Re: [PATCH net v2] net: ip: order the reuseport socket in __inet_hash

Re: [PATCH net v2] net: ip: order the reuseport socket in __inet_hash

[kernel test robot]

Hello,

kernel test robot noticed "BUG:KASAN:slab-use-after-free_in__inet_hash" on:

commit: 859ca60b71ef223e210d3d003a225d9ca70879fd ("[PATCH net v2] net: ip: order the reuseport socket in __inet_hash")
url: https://github.com/intel-lab-lkp/linux/commits/Menglong-Dong/net-ip-order-the-reuseport-socket-in-__inet_hash/20250801-171131
base: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git 01051012887329ea78eaca19b1d2eac4c9f601b5
patch link: https://lore.kernel.org/all/20250801090949.129941-1-dongml2@chinatelecom.cn/
patch subject: [PATCH net v2] net: ip: order the reuseport socket in __inet_hash

in testcase: ltp
version: ltp-x86_64-6505f9e29-1_20250802
with following parameters:

	disk: 1HDD
	fs: ext4
	test: fs_perms_simple



config: x86_64-rhel-9.4-ltp
compiler: gcc-12
test machine: 4 threads 1 sockets Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz (Ivy Bridge) with 8G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202508110750.a66a4225-lkp@intel.com


kern :err : [  128.186735] BUG: KASAN: slab-use-after-free in __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800) 
kern  :err   : [  128.186868] Read of size 2 at addr ffff8882125c5f10 by task isc-net-0001/3160

kern  :err   : [  128.187050] CPU: 2 UID: 108 PID: 3160 Comm: isc-net-0001 Tainted: G S                  6.16.0-06590-g859ca60b71ef #1 PREEMPT(voluntary)
kern  :err   : [  128.187056] Tainted: [S]=CPU_OUT_OF_SPEC
kern  :err   : [  128.187058] Hardware name: Hewlett-Packard p6-1451cx/2ADA, BIOS 8.15 02/05/2013
kern  :err   : [  128.187060] Call Trace:
kern  :err   : [  128.187063]  <TASK>
kern :err : [  128.187065] dump_stack_lvl (lib/dump_stack.c:123 (discriminator 1)) 
kern :err : [  128.187072] print_address_description+0x2c/0x390 
kern :err : [  128.187079] ? __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800) 
kern :err : [  128.187084] print_report (mm/kasan/report.c:483) 
kern :err : [  128.187088] ? kasan_addr_to_slab (mm/kasan/common.c:37) 
kern :err : [  128.187092] ? __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800) 
kern :err : [  128.187096] kasan_report (mm/kasan/report.c:597) 
kern :err : [  128.187101] ? __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800) 
kern :err : [  128.187106] __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800) 
kern :err : [  128.187111] inet_csk_listen_start (net/ipv4/inet_connection_sock.c:1356) 
kern :err : [  128.187115] __inet_listen_sk (net/ipv4/af_inet.c:219) 
kern :err : [  128.187120] ? __pfx___inet_listen_sk (net/ipv4/af_inet.c:192) 
kern :err : [  128.187123] ? _raw_spin_lock_bh (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178) 
kern :err : [  128.187128] ? __pfx__raw_spin_lock_bh (kernel/locking/spinlock.c:177) 
kern :err : [  128.187134] inet_listen (net/ipv4/af_inet.c:240) 
kern :err : [  128.187138] __sys_listen (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:1918) 
kern :err : [  128.187144] __x64_sys_listen (net/socket.c:1930) 
kern :err : [  128.187148] ? __x64_sys_getsockname (net/socket.c:2145) 
kern :err : [  128.187152] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
kern :err : [  128.187155] ? do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
kern :err : [  128.187159] ? do_sock_setsockopt (net/socket.c:2313) 
kern :err : [  128.187163] ? __x64_sys_bind (net/socket.c:1892) 
kern :err : [  128.187167] ? do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
kern :err : [  128.187169] ? alloc_fd (fs/file.c:612) 
kern :err : [  128.187174] ? fdget (include/linux/file.h:57 fs/file.c:1176 fs/file.c:1181) 
kern :err : [  128.187178] ? fput (arch/x86/include/asm/atomic64_64.h:79 include/linux/atomic/atomic-arch-fallback.h:2913 include/linux/atomic/atomic-arch-fallback.h:3364 include/linux/atomic/atomic-long.h:698 include/linux/atomic/atomic-instrumented.h:3767 include/linux/file_ref.h:157 fs/file_table.c:544) 
kern :err : [  128.187181] ? __sys_setsockopt (include/linux/file.h:63 include/linux/file.h:83 net/socket.c:2361) 
kern :err : [  128.187185] ? __x64_sys_setsockopt (net/socket.c:2372) 
kern :err : [  128.187188] ? do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
kern :err : [  128.187191] ? __x64_sys_openat (fs/open.c:1461) 
kern :err : [  128.187194] ? __pfx___x64_sys_openat (fs/open.c:1461) 
kern :err : [  128.187198] ? __x64_sys_setsockopt (net/socket.c:2372) 
kern :err : [  128.187201] ? count_memcg_events (arch/x86/include/asm/atomic.h:23 include/linux/atomic/atomic-arch-fallback.h:457 include/linux/atomic/atomic-instrumented.h:33 mm/memcontrol.c:560 mm/memcontrol.c:585 mm/memcontrol.c:564 mm/memcontrol.c:848) 
kern :err : [  128.187206] ? do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
kern :err : [  128.187209] ? handle_mm_fault (mm/memory.c:6272 mm/memory.c:6425) 
kern :err : [  128.187213] ? do_user_addr_fault (arch/x86/include/asm/atomic.h:93 include/linux/atomic/atomic-arch-fallback.h:949 include/linux/atomic/atomic-instrumented.h:401 include/linux/refcount.h:389 include/linux/refcount.h:432 include/linux/mmap_lock.h:142 include/linux/mmap_lock.h:237 arch/x86/mm/fault.c:1338) 
kern :err : [  128.187218] ? exc_page_fault (arch/x86/include/asm/irqflags.h:37 arch/x86/include/asm/irqflags.h:114 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532) 
kern :err : [  128.187223] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
kern  :err   : [  128.187227] RIP: 0033:0x7fe51b028897
kern :err : [ 128.187231] Code: f0 ff ff 77 06 c3 0f 1f 44 00 00 48 8b 15 61 75 0c 00 f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 32 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 75 0c 00 f7 d8 64 89 01 48
All code
========
   0:	f0 ff                	lock (bad)
   2:	ff 77 06             	push   0x6(%rdi)
   5:	c3                   	ret
   6:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   b:	48 8b 15 61 75 0c 00 	mov    0xc7561(%rip),%rdx        # 0xc7573
  12:	f7 d8                	neg    %eax
  14:	64 89 02             	mov    %eax,%fs:(%rdx)
  17:	b8 ff ff ff ff       	mov    $0xffffffff,%eax
  1c:	c3                   	ret
  1d:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
  23:	b8 32 00 00 00       	mov    $0x32,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	ret
  33:	48 8b 0d 39 75 0c 00 	mov    0xc7539(%rip),%rcx        # 0xc7573
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	ret
   9:	48 8b 0d 39 75 0c 00 	mov    0xc7539(%rip),%rcx        # 0xc7549
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W
kern  :err   : [  128.187235] RSP: 002b:00007fe5169fe0f8 EFLAGS: 00000217 ORIG_RAX: 0000000000000032
kern  :err   : [  128.187239] RAX: ffffffffffffffda RBX: 00007fe516a1d760 RCX: 00007fe51b028897
kern  :err   : [  128.187241] RDX: 0000000000000002 RSI: 000000000000000a RDI: 000000000000002c
kern  :err   : [  128.187243] RBP: 0000000000000000 R08: 0000000000008000 R09: 00000000ffffffff
kern  :err   : [  128.187245] R10: 00007fe5169fe024 R11: 0000000000000217 R12: 00007fe51bbd1d70
kern  :err   : [  128.187248] R13: 000000000000000a R14: 00007fe5182de000 R15: 00007fe516a1d5d0
kern  :err   : [  128.187252]  </TASK>

