[ 4434.022494][ T8900] ==================================================================
[ 4434.022878][ T8900] BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 4434.023181][ T8900] Read of size 4 at addr ffff88801786f2d0 by task kworker/1:0/8900
[ 4434.023454][ T8900]
[ 4434.023552][ T8900] CPU: 1 UID: 0 PID: 8900 Comm: kworker/1:0 Not tainted 6.16.0-rc5-virtme #1 PREEMPT(full)
[ 4434.023557][ T8900] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 4434.023560][ T8900] Workqueue: tls-strp tls_strp_work [tls]
[ 4434.023572][ T8900] Call Trace:
[ 4434.023575][ T8900]
[ 4434.023577][ T8900]  dump_stack_lvl+0x82/0xd0
[ 4434.023590][ T8900]  print_address_description.constprop.0+0x2c/0x400
[ 4434.023601][ T8900]  ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 4434.023617][ T8900]  print_report+0xb4/0x270
[ 4434.023621][ T8900]  ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 4434.023628][ T8900]  ? kasan_addr_to_slab+0x25/0x80
[ 4434.023632][ T8900]  ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 4434.023640][ T8900]  kasan_report+0xca/0x100
[ 4434.023644][ T8900]  ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 4434.023655][ T8900]  tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 4434.023663][ T8900]  ? do_raw_spin_lock+0x130/0x270
[ 4434.023670][ T8900]  ? __pfx_tls_strp_check_rcv+0x10/0x10 [tls]
[ 4434.023680][ T8900]  ? __local_bh_enable_ip+0xa9/0x130
[ 4434.023688][ T8900]  tls_strp_work+0x3c/0x80 [tls]
[ 4434.023697][ T8900]  process_one_work+0xe40/0x1660
[ 4434.023705][ T8900]  ? __pfx_process_one_work+0x10/0x10
[ 4434.023711][ T8900]  ? assign_work+0x16c/0x240
[ 4434.023718][ T8900]  worker_thread+0x591/0xcf0
[ 4434.023724][ T8900]  ? __pfx_worker_thread+0x10/0x10
[ 4434.023727][ T8900]  kthread+0x37b/0x600
[ 4434.023731][ T8900]  ? __pfx_kthread+0x10/0x10
[ 4434.023733][ T8900]  ? ret_from_fork+0x1b/0x320
[ 4434.023738][ T8900]  ? __lock_release+0x5d/0x170
[ 4434.023742][ T8900]  ? rcu_is_watching+0x12/0xc0
[ 4434.023748][ T8900]  ? __pfx_kthread+0x10/0x10
[ 4434.023752][ T8900]  ret_from_fork+0x240/0x320
[ 4434.023754][ T8900]  ? __pfx_kthread+0x10/0x10
[ 4434.023757][ T8900]  ret_from_fork_asm+0x1a/0x30
[ 4434.023768][ T8900]
[ 4434.023770][ T8900]
[ 4434.029944][ T8900] Allocated by task 21140:
[ 4434.030122][ T8900]  kasan_save_stack+0x24/0x50
[ 4434.030319][ T8900]  kasan_save_track+0x14/0x30
[ 4434.030500][ T8900]  __kasan_slab_alloc+0x59/0x70
[ 4434.030683][ T8900]  kmem_cache_alloc_node_noprof+0x110/0x340
[ 4434.030920][ T8900]  __alloc_skb+0x213/0x2e0
[ 4434.031106][ T8900]  tcp_stream_alloc_skb+0x30/0x520
[ 4434.031293][ T8900]  tcp_sendmsg_locked+0xf54/0x3740
[ 4434.031472][ T8900]  tls_push_sg+0x22b/0x880 [tls]
[ 4434.031662][ T8900]  tls_tx_records+0x2da/0x750 [tls]
[ 4434.031853][ T8900]  tls_push_record+0xc25/0x1d20 [tls]
[ 4434.032037][ T8900]  bpf_exec_tx_verdict+0xc84/0x1360 [tls]
[ 4434.032221][ T8900]  tls_sw_sendmsg_locked.constprop.0+0xe5c/0x19d0 [tls]
[ 4434.032449][ T8900]  tls_sw_sendmsg+0x9f/0xe0 [tls]
[ 4434.032637][ T8900]  __sys_sendto+0x369/0x440
[ 4434.032829][ T8900]  __x64_sys_sendto+0xe0/0x1c0
[ 4434.033010][ T8900]  do_syscall_64+0xc1/0x380
[ 4434.033204][ T8900]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 4434.033434][ T8900]
[ 4434.033529][ T8900] Freed by task 21135:
[ 4434.033668][ T8900]  kasan_save_stack+0x24/0x50
[ 4434.033877][ T8900]  kasan_save_track+0x14/0x30
[ 4434.034057][ T8900]  kasan_save_free_info+0x3b/0x60
[ 4434.034236][ T8900]  __kasan_slab_free+0x38/0x50
[ 4434.034416][ T8900]  kmem_cache_free+0x149/0x330
