Skip to content

tcp: skip RST in resetConnectionLocked when snd/rcv are nil#12567

Merged
copybara-service[bot] merged 2 commits intogoogle:masterfrom
nt:claude/fix-turbine-orch-error-X0OIm
Feb 6, 2026
Merged

tcp: skip RST in resetConnectionLocked when snd/rcv are nil#12567
copybara-service[bot] merged 2 commits intogoogle:masterfrom
nt:claude/fix-turbine-orch-error-X0OIm

Conversation

@nt
Copy link
Contributor

@nt nt commented Jan 30, 2026
edited
Loading

resetConnectionLocked dereferences e.snd to compute the RST sequence number, but snd (and rcv) are only initialized when the TCP handshake completes in transitionToStateEstablishedLocked. Endpoints still in StateSynSent or StateSynRecv have nil snd/rcv, and calling resetConnectionLocked on them (e.g. from beforeSave during checkpoint) panics with a nil pointer dereference.

Guard the RST-sending block behind a nil check on e.snd. The rest of the function (set hardError, purge queues, cleanup, transition to StateError) is still unconditionally executed.

This address the following crash:

encoding error: runtime error: invalid memory address or nil pointer dereference:
goroutine 3057 [running]:
gvisor.dev/gvisor/pkg/state.safely.func1()
\tpkg/state/state.go:309 +0x170
panic({0x124f2a0?, 0x31fb280?})
\tGOROOT/src/runtime/panic.go:792 +0x132
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).resetConnectionLocked(0xc000a7d508, {0x1685100?, 0x324f8a0?})
\tpkg/tcpip/transport/tcp/connect.go:1084 +0x84
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).beforeSave(0xc000a7d508)
\tpkg/tcpip/transport/tcp/endpoint_state.go:59 +0x188
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).StateSave(0xc000a7d508, {{0xc001139c08?, 0xc0016e4f48?}})
\tbazel-out/k8-opt/bin/pkg/tcpip/transport/tcp/tcp_state_autogen.go:504 +0x4a
gvisor.dev/gvisor/pkg/state.(*encodeState).encodeStruct(0xc001139c08, {0x144da00, 0xc000a7d508, 0x199}, 0xc0014dc9e0)
\tpkg/state/encode.go:536 +0x58e
gvisor.dev/gvisor/pkg/state.(*encodeState).encodeObject(0xc001139c08, {0x144da00?, 0xc000a7d508?, 0xc000bb0008?}, 0x0, 0xc0014dc9e0)
\tpkg/state/encode.go:733 +0x5e5
gvisor.dev/gvisor/pkg/state.(*encodeState).Save.func2()
\tpkg/state/encode.go:770 +0x8b
gvisor.dev/gvisor/pkg/state.safely(0xc001139c08?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.(*encodeState).Save(0xc001139c08, {0x144e140?, 0xc000004408?, 0xc001139c08?})
\tpkg/state/encode.go:763 +0x1eb
gvisor.dev/gvisor/pkg/state.Save.func1()
\tpkg/state/state.go:104 +0x8e
gvisor.dev/gvisor/pkg/state.safely(0xa694fe?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.Save({0x7e8a46be5fe0, 0xc000a92740}, {0x7e89c478fc78, 0xc001a16880}, {0x144e8a0, 0xc000004408})
\tpkg/state/state.go:103 +0x1c5
gvisor.dev/gvisor/pkg/sentry/kernel.(*Kernel).SaveTo(0xc000004408, {0x1697558, 0xc000a92740}, {0x1674740, 0xc001a16880}, {0x0, 0x0}, {0x0, 0x0}, 0x0, ...)
\tpkg/sentry/kernel/kernel.go:710 +0xd6a
gvisor.dev/gvisor/pkg/sentry/state.(*SaveOpts).Save(0xc0003b2e40, {0x1697558, 0xc000a92740}, 0xc000004408, 0xc0002ce180)
\tpkg/sentry/state/state.go:109 +0x325
gvisor.dev/gvisor/pkg/sentry/control.(*State).SaveWithOpts(0xc001337530, 0xc0003b2e40, 0x1466f14?)
\tpkg/sentry/control/state.go:180 +0xb2
gvisor.dev/gvisor/runsc/boot.(*Loader).saveWithOpts(0xc000384008, 0xc0003b2e40, 0xc001490128)
\trunsc/boot/restore.go:453 +0x265
gvisor.dev/gvisor/runsc/boot.(*Loader).save(0xc000384008, 0xc0014900e0)
\trunsc/boot/restore.go:419 +0x89
gvisor.dev/gvisor/runsc/boot.(*containerManager).Checkpoint(0xc000220740, 0xc0014900e0, 0x0?)
\trunsc/boot/controller.go:464 +0x52
reflect.Value.call({0xc0002be660?, 0xc0001fc7a0?, 0xc00063dc18?}, {0x145ae28, 0x4}, {0xc00063dea8, 0x3, 0xc00063dc48?})
\tGOROOT/src/reflect/value.go:584 +0xca6
reflect.Value.Call({0xc0002be660?, 0xc0001fc7a0?, 0xf0?}, {0xc00063dea8?, 0xc0014900e0?, 0x16?})
\tGOROOT/src/reflect/value.go:368 +0xb9
gvisor.dev/gvisor/pkg/urpc.(*Server).handleOne(0xc0002d81e0, 0xc0012a2180)
\tpkg/urpc/urpc.go:343 +0x731
gvisor.dev/gvisor/pkg/urpc.(*Server).handleRegistered(...)
\tpkg/urpc/urpc.go:454
gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling.func1()
\tpkg/urpc/urpc.go:474 +0x67
created by gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling in goroutine 392
\tpkg/urpc/urpc.go:472 +0x6b

for object tcp.Endpoint{TCPEndpointStateInner:tcp.TCPEndpointStateInner{TSOffset:tcp.TSOffset{milliseconds:0x8020a5db}, SACKPermitted:false, SendTSOk:false, RecentTS:0x0}, TransportEndpointInfo:stack.TransportEndpointInfo{NetProto:0x800, TransProto:0x6, ID:stack.TransportEndpointID{LocalPort:0x873b, LocalAddress:tcpip.Address{addr:[16]uint8{0x15, 0x0, 0x1, 0xf2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, RemotePort:0x1bb, RemoteAddress:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}}, BindNICID:0, BindAddr:tcpip.Address{addr:[16]uint8{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:0}, RegisterNICID:0}, DefaultSocketOptionsHandler:tcpip.DefaultSocketOptionsHandler{}, endpointEntry:tcp.endpointEntry{next:(*tcp.Endpoint)(nil), prev:(*tcp.Endpoint)(nil)}, pendingProcessingMu:tcp.pendingProcessingMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, pendingProcessing:false, stack:(*stack.Stack)(0xc000581808), protocol:(*tcp.protocol)(0xc0003cb0e0), waiterQueue:(*waiter.Queue)(0xc00230cde0), hardError:(*tcpip.ErrConnectionAborted)(0x324f8a0), lastErrorMu:tcp.lastErrorMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, lastError:tcpip.Error(nil), rcvQueueMu:tcp.rcvQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, TCPRcvBufState:tcp.TCPRcvBufState{RcvBufUsed:0, RcvAutoParams:tcp.RcvBufAutoTuneParams{MeasureTime:tcpip.MonotonicTime{nanoseconds:0}, CopiedBytes:0, PrevCopiedBytes:0, RcvBufSize:0, RTT:0, RTTVar:0, RTTMeasureSeqNumber:0x0, RTTMeasureTime:tcpip.MonotonicTime{nanoseconds:0}, Disabled:false}, RcvClosed:false}, rcvMemUsed:atomicbitops.Int32{:sync.NoCopy{}, value:0}, mu:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}, ownedByUser:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, rcvQueue:tcp.segmentList{head:(*tcp.segment)(nil), tail:(*tcp.segment)(nil)}, state:atomicbitops.Uint32{:sync.NoCopy{}, value:0x2}, connectionDirectionState:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, origEndpointState:0x0, isPortReserved:true, isRegistered:true, boundNICID:0, route:(*stack.Route)(0xc00085a300), ipv4TTL:0x0, ipv6HopLimit:-1, isConnectNotified:false, h:(*tcp.handshake)(0xc000987c20), portFlags:ports.Flags{MostRecent:false, LoadBalanced:false, TupleOnly:false}, boundBindToDevice:0, boundPortFlags:ports.Flags{MostRecent:false, LoadBalanced:false, TupleOnly:false}, boundDest:tcpip.FullAddress{NIC:0, Addr:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, Port:0x1bb, LinkAddr:""}, effectiveNetProtos:[]tcpip.NetworkProtocolNumber{0x800}, recentTSTime:tcpip.MonotonicTime{nanoseconds:0}, shutdownFlags:0, tcpRecovery:0, sack:tcp.SACKInfo{Blocks:[6]header.SACKBlock{header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}}, NumBlocks:0}, delay:0x0, scoreboard:(*tcp.SACKScoreboard)(nil), segmentQueue:tcp.segmentQueue{mu:tcp.segmentQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, list:tcp.segmentList{head:(*tcp.segment)(nil), tail:(*tcp.segment)(nil)}, ep:(*tcp.Endpoint)(0xc000a7d508), frozen:true}, userMSS:0x0, maxSynRetries:0x6, windowClamp:0x100000, sndQueueInfo:tcp.sndQueueInfo{sndQueueMu:tcp.sndQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, TCPSndBufState:tcp.TCPSndBufState{SndBufSize:0, SndBufUsed:0, SndClosed:false, PacketTooBigCount:0, SndMTU:2147483647, AutoTuneSndBufDisabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}}}, cc:"reno", keepalive:tcp.keepalive{keepaliveMutex:tcp.keepaliveMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, idle:7200000000000, interval:75000000000, count:9, unacked:0, timer:tcp.timer{state:1, clock:(*kernel.Timekeeper)(0xc000413e30), target:tcpip.MonotonicTime{nanoseconds:0}, clockTarget:tcpip.MonotonicTime{nanoseconds:0}, timer:tcpip.Timer(nil), callback:(func())(0xb8d7c0)}, waker:sleep.Waker{:sync.NoCopy{}, s:(unsafe.Pointer)(nil), next:(*sleep.Waker)(nil), allWakersNext:(*sleep.Waker)(nil)}}, userTimeout:0, deferAccept:0, acceptMu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, acceptQueue:tcp.acceptQueue{endpoints:list.List{root:list.Element{next:(*list.Element)(nil), prev:(*list.Element)(nil), list:(*list.List)(nil), Value:interface {}(nil)}, len:0}, pendingEndpoints:map[*tcp.Endpoint]struct {}(nil), capacity:0}, rcv:(*tcp.receiver)(nil), snd:(*tcp.sender)(nil), drainDone:(chan struct {})(nil), undrain:(chan struct {})(nil), probe:(tcp.TCPProbeFunc)(nil), connectingAddress:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, amss:0x5b4, sendTOS:0x0, gso:stack.GSO{Type:1, NeedsCsum:true, CsumOffset:0x10, MSS:0x0, L3HdrLen:0x14, MaxSize:0x10000}, stats:tcp.Stats{SegmentsReceived:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, SegmentsSent:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x6}}, FailedConnectionAttempts:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ReceiveErrors:tcp.ReceiveErrors{ReceiveErrors:tcpip.ReceiveErrors{ReceiveBufferOverflow:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, MalformedPacketsReceived:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ClosedReceiver:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ChecksumErrors:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SegmentQueueDropped:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ChecksumErrors:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ListenOverflowSynDrop:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ListenOverflowAckDrop:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ZeroRcvWindowState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, WantZeroRcvWindow:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, ReadErrors:tcpip.ReadErrors{ReadClosed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidEndpointState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, NotConnected:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SendErrors:tcp.SendErrors{SendErrors:tcpip.SendErrors{SendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, NoRoute:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SegmentSendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, SynSendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, Retransmits:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, FastRetransmit:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, Timeouts:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, WriteErrors:tcpip.WriteErrors{WriteClosed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidEndpointState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidArgs:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}}, tcpLingerTimeout:60000000000, closed:false, txHash:0xde1870cc, owner:(*kernel.Task)(0xc001505908), ops:tcpip.SocketOptions{handler:(*tcp.Endpoint)(0xc000a7d508), stackHandler:(*stack.Stack)(0xc000581808), broadcastEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, passCredEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, noChecksumEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, reuseAddressEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, reusePortEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, keepAliveEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, multicastLoopEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, receiveTOSEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveTTLEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveHopLimitEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveTClassEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receivePacketInfoEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveIPv6PacketInfoEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, hdrIncludedEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, v6OnlyEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, quickAckEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, delayOptionEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, corkOptionEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveOriginalDstAddress:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, ipv4RecvErrEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, ipv6RecvErrEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, errQueueMu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, errQueue:tcpip.sockErrorList{head:(*tcpip.SockError)(nil), tail:(*tcpip.SockError)(nil)}, bindToDevice:atomicbitops.Int32{:sync.NoCopy{}, value:0}, getSendBufferLimits:(tcpip.GetSendBufferLimits)(0xb98f20), sendBufferSize:atomicbitops.Int64{:sync.NoCopy{}, value:1048576}, getReceiveBufferLimits:(tcpip.GetReceiveBufferLimits)(0xb99180), receiveBufferSize:atomicbitops.Int64{:sync.NoCopy{}, value:1048576}, mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, linger:tcpip.LingerOption{Enabled:false, Timeout:0}, rcvlowat:atomicbitops.Int32{:sync.NoCopy{}, value:0}, experimentOptionValue:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}}, lastOutOfWindowAckTime:tcpip.MonotonicTime{nanoseconds:0}, finWait2Timer:tcpip.Timer(nil), timeWaitTimer:tcpip.Timer(nil), listenCtx:(*tcp.listenContext)(nil), limRdr:(*io.LimitedReader)(0xc001bd9ce0), pmtud:0, alsoBindToV4:false}:
goroutine 3057 [running]:
gvisor.dev/gvisor/pkg/state.safely.func1()
\tpkg/state/state.go:309 +0x170
panic({0x125bf80?, 0xc001595e20?})
\tGOROOT/src/runtime/panic.go:792 +0x132
gvisor.dev/gvisor/pkg/state.Failf(...)
\tpkg/state/state.go:269
gvisor.dev/gvisor/pkg/state.(*encodeState).Save(0xc001139c08, {0x144e140?, 0xc000004408?, 0xc001139c08?})
\tpkg/state/encode.go:774 +0x427
gvisor.dev/gvisor/pkg/state.Save.func1()
\tpkg/state/state.go:104 +0x8e
gvisor.dev/gvisor/pkg/state.safely(0xa694fe?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.Save({0x7e8a46be5fe0, 0xc000a92740}, {0x7e89c478fc78, 0xc001a16880}, {0x144e8a0, 0xc000004408})
\tpkg/state/state.go:103 +0x1c5
gvisor.dev/gvisor/pkg/sentry/kernel.(*Kernel).SaveTo(0xc000004408, {0x1697558, 0xc000a92740}, {0x1674740, 0xc001a16880}, {0x0, 0x0}, {0x0, 0x0}, 0x0, ...)
\tpkg/sentry/kernel/kernel.go:710 +0xd6a
gvisor.dev/gvisor/pkg/sentry/state.(*SaveOpts).Save(0xc0003b2e40, {0x1697558, 0xc000a92740}, 0xc000004408, 0xc0002ce180)
\tpkg/sentry/state/state.go:109 +0x325
gvisor.dev/gvisor/pkg/sentry/control.(*State).SaveWithOpts(0xc001337530, 0xc0003b2e40, 0x1466f14?)
\tpkg/sentry/control/state.go:180 +0xb2
gvisor.dev/gvisor/runsc/boot.(*Loader).saveWithOpts(0xc000384008, 0xc0003b2e40, 0xc001490128)
\trunsc/boot/restore.go:453 +0x265
gvisor.dev/gvisor/runsc/boot.(*Loader).save(0xc000384008, 0xc0014900e0)
\trunsc/boot/restore.go:419 +0x89
gvisor.dev/gvisor/runsc/boot.(*containerManager).Checkpoint(0xc000220740, 0xc0014900e0, 0x0?)
\trunsc/boot/controller.go:464 +0x52
reflect.Value.call({0xc0002be660?, 0xc0001fc7a0?, 0xc00063dc18?}, {0x145ae28, 0x4}, {0xc00063dea8, 0x3, 0xc00063dc48?})
\tGOROOT/src/reflect/value.go:584 +0xca6
reflect.Value.Call({0xc0002be660?, 0xc0001fc7a0?, 0xf0?}, {0xc00063dea8?, 0xc0014900e0?, 0x16?})
\tGOROOT/src/reflect/value.go:368 +0xb9
gvisor.dev/gvisor/pkg/urpc.(*Server).handleOne(0xc0002d81e0, 0xc0012a2180)
\tpkg/urpc/urpc.go:343 +0x731
gvisor.dev/gvisor/pkg/urpc.(*Server).handleRegistered(...)
\tpkg/urpc/urpc.go:454
gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling.func1()
\tpkg/urpc/urpc.go:474 +0x67
created by gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling in goroutine 392
\tpkg/urpc/urpc.go:472 +0x6b

