[syzbot] [hams?] KASAN: slab-use-after-free Read in rose_new_lci

[syzbot] [hams?] KASAN: slab-use-after-free Read in rose_new_lci

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    d086c886ceb9 Add linux-next specific files for 20250718
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1517af22580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=69896dd7b8c4e81e
dashboard link: https://syzkaller.appspot.com/bug?extid=0fc08dad8f34563208d5
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1317af22580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/54504fbc2437/disk-d086c886.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b427b00abffe/vmlinux-d086c886.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5a87731b006b/bzImage-d086c886.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0fc08dad8f34563208d5@syzkaller.appspotmail.com

bpq0: left promiscuous mode
==================================================================
BUG: KASAN: slab-use-after-free in rose_new_lci+0x334/0x340 net/rose/af_rose.c:325
Read of size 1 at addr ffff88807776a431 by task syz.1.6214/19371

CPU: 0 UID: 0 PID: 19371 Comm: syz.1.6214 Not tainted 6.16.0-rc6-next-20250718-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 rose_new_lci+0x334/0x340 net/rose/af_rose.c:325
 rose_connect+0x463/0x10a0 net/rose/af_rose.c:823
 __sys_connect_file net/socket.c:2086 [inline]
 __sys_connect+0x313/0x440 net/socket.c:2105
 __do_sys_connect net/socket.c:2111 [inline]
 __se_sys_connect net/socket.c:2108 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2108
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f861738e9a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f861824d038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f86175b5fa0 RCX: 00007f861738e9a9
RDX: 0000000000000040 RSI: 0000200000000100 RDI: 0000000000000009
RBP: 00007f8617410d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f86175b5fa0 R15: 00007ffd84d12788
 </TASK>

Allocated by task 19371:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4396
 kmalloc_noprof include/linux/slab.h:905 [inline]
 rose_add_node+0x23a/0xde0 net/rose/rose_route.c:85
 rose_rt_ioctl+0xa48/0xfb0 net/rose/rose_route.c:740
 rose_ioctl+0x3ce/0x8b0 net/rose/af_rose.c:1380
 sock_do_ioctl+0xdc/0x300 net/socket.c:1238
 sock_ioctl+0x576/0x790 net/socket.c:1359
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:598 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:584
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 19376:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free mm/slub.c:4680 [inline]
 kfree+0x18e/0x440 mm/slub.c:4879
 rose_rt_device_down+0x473/0x4c0 net/rose/rose_route.c:515
 rose_device_event+0x603/0x6a0 net/rose/af_rose.c:248
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 __dev_notify_flags+0x18d/0x2e0 net/core/dev.c:-1
 netif_change_flags+0xe8/0x1a0 net/core/dev.c:9589
 dev_change_flags+0x130/0x260 net/core/dev_api.c:68
 dev_ioctl+0x7b4/0x1150 net/core/dev_ioctl.c:823
 sock_do_ioctl+0x22c/0x300 net/socket.c:1252
 sock_ioctl+0x576/0x790 net/socket.c:1359
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:598 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:584
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807776a400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 49 bytes inside of
 freed 512-byte region [ffff88807776a400, ffff88807776a600)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x77768
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a841c80 ffffea00017ded00 dead000000000002
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801a841c80 ffffea00017ded00 dead000000000002
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0001ddda01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 49, tgid 49 (kworker/u8:3), ts 110489602895, free_ts 110339344367
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2487 [inline]
 allocate_slab+0x8a/0x370 mm/slub.c:2655
 new_slab mm/slub.c:2709 [inline]
 ___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
 __slab_alloc mm/slub.c:3981 [inline]
 __slab_alloc_node mm/slub.c:4056 [inline]
 slab_alloc_node mm/slub.c:4217 [inline]
 __do_kmalloc_node mm/slub.c:4364 [inline]
 __kmalloc_noprof+0x305/0x4f0 mm/slub.c:4377
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3811
 ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3940
 addrconf_prefix_route net/ipv6/addrconf.c:2483 [inline]
 addrconf_add_linklocal+0x45f/0x6c0 net/ipv6/addrconf.c:3308
 addrconf_addr_gen+0x490/0x580 net/ipv6/addrconf.c:3437
 addrconf_init_auto_addrs+0x62d/0xa30 net/ipv6/addrconf.c:-1
 addrconf_notify+0xacc/0x1010 net/ipv6/addrconf.c:3735
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 netif_state_change+0x284/0x3a0 net/core/dev.c:1583
page last free pid 6066 tgid 6066 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 __slab_free+0x303/0x3c0 mm/slub.c:4591
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4180 [inline]
 slab_alloc_node mm/slub.c:4229 [inline]
 kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4236
 vm_area_alloc+0x24/0x140 mm/vma_init.c:31
 __mmap_new_vma mm/vma.c:2461 [inline]
 __mmap_region mm/vma.c:2669 [inline]
 mmap_region+0xdc7/0x20c0 mm/vma.c:2739
 do_mmap+0xc45/0x10d0 mm/mmap.c:558
 vm_mmap_pgoff+0x2a6/0x4d0 mm/util.c:579
 elf_map fs/binfmt_elf.c:384 [inline]
 elf_load+0x248/0x6c0 fs/binfmt_elf.c:407
 load_elf_binary+0x1079/0x2740 fs/binfmt_elf.c:1173
 search_binary_handler fs/exec.c:1670 [inline]
 exec_binprm fs/exec.c:1702 [inline]
 bprm_execve+0x99c/0x1450 fs/exec.c:1754
 do_execveat_common+0x510/0x6a0 fs/exec.c:1860
 do_execve fs/exec.c:1934 [inline]
 __do_sys_execve fs/exec.c:2010 [inline]
 __se_sys_execve fs/exec.c:2005 [inline]
 __x64_sys_execve+0x94/0xb0 fs/exec.c:2005
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94

Memory state around the buggy address:
 ffff88807776a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807776a380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807776a400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88807776a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807776a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_new_lci

[Hillf Danton]

> Date: Thu, 24 Jul 2025 02:38:33 -0700	[thread overview]
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    d086c886ceb9 Add linux-next specific files for 20250718
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1517af22580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=69896dd7b8c4e81e
> dashboard link: https://syzkaller.appspot.com/bug?extid=0fc08dad8f34563208d5
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1317af22580000