kern  :err   : [  128.192052] Allocated by task 2436:
kern :warn : [  128.192126] kasan_save_stack (mm/kasan/common.c:48) 
kern :warn : [  128.192209] kasan_save_track (arch/x86/include/asm/current.h:25 mm/kasan/common.c:60 mm/kasan/common.c:69) 
kern :warn : [  128.192289] __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) 
kern :warn : [  128.192373] kmem_cache_alloc_noprof (mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4204) 
kern :warn : [  128.192466] sk_prot_alloc (net/core/sock.c:2233 (discriminator 2)) 
kern :warn : [  128.192545] sk_alloc (net/core/sock.c:2295) 
kern :warn : [  128.192615] inet_create (net/ipv4/af_inet.c:1733 (discriminator 2)) 
kern :warn : [  128.192717] __sock_create (net/socket.c:1590) 
kern :warn : [  128.192796] __sys_socket (net/socket.c:1686 net/socket.c:1669 net/socket.c:1731) 
kern :warn : [  128.192874] __x64_sys_socket (net/socket.c:1743) 
kern :warn : [  128.192956] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
kern :warn : [  128.193034] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 

kern  :err   : [  128.193176] Freed by task 0:
kern :warn : [  128.193240] kasan_save_stack (mm/kasan/common.c:48) 
kern :warn : [  128.193321] kasan_save_track (arch/x86/include/asm/current.h:25 mm/kasan/common.c:60 mm/kasan/common.c:69) 
kern :warn : [  128.193401] kasan_save_free_info (mm/kasan/generic.c:579) 
kern :warn : [  128.193487] __kasan_slab_free (mm/kasan/common.c:271) 
kern :warn : [  128.193569] slab_free_after_rcu_debug (mm/slub.c:4693) 
kern :warn : [  128.193663] rcu_do_batch (arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2583) 
kern :warn : [  128.193740] rcu_core (kernel/rcu/tree.c:2834) 
kern :warn : [  128.193812] handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:580) 
kern :warn : [  128.193894] __irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680) 
kern :warn : [  128.193977] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 arch/x86/kernel/apic/apic.c:1050) 
kern :warn : [  128.194074] asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:574) 

kern  :err   : [  128.194217] Last potentially related work creation:
kern :warn : [  128.194312] kasan_save_stack (mm/kasan/common.c:48) 
kern :warn : [  128.194393] kasan_record_aux_stack (mm/kasan/generic.c:548) 
kern :warn : [  128.194481] kmem_cache_free (mm/slub.c:2344 mm/slub.c:4643 mm/slub.c:4745) 
kern :warn : [  128.194563] __sk_destruct (net/core/sock.c:2279 net/core/sock.c:2373) 
kern :warn : [  128.194642] rcu_do_batch (arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2583) 
kern :warn : [  128.194719] rcu_core (kernel/rcu/tree.c:2834) 
kern :warn : [  128.194791] handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:580) 
kern :warn : [  128.194873] __irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680) 
kern :warn : [  128.194955] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 arch/x86/kernel/apic/apic.c:1050) 
kern :warn : [  128.195052] asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:574) 

kern  :err   : [  128.195194] Second to last potentially related work creation:
kern :warn : [  128.195303] kasan_save_stack (mm/kasan/common.c:48) 
kern :warn : [  128.195383] kasan_record_aux_stack (mm/kasan/generic.c:548) 
kern :warn : [  128.195472] __call_rcu_common+0xc8/0x980 
kern :warn : [  128.195571] inet_release (net/ipv4/af_inet.c:436) 
kern :warn : [  128.195648] __sock_release (net/socket.c:650) 
kern :warn : [  128.195727] sock_close (net/socket.c:1441) 
kern :warn : [  128.195799] __fput (fs/file_table.c:468) 
kern :warn : [  128.195869] fput_close_sync (fs/file_table.c:571) 
kern :warn : [  128.195951] __x64_sys_close (fs/open.c:1590 fs/open.c:1572 fs/open.c:1572) 
kern :warn : [  128.196032] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
kern :warn : [  128.196109] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 