0130 11:50:36.087642       1 cli.go:189] Version release-20250820.0-120-g6bf3c4885132-dirty, go1.24.1, amd64, 180 CPUs, linux, PID 1, PPID 0, UID 0, GID 0
D0130 11:50:36.087661       1 cli.go:190] Page size: 0x1000 (4096 bytes)
I0130 11:50:36.087676       1 cli.go:191] Args: [runsc-sandbox --root=/var/run/runsc --debug=true --debug-log=/dev/shm/sandboxing-debug/meager-eager-tidy-chin/runsc/ --file-access=shared --overlay2=none --network=sandbox --net-raw=true --net-disconnect-ok=true --systrap-disable-syscall-patching=true --debug-log-fd=3 boot --bundle=/dev/shm/sandboxing/meager-eager-tidy-chin --gofer-mount-confs=lisafs:none,lisafs:none,lisafs:none --apply-caps=true --setup-root --total-host-memory 760451858432 --cpu-num 4 --total-memory 74088185856 --attached --io-fds=4 --io-fds=5 --io-fds=6 --dev-io-fd=-1 --mounts-fd=7 --start-sync-fd=8 --controller-fd=9 --spec-fd=10 --stdio-fds=11 --stdio-fds=12 --stdio-fds=13 meager-eager-tidy-chin]
I0130 11:50:36.087706       1 config.go:461] Platform: systrap
I0130 11:50:36.087735       1 config.go:462] RootDir: /var/run/runsc
I0130 11:50:36.087747       1 config.go:463] FileAccess: shared / Directfs: true / Overlay: none
I0130 11:50:36.087762       1 config.go:464] Network: sandbox
I0130 11:50:36.087774       1 config.go:466] Debug: true. Strace: false, max size: 1024, syscalls: 
W0130 11:50:36.087785       1 config.go:469] --allow-suid is disabled, SUID/SGID bits on executables will be ignored.
D0130 11:50:36.087799       1 config.go:487] Config.RootDir (--root): /var/run/runsc
D0130 11:50:36.087813       1 config.go:487] Config.Traceback (--traceback): system
D0130 11:50:36.087831       1 config.go:487] Config.Debug (--debug): true
D0130 11:50:36.087842       1 config.go:487] Config.LogFilename (--log): (empty)
D0130 11:50:36.087877       1 config.go:487] Config.LogFormat (--log-format): text
D0130 11:50:36.087887       1 config.go:487] Config.DebugLog (--debug-log): /dev/shm/sandboxing-debug/meager-eager-tidy-chin/runsc/
D0130 11:50:36.087898       1 config.go:487] Config.DebugToUserLog (--debug-to-user-log): false
D0130 11:50:36.087908       1 config.go:487] Config.DebugCommand (--debug-command): (empty)
D0130 11:50:36.087918       1 config.go:487] Config.PanicLog (--panic-log): (empty)
D0130 11:50:36.087932       1 config.go:487] Config.CoverageReport (--coverage-report): (empty)
D0130 11:50:36.087942       1 config.go:487] Config.DebugLogFormat (--debug-log-format): text
D0130 11:50:36.087953       1 config.go:487] Config.FileAccess (--file-access): shared
D0130 11:50:36.087965       1 config.go:487] Config.FileAccessMounts (--file-access-mounts): shared
D0130 11:50:36.087975       1 config.go:487] Config.Overlay (--overlay): false
D0130 11:50:36.087986       1 config.go:487] Config.Overlay2 (--overlay2): none
D0130 11:50:36.087997       1 config.go:487] Config.FSGoferHostUDS (--fsgofer-host-uds): false
D0130 11:50:36.088014       1 config.go:487] Config.HostUDS (--host-uds): none
D0130 11:50:36.088031       1 config.go:487] Config.HostFifo (--host-fifo): none
D0130 11:50:36.088043       1 config.go:487] Config.HostSettings (--host-settings): check
D0130 11:50:36.088052       1 config.go:487] Config.Network (--network): sandbox
D0130 11:50:36.088060       1 config.go:487] Config.EnableRaw (--net-raw): true
D0130 11:50:36.088067       1 config.go:487] Config.AllowPacketEndpointWrite (--TESTONLY-allow-packet-endpoint-write): false
D0130 11:50:36.088075       1 config.go:487] Config.HostGSO (--gso): true
D0130 11:50:36.088082       1 config.go:487] Config.GVisorGSO (--software-gso): true
D0130 11:50:36.088090       1 config.go:487] Config.GVisorGRO (--gvisor-gro): false
D0130 11:50:36.088097       1 config.go:487] Config.TXChecksumOffload (--tx-checksum-offload): false
D0130 11:50:36.088105       1 config.go:487] Config.RXChecksumOffload (--rx-checksum-offload): true
D0130 11:50:36.088113       1 config.go:487] Config.QDisc (--qdisc): fifo
D0130 11:50:36.088121       1 config.go:487] Config.LogPackets (--log-packets): false
D0130 11:50:36.088132       1 config.go:487] Config.PCAP (--pcap-log): (empty)
D0130 11:50:36.088148       1 config.go:487] Config.Platform (--platform): systrap
D0130 11:50:36.088159       1 config.go:487] Config.PlatformDevicePath (--platform_device_path): (empty)
D0130 11:50:36.088170       1 config.go:487] Config.MetricServer (--metric-server): (empty)
D0130 11:50:36.088181       1 config.go:487] Config.FinalMetricsLog (--final-metrics-log): (empty)
D0130 11:50:36.088190       1 config.go:487] Config.ProfilingMetrics (--profiling-metrics): (empty)
D0130 11:50:36.088199       1 config.go:487] Config.ProfilingMetricsLog (--profiling-metrics-log): (empty)
D0130 11:50:36.088209       1 config.go:487] Config.ProfilingMetricsRate (--profiling-metrics-rate-us): 1000
D0130 11:50:36.088219       1 config.go:487] Config.Strace (--strace): false
D0130 11:50:36.088228       1 config.go:487] Config.StraceSyscalls (--strace-syscalls): (empty)
D0130 11:50:36.088238       1 config.go:487] Config.StraceLogSize (--strace-log-size): 1024
D0130 11:50:36.088247       1 config.go:487] Config.StraceEvent (--strace-event): false
D0130 11:50:36.088255       1 config.go:489] Config.DisableSeccomp: false
D0130 11:50:36.088272       1 config.go:487] Config.EnableCoreTags (--enable-core-tags): false
D0130 11:50:36.088285       1 config.go:487] Config.WatchdogAction (--watchdog-action): logWarning
D0130 11:50:36.088302       1 config.go:487] Config.PanicSignal (--panic-signal): -1
D0130 11:50:36.088312       1 config.go:487] Config.ProfileEnable (--profile): false
D0130 11:50:36.088322       1 config.go:487] Config.ProfileBlock (--profile-block): (empty)
D0130 11:50:36.088333       1 config.go:487] Config.ProfileCPU (--profile-cpu): (empty)
D0130 11:50:36.088343       1 config.go:487] Config.ProfileGCInterval (--profile-gc-interval): 0s
D0130 11:50:36.088359       1 config.go:487] Config.ProfileHeap (--profile-heap): (empty)
D0130 11:50:36.088369       1 config.go:487] Config.ProfileMutex (--profile-mutex): (empty)
D0130 11:50:36.088379       1 config.go:487] Config.TraceFile (--trace): (empty)
D0130 11:50:36.088393       1 config.go:487] Config.NumNetworkChannels (--num-network-channels): 1
D0130 11:50:36.088404       1 config.go:487] Config.NetworkProcessorsPerChannel (--network-processors-per-channel): 0
D0130 11:50:36.088414       1 config.go:487] Config.Rootless (--rootless): false
D0130 11:50:36.088424       1 config.go:487] Config.AlsoLogToStderr (--alsologtostderr): false
D0130 11:50:36.088436       1 config.go:487] Config.ReferenceLeak (--ref-leak-mode): disabled
D0130 11:50:36.088447       1 config.go:487] Config.CPUNumFromQuota (--cpu-num-from-quota): true
D0130 11:50:36.088457       1 config.go:487] Config.AllowFlagOverride (--allow-flag-override): false
D0130 11:50:36.088466       1 config.go:487] Config.OCISeccomp (--oci-seccomp): false
D0130 11:50:36.088475       1 config.go:487] Config.IgnoreCgroups (--ignore-cgroups): false
D0130 11:50:36.088485       1 config.go:487] Config.SystemdCgroup (--systemd-cgroup): false
D0130 11:50:36.088496       1 config.go:487] Config.PodInitConfig (--pod-init-config): (empty)
D0130 11:50:36.088503       1 config.go:487] Config.BufferPooling (--buffer-pooling): true
D0130 11:50:36.088511       1 config.go:487] Config.XDP (--EXPERIMENTAL-xdp): {0 }
D0130 11:50:36.088520       1 config.go:487] Config.AFXDPUseNeedWakeup (--EXPERIMENTAL-xdp-need-wakeup): true
D0130 11:50:36.088528       1 config.go:487] Config.FDLimit (--fdlimit): -1
D0130 11:50:36.088535       1 config.go:487] Config.DCache (--dcache): -1
D0130 11:50:36.088544       1 config.go:487] Config.IOUring (--iouring): false
D0130 11:50:36.088554       1 config.go:487] Config.DirectFS (--directfs): true
D0130 11:50:36.088564       1 config.go:487] Config.AppHugePages (--app-huge-pages): true
D0130 11:50:36.088574       1 config.go:487] Config.NVProxy (--nvproxy): false
D0130 11:50:36.088583       1 config.go:487] Config.NVProxyDocker (--nvproxy-docker): false
D0130 11:50:36.088592       1 config.go:487] Config.NVProxyDriverVersion (--nvproxy-driver-version): (empty)
D0130 11:50:36.088609       1 config.go:487] Config.NVProxyAllowedDriverCapabilities (--nvproxy-allowed-driver-capabilities): utility,compute
D0130 11:50:36.088618       1 config.go:487] Config.TPUProxy (--tpuproxy): false
D0130 11:50:36.088630       1 config.go:487] Config.TestOnlyAllowRunAsCurrentUserWithoutChroot (--TESTONLY-unsafe-nonroot): false
D0130 11:50:36.088637       1 config.go:487] Config.TestOnlyTestNameEnv (--TESTONLY-test-name-env): (empty)
D0130 11:50:36.088645       1 config.go:487] Config.TestOnlyAFSSyscallPanic (--TESTONLY-afs-syscall-panic): false
D0130 11:50:36.088653       1 config.go:489] Config.explicitlySet: <map[string]struct {} Value> (unexported)
D0130 11:50:36.088661       1 config.go:487] Config.ReproduceNAT (--reproduce-nat): false
D0130 11:50:36.088669       1 config.go:487] Config.ReproduceNftables (--reproduce-nftables): false
D0130 11:50:36.088681       1 config.go:487] Config.NetDisconnectOk (--net-disconnect-ok): true
D0130 11:50:36.088689       1 config.go:487] Config.TestOnlyAutosaveImagePath (--TESTONLY-autosave-image-path): (empty)
D0130 11:50:36.088697       1 config.go:487] Config.TestOnlyAutosaveResume (--TESTONLY-autosave-resume): false
D0130 11:50:36.088704       1 config.go:487] Config.RestoreSpecValidation (--restore-spec-validation): enforce
D0130 11:50:36.088713       1 config.go:487] Config.GVisorMarkerFile (--gvisor-marker-file): false
D0130 11:50:36.088721       1 config.go:487] Config.SystrapDisableSyscallPatching (--systrap-disable-syscall-patching): true
D0130 11:50:36.088728       1 config.go:487] Config.SaveRestoreNetstack (--save-restore-netstack): true
D0130 11:50:36.088735       1 config.go:487] Config.Nftables (--TESTONLY-nftables): false
D0130 11:50:36.088742       1 config.go:487] Config.AllowSUID (--allow-suid): false
D0130 11:50:36.088752       1 cli.go:197] runsc process spawned at 11:50:36.086274, Go started execution at 11:50:36.087214. Startup overhead: 939.687µs
I0130 11:50:36.088767       1 cli.go:200] **************** gVisor ****************
I0130 11:50:36.089555       1 boot.go:283] Setting product_name: "Google Compute Engine"
I0130 11:50:36.089742       1 boot.go:294] Setting host-thp-shmem-enabled: "never"
I0130 11:50:36.089800       1 boot.go:304] Setting host-thp-defrag: "defer"
I0130 11:50:36.090725       1 chroot.go:162] Setting up sandbox chroot in "/tmp"
I0130 11:50:36.102251       1 chroot.go:37] Mounting "proc" at "/tmp/proc/sandbox-proc"
D0130 11:50:36.125546       1 specutils.go:114] Spec:

@google-cla
Copy link

google-cla bot commented Jan 30, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@nt nt marked this pull request as ready for review January 30, 2026 15:13
@ayushr2
Copy link
Collaborator

ayushr2 commented Jan 30, 2026

Thanks for your contribution @nt! Could you sign the CLA?

Per RFC 793 (Transmission Control Protocol), when a connection is being aborted (pages 61-62):

SYN-SENT STATE:

 All queued SENDs and RECEIVEs should be given "connection reset"
      notification, delete the TCB, enter CLOSED state, and return.

So I think skipping the RST packet while in StateSynSent state is the right thing as per this PR.

But when connection is in the following states:

SYN-RECEIVED STATE
ESTABLISHED STATE
FIN-WAIT-1 STATE
FIN-WAIT-2 STATE
CLOSE-WAIT STATE

   Send a reset segment:

        <SEQ=SND.NXT><CTL=RST>

      All queued SENDs and RECEIVEs should be given "connection reset"
      notification; all segments queued for transmission (except for the
      RST formed above) or retransmission should be flushed, delete the
      TCB, enter CLOSED state, and return.

So in StateSynRecv, we are supposed to send the RST packet.

@ayushr2
Copy link
Collaborator

ayushr2 commented Jan 30, 2026

But I suppose this PR is still an improvement as it avoids the panic. cc @nybidari do you know of a better solution?

@nayana8
Copy link

nayana8 commented Jan 30, 2026

In Linux, if an ack has not been received, the sequence number should be zero for RST packet. We should follow that, @nt the similar fix here would be to use sequence number as zero when snd is nil.

@nayana8
Copy link

nayana8 commented Jan 30, 2026

Also, the receive window should be zero when rcv is nil as the connection will be immediately terminated after receiving RST.

@nt nt force-pushed the claude/fix-turbine-orch-error-X0OIm branch from f96dc21 to 1727a24 Compare February 2, 2026 19:58
@nt
Copy link
Contributor Author

nt commented Feb 2, 2026

thanks for looking @nayana8, I think this push addresses your comments.

@ayushr2 ayushr2 requested a review from nybidari February 2, 2026 20:22
nybidari
nybidari reviewed Feb 2, 2026
View reviewed changes
@nt nt requested a review from nybidari February 3, 2026 18:06
@nt
Copy link
Contributor Author

nt commented Feb 3, 2026

thanks for the review @nybidari, ptal.

nybidari
nybidari approved these changes Feb 3, 2026
View reviewed changes
Copy link
Contributor

@nybidari nybidari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

copybara-service bot pushed a commit that referenced this pull request Feb 3, 2026
@nt @gvisor-bot
tcp: skip RST in resetConnectionLocked when snd/rcv are nil
331b895 
resetConnectionLocked dereferences e.snd to compute the RST sequence number, but snd (and rcv) are only initialized when the TCP handshake completes in transitionToStateEstablishedLocked. Endpoints still in StateSynSent or StateSynRecv have nil snd/rcv, and calling resetConnectionLocked on them (e.g. from beforeSave during checkpoint) panics with a nil pointer dereference.

Guard the RST-sending block behind a nil check on e.snd. The rest of the function (set hardError, purge queues, cleanup, transition to StateError) is still unconditionally executed.

