From: kernel test robot <oliver.sang@intel.com>
To: Kuniyuki Iwashima <kuniyu@google.com>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
Shakeel Butt <shakeel.butt@linux.dev>, <netdev@vger.kernel.org>,
<ltp@lists.linux.it>, Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
"Stanislav Fomichev" <sdf@fomichev.me>,
Johannes Weiner <hannes@cmpxchg.org>,
"Michal Hocko" <mhocko@kernel.org>,
Roman Gushchin <roman.gushchin@linux.dev>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Neal Cardwell <ncardwell@google.com>,
Willem de Bruijn <willemb@google.com>,
Mina Almasry <almasrymina@google.com>,
Kuniyuki Iwashima <kuniyu@google.com>,
"Kuniyuki Iwashima" <kuni1840@gmail.com>, <bpf@vger.kernel.org>,
<oliver.sang@intel.com>
Subject: Re: [PATCH v8 bpf-next/net 1/6] tcp: Save lock_sock() for memcg in inet_csk_accept().
Date: Wed, 17 Sep 2025 14:37:16 +0800
Message-ID: <202509171359.658ddb38-lkp@intel.com>
In-Reply-To: <20250910192057.1045711-2-kuniyu@google.com>
Hello,

kernel test robot noticed "BUG:KASAN:slab-out-of-bounds_in__inet_accept" on:

commit: d465aa09942825d93a377c3715c464e8f6827f13 ("[PATCH v8 bpf-next/net 1/6] tcp: Save lock_sock() for memcg in inet_csk_accept().")
url: https://github.com/intel-lab-lkp/linux/commits/Kuniyuki-Iwashima/tcp-Save-lock_sock-for-memcg-in-inet_csk_accept/20250911-032312
base: https://git.kernel.org/cgit/linux/kernel/git/bpf/bpf-next.git net
patch link: https://lore.kernel.org/all/20250910192057.1045711-2-kuniyu@google.com/
patch subject: [PATCH v8 bpf-next/net 1/6] tcp: Save lock_sock() for memcg in inet_csk_accept().

in testcase: ltp
version: ltp-x86_64-c6660a3e0-1_20250913
with following parameters:

	test: net.features

config: x86_64-rhel-9.4-ltp
compiler: gcc-14
test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4790T CPU @ 2.70GHz (Haswell) with 16G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202509171359.658ddb38-lkp@intel.com

The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250917/202509171359.658ddb38-lkp@intel.com

We saw many "BUG:KASAN:slab-out-of-bounds_in__inet_accept" issues in the dmesg
uploaded to the above link; below is just one example:

[ 468.984291][T30180] ==================================================================
[ 468.992753][T30180] BUG: KASAN: slab-out-of-bounds in __inet_accept+0x5c6/0x640
[ 469.000550][T30180] Read of size 1 at addr ffff88810df4ea20 by task netstress/30180
[ 469.008720][T30180]
[ 469.011389][T30180] CPU: 0 UID: 0 PID: 30180 Comm: netstress Not tainted 6.17.0-rc2-00437-gd465aa099428 #1 PREEMPT(voluntary)
[ 469.011393][T30180] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD5H/Z97X-UD5H, BIOS F9 04/21/2015
[ 469.011395][T30180] Call Trace:
[ 469.011396][T30180] <TASK>
[ 469.011398][T30180] dump_stack_lvl+0x47/0x70
[ 469.011403][T30180] print_address_description+0x88/0x320
[ 469.011408][T30180] ? __inet_accept+0x5c6/0x640
[ 469.011410][T30180] print_report+0x106/0x1f4
[ 469.011413][T30180] ? __inet_accept+0x5c6/0x640
[ 469.011415][T30180] ? __inet_accept+0x5c6/0x640
[ 469.011417][T30180] kasan_report+0xb5/0xf0
[ 469.011421][T30180] ? __inet_accept+0x5c6/0x640
[ 469.011424][T30180] __inet_accept+0x5c6/0x640
[ 469.011427][T30180] inet_accept+0xe2/0x170
[ 469.011430][T30180] do_accept+0x2e5/0x480
[ 469.011434][T30180] ? folio_xchg_last_cpupid+0xc5/0x130
[ 469.011437][T30180] ? __pfx_do_accept+0x10/0x10
[ 469.011441][T30180] ? _raw_spin_lock+0x80/0xe0
[ 469.011444][T30180] ? __pfx__raw_spin_lock+0x10/0x10
[ 469.011447][T30180] ? alloc_fd+0x266/0x410
[ 469.011451][T30180] __sys_accept4+0xc4/0x150
[ 469.011454][T30180] ? __pfx___sys_accept4+0x10/0x10
[ 469.011458][T30180] __x64_sys_accept+0x70/0xb0
[ 469.011461][T30180] do_syscall_64+0x7b/0x2c0
[ 469.011466][T30180] ? __pfx___handle_mm_fault+0x10/0x10
[ 469.011468][T30180] ? __pfx_css_rstat_updated+0x10/0x10
[ 469.011471][T30180] ? count_memcg_events+0x253/0x3f0
[ 469.011475][T30180] ? handle_mm_fault+0x382/0x6c0
[ 469.011478][T30180] ? do_user_addr_fault+0x820/0xd60
[ 469.011482][T30180] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 469.011485][T30180] RIP: 0033:0x7f9c169c4687
[ 469.011488][T30180] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[ 469.011490][T30180] RSP: 002b:00007ffff0036ac0 EFLAGS: 00000202 ORIG_RAX: 000000000000002b
[ 469.011494][T30180] RAX: ffffffffffffffda RBX: 00007f9c16932740 RCX: 00007f9c169c4687
[ 469.011496][T30180] RDX: 00007ffff0036b14 RSI: 00007ffff0036b20 RDI: 0000000000000006
[ 469.011498][T30180] RBP: 0000562f1b4e85a0 R08: 0000000000000000 R09: 0000000000000000
[ 469.011500][T30180] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff0036b18
[ 469.011501][T30180] R13: 00007ffff0036b20 R14: 00007ffff0036b14 R15: 0000562f1b4d3e5f
[ 469.011504][T30180] </TASK>
[ 469.011505][T30180]
[ 469.257645][T30180] The buggy address belongs to the object at ffff88810df4e800
[ 469.257645][T30180] which belongs to the cache SCTPv6 of size 1536
[ 469.271959][T30180] The buggy address is located 544 bytes inside of
[ 469.271959][T30180] allocated 1536-byte region [ffff88810df4e800, ffff88810df4ee00)
[ 469.286795][T30180]
[ 469.289353][T30180] The buggy address belongs to the physical page:
[ 469.296000][T30180] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10df48
[ 469.305055][T30180] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 469.313790][T30180] memcg:ffff888223ff8201
[ 469.318241][T30180] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
[ 469.326258][T30180] page_type: f5(slab)
[ 469.330466][T30180] raw: 0017ffffc0000040 ffff888101e08640 dead000000000122 0000000000000000
[ 469.339270][T30180] raw: 0000000000000000 0000000080130013 00000000f5000000 ffff888223ff8201
[ 469.348078][T30180] head: 0017ffffc0000040 ffff888101e08640 dead000000000122 0000000000000000
[ 469.356993][T30180] head: 0000000000000000 0000000080130013 00000000f5000000 ffff888223ff8201
[ 469.365914][T30180] head: 0017ffffc0000003 ffffea000437d201 00000000ffffffff 00000000ffffffff
[ 469.374851][T30180] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 469.383788][T30180] page dumped because: kasan: bad access detected
[ 469.390449][T30180]
[ 469.393031][T30180] Memory state around the buggy address:
[ 469.398939][T30180] ffff88810df4e900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 469.407261][T30180] ffff88810df4e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 469.415589][T30180] >ffff88810df4ea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 469.423933][T30180] ^
[ 469.429308][T30180] ffff88810df4ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 469.437670][T30180] ffff88810df4eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 469.446024][T30180] ==================================================================
[ 469.454415][T30180] Disabling lock debugging due to kernel taint
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki