From: syzbot <syzbot+f50072212ab792c86925@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Read in sock_def_readable (2)
Date: Sun, 08 Mar 2026 22:43:01 -0700 [thread overview]
Message-ID: <69ae5de5.a00a0220.b130.000a.GAE@google.com> (raw)
In-Reply-To: <CADhLXY4mSD+SP_A3a+z=Fx_hHoAfbW11MJmnMxwE+z7+G4Cc7Q@mail.gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in sock_def_readable
==================================================================
BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:381 [inline]
BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]
BUG: KASAN: slab-use-after-free in wq_has_sleeper include/linux/wait.h:161 [inline]
BUG: KASAN: slab-use-after-free in skwq_has_sleeper include/net/sock.h:2404 [inline]
BUG: KASAN: slab-use-after-free in sock_def_readable+0x1cb/0x580 net/core/sock.c:3610
Read of size 8 at addr ffff888011ead1c0 by task dhcpcd/5015
CPU: 0 UID: 0 PID: 5015 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
list_empty include/linux/list.h:381 [inline]
waitqueue_active include/linux/wait.h:127 [inline]
wq_has_sleeper include/linux/wait.h:161 [inline]
skwq_has_sleeper include/net/sock.h:2404 [inline]
sock_def_readable+0x1cb/0x580 net/core/sock.c:3610
send_to_lecd+0x353/0x690 net/atm/lec.c:539
lec_arp_resolve net/atm/lec.c:1792 [inline]
lec_start_xmit+0xec0/0x2660 net/atm/lec.c:285
__netdev_start_xmit include/linux/netdevice.h:5292 [inline]
netdev_start_xmit include/linux/netdevice.h:5301 [inline]
xmit_one net/core/dev.c:3871 [inline]
dev_hard_start_xmit+0x2d8/0x870 net/core/dev.c:3887
sch_direct_xmit+0x251/0x4c0 net/sched/sch_generic.c:347
__dev_xmit_skb net/core/dev.c:4186 [inline]
__dev_queue_xmit+0x1550/0x3890 net/core/dev.c:4802
lapb_data_transmit+0x90/0xb0 net/lapb/lapb_iface.c:447
lapb_transmit_buffer+0x163/0x200 net/lapb/lapb_out.c:149
lapb_establish_data_link+0x89/0xe0 net/lapb/lapb_out.c:-1
lapb_device_event+0x4e1/0x670 net/lapb/lapb_iface.c:-1
notifier_call_chain+0x1be/0x400 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
call_netdevice_notifiers net/core/dev.c:2301 [inline]
__dev_notify_flags+0x1a9/0x310 net/core/dev.c:9803
netif_change_flags+0xe8/0x1a0 net/core/dev.c:9832
dev_change_flags+0x130/0x260 net/core/dev_api.c:68
devinet_ioctl+0x9f2/0x1b30 net/ipv4/devinet.c:1199
inet_ioctl+0x42a/0x560 net/ipv4/af_inet.c:1009
sock_do_ioctl+0x101/0x320 net/socket.c:1254
sock_ioctl+0x5c6/0x7f0 net/socket.c:1375
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0bc372b378
Code: 00 00 48 8d 44 24 08 48 89 54 24 e0 48 89 44 24 c0 48 8d 44 24 d0 48 89 44 24 c8 b8 10 00 00 00 c7 44 24 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 07 89 d0 c3 0f 1f 40 00 48 8b 15 49 3a 0d
RSP: 002b:00007fff9b806dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000018 RCX: 00007f0bc372b378
RDX: 00007fff9b816fc0 RSI: 0000000000008914 RDI: 0000000000000018
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff9b827160
R13: 00007f0bc362b708 R14: 0000000000000028 R15: 0000000000008914
</TASK>
Allocated by task 5796:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4542 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
kmem_cache_alloc_lru_noprof+0x2b8/0x640 mm/slub.c:4888
sock_alloc_inode+0x28/0xc0 net/socket.c:322
alloc_inode+0x6a/0x1b0 fs/inode.c:347
new_inode_pseudo include/linux/fs.h:3003 [inline]
sock_alloc net/socket.c:637 [inline]
__sock_create+0x12d/0x9d0 net/socket.c:1569
sock_create net/socket.c:1663 [inline]
__sys_socket_create net/socket.c:1700 [inline]
__sys_socket+0xd6/0x1b0 net/socket.c:1747
__do_sys_socket net/socket.c:1761 [inline]
__se_sys_socket net/socket.c:1759 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1759
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 15:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2692 [inline]
slab_free mm/slub.c:6168 [inline]
kmem_cache_free+0x187/0x630 mm/slub.c:6298
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x870 kernel/softirq.c:622
run_ksoftirqd+0x36/0x60 kernel/softirq.c:1063
smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
__call_rcu_common kernel/rcu/tree.c:3131 [inline]
call_rcu+0xee/0x890 kernel/rcu/tree.c:3251
destroy_inode fs/inode.c:402 [inline]
evict+0x95b/0xb10 fs/inode.c:870
__dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
__fput+0x691/0xa70 fs/file_table.c:477
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888011ead140
which belongs to the cache sock_inode_cache of size 1344
The buggy address is located 128 bytes inside of
freed 1344-byte region [ffff888011ead140, ffff888011ead680)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11eac