This address the following crash:

```
encoding error: runtime error: invalid memory address or nil pointer dereference:
goroutine 3057 [running]:
gvisor.dev/gvisor/pkg/state.safely.func1()
\tpkg/state/state.go:309 +0x170
panic({0x124f2a0?, 0x31fb280?})
\tGOROOT/src/runtime/panic.go:792 +0x132
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).resetConnectionLocked(0xc000a7d508, {0x1685100?, 0x324f8a0?})
\tpkg/tcpip/transport/tcp/connect.go:1084 +0x84
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).beforeSave(0xc000a7d508)
\tpkg/tcpip/transport/tcp/endpoint_state.go:59 +0x188
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).StateSave(0xc000a7d508, {{0xc001139c08?, 0xc0016e4f48?}})
\tbazel-out/k8-opt/bin/pkg/tcpip/transport/tcp/tcp_state_autogen.go:504 +0x4a
gvisor.dev/gvisor/pkg/state.(*encodeState).encodeStruct(0xc001139c08, {0x144da00, 0xc000a7d508, 0x199}, 0xc0014dc9e0)
\tpkg/state/encode.go:536 +0x58e
gvisor.dev/gvisor/pkg/state.(*encodeState).encodeObject(0xc001139c08, {0x144da00?, 0xc000a7d508?, 0xc000bb0008?}, 0x0, 0xc0014dc9e0)
\tpkg/state/encode.go:733 +0x5e5
gvisor.dev/gvisor/pkg/state.(*encodeState).Save.func2()
\tpkg/state/encode.go:770 +0x8b
gvisor.dev/gvisor/pkg/state.safely(0xc001139c08?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.(*encodeState).Save(0xc001139c08, {0x144e140?, 0xc000004408?, 0xc001139c08?})
\tpkg/state/encode.go:763 +0x1eb
gvisor.dev/gvisor/pkg/state.Save.func1()
\tpkg/state/state.go:104 +0x8e
gvisor.dev/gvisor/pkg/state.safely(0xa694fe?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.Save({0x7e8a46be5fe0, 0xc000a92740}, {0x7e89c478fc78, 0xc001a16880}, {0x144e8a0, 0xc000004408})
\tpkg/state/state.go:103 +0x1c5
gvisor.dev/gvisor/pkg/sentry/kernel.(*Kernel).SaveTo(0xc000004408, {0x1697558, 0xc000a92740}, {0x1674740, 0xc001a16880}, {0x0, 0x0}, {0x0, 0x0}, 0x0, ...)
\tpkg/sentry/kernel/kernel.go:710 +0xd6a
gvisor.dev/gvisor/pkg/sentry/state.(*SaveOpts).Save(0xc0003b2e40, {0x1697558, 0xc000a92740}, 0xc000004408, 0xc0002ce180)
\tpkg/sentry/state/state.go:109 +0x325
gvisor.dev/gvisor/pkg/sentry/control.(*State).SaveWithOpts(0xc001337530, 0xc0003b2e40, 0x1466f14?)
\tpkg/sentry/control/state.go:180 +0xb2
gvisor.dev/gvisor/runsc/boot.(*Loader).saveWithOpts(0xc000384008, 0xc0003b2e40, 0xc001490128)
\trunsc/boot/restore.go:453 +0x265
gvisor.dev/gvisor/runsc/boot.(*Loader).save(0xc000384008, 0xc0014900e0)
\trunsc/boot/restore.go:419 +0x89
gvisor.dev/gvisor/runsc/boot.(*containerManager).Checkpoint(0xc000220740, 0xc0014900e0, 0x0?)
\trunsc/boot/controller.go:464 +0x52
reflect.Value.call({0xc0002be660?, 0xc0001fc7a0?, 0xc00063dc18?}, {0x145ae28, 0x4}, {0xc00063dea8, 0x3, 0xc00063dc48?})
\tGOROOT/src/reflect/value.go:584 +0xca6
reflect.Value.Call({0xc0002be660?, 0xc0001fc7a0?, 0xf0?}, {0xc00063dea8?, 0xc0014900e0?, 0x16?})
\tGOROOT/src/reflect/value.go:368 +0xb9
gvisor.dev/gvisor/pkg/urpc.(*Server).handleOne(0xc0002d81e0, 0xc0012a2180)
\tpkg/urpc/urpc.go:343 +0x731
gvisor.dev/gvisor/pkg/urpc.(*Server).handleRegistered(...)
\tpkg/urpc/urpc.go:454
gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling.func1()
\tpkg/urpc/urpc.go:474 +0x67
created by gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling in goroutine 392
\tpkg/urpc/urpc.go:472 +0x6b

for object tcp.Endpoint{TCPEndpointStateInner:tcp.TCPEndpointStateInner{TSOffset:tcp.TSOffset{milliseconds:0x8020a5db}, SACKPermitted:false, SendTSOk:false, RecentTS:0x0}, TransportEndpointInfo:stack.TransportEndpointInfo{NetProto:0x800, TransProto:0x6, ID:stack.TransportEndpointID{LocalPort:0x873b, LocalAddress:tcpip.Address{addr:[16]uint8{0x15, 0x0, 0x1, 0xf2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, RemotePort:0x1bb, RemoteAddress:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}}, BindNICID:0, BindAddr:tcpip.Address{addr:[16]uint8{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:0}, RegisterNICID:0}, DefaultSocketOptionsHandler:tcpip.DefaultSocketOptionsHandler{}, endpointEntry:tcp.endpointEntry{next:(*tcp.Endpoint)(nil), prev:(*tcp.Endpoint)(nil)}, pendingProcessingMu:tcp.pendingProcessingMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, pendingProcessing:false, stack:(*stack.Stack)(0xc000581808), protocol:(*tcp.protocol)(0xc0003cb0e0), waiterQueue:(*waiter.Queue)(0xc00230cde0), hardError:(*tcpip.ErrConnectionAborted)(0x324f8a0), lastErrorMu:tcp.lastErrorMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, lastError:tcpip.Error(nil), rcvQueueMu:tcp.rcvQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, TCPRcvBufState:tcp.TCPRcvBufState{RcvBufUsed:0, RcvAutoParams:tcp.RcvBufAutoTuneParams{MeasureTime:tcpip.MonotonicTime{nanoseconds:0}, CopiedBytes:0, PrevCopiedBytes:0, RcvBufSize:0, RTT:0, RTTVar:0, RTTMeasureSeqNumber:0x0, RTTMeasureTime:tcpip.MonotonicTime{nanoseconds:0}, Disabled:false}, RcvClosed:false}, rcvMemUsed:atomicbitops.Int32{:sync.NoCopy{}, value:0}, mu:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}, ownedByUser:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, rcvQueue:tcp.segmentList{head:(*tcp.segment)(nil), tail:(*tcp.segment)(nil)}, state:atomicbitops.Uint32{:sync.NoCopy{}, value:0x2}, connectionDirectionState:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, origEndpointState:0x0, isPortReserved:true, isRegistered:true, boundNICID:0, route:(*stack.Route)(0xc00085a300), ipv4TTL:0x0, ipv6HopLimit:-1, isConnectNotified:false, h:(*tcp.handshake)(0xc000987c20), portFlags:ports.Flags{MostRecent:false, LoadBalanced:false, TupleOnly:false}, boundBindToDevice:0, boundPortFlags:ports.Flags{MostRecent:false, LoadBalanced:false, TupleOnly:false}, boundDest:tcpip.FullAddress{NIC:0, Addr:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, Port:0x1bb, LinkAddr:""}, effectiveNetProtos:[]tcpip.NetworkProtocolNumber{0x800}, recentTSTime:tcpip.MonotonicTime{nanoseconds:0}, shutdownFlags:0, tcpRecovery:0, sack:tcp.SACKInfo{Blocks:[6]header.SACKBlock{header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}}, NumBlocks:0}, delay:0x0, scoreboard:(*tcp.SACKScoreboard)(nil), segmentQueue:tcp.segmentQueue{mu:tcp.segmentQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, list:tcp.segmentList{head:(*tcp.segment)(nil), tail:(*tcp.segment)(nil)}, ep:(*tcp.Endpoint)(0xc000a7d508), frozen:true}, userMSS:0x0, maxSynRetries:0x6, windowClamp:0x100000, sndQueueInfo:tcp.sndQueueInfo{sndQueueMu:tcp.sndQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, TCPSndBufState:tcp.TCPSndBufState{SndBufSize:0, SndBufUsed:0, SndClosed:false, PacketTooBigCount:0, SndMTU:2147483647, AutoTuneSndBufDisabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}}}, cc:"reno", keepalive:tcp.keepalive{keepaliveMutex:tcp.keepaliveMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, idle:7200000000000, interval:75000000000, count:9, unacked:0, timer:tcp.timer{state:1, clock:(*kernel.Timekeeper)(0xc000413e30), target:tcpip.MonotonicTime{nanoseconds:0}, clockTarget:tcpip.MonotonicTime{nanoseconds:0}, timer:tcpip.Timer(nil), callback:(func())(0xb8d7c0)}, waker:sleep.Waker{:sync.NoCopy{}, s:(unsafe.Pointer)(nil), next:(*sleep.Waker)(nil), allWakersNext:(*sleep.Waker)(nil)}}, userTimeout:0, deferAccept:0, acceptMu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, acceptQueue:tcp.acceptQueue{endpoints:list.List{root:list.Element{next:(*list.Element)(nil), prev:(*list.Element)(nil), list:(*list.List)(nil), Value:interface {}(nil)}, len:0}, pendingEndpoints:map[*tcp.Endpoint]struct {}(nil), capacity:0}, rcv:(*tcp.receiver)(nil), snd:(*tcp.sender)(nil), drainDone:(chan struct {})(nil), undrain:(chan struct {})(nil), probe:(tcp.TCPProbeFunc)(nil), connectingAddress:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, amss:0x5b4, sendTOS:0x0, gso:stack.GSO{Type:1, NeedsCsum:true, CsumOffset:0x10, MSS:0x0, L3HdrLen:0x14, MaxSize:0x10000}, stats:tcp.Stats{SegmentsReceived:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, SegmentsSent:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x6}}, FailedConnectionAttempts:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ReceiveErrors:tcp.ReceiveErrors{ReceiveErrors:tcpip.ReceiveErrors{ReceiveBufferOverflow:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, MalformedPacketsReceived:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ClosedReceiver:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ChecksumErrors:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SegmentQueueDropped:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ChecksumErrors:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ListenOverflowSynDrop:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ListenOverflowAckDrop:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ZeroRcvWindowState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, WantZeroRcvWindow:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, ReadErrors:tcpip.ReadErrors{ReadClosed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidEndpointState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, NotConnected:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SendErrors:tcp.SendErrors{SendErrors:tcpip.SendErrors{SendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, NoRoute:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SegmentSendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, SynSendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, Retransmits:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, FastRetransmit:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, Timeouts:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, WriteErrors:tcpip.WriteErrors{WriteClosed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidEndpointState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidArgs:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}}, tcpLingerTimeout:60000000000, closed:false, txHash:0xde1870cc, owner:(*kernel.Task)(0xc001505908), ops:tcpip.SocketOptions{handler:(*tcp.Endpoint)(0xc000a7d508), stackHandler:(*stack.Stack)(0xc000581808), broadcastEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, passCredEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, noChecksumEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, reuseAddressEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, reusePortEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, keepAliveEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, multicastLoopEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, receiveTOSEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveTTLEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveHopLimitEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveTClassEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receivePacketInfoEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveIPv6PacketInfoEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, hdrIncludedEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, v6OnlyEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, quickAckEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, delayOptionEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, corkOptionEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveOriginalDstAddress:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, ipv4RecvErrEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, ipv6RecvErrEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, errQueueMu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, errQueue:tcpip.sockErrorList{head:(*tcpip.SockError)(nil), tail:(*tcpip.SockError)(nil)}, bindToDevice:atomicbitops.Int32{:sync.NoCopy{}, value:0}, getSendBufferLimits:(tcpip.GetSendBufferLimits)(0xb98f20), sendBufferSize:atomicbitops.Int64{:sync.NoCopy{}, value:1048576}, getReceiveBufferLimits:(tcpip.GetReceiveBufferLimits)(0xb99180), receiveBufferSize:atomicbitops.Int64{:sync.NoCopy{}, value:1048576}, mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, linger:tcpip.LingerOption{Enabled:false, Timeout:0}, rcvlowat:atomicbitops.Int32{:sync.NoCopy{}, value:0}, experimentOptionValue:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}}, lastOutOfWindowAckTime:tcpip.MonotonicTime{nanoseconds:0}, finWait2Timer:tcpip.Timer(nil), timeWaitTimer:tcpip.Timer(nil), listenCtx:(*tcp.listenContext)(nil), limRdr:(*io.LimitedReader)(0xc001bd9ce0), pmtud:0, alsoBindToV4:false}:
goroutine 3057 [running]:
gvisor.dev/gvisor/pkg/state.safely.func1()
\tpkg/state/state.go:309 +0x170
panic({0x125bf80?, 0xc001595e20?})
\tGOROOT/src/runtime/panic.go:792 +0x132
gvisor.dev/gvisor/pkg/state.Failf(...)
\tpkg/state/state.go:269
gvisor.dev/gvisor/pkg/state.(*encodeState).Save(0xc001139c08, {0x144e140?, 0xc000004408?, 0xc001139c08?})
\tpkg/state/encode.go:774 +0x427
gvisor.dev/gvisor/pkg/state.Save.func1()
\tpkg/state/state.go:104 +0x8e
gvisor.dev/gvisor/pkg/state.safely(0xa694fe?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.Save({0x7e8a46be5fe0, 0xc000a92740}, {0x7e89c478fc78, 0xc001a16880}, {0x144e8a0, 0xc000004408})
\tpkg/state/state.go:103 +0x1c5
gvisor.dev/gvisor/pkg/sentry/kernel.(*Kernel).SaveTo(0xc000004408, {0x1697558, 0xc000a92740}, {0x1674740, 0xc001a16880}, {0x0, 0x0}, {0x0, 0x0}, 0x0, ...)
\tpkg/sentry/kernel/kernel.go:710 +0xd6a
gvisor.dev/gvisor/pkg/sentry/state.(*SaveOpts).Save(0xc0003b2e40, {0x1697558, 0xc000a92740}, 0xc000004408, 0xc0002ce180)
\tpkg/sentry/state/state.go:109 +0x325
gvisor.dev/gvisor/pkg/sentry/control.(*State).SaveWithOpts(0xc001337530, 0xc0003b2e40, 0x1466f14?)
\tpkg/sentry/control/state.go:180 +0xb2
gvisor.dev/gvisor/runsc/boot.(*Loader).saveWithOpts(0xc000384008, 0xc0003b2e40, 0xc001490128)
\trunsc/boot/restore.go:453 +0x265
gvisor.dev/gvisor/runsc/boot.(*Loader).save(0xc000384008, 0xc0014900e0)
\trunsc/boot/restore.go:419 +0x89
gvisor.dev/gvisor/runsc/boot.(*containerManager).Checkpoint(0xc000220740, 0xc0014900e0, 0x0?)
\trunsc/boot/controller.go:464 +0x52
reflect.Value.call({0xc0002be660?, 0xc0001fc7a0?, 0xc00063dc18?}, {0x145ae28, 0x4}, {0xc00063dea8, 0x3, 0xc00063dc48?})
\tGOROOT/src/reflect/value.go:584 +0xca6
reflect.Value.Call({0xc0002be660?, 0xc0001fc7a0?, 0xf0?}, {0xc00063dea8?, 0xc0014900e0?, 0x16?})
\tGOROOT/src/reflect/value.go:368 +0xb9
gvisor.dev/gvisor/pkg/urpc.(*Server).handleOne(0xc0002d81e0, 0xc0012a2180)
\tpkg/urpc/urpc.go:343 +0x731
gvisor.dev/gvisor/pkg/urpc.(*Server).handleRegistered(...)
\tpkg/urpc/urpc.go:454
gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling.func1()
\tpkg/urpc/urpc.go:474 +0x67
created by gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling in goroutine 392
\tpkg/urpc/urpc.go:472 +0x6b
```

```
0130 11:50:36.087642       1 cli.go:189] Version release-20250820.0-120-g6bf3c4885132-dirty, go1.24.1, amd64, 180 CPUs, linux, PID 1, PPID 0, UID 0, GID 0
D0130 11:50:36.087661       1 cli.go:190] Page size: 0x1000 (4096 bytes)
I0130 11:50:36.087676       1 cli.go:191] Args: [runsc-sandbox --root=/var/run/runsc --debug=true --debug-log=/dev/shm/sandboxing-debug/meager-eager-tidy-chin/runsc/ --file-access=shared --overlay2=none --network=sandbox --net-raw=true --net-disconnect-ok=true --systrap-disable-syscall-patching=true --debug-log-fd=3 boot --bundle=/dev/shm/sandboxing/meager-eager-tidy-chin --gofer-mount-confs=lisafs:none,lisafs:none,lisafs:none --apply-caps=true --setup-root --total-host-memory 760451858432 --cpu-num 4 --total-memory 74088185856 --attached --io-fds=4 --io-fds=5 --io-fds=6 --dev-io-fd=-1 --mounts-fd=7 --start-sync-fd=8 --controller-fd=9 --spec-fd=10 --stdio-fds=11 --stdio-fds=12 --stdio-fds=13 meager-eager-tidy-chin]
I0130 11:50:36.087706       1 config.go:461] Platform: systrap
I0130 11:50:36.087735       1 config.go:462] RootDir: /var/run/runsc
I0130 11:50:36.087747       1 config.go:463] FileAccess: shared / Directfs: true / Overlay: none
I0130 11:50:36.087762       1 config.go:464] Network: sandbox
I0130 11:50:36.087774       1 config.go:466] Debug: true. Strace: false, max size: 1024, syscalls:
W0130 11:50:36.087785       1 config.go:469] --allow-suid is disabled, SUID/SGID bits on executables will be ignored.
D0130 11:50:36.087799       1 config.go:487] Config.RootDir (--root): /var/run/runsc
D0130 11:50:36.087813       1 config.go:487] Config.Traceback (--traceback): system
D0130 11:50:36.087831       1 config.go:487] Config.Debug (--debug): true
D0130 11:50:36.087842       1 config.go:487] Config.LogFilename (--log): (empty)
D0130 11:50:36.087877       1 config.go:487] Config.LogFormat (--log-format): text
D0130 11:50:36.087887       1 config.go:487] Config.DebugLog (--debug-log): /dev/shm/sandboxing-debug/meager-eager-tidy-chin/runsc/
D0130 11:50:36.087898       1 config.go:487] Config.DebugToUserLog (--debug-to-user-log): false
D0130 11:50:36.087908       1 config.go:487] Config.DebugCommand (--debug-command): (empty)
D0130 11:50:36.087918       1 config.go:487] Config.PanicLog (--panic-log): (empty)
D0130 11:50:36.087932       1 config.go:487] Config.CoverageReport (--coverage-report): (empty)
D0130 11:50:36.087942       1 config.go:487] Config.DebugLogFormat (--debug-log-format): text
D0130 11:50:36.087953       1 config.go:487] Config.FileAccess (--file-access): shared
D0130 11:50:36.087965       1 config.go:487] Config.FileAccessMounts (--file-access-mounts): shared
D0130 11:50:36.087975       1 config.go:487] Config.Overlay (--overlay): false
D0130 11:50:36.087986       1 config.go:487] Config.Overlay2 (--overlay2): none
D0130 11:50:36.087997       1 config.go:487] Config.FSGoferHostUDS (--fsgofer-host-uds): false
D0130 11:50:36.088014       1 config.go:487] Config.HostUDS (--host-uds): none
D0130 11:50:36.088031       1 config.go:487] Config.HostFifo (--host-fifo): none
D0130 11:50:36.088043       1 config.go:487] Config.HostSettings (--host-settings): check
D0130 11:50:36.088052       1 config.go:487] Config.Network (--network): sandbox
D0130 11:50:36.088060       1 config.go:487] Config.EnableRaw (--net-raw): true
D0130 11:50:36.088067       1 config.go:487] Config.AllowPacketEndpointWrite (--TESTONLY-allow-packet-endpoint-write): false
D0130 11:50:36.088075       1 config.go:487] Config.HostGSO (--gso): true
D0130 11:50:36.088082       1 config.go:487] Config.GVisorGSO (--software-gso): true
D0130 11:50:36.088090       1 config.go:487] Config.GVisorGRO (--gvisor-gro): false
D0130 11:50:36.088097       1 config.go:487] Config.TXChecksumOffload (--tx-checksum-offload): false
D0130 11:50:36.088105       1 config.go:487] Config.RXChecksumOffload (--rx-checksum-offload): true
D0130 11:50:36.088113       1 config.go:487] Config.QDisc (--qdisc): fifo
D0130 11:50:36.088121       1 config.go:487] Config.LogPackets (--log-packets): false
D0130 11:50:36.088132       1 config.go:487] Config.PCAP (--pcap-log): (empty)
D0130 11:50:36.088148       1 config.go:487] Config.Platform (--platform): systrap
D0130 11:50:36.088159       1 config.go:487] Config.PlatformDevicePath (--platform_device_path): (empty)
D0130 11:50:36.088170       1 config.go:487] Config.MetricServer (--metric-server): (empty)
D0130 11:50:36.088181       1 config.go:487] Config.FinalMetricsLog (--final-metrics-log): (empty)
D0130 11:50:36.088190       1 config.go:487] Config.ProfilingMetrics (--profiling-metrics): (empty)
D0130 11:50:36.088199       1 config.go:487] Config.ProfilingMetricsLog (--profiling-metrics-log): (empty)
D0130 11:50:36.088209       1 config.go:487] Config.ProfilingMetricsRate (--profiling-metrics-rate-us): 1000
D0130 11:50:36.088219       1 config.go:487] Config.Strace (--strace): false
D0130 11:50:36.088228       1 config.go:487] Config.StraceSyscalls (--strace-syscalls): (empty)
D0130 11:50:36.088238       1 config.go:487] Config.StraceLogSize (--strace-log-size): 1024
D0130 11:50:36.088247       1 config.go:487] Config.StraceEvent (--strace-event): false
D0130 11:50:36.088255       1 config.go:489] Config.DisableSeccomp: false
D0130 11:50:36.088272       1 config.go:487] Config.EnableCoreTags (--enable-core-tags): false
D0130 11:50:36.088285       1 config.go:487] Config.WatchdogAction (--watchdog-action): logWarning
D0130 11:50:36.088302       1 config.go:487] Config.PanicSignal (--panic-signal): -1
D0130 11:50:36.088312       1 config.go:487] Config.ProfileEnable (--profile): false
D0130 11:50:36.088322       1 config.go:487] Config.ProfileBlock (--profile-block): (empty)
D0130 11:50:36.088333       1 config.go:487] Config.ProfileCPU (--profile-cpu): (empty)
D0130 11:50:36.088343       1 config.go:487] Config.ProfileGCInterval (--profile-gc-interval): 0s
D0130 11:50:36.088359       1 config.go:487] Config.ProfileHeap (--profile-heap): (empty)
D0130 11:50:36.088369       1 config.go:487] Config.ProfileMutex (--profile-mutex): (empty)
D0130 11:50:36.088379       1 config.go:487] Config.TraceFile (--trace): (empty)
D0130 11:50:36.088393       1 config.go:487] Config.NumNetworkChannels (--num-network-channels): 1
D0130 11:50:36.088404       1 config.go:487] Config.NetworkProcessorsPerChannel (--network-processors-per-channel): 0
D0130 11:50:36.088414       1 config.go:487] Config.Rootless (--rootless): false
D0130 11:50:36.088424       1 config.go:487] Config.AlsoLogToStderr (--alsologtostderr): false
D0130 11:50:36.088436       1 config.go:487] Config.ReferenceLeak (--ref-leak-mode): disabled
D0130 11:50:36.088447       1 config.go:487] Config.CPUNumFromQuota (--cpu-num-from-quota): true
D0130 11:50:36.088457       1 config.go:487] Config.AllowFlagOverride (--allow-flag-override): false
D0130 11:50:36.088466       1 config.go:487] Config.OCISeccomp (--oci-seccomp): false
D0130 11:50:36.088475       1 config.go:487] Config.IgnoreCgroups (--ignore-cgroups): false
D0130 11:50:36.088485       1 config.go:487] Config.SystemdCgroup (--systemd-cgroup): false
D0130 11:50:36.088496       1 config.go:487] Config.PodInitConfig (--pod-init-config): (empty)
D0130 11:50:36.088503       1 config.go:487] Config.BufferPooling (--buffer-pooling): true
D0130 11:50:36.088511       1 config.go:487] Config.XDP (--EXPERIMENTAL-xdp): {0 }
D0130 11:50:36.088520       1 config.go:487] Config.AFXDPUseNeedWakeup (--EXPERIMENTAL-xdp-need-wakeup): true
D0130 11:50:36.088528       1 config.go:487] Config.FDLimit (--fdlimit): -1
D0130 11:50:36.088535       1 config.go:487] Config.DCache (--dcache): -1
D0130 11:50:36.088544       1 config.go:487] Config.IOUring (--iouring): false
D0130 11:50:36.088554       1 config.go:487] Config.DirectFS (--directfs): true
D0130 11:50:36.088564       1 config.go:487] Config.AppHugePages (--app-huge-pages): true
D0130 11:50:36.088574       1 config.go:487] Config.NVProxy (--nvproxy): false
D0130 11:50:36.088583       1 config.go:487] Config.NVProxyDocker (--nvproxy-docker): false
D0130 11:50:36.088592       1 config.go:487] Config.NVProxyDriverVersion (--nvproxy-driver-version): (empty)
D0130 11:50:36.088609       1 config.go:487] Config.NVProxyAllowedDriverCapabilities (--nvproxy-allowed-driver-capabilities): utility,compute
D0130 11:50:36.088618       1 config.go:487] Config.TPUProxy (--tpuproxy): false
D0130 11:50:36.088630       1 config.go:487] Config.TestOnlyAllowRunAsCurrentUserWithoutChroot (--TESTONLY-unsafe-nonroot): false
D0130 11:50:36.088637       1 config.go:487] Config.TestOnlyTestNameEnv (--TESTONLY-test-name-env): (empty)
D0130 11:50:36.088645       1 config.go:487] Config.TestOnlyAFSSyscallPanic (--TESTONLY-afs-syscall-panic): false
D0130 11:50:36.088653       1 config.go:489] Config.explicitlySet: <map[string]struct {} Value> (unexported)
D0130 11:50:36.088661       1 config.go:487] Config.ReproduceNAT (--reproduce-nat): false
D0130 11:50:36.088669       1 config.go:487] Config.ReproduceNftables (--reproduce-nftables): false
D0130 11:50:36.088681       1 config.go:487] Config.NetDisconnectOk (--net-disconnect-ok): true
D0130 11:50:36.088689       1 config.go:487] Config.TestOnlyAutosaveImagePath (--TESTONLY-autosave-image-path): (empty)
D0130 11:50:36.088697       1 config.go:487] Config.TestOnlyAutosaveResume (--TESTONLY-autosave-resume): false
D0130 11:50:36.088704       1 config.go:487] Config.RestoreSpecValidation (--restore-spec-validation): enforce
D0130 11:50:36.088713       1 config.go:487] Config.GVisorMarkerFile (--gvisor-marker-file): false
D0130 11:50:36.088721       1 config.go:487] Config.SystrapDisableSyscallPatching (--systrap-disable-syscall-patching): true
D0130 11:50:36.088728       1 config.go:487] Config.SaveRestoreNetstack (--save-restore-netstack): true
D0130 11:50:36.088735       1 config.go:487] Config.Nftables (--TESTONLY-nftables): false
D0130 11:50:36.088742       1 config.go:487] Config.AllowSUID (--allow-suid): false
D0130 11:50:36.088752       1 cli.go:197] runsc process spawned at 11:50:36.086274, Go started execution at 11:50:36.087214. Startup overhead: 939.687µs
I0130 11:50:36.088767       1 cli.go:200] **************** gVisor ****************
I0130 11:50:36.089555       1 boot.go:283] Setting product_name: "Google Compute Engine"
I0130 11:50:36.089742       1 boot.go:294] Setting host-thp-shmem-enabled: "never"
I0130 11:50:36.089800       1 boot.go:304] Setting host-thp-defrag: "defer"
I0130 11:50:36.090725       1 chroot.go:162] Setting up sandbox chroot in "/tmp"
I0130 11:50:36.102251       1 chroot.go:37] Mounting "proc" at "/tmp/proc/sandbox-proc"
D0130 11:50:36.125546       1 specutils.go:114] Spec:
```

