[ 1306.824005][T13529] ==================================================================
[ 1306.824479][T13529] BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 1306.824777][T13529] Read of size 4 at addr ffff888013085750 by task tls/13529
[ 1306.825056][T13529]
[ 1306.825157][T13529] CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme #1 PREEMPT(full)
[ 1306.825162][T13529] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1306.825165][T13529] Call Trace:
[ 1306.825169][T13529]
[ 1306.825171][T13529] dump_stack_lvl+0x82/0xd0
[ 1306.825191][T13529] print_address_description.constprop.0+0x2c/0x400
[ 1306.825201][T13529] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 1306.825211][T13529] print_report+0xb4/0x270
[ 1306.825215][T13529] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 1306.825223][T13529] ? kasan_addr_to_slab+0x25/0x80
[ 1306.825226][T13529] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 1306.825234][T13529] kasan_report+0xca/0x100
[ 1306.825238][T13529] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 1306.825249][T13529] tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 1306.825257][T13529] ? rcu_is_watching+0x12/0xc0
[ 1306.825265][T13529] ? __pfx_tls_strp_check_rcv+0x10/0x10 [tls]
[ 1306.825274][T13529] ? __lock_acquire+0x44d/0x7e0
[ 1306.825281][T13529] tls_rx_rec_wait+0x2c9/0x8d0 [tls]
[ 1306.825291][T13529] ? sk_psock_get+0xe8/0x310 [tls]
[ 1306.825301][T13529] ? __pfx_tls_rx_rec_wait+0x10/0x10 [tls]
[ 1306.825309][T13529] ? sk_psock_get+0xe8/0x310 [tls]
[ 1306.825318][T13529] ? __pfx_woken_wake_function+0x10/0x10
[ 1306.825325][T13529] ? __local_bh_enable_ip+0xa9/0x130
[ 1306.825331][T13529] tls_sw_recvmsg+0x40f/0x1aa0 [tls]
[ 1306.825347][T13529] ? __pfx_tls_sw_recvmsg+0x10/0x10 [tls]
[ 1306.825355][T13529] ? do_pte_missing+0x7d0/0xe00
[ 1306.825363][T13529] inet_recvmsg+0x1c3/0x1f0
[ 1306.825371][T13529] ? __pfx_inet_recvmsg+0x10/0x10
[ 1306.825378][T13529] __sys_recvfrom+0x32a/0x3f0
[ 1306.825384][T13529] ? __pfx___sys_recvfrom+0x10/0x10
[ 1306.825391][T13529] ? rseq_update_cpu_node_id+0x10c/0x180
[ 1306.825396][T13529] ? __rseq_handle_notify_resume+0x2b8/0x420
[ 1306.825399][T13529] ? find_held_lock+0x2b/0x80
[ 1306.825405][T13529] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 1306.825409][T13529] ? exc_page_fault+0x5d/0xc0
[ 1306.825415][T13529] ? xfd_validate_state+0x2c/0x140
[ 1306.825420][T13529] ? do_user_addr_fault+0x959/0xe00
[ 1306.825425][T13529] __x64_sys_recvfrom+0xe0/0x1c0
[ 1306.825429][T13529] ? do_syscall_64+0x85/0x380
[ 1306.825434][T13529] ? lockdep_hardirqs_on+0x7c/0x110
[ 1306.825437][T13529] do_syscall_64+0xc1/0x380
[ 1306.825441][T13529] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1306.825445][T13529] RIP: 0033:0x7f6428c84ef0
[ 1306.825449][T13529] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
[ 1306.825452][T13529] RSP: 002b:00007ffc7264d228 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 1306.825457][T13529] RAX: ffffffffffffffda RBX: 0000000000001f41 RCX: 00007f6428c84ef0
[ 1306.825460][T13529] RDX: 0000000000001f41 RSI: 00007ffc7265bcc0 RDI: 00000000000002b4
[ 1306.825462][T13529] RBP: 00007ffc7265dc40 R08: 0000000000000000 R09: 0000000000000000
[ 1306.825464][T13529] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6428b42000
[ 1306.825466][T13529] R13: 00007ffc7265bcc0 R14: 00007ffc7265dc54 R15: 00000000005a64cb