[ 4434.034597][ T8900]  tcp_collapse_one+0xf5/0x1c0
[ 4434.034777][ T8900]  tcp_collapse+0xae2/0x17a0
[ 4434.034969][ T8900]  tcp_try_rmem_schedule+0x799/0x12e0
[ 4434.035149][ T8900]  tcp_data_queue+0x553/0x2340
[ 4434.035328][ T8900]  tcp_rcv_established+0x5e8/0x2370
[ 4434.035505][ T8900]  tcp_v4_do_rcv+0x4ba/0x8c0
[ 4434.035681][ T8900]  __release_sock+0x27a/0x390
[ 4434.035869][ T8900]  release_sock+0x53/0x1d0
[ 4434.036050][ T8900]  tls_rx_reader_acquire+0x25a/0x4f0 [tls]
[ 4434.036276][ T8900]  tls_sw_recvmsg+0x152/0x1aa0 [tls]
[ 4434.036462][ T8900]  inet_recvmsg+0x1c3/0x1f0
[ 4434.036641][ T8900]  __sys_recvfrom+0x32a/0x3f0
[ 4434.036830][ T8900]  __x64_sys_recvfrom+0xe0/0x1c0
[ 4434.037018][ T8900]  do_syscall_64+0xc1/0x380
[ 4434.037197][ T8900]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 4434.037418][ T8900]
[ 4434.037512][ T8900] The buggy address belongs to the object at ffff88801786f1c0
[ 4434.037512][ T8900]  which belongs to the cache skbuff_fclone_cache of size 472
[ 4434.037999][ T8900] The buggy address is located 272 bytes inside of
[ 4434.037999][ T8900]  freed 472-byte region [ffff88801786f1c0, ffff88801786f398)
[ 4434.038428][ T8900]
[ 4434.038519][ T8900] The buggy address belongs to the physical page:
[ 4434.038735][ T8900] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1786c
[ 4434.039064][ T8900] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 4434.039334][ T8900] flags: 0x80000000000040(head|node=0|zone=1)
[ 4434.039569][ T8900] page_type: f5(slab)
[ 4434.039713][ T8900] raw: 0080000000000040 ffff8880019a3cc0 ffffea000050af10 ffff8880022ce468
[ 4434.040061][ T8900] raw: 0000000000000000 0000000000170017 00000000f5000000 0000000000000000
[ 4434.040386][ T8900] head: 0080000000000040 ffff8880019a3cc0 ffffea000050af10 ffff8880022ce468
[ 4434.040703][ T8900] head: 0000000000000000 0000000000170017 00000000f5000000 0000000000000000
[ 4434.041030][ T8900] head: 0080000000000002 ffffea00005e1b01 00000000ffffffff 00000000ffffffff
[ 4434.041346][ T8900] head: ffff888000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 4434.041663][ T8900] page dumped because: kasan: bad access detected
[ 4434.041886][ T8900]
[ 4434.041982][ T8900] Memory state around the buggy address:
[ 4434.042155][ T8900]  ffff88801786f180: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 4434.042416][ T8900]  ffff88801786f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4434.042677][ T8900] >ffff88801786f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4434.042946][ T8900]                                               ^
[ 4434.043175][ T8900]  ffff88801786f300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4434.043433][ T8900]  ffff88801786f380: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4434.043698][ T8900] ==================================================================
[ 4434.044016][ T8900] Disabling lock debugging due to kernel taint
[ 4434.044260][ T8900] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN NOPTI
[ 4434.044644][ T8900] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 4434.044901][ T8900] CPU: 1 UID: 0 PID: 8900 Comm: kworker/1:0 Tainted: G B 6.16.0-rc5-virtme #1 PREEMPT(full)
[ 4434.045302][ T8900] Tainted: [B]=BAD_PAGE
[ 4434.045433][ T8900] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 4434.045650][ T8900] Workqueue: tls-strp tls_strp_work [tls]
[ 4434.045841][ T8900] RIP: 0010:tls_strp_check_rcv+0x5d6/0x9a0 [tls]
[ 4434.046096][ T8900] Code: 7b 28 eb 41 41 01 c7 41 29 c5 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 f8 01 00 00 48 8b 1b 48 8d 7b 28 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 00 02 00 00 44 3b 7b 28 0f
