[ 3823.888367][T27360] ==================================================================
[ 3823.888751][T27360] BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 3823.889030][T27360] Read of size 4 at addr ffff88800edc2d50 by task tls/27360
[ 3823.889301][T27360]
[ 3823.889405][T27360] CPU: 0 UID: 0 PID: 27360 Comm: tls Not tainted 6.16.0-rc5-virtme #1 PREEMPT(full)
[ 3823.889413][T27360] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 3823.889420][T27360] Call Trace:
[ 3823.889424][T27360] <TASK>
[ 3823.889426][T27360] dump_stack_lvl+0x82/0xd0
[ 3823.889460][T27360] print_address_description.constprop.0+0x2c/0x400
[ 3823.889480][T27360] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 3823.889490][T27360] print_report+0xb4/0x270
[ 3823.889493][T27360] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 3823.889501][T27360] ? kasan_addr_to_slab+0x25/0x80
[ 3823.889505][T27360] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 3823.889513][T27360] kasan_report+0xca/0x100
[ 3823.889519][T27360] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 3823.889529][T27360] tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 3823.889539][T27360] ? __pfx_tls_strp_check_rcv+0x10/0x10 [tls]
[ 3823.889548][T27360] ? __lock_acquire+0x44d/0x7e0
[ 3823.889563][T27360] tls_rx_rec_wait+0x2c9/0x8d0 [tls]
[ 3823.889572][T27360] ? sk_psock_get+0xe8/0x310 [tls]
[ 3823.889581][T27360] ? __pfx_tls_rx_rec_wait+0x10/0x10 [tls]
[ 3823.889589][T27360] ? sk_psock_get+0xe8/0x310 [tls]
[ 3823.889597][T27360] ? __pfx_woken_wake_function+0x10/0x10
[ 3823.889606][T27360] ? __local_bh_enable_ip+0xa9/0x130
[ 3823.889620][T27360] tls_sw_recvmsg+0x40f/0x1aa0 [tls]
[ 3823.889635][T27360] ? __pfx_tls_sw_recvmsg+0x10/0x10 [tls]
[ 3823.889643][T27360] ? do_pte_missing+0x7d0/0xe00
[ 3823.889655][T27360] inet_recvmsg+0x1c3/0x1f0
[ 3823.889671][T27360] ? __pfx_inet_recvmsg+0x10/0x10
[ 3823.889677][T27360] __sys_recvfrom+0x32a/0x3f0
[ 3823.889693][T27360] ? __pfx___sys_recvfrom+0x10/0x10
[ 3823.889700][T27360] ? rseq_update_cpu_node_id+0x10c/0x180
[ 3823.889712][T27360] ? __rseq_handle_notify_resume+0x2b8/0x420
[ 3823.889715][T27360] ? find_held_lock+0x2b/0x80
[ 3823.889723][T27360] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 3823.889727][T27360] ? exc_page_fault+0x5d/0xc0
[ 3823.889735][T27360] ? xfd_validate_state+0x2c/0x140
[ 3823.889744][T27360] ? do_user_addr_fault+0x959/0xe00
[ 3823.889753][T27360] __x64_sys_recvfrom+0xe0/0x1c0
[ 3823.889756][T27360] ? do_syscall_64+0x85/0x380
[ 3823.889763][T27360] ? lockdep_hardirqs_on+0x7c/0x110
[ 3823.889765][T27360] do_syscall_64+0xc1/0x380
[ 3823.889769][T27360] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3823.889777][T27360] RIP: 0033:0x7fd79c8deef0
[ 3823.889781][T27360] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
[ 3823.889784][T27360] RSP: 002b:00007ffe30bd6978 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 3823.889791][T27360] RAX: ffffffffffffffda RBX: 0000000000000f99 RCX: 00007fd79c8deef0
[ 3823.889794][T27360] RDX: 0000000000001f41 RSI: 00007ffe30be5410 RDI: 0000000000000138
[ 3823.889796][T27360] RBP: 00007ffe30be7390 R08: 0000000000000000 R09: 0000000000000000
[ 3823.889798][T27360] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd79c79e000
[ 3823.889800][T27360] R13: 00007ffe30be5410 R14: 00007ffe30be73a4 R15: 000000000104dec5
[ 3823.889806][T27360] </TASK>
[ 3823.889808][T27360]
[ 3823.899652][T27360] Allocated by task 27366:
[ 3823.899831][T27360] kasan_save_stack+0x24/0x50
[ 3823.900014][T27360] kasan_save_track+0x14/0x30
[ 3823.900192][T27360] __kasan_slab_alloc+0x59/0x70
[ 3823.900369][T27360] kmem_cache_alloc_node_noprof+0x110/0x340
[ 3823.900592][T27360] __alloc_skb+0x213/0x2e0
[ 3823.900779][T27360] tcp_stream_alloc_skb+0x30/0x520
[ 3823.900966][T27360] tcp_sendmsg_locked+0xf54/0x3740
[ 3823.901144][T27360] tls_push_sg+0x22b/0x880 [tls]
[ 3823.901328][T27360] tls_tx_records+0x2da/0x750 [tls]
[ 3823.901511][T27360] tls_push_record+0xc25/0x1d20 [tls]
[ 3823.901692][T27360] bpf_exec_tx_verdict+0xc84/0x1360 [tls]
[ 3823.901876][T27360] tls_sw_sendmsg_locked.constprop.0+0xe5c/0x19d0 [tls]
[ 3823.902106][T27360] tls_sw_sendmsg+0x9f/0xe0 [tls]
[ 3823.902287][T27360] __sys_sendto+0x369/0x440
[ 3823.902466][T27360] __x64_sys_sendto+0xe0/0x1c0
[ 3823.902643][T27360] do_syscall_64+0xc1/0x380
[ 3823.902819][T27360] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3823.903041][T27360]
[ 3823.903132][T27360] Freed by task 27360:
[ 3823.903267][T27360] kasan_save_stack+0x24/0x50
[ 3823.903448][T27360] kasan_save_track+0x14/0x30
[ 3823.903631][T27360] kasan_save_free_info+0x3b/0x60
[ 3823.903813][T27360] __kasan_slab_free+0x38/0x50
[ 3823.903988][T27360] kmem_cache_free+0x149/0x330
[ 3823.904166][T27360] tcp_collapse_one+0xf5/0x1c0
[ 3823.904342][T27360] tcp_collapse+0xae2/0x17a0
[ 3823.904521][T27360] tcp_try_rmem_schedule+0x799/0x12e0
[ 3823.904703][T27360] tcp_data_queue+0x553/0x2340
[ 3823.904882][T27360] tcp_rcv_established+0x5e8/0x2370
[ 3823.905059][T27360] tcp_v4_do_rcv+0x4ba/0x8c0
[ 3823.905240][T27360] __release_sock+0x27a/0x390
[ 3823.905420][T27360] release_sock+0x53/0x1d0
[ 3823.905599][T27360] tls_sw_recvmsg+0x72f/0x1aa0 [tls]
[ 3823.905781][T27360] inet_recvmsg+0x1c3/0x1f0
[ 3823.905960][T27360] __sys_recvfrom+0x32a/0x3f0
[ 3823.906139][T27360] __x64_sys_recvfrom+0xe0/0x1c0
[ 3823.906320][T27360] do_syscall_64+0xc1/0x380
[ 3823.906495][T27360] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3823.906714][T27360]
[ 3823.906804][T27360] The buggy address belongs to the object at ffff88800edc2c40
[ 3823.906804][T27360] which belongs to the cache skbuff_fclone_cache of size 472
[ 3823.907279][T27360] The buggy address is located 272 bytes inside of
[ 3823.907279][T27360] freed 472-byte region [ffff88800edc2c40, ffff88800edc2e18)
[ 3823.907711][T27360]
[ 3823.907801][T27360] The buggy address belongs to the physical page:
[ 3823.908017][T27360] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88800edc2f00 pfn:0xedc0
[ 3823.908372][T27360] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 3823.908635][T27360] flags: 0x80000000000240(workingset|head|node=0|zone=1)
[ 3823.908864][T27360] page_type: f5(slab)
[ 3823.909007][T27360] raw: 0080000000000240 ffff8880019a3cc0 ffffea00003f3410 ffffea000067a710
[ 3823.909334][T27360] raw: ffff88800edc2f00 0000000000170015 00000000f5000000 0000000000000000
[ 3823.909644][T27360] head: 0080000000000240 ffff8880019a3cc0 ffffea00003f3410 ffffea000067a710
[ 3823.909962][T27360] head: ffff88800edc2f00 0000000000170015 00000000f5000000 0000000000000000
[ 3823.910270][T27360] head: 0080000000000002 ffffea00003b7001 00000000ffffffff 00000000ffffffff
[ 3823.910579][T27360] head: ffff888000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 3823.910889][T27360] page dumped because: kasan: bad access detected
[ 3823.911113][T27360]
[ 3823.911201][T27360] Memory state around the buggy address:
[ 3823.911371][T27360] ffff88800edc2c00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 3823.911632][T27360] ffff88800edc2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3823.911888][T27360] >ffff88800edc2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3823.912152][T27360] ^
[ 3823.912372][T27360] ffff88800edc2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3823.912628][T27360] ffff88800edc2e00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3823.912883][T27360] ==================================================================
[ 3823.913267][T27360] Disabling lock debugging due to kernel taint
[ 3823.913514][T27360] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN NOPTI
[ 3823.913903][T27360] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 3823.914167][T27360] CPU: 0 UID: 0 PID: 27360 Comm: tls Tainted: G B 6.16.0-rc5-virtme #1 PREEMPT(full)
[ 3823.914498][T27360] Tainted: [B]=BAD_PAGE
[ 3823.914629][T27360] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 3823.914835][T27360] RIP: 0010:tls_strp_check_rcv+0x5d6/0x9a0 [tls]
[ 3823.915054][T27360] Code: 7b 28 eb 41 41 01 c7 41 29 c5 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 f8 01 00 00 48 8b 1b 48 8d 7b 28 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 00 02 00 00 44 3b 7b 28 0f
[ 3823.915641][T27360] RSP: 0018:ffffc90001baf908 EFLAGS: 00010206
[ 3823.915851][T27360] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffffc059413c
[ 3823.916100][T27360] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000028
[ 3823.916352][T27360] RBP: ffff8880099420d0 R08: ffff8880099420da R09: fffffbfff27db0b8
[ 3823.916598][T27360] R10: ffffffff93ed85c7 R11: ffffc90001baf400 R12: 1ffff92000375f24
[ 3823.916851][T27360] R13: 0000000000001e86 R14: dffffc0000000000 R15: 00000000454254b3
[ 3823.917099][T27360] FS: 00007fd79c7cc740(0000) GS:ffff8880d8f97000(0000) knlGS:0000000000000000
[ 3823.917394][T27360] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3823.917605][T27360] CR2: 00007fd79c8df110 CR3: 000000000fe0e003 CR4: 0000000000772ef0
[ 3823.917854][T27360] PKRU: 55555554
[ 3823.917981][T27360] Call Trace:
[ 3823.918106][T27360] <TASK>
[ 3823.918194][T27360] ? __pfx_tls_strp_check_rcv+0x10/0x10 [tls]
[ 3823.918412][T27360] ? __lock_acquire+0x44d/0x7e0
[ 3823.918585][T27360] tls_rx_rec_wait+0x2c9/0x8d0 [tls]
[ 3823.918762][T27360] ? sk_psock_get+0xe8/0x310 [tls]
[ 3823.918935][T27360] ? __pfx_tls_rx_rec_wait+0x10/0x10 [tls]
[ 3823.919143][T27360] ? sk_psock_get+0xe8/0x310 [tls]
[ 3823.919325][T27360] ? __pfx_woken_wake_function+0x10/0x10
[ 3823.919495][T27360] ? __local_bh_enable_ip+0xa9/0x130
[ 3823.919664][T27360] tls_sw_recvmsg+0x40f/0x1aa0 [tls]
[ 3823.919843][T27360] ? __pfx_tls_sw_recvmsg+0x10/0x10 [tls]
[ 3823.920012][T27360] ? do_pte_missing+0x7d0/0xe00
[ 3823.920180][T27360] inet_recvmsg+0x1c3/0x1f0
[ 3823.920347][T27360] ? __pfx_inet_recvmsg+0x10/0x10
[ 3823.920516][T27360] __sys_recvfrom+0x32a/0x3f0
[ 3823.920684][T27360] ? __pfx___sys_recvfrom+0x10/0x10
[ 3823.920953][T27360] ? rseq_update_cpu_node_id+0x10c/0x180
[ 3823.921120][T27360] ? __rseq_handle_notify_resume+0x2b8/0x420
[ 3823.921325][T27360] ? find_held_lock+0x2b/0x80
[ 3823.921593][T27360] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 3823.921797][T27360] ? exc_page_fault+0x5d/0xc0
[ 3823.921962][T27360] ? xfd_validate_state+0x2c/0x140
[ 3823.922128][T27360] ? do_user_addr_fault+0x959/0xe00
[ 3823.922392][T27360] __x64_sys_recvfrom+0xe0/0x1c0
[ 3823.922557][T27360] ? do_syscall_64+0x85/0x380
[ 3823.922722][T27360] ? lockdep_hardirqs_on+0x7c/0x110
[ 3823.922888][T27360] do_syscall_64+0xc1/0x380
[ 3823.923154][T27360] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3823.923365][T27360] RIP: 0033:0x7fd79c8deef0
[ 3823.923533][T27360] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
[ 3823.924218][T27360] RSP: 002b:00007ffe30bd6978 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 3823.924466][T27360] RAX: ffffffffffffffda RBX: 0000000000000f99 RCX: 00007fd79c8deef0
[ 3823.924816][T27360] RDX: 0000000000001f41 RSI: 00007ffe30be5410 RDI: 0000000000000138
[ 3823.925067][T27360] RBP: 00007ffe30be7390 R08: 0000000000000000 R09: 0000000000000000
[ 3823.925420][T27360] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd79c79e000
[ 3823.925667][T27360] R13: 00007ffe30be5410 R14: 00007ffe30be73a4 R15: 000000000104dec5
[ 3823.925919][T27360] </TASK>
[ 3823.926045][T27360] Modules linked in: chacha chacha_x86_64 libchacha chacha20poly1305 libpoly1305 poly1305_x86_64 tls xfrm_user geneve vxlan act_csum act_pedit cls_flower sch_prio openvswitch psample nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nsh
[ 3823.927004][T27360] ---[ end trace 0000000000000000 ]---
[ 3823.927175][T27360] RIP: 0010:tls_strp_check_rcv+0x5d6/0x9a0 [tls]
[ 3823.927395][T27360] Code: 7b 28 eb 41 41 01 c7 41 29 c5 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 f8 01 00 00 48 8b 1b 48 8d 7b 28 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 00 02 00 00 44 3b 7b 28 0f
[ 3823.927986][T27360] RSP: 0018:ffffc90001baf908 EFLAGS: 00010206
[ 3823.928201][T27360] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffffc059413c
[ 3823.928546][T27360] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000028
[ 3823.928796][T27360] RBP: ffff8880099420d0 R08: ffff8880099420da R09: fffffbfff27db0b8
[ 3823.929044][T27360] R10: ffffffff93ed85c7 R11: ffffc90001baf400 R12: 1ffff92000375f24
[ 3823.929305][T27360] R13: 0000000000001e86 R14: dffffc0000000000 R15: 00000000454254b3
[ 3823.929554][T27360] FS: 00007fd79c7cc740(0000) GS:ffff8880d8f97000(0000) knlGS:0000000000000000
[ 3823.929845][T27360] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3823.930054][T27360] CR2: 00007fd79c8df110 CR3: 000000000fe0e003 CR4: 0000000000772ef0
[ 3823.930305][T27360] PKRU: 55555554
[ 3823.930431][T27360] Kernel panic - not syncing: Fatal exception
[ 3823.930965][T27360] Kernel Offset: 0xca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 3823.931344][T27360] ---[ end Kernel panic - not syncing: Fatal exception ]---
WAIT TIMEOUT stderr
Ctrl-C stderr
Ctrl-C stderr
WAIT TIMEOUT stderr
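Triage of a report like the one above can be mechanised. What follows is an added example, not part of the original log and not code from the kernel tree: a small parser that pulls out the fields a triager reads first from a KASAN slab report (bug class, faulting function and module, access kind and size, the allocating and freeing tasks together with the first frame of each stack that is not KASAN or allocator plumbing, and the offset of the access inside the object). It runs on a condensed excerpt of the report above, embedded inline; the NOISE list of frames to skip, the result field names and the summary wording are this example's own choices.

```python
"""Pull the triage-relevant fields out of a KASAN slab report.

Added example for the report above; not code from the original log or from
the kernel tree. Field names and the NOISE list are this example's choices.
"""
import re

# Constructed sample: a condensed excerpt of the report above, with the
# dmesg "[ time][Tpid]" prefix kept exactly as the log prints it.
SAMPLE = """\
[ 3823.888367][T27360] ==================================================================
[ 3823.888751][T27360] BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 3823.889030][T27360] Read of size 4 at addr ffff88800edc2d50 by task tls/27360
[ 3823.889420][T27360] Call Trace:
[ 3823.889426][T27360] dump_stack_lvl+0x82/0xd0
[ 3823.889480][T27360] ? tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 3823.889529][T27360] tls_strp_check_rcv+0x898/0x9a0 [tls]
[ 3823.889563][T27360] tls_rx_rec_wait+0x2c9/0x8d0 [tls]
[ 3823.889620][T27360] tls_sw_recvmsg+0x40f/0x1aa0 [tls]
[ 3823.889806][T27360]
[ 3823.899652][T27360] Allocated by task 27366:
[ 3823.899831][T27360] kasan_save_stack+0x24/0x50
[ 3823.900592][T27360] __alloc_skb+0x213/0x2e0
[ 3823.900779][T27360] tcp_stream_alloc_skb+0x30/0x520
[ 3823.901144][T27360] tls_push_sg+0x22b/0x880 [tls]
[ 3823.903041][T27360]
[ 3823.903132][T27360] Freed by task 27360:
[ 3823.903267][T27360] kasan_save_stack+0x24/0x50
[ 3823.903988][T27360] kmem_cache_free+0x149/0x330
[ 3823.904166][T27360] tcp_collapse_one+0xf5/0x1c0
[ 3823.904342][T27360] tcp_collapse+0xae2/0x17a0
[ 3823.905420][T27360] release_sock+0x53/0x1d0
[ 3823.905599][T27360] tls_sw_recvmsg+0x72f/0x1aa0 [tls]
[ 3823.906714][T27360]
[ 3823.906804][T27360] which belongs to the cache skbuff_fclone_cache of size 472
[ 3823.907279][T27360] The buggy address is located 272 bytes inside of
[ 3823.907279][T27360] freed 472-byte region [ffff88800edc2c40, ffff88800edc2e18)
[ 3823.912883][T27360] ==================================================================
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[T\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
SECTION = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<task>\d+):$")
FRAME = re.compile(r"^(?P<spec>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?$")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")

# Frames that belong to KASAN, the stack dumper or the allocator itself; they
# tell you nothing about which code path is at fault. Example's own list.
NOISE = ("kasan_", "__kasan", "dump_stack", "print_report", "print_address_description",
         "kmem_cache_", "__alloc_skb", "kmalloc", "__kmalloc", "slab_")


def parse_kasan(text):
    r = {"kind": None, "func": None, "module": None, "op": None, "size": None,
         "addr": None, "task": None, "stack": [],
         "alloc": {"task": None, "stack": []}, "free": {"task": None, "stack": []},
         "cache": None, "object_size": None, "offset": None}
    frames = None  # the list currently receiving stack frames, if any
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("=====") and r["kind"]:
            break  # closing rule of the first report; ignore any later oops
        if not line:
            frames = None  # a blank line ends an alloc/free stack
            continue
        if m := BUG.search(line):
            r["kind"], r["func"], r["module"] = m["kind"], m["func"], m["mod"]
        elif m := ACCESS.search(line):
            r["op"], r["size"], r["addr"], r["task"] = m["op"], int(m["size"]), m["addr"], m["task"]
        elif line == "Call Trace:":
            frames = r["stack"]
        elif m := SECTION.match(line):
            key = "alloc" if m["which"] == "Allocated" else "free"
            r[key]["task"] = m["task"]
            frames = r[key]["stack"]
        elif m := CACHE.search(line):
            r["cache"], r["object_size"] = m["cache"], int(m["size"])
        elif m := OFFSET.search(line):
            r["offset"] = int(m["off"])
        elif frames is not None and (m := FRAME.match(line)):
            # (function, module, speculative): "? " frames are stale stack
            # slots the unwinder could not verify and must not be trusted.
            frames.append((m["func"], m["mod"], bool(m["spec"])))
    return r


def first_real_frame(stack):
    """First verified frame that is not KASAN/allocator plumbing: the code to look at."""
    for func, _mod, speculative in stack:
        if speculative or func.startswith(NOISE):
            continue
        return func
    return None


def summarize(r):
    where = f"{r['func']} [{r['module']}]" if r["module"] else r["func"]
    out = [f"{r['kind']}: {r['op']} of size {r['size']} in {where}, "
           f"{r['offset']} bytes into a {r['object_size']}-byte {r['cache']} object"]
    for key, verb in (("alloc", "allocated"), ("free", "freed")):
        if r[key]["task"] is not None:
            out.append(f"  {verb} by task {r[key]['task']} in {first_real_frame(r[key]['stack'])}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE)))
```

On the excerpt this reduces the report to: a 4-byte read in tls_strp_check_rcv [tls], 272 bytes into a 472-byte skbuff_fclone_cache object, allocated by task 27366 in tcp_stream_alloc_skb (reached from tls_push_sg on the TLS send path) and freed by task 27360 in tcp_collapse_one, which the full stack shows being reached from release_sock inside tls_sw_recvmsg. That pairing, the receive path collapsing the queue while the TLS strparser still holds a pointer into the collapsed skb, is what the stacks in the report document; the parser only makes it visible at a glance. Frames prefixed with "?" are skipped when picking the frame to look at, since the unwinder could not verify them.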