* Re: [PATCH] ipv6: udp: fix memory leak in udpv6_sendmsg error path
2026-04-22 10:58 [PATCH] ipv6: udp: fix memory leak in udpv6_sendmsg error path Mingyu Wang
@ 2026-04-22 11:55 ` Sabrina Dubroca
2026-04-22 15:04 ` Jakub Kicinski
2026-04-22 15:41 ` [syzbot ci] " syzbot ci
2 siblings, 0 replies; 4+ messages in thread
From: Sabrina Dubroca @ 2026-04-22 11:55 UTC (permalink / raw)
To: Mingyu Wang
Cc: willemdebruijn.kernel, davem, dsahern, edumazet, kuba, pabeni,
horms, netdev, linux-kernel
2026-04-22, 18:58:02 +0800, Mingyu Wang wrote:
> During fuzzing with failslab enabled, a memory leak was observed in the
> IPv6 UDP send path.
>
> When sending via the lockless fast path (!corkreq), udpv6_sendmsg()
> calls ip6_make_skb() and assumes that the routing entry (dst_entry)
> reference has been stolen by the callee. However, if ip6_make_skb()
> fails early (e.g., due to an ENOMEM from memory allocation failure),
> it returns an error pointer without consuming the dst reference.
Not in all cases? If ip6_setup_cork() fails, we call
ip6_cork_release() which will release the dst. The MSG_PROBE path also
releases the dst. __ip6_flush_pending_frames() also looks like it does
that.
> Since udpv6_sendmsg() unconditionally jumps to the 'out_no_dst' label,
> the unconsumed dst_entry is never released, resulting in a memory leak.
>
> Fix this by explicitly calling dst_release(dst) when ip6_make_skb()
> returns an error.
>
> Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
And this is missing a Fixes tag.
> net/ipv6/udp.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 15e032194ecc..b83ecfd729af 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1706,8 +1706,11 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
> dst_rt6_info(dst),
> msg->msg_flags, &cork);
> err = PTR_ERR(skb);
> - if (!IS_ERR_OR_NULL(skb))
> + if (!IS_ERR_OR_NULL(skb)) {
> err = udp_v6_send_skb(skb, fl6, &cork.base);
> + } else {
> + dst_release(dst);
> + }
> /* ip6_make_skb steals dst reference */
This comment becomes really confusing after your patch.
> goto out_no_dst;
> }
> --
> 2.34.1
>
>
--
Sabrina
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] ipv6: udp: fix memory leak in udpv6_sendmsg error path
2026-04-22 10:58 [PATCH] ipv6: udp: fix memory leak in udpv6_sendmsg error path Mingyu Wang
2026-04-22 11:55 ` Sabrina Dubroca
@ 2026-04-22 15:04 ` Jakub Kicinski
2026-04-22 15:41 ` [syzbot ci] " syzbot ci
2 siblings, 0 replies; 4+ messages in thread
From: Jakub Kicinski @ 2026-04-22 15:04 UTC (permalink / raw)
To: Mingyu Wang
Cc: willemdebruijn.kernel, davem, dsahern, edumazet, pabeni, horms,
netdev, linux-kernel
On Wed, 22 Apr 2026 18:58:02 +0800 Mingyu Wang wrote:
> During fuzzing with failslab enabled, a memory leak was observed in the
> IPv6 UDP send path.
>
> When sending via the lockless fast path (!corkreq), udpv6_sendmsg()
> calls ip6_make_skb() and assumes that the routing entry (dst_entry)
> reference has been stolen by the callee. However, if ip6_make_skb()
> fails early (e.g., due to an ENOMEM from memory allocation failure),
> it returns an error pointer without consuming the dst reference.
>
> Since udpv6_sendmsg() unconditionally jumps to the 'out_no_dst' label,
> the unconsumed dst_entry is never released, resulting in a memory leak.