#syz test

--- x/include/net/rose.h
+++ y/include/net/rose.h
@@ -98,6 +98,7 @@ struct rose_neigh {
 	unsigned short		count;
 	unsigned short		use;
 	unsigned int		number;
+	atomic_t		ref;
 	char			restarted;
 	char			dce_mode;
 	char			loopback;
@@ -214,6 +215,7 @@ void rose_link_device_down(struct net_de
 struct net_device *rose_dev_first(void);
 struct net_device *rose_dev_get(rose_address *);
 struct rose_route *rose_route_free_lci(unsigned int, struct rose_neigh *);
+void rose_put_neigh(struct rose_neigh *);
 struct rose_neigh *rose_get_neigh(rose_address *, unsigned char *,
 				  unsigned char *, int);
 int rose_rt_ioctl(unsigned int, void __user *);
--- x/net/rose/af_rose.c
+++ y/net/rose/af_rose.c
@@ -171,6 +171,7 @@ void rose_kill_by_neigh(struct rose_neig
 		if (rose->neighbour == neigh) {
 			rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
 			rose->neighbour->use--;
+			rose_put_neigh(rose->neighbour);
 			rose->neighbour = NULL;
 		}
 	}
@@ -383,8 +384,10 @@ void rose_destroy_socket(struct sock *sk
 		timer_setup(&sk->sk_timer, rose_destroy_timer, 0);
 		sk->sk_timer.expires  = jiffies + 10 * HZ;
 		add_timer(&sk->sk_timer);
-	} else
+	} else {
+		rose_put_neigh(rose_sk(sk)->neighbour);
 		sock_put(sk);
+	}
 }
 
 /*
--- x/net/rose/rose_route.c
+++ y/net/rose/rose_route.c
@@ -97,6 +97,7 @@ static int __must_check rose_add_node(st
 		rose_neigh->dce_mode  = 0;
 		rose_neigh->loopback  = 0;
 		rose_neigh->number    = rose_neigh_no++;
+		atomic_set(&rose_neigh->ref, 1);
 		rose_neigh->restarted = 0;
 
 		skb_queue_head_init(&rose_neigh->queue);
@@ -237,7 +238,7 @@ static void rose_remove_neigh(struct ros
 		if (rose_neigh->ax25)
 			ax25_cb_put(rose_neigh->ax25);
 		kfree(rose_neigh->digipeat);
-		kfree(rose_neigh);
+		rose_put_neigh(rose_neigh);
 		return;
 	}
 
@@ -247,7 +248,7 @@ static void rose_remove_neigh(struct ros
 			if (rose_neigh->ax25)
 				ax25_cb_put(rose_neigh->ax25);
 			kfree(rose_neigh->digipeat);
-			kfree(rose_neigh);
+			rose_put_neigh(rose_neigh);
 			return;
 		}
 
@@ -265,8 +266,10 @@ static void rose_remove_route(struct ros
 	if (rose_route->neigh1 != NULL)
 		rose_route->neigh1->use--;
 
-	if (rose_route->neigh2 != NULL)
+	if (rose_route->neigh2 != NULL) {
 		rose_route->neigh2->use--;
+		rose_put_neigh(rose_route->neigh2);
+	}
 
 	if ((s = rose_route_list) == rose_route) {
 		rose_route_list = rose_route->next;
@@ -667,6 +670,11 @@ struct rose_route *rose_route_free_lci(u
 	return NULL;
 }
 
+void rose_put_neigh(struct rose_neigh *n)
+{
+	if (n && atomic_dec_and_test(&n->ref))
+		kfree(n);
+}
 /*
  *	Find a neighbour or a route given a ROSE address.
  */
@@ -712,6 +720,8 @@ struct rose_neigh *rose_get_neigh(rose_a
 	}
 
 out:
+	if (res)
+		atomic_inc(&res->ref);
 	if (!route_frame) spin_unlock_bh(&rose_node_list_lock);
 	return res;
 }
@@ -1061,6 +1071,7 @@ int rose_route_frame(struct sk_buff *skb
 	rose_route->neigh1    = rose_neigh;
 	rose_route->lci2      = new_lci;
 	rose_route->neigh2    = new_neigh;
+	new_neigh = NULL;
 
 	rose_route->neigh1->use++;
 	rose_route->neigh2->use++;
@@ -1076,6 +1087,8 @@ int rose_route_frame(struct sk_buff *skb
 	res = 1;
 
 out:
+	if (new_neigh)
+		rose_put_neigh(new_neigh);
 	spin_unlock_bh(&rose_route_list_lock);
 	spin_unlock_bh(&rose_neigh_list_lock);
 