[ 4434.046701][ T8900] RSP: 0018:ffffc900058a7bb0 EFLAGS: 00010206
[ 4434.046918][ T8900] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffffc05a013c
[ 4434.047192][ T8900] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000028
[ 4434.047454][ T8900] RBP: ffff88800e2162d0 R08: ffff88800e2162da R09: fffffbfff5b5b0b8
[ 4434.047713][ T8900] R10: ffffffffadad85c7 R11: ffffc900058a76c0 R12: 1ffff92000b14f79
[ 4434.047970][ T8900] R13: 0000000000001ec5 R14: dffffc0000000000 R15: 000000002c5d2bb8
[ 4434.048242][ T8900] FS:  0000000000000000(0000) GS:ffff8880bf417000(0000) knlGS:0000000000000000
[ 4434.048540][ T8900] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4434.048758][ T8900] CR2: 00007ffcc7406000 CR3: 000000000b047003 CR4: 0000000000772ef0
[ 4434.049021][ T8900] PKRU: 55555554
[ 4434.049160][ T8900] Call Trace:
[ 4434.049289][ T8900]
[ 4434.049377][ T8900]  ? do_raw_spin_lock+0x130/0x270
[ 4434.049560][ T8900]  ? __pfx_tls_strp_check_rcv+0x10/0x10 [tls]
[ 4434.049780][ T8900]  ? __local_bh_enable_ip+0xa9/0x130
[ 4434.049953][ T8900]  tls_strp_work+0x3c/0x80 [tls]
[ 4434.050140][ T8900]  process_one_work+0xe40/0x1660
[ 4434.050407][ T8900]  ? __pfx_process_one_work+0x10/0x10
[ 4434.050580][ T8900]  ? assign_work+0x16c/0x240
[ 4434.050755][ T8900]  worker_thread+0x591/0xcf0
[ 4434.050930][ T8900]  ? __pfx_worker_thread+0x10/0x10
[ 4434.051195][ T8900]  kthread+0x37b/0x600
[ 4434.051324][ T8900]  ? __pfx_kthread+0x10/0x10
[ 4434.051495][ T8900]  ? ret_from_fork+0x1b/0x320
[ 4434.051665][ T8900]  ? __lock_release+0x5d/0x170
[ 4434.051922][ T8900]  ? rcu_is_watching+0x12/0xc0
[ 4434.052093][ T8900]  ? __pfx_kthread+0x10/0x10
[ 4434.052285][ T8900]  ret_from_fork+0x240/0x320
[ 4434.052458][ T8900]  ? __pfx_kthread+0x10/0x10
[ 4434.052719][ T8900]  ret_from_fork_asm+0x1a/0x30
[ 4434.052897][ T8900]
[ 4434.053039][ T8900] Modules linked in: chacha chacha_x86_64 libchacha chacha20poly1305 libpoly1305 poly1305_x86_64 tls cls_bpf sch_ingress netdevsim psample ip6t_rpfilter vxlan mpls_gso mpls_iptunnel mpls_router xt_HL nft_compat nf_tables amt
[ 4434.053858][ T8900] ---[ end trace 0000000000000000 ]---
[ 4434.054036][ T8900] RIP: 0010:tls_strp_check_rcv+0x5d6/0x9a0 [tls]
[ 4434.054367][ T8900] Code: 7b 28 eb 41 41 01 c7 41 29 c5 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 f8 01 00 00 48 8b 1b 48 8d 7b 28 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 00 02 00 00 44 3b 7b 28 0f
[ 4434.055149][ T8900] RSP: 0018:ffffc900058a7bb0 EFLAGS: 00010206
[ 4434.055385][ T8900] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffffc05a013c
[ 4434.055645][ T8900] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000028
[ 4434.055897][ T8900] RBP: ffff88800e2162d0 R08: ffff88800e2162da R09: fffffbfff5b5b0b8
[ 4434.056146][ T8900] R10: ffffffffadad85c7 R11: ffffc900058a76c0 R12: 1ffff92000b14f79
[ 4434.056411][ T8900] R13: 0000000000001ec5 R14: dffffc0000000000 R15: 000000002c5d2bb8
[ 4434.056765][ T8900] FS:  0000000000000000(0000) GS:ffff8880bf417000(0000) knlGS:0000000000000000
[ 4434.057063][ T8900] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4434.057376][ T8900] CR2: 00007ffcc7406000 CR3: 000000000b047003 CR4: 0000000000772ef0
[ 4434.057642][ T8900] PKRU: 55555554
[ 4434.057772][ T8900] Kernel panic - not syncing: Fatal exception
[ 4434.058184][ T8900] Kernel Offset: 0x26600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 4434.058699][ T8900] ---[ end Kernel panic - not syncing: Fatal exception ]---