[ 1306.825473][T13529]
[ 1306.825474][T13529]
[ 1306.836209][T13529] Allocated by task 13534:
[ 1306.836403][T13529] kasan_save_stack+0x24/0x50
[ 1306.836599][T13529] kasan_save_track+0x14/0x30
[ 1306.836792][T13529] __kasan_slab_alloc+0x59/0x70
[ 1306.836998][T13529] kmem_cache_alloc_node_noprof+0x110/0x340
[ 1306.837235][T13529] __alloc_skb+0x213/0x2e0
[ 1306.837425][T13529] tcp_stream_alloc_skb+0x30/0x520
[ 1306.837622][T13529] tcp_sendmsg_locked+0xf54/0x3740
[ 1306.837811][T13529] tls_push_sg+0x22b/0x880 [tls]
[ 1306.838004][T13529] tls_tx_records+0x2da/0x750 [tls]
[ 1306.838198][T13529] tls_push_record+0xc25/0x1d20 [tls]
[ 1306.838394][T13529] bpf_exec_tx_verdict+0xc84/0x1360 [tls]
[ 1306.838586][T13529] tls_sw_sendmsg_locked.constprop.0+0x8c3/0x19d0 [tls]
[ 1306.838825][T13529] tls_sw_sendmsg+0x9f/0xe0 [tls]
[ 1306.839017][T13529] sock_sendmsg+0x261/0x370
[ 1306.839204][T13529] splice_to_socket+0x823/0x1050
[ 1306.839401][T13529] direct_splice_actor+0x169/0x5d0
[ 1306.839589][T13529] splice_direct_to_actor+0x2c9/0x850
[ 1306.839782][T13529] do_splice_direct+0x130/0x1f0
[ 1306.839970][T13529] do_sendfile+0x485/0x1290
[ 1306.840158][T13529] __x64_sys_sendfile64+0x190/0x1d0
[ 1306.840351][T13529] do_syscall_64+0xc1/0x380
[ 1306.840545][T13529] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1306.840785][T13529]
[ 1306.840883][T13529] Freed by task 13526:
[ 1306.841030][T13529] kasan_save_stack+0x24/0x50
[ 1306.841230][T13529] kasan_save_track+0x14/0x30
[ 1306.841421][T13529] kasan_save_free_info+0x3b/0x60
[ 1306.841618][T13529] __kasan_slab_free+0x38/0x50
[ 1306.841805][T13529] kmem_cache_free+0x149/0x330
[ 1306.841994][T13529] tcp_collapse_one+0xf5/0x1c0
[ 1306.842182][T13529] tcp_collapse+0xae2/0x17a0
[ 1306.842368][T13529] tcp_try_rmem_schedule+0x799/0x12e0
[ 1306.842554][T13529] tcp_data_queue+0x553/0x2340
[ 1306.842746][T13529] tcp_rcv_established+0x5e8/0x2370
[ 1306.842936][T13529] tcp_v4_do_rcv+0x4ba/0x8c0
[ 1306.843124][T13529] __release_sock+0x27a/0x390
[ 1306.843314][T13529] release_sock+0x53/0x1d0
[ 1306.843502][T13529] tls_sw_recvmsg+0x72f/0x1aa0 [tls]
[ 1306.843695][T13529] inet_recvmsg+0x1c3/0x1f0
[ 1306.843881][T13529] __sys_recvfrom+0x32a/0x3f0
[ 1306.844073][T13529] __x64_sys_recvfrom+0xe0/0x1c0
[ 1306.844325][T13529] do_syscall_64+0xc1/0x380
[ 1306.844581][T13529] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1306.844820][T13529]
[ 1306.844916][T13529] The buggy address belongs to the object at ffff888013085640
[ 1306.844916][T13529] which belongs to the cache skbuff_fclone_cache of size 472
[ 1306.845514][T13529] The buggy address is located 272 bytes inside of
[ 1306.845514][T13529] freed 472-byte region [ffff888013085640, ffff888013085818)
[ 1306.846147][T13529]
[ 1306.846280][T13529] The buggy address belongs to the physical page:
[ 1306.846533][T13529] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13084
[ 1306.846866][T13529] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1306.847176][T13529] flags: 0x80000000000040(head|node=0|zone=1)
[ 1306.847501][T13529] page_type: f5(slab)
[ 1306.847698][T13529] raw: 0080000000000040 ffff8880019a3cc0 ffffea00003af410 ffffea000018c110
[ 1306.848144][T13529] raw: 0000000000000000 0000000000170017 00000000f5000000 0000000000000000
[ 1306.848553][T13529] head: 0080000000000040 ffff8880019a3cc0 ffffea00003af410 ffffea000018c110
