[ 6292.194976][ T3241] ==================================================================
[ 6292.195385][ T3241] BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 6292.195694][ T3241] Read of size 4 at addr ffff88800ab07b10 by task tls/3241
[ 6292.195980][ T3241]
[ 6292.196094][ T3241] CPU: 3 UID: 0 PID: 3241 Comm: tls Not tainted 6.16.0-rc5-virtme #1 PREEMPT(full)
[ 6292.196099][ T3241] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 6292.196104][ T3241] Call Trace:
[ 6292.196107][ T3241]
[ 6292.196110][ T3241] dump_stack_lvl+0x82/0xd0
[ 6292.196131][ T3241] print_address_description.constprop.0+0x2c/0x400
[ 6292.196150][ T3241] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 6292.196160][ T3241] print_report+0xb4/0x270
[ 6292.196164][ T3241] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 6292.196172][ T3241] ? kasan_addr_to_slab+0x25/0x80
[ 6292.196175][ T3241] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 6292.196183][ T3241] kasan_report+0xca/0x100
[ 6292.196189][ T3241] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 6292.196199][ T3241] tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 6292.196209][ T3241] ? __pfx_tls_strp_check_rcv+0x10/0x10 [tls]
[ 6292.196217][ T3241] ? __lock_acquire+0x44d/0x7e0
[ 6292.196233][ T3241] tls_rx_rec_wait+0x2c9/0x8d0 [tls]
[ 6292.196242][ T3241] ? sk_psock_get+0xe8/0x310 [tls]
[ 6292.196252][ T3241] ? __pfx_tls_rx_rec_wait+0x10/0x10 [tls]
[ 6292.196260][ T3241] ? sk_psock_get+0xe8/0x310 [tls]
[ 6292.196269][ T3241] ? __pfx_woken_wake_function+0x10/0x10
[ 6292.196277][ T3241] ? __local_bh_enable_ip+0xa9/0x130
[ 6292.196292][ T3241] tls_sw_recvmsg+0x40f/0x1aa0 [tls]
[ 6292.196308][ T3241] ? __pfx_tls_sw_recvmsg+0x10/0x10 [tls]
[ 6292.196316][ T3241] ? do_pte_missing+0x7d0/0xe00
[ 6292.196329][ T3241] inet_recvmsg+0x1c3/0x1f0
[ 6292.196344][ T3241] ? __pfx_inet_recvmsg+0x10/0x10
[ 6292.196350][ T3241] __sys_recvfrom+0x32a/0x3f0
[ 6292.196363][ T3241] ? __pfx___sys_recvfrom+0x10/0x10
[ 6292.196371][ T3241] ? rseq_update_cpu_node_id+0x10c/0x180
[ 6292.196383][ T3241] ? __rseq_handle_notify_resume+0x2b8/0x420
[ 6292.196385][ T3241] ? find_held_lock+0x2b/0x80
[ 6292.196393][ T3241] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 6292.196397][ T3241] ? exc_page_fault+0x5d/0xc0
[ 6292.196405][ T3241] ? xfd_validate_state+0x2c/0x140
[ 6292.196415][ T3241] ? do_user_addr_fault+0x959/0xe00
[ 6292.196423][ T3241] __x64_sys_recvfrom+0xe0/0x1c0
[ 6292.196427][ T3241] ? do_syscall_64+0x85/0x380
[ 6292.196433][ T3241] ? lockdep_hardirqs_on+0x7c/0x110
[ 6292.196436][ T3241] do_syscall_64+0xc1/0x380
[ 6292.196440][ T3241] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 6292.196448][ T3241] RIP: 0033:0x7f8ac269eef0
[ 6292.196452][ T3241] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
[ 6292.196455][ T3241] RSP: 002b:00007ffd7272e458 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 6292.196462][ T3241] RAX: ffffffffffffffda RBX: 0000000000000f99 RCX: 00007f8ac269eef0
[ 6292.196465][ T3241] RDX: 0000000000001f41 RSI: 00007ffd7273cef0 RDI: 0000000000000177
[ 6292.196467][ T3241] RBP: 00007ffd7273ee70 R08: 0000000000000000 R09: 0000000000000000
[ 6292.196469][ T3241] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8ac255e000
[ 6292.196470][ T3241] R13: 00007ffd7273cef0 R14: 00007ffd7273ee84 R15: 00000000010fca1f
[ 6292.196477][ T3241]
[ 6292.196479][ T3241]
[ 6292.207379][ T3241] Allocated by task 3248:
[ 6292.207527][ T3241] kasan_save_stack+0x24/0x50
[ 6292.207730][ T3241] kasan_save_track+0x14/0x30
[ 6292.207927][ T3241] __kasan_slab_alloc+0x59/0x70
[ 6292.208121][ T3241] kmem_cache_alloc_node_noprof+0x110/0x340
[ 6292.208367][ T3241] __alloc_skb+0x213/0x2e0
[ 6292.208571][ T3241] tcp_stream_alloc_skb+0x30/0x520
[ 6292.208771][ T3241] tcp_sendmsg_locked+0xf54/0x3740
[ 6292.208967][ T3241] tls_push_sg+0x22b/0x880 [tls]
[ 6292.209174][ T3241] tls_tx_records+0x2da/0x750 [tls]
[ 6292.209376][ T3241] tls_push_record+0xc25/0x1d20 [tls]
[ 6292.209582][ T3241] bpf_exec_tx_verdict+0xc84/0x1360 [tls]
[ 6292.209782][ T3241] tls_sw_sendmsg_locked.constprop.0+0xe5c/0x19d0 [tls]
[ 6292.210032][ T3241] tls_sw_sendmsg+0x9f/0xe0 [tls]
[ 6292.210230][ T3241] __sys_sendto+0x369/0x440
[ 6292.210426][ T3241] __x64_sys_sendto+0xe0/0x1c0
[ 6292.210622][ T3241] do_syscall_64+0xc1/0x380
[ 6292.210827][ T3241] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 6292.211076][ T3241]
[ 6292.211175][ T3241] Freed by task 3241:
[ 6292.211323][ T3241] kasan_save_stack+0x24/0x50
[ 6292.211521][ T3241] kasan_save_track+0x14/0x30
[ 6292.211718][ T3241] kasan_save_free_info+0x3b/0x60
[ 6292.211923][ T3241] __kasan_slab_free+0x38/0x50
[ 6292.212118][ T3241] kmem_cache_free+0x149/0x330
[ 6292.212316][ T3241] tcp_collapse_one+0xf5/0x1c0
[ 6292.212521][ T3241] tcp_collapse+0xae2/0x17a0
[ 6292.212718][ T3241] tcp_try_rmem_schedule+0x799/0x12e0
[ 6292.212914][ T3241] tcp_data_queue+0x553/0x2340
[ 6292.213112][ T3241] tcp_rcv_established+0x5e8/0x2370
[ 6292.213316][ T3241] tcp_v4_do_rcv+0x4ba/0x8c0
[ 6292.213517][ T3241] __release_sock+0x27a/0x390
[ 6292.213715][ T3241] release_sock+0x53/0x1d0
[ 6292.213913][ T3241] tls_sw_recvmsg+0x72f/0x1aa0 [tls]
[ 6292.214120][ T3241] inet_recvmsg+0x1c3/0x1f0
[ 6292.214318][ T3241] __sys_recvfrom+0x32a/0x3f0
[ 6292.214513][ T3241] __x64_sys_recvfrom+0xe0/0x1c0
[ 6292.214712][ T3241] do_syscall_64+0xc1/0x380
[ 6292.214910][ T3241] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 6292.215152][ T3241]
[ 6292.215251][ T3241] The buggy address belongs to the object at ffff88800ab07a00
[ 6292.215251][ T3241] which belongs to the cache skbuff_fclone_cache of size 472
[ 6292.215784][ T3241] The buggy address is located 272 bytes inside of
[ 6292.215784][ T3241] freed 472-byte region [ffff88800ab07a00, ffff88800ab07bd8)
[ 6292.216270][ T3241]
[ 6292.216369][ T3241] The buggy address belongs to the physical page:
[ 6292.216608][ T3241] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88800ab045c0 pfn:0xab04
[ 6292.217013][ T3241] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 6292.217304][ T3241] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 6292.217561][ T3241] page_type: f5(slab)
[ 6292.217716][ T3241] raw: 0080000000000240 ffff8880019a3cc0 ffffea0000249810 ffff888002252448
[ 6292.218065][ T3241] raw: ffff88800ab045c0 0000000000170014 00000000f5000000 0000000000000000
[ 6292.218409][ T3241] head: 0080000000000240 ffff8880019a3cc0 ffffea0000249810 ffff888002252448
[ 6292.218756][ T3241] head: ffff88800ab045c0 0000000000170014 00000000f5000000 0000000000000000
[ 6292.219101][ T3241] head: 0080000000000002 ffffea00002ac101 00000000ffffffff 00000000ffffffff
[ 6292.219450][ T3241] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 6292.219794][ T3241] page dumped because: kasan: bad access detected
[ 6292.220041][ T3241]
[ 6292.220139][ T3241] Memory state around the buggy address:
[ 6292.220329][ T3241] ffff88800ab07a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6292.220621][ T3241] ffff88800ab07a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6292.220912][ T3241] >ffff88800ab07b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6292.221200][ T3241]                          ^
[ 6292.221391][ T3241] ffff88800ab07b80: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 6292.221678][ T3241] ffff88800ab07c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6292.221973][ T3241] ==================================================================
[ 6292.226410][ T3241] Disabling lock debugging due to kernel taint
[ 6292.226697][ T3241] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN NOPTI
[ 6292.227117][ T3241] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 6292.227400][ T3241] CPU: 3 UID: 0 PID: 3241 Comm: tls Tainted: G B 6.16.0-rc5-virtme #1 PREEMPT(full)
[ 6292.227783][ T3241] Tainted: [B]=BAD_PAGE
[ 6292.227929][ T3241] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 6292.228166][ T3241] RIP: 0010:tls_strp_check_rcv+0x5d6/0x9a0 [tls]
[ 6292.228420][ T3241] Code: 7b 28 eb 41 41 01 c7 41 29 c5 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 f8 01 00 00 48 8b 1b 48 8d 7b 28 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 00 02 00 00 44 3b 7b 28 0f
[ 6292.229083][ T3241] RSP: 0018:ffffc90002867908 EFLAGS: 00010206
[ 6292.229321][ T3241] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffffc082513c
[ 6292.229609][ T3241] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000028
[ 6292.229893][ T3241] RBP: ffff88801b572cd0 R08: ffff88801b572cda R09: fffffbfff5a5b0b8
[ 6292.230170][ T3241] R10: ffffffffad2d85c7 R11: ffffc90002867400 R12: 1ffff9200050cf24
[ 6292.230444][ T3241] R13: 0000000000001e86 R14: dffffc0000000000 R15: 000000000d945df4
[ 6292.230825][ T3241] FS: 00007f8ac258c740(0000) GS:ffff8880bfd17000(0000) knlGS:0000000000000000
[ 6292.231147][ T3241] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6292.231378][ T3241] CR2: 00007f8ac269f110 CR3: 0000000018962005 CR4: 0000000000772ef0
[ 6292.231756][ T3241] PKRU: 55555554
[ 6292.231903][ T3241] Call Trace:
[ 6292.232040][ T3241]
[ 6292.232134][ T3241] ? __pfx_tls_strp_check_rcv+0x10/0x10 [tls]
[ 6292.232371][ T3241] ? __lock_acquire+0x44d/0x7e0
[ 6292.232560][ T3241] tls_rx_rec_wait+0x2c9/0x8d0 [tls]
[ 6292.232751][ T3241] ? sk_psock_get+0xe8/0x310 [tls]
[ 6292.232939][ T3241] ? __pfx_tls_rx_rec_wait+0x10/0x10 [tls]
[ 6292.233269][ T3241] ? sk_psock_get+0xe8/0x310 [tls]
[ 6292.233456][ T3241] ? __pfx_woken_wake_function+0x10/0x10
[ 6292.233640][ T3241] ? __local_bh_enable_ip+0xa9/0x130
[ 6292.233828][ T3241] tls_sw_recvmsg+0x40f/0x1aa0 [tls]
[ 6292.234119][ T3241] ? __pfx_tls_sw_recvmsg+0x10/0x10 [tls]
[ 6292.234306][ T3241] ? do_pte_missing+0x7d0/0xe00
[ 6292.234493][ T3241] inet_recvmsg+0x1c3/0x1f0
[ 6292.234674][ T3241] ? __pfx_inet_recvmsg+0x10/0x10
[ 6292.234959][ T3241] __sys_recvfrom+0x32a/0x3f0
[ 6292.235142][ T3241] ? __pfx___sys_recvfrom+0x10/0x10
[ 6292.235329][ T3241] ? rseq_update_cpu_node_id+0x10c/0x180
[ 6292.235513][ T3241] ? __rseq_handle_notify_resume+0x2b8/0x420
[ 6292.235841][ T3241] ? find_held_lock+0x2b/0x80
[ 6292.236024][ T3241] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 6292.236248][ T3241] ? exc_page_fault+0x5d/0xc0
[ 6292.236429][ T3241] ? xfd_validate_state+0x2c/0x140
[ 6292.236719][ T3241] ? do_user_addr_fault+0x959/0xe00
[ 6292.236904][ T3241] __x64_sys_recvfrom+0xe0/0x1c0
[ 6292.237085][ T3241] ? do_syscall_64+0x85/0x380
[ 6292.237264][ T3241] ? lockdep_hardirqs_on+0x7c/0x110
[ 6292.237445][ T3241] do_syscall_64+0xc1/0x380
[ 6292.237628][ T3241] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 6292.237851][ T3241] RIP: 0033:0x7f8ac269eef0
[ 6292.238040][ T3241] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
[ 6292.238678][ T3241] RSP: 002b:00007ffd7272e458 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 6292.239055][ T3241] RAX: ffffffffffffffda RBX: 0000000000000f99 RCX: 00007f8ac269eef0
[ 6292.239332][ T3241] RDX: 0000000000001f41 RSI: 00007ffd7273cef0 RDI: 0000000000000177
[ 6292.239607][ T3241] RBP: 00007ffd7273ee70 R08: 0000000000000000 R09: 0000000000000000
[ 6292.239984][ T3241] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8ac255e000
[ 6292.240256][ T3241] R13: 00007ffd7273cef0 R14: 00007ffd7273ee84 R15: 00000000010fca1f
[ 6292.240638][ T3241]
[ 6292.240779][ T3241] Modules linked in: chacha chacha_x86_64 libchacha chacha20poly1305 libpoly1305 poly1305_x86_64 tls sch_fq drop_monitor act_gact cls_flower sch_ingress sctp_diag sctp unix_diag bonding xfrm_user macsec vxlan ip6_gre ip_gre gre cls_u32 sch_htb nft_chain_nat xt_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_REJECT ipt_REJECT nft_compat nf_tables [last unloaded: psample]
[ 6292.242123][ T3241] ---[ end trace 0000000000000000 ]---
[ 6292.242426][ T3241] RIP: 0010:tls_strp_check_rcv+0x5d6/0x9a0 [tls]
[ 6292.242665][ T3241] Code: 7b 28 eb 41 41 01 c7 41 29 c5 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 f8 01 00 00 48 8b 1b 48 8d 7b 28 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 00 02 00 00 44 3b 7b 28 0f
[ 6292.245599][ T3241] RSP: 0018:ffffc90002867908 EFLAGS: 00010206
[ 6292.245841][ T3241] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffffc082513c
[ 6292.246108][ T3241] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000028
[ 6292.246377][ T3241] RBP: ffff88801b572cd0 R08: ffff88801b572cda R09: fffffbfff5a5b0b8
[ 6292.246670][ T3241] R10: ffffffffad2d85c7 R11: ffffc90002867400 R12: 1ffff9200050cf24
[ 6292.246939][ T3241] R13: 0000000000001e86 R14: dffffc0000000000 R15: 000000000d945df4
[ 6292.247206][ T3241] FS: 00007f8ac258c740(0000) GS:ffff8880bfd17000(0000) knlGS:0000000000000000
[ 6292.247527][ T3241] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6292.247759][ T3241] CR2: 00007f8ac269f110 CR3: 0000000018962005 CR4: 0000000000772ef0
[ 6292.248038][ T3241] PKRU: 55555554
[ 6292.248176][ T3241] Kernel panic - not syncing: Fatal exception
[ 6292.248607][ T3241] Kernel Offset: 0x25e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 6292.249015][ T3241] ---[ end Kernel panic - not syncing: Fatal exception ]---
WAIT TIMEOUT stderr
Ctrl-C stderr
Ctrl-C stderr
WAIT TIMEOUT stderr
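Reading the two traces together, as an editor's note rather than anything the report itself says: the first report is a 4-byte read at offset 272 into an skb from skbuff_fclone_cache. The skb was allocated by task 3248 on the TLS transmit path (tls_push_sg into tcp_sendmsg_locked) and freed by the reporting task 3241 in tcp_collapse_one, reached through release_sock() from tls_sw_recvmsg; tls_strp_check_rcv, called from the same recvmsg, then read through a pointer into the freed skb. That reads as the TCP receive queue being collapsed under the TLS strparser while it still held a pointer to an old skb. The numbers are self-consistent: 0xffff88800ab07b10 - 0xffff88800ab07a00 = 0x110 = 272, and 0xffff88800ab07a00 + 472 = 0xffff88800ab07bd8. The second oops is a follow-on from the same state, not a separate bug: RBX is 0, RDI is 0x28 and RAX is 5 = 0x28 >> 3, so the faulting load at 0xdffffc0000000005 is the KASAN shadow check (R14 holds the shadow offset 0xdffffc0000000000) for a null-based pointer, which is why the kernel labels it null-ptr-deref in [0x28, 0x2f]. The "? " frames in both traces are stale stack slots and should not be read as callers.

Below is a small triage script, added here as an example and not part of the report or of the kernel tree. It parses a report of this shape, drops the "? " and instrumentation frames, recomputes the offset and region arithmetic above, and summarises which functions allocated and freed the object and whether different tasks did so. The sample input is a constructed, abridged copy of the lines above; the list of instrumentation frames to drop is my own heuristic.

```python
"""Triage helper for KASAN slab-use-after-free reports: added example, not part
of the original report and not kernel code."""
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the report above (same addresses and
# frames), with one instrumentation frame and one "? " frame left in on purpose.
SAMPLE = """\
[ 6292.195385][ T3241] BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 6292.195694][ T3241] Read of size 4 at addr ffff88800ab07b10 by task tls/3241
[ 6292.196107][ T3241] Call Trace:
[ 6292.196198][ T3241]  tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 6292.196209][ T3241]  ? __pfx_tls_strp_check_rcv+0x10/0x10 [tls]
[ 6292.196233][ T3241]  tls_rx_rec_wait+0x2c9/0x8d0 [tls]
[ 6292.196292][ T3241]  tls_sw_recvmsg+0x40f/0x1aa0 [tls]
[ 6292.207379][ T3241] Allocated by task 3248:
[ 6292.207527][ T3241]  kasan_save_stack+0x24/0x50
[ 6292.208571][ T3241]  tcp_stream_alloc_skb+0x30/0x520
[ 6292.208967][ T3241]  tls_push_sg+0x22b/0x880 [tls]
[ 6292.211175][ T3241] Freed by task 3241:
[ 6292.212316][ T3241]  tcp_collapse_one+0xf5/0x1c0
[ 6292.212521][ T3241]  tcp_collapse+0xae2/0x17a0
[ 6292.213913][ T3241]  tls_sw_recvmsg+0x72f/0x1aa0 [tls]
[ 6292.215251][ T3241] The buggy address belongs to the object at ffff88800ab07a00
[ 6292.215251][ T3241]  which belongs to the cache skbuff_fclone_cache of size 472
[ 6292.215784][ T3241] The buggy address is located 272 bytes inside of
[ 6292.215784][ T3241]  freed 472-byte region [ffff88800ab07a00, ffff88800ab07bd8)
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")  # "[ 6292.19][ T3241] "
FRAME = re.compile(r"^(\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Frames that belong to the reporting machinery rather than to the bug (my own list).
NOISE = ("kasan_", "__kasan_", "dump_stack", "print_report", "print_address_description")

@dataclass
class KasanReport:
    kind: str = ""          # e.g. slab-use-after-free
    func: str = ""          # function doing the bad access
    access: str = ""        # Read / Write
    size: int = 0
    addr: int = 0
    obj: int = 0            # start of the slab object
    cache: str = ""
    obj_size: int = 0
    offset: int = -1        # "located N bytes inside of", as printed
    region: tuple = (0, 0)  # "[start, end)", as printed
    alloc_task: str = ""
    free_task: str = ""
    stacks: dict = field(default_factory=dict)  # "access" | "alloc" | "free" -> [symbol]

def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            section = None  # a blank line closes a stack section
        elif m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+)", line):
            r.kind, r.func = m.group(1), m.group(2).split("+")[0]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            r.access, r.size, r.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.offset = int(m.group(1))
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r.region = (int(m.group(1), 16), int(m.group(2), 16))
        elif line == "Call Trace:":
            section = "access"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m.group(1) == "Allocated" else "free"
            setattr(r, section + "_task", m.group(2))
        elif section and (m := FRAME.match(line)):
            # "? " frames are stale stack slots, not real callers: drop them.
            if not m.group(1) and not m.group("sym").startswith(NOISE):
                r.stacks.setdefault(section, []).append(m.group("sym"))
    return r

def triage(r: KasanReport) -> dict:
    """Recompute what the kernel printed, then condense to what decides where to look next."""
    errors = []
    if r.addr - r.obj != r.offset:
        errors.append(f"offset: addr-obj is {r.addr - r.obj}, report says {r.offset}")
    if r.region != (r.obj, r.obj + r.obj_size):
        errors.append(f"region: expected [{r.obj:#x}, {r.obj + r.obj_size:#x}), got {r.region}")
    if not (r.obj <= r.addr and r.addr + r.size <= r.obj + r.obj_size):
        errors.append("access is not fully inside the object")
    alloc, free = r.stacks.get("alloc", []), r.stacks.get("free", [])
    return {
        "bug": f"{r.kind} in {r.func}",
        "object": f"{r.cache}, {r.access.lower()} of {r.size} bytes at +{r.offset}",
        "allocated_in": alloc[0] if alloc else None,
        "freed_in": free[0] if free else None,
        "cross_task": bool(r.alloc_task and r.free_task and r.alloc_task != r.free_task),
        "errors": errors,
    }
```

Run `triage(parse_kasan(SAMPLE))` to get the condensed view; on the sample it reports no arithmetic errors, tcp_stream_alloc_skb as the allocator, tcp_collapse_one as the freer, and cross_task set because tasks 3248 and 3241 differ. Feed it a report whose printed offset does not match the addresses and the `errors` list is the first thing to read, since a mangled or hand-edited report is not worth bisecting.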