>
> Fix this by explicitly calling dst_release(dst) when ip6_make_skb()
> returns an error.
Test this with cmsg_ip.sh on a debug-enabled kernel before you repost.
I think it causes crashes there.
--
pw-bot: cr
^ permalink raw reply [flat|nested] 4+ messages in thread
* [syzbot ci] Re: ipv6: udp: fix memory leak in udpv6_sendmsg error path
2026-04-22 10:58 [PATCH] ipv6: udp: fix memory leak in udpv6_sendmsg error path Mingyu Wang
2026-04-22 11:55 ` Sabrina Dubroca
2026-04-22 15:04 ` Jakub Kicinski
@ 2026-04-22 15:41 ` syzbot ci
2 siblings, 0 replies; 4+ messages in thread
From: syzbot ci @ 2026-04-22 15:41 UTC (permalink / raw)
To: 25181214217, davem, dsahern, edumazet, horms, kuba, linux-kernel,
netdev, pabeni, willemdebruijn.kernel
Cc: syzbot, syzkaller-bugs
syzbot ci has tested the following series
[v1] ipv6: udp: fix memory leak in udpv6_sendmsg error path
https://lore.kernel.org/all/20260422105802.486216-1-25181214217@stu.xidian.edu.cn
* [PATCH] ipv6: udp: fix memory leak in udpv6_sendmsg error path
and found the following issues:
* KASAN: slab-use-after-free Read in ip6_pol_route
* KASAN: slab-use-after-free Write in rcuref_put
* WARNING in rcuref_put_slowpath
Full report is available here:
https://ci.syzbot.org/series/2abb21f1-6f46-4f6f-a074-0051111986db
***
KASAN: slab-use-after-free Read in ip6_pol_route
tree: torvalds
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base: 6596a02b207886e9e00bb0161c7fd59fea53c081
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/ad85c1df-394a-471c-b2ea-0e168bab3b26/config
syz repro: https://ci.syzbot.org/findings/66d12b42-aa7a-4da1-b456-d18de1a54007/syz_repro
==================================================================
BUG: KASAN: slab-use-after-free in rt6_get_pcpu_route net/ipv6/route.c:1446 [inline]
BUG: KASAN: slab-use-after-free in ip6_pol_route+0x12b5/0x13d0 net/ipv6/route.c:2316
Read of size 4 at addr ffff88810e948518 by task syz.0.26/6002
CPU: 0 UID: 0 PID: 6002 Comm: syz.0.26 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
rt6_get_pcpu_route net/ipv6/route.c:1446 [inline]
ip6_pol_route+0x12b5/0x13d0 net/ipv6/route.c:2316
pol_lookup_func include/net/ip6_fib.h:667 [inline]
fib6_rule_lookup+0x222/0x730 net/ipv6/fib6_rules.c:123
ip6_route_output_flags_noref net/ipv6/route.c:2699 [inline]
ip6_route_output_flags+0x364/0x5d0 net/ipv6/route.c:2711
ip6_route_output include/net/ip6_route.h:100 [inline]
ip6_dst_lookup_tail+0x1c3/0x15a0 net/ipv6/ip6_output.c:1155
ip6_dst_lookup_flow+0x89/0x150 net/ipv6/ip6_output.c:1288
ip6_datagram_dst_update+0x73a/0xd20 net/ipv6/datagram.c:97
__ip6_datagram_connect+0xbd1/0x1150 net/ipv6/datagram.c:256
udpv6_connect+0x36/0x240 net/ipv6/udp.c:1297
__sys_connect_file net/socket.c:2148 [inline]
__sys_connect+0x312/0x450 net/socket.c:2167
__do_sys_connect net/socket.c:2173 [inline]
__se_sys_connect net/socket.c:2170 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2170
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f999eb9c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f999fa0a028 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f999ee15fa0 RCX: 00007f999eb9c819
RDX: 000000000000001c RSI: 00002000000002c0 RDI: 0000000000000003
RBP: 00007f999ec32c91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f999ee16038 R14: 00007f999ee15fa0 R15: 00007fff22f1ff88
</TASK>
Allocated by task 30:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4569 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4905
dst_alloc+0x105/0x170 net/core/dst.c:90
ip6_dst_alloc net/ipv6/route.c:342 [inline]
ip6_rt_pcpu_alloc net/ipv6/route.c:1419 [inline]
rt6_make_pcpu_route net/ipv6/route.c:1468 [inline]
ip6_pol_route+0xafb/0x13d0 net/ipv6/route.c:2319
pol_lookup_func include/net/ip6_fib.h:667 [inline]
fib6_rule_lookup+0x222/0x730 net/ipv6/fib6_rules.c:123
ip6_route_output_flags_noref net/ipv6/route.c:2699 [inline]
ip6_route_output_flags+0x364/0x5d0 net/ipv6/route.c:2711
ip6_route_output include/net/ip6_route.h:100 [inline]
ip6_dst_lookup_tail+0x1c3/0x15a0 net/ipv6/ip6_output.c:1155
ip6_dst_lookup_flow+0x89/0x150 net/ipv6/ip6_output.c:1288
send6+0x4dc/0x910 drivers/net/wireguard/socket.c:139
wg_socket_send_skb_to_peer+0x111/0x1d0 drivers/net/wireguard/socket.c:177
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x203/0x350 drivers/net/wireguard/send.c:51
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 23:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6246 [inline]
kmem_cache_free+0x182/0x650 mm/slub.c:6373
dst_destroy+0x235/0x350 net/core/dst.c:122
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x840 kernel/softirq.c:622
run_ksoftirqd+0x36/0x60 kernel/softirq.c:1076
smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
__call_rcu_common kernel/rcu/tree.c:3131 [inline]
call_rcu+0xee/0x890 kernel/rcu/tree.c:3251
inet_sock_destruct+0x564/0x740 net/ipv4/af_inet.c:165
__sk_destruct+0x8d/0x9d0 net/core/sock.c:2352
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x840 kernel/softirq.c:622
run_ksoftirqd+0x36/0x60 kernel/softirq.c:1076
smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff88810e948480
which belongs to the cache ip6_dst_cache of size 232
The buggy address is located 152 bytes inside of
freed 232-byte region [ffff88810e948480, ffff88810e948568)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e948
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88810e9480f9
flags: 0x17ff00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000040 ffff8881772f6c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000018000150015 00000000f5000000 ffff88810e9480f9
head: 017ff00000000040 ffff8881772f6c80 dead000000000100 dead000000000122
head: 0000000000000000 0000018000150015 00000000f5000000 ffff88810e9480f9
head: 017ff00000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5871, tgid 5871 (kworker/0:3), ts 86853962004, free_ts 86835725693
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x24ba/0x2540 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x339/0x3d0 mm/slub.c:7251
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x321/0x720 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
kmem_cache_alloc_noprof+0x37d/0x650 mm/slub.c:4905
dst_alloc+0x105/0x170 net/core/dst.c:90
ip6_dst_alloc net/ipv6/route.c:342 [inline]
ip6_rt_pcpu_alloc net/ipv6/route.c:1419 [inline]
rt6_make_pcpu_route net/ipv6/route.c:1468 [inline]
ip6_pol_route+0xafb/0x13d0 net/ipv6/route.c:2319
pol_lookup_func include/net/ip6_fib.h:667 [inline]
fib6_rule_lookup+0x556/0x730 net/ipv6/fib6_rules.c:123
ip6_route_input_lookup net/ipv6/route.c:2352 [inline]
ip6_route_input+0x730/0xad0 net/ipv6/route.c:2655
ip6_rcv_finish+0x141/0x280 net/ipv6/ip6_input.c:117
NF_HOOK+0x336/0x3c0 include/linux/netfilter.h:318
