From: syzbot <syzbot+431f9a9e3f5227fbb904@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] [bpf?] KASAN: slab-use-after-free Read in __sk_msg_recvmsg
Date: Wed, 01 Apr 2026 20:39:02 -0700
Message-ID: <69cde4d6.050a0220.25c253.047b.GAE@google.com>
In-Reply-To: <20260402021644.30008-1-kartikey406@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in inet_sock_destruct

------------[ cut here ]------------
sk->sk_forward_alloc
WARNING: net/ipv4/af_inet.c:162 at inet_sock_destruct+0x62d/0x740 net/ipv4/af_inet.c:162, CPU#1: ksoftirqd/1/23
Modules linked in:
CPU: 1 UID: 0 PID: 23 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
RIP: 0010:inet_sock_destruct+0x62d/0x740 net/ipv4/af_inet.c:162
Code: 0f 0b 90 e9 58 fe ff ff e8 50 dd 9e f7 90 0f 0b 90 e9 8b fe ff ff e8 42 dd 9e f7 90 0f 0b 90 e9 b1 fe ff ff e8 34 dd 9e f7 90 <0f> 0b 90 e9 d7 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 95 fc
RSP: 0018:ffffc900001d7ae8 EFLAGS: 00010246
RAX: ffffffff8a26d13c RBX: dffffc0000000000 RCX: ffff88801daf8000
RDX: 0000000000000100 RSI: 0000000000000090 RDI: 0000000000000000
RBP: 0000000000000090 R08: ffff88801bffcf27 R09: 1ffff110037ff9e4
R10: dffffc0000000000 R11: ffffed10037ff9e5 R12: ffff88801bffcc80
R13: dffffc0000000000 R14: ffff88801bffcf0c R15: ffffffff8fca6c00
FS:  0000000000000000(0000) GS:ffff888125557000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdb873e9f00 CR3: 000000000e54c000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __sk_destruct+0x85/0x880 net/core/sock.c:2350
 rcu_do_batch kernel/rcu/tree.c:2617 [inline]
 rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 run_ksoftirqd+0x36/0x60 kernel/softirq.c:1063
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>


Tested on:

commit:         a77fb1ac Octeontx2-af: add WQ_PERCPU to alloc_workqueu..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=137ed5da580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=71d49d824b43a0d9
dashboard link: https://syzkaller.appspot.com/bug?extid=431f9a9e3f5227fbb904
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=143bf0f2580000