FUTURE_COPYBARA_INTEGRATE_REVIEW=#12567 from nt:claude/fix-turbine-orch-error-X0OIm d8c4fa8
PiperOrigin-RevId: 864954362
@copybara-service copybara-service bot mentioned this pull request Feb 3, 2026
Open
copybara-service bot pushed a commit that referenced this pull request Feb 4, 2026
@nt @gvisor-bot
tcp: skip RST in resetConnectionLocked when snd/rcv are nil
59d1432 
resetConnectionLocked dereferences e.snd to compute the RST sequence number, but snd (and rcv) are only initialized when the TCP handshake completes in transitionToStateEstablishedLocked. Endpoints still in StateSynSent or StateSynRecv have nil snd/rcv, and calling resetConnectionLocked on them (e.g. from beforeSave during checkpoint) panics with a nil pointer dereference.

Guard the RST-sending block behind a nil check on e.snd. The rest of the function (set hardError, purge queues, cleanup, transition to StateError) is still unconditionally executed.

This address the following crash:

```
encoding error: runtime error: invalid memory address or nil pointer dereference:
goroutine 3057 [running]:
gvisor.dev/gvisor/pkg/state.safely.func1()
\tpkg/state/state.go:309 +0x170
panic({0x124f2a0?, 0x31fb280?})
\tGOROOT/src/runtime/panic.go:792 +0x132
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).resetConnectionLocked(0xc000a7d508, {0x1685100?, 0x324f8a0?})
\tpkg/tcpip/transport/tcp/connect.go:1084 +0x84
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).beforeSave(0xc000a7d508)
\tpkg/tcpip/transport/tcp/endpoint_state.go:59 +0x188
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).StateSave(0xc000a7d508, {{0xc001139c08?, 0xc0016e4f48?}})
\tbazel-out/k8-opt/bin/pkg/tcpip/transport/tcp/tcp_state_autogen.go:504 +0x4a
gvisor.dev/gvisor/pkg/state.(*encodeState).encodeStruct(0xc001139c08, {0x144da00, 0xc000a7d508, 0x199}, 0xc0014dc9e0)
\tpkg/state/encode.go:536 +0x58e
gvisor.dev/gvisor/pkg/state.(*encodeState).encodeObject(0xc001139c08, {0x144da00?, 0xc000a7d508?, 0xc000bb0008?}, 0x0, 0xc0014dc9e0)
\tpkg/state/encode.go:733 +0x5e5
gvisor.dev/gvisor/pkg/state.(*encodeState).Save.func2()
\tpkg/state/encode.go:770 +0x8b
gvisor.dev/gvisor/pkg/state.safely(0xc001139c08?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.(*encodeState).Save(0xc001139c08, {0x144e140?, 0xc000004408?, 0xc001139c08?})
\tpkg/state/encode.go:763 +0x1eb
gvisor.dev/gvisor/pkg/state.Save.func1()
\tpkg/state/state.go:104 +0x8e
gvisor.dev/gvisor/pkg/state.safely(0xa694fe?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.Save({0x7e8a46be5fe0, 0xc000a92740}, {0x7e89c478fc78, 0xc001a16880}, {0x144e8a0, 0xc000004408})
\tpkg/state/state.go:103 +0x1c5
gvisor.dev/gvisor/pkg/sentry/kernel.(*Kernel).SaveTo(0xc000004408, {0x1697558, 0xc000a92740}, {0x1674740, 0xc001a16880}, {0x0, 0x0}, {0x0, 0x0}, 0x0, ...)
\tpkg/sentry/kernel/kernel.go:710 +0xd6a
gvisor.dev/gvisor/pkg/sentry/state.(*SaveOpts).Save(0xc0003b2e40, {0x1697558, 0xc000a92740}, 0xc000004408, 0xc0002ce180)
\tpkg/sentry/state/state.go:109 +0x325
gvisor.dev/gvisor/pkg/sentry/control.(*State).SaveWithOpts(0xc001337530, 0xc0003b2e40, 0x1466f14?)
\tpkg/sentry/control/state.go:180 +0xb2
gvisor.dev/gvisor/runsc/boot.(*Loader).saveWithOpts(0xc000384008, 0xc0003b2e40, 0xc001490128)
\trunsc/boot/restore.go:453 +0x265
gvisor.dev/gvisor/runsc/boot.(*Loader).save(0xc000384008, 0xc0014900e0)
\trunsc/boot/restore.go:419 +0x89
gvisor.dev/gvisor/runsc/boot.(*containerManager).Checkpoint(0xc000220740, 0xc0014900e0, 0x0?)
\trunsc/boot/controller.go:464 +0x52
reflect.Value.call({0xc0002be660?, 0xc0001fc7a0?, 0xc00063dc18?}, {0x145ae28, 0x4}, {0xc00063dea8, 0x3, 0xc00063dc48?})
\tGOROOT/src/reflect/value.go:584 +0xca6
reflect.Value.Call({0xc0002be660?, 0xc0001fc7a0?, 0xf0?}, {0xc00063dea8?, 0xc0014900e0?, 0x16?})
\tGOROOT/src/reflect/value.go:368 +0xb9
gvisor.dev/gvisor/pkg/urpc.(*Server).handleOne(0xc0002d81e0, 0xc0012a2180)
\tpkg/urpc/urpc.go:343 +0x731
gvisor.dev/gvisor/pkg/urpc.(*Server).handleRegistered(...)
\tpkg/urpc/urpc.go:454
gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling.func1()
\tpkg/urpc/urpc.go:474 +0x67
created by gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling in goroutine 392
\tpkg/urpc/urpc.go:472 +0x6b

for object tcp.Endpoint{TCPEndpointStateInner:tcp.TCPEndpointStateInner{TSOffset:tcp.TSOffset{milliseconds:0x8020a5db}, SACKPermitted:false, SendTSOk:false, RecentTS:0x0}, TransportEndpointInfo:stack.TransportEndpointInfo{NetProto:0x800, TransProto:0x6, ID:stack.TransportEndpointID{LocalPort:0x873b, LocalAddress:tcpip.Address{addr:[16]uint8{0x15, 0x0, 0x1, 0xf2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, RemotePort:0x1bb, RemoteAddress:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}}, BindNICID:0, BindAddr:tcpip.Address{addr:[16]uint8{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:0}, RegisterNICID:0}, DefaultSocketOptionsHandler:tcpip.DefaultSocketOptionsHandler{}, endpointEntry:tcp.endpointEntry{next:(*tcp.Endpoint)(nil), prev:(*tcp.Endpoint)(nil)}, pendingProcessingMu:tcp.pendingProcessingMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, pendingProcessing:false, stack:(*stack.Stack)(0xc000581808), protocol:(*tcp.protocol)(0xc0003cb0e0), waiterQueue:(*waiter.Queue)(0xc00230cde0), hardError:(*tcpip.ErrConnectionAborted)(0x324f8a0), lastErrorMu:tcp.lastErrorMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, lastError:tcpip.Error(nil), rcvQueueMu:tcp.rcvQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, TCPRcvBufState:tcp.TCPRcvBufState{RcvBufUsed:0, RcvAutoParams:tcp.RcvBufAutoTuneParams{MeasureTime:tcpip.MonotonicTime{nanoseconds:0}, CopiedBytes:0, PrevCopiedBytes:0, RcvBufSize:0, RTT:0, RTTVar:0, RTTMeasureSeqNumber:0x0, RTTMeasureTime:tcpip.MonotonicTime{nanoseconds:0}, Disabled:false}, RcvClosed:false}, rcvMemUsed:atomicbitops.Int32{:sync.NoCopy{}, value:0}, mu:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}, ownedByUser:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, rcvQueue:tcp.segmentList{head:(*tcp.segment)(nil), tail:(*tcp.segment)(nil)}, state:atomicbitops.Uint32{:sync.NoCopy{}, value:0x2}, connectionDirectionState:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, origEndpointState:0x0, isPortReserved:true, isRegistered:true, boundNICID:0, route:(*stack.Route)(0xc00085a300), ipv4TTL:0x0, ipv6HopLimit:-1, isConnectNotified:false, h:(*tcp.handshake)(0xc000987c20), portFlags:ports.Flags{MostRecent:false, LoadBalanced:false, TupleOnly:false}, boundBindToDevice:0, boundPortFlags:ports.Flags{MostRecent:false, LoadBalanced:false, TupleOnly:false}, boundDest:tcpip.FullAddress{NIC:0, Addr:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, Port:0x1bb, LinkAddr:""}, effectiveNetProtos:[]tcpip.NetworkProtocolNumber{0x800}, recentTSTime:tcpip.MonotonicTime{nanoseconds:0}, shutdownFlags:0, tcpRecovery:0, sack:tcp.SACKInfo{Blocks:[6]header.SACKBlock{header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}}, NumBlocks:0}, delay:0x0, scoreboard:(*tcp.SACKScoreboard)(nil), segmentQueue:tcp.segmentQueue{mu:tcp.segmentQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, list:tcp.segmentList{head:(*tcp.segment)(nil), tail:(*tcp.segment)(nil)}, ep:(*tcp.Endpoint)(0xc000a7d508), frozen:true}, userMSS:0x0, maxSynRetries:0x6, windowClamp:0x100000, sndQueueInfo:tcp.sndQueueInfo{sndQueueMu:tcp.sndQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, TCPSndBufState:tcp.TCPSndBufState{SndBufSize:0, SndBufUsed:0, SndClosed:false, PacketTooBigCount:0, SndMTU:2147483647, AutoTuneSndBufDisabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}}}, cc:"reno", keepalive:tcp.keepalive{keepaliveMutex:tcp.keepaliveMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, idle:7200000000000, interval:75000000000, count:9, unacked:0, timer:tcp.timer{state:1, clock:(*kernel.Timekeeper)(0xc000413e30), target:tcpip.MonotonicTime{nanoseconds:0}, clockTarget:tcpip.MonotonicTime{nanoseconds:0}, timer:tcpip.Timer(nil), callback:(func())(0xb8d7c0)}, waker:sleep.Waker{:sync.NoCopy{}, s:(unsafe.Pointer)(nil), next:(*sleep.Waker)(nil), allWakersNext:(*sleep.Waker)(nil)}}, userTimeout:0, deferAccept:0, acceptMu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, acceptQueue:tcp.acceptQueue{endpoints:list.List{root:list.Element{next:(*list.Element)(nil), prev:(*list.Element)(nil), list:(*list.List)(nil), Value:interface {}(nil)}, len:0}, pendingEndpoints:map[*tcp.Endpoint]struct {}(nil), capacity:0}, rcv:(*tcp.receiver)(nil), snd:(*tcp.sender)(nil), drainDone:(chan struct {})(nil), undrain:(chan struct {})(nil), probe:(tcp.TCPProbeFunc)(nil), connectingAddress:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, amss:0x5b4, sendTOS:0x0, gso:stack.GSO{Type:1, NeedsCsum:true, CsumOffset:0x10, MSS:0x0, L3HdrLen:0x14, MaxSize:0x10000}, stats:tcp.Stats{SegmentsReceived:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, SegmentsSent:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x6}}, FailedConnectionAttempts:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ReceiveErrors:tcp.ReceiveErrors{ReceiveErrors:tcpip.ReceiveErrors{ReceiveBufferOverflow:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, MalformedPacketsReceived:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ClosedReceiver:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ChecksumErrors:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SegmentQueueDropped:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ChecksumErrors:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ListenOverflowSynDrop:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ListenOverflowAckDrop:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ZeroRcvWindowState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, WantZeroRcvWindow:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, ReadErrors:tcpip.ReadErrors{ReadClosed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidEndpointState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, NotConnected:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SendErrors:tcp.SendErrors{SendErrors:tcpip.SendErrors{SendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, NoRoute:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SegmentSendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, SynSendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, Retransmits:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, FastRetransmit:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, Timeouts:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, WriteErrors:tcpip.WriteErrors{WriteClosed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidEndpointState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidArgs:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}}, tcpLingerTimeout:60000000000, closed:false, txHash:0xde1870cc, owner:(*kernel.Task)(0xc001505908), ops:tcpip.SocketOptions{handler:(*tcp.Endpoint)(0xc000a7d508), stackHandler:(*stack.Stack)(0xc000581808), broadcastEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, passCredEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, noChecksumEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, reuseAddressEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, reusePortEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, keepAliveEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, multicastLoopEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, receiveTOSEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveTTLEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveHopLimitEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveTClassEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receivePacketInfoEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveIPv6PacketInfoEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, hdrIncludedEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, v6OnlyEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, quickAckEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, delayOptionEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, corkOptionEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveOriginalDstAddress:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, ipv4RecvErrEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, ipv6RecvErrEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, errQueueMu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, errQueue:tcpip.sockErrorList{head:(*tcpip.SockError)(nil), tail:(*tcpip.SockError)(nil)}, bindToDevice:atomicbitops.Int32{:sync.NoCopy{}, value:0}, getSendBufferLimits:(tcpip.GetSendBufferLimits)(0xb98f20), sendBufferSize:atomicbitops.Int64{:sync.NoCopy{}, value:1048576}, getReceiveBufferLimits:(tcpip.GetReceiveBufferLimits)(0xb99180), receiveBufferSize:atomicbitops.Int64{:sync.NoCopy{}, value:1048576}, mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, linger:tcpip.LingerOption{Enabled:false, Timeout:0}, rcvlowat:atomicbitops.Int32{:sync.NoCopy{}, value:0}, experimentOptionValue:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}}, lastOutOfWindowAckTime:tcpip.MonotonicTime{nanoseconds:0}, finWait2Timer:tcpip.Timer(nil), timeWaitTimer:tcpip.Timer(nil), listenCtx:(*tcp.listenContext)(nil), limRdr:(*io.LimitedReader)(0xc001bd9ce0), pmtud:0, alsoBindToV4:false}:
goroutine 3057 [running]:
gvisor.dev/gvisor/pkg/state.safely.func1()
\tpkg/state/state.go:309 +0x170
panic({0x125bf80?, 0xc001595e20?})
\tGOROOT/src/runtime/panic.go:792 +0x132
gvisor.dev/gvisor/pkg/state.Failf(...)
\tpkg/state/state.go:269
gvisor.dev/gvisor/pkg/state.(*encodeState).Save(0xc001139c08, {0x144e140?, 0xc000004408?, 0xc001139c08?})
