From: syzbot <syzbot+f50072212ab792c86925@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Read in sock_def_readable (2)
Date: Mon, 09 Mar 2026 00:36:03 -0700
Message-ID: <69ae7863.a70a0220.52840.000f.GAE@google.com>
In-Reply-To: <20260309070203.436407-1-kartikey406@gmail.com>

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

lost connection to test machine



qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x400000)
Warning: Permanently added '[localhost]:8651' (ED25519) to the list of known hosts.
2026/03/09 07:34:15 parsed 1 programs
[   61.038498][ T5297] cgroup: Unknown subsys name 'net'
[   61.082207][ T5297] cgroup: Unknown subsys name 'cpuset'
[   61.085713][ T5297] cgroup: Unknown subsys name 'rlimit'
[   76.021725][ T1313] ieee802154 phy0 wpan0: encryption failed: -22
[   76.024057][ T1313] ieee802154 phy1 wpan1: encryption failed: -22
[   86.265587][ T1360] cfg80211: failed to load regulatory.db
[  118.279844][ T1009] ata1.00: exception Emask 0x0 SAct 0x4000 SErr 0x0 action 0x6 frozen
[  118.282758][ T1009] ata1.00: failed command: WRITE FPDMA QUEUED
[  118.284895][ T1009] ata1.00: cmd 61/00:70:36:81:04/20:00:00:00:00/40 tag 14 ncq dma 4194304 ou
[  118.284895][ T1009]          res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[  118.290867][ T1009] ata1.00: status: { DRDY }
[  118.292518][ T1009] ata1: hard resetting link
[  118.613228][ T1009] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
[  118.617551][ T1009] ata1.00: configured for UDMA/100
[  118.619916][ T1009] ata1: EH complete
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x400000)
[  118.640373][ T1009] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[  118.642754][ T1009] ata1: failed to read log page 10h (errno=-5)
[  118.645021][ T1009] ata1.00: exception Emask 0x1 SAct 0x7c SErr 0x0 action 0x0
[  118.647590][ T1009] ata1.00: irq_stat 0x41000000
[  118.649279][ T1009] ata1.00: failed command: WRITE FPDMA QUEUED
[  118.651718][ T1009] ata1.00: cmd 61/00:10:5e:12:05/20:00:00:00:00/40 tag 2 ncq dma 4194304 ou
[  118.651718][ T1009]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[  118.657603][ T1009] ata1.00: status: { DRDY }
[  118.659224][ T1009] ata1.00: error: { ABRT }
[  118.661112][ T1009] ata1.00: failed command: WRITE FPDMA QUEUED
[  118.663256][ T1009] ata1.00: cmd 61/d8:18:5e:32:05/0e:00:00:00:00/40 tag 3 ncq dma 1945600 ou
[  118.663256][ T1009]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[  118.669137][ T1009] ata1.00: status: { DRDY }
[  118.670973][ T1009] ata1.00: error: { ABRT }
[  118.672562][ T1009] ata1.00: failed command: WRITE FPDMA QUEUED
[  118.674666][ T1009] ata1.00: cmd 61/60:20:36:41:05/05:00:00:00:00/40 tag 4 ncq dma 704512 out
[  118.674666][ T1009]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[  118.680766][ T1009] ata1.00: status: { DRDY }
[  118.682372][ T1009] ata1.00: error: { ABRT }
[  118.683945][ T1009] ata1.00: failed command: WRITE FPDMA QUEUED
[  118.686052][ T1009] ata1.00: cmd 61/00:28:96:46:05/20:00:00:00:00/40 tag 5 ncq dma 4194304 ou
[  118.686052][ T1009]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[  118.692196][ T1009] ata1.00: status: { DRDY }
[  118.693803][ T1009] ata1.00: error: { ABRT }
[  118.695419][ T1009] ata1.00: failed command: WRITE FPDMA QUEUED
[  118.697514][ T1009] ata1.00: cmd 61/a0:30:96:66:05/1a:00:00:00:00/40 tag 6 ncq dma 3489792 ou
[  118.697514][ T1009]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[  118.703662][ T1009] ata1.00: status: { DRDY }
[  118.705269][ T1009] ata1.00: error: { ABRT }
[  118.707646][ T1009] ata1.00: configured for UDMA/100
[  118.710038][ T1009] ata1: EH complete
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x400000)
[  118.753868][ T1009] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[  118.756214][ T1009] ata1: failed to read log page 10h (errno=-5)
[  118.758355][ T1009] ata1.00: NCQ disabled due to excessive errors
[  118.770980][ T1009] ata1.00: exception Emask 0x1 SAct 0x1800 SErr 0x0 action 0x0
[  118.773616][ T1009] ata1.00: irq_stat 0x41000008
[  118.775342][ T1009] ata1.00: failed command: WRITE FPDMA QUEUED
[  118.777442][ T1009] ata1.00: cmd 61/00:58:36:81:04/20:00:00:00:00/40 tag 11 ncq dma 4194304 ou
[  118.777442][ T1009]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[  118.800358][ T1009] ata1.00: status: { DRDY }
[  118.802026][ T1009] ata1.00: error: { ABRT }
[  118.803601][ T1009] ata1.00: failed command: WRITE FPDMA QUEUED
[  118.805715][ T1009] ata1.00: cmd 61/00:60:5e:12:05/20:00:00:00:00/40 tag 12 ncq dma 4194304 ou
[  118.805715][ T1009]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[  118.815619][ T1009] ata1.00: status: { DRDY }
[  118.817308][ T1009] ata1.00: error: { ABRT }
[  118.819854][ T1009] ata1.00: configured for UDMA/100
[  118.821947][ T1009] ata1: EH complete
qemu-system-x86_64: hw/ide/core.c:934: ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
Connection to localhost closed by remote host.


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2930426070=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.26.0'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 7c9658af8505
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=7c9658af8505abccd5bf5890cc8a8e6d9826eaa0 -X github.com/google/syzkaller/prog.gitRevisionDate=20260223-092328"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=7c9658af8505abccd5bf5890cc8a8e6d9826eaa0 -X github.com/google/syzkaller/prog.gitRevisionDate=20260223-092328"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=7c9658af8505abccd5bf5890cc8a8e6d9826eaa0 -X github.com/google/syzkaller/prog.gitRevisionDate=20260223-092328"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"7c9658af8505abccd5bf5890cc8a8e6d9826eaa0\"
/usr/bin/ld: /tmp/cckeeX7G.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         1f318b96 Linux 7.0-rc3
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=c5c49ee0942d1cdb
dashboard link: https://syzkaller.appspot.com/bug?extid=f50072212ab792c86925
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15a98016580000

