From: syzbot <syzbot+f50072212ab792c86925@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Read in sock_def_readable (2)
Date: Fri, 13 Mar 2026 12:02:02 -0700
Message-ID: <69b45f2a.a00a0220.3b25d1.0008.GAE@google.com>
In-Reply-To: <20260313184432.913-1-hdanton@sina.com>

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

lost connection to test machine



syzkaller login: qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0xfb000)
[   97.299132][   T10] cfg80211: failed to load regulatory.db
Warning: Permanently added '[localhost]:10854' (ED25519) to the list of known hosts.
2026/03/13 19:00:35 parsed 1 programs
[  105.586401][ T5314] cgroup: Unknown subsys name 'net'
[  105.643957][ T5314] cgroup: Unknown subsys name 'cpuset'
[  105.650699][ T5314] cgroup: Unknown subsys name 'rlimit'
[  143.372540][ T1314] ieee802154 phy0 wpan0: encryption failed: -22
[  143.376030][ T1314] ieee802154 phy1 wpan1: encryption failed: -22
[  156.189227][ T1011] ata1.00: exception Emask 0x0 SAct 0x4000 SErr 0x0 action 0x6 frozen
[  156.193435][ T1011] ata1.00: failed command: WRITE FPDMA QUEUED
[  156.196306][ T1011] ata1.00: cmd 61/d8:70:36:61:04/07:00:00:00:00/40 tag 14 ncq dma 1028096 ou
[  156.196306][ T1011]          res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[  156.205965][ T1011] ata1.00: status: { DRDY }
[  156.208393][ T1011] ata1: hard resetting link
[  156.531189][ T1011] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
[  156.536384][ T1011] ata1.00: configured for UDMA/100
[  156.539569][ T1011] ata1: EH complete
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x2bb000)
[  156.595084][ T1011] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[  156.598460][ T1011] ata1: failed to read log page 10h (errno=-5)
[  156.619268][ T1011] ata1.00: NCQ disabled due to excessive errors
[  156.622929][ T1011] ata1.00: exception Emask 0x1 SAct 0x1e00 SErr 0x0 action 0x0
[  156.627134][ T1011] ata1.00: irq_stat 0x41000008
[  156.639141][ T1011] ata1.00: failed command: WRITE FPDMA QUEUED
[  156.642238][ T1011] ata1.00: cmd 61/d8:48:86:a2:04/02:00:00:00:00/40 tag 9 ncq dma 372736 out
[  156.642238][ T1011]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[  156.679095][ T1011] ata1.00: status: { DRDY }
[  156.681893][ T1011] ata1.00: error: { ABRT }
[  156.684701][ T1011] ata1.00: failed command: WRITE FPDMA QUEUED
[  156.699416][ T1011] ata1.00: cmd 61/00:50:5e:a5:04/06:00:00:00:00/40 tag 10 ncq dma 786432 out
[  156.699416][ T1011]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[  156.707246][ T1011] ata1.00: status: { DRDY }
[  156.718658][ T1011] ata1.00: error: { ABRT }
[  156.720862][ T1011] ata1.00: failed command: WRITE FPDMA QUEUED
[  156.723709][ T1011] ata1.00: cmd 61/d8:58:5e:ab:04/15:00:00:00:00/40 tag 11 ncq dma 2863104 ou
[  156.723709][ T1011]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[  156.742964][ T1011] ata1.00: status: { DRDY }
[  156.745213][ T1011] ata1.00: error: { ABRT }
[  156.747285][ T1011] ata1.00: failed command: WRITE FPDMA QUEUED
[  156.750902][ T1011] ata1.00: cmd 61/00:60:36:c1:04/20:00:00:00:00/40 tag 12 ncq dma 4194304 ou
[  156.750902][ T1011]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[  156.760311][ T1011] ata1.00: status: { DRDY }
[  156.762534][ T1011] ata1.00: error: { ABRT }
[  156.766637][ T1011] ata1.00: configured for UDMA/100
[  156.770968][ T1011] ata1: EH complete
qemu-system-x86_64: hw/ide/core.c:934: ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
Connection to localhost closed by remote host.


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build649871866=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.26.0'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 7c9658af8505
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=7c9658af8505abccd5bf5890cc8a8e6d9826eaa0 -X github.com/google/syzkaller/prog.gitRevisionDate=20260223-092328"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=7c9658af8505abccd5bf5890cc8a8e6d9826eaa0 -X github.com/google/syzkaller/prog.gitRevisionDate=20260223-092328"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=7c9658af8505abccd5bf5890cc8a8e6d9826eaa0 -X github.com/google/syzkaller/prog.gitRevisionDate=20260223-092328"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"7c9658af8505abccd5bf5890cc8a8e6d9826eaa0\"
/usr/bin/ld: /tmp/ccZ4u7l4.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         65169048 Merge tag 'spi-fix-v7.0-rc2' of git://git.ker..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=c5c49ee0942d1cdb
dashboard link: https://syzkaller.appspot.com/bug?extid=f50072212ab792c86925
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16822776580000


Thread overview: 27+ messages
2026-03-08 13:42 [syzbot] [net?] KASAN: slab-use-after-free Read in sock_def_readable (2) syzbot
2026-03-09  4:56 ` Forwarded: [PATCH] atm: lec: fix use-after-free in send_to_lecd syzbot
2026-03-09  5:24 ` Forwarded: " syzbot
2026-03-09  6:28 ` Forwarded: [PATCH] atm: lec: fix use-after-free in sock_def_readable() syzbot
2026-03-09  7:02 ` syzbot
2026-03-09  7:53 ` syzbot
2026-03-09  8:21 ` syzbot
2026-03-09  9:20 ` [syzbot] [net?] KASAN: slab-use-after-free Read in sock_def_readable (2) Jiayuan Chen
2026-03-09  9:39   ` syzbot
2026-03-09 15:20 ` Forwarded: [PATCH] atm: lec: fix use-after-free in sock_def_readable() syzbot
2026-03-12  2:26 ` [syzbot] [net?] KASAN: slab-use-after-free Read in sock_def_readable (2) Hillf Danton
2026-03-12  2:46   ` syzbot
2026-03-12  6:35 ` Hillf Danton
2026-03-12  6:53   ` syzbot
2026-03-12  7:37 ` Hillf Danton
2026-03-12  7:57   ` syzbot
2026-03-12 22:02 ` Hillf Danton
2026-03-12 22:22   ` syzbot
2026-03-13 18:44 ` Hillf Danton
2026-03-13 19:02   ` syzbot [this message]
     [not found] <20260309045640.364653-1-kartikey406@gmail.com>
2026-03-09  5:15 ` syzbot
     [not found] <CADhLXY4mSD+SP_A3a+z=Fx_hHoAfbW11MJmnMxwE+z7+G4Cc7Q@mail.gmail.com>
2026-03-09  5:43 ` syzbot
     [not found] <20260309062812.435877-1-kartikey406@gmail.com>
2026-03-09  6:59 ` syzbot
     [not found] <20260309070203.436407-1-kartikey406@gmail.com>
2026-03-09  7:36 ` syzbot
     [not found] <20260309075327.437215-1-kartikey406@gmail.com>
2026-03-09  8:13 ` syzbot
     [not found] <20260309082148.437826-1-kartikey406@gmail.com>
2026-03-09  8:44 ` syzbot
     [not found] <20260309152037.506918-1-kartikey406@gmail.com>
2026-03-09 15:50 ` syzbot
