300] kmem_cache_alloc_trace+0x48/0x270
[ 33.641809][ T300] ? sk_psock_skb_ingress_self+0x5f/0x330
[ 33.647520][ T300] ? migrate_disable+0x180/0x180
[ 33.652456][ T300] sk_psock_skb_ingress_self+0x5f/0x330
[ 33.657993][ T300] ? migrate_disable+0xd6/0x180
[ 33.662835][ T300] sk_psock_verdict_recv+0x636/0x800
[ 33.668112][ T300] unix_read_sock+0x10a/0x2c0
[ 33.672785][ T300] ? sk_psock_skb_redirect+0x440/0x440
[ 33.678235][ T300] ? unix_stream_splice_actor+0x120/0x120
[ 33.683946][ T300] ? __kasan_check_write+0x14/0x20
[ 33.689060][ T300] ? unix_stream_splice_actor+0x120/0x120
[ 33.694791][ T300] sk_psock_verdict_data_ready+0x115/0x170
[ 33.700600][ T300] ? sk_psock_start_verdict+0xc0/0xc0
[ 33.705971][ T300] ? _raw_spin_lock+0x8e/0xe0
[ 33.710655][ T300] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 33.716459][ T300] ? skb_queue_tail+0xcb/0xf0
[ 33.721142][ T300] unix_dgram_sendmsg+0x11e6/0x1880
[ 33.726341][ T300] ? unix_dgram_poll+0x6b0/0x6b0
[ 33.731280][ T300] ? newidle_balance+0x6a8/0xcc0
[ 33.736220][ T300] ? security_socket_sendmsg+0x82/0xa0
[ 33.741677][ T300] ? unix_dgram_poll+0x6b0/0x6b0
[ 33.746616][ T300] ____sys_sendmsg+0x5a2/0x8c0
[ 33.751387][ T300] ? __sys_sendmsg_sock+0x40/0x40
[ 33.756408][ T300] ? import_iovec+0x7c/0xb0
[ 33.760916][ T300] ___sys_sendmsg+0x1f0/0x260
[ 33.765590][ T300] ? _raw_spin_unlock+0x4d/0x70
[ 33.770441][ T300] ? __sys_sendmsg+0x250/0x250
[ 33.775202][ T300] ? __schedule+0xb76/0x14c0
[ 33.779800][ T300] ? _raw_spin_lock_irqsave+0x110/0x110
[ 33.785346][ T300] ? cgroup_update_frozen+0x15c/0x970
[ 33.790721][ T300] ? ptrace_stop+0x6f4/0xa80
[ 33.795312][ T300] ? __kasan_check_read+0x11/0x20
[ 33.800335][ T300] ? __fdget+0x15b/0x230
[ 33.804581][ T300] __x64_sys_sendmsg+0x1e2/0x2a0
[ 33.809518][ T300] ? ___sys_sendmsg+0x260/0x260
[ 33.814366][ T300] ? __kasan_check_write+0x14/0x20
[ 33.819474][ T300] ? switch_fpu_return+0x15d/0x2c0
[ 33.824597][ T300] x64_sys_call+0x4b/0x9a0
[ 33.829014][ T300] do_syscall_64+0x4c/0xa0
[ 33.833549][ T300] ? clear_bhb_loop+0x50/0xa0
[ 33.838220][ T300] ? clear_bhb_loop+0x50/0xa0
[ 33.843007][ T300] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 33.848906][ T300] RIP: 0033:0x7ff7e8c09b29
[ 33.853326][ T300] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[pid 300] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, 0) = 0
[pid 300] exit_group(0) = ?
[ 33.872928][ T300] RSP: 002b:00007fff7b2d80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 33.881369][ T300] RAX: ffffffffffffffda RBX: 00007fff7b2d80c0 RCX: 00007ff7e8c09b29
[ 33.889343][ T300] RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004
[ 33.897316][ T300] RBP: 0000000000000001 R08: 00007fff7b2d7e47 R09: 00000000000000a0
[ 33.905288][ T300] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 33.913281][ T300] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
[ 33.921254][ T300]
[ 33.925360][ T26] ==================================================================
[ 33.933445][ T26] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x100/0x320
[ 33.941860][ T26]
[ 33.944188][ T26] CPU: 1 PID: 26 Comm: kworker/1:0 Tainted: G B 5.15.185-syzkaller-00339-ge678c93d43cc #0
[ 33.955417][ T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 33.965469][ T26] Workqueue: events bpf_map_free_deferred
[ 33.971189][ T26] Call Trace:
[ 33.974467][ T26]
[ 33.977392][ T26] __dump_stack+0x21/0x30
[ 33.981717][ T26] dump_stack_lvl+0xee/0x150
[ 33.986303][ T26] ? show_regs_print_info+0x20/0x20
[ 33.991502][ T26] ? load_image+0x3a0/0x3a0
[ 33.996006][ T26] ? kasan_set_track+0x5b/0x70
[ 34.000767][ T26] print_address_description+0x7f/0x2c0
[ 34.006312][ T26] ? kmem_cache_free+0x100/0x320
[ 34.011249][ T26] kasan_report_invalid_free+0x58/0x90
[ 34.016726][ T26] ? kmem_cache_free+0x100/0x320
[ 34.021665][ T26] ____kasan_slab_free+0x13d/0x160