\tpkg/state/encode.go:774 +0x427
gvisor.dev/gvisor/pkg/state.Save.func1()
\tpkg/state/state.go:104 +0x8e
gvisor.dev/gvisor/pkg/state.safely(0xa694fe?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.Save({0x7e8a46be5fe0, 0xc000a92740}, {0x7e89c478fc78, 0xc001a16880}, {0x144e8a0, 0xc000004408})
\tpkg/state/state.go:103 +0x1c5
gvisor.dev/gvisor/pkg/sentry/kernel.(*Kernel).SaveTo(0xc000004408, {0x1697558, 0xc000a92740}, {0x1674740, 0xc001a16880}, {0x0, 0x0}, {0x0, 0x0}, 0x0, ...)
\tpkg/sentry/kernel/kernel.go:710 +0xd6a
gvisor.dev/gvisor/pkg/sentry/state.(*SaveOpts).Save(0xc0003b2e40, {0x1697558, 0xc000a92740}, 0xc000004408, 0xc0002ce180)
\tpkg/sentry/state/state.go:109 +0x325
gvisor.dev/gvisor/pkg/sentry/control.(*State).SaveWithOpts(0xc001337530, 0xc0003b2e40, 0x1466f14?)
\tpkg/sentry/control/state.go:180 +0xb2
gvisor.dev/gvisor/runsc/boot.(*Loader).saveWithOpts(0xc000384008, 0xc0003b2e40, 0xc001490128)
\trunsc/boot/restore.go:453 +0x265
gvisor.dev/gvisor/runsc/boot.(*Loader).save(0xc000384008, 0xc0014900e0)
\trunsc/boot/restore.go:419 +0x89
gvisor.dev/gvisor/runsc/boot.(*containerManager).Checkpoint(0xc000220740, 0xc0014900e0, 0x0?)
\trunsc/boot/controller.go:464 +0x52
reflect.Value.call({0xc0002be660?, 0xc0001fc7a0?, 0xc00063dc18?}, {0x145ae28, 0x4}, {0xc00063dea8, 0x3, 0xc00063dc48?})
\tGOROOT/src/reflect/value.go:584 +0xca6
reflect.Value.Call({0xc0002be660?, 0xc0001fc7a0?, 0xf0?}, {0xc00063dea8?, 0xc0014900e0?, 0x16?})
\tGOROOT/src/reflect/value.go:368 +0xb9
gvisor.dev/gvisor/pkg/urpc.(*Server).handleOne(0xc0002d81e0, 0xc0012a2180)
\tpkg/urpc/urpc.go:343 +0x731
gvisor.dev/gvisor/pkg/urpc.(*Server).handleRegistered(...)
\tpkg/urpc/urpc.go:454
gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling.func1()
\tpkg/urpc/urpc.go:474 +0x67
created by gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling in goroutine 392
\tpkg/urpc/urpc.go:472 +0x6b
```

```
0130 11:50:36.087642       1 cli.go:189] Version release-20250820.0-120-g6bf3c4885132-dirty, go1.24.1, amd64, 180 CPUs, linux, PID 1, PPID 0, UID 0, GID 0
D0130 11:50:36.087661       1 cli.go:190] Page size: 0x1000 (4096 bytes)
I0130 11:50:36.087676       1 cli.go:191] Args: [runsc-sandbox --root=/var/run/runsc --debug=true --debug-log=/dev/shm/sandboxing-debug/meager-eager-tidy-chin/runsc/ --file-access=shared --overlay2=none --network=sandbox --net-raw=true --net-disconnect-ok=true --systrap-disable-syscall-patching=true --debug-log-fd=3 boot --bundle=/dev/shm/sandboxing/meager-eager-tidy-chin --gofer-mount-confs=lisafs:none,lisafs:none,lisafs:none --apply-caps=true --setup-root --total-host-memory 760451858432 --cpu-num 4 --total-memory 74088185856 --attached --io-fds=4 --io-fds=5 --io-fds=6 --dev-io-fd=-1 --mounts-fd=7 --start-sync-fd=8 --controller-fd=9 --spec-fd=10 --stdio-fds=11 --stdio-fds=12 --stdio-fds=13 meager-eager-tidy-chin]
I0130 11:50:36.087706       1 config.go:461] Platform: systrap
I0130 11:50:36.087735       1 config.go:462] RootDir: /var/run/runsc
I0130 11:50:36.087747       1 config.go:463] FileAccess: shared / Directfs: true / Overlay: none
I0130 11:50:36.087762       1 config.go:464] Network: sandbox
I0130 11:50:36.087774       1 config.go:466] Debug: true. Strace: false, max size: 1024, syscalls:
W0130 11:50:36.087785       1 config.go:469] --allow-suid is disabled, SUID/SGID bits on executables will be ignored.
D0130 11:50:36.087799       1 config.go:487] Config.RootDir (--root): /var/run/runsc
D0130 11:50:36.087813       1 config.go:487] Config.Traceback (--traceback): system
D0130 11:50:36.087831       1 config.go:487] Config.Debug (--debug): true
D0130 11:50:36.087842       1 config.go:487] Config.LogFilename (--log): (empty)
D0130 11:50:36.087877       1 config.go:487] Config.LogFormat (--log-format): text
D0130 11:50:36.087887       1 config.go:487] Config.DebugLog (--debug-log): /dev/shm/sandboxing-debug/meager-eager-tidy-chin/runsc/
D0130 11:50:36.087898       1 config.go:487] Config.DebugToUserLog (--debug-to-user-log): false
D0130 11:50:36.087908       1 config.go:487] Config.DebugCommand (--debug-command): (empty)
D0130 11:50:36.087918       1 config.go:487] Config.PanicLog (--panic-log): (empty)
D0130 11:50:36.087932       1 config.go:487] Config.CoverageReport (--coverage-report): (empty)
D0130 11:50:36.087942       1 config.go:487] Config.DebugLogFormat (--debug-log-format): text
D0130 11:50:36.087953       1 config.go:487] Config.FileAccess (--file-access): shared
D0130 11:50:36.087965       1 config.go:487] Config.FileAccessMounts (--file-access-mounts): shared
D0130 11:50:36.087975       1 config.go:487] Config.Overlay (--overlay): false
D0130 11:50:36.087986       1 config.go:487] Config.Overlay2 (--overlay2): none
D0130 11:50:36.087997       1 config.go:487] Config.FSGoferHostUDS (--fsgofer-host-uds): false
D0130 11:50:36.088014       1 config.go:487] Config.HostUDS (--host-uds): none
D0130 11:50:36.088031       1 config.go:487] Config.HostFifo (--host-fifo): none
D0130 11:50:36.088043       1 config.go:487] Config.HostSettings (--host-settings): check
D0130 11:50:36.088052       1 config.go:487] Config.Network (--network): sandbox
D0130 11:50:36.088060       1 config.go:487] Config.EnableRaw (--net-raw): true
D0130 11:50:36.088067       1 config.go:487] Config.AllowPacketEndpointWrite (--TESTONLY-allow-packet-endpoint-write): false
D0130 11:50:36.088075       1 config.go:487] Config.HostGSO (--gso): true
D0130 11:50:36.088082       1 config.go:487] Config.GVisorGSO (--software-gso): true
D0130 11:50:36.088090       1 config.go:487] Config.GVisorGRO (--gvisor-gro): false
D0130 11:50:36.088097       1 config.go:487] Config.TXChecksumOffload (--tx-checksum-offload): false
D0130 11:50:36.088105       1 config.go:487] Config.RXChecksumOffload (--rx-checksum-offload): true
D0130 11:50:36.088113       1 config.go:487] Config.QDisc (--qdisc): fifo
D0130 11:50:36.088121       1 config.go:487] Config.LogPackets (--log-packets): false
D0130 11:50:36.088132       1 config.go:487] Config.PCAP (--pcap-log): (empty)
D0130 11:50:36.088148       1 config.go:487] Config.Platform (--platform): systrap
D0130 11:50:36.088159       1 config.go:487] Config.PlatformDevicePath (--platform_device_path): (empty)
D0130 11:50:36.088170       1 config.go:487] Config.MetricServer (--metric-server): (empty)
D0130 11:50:36.088181       1 config.go:487] Config.FinalMetricsLog (--final-metrics-log): (empty)
D0130 11:50:36.088190       1 config.go:487] Config.ProfilingMetrics (--profiling-metrics): (empty)
D0130 11:50:36.088199       1 config.go:487] Config.ProfilingMetricsLog (--profiling-metrics-log): (empty)
D0130 11:50:36.088209       1 config.go:487] Config.ProfilingMetricsRate (--profiling-metrics-rate-us): 1000
D0130 11:50:36.088219       1 config.go:487] Config.Strace (--strace): false
D0130 11:50:36.088228       1 config.go:487] Config.StraceSyscalls (--strace-syscalls): (empty)
D0130 11:50:36.088238       1 config.go:487] Config.StraceLogSize (--strace-log-size): 1024
D0130 11:50:36.088247       1 config.go:487] Config.StraceEvent (--strace-event): false
D0130 11:50:36.088255       1 config.go:489] Config.DisableSeccomp: false
D0130 11:50:36.088272       1 config.go:487] Config.EnableCoreTags (--enable-core-tags): false
D0130 11:50:36.088285       1 config.go:487] Config.WatchdogAction (--watchdog-action): logWarning
D0130 11:50:36.088302       1 config.go:487] Config.PanicSignal (--panic-signal): -1
D0130 11:50:36.088312       1 config.go:487] Config.ProfileEnable (--profile): false
D0130 11:50:36.088322       1 config.go:487] Config.ProfileBlock (--profile-block): (empty)
D0130 11:50:36.088333       1 config.go:487] Config.ProfileCPU (--profile-cpu): (empty)
D0130 11:50:36.088343       1 config.go:487] Config.ProfileGCInterval (--profile-gc-interval): 0s
D0130 11:50:36.088359       1 config.go:487] Config.ProfileHeap (--profile-heap): (empty)
D0130 11:50:36.088369       1 config.go:487] Config.ProfileMutex (--profile-mutex): (empty)
D0130 11:50:36.088379       1 config.go:487] Config.TraceFile (--trace): (empty)
D0130 11:50:36.088393       1 config.go:487] Config.NumNetworkChannels (--num-network-channels): 1
D0130 11:50:36.088404       1 config.go:487] Config.NetworkProcessorsPerChannel (--network-processors-per-channel): 0
D0130 11:50:36.088414       1 config.go:487] Config.Rootless (--rootless): false
D0130 11:50:36.088424       1 config.go:487] Config.AlsoLogToStderr (--alsologtostderr): false
D0130 11:50:36.088436       1 config.go:487] Config.ReferenceLeak (--ref-leak-mode): disabled
D0130 11:50:36.088447       1 config.go:487] Config.CPUNumFromQuota (--cpu-num-from-quota): true
D0130 11:50:36.088457       1 config.go:487] Config.AllowFlagOverride (--allow-flag-override): false
D0130 11:50:36.088466       1 config.go:487] Config.OCISeccomp (--oci-seccomp): false
D0130 11:50:36.088475       1 config.go:487] Config.IgnoreCgroups (--ignore-cgroups): false
D0130 11:50:36.088485       1 config.go:487] Config.SystemdCgroup (--systemd-cgroup): false
D0130 11:50:36.088496       1 config.go:487] Config.PodInitConfig (--pod-init-config): (empty)
D0130 11:50:36.088503       1 config.go:487] Config.BufferPooling (--buffer-pooling): true
D0130 11:50:36.088511       1 config.go:487] Config.XDP (--EXPERIMENTAL-xdp): {0 }
D0130 11:50:36.088520       1 config.go:487] Config.AFXDPUseNeedWakeup (--EXPERIMENTAL-xdp-need-wakeup): true
D0130 11:50:36.088528       1 config.go:487] Config.FDLimit (--fdlimit): -1
D0130 11:50:36.088535       1 config.go:487] Config.DCache (--dcache): -1
D0130 11:50:36.088544       1 config.go:487] Config.IOUring (--iouring): false
D0130 11:50:36.088554       1 config.go:487] Config.DirectFS (--directfs): true
D0130 11:50:36.088564       1 config.go:487] Config.AppHugePages (--app-huge-pages): true
D0130 11:50:36.088574       1 config.go:487] Config.NVProxy (--nvproxy): false
D0130 11:50:36.088583       1 config.go:487] Config.NVProxyDocker (--nvproxy-docker): false
D0130 11:50:36.088592       1 config.go:487] Config.NVProxyDriverVersion (--nvproxy-driver-version): (empty)
D0130 11:50:36.088609       1 config.go:487] Config.NVProxyAllowedDriverCapabilities (--nvproxy-allowed-driver-capabilities): utility,compute
D0130 11:50:36.088618       1 config.go:487] Config.TPUProxy (--tpuproxy): false
D0130 11:50:36.088630       1 config.go:487] Config.TestOnlyAllowRunAsCurrentUserWithoutChroot (--TESTONLY-unsafe-nonroot): false
D0130 11:50:36.088637       1 config.go:487] Config.TestOnlyTestNameEnv (--TESTONLY-test-name-env): (empty)
D0130 11:50:36.088645       1 config.go:487] Config.TestOnlyAFSSyscallPanic (--TESTONLY-afs-syscall-panic): false
D0130 11:50:36.088653       1 config.go:489] Config.explicitlySet: <map[string]struct {} Value> (unexported)
D0130 11:50:36.088661       1 config.go:487] Config.ReproduceNAT (--reproduce-nat): false
D0130 11:50:36.088669       1 config.go:487] Config.ReproduceNftables (--reproduce-nftables): false
D0130 11:50:36.088681       1 config.go:487] Config.NetDisconnectOk (--net-disconnect-ok): true
D0130 11:50:36.088689       1 config.go:487] Config.TestOnlyAutosaveImagePath (--TESTONLY-autosave-image-path): (empty)
D0130 11:50:36.088697       1 config.go:487] Config.TestOnlyAutosaveResume (--TESTONLY-autosave-resume): false
D0130 11:50:36.088704       1 config.go:487] Config.RestoreSpecValidation (--restore-spec-validation): enforce
D0130 11:50:36.088713       1 config.go:487] Config.GVisorMarkerFile (--gvisor-marker-file): false
D0130 11:50:36.088721       1 config.go:487] Config.SystrapDisableSyscallPatching (--systrap-disable-syscall-patching): true
D0130 11:50:36.088728       1 config.go:487] Config.SaveRestoreNetstack (--save-restore-netstack): true
D0130 11:50:36.088735       1 config.go:487] Config.Nftables (--TESTONLY-nftables): false
D0130 11:50:36.088742       1 config.go:487] Config.AllowSUID (--allow-suid): false
D0130 11:50:36.088752       1 cli.go:197] runsc process spawned at 11:50:36.086274, Go started execution at 11:50:36.087214. Startup overhead: 939.687µs
I0130 11:50:36.088767       1 cli.go:200] **************** gVisor ****************
I0130 11:50:36.089555       1 boot.go:283] Setting product_name: "Google Compute Engine"
I0130 11:50:36.089742       1 boot.go:294] Setting host-thp-shmem-enabled: "never"
I0130 11:50:36.089800       1 boot.go:304] Setting host-thp-defrag: "defer"
I0130 11:50:36.090725       1 chroot.go:162] Setting up sandbox chroot in "/tmp"
I0130 11:50:36.102251       1 chroot.go:37] Mounting "proc" at "/tmp/proc/sandbox-proc"
D0130 11:50:36.125546       1 specutils.go:114] Spec:
```

FUTURE_COPYBARA_INTEGRATE_REVIEW=#12567 from nt:claude/fix-turbine-orch-error-X0OIm d8c4fa8
PiperOrigin-RevId: 865007585
@copybara-service copybara-service bot mentioned this pull request Feb 4, 2026
Merged
copybara-service bot pushed a commit that referenced this pull request Feb 5, 2026
@nt @gvisor-bot
tcp: skip RST in resetConnectionLocked when snd/rcv are nil
8a12098 
resetConnectionLocked dereferences e.snd to compute the RST sequence number, but snd (and rcv) are only initialized when the TCP handshake completes in transitionToStateEstablishedLocked. Endpoints still in StateSynSent or StateSynRecv have nil snd/rcv, and calling resetConnectionLocked on them (e.g. from beforeSave during checkpoint) panics with a nil pointer dereference.

Guard the RST-sending block behind a nil check on e.snd. The rest of the function (set hardError, purge queues, cleanup, transition to StateError) is still unconditionally executed.