__netif_receive_skb_one_core net/core/dev.c:6209 [inline]
__netif_receive_skb net/core/dev.c:6322 [inline]
process_backlog+0x7dd/0x1950 net/core/dev.c:6673
__napi_poll+0xae/0x340 net/core/dev.c:7737
napi_poll net/core/dev.c:7800 [inline]
net_rx_action+0x627/0xf70 net/core/dev.c:7957
page last free pid 5871 tgid 5871 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0xbc7/0xd30 mm/page_alloc.c:2943
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x840 kernel/softirq.c:622
do_softirq+0x76/0xd0 kernel/softirq.c:523
__local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
__alloc_skb+0x1aa/0x7d0 net/core/skbuff.c:697
alloc_skb include/linux/skbuff.h:1383 [inline]
mld_newpack+0x14c/0xc90 net/ipv6/mcast.c:1775
add_grhead+0x5a/0x2a0 net/ipv6/mcast.c:1886
add_grec+0x1452/0x1740 net/ipv6/mcast.c:2025
mld_send_cr net/ipv6/mcast.c:2148 [inline]
mld_ifc_work+0x6e6/0xe70 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff88810e948400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88810e948480: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810e948500: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
^
ffff88810e948580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88810e948600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
***
KASAN: slab-use-after-free Write in rcuref_put
tree: torvalds
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base: 6596a02b207886e9e00bb0161c7fd59fea53c081
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/ad85c1df-394a-471c-b2ea-0e168bab3b26/config
syz repro: https://ci.syzbot.org/findings/3d5ef30a-8158-4bce-901b-48b8fcc50925/syz_repro
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
BUG: KASAN: slab-use-after-free in atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:326 [inline]
BUG: KASAN: slab-use-after-free in __rcuref_put include/linux/rcuref.h:109 [inline]
BUG: KASAN: slab-use-after-free in rcuref_put+0xf7/0x170 include/linux/rcuref.h:173
Write of size 4 at addr ffff8881130ec940 by task klogd/5265
CPU: 0 UID: 0 PID: 5265 Comm: klogd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:326 [inline]
__rcuref_put include/linux/rcuref.h:109 [inline]
rcuref_put+0xf7/0x170 include/linux/rcuref.h:173
dst_release+0x24/0x1b0 net/core/dst.c:168
inet_sock_destruct+0x564/0x740 net/ipv4/af_inet.c:165
__sk_destruct+0x8d/0x9d0 net/core/sock.c:2352
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x840 kernel/softirq.c:622
do_softirq+0x76/0xd0 kernel/softirq.c:523
</IRQ>
<TASK>
__local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
__alloc_skb+0x1aa/0x7d0 net/core/skbuff.c:697
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0xc8/0x760 net/core/skbuff.c:6734
sock_alloc_send_pskb+0x878/0x990 net/core/sock.c:2998
unix_dgram_sendmsg+0x460/0x18d0 net/unix/af_unix.c:2131
sock_sendmsg_nosec net/socket.c:787 [inline]
__sock_sendmsg net/socket.c:802 [inline]
__sys_sendto+0x672/0x710 net/socket.c:2265
__do_sys_sendto net/socket.c:2272 [inline]
__se_sys_sendto net/socket.c:2268 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2268
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2da31309b5
Code: 8b 44 24 08 48 83 c4 28 48 98 c3 48 98 c3 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 26 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 7a 48 8b 15 44 c4 0c 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fffcd483948 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f2da31309b5
RDX: 0000000000000071 RSI: 000055812f074f90 RDI: 0000000000000003