--

Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_new_lci

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

time autogenerated kernel key: 411d18369abccd4be36dd14e96620bc309eb5008'
[   25.412267][    T1] zswap: loaded using pool 842/zsmalloc
[   25.421935][    T1] Demotion targets for Node 0: null
[   25.427682][    T1] Demotion targets for Node 1: null
[   25.433317][    T1] debug_vm_pgtable: [debug_vm_pgtable         ]: Validating architecture page table helpers
[   28.252798][    T1] Key type .fscrypt registered
[   28.257691][    T1] Key type fscrypt-provisioning registered
[   28.267169][    T1] kAFS: Red Hat AFS client v0.1 registering.
[   28.296016][    T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[   28.304390][    T1] Key type big_key registered
[   28.309206][    T1] Key type encrypted registered
[   28.314392][    T1] AppArmor: AppArmor sha256 policy hashing enabled
[   28.321182][    T1] ima: No TPM chip found, activating TPM-bypass!
[   28.327936][    T1] Loading compiled-in module X.509 certificates
[   28.354527][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: 411d18369abccd4be36dd14e96620bc309eb5008'
[   28.365562][    T1] ima: Allocated hash algorithm: sha256
[   28.371787][    T1] ima: No architecture policies found
[   28.379012][    T1] evm: Initialising EVM extended attributes:
[   28.385545][    T1] evm: security.selinux (disabled)
[   28.391065][    T1] evm: security.SMACK64 (disabled)
[   28.396482][    T1] evm: security.SMACK64EXEC (disabled)
[   28.401998][    T1] evm: security.SMACK64TRANSMUTE (disabled)
[   28.408073][    T1] evm: security.SMACK64MMAP (disabled)
[   28.413867][    T1] evm: security.apparmor
[   28.418143][    T1] evm: security.ima
[   28.422521][    T1] evm: security.capability
[   28.427059][    T1] evm: HMAC attrs: 0x1
[   28.434195][    T1] PM:   Magic number: 1:949:995
[   28.439749][    T1] net rose29: hash matches
[   28.444908][    T1] video4linux vbi18: hash matches
[   28.450516][    T1] usb usb45-port2: hash matches
[   28.455917][    T1] tty ttyd8: hash matches
[   28.460252][    T1] tty ttyab: hash matches
[   28.464866][    T1] memory memory38: hash matches
[   28.469977][    T1] netconsole: network logging started
[   28.476739][    T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[   28.489150][    T1] rdma_rxe: loaded
[   28.494456][    T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   28.505596][    T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   28.513895][    T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[   28.525102][    T1] clk: Disabling unused clocks
[   28.527624][    T9] faux_driver regulatory: Direct firmware load for regulatory.db failed with error -2
[   28.530137][    T1] ALSA device list:
[   28.540193][    T9] faux_driver regulatory: Falling back to sysfs fallback for: regulatory.db
[   28.544007][    T1]   #0: Dummy 1
[   28.556175][    T1]   #1: Loopback 1
[   28.559884][    T1]   #2: Virtual MIDI Card 1
[   28.568164][    T1] check access for rdinit=/init failed: -2, ignoring
[   28.575043][    T1] md: Waiting for all devices to be available before autodetect
[   28.582883][    T1] md: If you don't use raid, use raid=noautodetect
[   28.589636][    T1] md: Autodetecting RAID arrays.
[   28.594942][    T1] md: autorun ...
[   28.598571][    T1] md: ... autorun DONE.
[   28.750006][    T1] EXT4-fs (sda1): orphan cleanup on readonly fs
[   28.758280][    T1] EXT4-fs (sda1): mounted filesystem 4f91c6db-4997-4bb4-91b8-7e83a20c1bf1 ro with ordered data mode. Quota mode: none.
[   28.771327][    T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[   28.781669][    T1] devtmpfs: mounted
[   28.859632][    T1] Freeing unused kernel image (initmem) memory: 26452K
[   28.870416][    T1] Write protecting the kernel read-only data: 215040k
[   28.892858][    T1] Freeing unused kernel image (text/rodata gap) memory: 1720K
[   28.905960][    T1] Freeing unused kernel image (rodata/data gap) memory: 1368K
[   29.008924][    T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   29.017291][    T1] x86/mm: Checking user space page tables
[   29.103385][    T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   29.116866][    T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[   29.127235][    T1] Run /sbin/init as init process
[   29.672955][ T5182] mount (5182) used greatest stack depth: 24104 bytes left
[   29.718622][ T5183] EXT4-fs (sda1): re-mounted 4f91c6db-4997-4bb4-91b8-7e83a20c1bf1 r/w.
mount: mounting devtmpfs on /dev failed: Device or resource busy
mount: mounting smackfs on /sys/fs/smackfs failed: No such file or directory
mount: mounting selinuxfs on /sys/fs/selinux failed: No such file or directory
[   29.917588][ T5187] mount (5187) used greatest stack depth: 21768 bytes left
Starting syslogd: OK
Starting acpid: OK
Starting klogd: OK
Running sysctl: OK
Populating /dev using udev: [   31.260209][ T5217] udevd[5217]: starting version 3.2.14
[   31.564308][ T5218] udevd[5218]: starting eudev-3.2.14
[   31.572722][ T5217] udevd (5217) used greatest stack depth: 20200 bytes left
[   39.981780][ T5298] ------------[ cut here ]------------
[   39.987880][ T5298] AppArmor WARN apparmor_unix_stream_connect: ((({ typeof(*(new_ctx->label)) *__UNIQUE_ID_rcu2213 = (typeof(*(new_ctx->label)) *)({ do { __attribute__((__noreturn__)) extern void __compiletime_assert_2214(void) __attribute__((__error__("Unsupported access size for {READ,WRITE}_ONCE()."))); if (!((sizeof((new_ctx->label)) == sizeof(char) || sizeof((new_ctx->label)) == sizeof(short) || sizeof((new_ctx->label)) == sizeof(int) || sizeof((new_ctx->label)) == sizeof(long)) || sizeof((new_ctx->label)) == sizeof(long long))) __compiletime_assert_2214(); } while (0); (*(const volatile typeof( _Generic(((new_ctx->label)), char: (char)0, unsigned char: (unsigned char)0, signed char: (signed char)0, unsigned short: (unsigned short)0, signed short: (signed short)0, unsigned int: (unsigned int)0, signed int: (signed int)0, unsigned long: (unsigned long)0, signed long: (signed long)0, unsigned long long: (unsigned long long)0, signed long long: (signed long long)0, default: ((new_ctx->label)))) *)&((new_ctx->label))); }); ; 
[   39.988383][ T5298] WARNING: security/apparmor/lsm.c:1211 at apparmor_unix_stream_connect+0x5fa/0x650, CPU#1: udevadm/5298
[   40.093629][ T5298] Modules linked in:
[   40.097754][ T5298] CPU: 1 UID: 0 PID: 5298 Comm: udevadm Not tainted 6.16.0-rc7-next-20250724-syzkaller-g9ee814bd78e3-dirty #0 PREEMPT(full) 
[   40.110934][ T5298] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[   40.121356][ T5298] RIP: 0010:apparmor_unix_stream_connect+0x5fa/0x650