This address the following crash:

```
encoding error: runtime error: invalid memory address or nil pointer dereference:
goroutine 3057 [running]:
gvisor.dev/gvisor/pkg/state.safely.func1()
\tpkg/state/state.go:309 +0x170
panic({0x124f2a0?, 0x31fb280?})
\tGOROOT/src/runtime/panic.go:792 +0x132
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).resetConnectionLocked(0xc000a7d508, {0x1685100?, 0x324f8a0?})
\tpkg/tcpip/transport/tcp/connect.go:1084 +0x84
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).beforeSave(0xc000a7d508)
\tpkg/tcpip/transport/tcp/endpoint_state.go:59 +0x188
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).StateSave(0xc000a7d508, {{0xc001139c08?, 0xc0016e4f48?}})
\tbazel-out/k8-opt/bin/pkg/tcpip/transport/tcp/tcp_state_autogen.go:504 +0x4a
gvisor.dev/gvisor/pkg/state.(*encodeState).encodeStruct(0xc001139c08, {0x144da00, 0xc000a7d508, 0x199}, 0xc0014dc9e0)
\tpkg/state/encode.go:536 +0x58e
gvisor.dev/gvisor/pkg/state.(*encodeState).encodeObject(0xc001139c08, {0x144da00?, 0xc000a7d508?, 0xc000bb0008?}, 0x0, 0xc0014dc9e0)
\tpkg/state/encode.go:733 +0x5e5
gvisor.dev/gvisor/pkg/state.(*encodeState).Save.func2()
\tpkg/state/encode.go:770 +0x8b
gvisor.dev/gvisor/pkg/state.safely(0xc001139c08?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.(*encodeState).Save(0xc001139c08, {0x144e140?, 0xc000004408?, 0xc001139c08?})
\tpkg/state/encode.go:763 +0x1eb
gvisor.dev/gvisor/pkg/state.Save.func1()
\tpkg/state/state.go:104 +0x8e
gvisor.dev/gvisor/pkg/state.safely(0xa694fe?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.Save({0x7e8a46be5fe0, 0xc000a92740}, {0x7e89c478fc78, 0xc001a16880}, {0x144e8a0, 0xc000004408})
\tpkg/state/state.go:103 +0x1c5
gvisor.dev/gvisor/pkg/sentry/kernel.(*Kernel).SaveTo(0xc000004408, {0x1697558, 0xc000a92740}, {0x1674740, 0xc001a16880}, {0x0, 0x0}, {0x0, 0x0}, 0x0, ...)
\tpkg/sentry/kernel/kernel.go:710 +0xd6a
gvisor.dev/gvisor/pkg/sentry/state.(*SaveOpts).Save(0xc0003b2e40, {0x1697558, 0xc000a92740}, 0xc000004408, 0xc0002ce180)
\tpkg/sentry/state/state.go:109 +0x325
gvisor.dev/gvisor/pkg/sentry/control.(*State).SaveWithOpts(0xc001337530, 0xc0003b2e40, 0x1466f14?)
\tpkg/sentry/control/state.go:180 +0xb2
gvisor.dev/gvisor/runsc/boot.(*Loader).saveWithOpts(0xc000384008, 0xc0003b2e40, 0xc001490128)
\trunsc/boot/restore.go:453 +0x265
gvisor.dev/gvisor/runsc/boot.(*Loader).save(0xc000384008, 0xc0014900e0)
\trunsc/boot/restore.go:419 +0x89
gvisor.dev/gvisor/runsc/boot.(*containerManager).Checkpoint(0xc000220740, 0xc0014900e0, 0x0?)
\trunsc/boot/controller.go:464 +0x52
reflect.Value.call({0xc0002be660?, 0xc0001fc7a0?, 0xc00063dc18?}, {0x145ae28, 0x4}, {0xc00063dea8, 0x3, 0xc00063dc48?})
\tGOROOT/src/reflect/value.go:584 +0xca6
reflect.Value.Call({0xc0002be660?, 0xc0001fc7a0?, 0xf0?}, {0xc00063dea8?, 0xc0014900e0?, 0x16?})
\tGOROOT/src/reflect/value.go:368 +0xb9
gvisor.dev/gvisor/pkg/urpc.(*Server).handleOne(0xc0002d81e0, 0xc0012a2180)
\tpkg/urpc/urpc.go:343 +0x731
gvisor.dev/gvisor/pkg/urpc.(*Server).handleRegistered(...)
\tpkg/urpc/urpc.go:454
gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling.func1()
\tpkg/urpc/urpc.go:474 +0x67
created by gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling in goroutine 392
\tpkg/urpc/urpc.go:472 +0x6b

for object tcp.Endpoint{TCPEndpointStateInner:tcp.TCPEndpointStateInner{TSOffset:tcp.TSOffset{milliseconds:0x8020a5db}, SACKPermitted:false, SendTSOk:false, RecentTS:0x0}, TransportEndpointInfo:stack.TransportEndpointInfo{NetProto:0x800, TransProto:0x6, ID:stack.TransportEndpointID{LocalPort:0x873b, LocalAddress:tcpip.Address{addr:[16]uint8{0x15, 0x0, 0x1, 0xf2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, RemotePort:0x1bb, RemoteAddress:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}}, BindNICID:0, BindAddr:tcpip.Address{addr:[16]uint8{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:0}, RegisterNICID:0}, DefaultSocketOptionsHandler:tcpip.DefaultSocketOptionsHandler{}, endpointEntry:tcp.endpointEntry{next:(*tcp.Endpoint)(nil), prev:(*tcp.Endpoint)(nil)}, pendingProcessingMu:tcp.pendingProcessingMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, pendingProcessing:false, stack:(*stack.Stack)(0xc000581808), protocol:(*tcp.protocol)(0xc0003cb0e0), waiterQueue:(*waiter.Queue)(0xc00230cde0), hardError:(*tcpip.ErrConnectionAborted)(0x324f8a0), lastErrorMu:tcp.lastErrorMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, lastError:tcpip.Error(nil), rcvQueueMu:tcp.rcvQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, TCPRcvBufState:tcp.TCPRcvBufState{RcvBufUsed:0, RcvAutoParams:tcp.RcvBufAutoTuneParams{MeasureTime:tcpip.MonotonicTime{nanoseconds:0}, CopiedBytes:0, PrevCopiedBytes:0, RcvBufSize:0, RTT:0, RTTVar:0, RTTMeasureSeqNumber:0x0, RTTMeasureTime:tcpip.MonotonicTime{nanoseconds:0}, Disabled:false}, RcvClosed:false}, rcvMemUsed:atomicbitops.Int32{:sync.NoCopy{}, value:0}, mu:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}, ownedByUser:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, rcvQueue:tcp.segmentList{head:(*tcp.segment)(nil), tail:(*tcp.segment)(nil)}, state:atomicbitops.Uint32{:sync.NoCopy{}, value:0x2}, connectionDirectionState:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, origEndpointState:0x0, isPortReserved:true, isRegistered:true, boundNICID:0, route:(*stack.Route)(0xc00085a300), ipv4TTL:0x0, ipv6HopLimit:-1, isConnectNotified:false, h:(*tcp.handshake)(0xc000987c20), portFlags:ports.Flags{MostRecent:false, LoadBalanced:false, TupleOnly:false}, boundBindToDevice:0, boundPortFlags:ports.Flags{MostRecent:false, LoadBalanced:false, TupleOnly:false}, boundDest:tcpip.FullAddress{NIC:0, Addr:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, Port:0x1bb, LinkAddr:""}, effectiveNetProtos:[]tcpip.NetworkProtocolNumber{0x800}, recentTSTime:tcpip.MonotonicTime{nanoseconds:0}, shutdownFlags:0, tcpRecovery:0, sack:tcp.SACKInfo{Blocks:[6]header.SACKBlock{header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}}, NumBlocks:0}, delay:0x0, scoreboard:(*tcp.SACKScoreboard)(nil), segmentQueue:tcp.segmentQueue{mu:tcp.segmentQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, list:tcp.segmentList{head:(*tcp.segment)(nil), tail:(*tcp.segment)(nil)}, ep:(*tcp.Endpoint)(0xc000a7d508), frozen:true}, userMSS:0x0, maxSynRetries:0x6, windowClamp:0x100000, sndQueueInfo:tcp.sndQueueInfo{sndQueueMu:tcp.sndQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, TCPSndBufState:tcp.TCPSndBufState{SndBufSize:0, SndBufUsed:0, SndClosed:false, PacketTooBigCount:0, SndMTU:2147483647, AutoTuneSndBufDisabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}}}, cc:"reno", keepalive:tcp.keepalive{keepaliveMutex:tcp.keepaliveMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, idle:7200000000000, interval:75000000000, count:9, unacked:0, timer:tcp.timer{state:1, clock:(*kernel.Timekeeper)(0xc000413e30), target:tcpip.MonotonicTime{nanoseconds:0}, clockTarget:tcpip.MonotonicTime{nanoseconds:0}, timer:tcpip.Timer(nil), callback:(func())(0xb8d7c0)}, waker:sleep.Waker{:sync.NoCopy{}, s:(unsafe.Pointer)(nil), next:(*sleep.Waker)(nil), allWakersNext:(*sleep.Waker)(nil)}}, userTimeout:0, deferAccept:0, acceptMu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, acceptQueue:tcp.acceptQueue{endpoints:list.List{root:list.Element{next:(*list.Element)(nil), prev:(*list.Element)(nil), list:(*list.List)(nil), Value:interface {}(nil)}, len:0}, pendingEndpoints:map[*tcp.Endpoint]struct {}(nil), capacity:0}, rcv:(*tcp.receiver)(nil), snd:(*tcp.sender)(nil), drainDone:(chan struct {})(nil), undrain:(chan struct {})(nil), probe:(tcp.TCPProbeFunc)(nil), connectingAddress:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, amss:0x5b4, sendTOS:0x0, gso:stack.GSO{Type:1, NeedsCsum:true, CsumOffset:0x10, MSS:0x0, L3HdrLen:0x14, MaxSize:0x10000}, stats:tcp.Stats{SegmentsReceived:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, SegmentsSent:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x6}}, FailedConnectionAttempts:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ReceiveErrors:tcp.ReceiveErrors{ReceiveErrors:tcpip.ReceiveErrors{ReceiveBufferOverflow:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, MalformedPacketsReceived:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ClosedReceiver:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ChecksumErrors:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SegmentQueueDropped:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ChecksumErrors:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ListenOverflowSynDrop:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ListenOverflowAckDrop:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ZeroRcvWindowState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, WantZeroRcvWindow:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, ReadErrors:tcpip.ReadErrors{ReadClosed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidEndpointState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, NotConnected:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SendErrors:tcp.SendErrors{SendErrors:tcpip.SendErrors{SendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, NoRoute:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SegmentSendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, SynSendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, Retransmits:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, FastRetransmit:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, Timeouts:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, WriteErrors:tcpip.WriteErrors{WriteClosed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidEndpointState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidArgs:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}}, tcpLingerTimeout:60000000000, closed:false, txHash:0xde1870cc, owner:(*kernel.Task)(0xc001505908), ops:tcpip.SocketOptions{handler:(*tcp.Endpoint)(0xc000a7d508), stackHandler:(*stack.Stack)(0xc000581808), broadcastEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, passCredEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, noChecksumEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, reuseAddressEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, reusePortEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, keepAliveEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, multicastLoopEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, receiveTOSEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveTTLEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveHopLimitEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveTClassEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receivePacketInfoEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveIPv6PacketInfoEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, hdrIncludedEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, v6OnlyEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, quickAckEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, delayOptionEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, corkOptionEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveOriginalDstAddress:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, ipv4RecvErrEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, ipv6RecvErrEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, errQueueMu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, errQueue:tcpip.sockErrorList{head:(*tcpip.SockError)(nil), tail:(*tcpip.SockError)(nil)}, bindToDevice:atomicbitops.Int32{:sync.NoCopy{}, value:0}, getSendBufferLimits:(tcpip.GetSendBufferLimits)(0xb98f20), sendBufferSize:atomicbitops.Int64{:sync.NoCopy{}, value:1048576}, getReceiveBufferLimits:(tcpip.GetReceiveBufferLimits)(0xb99180), receiveBufferSize:atomicbitops.Int64{:sync.NoCopy{}, value:1048576}, mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, linger:tcpip.LingerOption{Enabled:false, Timeout:0}, rcvlowat:atomicbitops.Int32{:sync.NoCopy{}, value:0}, experimentOptionValue:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}}, lastOutOfWindowAckTime:tcpip.MonotonicTime{nanoseconds:0}, finWait2Timer:tcpip.Timer(nil), timeWaitTimer:tcpip.Timer(nil), listenCtx:(*tcp.listenContext)(nil), limRdr:(*io.LimitedReader)(0xc001bd9ce0), pmtud:0, alsoBindToV4:false}:
goroutine 3057 [running]:
gvisor.dev/gvisor/pkg/state.safely.func1()
\tpkg/state/state.go:309 +0x170
panic({0x125bf80?, 0xc001595e20?})
\tGOROOT/src/runtime/panic.go:792 +0x132
gvisor.dev/gvisor/pkg/state.Failf(...)
\tpkg/state/state.go:269
gvisor.dev/gvisor/pkg/state.(*encodeState).Save(0xc001139c08, {0x144e140?, 0xc000004408?, 0xc001139c08?})
\tpkg/state/encode.go:774 +0x427
gvisor.dev/gvisor/pkg/state.Save.func1()
\tpkg/state/state.go:104 +0x8e
gvisor.dev/gvisor/pkg/state.safely(0xa694fe?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.Save({0x7e8a46be5fe0, 0xc000a92740}, {0x7e89c478fc78, 0xc001a16880}, {0x144e8a0, 0xc000004408})
\tpkg/state/state.go:103 +0x1c5
gvisor.dev/gvisor/pkg/sentry/kernel.(*Kernel).SaveTo(0xc000004408, {0x1697558, 0xc000a92740}, {0x1674740, 0xc001a16880}, {0x0, 0x0}, {0x0, 0x0}, 0x0, ...)
\tpkg/sentry/kernel/kernel.go:710 +0xd6a
gvisor.dev/gvisor/pkg/sentry/state.(*SaveOpts).Save(0xc0003b2e40, {0x1697558, 0xc000a92740}, 0xc000004408, 0xc0002ce180)
\tpkg/sentry/state/state.go:109 +0x325
gvisor.dev/gvisor/pkg/sentry/control.(*State).SaveWithOpts(0xc001337530, 0xc0003b2e40, 0x1466f14?)
\tpkg/sentry/control/state.go:180 +0xb2
gvisor.dev/gvisor/runsc/boot.(*Loader).saveWithOpts(0xc000384008, 0xc0003b2e40, 0xc001490128)
\trunsc/boot/restore.go:453 +0x265
gvisor.dev/gvisor/runsc/boot.(*Loader).save(0xc000384008, 0xc0014900e0)
\trunsc/boot/restore.go:419 +0x89
gvisor.dev/gvisor/runsc/boot.(*containerManager).Checkpoint(0xc000220740, 0xc0014900e0, 0x0?)
\trunsc/boot/controller.go:464 +0x52
reflect.Value.call({0xc0002be660?, 0xc0001fc7a0?, 0xc00063dc18?}, {0x145ae28, 0x4}, {0xc00063dea8, 0x3, 0xc00063dc48?})
\tGOROOT/src/reflect/value.go:584 +0xca6
reflect.Value.Call({0xc0002be660?, 0xc0001fc7a0?, 0xf0?}, {0xc00063dea8?, 0xc0014900e0?, 0x16?})
\tGOROOT/src/reflect/value.go:368 +0xb9
gvisor.dev/gvisor/pkg/urpc.(*Server).handleOne(0xc0002d81e0, 0xc0012a2180)
\tpkg/urpc/urpc.go:343 +0x731
gvisor.dev/gvisor/pkg/urpc.(*Server).handleRegistered(...)
\tpkg/urpc/urpc.go:454
gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling.func1()
\tpkg/urpc/urpc.go:474 +0x67
created by gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling in goroutine 392
\tpkg/urpc/urpc.go:472 +0x6b
```

```
0130 11:50:36.087642       1 cli.go:189] Version release-20250820.0-120-g6bf3c4885132-dirty, go1.24.1, amd64, 180 CPUs, linux, PID 1, PPID 0, UID 0, GID 0
D0130 11:50:36.087661       1 cli.go:190] Page size: 0x1000 (4096 bytes)
I0130 11:50:36.087676       1 cli.go:191] Args: [runsc-sandbox --root=/var/run/runsc --debug=true --debug-log=/dev/shm/sandboxing-debug/meager-eager-tidy-chin/runsc/ --file-access=shared --overlay2=none --network=sandbox --net-raw=true --net-disconnect-ok=true --systrap-disable-syscall-patching=true --debug-log-fd=3 boot --bundle=/dev/shm/sandboxing/meager-eager-tidy-chin --gofer-mount-confs=lisafs:none,lisafs:none,lisafs:none --apply-caps=true --setup-root --total-host-memory 760451858432 --cpu-num 4 --total-memory 74088185856 --attached --io-fds=4 --io-fds=5 --io-fds=6 --dev-io-fd=-1 --mounts-fd=7 --start-sync-fd=8 --controller-fd=9 --spec-fd=10 --stdio-fds=11 --stdio-fds=12 --stdio-fds=13 meager-eager-tidy-chin]
I0130 11:50:36.087706       1 config.go:461] Platform: systrap
I0130 11:50:36.087735       1 config.go:462] RootDir: /var/run/runsc
I0130 11:50:36.087747       1 config.go:463] FileAccess: shared / Directfs: true / Overlay: none
I0130 11:50:36.087762       1 config.go:464] Network: sandbox
I0130 11:50:36.087774       1 config.go:466] Debug: true. Strace: false, max size: 1024, syscalls:
W0130 11:50:36.087785       1 config.go:469] --allow-suid is disabled, SUID/SGID bits on executables will be ignored.
D0130 11:50:36.087799       1 config.go:487] Config.RootDir (--root): /var/run/runsc
D0130 11:50:36.087813       1 config.go:487] Config.Traceback (--traceback): system
D0130 11:50:36.087831       1 config.go:487] Config.Debug (--debug): true
D0130 11:50:36.087842       1 config.go:487] Config.LogFilename (--log): (empty)
D0130 11:50:36.087877       1 config.go:487] Config.LogFormat (--log-format): text
D0130 11:50:36.087887       1 config.go:487] Config.DebugLog (--debug-log): /dev/shm/sandboxing-debug/meager-eager-tidy-chin/runsc/
D0130 11:50:36.087898       1 config.go:487] Config.DebugToUserLog (--debug-to-user-log): false
D0130 11:50:36.087908       1 config.go:487] Config.DebugCommand (--debug-command): (empty)
D0130 11:50:36.087918       1 config.go:487] Config.PanicLog (--panic-log): (empty)
D0130 11:50:36.087932       1 config.go:487] Config.CoverageReport (--coverage-report): (empty)
D0130 11:50:36.087942       1 config.go:487] Config.DebugLogFormat (--debug-log-format): text
D0130 11:50:36.087953       1 config.go:487] Config.FileAccess (--file-access): shared
D0130 11:50:36.087965       1 config.go:487] Config.FileAccessMounts (--file-access-mounts): shared
D0130 11:50:36.087975       1 config.go:487] Config.Overlay (--overlay): false
D0130 11:50:36.087986       1 config.go:487] Config.Overlay2 (--overlay2): none
D0130 11:50:36.087997       1 config.go:487] Config.FSGoferHostUDS (--fsgofer-host-uds): false
D0130 11:50:36.088014       1 config.go:487] Config.HostUDS (--host-uds): none
D0130 11:50:36.088031       1 config.go:487] Config.HostFifo (--host-fifo): none
D0130 11:50:36.088043       1 config.go:487] Config.HostSettings (--host-settings): check
D0130 11:50:36.088052       1 config.go:487] Config.Network (--network): sandbox
D0130 11:50:36.088060       1 config.go:487] Config.EnableRaw (--net-raw): true
D0130 11:50:36.088067       1 config.go:487] Config.AllowPacketEndpointWrite (--TESTONLY-allow-packet-endpoint-write): false
D0130 11:50:36.088075       1 config.go:487] Config.HostGSO (--gso): true
D0130 11:50:36.088082       1 config.go:487] Config.GVisorGSO (--software-gso): true
D0130 11:50:36.088090       1 config.go:487] Config.GVisorGRO (--gvisor-gro): false
D0130 11:50:36.088097       1 config.go:487] Config.TXChecksumOffload (--tx-checksum-offload): false
D0130 11:50:36.088105       1 config.go:487] Config.RXChecksumOffload (--rx-checksum-offload): true
D0130 11:50:36.088113       1 config.go:487] Config.QDisc (--qdisc): fifo
D0130 11:50:36.088121       1 config.go:487] Config.LogPackets (--log-packets): false
D0130 11:50:36.088132       1 config.go:487] Config.PCAP (--pcap-log): (empty)
D0130 11:50:36.088148       1 config.go:487] Config.Platform (--platform): systrap
D0130 11:50:36.088159       1 config.go:487] Config.PlatformDevicePath (--platform_device_path): (empty)
D0130 11:50:36.088170       1 config.go:487] Config.MetricServer (--metric-server): (empty)
D0130 11:50:36.088181       1 config.go:487] Config.FinalMetricsLog (--final-metrics-log): (empty)
D0130 11:50:36.088190       1 config.go:487] Config.ProfilingMetrics (--profiling-metrics): (empty)
D0130 11:50:36.088199       1 config.go:487] Config.ProfilingMetricsLog (--profiling-metrics-log): (empty)
D0130 11:50:36.088209       1 config.go:487] Config.ProfilingMetricsRate (--profiling-metrics-rate-us): 1000
D0130 11:50:36.088219       1 config.go:487] Config.Strace (--strace): false
D0130 11:50:36.088228       1 config.go:487] Config.StraceSyscalls (--strace-syscalls): (empty)
D0130 11:50:36.088238       1 config.go:487] Config.StraceLogSize (--strace-log-size): 1024
D0130 11:50:36.088247       1 config.go:487] Config.StraceEvent (--strace-event): false
D0130 11:50:36.088255       1 config.go:489] Config.DisableSeccomp: false
D0130 11:50:36.088272       1 config.go:487] Config.EnableCoreTags (--enable-core-tags): false
D0130 11:50:36.088285       1 config.go:487] Config.WatchdogAction (--watchdog-action): logWarning
D0130 11:50:36.088302       1 config.go:487] Config.PanicSignal (--panic-signal): -1
D0130 11:50:36.088312       1 config.go:487] Config.ProfileEnable (--profile): false
D0130 11:50:36.088322       1 config.go:487] Config.ProfileBlock (--profile-block): (empty)
D0130 11:50:36.088333       1 config.go:487] Config.ProfileCPU (--profile-cpu): (empty)
D0130 11:50:36.088343       1 config.go:487] Config.ProfileGCInterval (--profile-gc-interval): 0s
D0130 11:50:36.088359       1 config.go:487] Config.ProfileHeap (--profile-heap): (empty)
D0130 11:50:36.088369       1 config.go:487] Config.ProfileMutex (--profile-mutex): (empty)
D0130 11:50:36.088379       1 config.go:487] Config.TraceFile (--trace): (empty)
D0130 11:50:36.088393       1 config.go:487] Config.NumNetworkChannels (--num-network-channels): 1
D0130 11:50:36.088404       1 config.go:487] Config.NetworkProcessorsPerChannel (--network-processors-per-channel): 0
D0130 11:50:36.088414       1 config.go:487] Config.Rootless (--rootless): false
D0130 11:50:36.088424       1 config.go:487] Config.AlsoLogToStderr (--alsologtostderr): false
D0130 11:50:36.088436       1 config.go:487] Config.ReferenceLeak (--ref-leak-mode): disabled
D0130 11:50:36.088447       1 config.go:487] Config.CPUNumFromQuota (--cpu-num-from-quota): true
D0130 11:50:36.088457       1 config.go:487] Config.AllowFlagOverride (--allow-flag-override): false
D0130 11:50:36.088466       1 config.go:487] Config.OCISeccomp (--oci-seccomp): false
D0130 11:50:36.088475       1 config.go:487] Config.IgnoreCgroups (--ignore-cgroups): false
D0130 11:50:36.088485       1 config.go:487] Config.SystemdCgroup (--systemd-cgroup): false
D0130 11:50:36.088496       1 config.go:487] Config.PodInitConfig (--pod-init-config): (empty)
D0130 11:50:36.088503       1 config.go:487] Config.BufferPooling (--buffer-pooling): true
D0130 11:50:36.088511       1 config.go:487] Config.XDP (--EXPERIMENTAL-xdp): {0 }
D0130 11:50:36.088520       1 config.go:487] Config.AFXDPUseNeedWakeup (--EXPERIMENTAL-xdp-need-wakeup): true
D0130 11:50:36.088528       1 config.go:487] Config.FDLimit (--fdlimit): -1
D0130 11:50:36.088535       1 config.go:487] Config.DCache (--dcache): -1
D0130 11:50:36.088544       1 config.go:487] Config.IOUring (--iouring): false
D0130 11:50:36.088554       1 config.go:487] Config.DirectFS (--directfs): true
D0130 11:50:36.088564       1 config.go:487] Config.AppHugePages (--app-huge-pages): true
D0130 11:50:36.088574       1 config.go:487] Config.NVProxy (--nvproxy): false
D0130 11:50:36.088583       1 config.go:487] Config.NVProxyDocker (--nvproxy-docker): false
D0130 11:50:36.088592       1 config.go:487] Config.NVProxyDriverVersion (--nvproxy-driver-version): (empty)
D0130 11:50:36.088609       1 config.go:487] Config.NVProxyAllowedDriverCapabilities (--nvproxy-allowed-driver-capabilities): utility,compute
D0130 11:50:36.088618       1 config.go:487] Config.TPUProxy (--tpuproxy): false
D0130 11:50:36.088630       1 config.go:487] Config.TestOnlyAllowRunAsCurrentUserWithoutChroot (--TESTONLY-unsafe-nonroot): false
D0130 11:50:36.088637       1 config.go:487] Config.TestOnlyTestNameEnv (--TESTONLY-test-name-env): (empty)
D0130 11:50:36.088645       1 config.go:487] Config.TestOnlyAFSSyscallPanic (--TESTONLY-afs-syscall-panic): false
D0130 11:50:36.088653       1 config.go:489] Config.explicitlySet: <map[string]struct {} Value> (unexported)
D0130 11:50:36.088661       1 config.go:487] Config.ReproduceNAT (--reproduce-nat): false
D0130 11:50:36.088669       1 config.go:487] Config.ReproduceNftables (--reproduce-nftables): false
D0130 11:50:36.088681       1 config.go:487] Config.NetDisconnectOk (--net-disconnect-ok): true
D0130 11:50:36.088689       1 config.go:487] Config.TestOnlyAutosaveImagePath (--TESTONLY-autosave-image-path): (empty)
D0130 11:50:36.088697       1 config.go:487] Config.TestOnlyAutosaveResume (--TESTONLY-autosave-resume): false
D0130 11:50:36.088704       1 config.go:487] Config.RestoreSpecValidation (--restore-spec-validation): enforce
D0130 11:50:36.088713       1 config.go:487] Config.GVisorMarkerFile (--gvisor-marker-file): false
D0130 11:50:36.088721       1 config.go:487] Config.SystrapDisableSyscallPatching (--systrap-disable-syscall-patching): true
D0130 11:50:36.088728       1 config.go:487] Config.SaveRestoreNetstack (--save-restore-netstack): true
D0130 11:50:36.088735       1 config.go:487] Config.Nftables (--TESTONLY-nftables): false
D0130 11:50:36.088742       1 config.go:487] Config.AllowSUID (--allow-suid): false
D0130 11:50:36.088752       1 cli.go:197] runsc process spawned at 11:50:36.086274, Go started execution at 11:50:36.087214. Startup overhead: 939.687µs
I0130 11:50:36.088767       1 cli.go:200] **************** gVisor ****************
I0130 11:50:36.089555       1 boot.go:283] Setting product_name: "Google Compute Engine"
I0130 11:50:36.089742       1 boot.go:294] Setting host-thp-shmem-enabled: "never"
I0130 11:50:36.089800       1 boot.go:304] Setting host-thp-defrag: "defer"
I0130 11:50:36.090725       1 chroot.go:162] Setting up sandbox chroot in "/tmp"
I0130 11:50:36.102251       1 chroot.go:37] Mounting "proc" at "/tmp/proc/sandbox-proc"
D0130 11:50:36.125546       1 specutils.go:114] Spec:
```

FUTURE_COPYBARA_INTEGRATE_REVIEW=#12567 from nt:claude/fix-turbine-orch-error-X0OIm d8c4fa8
PiperOrigin-RevId: 865007585
copybara-service bot pushed a commit that referenced this pull request Feb 5, 2026
@nt @gvisor-bot
tcp: skip RST in resetConnectionLocked when snd/rcv are nil
562cde6 
resetConnectionLocked dereferences e.snd to compute the RST sequence number, but snd (and rcv) are only initialized when the TCP handshake completes in transitionToStateEstablishedLocked. Endpoints still in StateSynSent or StateSynRecv have nil snd/rcv, and calling resetConnectionLocked on them (e.g. from beforeSave during checkpoint) panics with a nil pointer dereference.

Guard the RST-sending block behind a nil check on e.snd. The rest of the function (set hardError, purge queues, cleanup, transition to StateError) is still unconditionally executed.

This address the following crash:

```
encoding error: runtime error: invalid memory address or nil pointer dereference:
goroutine 3057 [running]:
gvisor.dev/gvisor/pkg/state.safely.func1()
\tpkg/state/state.go:309 +0x170
panic({0x124f2a0?, 0x31fb280?})
\tGOROOT/src/runtime/panic.go:792 +0x132
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).resetConnectionLocked(0xc000a7d508, {0x1685100?, 0x324f8a0?})
\tpkg/tcpip/transport/tcp/connect.go:1084 +0x84
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).beforeSave(0xc000a7d508)
\tpkg/tcpip/transport/tcp/endpoint_state.go:59 +0x188
gvisor.dev/gvisor/pkg/tcpip/transport/tcp.(*Endpoint).StateSave(0xc000a7d508, {{0xc001139c08?, 0xc0016e4f48?}})
\tbazel-out/k8-opt/bin/pkg/tcpip/transport/tcp/tcp_state_autogen.go:504 +0x4a
gvisor.dev/gvisor/pkg/state.(*encodeState).encodeStruct(0xc001139c08, {0x144da00, 0xc000a7d508, 0x199}, 0xc0014dc9e0)
\tpkg/state/encode.go:536 +0x58e
gvisor.dev/gvisor/pkg/state.(*encodeState).encodeObject(0xc001139c08, {0x144da00?, 0xc000a7d508?, 0xc000bb0008?}, 0x0, 0xc0014dc9e0)
\tpkg/state/encode.go:733 +0x5e5
gvisor.dev/gvisor/pkg/state.(*encodeState).Save.func2()
\tpkg/state/encode.go:770 +0x8b
gvisor.dev/gvisor/pkg/state.safely(0xc001139c08?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.(*encodeState).Save(0xc001139c08, {0x144e140?, 0xc000004408?, 0xc001139c08?})
\tpkg/state/encode.go:763 +0x1eb
gvisor.dev/gvisor/pkg/state.Save.func1()
\tpkg/state/state.go:104 +0x8e
gvisor.dev/gvisor/pkg/state.safely(0xa694fe?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.Save({0x7e8a46be5fe0, 0xc000a92740}, {0x7e89c478fc78, 0xc001a16880}, {0x144e8a0, 0xc000004408})
\tpkg/state/state.go:103 +0x1c5
gvisor.dev/gvisor/pkg/sentry/kernel.(*Kernel).SaveTo(0xc000004408, {0x1697558, 0xc000a92740}, {0x1674740, 0xc001a16880}, {0x0, 0x0}, {0x0, 0x0}, 0x0, ...)
\tpkg/sentry/kernel/kernel.go:710 +0xd6a
gvisor.dev/gvisor/pkg/sentry/state.(*SaveOpts).Save(0xc0003b2e40, {0x1697558, 0xc000a92740}, 0xc000004408, 0xc0002ce180)
\tpkg/sentry/state/state.go:109 +0x325
gvisor.dev/gvisor/pkg/sentry/control.(*State).SaveWithOpts(0xc001337530, 0xc0003b2e40, 0x1466f14?)
\tpkg/sentry/control/state.go:180 +0xb2
gvisor.dev/gvisor/runsc/boot.(*Loader).saveWithOpts(0xc000384008, 0xc0003b2e40, 0xc001490128)
\trunsc/boot/restore.go:453 +0x265
gvisor.dev/gvisor/runsc/boot.(*Loader).save(0xc000384008, 0xc0014900e0)
\trunsc/boot/restore.go:419 +0x89
gvisor.dev/gvisor/runsc/boot.(*containerManager).Checkpoint(0xc000220740, 0xc0014900e0, 0x0?)
\trunsc/boot/controller.go:464 +0x52
reflect.Value.call({0xc0002be660?, 0xc0001fc7a0?, 0xc00063dc18?}, {0x145ae28, 0x4}, {0xc00063dea8, 0x3, 0xc00063dc48?})
\tGOROOT/src/reflect/value.go:584 +0xca6
reflect.Value.Call({0xc0002be660?, 0xc0001fc7a0?, 0xf0?}, {0xc00063dea8?, 0xc0014900e0?, 0x16?})
\tGOROOT/src/reflect/value.go:368 +0xb9
gvisor.dev/gvisor/pkg/urpc.(*Server).handleOne(0xc0002d81e0, 0xc0012a2180)
\tpkg/urpc/urpc.go:343 +0x731
gvisor.dev/gvisor/pkg/urpc.(*Server).handleRegistered(...)
\tpkg/urpc/urpc.go:454
gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling.func1()
\tpkg/urpc/urpc.go:474 +0x67
created by gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling in goroutine 392
\tpkg/urpc/urpc.go:472 +0x6b

for object tcp.Endpoint{TCPEndpointStateInner:tcp.TCPEndpointStateInner{TSOffset:tcp.TSOffset{milliseconds:0x8020a5db}, SACKPermitted:false, SendTSOk:false, RecentTS:0x0}, TransportEndpointInfo:stack.TransportEndpointInfo{NetProto:0x800, TransProto:0x6, ID:stack.TransportEndpointID{LocalPort:0x873b, LocalAddress:tcpip.Address{addr:[16]uint8{0x15, 0x0, 0x1, 0xf2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, RemotePort:0x1bb, RemoteAddress:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}}, BindNICID:0, BindAddr:tcpip.Address{addr:[16]uint8{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:0}, RegisterNICID:0}, DefaultSocketOptionsHandler:tcpip.DefaultSocketOptionsHandler{}, endpointEntry:tcp.endpointEntry{next:(*tcp.Endpoint)(nil), prev:(*tcp.Endpoint)(nil)}, pendingProcessingMu:tcp.pendingProcessingMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, pendingProcessing:false, stack:(*stack.Stack)(0xc000581808), protocol:(*tcp.protocol)(0xc0003cb0e0), waiterQueue:(*waiter.Queue)(0xc00230cde0), hardError:(*tcpip.ErrConnectionAborted)(0x324f8a0), lastErrorMu:tcp.lastErrorMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, lastError:tcpip.Error(nil), rcvQueueMu:tcp.rcvQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, TCPRcvBufState:tcp.TCPRcvBufState{RcvBufUsed:0, RcvAutoParams:tcp.RcvBufAutoTuneParams{MeasureTime:tcpip.MonotonicTime{nanoseconds:0}, CopiedBytes:0, PrevCopiedBytes:0, RcvBufSize:0, RTT:0, RTTVar:0, RTTMeasureSeqNumber:0x0, RTTMeasureTime:tcpip.MonotonicTime{nanoseconds:0}, Disabled:false}, RcvClosed:false}, rcvMemUsed:atomicbitops.Int32{:sync.NoCopy{}, value:0}, mu:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}, ownedByUser:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, rcvQueue:tcp.segmentList{head:(*tcp.segment)(nil), tail:(*tcp.segment)(nil)}, state:atomicbitops.Uint32{:sync.NoCopy{}, value:0x2}, connectionDirectionState:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, origEndpointState:0x0, isPortReserved:true, isRegistered:true, boundNICID:0, route:(*stack.Route)(0xc00085a300), ipv4TTL:0x0, ipv6HopLimit:-1, isConnectNotified:false, h:(*tcp.handshake)(0xc000987c20), portFlags:ports.Flags{MostRecent:false, LoadBalanced:false, TupleOnly:false}, boundBindToDevice:0, boundPortFlags:ports.Flags{MostRecent:false, LoadBalanced:false, TupleOnly:false}, boundDest:tcpip.FullAddress{NIC:0, Addr:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, Port:0x1bb, LinkAddr:""}, effectiveNetProtos:[]tcpip.NetworkProtocolNumber{0x800}, recentTSTime:tcpip.MonotonicTime{nanoseconds:0}, shutdownFlags:0, tcpRecovery:0, sack:tcp.SACKInfo{Blocks:[6]header.SACKBlock{header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}, header.SACKBlock{Start:0x0, End:0x0}}, NumBlocks:0}, delay:0x0, scoreboard:(*tcp.SACKScoreboard)(nil), segmentQueue:tcp.segmentQueue{mu:tcp.segmentQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, list:tcp.segmentList{head:(*tcp.segment)(nil), tail:(*tcp.segment)(nil)}, ep:(*tcp.Endpoint)(0xc000a7d508), frozen:true}, userMSS:0x0, maxSynRetries:0x6, windowClamp:0x100000, sndQueueInfo:tcp.sndQueueInfo{sndQueueMu:tcp.sndQueueMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, TCPSndBufState:tcp.TCPSndBufState{SndBufSize:0, SndBufUsed:0, SndClosed:false, PacketTooBigCount:0, SndMTU:2147483647, AutoTuneSndBufDisabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}}}, cc:"reno", keepalive:tcp.keepalive{keepaliveMutex:tcp.keepaliveMutex{mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}}, idle:7200000000000, interval:75000000000, count:9, unacked:0, timer:tcp.timer{state:1, clock:(*kernel.Timekeeper)(0xc000413e30), target:tcpip.MonotonicTime{nanoseconds:0}, clockTarget:tcpip.MonotonicTime{nanoseconds:0}, timer:tcpip.Timer(nil), callback:(func())(0xb8d7c0)}, waker:sleep.Waker{:sync.NoCopy{}, s:(unsafe.Pointer)(nil), next:(*sleep.Waker)(nil), allWakersNext:(*sleep.Waker)(nil)}}, userTimeout:0, deferAccept:0, acceptMu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, acceptQueue:tcp.acceptQueue{endpoints:list.List{root:list.Element{next:(*list.Element)(nil), prev:(*list.Element)(nil), list:(*list.List)(nil), Value:interface {}(nil)}, len:0}, pendingEndpoints:map[*tcp.Endpoint]struct {}(nil), capacity:0}, rcv:(*tcp.receiver)(nil), snd:(*tcp.sender)(nil), drainDone:(chan struct {})(nil), undrain:(chan struct {})(nil), probe:(tcp.TCPProbeFunc)(nil), connectingAddress:tcpip.Address{addr:[16]uint8{0xa, 0x7c, 0xd, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, length:4}, amss:0x5b4, sendTOS:0x0, gso:stack.GSO{Type:1, NeedsCsum:true, CsumOffset:0x10, MSS:0x0, L3HdrLen:0x14, MaxSize:0x10000}, stats:tcp.Stats{SegmentsReceived:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, SegmentsSent:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x6}}, FailedConnectionAttempts:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ReceiveErrors:tcp.ReceiveErrors{ReceiveErrors:tcpip.ReceiveErrors{ReceiveBufferOverflow:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, MalformedPacketsReceived:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ClosedReceiver:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ChecksumErrors:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SegmentQueueDropped:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ChecksumErrors:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ListenOverflowSynDrop:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ListenOverflowAckDrop:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, ZeroRcvWindowState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, WantZeroRcvWindow:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, ReadErrors:tcpip.ReadErrors{ReadClosed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidEndpointState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, NotConnected:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SendErrors:tcp.SendErrors{SendErrors:tcpip.SendErrors{SendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, NoRoute:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, SegmentSendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, SynSendToNetworkFailed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, Retransmits:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, FastRetransmit:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, Timeouts:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}, WriteErrors:tcpip.WriteErrors{WriteClosed:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidEndpointState:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}, InvalidArgs:tcpip.StatCounter{count:atomicbitops.Uint64{:sync.NoCopy{}, value:0x0}}}}, tcpLingerTimeout:60000000000, closed:false, txHash:0xde1870cc, owner:(*kernel.Task)(0xc001505908), ops:tcpip.SocketOptions{handler:(*tcp.Endpoint)(0xc000a7d508), stackHandler:(*stack.Stack)(0xc000581808), broadcastEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, passCredEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, noChecksumEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, reuseAddressEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, reusePortEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, keepAliveEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, multicastLoopEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, receiveTOSEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveTTLEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveHopLimitEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveTClassEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receivePacketInfoEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveIPv6PacketInfoEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, hdrIncludedEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, v6OnlyEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, quickAckEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, delayOptionEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x1}, corkOptionEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, receiveOriginalDstAddress:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, ipv4RecvErrEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, ipv6RecvErrEnabled:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}, errQueueMu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, errQueue:tcpip.sockErrorList{head:(*tcpip.SockError)(nil), tail:(*tcpip.SockError)(nil)}, bindToDevice:atomicbitops.Int32{:sync.NoCopy{}, value:0}, getSendBufferLimits:(tcpip.GetSendBufferLimits)(0xb98f20), sendBufferSize:atomicbitops.Int64{:sync.NoCopy{}, value:1048576}, getReceiveBufferLimits:(tcpip.GetReceiveBufferLimits)(0xb99180), receiveBufferSize:atomicbitops.Int64{:sync.NoCopy{}, value:1048576}, mu:sync.Mutex{m:sync.CrossGoroutineMutex{m:sync.Mutex{:sync.noCopy{}, mu:sync.Mutex{state:0, sema:0x0}}}}, linger:tcpip.LingerOption{Enabled:false, Timeout:0}, rcvlowat:atomicbitops.Int32{:sync.NoCopy{}, value:0}, experimentOptionValue:atomicbitops.Uint32{:sync.NoCopy{}, value:0x0}}, lastOutOfWindowAckTime:tcpip.MonotonicTime{nanoseconds:0}, finWait2Timer:tcpip.Timer(nil), timeWaitTimer:tcpip.Timer(nil), listenCtx:(*tcp.listenContext)(nil), limRdr:(*io.LimitedReader)(0xc001bd9ce0), pmtud:0, alsoBindToV4:false}:
