From: syzbot <syzbot+431f9a9e3f5227fbb904@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] [bpf?] KASAN: slab-use-after-free Read in __sk_msg_recvmsg
Date: Wed, 01 Apr 2026 22:01:02 -0700
Message-ID: <69cdf80e.050a0220.182279.0001.GAE@google.com>
In-Reply-To: <20260402042844.31897-1-kartikey406@gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in inet_sock_destruct
------------[ cut here ]------------
sk->sk_forward_alloc
WARNING: net/ipv4/af_inet.c:162 at inet_sock_destruct+0x62d/0x740 net/ipv4/af_inet.c:162, CPU#0: swapper/0/0
Modules linked in:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
RIP: 0010:inet_sock_destruct+0x62d/0x740 net/ipv4/af_inet.c:162
Code: 0f 0b 90 e9 58 fe ff ff e8 50 dd 9e f7 90 0f 0b 90 e9 8b fe ff ff e8 42 dd 9e f7 90 0f 0b 90 e9 b1 fe ff ff e8 34 dd 9e f7 90 <0f> 0b 90 e9 d7 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 95 fc
RSP: 0018:ffffc90000007d48 EFLAGS: 00010246
RAX: ffffffff8a26d13c RBX: dffffc0000000000 RCX: ffffffff8e494ec0
RDX: 0000000000000100 RSI: 0000000000000090 RDI: 0000000000000000
RBP: 0000000000000090 R08: ffff88801d7bf9a7 R09: 1ffff11003af7f34
R10: dffffc0000000000 R11: ffffed1003af7f35 R12: ffff88801d7bf700
R13: dffffc0000000000 R14: ffff88801d7bf98c R15: ffffffff8fca6c00
FS: 0000000000000000(0000) GS:ffff888125457000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000e54c000 CR4: 00000000003526f0
Call Trace:
<IRQ>
__sk_destruct+0x85/0x880 net/core/sock.c:2350
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x870 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:63
Code: 2e 6d 02 c3 cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d e3 42 18 00 fb f4 <e9> fc e9 02 00 cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90
RSP: 0018:ffffffff8e407dc0 EFLAGS: 00000246
RAX: 0000000000104be1 RBX: ffffffff819a913a RCX: 0000000080000001
RDX: 0000000000000001 RSI: ffffffff8df2727a RDI: ffffffff8c27ca80
RBP: ffffffff8e407eb0 R08: ffff8880b863399b R09: 1ffff110170c6733
R10: dffffc0000000000 R11: ffffed10170c6734 R12: 0000000000000000
R13: 1ffffffff1c929d8 R14: 0000000000000000 R15: 1ffffffff1c929d8
arch_safe_halt arch/x86/kernel/process.c:766 [inline]
default_idle+0x9/0x20 arch/x86/kernel/process.c:767
default_idle_call+0x72/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:199 [inline]
do_idle+0x36a/0x5f0 kernel/sched/idle.c:352
cpu_startup_entry+0x43/0x60 kernel/sched/idle.c:451
rest_init+0x2de/0x300 init/main.c:760
start_kernel+0x385/0x3d0 init/main.c:1210
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x147
</TASK>
----------------
Code disassembly (best guess):
Tested on:
commit: cee10a01 net: macb: fix use of at91_default_usrio with..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=1664d4d2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=71d49d824b43a0d9
dashboard link: https://syzkaller.appspot.com/bug?extid=431f9a9e3f5227fbb904
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=176d65da580000