[ 1306.848887][T13529] head: 0000000000000000 0000000000170017 00000000f5000000 0000000000000000
[ 1306.849215][T13529] head: 0080000000000002 ffffea00004c2101 00000000ffffffff 00000000ffffffff
[ 1306.849543][T13529] head: ffff888000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1306.849969][T13529] page dumped because: kasan: bad access detected
[ 1306.850259][T13529]
[ 1306.850358][T13529] Memory state around the buggy address:
[ 1306.850543][T13529] ffff888013085600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1306.850820][T13529] ffff888013085680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1306.851187][T13529] >ffff888013085700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1306.851526][T13529] ^
[ 1306.851755][T13529] ffff888013085780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1306.852029][T13529] ffff888013085800: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1306.852299][T13529] ==================================================================
[ 1306.852874][T13529] Disabling lock debugging due to kernel taint
[ 1306.853223][T13529] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN NOPTI
[ 1306.853678][T13529] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 1306.853942][T13529] CPU: 2 UID: 0 PID: 13529 Comm: tls Tainted: G B 6.16.0-rc5-virtme #1 PREEMPT(full)
[ 1306.854448][T13529] Tainted: [B]=BAD_PAGE
[ 1306.854600][T13529] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1306.854823][T13529] RIP: 0010:tls_strp_check_rcv+0x5d6/0x9a0 [tls]
[ 1306.855059][T13529] Code: 7b 28 eb 41 41 01 c7 41 29 c5 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 f8 01 00 00 48 8b 1b 48 8d 7b 28 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 00 02 00 00 44 3b 7b 28 0f
[ 1306.855705][T13529] RSP: 0018:ffffc90005027908 EFLAGS: 00010206
[ 1306.855930][T13529] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffffc0ace13c
[ 1306.856198][T13529] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000028
[ 1306.856466][T13529] RBP: ffff8880098bc4d0 R08: ffff8880098bc4da R09: fffffbfff3fdb0b8
[ 1306.856738][T13529] R10: ffffffff9fed85c7 R11: ffffc90005027400 R12: 1ffff92000a04f24
[ 1306.857013][T13529] R13: 0000000000001e86 R14: dffffc0000000000 R15: 0000000029fa2eaf
[ 1306.857285][T13529] FS: 00007f6428b72740(0000) GS:ffff8880c5897000(0000) knlGS:0000000000000000
[ 1306.857602][T13529] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1306.857830][T13529] CR2: 00007f6428c733c0 CR3: 000000000e83b006 CR4: 0000000000772ef0
[ 1306.858111][T13529] PKRU: 55555554
[ 1306.858249][T13529] Call Trace:
[ 1306.858386][T13529]
[ 1306.858482][T13529] ? rcu_is_watching+0x12/0xc0
[ 1306.858666][T13529] ? __pfx_tls_strp_check_rcv+0x10/0x10 [tls]
[ 1306.858896][T13529] ? __lock_acquire+0x44d/0x7e0
[ 1306.859077][T13529] tls_rx_rec_wait+0x2c9/0x8d0 [tls]
[ 1306.859268][T13529] ? sk_psock_get+0xe8/0x310 [tls]
[ 1306.859451][T13529] ? __pfx_tls_rx_rec_wait+0x10/0x10 [tls]
[ 1306.859679][T13529] ? sk_psock_get+0xe8/0x310 [tls]
[ 1306.859862][T13529] ? __pfx_woken_wake_function+0x10/0x10
[ 1306.860075][T13529] ? __local_bh_enable_ip+0xa9/0x130
[ 1306.860322][T13529] tls_sw_recvmsg+0x40f/0x1aa0 [tls]
[ 1306.860572][T13529] ? __pfx_tls_sw_recvmsg+0x10/0x10 [tls]
[ 1306.860756][T13529] ? do_pte_missing+0x7d0/0xe00
[ 1306.860939][T13529] inet_recvmsg+0x1c3/0x1f0