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888043587181
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b7b0140 dead000000000100 dead000000000122
raw: 0000000000000000 00000008000b000b 00000000f5000000 ffff888043587181
head: 00fff00000000040 ffff88801b7b0140 dead000000000100 dead000000000122
head: 0000000000000000 00000008000b000b 00000000f5000000 ffff888043587181
head: 00fff00000000002 ffffea000047ab01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5302, tgid 5302 (sshd-session), ts 94001934717, free_ts 93590589059
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
prep_new_page mm/page_alloc.c:1897 [inline]
get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
alloc_slab_page mm/slub.c:3296 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3485
new_slab mm/slub.c:3543 [inline]
refill_objects+0x331/0x3c0 mm/slub.c:7178
__pcs_replace_empty_main+0x2f9/0x5e0 mm/slub.c:-1
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
kmem_cache_alloc_lru_noprof+0x37c/0x640 mm/slub.c:4888
sock_alloc_inode+0x28/0xc0 net/socket.c:322
alloc_inode+0x6a/0x1b0 fs/inode.c:347
new_inode_pseudo include/linux/fs.h:3003 [inline]
sock_alloc net/socket.c:637 [inline]
__sock_create+0x12d/0x9d0 net/socket.c:1569
sock_create net/socket.c:1663 [inline]
__sys_socket_create net/socket.c:1700 [inline]
__sys_socket+0xd6/0x1b0 net/socket.c:1747
__do_sys_socket net/socket.c:1761 [inline]
__se_sys_socket net/socket.c:1759 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1759
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5297 tgid 5297 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1433 [inline]
free_unref_folios+0xed5/0x16d0 mm/page_alloc.c:3040
folios_put_refs+0x789/0x8d0 mm/swap.c:1002
free_pages_and_swap_cache+0x2e7/0x5b0 mm/swap_state.c:423
__tlb_batch_free_encoded_pages mm/mmu_gather.c:138 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:151 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:398 [inline]
tlb_flush_mmu+0x6d3/0xa30 mm/mmu_gather.c:405
tlb_finish_mmu+0xf9/0x230 mm/mmu_gather.c:530
unmap_region+0x2a5/0x330 mm/vma.c:488
vms_clear_ptes mm/vma.c:1284 [inline]
vms_complete_munmap_vmas+0x493/0xc60 mm/vma.c:1326
do_vmi_align_munmap+0x3b7/0x4b0 mm/vma.c:1585
do_vmi_munmap+0x252/0x2d0 mm/vma.c:1633
__vm_munmap+0x22c/0x3d0 mm/vma.c:3254
__do_sys_munmap mm/mmap.c:1078 [inline]
__se_sys_munmap mm/mmap.c:1075 [inline]
__x64_sys_munmap+0x60/0x70 mm/mmap.c:1075
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888011ead080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888011ead100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888011ead180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888011ead200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888011ead280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 1f318b96 Linux 7.0-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=123f0d52580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c5c49ee0942d1cdb
dashboard link: https://syzkaller.appspot.com/bug?extid=f50072212ab792c86925
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=12d228ba580000
next parent reply other threads:[~2026-03-09 5:43 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CADhLXY4mSD+SP_A3a+z=Fx_hHoAfbW11MJmnMxwE+z7+G4Cc7Q@mail.gmail.com>
2026-03-09 5:43 ` syzbot [this message]
[not found] <20260309152037.506918-1-kartikey406@gmail.com>
2026-03-09 15:50 ` [syzbot] [net?] KASAN: slab-use-after-free Read in sock_def_readable (2) syzbot
[not found] <20260309082148.437826-1-kartikey406@gmail.com>
2026-03-09 8:44 ` syzbot
[not found] <20260309075327.437215-1-kartikey406@gmail.com>
2026-03-09 8:13 ` syzbot
[not found] <20260309070203.436407-1-kartikey406@gmail.com>
2026-03-09 7:36 ` syzbot
[not found] <20260309062812.435877-1-kartikey406@gmail.com>
2026-03-09 6:59 ` syzbot
[not found] <20260309045640.364653-1-kartikey406@gmail.com>
2026-03-09 5:15 ` syzbot
2026-03-08 13:42 syzbot
2026-03-09 9:20 ` Jiayuan Chen
2026-03-09 9:39 ` syzbot
2026-03-12 2:26 ` Hillf Danton
2026-03-12 2:46 ` syzbot
2026-03-12 6:35 ` Hillf Danton
2026-03-12 6:53 ` syzbot
2026-03-12 7:37 ` Hillf Danton
2026-03-12 7:57 ` syzbot
2026-03-12 22:02 ` Hillf Danton
2026-03-12 22:22 ` syzbot
2026-03-13 18:44 ` Hillf Danton
2026-03-13 19:02 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69ae5de5.a00a0220.b130.000a.GAE@google.com \
--to=syzbot+f50072212ab792c86925@syzkaller.appspotmail.com \
--cc=kartikey406@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.