RBP: 000055812f070910 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000004000 R11: 0000000000000246 R12: 0000000000000013
R13: 00007f2da32be212 R14: 00007fffcd483a48 R15: 0000000000000000
</TASK>
Allocated by task 3571:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4569 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4905
dst_alloc+0x105/0x170 net/core/dst.c:90
ip6_dst_alloc net/ipv6/route.c:342 [inline]
ip6_rt_pcpu_alloc net/ipv6/route.c:1419 [inline]
rt6_make_pcpu_route net/ipv6/route.c:1468 [inline]
ip6_pol_route+0xafb/0x13d0 net/ipv6/route.c:2319
pol_lookup_func include/net/ip6_fib.h:667 [inline]
fib6_rule_lookup+0x222/0x730 net/ipv6/fib6_rules.c:123
ip6_route_output_flags_noref net/ipv6/route.c:2699 [inline]
ip6_route_output_flags+0x364/0x5d0 net/ipv6/route.c:2711
ip6_route_output include/net/ip6_route.h:100 [inline]
ip6_dst_lookup_tail+0x1c3/0x15a0 net/ipv6/ip6_output.c:1155
ip6_dst_lookup_flow+0x89/0x150 net/ipv6/ip6_output.c:1288
send6+0x4dc/0x910 drivers/net/wireguard/socket.c:139
wg_socket_send_skb_to_peer+0x111/0x1d0 drivers/net/wireguard/socket.c:177
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x203/0x350 drivers/net/wireguard/send.c:51
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 5265:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6246 [inline]
kmem_cache_free+0x182/0x650 mm/slub.c:6373
dst_destroy+0x235/0x350 net/core/dst.c:122
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x840 kernel/softirq.c:622
do_softirq+0x76/0xd0 kernel/softirq.c:523
__local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
__alloc_skb+0x1aa/0x7d0 net/core/skbuff.c:697
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0xc8/0x760 net/core/skbuff.c:6734
sock_alloc_send_pskb+0x878/0x990 net/core/sock.c:2998
unix_dgram_sendmsg+0x460/0x18d0 net/unix/af_unix.c:2131
sock_sendmsg_nosec net/socket.c:787 [inline]
__sock_sendmsg net/socket.c:802 [inline]
__sys_sendto+0x672/0x710 net/socket.c:2265
__do_sys_sendto net/socket.c:2272 [inline]
__se_sys_sendto net/socket.c:2268 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2268
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
__call_rcu_common kernel/rcu/tree.c:3131 [inline]
call_rcu+0xee/0x890 kernel/rcu/tree.c:3251
udpv6_sendmsg+0x1e9c/0x2690 net/ipv6/udp.c:1712
sock_sendmsg_nosec net/socket.c:787 [inline]
__sock_sendmsg net/socket.c:802 [inline]
____sys_sendmsg+0x5c7/0x9f0 net/socket.c:2698
___sys_sendmsg+0x2a5/0x360 net/socket.c:2752
__sys_sendmmsg+0x27c/0x4e0 net/socket.c:2841
__do_sys_sendmmsg net/socket.c:2868 [inline]
__se_sys_sendmmsg net/socket.c:2865 [inline]
__x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2865
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8881130ec900
which belongs to the cache ip6_dst_cache of size 232
The buggy address is located 64 bytes inside of
freed 232-byte region [ffff8881130ec900, ffff8881130ec9e8)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1130ec
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff8881130ec0f9
flags: 0x17ff00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000040 ffff888103f2c500 dead000000000100 dead000000000122
raw: 0000000000000000 0000018000150015 00000000f5000000 ffff8881130ec0f9
head: 017ff00000000040 ffff888103f2c500 dead000000000100 dead000000000122
head: 0000000000000000 0000018000150015 00000000f5000000 ffff8881130ec0f9