[   40.128151][ T5298] Code: 00 3b fd 48 89 ef e8 35 4d 00 00 e9 09 fe ff ff e8 bb 00 3b fd 90 48 c7 c7 80 33 fd 8b 48 c7 c6 31 52 c7 8d e8 f7 7f fe fc 90 <0f> 0b 90 90 e9 27 fe ff ff e8 98 00 3b fd be 02 00 00 00 eb 0a e8
[   40.147953][ T5298] RSP: 0018:ffffc90002ea7c38 EFLAGS: 00010246
[   40.154059][ T5298] RAX: cf750a2836ea2b00 RBX: 1ffff110060bf730 RCX: ffff888025c05a00
[   40.162334][ T5298] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[   40.170652][ T5298] RBP: ffff88801ba8f8f8 R08: ffff8880b8724253 R09: 1ffff110170e484a
[   40.178878][ T5298] R10: dffffc0000000000 R11: ffffed10170e484b R12: ffff8880305fb980
[   40.187005][ T5298] R13: 1ffff110061438f8 R14: 0000000000000000 R15: 000000000000002f
[   40.195124][ T5298] FS:  00007f3c0e04d880(0000) GS:ffff8881258a2000(0000) knlGS:0000000000000000
[   40.204276][ T5298] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   40.211158][ T5298] CR2: 00007f3c0d87ae00 CR3: 00000000272b4000 CR4: 00000000003526f0
[   40.219275][ T5298] Call Trace:
[   40.222564][ T5298]  <TASK>
[   40.225597][ T5298]  security_unix_stream_connect+0xcb/0x2c0
[   40.231517][ T5298]  unix_stream_connect+0x8fc/0x1010
[   40.236832][ T5298]  __sys_connect+0x316/0x440
[   40.241544][ T5298]  ? count_memcg_event_mm+0x21/0x260
[   40.246904][ T5298]  ? __pfx___sys_connect+0x10/0x10
[   40.252181][ T5298]  __x64_sys_connect+0x7a/0x90
[   40.257000][ T5298]  do_syscall_64+0xfa/0x3b0
[   40.261527][ T5298]  ? lockdep_hardirqs_on+0x9c/0x150
[   40.266888][ T5298]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   40.272978][ T5298]  ? clear_bhb_loop+0x60/0xb0
[   40.277772][ T5298]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   40.283684][ T5298] RIP: 0033:0x7f3c0d8a7407
[   40.288636][ T5298] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   40.309777][ T5298] RSP: 002b:00007fff5ce448e0 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
[   40.319130][ T5298] RAX: ffffffffffffffda RBX: 00007f3c0e04d880 RCX: 00007f3c0d8a7407
[   40.327724][ T5298] RDX: 0000000000000013 RSI: 000055c2ae585948 RDI: 0000000000000003
[   40.336911][ T5298] RBP: 000000000000001e R08: 0000000000000000 R09: 0000000000000000
[   40.345329][ T5298] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff5ce44940
[   40.353678][ T5298] R13: 0000000000000000 R14: 0000000000000007 R15: 0000000000000000
[   40.362476][ T5298]  </TASK>
[   40.366429][ T5298] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   40.373855][ T5298] CPU: 1 UID: 0 PID: 5298 Comm: udevadm Not tainted 6.16.0-rc7-next-20250724-syzkaller-g9ee814bd78e3-dirty #0 PREEMPT(full) 
[   40.387072][ T5298] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[   40.397386][ T5298] Call Trace:
[   40.400703][ T5298]  <TASK>
[   40.403622][ T5298]  dump_stack_lvl+0x99/0x250
[   40.408303][ T5298]  ? __asan_memcpy+0x40/0x70
[   40.412885][ T5298]  ? __pfx_dump_stack_lvl+0x10/0x10
[   40.418073][ T5298]  ? __pfx__printk+0x10/0x10
[   40.422681][ T5298]  vpanic+0x281/0x750
[   40.426738][ T5298]  ? __pfx__printk+0x10/0x10
[   40.431319][ T5298]  ? __pfx_vpanic+0x10/0x10
[   40.435807][ T5298]  ? is_bpf_text_address+0x292/0x2b0
[   40.441220][ T5298]  ? is_bpf_text_address+0x26/0x2b0
[   40.446734][ T5298]  panic+0xb9/0xc0
[   40.450573][ T5298]  ? __pfx_panic+0x10/0x10
[   40.455599][ T5298]  __warn+0x334/0x4c0
[   40.459567][ T5298]  ? apparmor_unix_stream_connect+0x5fa/0x650
[   40.465718][ T5298]  ? apparmor_unix_stream_connect+0x5fa/0x650
[   40.471790][ T5298]  report_bug+0x2be/0x4f0
[   40.476573][ T5298]  ? apparmor_unix_stream_connect+0x5fa/0x650
[   40.482630][ T5298]  ? apparmor_unix_stream_connect+0x5fa/0x650
[   40.488771][ T5298]  ? apparmor_unix_stream_connect+0x5fc/0x650
[   40.495061][ T5298]  handle_bug+0x84/0x160
[   40.499294][ T5298]  exc_invalid_op+0x1a/0x50
[   40.503832][ T5298]  asm_exc_invalid_op+0x1a/0x20
[   40.508675][ T5298] RIP: 0010:apparmor_unix_stream_connect+0x5fa/0x650
[   40.515337][ T5298] Code: 00 3b fd 48 89 ef e8 35 4d 00 00 e9 09 fe ff ff e8 bb 00 3b fd 90 48 c7 c7 80 33 fd 8b 48 c7 c6 31 52 c7 8d e8 f7 7f fe fc 90 <0f> 0b 90 90 e9 27 fe ff ff e8 98 00 3b fd be 02 00 00 00 eb 0a e8
[   40.535366][ T5298] RSP: 0018:ffffc90002ea7c38 EFLAGS: 00010246
[   40.541439][ T5298] RAX: cf750a2836ea2b00 RBX: 1ffff110060bf730 RCX: ffff888025c05a00
[   40.549422][ T5298] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[   40.557719][ T5298] RBP: ffff88801ba8f8f8 R08: ffff8880b8724253 R09: 1ffff110170e484a
[   40.565865][ T5298] R10: dffffc0000000000 R11: ffffed10170e484b R12: ffff8880305fb980
[   40.573915][ T5298] R13: 1ffff110061438f8 R14: 0000000000000000 R15: 000000000000002f
[   40.582336][ T5298]  ? apparmor_unix_stream_connect+0x5f9/0x650
[   40.588408][ T5298]  security_unix_stream_connect+0xcb/0x2c0
[   40.594232][ T5298]  unix_stream_connect+0x8fc/0x1010
[   40.599535][ T5298]  __sys_connect+0x316/0x440
[   40.604198][ T5298]  ? count_memcg_event_mm+0x21/0x260
[   40.609852][ T5298]  ? __pfx___sys_connect+0x10/0x10
[   40.615074][ T5298]  __x64_sys_connect+0x7a/0x90
[   40.619915][ T5298]  do_syscall_64+0xfa/0x3b0
[   40.624425][ T5298]  ? lockdep_hardirqs_on+0x9c/0x150
[   40.629702][ T5298]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   40.635763][ T5298]  ? clear_bhb_loop+0x60/0xb0
[   40.640550][ T5298]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   40.646442][ T5298] RIP: 0033:0x7f3c0d8a7407
[   40.650863][ T5298] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   40.670744][ T5298] RSP: 002b:00007fff5ce448e0 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
[   40.679610][ T5298] RAX: ffffffffffffffda RBX: 00007f3c0e04d880 RCX: 00007f3c0d8a7407
[   40.687939][ T5298] RDX: 0000000000000013 RSI: 000055c2ae585948 RDI: 0000000000000003
[   40.696264][ T5298] RBP: 000000000000001e R08: 0000000000000000 R09: 0000000000000000
[   40.704492][ T5298] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff5ce44940
[   40.712559][ T5298] R13: 0000000000000000 R14: 0000000000000007 R15: 0000000000000000
[   40.720633][ T5298]  </TASK>
[   40.724029][ T5298] Kernel Offset: disabled
[   40.728710][ T5298] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4223422955=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 85deaf45cc
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=85deaf45cc57320362fabb5ef83eb8cf413f4274 -X github.com/google/syzkaller/prog.gitRevisionDate=20250722-150712"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"85deaf45cc57320362fabb5ef83eb8cf413f4274\"
/usr/bin/ld: /tmp/ccImJGwk.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1574b0a2580000


Tested on:

commit:         9ee814bd Add linux-next specific files for 20250724
git tree:       linux-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=83210eaba5794b83
dashboard link: https://syzkaller.appspot.com/bug?extid=0fc08dad8f34563208d5
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17f1c0a2580000

Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_new_lci

[Hillf Danton]

> Date: Thu, 24 Jul 2025 02:38:33 -0700	[thread overview]
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    d086c886ceb9 Add linux-next specific files for 20250718
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1517af22580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=69896dd7b8c4e81e
> dashboard link: https://syzkaller.appspot.com/bug?extid=0fc08dad8f34563208d5
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1317af22580000

#syz test

--- x/include/net/rose.h
+++ y/include/net/rose.h
@@ -98,6 +98,7 @@ struct rose_neigh {
 	unsigned short		count;
 	unsigned short		use;
 	unsigned int		number;
+	atomic_t		ref;
 	char			restarted;
 	char			dce_mode;
 	char			loopback;
@@ -214,6 +215,7 @@ void rose_link_device_down(struct net_de
 struct net_device *rose_dev_first(void);
 struct net_device *rose_dev_get(rose_address *);
 struct rose_route *rose_route_free_lci(unsigned int, struct rose_neigh *);
+void rose_put_neigh(struct rose_neigh *);
 struct rose_neigh *rose_get_neigh(rose_address *, unsigned char *,
 				  unsigned char *, int);
 int rose_rt_ioctl(unsigned int, void __user *);
--- x/net/rose/af_rose.c
+++ y/net/rose/af_rose.c
@@ -171,6 +171,7 @@ void rose_kill_by_neigh(struct rose_neig
 		if (rose->neighbour == neigh) {
 			rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
 			rose->neighbour->use--;
+			rose_put_neigh(rose->neighbour);
 			rose->neighbour = NULL;
 		}
 	}
@@ -383,8 +384,10 @@ void rose_destroy_socket(struct sock *sk
 		timer_setup(&sk->sk_timer, rose_destroy_timer, 0);
 		sk->sk_timer.expires  = jiffies + 10 * HZ;
 		add_timer(&sk->sk_timer);
-	} else
+	} else {
+		rose_put_neigh(rose_sk(sk)->neighbour);
 		sock_put(sk);
+	}
 }
 
 /*
--- x/net/rose/rose_route.c
+++ y/net/rose/rose_route.c
@@ -97,6 +97,7 @@ static int __must_check rose_add_node(st
 		rose_neigh->dce_mode  = 0;
 		rose_neigh->loopback  = 0;
 		rose_neigh->number    = rose_neigh_no++;
+		atomic_set(&rose_neigh->ref, 1);
 		rose_neigh->restarted = 0;
 
 		skb_queue_head_init(&rose_neigh->queue);
@@ -237,7 +238,7 @@ static void rose_remove_neigh(struct ros
 		if (rose_neigh->ax25)
 			ax25_cb_put(rose_neigh->ax25);
 		kfree(rose_neigh->digipeat);
-		kfree(rose_neigh);
+		rose_put_neigh(rose_neigh);
 		return;
 	}
 
@@ -247,7 +248,7 @@ static void rose_remove_neigh(struct ros
 			if (rose_neigh->ax25)
 				ax25_cb_put(rose_neigh->ax25);
 			kfree(rose_neigh->digipeat);
-			kfree(rose_neigh);
+			rose_put_neigh(rose_neigh);
 			return;
 		}
 
@@ -265,8 +266,10 @@ static void rose_remove_route(struct ros
 	if (rose_route->neigh1 != NULL)
 		rose_route->neigh1->use--;
 
-	if (rose_route->neigh2 != NULL)
+	if (rose_route->neigh2 != NULL) {
 		rose_route->neigh2->use--;
+		rose_put_neigh(rose_route->neigh2);
+	}
 
 	if ((s = rose_route_list) == rose_route) {
 		rose_route_list = rose_route->next;
@@ -667,6 +670,11 @@ struct rose_route *rose_route_free_lci(u
 	return NULL;
 }
 
+void rose_put_neigh(struct rose_neigh *n)
+{
+	if (n && atomic_dec_and_test(&n->ref))
+		kfree(n);
+}
 /*
  *	Find a neighbour or a route given a ROSE address.
  */
@@ -712,6 +720,8 @@ struct rose_neigh *rose_get_neigh(rose_a
 	}
 
 out:
+	if (res)
+		atomic_inc(&res->ref);
 	if (!route_frame) spin_unlock_bh(&rose_node_list_lock);
 	return res;
 }
@@ -1061,6 +1071,7 @@ int rose_route_frame(struct sk_buff *skb
 	rose_route->neigh1    = rose_neigh;
 	rose_route->lci2      = new_lci;
 	rose_route->neigh2    = new_neigh;
+	new_neigh = NULL;
 
 	rose_route->neigh1->use++;
 	rose_route->neigh2->use++;
@@ -1076,6 +1087,8 @@ int rose_route_frame(struct sk_buff *skb
 	res = 1;
 
 out:
+	if (new_neigh)
+		rose_put_neigh(new_neigh);
 	spin_unlock_bh(&rose_route_list_lock);
 	spin_unlock_bh(&rose_neigh_list_lock);
 
--- x/net/unix/af_unix.c
+++ y/net/unix/af_unix.c
@@ -1750,12 +1750,6 @@ restart:
 		goto out_unlock;
 	}
 
-	err = security_unix_stream_connect(sk, other, newsk);
-	if (err) {
-		unix_state_unlock(sk);
-		goto out_unlock;
-	}
-
 	/* The way is open! Fastly set all the necessary fields... */
 
 	sock_hold(sk);
@@ -1804,6 +1798,11 @@ restart:
 	smp_mb__after_atomic();	/* sock_hold() does an atomic_inc() */
 	unix_peer(sk)	= newsk;
 
+	err = security_unix_stream_connect(sk, other, newsk);
+	if (err) {
+		unix_state_unlock(sk);
+		goto out_unlock;
+	}
 	unix_state_unlock(sk);
 
 	/* take ten and send info to listening sock */
--

Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_new_lci

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

ed kernel key: 9ece6e4dbdc04b5c1cbbfaba00b7dca934806a52'
[   32.312810][    T1] zswap: loaded using pool 842/zsmalloc
[   32.324717][    T1] Demotion targets for Node 0: null
[   32.330575][    T1] Demotion targets for Node 1: null
[   32.335881][    T1] debug_vm_pgtable: [debug_vm_pgtable         ]: Validating architecture page table helpers
[   35.693466][    T1] Key type .fscrypt registered
[   35.699267][    T1] Key type fscrypt-provisioning registered
[   35.711339][    T1] kAFS: Red Hat AFS client v0.1 registering.
[   35.748666][    T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[   35.758902][    T1] Key type big_key registered
[   35.764107][    T1] Key type encrypted registered
[   35.769924][    T1] AppArmor: AppArmor sha256 policy hashing enabled
[   35.777609][    T1] ima: No TPM chip found, activating TPM-bypass!
[   35.784293][    T1] Loading compiled-in module X.509 certificates
[   35.824583][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: 9ece6e4dbdc04b5c1cbbfaba00b7dca934806a52'
[   35.836683][    T1] ima: Allocated hash algorithm: sha256
[   35.843653][    T1] ima: No architecture policies found
[   35.850844][    T1] evm: Initialising EVM extended attributes:
[   35.857287][    T1] evm: security.selinux (disabled)
[   35.862772][    T1] evm: security.SMACK64 (disabled)
[   35.868535][    T1] evm: security.SMACK64EXEC (disabled)
[   35.874405][    T1] evm: security.SMACK64TRANSMUTE (disabled)
[   35.880994][    T1] evm: security.SMACK64MMAP (disabled)
[   35.887534][    T1] evm: security.apparmor
[   35.892048][    T1] evm: security.ima
[   35.896126][    T1] evm: security.capability
[   35.901126][    T1] evm: HMAC attrs: 0x1
[   35.908402][    T1] PM:   Magic number: 1:51:204
[   35.914541][    T1] video4linux video84: hash matches
[   35.920228][    T1] usb usb53-port3: hash matches
[   35.925732][    T1] tty ttyt2: hash matches
[   35.931143][    T1] netconsole: network logging started
[   35.940096][    T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[   35.955263][    T1] rdma_rxe: loaded
[   35.961839][    T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   35.976051][    T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   35.985947][    T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[   35.996554][    T1] clk: Disabling unused clocks
[   35.998201][   T43] faux_driver regulatory: Direct firmware load for regulatory.db failed with error -2
[   36.002101][    T1] ALSA device list:
[   36.016187][   T43] faux_driver regulatory: Falling back to sysfs fallback for: regulatory.db
[   36.016507][    T1]   #0: Dummy 1
[   36.029888][    T1]   #1: Loopback 1
[   36.033903][    T1]   #2: Virtual MIDI Card 1
[   36.043176][    T1] check access for rdinit=/init failed: -2, ignoring
[   36.050421][    T1] md: Waiting for all devices to be available before autodetect
[   36.059471][    T1] md: If you don't use raid, use raid=noautodetect
[   36.066354][    T1] md: Autodetecting RAID arrays.
[   36.071715][    T1] md: autorun ...
[   36.075839][    T1] md: ... autorun DONE.
[   36.248389][    T1] EXT4-fs (sda1): orphan cleanup on readonly fs
[   36.258318][    T1] EXT4-fs (sda1): mounted filesystem 4f91c6db-4997-4bb4-91b8-7e83a20c1bf1 ro with ordered data mode. Quota mode: none.
[   36.271871][    T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[   36.301101][    T1] devtmpfs: mounted
[   36.394643][    T1] Freeing unused kernel image (initmem) memory: 26452K
[   36.408071][    T1] Write protecting the kernel read-only data: 215040k
[   36.433709][    T1] Freeing unused kernel image (text/rodata gap) memory: 1720K
[   36.448517][    T1] Freeing unused kernel image (rodata/data gap) memory: 1368K
[   36.661640][    T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   36.670344][    T1] x86/mm: Checking user space page tables
[   36.853655][    T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   36.868256][    T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[   36.879031][    T1] Run /sbin/init as init process
[   37.400517][ T5182] mount (5182) used greatest stack depth: 24104 bytes left
[   37.482883][ T5183] EXT4-fs (sda1): re-mounted 4f91c6db-4997-4bb4-91b8-7e83a20c1bf1 r/w.
mount: mounting devtmpfs on /dev failed: Device or resource busy
mount: mounting smackfs on /sys/fs/smackfs failed: No such file or directory
mount: mounting selinuxfs on /sys/fs/selinux failed: No such file or directory
[   37.672016][ T5188] modprobe (5188) used greatest stack depth: 22264 bytes left
[   37.685646][ T5187] mount (5187) used greatest stack depth: 21768 bytes left
Starting syslogd: OK
Starting acpid: OK
Starting klogd: OK
Running sysctl: [   38.681051][ T5213] logger (5213) used greatest stack depth: 21704 bytes left
OK
Populating /dev using udev: [   39.012692][ T5217] udevd[5217]: starting version 3.2.14
[   39.312287][ T5218] udevd[5218]: starting eudev-3.2.14
[   39.322002][ T5217] udevd (5217) used greatest stack depth: 18824 bytes left
[   49.239305][ T5307] ------------[ cut here ]------------
[   49.246128][ T5307] AppArmor WARN apparmor_unix_stream_connect: ((({ typeof(*(new_ctx->label)) *__UNIQUE_ID_rcu2213 = (typeof(*(new_ctx->label)) *)({ do { __attribute__((__noreturn__)) extern void __compiletime_assert_2214(void) __attribute__((__error__("Unsupported access size for {READ,WRITE}_ONCE()."))); if (!((sizeof((new_ctx->label)) == sizeof(char) || sizeof((new_ctx->label)) == sizeof(short) || sizeof((new_ctx->label)) == sizeof(int) || sizeof((new_ctx->label)) == sizeof(long)) || sizeof((new_ctx->label)) == sizeof(long long))) __compiletime_assert_2214(); } while (0); (*(const volatile typeof( _Generic(((new_ctx->label)), char: (char)0, unsigned char: (unsigned char)0, signed char: (signed char)0, unsigned short: (unsigned short)0, signed short: (signed short)0, unsigned int: (unsigned int)0, signed int: (signed int)0, unsigned long: (unsigned long)0, signed long: (signed long)0, unsigned long long: (unsigned long long)0, signed long long: (signed long long)0, default: ((new_ctx->label)))) *)&((new_ctx->label))); }); ; 
[   49.247187][ T5307] WARNING: security/apparmor/lsm.c:1211 at apparmor_unix_stream_connect+0x5fa/0x650, CPU#1: udevadm/5307
[   49.364397][ T5307] Modules linked in:
[   49.369110][ T5307] CPU: 1 UID: 0 PID: 5307 Comm: udevadm Not tainted 6.16.0-rc7-next-20250724-syzkaller-g9ee814bd78e3-dirty #0 PREEMPT(full) 
[   49.383192][ T5307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[   49.393762][ T5307] RIP: 0010:apparmor_unix_stream_connect+0x5fa/0x650