[ 1306.861129][T13529] ? __pfx_inet_recvmsg+0x10/0x10
[ 1306.861311][T13529] __sys_recvfrom+0x32a/0x3f0
[ 1306.861491][T13529] ? __pfx___sys_recvfrom+0x10/0x10
[ 1306.861673][T13529] ? rseq_update_cpu_node_id+0x10c/0x180
[ 1306.861859][T13529] ? __rseq_handle_notify_resume+0x2b8/0x420
[ 1306.862079][T13529] ? find_held_lock+0x2b/0x80
[ 1306.862260][T13529] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 1306.862483][T13529] ? exc_page_fault+0x5d/0xc0
[ 1306.862663][T13529] ? xfd_validate_state+0x2c/0x140
[ 1306.862842][T13529] ? do_user_addr_fault+0x959/0xe00
[ 1306.863034][T13529] __x64_sys_recvfrom+0xe0/0x1c0
[ 1306.863277][T13529] ? do_syscall_64+0x85/0x380
[ 1306.863522][T13529] ? lockdep_hardirqs_on+0x7c/0x110
[ 1306.863765][T13529] do_syscall_64+0xc1/0x380
[ 1306.864007][T13529] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1306.864312][T13529] RIP: 0033:0x7f6428c84ef0
[ 1306.864563][T13529] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
[ 1306.865188][T13529] RSP: 002b:00007ffc7264d228 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 1306.865454][T13529] RAX: ffffffffffffffda RBX: 0000000000001f41 RCX: 00007f6428c84ef0
[ 1306.865746][T13529] RDX: 0000000000001f41 RSI: 00007ffc7265bcc0 RDI: 00000000000002b4
[ 1306.866052][T13529] RBP: 00007ffc7265dc40 R08: 0000000000000000 R09: 0000000000000000
[ 1306.866417][T13529] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6428b42000
[ 1306.866709][T13529] R13: 00007ffc7265bcc0 R14: 00007ffc7265dc54 R15: 00000000005a64cb
[ 1306.866982][T13529]
[ 1306.867119][T13529] Modules linked in: chacha chacha_x86_64 libchacha chacha20poly1305 libpoly1305 poly1305_x86_64 tls act_mirred netdevsim psample ip6t_rpfilter nft_compat nf_tables pktgen xfrm_user l2tp_ip6 l2tp_eth l2tp_ip l2tp_netlink l2tp_core sctp_diag sctp act_gact cls_flower sch_ingress ip6_gre ip_gre gre unix_diag
[ 1306.868428][T13529] ---[ end trace 0000000000000000 ]---
[ 1306.868699][T13529] RIP: 0010:tls_strp_check_rcv+0x5d6/0x9a0 [tls]
[ 1306.868953][T13529] Code: 7b 28 eb 41 41 01 c7 41 29 c5 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 f8 01 00 00 48 8b 1b 48 8d 7b 28 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 00 02 00 00 44 3b 7b 28 0f
[ 1306.871696][T13529] RSP: 0018:ffffc90005027908 EFLAGS: 00010206
[ 1306.871957][T13529] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffffc0ace13c
[ 1306.872244][T13529] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000028
[ 1306.872519][T13529] RBP: ffff8880098bc4d0 R08: ffff8880098bc4da R09: fffffbfff3fdb0b8
[ 1306.872821][T13529] R10: ffffffff9fed85c7 R11: ffffc90005027400 R12: 1ffff92000a04f24
[ 1306.873106][T13529] R13: 0000000000001e86 R14: dffffc0000000000 R15: 0000000029fa2eaf
[ 1306.873386][T13529] FS: 00007f6428b72740(0000) GS:ffff8880c5897000(0000) knlGS:0000000000000000
[ 1306.873729][T13529] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1306.873969][T13529] CR2: 00007f6428c733c0 CR3: 000000000e83b006 CR4: 0000000000772ef0
[ 1306.874251][T13529] PKRU: 55555554
[ 1306.874401][T13529] Kernel panic - not syncing: Fatal exception
[ 1306.874826][T13529] Kernel Offset: 0x18a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 1306.875320][T13529] ---[ end Kernel panic - not syncing: Fatal exception ]---
WAIT TIMEOUT stderr
Ctrl-C stderr
Ctrl-C stderr
WAIT TIMEOUT stderr