head: 017ff00000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 13, tgid 13 (kworker/u8:1), ts 74988667148, free_ts 74987085458
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x24ba/0x2540 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x339/0x3d0 mm/slub.c:7251
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x321/0x720 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
kmem_cache_alloc_noprof+0x37d/0x650 mm/slub.c:4905
dst_alloc+0x105/0x170 net/core/dst.c:90
ip6_dst_alloc net/ipv6/route.c:342 [inline]
icmp6_dst_alloc+0x75/0x440 net/ipv6/route.c:3337
ndisc_send_skb+0x44a/0x1670 net/ipv6/ndisc.c:491
ndisc_send_ns+0xd7/0x160 net/ipv6/ndisc.c:671
addrconf_dad_work+0xac4/0x14c0 net/ipv6/addrconf.c:4294
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
page last free pid 5952 tgid 5952 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0xbc7/0xd30 mm/page_alloc.c:2943
__slab_free+0x274/0x2c0 mm/slub.c:5608
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4569 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4905
alloc_empty_file+0x5b/0x1d0 fs/file_table.c:262
alloc_file fs/file_table.c:396 [inline]
alloc_file_pseudo+0x155/0x240 fs/file_table.c:425
sock_alloc_file+0xb8/0x2e0 net/socket.c:543
sock_map_fd net/socket.c:573 [inline]
__sys_socket+0x13c/0x1b0 net/socket.c:1815
__do_sys_socket net/socket.c:1820 [inline]
__se_sys_socket net/socket.c:1818 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1818
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8881130ec800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
ffff8881130ec880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881130ec900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881130ec980: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
ffff8881130eca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
***
WARNING in rcuref_put_slowpath
tree: torvalds
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base: 6596a02b207886e9e00bb0161c7fd59fea53c081
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/ad85c1df-394a-471c-b2ea-0e168bab3b26/config
syz repro: https://ci.syzbot.org/findings/e5d6936b-9f45-45fd-88ab-8e917a818ac4/syz_repro
------------[ cut here ]------------
rcuref - imbalanced put()
WARNING: lib/rcuref.c:266 at rcuref_put_slowpath+0x16e/0x1d0 lib/rcuref.c:266, CPU#0: udevd/5862
Modules linked in:
CPU: 0 UID: 0 PID: 5862 Comm: udevd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:rcuref_put_slowpath+0x16e/0x1d0 lib/rcuref.c:266
Code: c1 e8 03 42 0f b6 04 38 84 c0 75 48 c7 03 00 00 00 a0 31 c0 e9 6d ff ff ff e8 9e ef 06 07 e8 99 1c 14 fd 48 8d 3d 02 a8 8c 0b <67> 48 0f b9 3a 48 89 df be 04 00 00 00 e8 50 5a 7f fd 48 89 d8 48
RSP: 0018:ffffc90000007c20 EFLAGS: 00010246
RAX: ffffffff84b1b457 RBX: ffff88811617cac0 RCX: ffff8881706f1d80
RDX: 0000000000000100 RSI: 00000000dfffffff RDI: ffffffff903e5c60
RBP: ffffc90000007cb8 R08: ffff88811617cac3 R09: 1ffff11022c2f958
R10: dffffc0000000000 R11: ffffed1022c2f959 R12: 1ffff92000000f84
R13: ffff888116047a08 R14: 00000000dfffffff R15: dffffc0000000000
FS: 00007f0704ed8c80(0000) GS:ffff88818dc14000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f58f0b456b8 CR3: 000000016883c000 CR4: 00000000000006f0
Call Trace:
<IRQ>
__rcuref_put include/linux/rcuref.h:117 [inline]
rcuref_put+0x15b/0x170 include/linux/rcuref.h:173
dst_release+0x24/0x1b0 net/core/dst.c:168