[   49.400918][ T5307] Code: 00 3b fd 48 89 ef e8 35 4d 00 00 e9 09 fe ff ff e8 bb 00 3b fd 90 48 c7 c7 80 33 fd 8b 48 c7 c6 31 52 c7 8d e8 f7 7f fe fc 90 <0f> 0b 90 90 e9 27 fe ff ff e8 98 00 3b fd be 02 00 00 00 eb 0a e8
[   49.421322][ T5307] RSP: 0018:ffffc90002ea7c38 EFLAGS: 00010246
[   49.428021][ T5307] RAX: e44b99ab8cef2000 RBX: 1ffff11006365f58 RCX: ffff888025c38000
[   49.436750][ T5307] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[   49.445413][ T5307] RBP: ffff88801ba8f8f8 R08: ffff8880b8724253 R09: 1ffff110170e484a
[   49.453784][ T5307] R10: dffffc0000000000 R11: ffffed10170e484b R12: ffff888031b2fac0
[   49.462663][ T5307] R13: 1ffff1100bcfff70 R14: 0000000000000000 R15: 000000000000002f
[   49.471487][ T5307] FS:  00007f12d413d880(0000) GS:ffff8881258a2000(0000) knlGS:0000000000000000
[   49.480684][ T5307] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   49.487634][ T5307] CR2: 00007f12d3a7ae00 CR3: 000000005dcd8000 CR4: 00000000003526f0
[   49.496204][ T5307] Call Trace:
[   49.499687][ T5307]  <TASK>
[   49.502867][ T5307]  security_unix_stream_connect+0xcb/0x2c0
[   49.509574][ T5307]  unix_stream_connect+0xc57/0x1030
[   49.515768][ T5307]  __sys_connect+0x316/0x440
[   49.521045][ T5307]  ? count_memcg_event_mm+0x21/0x260
[   49.527164][ T5307]  ? __pfx___sys_connect+0x10/0x10
[   49.534369][ T5307]  __x64_sys_connect+0x7a/0x90
[   49.539881][ T5307]  do_syscall_64+0xfa/0x3b0
[   49.544628][ T5307]  ? lockdep_hardirqs_on+0x9c/0x150
[   49.550014][ T5307]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   49.556349][ T5307]  ? clear_bhb_loop+0x60/0xb0
[   49.561387][ T5307]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   49.568532][ T5307] RIP: 0033:0x7f12d3aa7407
[   49.573201][ T5307] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   49.594955][ T5307] RSP: 002b:00007ffe1593fa80 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
[   49.603833][ T5307] RAX: ffffffffffffffda RBX: 00007f12d413d880 RCX: 00007f12d3aa7407
[   49.612506][ T5307] RDX: 0000000000000013 RSI: 000055ce2bac2948 RDI: 0000000000000003
[   49.621046][ T5307] RBP: 000000000000001e R08: 0000000000000000 R09: 0000000000000000
[   49.629405][ T5307] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffe1593fae0
[   49.638437][ T5307] R13: 0000000000000000 R14: 0000000000000007 R15: 0000000000000000
[   49.647498][ T5307]  </TASK>
[   49.650564][ T5307] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   49.657982][ T5307] CPU: 1 UID: 0 PID: 5307 Comm: udevadm Not tainted 6.16.0-rc7-next-20250724-syzkaller-g9ee814bd78e3-dirty #0 PREEMPT(full) 
[   49.670964][ T5307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[   49.681493][ T5307] Call Trace:
[   49.685026][ T5307]  <TASK>
[   49.688100][ T5307]  dump_stack_lvl+0x99/0x250
[   49.692927][ T5307]  ? __asan_memcpy+0x40/0x70
[   49.697931][ T5307]  ? __pfx_dump_stack_lvl+0x10/0x10
[   49.703453][ T5307]  ? __pfx__printk+0x10/0x10
[   49.708160][ T5307]  vpanic+0x281/0x750
[   49.712205][ T5307]  ? __pfx__printk+0x10/0x10
[   49.717124][ T5307]  ? __pfx_vpanic+0x10/0x10
[   49.721690][ T5307]  ? is_bpf_text_address+0x292/0x2b0
[   49.727130][ T5307]  ? is_bpf_text_address+0x26/0x2b0
[   49.732566][ T5307]  panic+0xb9/0xc0
[   49.736352][ T5307]  ? __pfx_panic+0x10/0x10
[   49.740901][ T5307]  __warn+0x334/0x4c0
[   49.745033][ T5307]  ? apparmor_unix_stream_connect+0x5fa/0x650
[   49.751314][ T5307]  ? apparmor_unix_stream_connect+0x5fa/0x650
[   49.757676][ T5307]  report_bug+0x2be/0x4f0
[   49.762126][ T5307]  ? apparmor_unix_stream_connect+0x5fa/0x650
[   49.768310][ T5307]  ? apparmor_unix_stream_connect+0x5fa/0x650
[   49.774745][ T5307]  ? apparmor_unix_stream_connect+0x5fc/0x650
[   49.781261][ T5307]  handle_bug+0x84/0x160
[   49.785905][ T5307]  exc_invalid_op+0x1a/0x50
[   49.790709][ T5307]  asm_exc_invalid_op+0x1a/0x20
[   49.796020][ T5307] RIP: 0010:apparmor_unix_stream_connect+0x5fa/0x650
[   49.803687][ T5307] Code: 00 3b fd 48 89 ef e8 35 4d 00 00 e9 09 fe ff ff e8 bb 00 3b fd 90 48 c7 c7 80 33 fd 8b 48 c7 c6 31 52 c7 8d e8 f7 7f fe fc 90 <0f> 0b 90 90 e9 27 fe ff ff e8 98 00 3b fd be 02 00 00 00 eb 0a e8
[   49.824919][ T5307] RSP: 0018:ffffc90002ea7c38 EFLAGS: 00010246
[   49.831283][ T5307] RAX: e44b99ab8cef2000 RBX: 1ffff11006365f58 RCX: ffff888025c38000
[   49.839564][ T5307] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[   49.848147][ T5307] RBP: ffff88801ba8f8f8 R08: ffff8880b8724253 R09: 1ffff110170e484a
[   49.856684][ T5307] R10: dffffc0000000000 R11: ffffed10170e484b R12: ffff888031b2fac0
[   49.865820][ T5307] R13: 1ffff1100bcfff70 R14: 0000000000000000 R15: 000000000000002f
[   49.875259][ T5307]  ? apparmor_unix_stream_connect+0x5f9/0x650
[   49.881502][ T5307]  security_unix_stream_connect+0xcb/0x2c0
[   49.887795][ T5307]  unix_stream_connect+0xc57/0x1030
[   49.893751][ T5307]  __sys_connect+0x316/0x440
[   49.898486][ T5307]  ? count_memcg_event_mm+0x21/0x260
[   49.904618][ T5307]  ? __pfx___sys_connect+0x10/0x10
[   49.909963][ T5307]  __x64_sys_connect+0x7a/0x90
[   49.915011][ T5307]  do_syscall_64+0xfa/0x3b0
[   49.919636][ T5307]  ? lockdep_hardirqs_on+0x9c/0x150
[   49.924973][ T5307]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   49.931380][ T5307]  ? clear_bhb_loop+0x60/0xb0
[   49.936332][ T5307]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   49.942236][ T5307] RIP: 0033:0x7f12d3aa7407
[   49.946844][ T5307] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   49.967773][ T5307] RSP: 002b:00007ffe1593fa80 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
[   49.976926][ T5307] RAX: ffffffffffffffda RBX: 00007f12d413d880 RCX: 00007f12d3aa7407
[   49.985528][ T5307] RDX: 0000000000000013 RSI: 000055ce2bac2948 RDI: 0000000000000003
[   49.993550][ T5307] RBP: 000000000000001e R08: 0000000000000000 R09: 0000000000000000
[   50.001699][ T5307] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffe1593fae0
[   50.011078][ T5307] R13: 0000000000000000 R14: 0000000000000007 R15: 0000000000000000
[   50.019984][ T5307]  </TASK>
[   50.023826][ T5307] Kernel Offset: disabled
[   50.028304][ T5307] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2871270070=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 85deaf45cc
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=85deaf45cc57320362fabb5ef83eb8cf413f4274 -X github.com/google/syzkaller/prog.gitRevisionDate=20250722-150712"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"85deaf45cc57320362fabb5ef83eb8cf413f4274\"
/usr/bin/ld: /tmp/ccMQNojd.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=11d894f0580000


Tested on:

commit:         9ee814bd Add linux-next specific files for 20250724
git tree:       linux-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=83210eaba5794b83
dashboard link: https://syzkaller.appspot.com/bug?extid=0fc08dad8f34563208d5
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11c610a2580000

Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_new_lci

[Hillf Danton]

> Date: Thu, 24 Jul 2025 02:38:33 -0700	[thread overview]
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    d086c886ceb9 Add linux-next specific files for 20250718
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1517af22580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=69896dd7b8c4e81e
> dashboard link: https://syzkaller.appspot.com/bug?extid=0fc08dad8f34563208d5
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1317af22580000

#syz test

--- x/include/net/rose.h
+++ y/include/net/rose.h
@@ -98,6 +98,7 @@ struct rose_neigh {
 	unsigned short		count;
 	unsigned short		use;
 	unsigned int		number;
+	atomic_t		ref;
 	char			restarted;
 	char			dce_mode;
 	char			loopback;
@@ -214,6 +215,7 @@ void rose_link_device_down(struct net_de
 struct net_device *rose_dev_first(void);
 struct net_device *rose_dev_get(rose_address *);
 struct rose_route *rose_route_free_lci(unsigned int, struct rose_neigh *);
+void rose_put_neigh(struct rose_neigh *);
 struct rose_neigh *rose_get_neigh(rose_address *, unsigned char *,
 				  unsigned char *, int);
 int rose_rt_ioctl(unsigned int, void __user *);
--- x/net/rose/af_rose.c
+++ y/net/rose/af_rose.c
@@ -171,6 +171,7 @@ void rose_kill_by_neigh(struct rose_neig
 		if (rose->neighbour == neigh) {
 			rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
 			rose->neighbour->use--;
+			rose_put_neigh(rose->neighbour);
 			rose->neighbour = NULL;
 		}
 	}
@@ -383,8 +384,10 @@ void rose_destroy_socket(struct sock *sk
 		timer_setup(&sk->sk_timer, rose_destroy_timer, 0);
 		sk->sk_timer.expires  = jiffies + 10 * HZ;
 		add_timer(&sk->sk_timer);
-	} else
+	} else {
+		rose_put_neigh(rose_sk(sk)->neighbour);
 		sock_put(sk);
+	}
 }
 
 /*
--- x/net/rose/rose_route.c
+++ y/net/rose/rose_route.c
@@ -97,6 +97,7 @@ static int __must_check rose_add_node(st
 		rose_neigh->dce_mode  = 0;
 		rose_neigh->loopback  = 0;
 		rose_neigh->number    = rose_neigh_no++;
+		atomic_set(&rose_neigh->ref, 1);
 		rose_neigh->restarted = 0;
 
 		skb_queue_head_init(&rose_neigh->queue);
@@ -237,7 +238,7 @@ static void rose_remove_neigh(struct ros
 		if (rose_neigh->ax25)
 			ax25_cb_put(rose_neigh->ax25);
 		kfree(rose_neigh->digipeat);
-		kfree(rose_neigh);
+		rose_put_neigh(rose_neigh);
 		return;
 	}
 
@@ -247,7 +248,7 @@ static void rose_remove_neigh(struct ros
 			if (rose_neigh->ax25)
 				ax25_cb_put(rose_neigh->ax25);
 			kfree(rose_neigh->digipeat);
-			kfree(rose_neigh);
+			rose_put_neigh(rose_neigh);
 			return;
 		}
 
@@ -265,8 +266,10 @@ static void rose_remove_route(struct ros
 	if (rose_route->neigh1 != NULL)
 		rose_route->neigh1->use--;
 
-	if (rose_route->neigh2 != NULL)
+	if (rose_route->neigh2 != NULL) {
 		rose_route->neigh2->use--;
+		rose_put_neigh(rose_route->neigh2);
+	}
 
 	if ((s = rose_route_list) == rose_route) {
 		rose_route_list = rose_route->next;
@@ -667,6 +670,11 @@ struct rose_route *rose_route_free_lci(u
 	return NULL;
 }
 
+void rose_put_neigh(struct rose_neigh *n)
+{
+	if (n && atomic_dec_and_test(&n->ref))
+		kfree(n);
+}
 /*
  *	Find a neighbour or a route given a ROSE address.
  */
@@ -712,6 +720,8 @@ struct rose_neigh *rose_get_neigh(rose_a
 	}
 
 out:
+	if (res)
+		atomic_inc(&res->ref);
 	if (!route_frame) spin_unlock_bh(&rose_node_list_lock);
 	return res;
 }
@@ -1061,6 +1071,7 @@ int rose_route_frame(struct sk_buff *skb
 	rose_route->neigh1    = rose_neigh;
 	rose_route->lci2      = new_lci;
 	rose_route->neigh2    = new_neigh;
+	new_neigh = NULL;
 
 	rose_route->neigh1->use++;
 	rose_route->neigh2->use++;
@@ -1076,6 +1087,8 @@ int rose_route_frame(struct sk_buff *skb
 	res = 1;
 
 out:
+	if (new_neigh)
+		rose_put_neigh(new_neigh);
 	spin_unlock_bh(&rose_route_list_lock);
 	spin_unlock_bh(&rose_neigh_list_lock);
 
--- x/net/unix/af_unix.c
+++ y/net/unix/af_unix.c
@@ -1750,12 +1750,6 @@ restart:
 		goto out_unlock;
 	}
 
-	err = security_unix_stream_connect(sk, other, newsk);
-	if (err) {
-		unix_state_unlock(sk);
-		goto out_unlock;
-	}
-
 	/* The way is open! Fastly set all the necessary fields... */
 
 	sock_hold(sk);
--

Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_new_lci

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+0fc08dad8f34563208d5@syzkaller.appspotmail.com
Tested-by: syzbot+0fc08dad8f34563208d5@syzkaller.appspotmail.com

Tested on:

commit:         9ee814bd Add linux-next specific files for 20250724
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=126494f0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=83210eaba5794b83
dashboard link: https://syzkaller.appspot.com/bug?extid=0fc08dad8f34563208d5
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17e1bb82580000

Note: testing is done by a robot and is best-effort only.