goroutine 3057 [running]:
gvisor.dev/gvisor/pkg/state.safely.func1()
\tpkg/state/state.go:309 +0x170
panic({0x125bf80?, 0xc001595e20?})
\tGOROOT/src/runtime/panic.go:792 +0x132
gvisor.dev/gvisor/pkg/state.Failf(...)
\tpkg/state/state.go:269
gvisor.dev/gvisor/pkg/state.(*encodeState).Save(0xc001139c08, {0x144e140?, 0xc000004408?, 0xc001139c08?})
\tpkg/state/encode.go:774 +0x427
gvisor.dev/gvisor/pkg/state.Save.func1()
\tpkg/state/state.go:104 +0x8e
gvisor.dev/gvisor/pkg/state.safely(0xa694fe?)
\tpkg/state/state.go:322 +0x51
gvisor.dev/gvisor/pkg/state.Save({0x7e8a46be5fe0, 0xc000a92740}, {0x7e89c478fc78, 0xc001a16880}, {0x144e8a0, 0xc000004408})
\tpkg/state/state.go:103 +0x1c5
gvisor.dev/gvisor/pkg/sentry/kernel.(*Kernel).SaveTo(0xc000004408, {0x1697558, 0xc000a92740}, {0x1674740, 0xc001a16880}, {0x0, 0x0}, {0x0, 0x0}, 0x0, ...)
\tpkg/sentry/kernel/kernel.go:710 +0xd6a
gvisor.dev/gvisor/pkg/sentry/state.(*SaveOpts).Save(0xc0003b2e40, {0x1697558, 0xc000a92740}, 0xc000004408, 0xc0002ce180)
\tpkg/sentry/state/state.go:109 +0x325
gvisor.dev/gvisor/pkg/sentry/control.(*State).SaveWithOpts(0xc001337530, 0xc0003b2e40, 0x1466f14?)
\tpkg/sentry/control/state.go:180 +0xb2
gvisor.dev/gvisor/runsc/boot.(*Loader).saveWithOpts(0xc000384008, 0xc0003b2e40, 0xc001490128)
\trunsc/boot/restore.go:453 +0x265
gvisor.dev/gvisor/runsc/boot.(*Loader).save(0xc000384008, 0xc0014900e0)
\trunsc/boot/restore.go:419 +0x89
gvisor.dev/gvisor/runsc/boot.(*containerManager).Checkpoint(0xc000220740, 0xc0014900e0, 0x0?)
\trunsc/boot/controller.go:464 +0x52
reflect.Value.call({0xc0002be660?, 0xc0001fc7a0?, 0xc00063dc18?}, {0x145ae28, 0x4}, {0xc00063dea8, 0x3, 0xc00063dc48?})
\tGOROOT/src/reflect/value.go:584 +0xca6
reflect.Value.Call({0xc0002be660?, 0xc0001fc7a0?, 0xf0?}, {0xc00063dea8?, 0xc0014900e0?, 0x16?})
\tGOROOT/src/reflect/value.go:368 +0xb9
gvisor.dev/gvisor/pkg/urpc.(*Server).handleOne(0xc0002d81e0, 0xc0012a2180)
\tpkg/urpc/urpc.go:343 +0x731
gvisor.dev/gvisor/pkg/urpc.(*Server).handleRegistered(...)
\tpkg/urpc/urpc.go:454
gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling.func1()
\tpkg/urpc/urpc.go:474 +0x67
created by gvisor.dev/gvisor/pkg/urpc.(*Server).StartHandling in goroutine 392
\tpkg/urpc/urpc.go:472 +0x6b
```

```
0130 11:50:36.087642       1 cli.go:189] Version release-20250820.0-120-g6bf3c4885132-dirty, go1.24.1, amd64, 180 CPUs, linux, PID 1, PPID 0, UID 0, GID 0
D0130 11:50:36.087661       1 cli.go:190] Page size: 0x1000 (4096 bytes)
I0130 11:50:36.087676       1 cli.go:191] Args: [runsc-sandbox --root=/var/run/runsc --debug=true --debug-log=/dev/shm/sandboxing-debug/meager-eager-tidy-chin/runsc/ --file-access=shared --overlay2=none --network=sandbox --net-raw=true --net-disconnect-ok=true --systrap-disable-syscall-patching=true --debug-log-fd=3 boot --bundle=/dev/shm/sandboxing/meager-eager-tidy-chin --gofer-mount-confs=lisafs:none,lisafs:none,lisafs:none --apply-caps=true --setup-root --total-host-memory 760451858432 --cpu-num 4 --total-memory 74088185856 --attached --io-fds=4 --io-fds=5 --io-fds=6 --dev-io-fd=-1 --mounts-fd=7 --start-sync-fd=8 --controller-fd=9 --spec-fd=10 --stdio-fds=11 --stdio-fds=12 --stdio-fds=13 meager-eager-tidy-chin]
I0130 11:50:36.087706       1 config.go:461] Platform: systrap
I0130 11:50:36.087735       1 config.go:462] RootDir: /var/run/runsc
I0130 11:50:36.087747       1 config.go:463] FileAccess: shared / Directfs: true / Overlay: none
I0130 11:50:36.087762       1 config.go:464] Network: sandbox
I0130 11:50:36.087774       1 config.go:466] Debug: true. Strace: false, max size: 1024, syscalls:
W0130 11:50:36.087785       1 config.go:469] --allow-suid is disabled, SUID/SGID bits on executables will be ignored.
D0130 11:50:36.087799       1 config.go:487] Config.RootDir (--root): /var/run/runsc
D0130 11:50:36.087813       1 config.go:487] Config.Traceback (--traceback): system
D0130 11:50:36.087831       1 config.go:487] Config.Debug (--debug): true
D0130 11:50:36.087842       1 config.go:487] Config.LogFilename (--log): (empty)
D0130 11:50:36.087877       1 config.go:487] Config.LogFormat (--log-format): text
D0130 11:50:36.087887       1 config.go:487] Config.DebugLog (--debug-log): /dev/shm/sandboxing-debug/meager-eager-tidy-chin/runsc/
D0130 11:50:36.087898       1 config.go:487] Config.DebugToUserLog (--debug-to-user-log): false
D0130 11:50:36.087908       1 config.go:487] Config.DebugCommand (--debug-command): (empty)
D0130 11:50:36.087918       1 config.go:487] Config.PanicLog (--panic-log): (empty)
D0130 11:50:36.087932       1 config.go:487] Config.CoverageReport (--coverage-report): (empty)
D0130 11:50:36.087942       1 config.go:487] Config.DebugLogFormat (--debug-log-format): text
D0130 11:50:36.087953       1 config.go:487] Config.FileAccess (--file-access): shared
D0130 11:50:36.087965       1 config.go:487] Config.FileAccessMounts (--file-access-mounts): shared
D0130 11:50:36.087975       1 config.go:487] Config.Overlay (--overlay): false
D0130 11:50:36.087986       1 config.go:487] Config.Overlay2 (--overlay2): none
D0130 11:50:36.087997       1 config.go:487] Config.FSGoferHostUDS (--fsgofer-host-uds): false
D0130 11:50:36.088014       1 config.go:487] Config.HostUDS (--host-uds): none
D0130 11:50:36.088031       1 config.go:487] Config.HostFifo (--host-fifo): none
D0130 11:50:36.088043       1 config.go:487] Config.HostSettings (--host-settings): check
D0130 11:50:36.088052       1 config.go:487] Config.Network (--network): sandbox
D0130 11:50:36.088060       1 config.go:487] Config.EnableRaw (--net-raw): true
D0130 11:50:36.088067       1 config.go:487] Config.AllowPacketEndpointWrite (--TESTONLY-allow-packet-endpoint-write): false
D0130 11:50:36.088075       1 config.go:487] Config.HostGSO (--gso): true
D0130 11:50:36.088082       1 config.go:487] Config.GVisorGSO (--software-gso): true
D0130 11:50:36.088090       1 config.go:487] Config.GVisorGRO (--gvisor-gro): false
D0130 11:50:36.088097       1 config.go:487] Config.TXChecksumOffload (--tx-checksum-offload): false
D0130 11:50:36.088105       1 config.go:487] Config.RXChecksumOffload (--rx-checksum-offload): true
D0130 11:50:36.088113       1 config.go:487] Config.QDisc (--qdisc): fifo
D0130 11:50:36.088121       1 config.go:487] Config.LogPackets (--log-packets): false
D0130 11:50:36.088132       1 config.go:487] Config.PCAP (--pcap-log): (empty)
D0130 11:50:36.088148       1 config.go:487] Config.Platform (--platform): systrap
D0130 11:50:36.088159       1 config.go:487] Config.PlatformDevicePath (--platform_device_path): (empty)
D0130 11:50:36.088170       1 config.go:487] Config.MetricServer (--metric-server): (empty)
D0130 11:50:36.088181       1 config.go:487] Config.FinalMetricsLog (--final-metrics-log): (empty)
D0130 11:50:36.088190       1 config.go:487] Config.ProfilingMetrics (--profiling-metrics): (empty)
D0130 11:50:36.088199       1 config.go:487] Config.ProfilingMetricsLog (--profiling-metrics-log): (empty)
D0130 11:50:36.088209       1 config.go:487] Config.ProfilingMetricsRate (--profiling-metrics-rate-us): 1000
D0130 11:50:36.088219       1 config.go:487] Config.Strace (--strace): false
D0130 11:50:36.088228       1 config.go:487] Config.StraceSyscalls (--strace-syscalls): (empty)
D0130 11:50:36.088238       1 config.go:487] Config.StraceLogSize (--strace-log-size): 1024
D0130 11:50:36.088247       1 config.go:487] Config.StraceEvent (--strace-event): false
D0130 11:50:36.088255       1 config.go:489] Config.DisableSeccomp: false
D0130 11:50:36.088272       1 config.go:487] Config.EnableCoreTags (--enable-core-tags): false
D0130 11:50:36.088285       1 config.go:487] Config.WatchdogAction (--watchdog-action): logWarning
D0130 11:50:36.088302       1 config.go:487] Config.PanicSignal (--panic-signal): -1
D0130 11:50:36.088312       1 config.go:487] Config.ProfileEnable (--profile): false
D0130 11:50:36.088322       1 config.go:487] Config.ProfileBlock (--profile-block): (empty)
D0130 11:50:36.088333       1 config.go:487] Config.ProfileCPU (--profile-cpu): (empty)
D0130 11:50:36.088343       1 config.go:487] Config.ProfileGCInterval (--profile-gc-interval): 0s
D0130 11:50:36.088359       1 config.go:487] Config.ProfileHeap (--profile-heap): (empty)
D0130 11:50:36.088369       1 config.go:487] Config.ProfileMutex (--profile-mutex): (empty)
D0130 11:50:36.088379       1 config.go:487] Config.TraceFile (--trace): (empty)
D0130 11:50:36.088393       1 config.go:487] Config.NumNetworkChannels (--num-network-channels): 1
D0130 11:50:36.088404       1 config.go:487] Config.NetworkProcessorsPerChannel (--network-processors-per-channel): 0
D0130 11:50:36.088414       1 config.go:487] Config.Rootless (--rootless): false
D0130 11:50:36.088424       1 config.go:487] Config.AlsoLogToStderr (--alsologtostderr): false
D0130 11:50:36.088436       1 config.go:487] Config.ReferenceLeak (--ref-leak-mode): disabled
D0130 11:50:36.088447       1 config.go:487] Config.CPUNumFromQuota (--cpu-num-from-quota): true
D0130 11:50:36.088457       1 config.go:487] Config.AllowFlagOverride (--allow-flag-override): false
D0130 11:50:36.088466       1 config.go:487] Config.OCISeccomp (--oci-seccomp): false
D0130 11:50:36.088475       1 config.go:487] Config.IgnoreCgroups (--ignore-cgroups): false
D0130 11:50:36.088485       1 config.go:487] Config.SystemdCgroup (--systemd-cgroup): false
D0130 11:50:36.088496       1 config.go:487] Config.PodInitConfig (--pod-init-config): (empty)
D0130 11:50:36.088503       1 config.go:487] Config.BufferPooling (--buffer-pooling): true
D0130 11:50:36.088511       1 config.go:487] Config.XDP (--EXPERIMENTAL-xdp): {0 }
D0130 11:50:36.088520       1 config.go:487] Config.AFXDPUseNeedWakeup (--EXPERIMENTAL-xdp-need-wakeup): true
D0130 11:50:36.088528       1 config.go:487] Config.FDLimit (--fdlimit): -1
D0130 11:50:36.088535       1 config.go:487] Config.DCache (--dcache): -1
D0130 11:50:36.088544       1 config.go:487] Config.IOUring (--iouring): false
D0130 11:50:36.088554       1 config.go:487] Config.DirectFS (--directfs): true
D0130 11:50:36.088564       1 config.go:487] Config.AppHugePages (--app-huge-pages): true
D0130 11:50:36.088574       1 config.go:487] Config.NVProxy (--nvproxy): false
D0130 11:50:36.088583       1 config.go:487] Config.NVProxyDocker (--nvproxy-docker): false
D0130 11:50:36.088592       1 config.go:487] Config.NVProxyDriverVersion (--nvproxy-driver-version): (empty)
D0130 11:50:36.088609       1 config.go:487] Config.NVProxyAllowedDriverCapabilities (--nvproxy-allowed-driver-capabilities): utility,compute
D0130 11:50:36.088618       1 config.go:487] Config.TPUProxy (--tpuproxy): false
D0130 11:50:36.088630       1 config.go:487] Config.TestOnlyAllowRunAsCurrentUserWithoutChroot (--TESTONLY-unsafe-nonroot): false
D0130 11:50:36.088637       1 config.go:487] Config.TestOnlyTestNameEnv (--TESTONLY-test-name-env): (empty)
D0130 11:50:36.088645       1 config.go:487] Config.TestOnlyAFSSyscallPanic (--TESTONLY-afs-syscall-panic): false
D0130 11:50:36.088653       1 config.go:489] Config.explicitlySet: <map[string]struct {} Value> (unexported)
D0130 11:50:36.088661       1 config.go:487] Config.ReproduceNAT (--reproduce-nat): false
D0130 11:50:36.088669       1 config.go:487] Config.ReproduceNftables (--reproduce-nftables): false
D0130 11:50:36.088681       1 config.go:487] Config.NetDisconnectOk (--net-disconnect-ok): true
D0130 11:50:36.088689       1 config.go:487] Config.TestOnlyAutosaveImagePath (--TESTONLY-autosave-image-path): (empty)
D0130 11:50:36.088697       1 config.go:487] Config.TestOnlyAutosaveResume (--TESTONLY-autosave-resume): false
D0130 11:50:36.088704       1 config.go:487] Config.RestoreSpecValidation (--restore-spec-validation): enforce
D0130 11:50:36.088713       1 config.go:487] Config.GVisorMarkerFile (--gvisor-marker-file): false
D0130 11:50:36.088721       1 config.go:487] Config.SystrapDisableSyscallPatching (--systrap-disable-syscall-patching): true
D0130 11:50:36.088728       1 config.go:487] Config.SaveRestoreNetstack (--save-restore-netstack): true
D0130 11:50:36.088735       1 config.go:487] Config.Nftables (--TESTONLY-nftables): false
D0130 11:50:36.088742       1 config.go:487] Config.AllowSUID (--allow-suid): false
D0130 11:50:36.088752       1 cli.go:197] runsc process spawned at 11:50:36.086274, Go started execution at 11:50:36.087214. Startup overhead: 939.687µs
I0130 11:50:36.088767       1 cli.go:200] **************** gVisor ****************
I0130 11:50:36.089555       1 boot.go:283] Setting product_name: "Google Compute Engine"
I0130 11:50:36.089742       1 boot.go:294] Setting host-thp-shmem-enabled: "never"
I0130 11:50:36.089800       1 boot.go:304] Setting host-thp-defrag: "defer"
I0130 11:50:36.090725       1 chroot.go:162] Setting up sandbox chroot in "/tmp"
I0130 11:50:36.102251       1 chroot.go:37] Mounting "proc" at "/tmp/proc/sandbox-proc"
D0130 11:50:36.125546       1 specutils.go:114] Spec:
```

FUTURE_COPYBARA_INTEGRATE_REVIEW=#12567 from nt:claude/fix-turbine-orch-error-X0OIm d8c4fa8
PiperOrigin-RevId: 865007585
@copybara-service copybara-service bot merged commit f586013 into google:master Feb 6, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nybidari nybidari nybidari approved these changes

Assignees

No one assigned

Labels

ready to pull

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@nt @ayushr2 @nayana8 @nybidari