inet_sock_destruct+0x564/0x740 net/ipv4/af_inet.c:165
__sk_destruct+0x8d/0x9d0 net/core/sock.c:2352
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x840 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xca/0x220 kernel/softirq.c:735
irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1061
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_acquire+0x221/0x350 kernel/locking/lockdep.c:5872
Code: ff ff ff e8 a1 d7 16 0a f7 44 24 08 00 02 00 00 0f 84 3a ff ff ff 65 48 8b 05 8b f2 9e 11 48 3b 44 24 58 75 33 fb 48 83 c4 60 <5b> 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 48 8d 3d 58 0a 95
RSP: 0018:ffffc900032075b0 EFLAGS: 00000282
RAX: 5df8ffef7d258800 RBX: 0000000000000000 RCX: 0000000000000046
RDX: 00000000c1e3b5cc RSI: ffffffff8e24e50c RDI: ffffffff8c289ee0
RBP: ffffffff81d5c3d6 R08: ffffffff81d5c3d6 R09: ffffffff8e95cce0
R10: ffffc900032076d8 R11: ffffffff81b105c0 R12: 0000000000000002
R13: ffffffff8e95cce0 R14: 0000000000000000 R15: 0000000000000246
rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
rcu_read_lock include/linux/rcupdate.h:838 [inline]
is_bpf_text_address+0x47/0x2b0 kernel/bpf/core.c:747
kernel_text_address+0xa5/0xe0 kernel/extable.c:125
__kernel_text_address+0xd/0x30 kernel/extable.c:79
unwind_get_return_address+0x4d/0x90 arch/x86/kernel/unwind_orc.c:385
arch_stack_walk+0xfb/0x150 arch/x86/kernel/stacktrace.c:26
stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6246 [inline]
kfree+0x1c5/0x640 mm/slub.c:6561
tomoyo_path_perm+0x403/0x560 security/tomoyo/file.c:847
security_inode_getattr+0x12b/0x310 security/security.c:1895
vfs_getattr fs/stat.c:259 [inline]
vfs_fstat fs/stat.c:281 [inline]
vfs_fstatat+0xb4/0x170 fs/stat.c:371
__do_sys_newfstatat fs/stat.c:538 [inline]
__se_sys_newfstatat fs/stat.c:532 [inline]
__x64_sys_newfstatat+0x151/0x200 fs/stat.c:532
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0704b165f4
Code: 64 c7 00 09 00 00 00 83 c8 ff c3 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 00 00 00 00 41 89 ca b8 06 01 00 00 0f 05 <45> 31 c0 3d 00 f0 ff ff 76 10 48 8b 15 03 a8 0d 00 f7 d8 41 83 c8
RSP: 002b:00007ffff3316628 EFLAGS: 00000206 ORIG_RAX: 0000000000000106
RAX: ffffffffffffffda RBX: 00007f0704bee460 RCX: 00007f0704b165f4
RDX: 00007ffff3316630 RSI: 00007f0704bb3130 RDI: 0000000000000009
RBP: 0000563dde263be0 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000001000 R11: 0000000000000206 R12: 0000000000000002
R13: 0000000000000002 R14: 0000563dde263be0 R15: 0000563db7af4ea6
</TASK>
----------------
Code disassembly (best guess):
0: c1 e8 03 shr $0x3,%eax
3: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax
8: 84 c0 test %al,%al
a: 75 48 jne 0x54
c: c7 03 00 00 00 a0 movl $0xa0000000,(%rbx)
12: 31 c0 xor %eax,%eax
14: e9 6d ff ff ff jmp 0xffffff86
19: e8 9e ef 06 07 call 0x706efbc
1e: e8 99 1c 14 fd call 0xfd141cbc
23: 48 8d 3d 02 a8 8c 0b lea 0xb8ca802(%rip),%rdi # 0xb8ca82c
* 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2f: 48 89 df mov %rbx,%rdi
32: be 04 00 00 00 mov $0x4,%esi
37: e8 50 5a 7f fd call 0xfd7f5a8c
3c: 48 89 d8 mov %rbx,%rax
3f: 48 rex.W
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.
To test a patch for this bug, please reply with `#syz test`
(should be on a separate line).
The patch should be attached to the email.
Note: arguments like custom git repos and branches are not supported.
^ permalink raw reply [flat|nested] 4+ messages in thread