kern  :err   : [  128.196250] The buggy address belongs to the object at ffff8882125c5f00
which belongs to the cache TCP of size 2304
kern  :err   : [  128.196468] The buggy address is located 16 bytes inside of
freed 2304-byte region [ffff8882125c5f00, ffff8882125c6800)

kern  :err   : [  128.196733] The buggy address belongs to the physical page:
kern  :warn  : [  128.196839] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8882125c5580 pfn:0x2125c0
kern  :warn  : [  128.197008] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
kern  :warn  : [  128.197148] memcg:ffff888217e99e01
kern  :warn  : [  128.197221] anon flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
kern  :warn  : [  128.197358] page_type: f5(slab)
kern  :warn  : [  128.197429] raw: 0017ffffc0000040 ffff88810221c640 0000000000000000 0000000000000001


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250811/202508110750.a66a4225-lkp@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [LTP] [PATCH net v2] net: ip: order the reuseport socket in __inet_hash

[Wei Gao]

On Mon, Aug 11, 2025 at 01:27:12PM +0800, kernel test robot wrote:
> 
> 
> Hello,
> 
> kernel test robot noticed "BUG:KASAN:slab-use-after-free_in__inet_hash" on:
> 
> commit: 859ca60b71ef223e210d3d003a225d9ca70879fd ("[PATCH net v2] net: ip: order the reuseport socket in __inet_hash")
> url: https://github.com/intel-lab-lkp/linux/commits/Menglong-Dong/net-ip-order-the-reuseport-socket-in-__inet_hash/20250801-171131
> base: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git 01051012887329ea78eaca19b1d2eac4c9f601b5
> patch link: https://lore.kernel.org/all/20250801090949.129941-1-dongml2@chinatelecom.cn/
> patch subject: [PATCH net v2] net: ip: order the reuseport socket in __inet_hash
> 
> in testcase: ltp
> version: ltp-x86_64-6505f9e29-1_20250802
> with following parameters:
> 
> 	disk: 1HDD
> 	fs: ext4
> 	test: fs_perms_simple
> 
> 
> 
> config: x86_64-rhel-9.4-ltp
> compiler: gcc-12
> test machine: 4 threads 1 sockets Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz (Ivy Bridge) with 8G memory
> 
> (please refer to attached dmesg/kmsg for entire log/backtrace)
> 
> 
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202508110750.a66a4225-lkp@intel.com
> 
> 
> kern :err : [  128.186735] BUG: KASAN: slab-use-after-free in __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800) 

This kasan error not related with LTP case, i guess it triggered by network
related process such as bind etc. I try to give following patch to fix
kasan error, correct me if any mistake, thanks.

From: Wei Gao <wegao@suse.com>
Date: Sat, 16 Aug 2025 09:32:56 +0800
Subject: [PATCH v1] net: Fix BUG:KASAN:slab-use-after-free_in__inet_hash

Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202508110750.a66a4225-lkp@intel.com
Signed-off-by: Wei Gao <wegao@suse.com>
---
 include/linux/rculist_nulls.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/rculist_nulls.h b/include/linux/rculist_nulls.h
index da500f4ae142..5def9009c507 100644
--- a/include/linux/rculist_nulls.h
+++ b/include/linux/rculist_nulls.h
@@ -57,7 +57,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n)
  * @node: element of the list.
  */
 #define hlist_nulls_pprev_rcu(node) \
-       (*((struct hlist_nulls_node __rcu __force **)&(node)->pprev))
+       (*((struct hlist_nulls_node __rcu __force **)(node)->pprev))

 /**
  * hlist_nulls_del_rcu - deletes entry from hash list without re-initialization
@@ -175,7 +175,7 @@ static inline void hlist_nulls_add_before_rcu(struct hlist_nulls_node *n,
 {
        WRITE_ONCE(n->pprev, next->pprev);
        n->next = next;
-       rcu_assign_pointer(hlist_nulls_pprev_rcu(n), n);
+       rcu_assign_pointer(hlist_nulls_pprev_rcu(next), n);
        WRITE_ONCE(next->pprev, &n->next);
 }

--
2.43.0

Re: [LTP] [PATCH net v2] net: ip: order the reuseport socket in __inet_hash

[Kuniyuki Iwashima]

On Fri, Aug 15, 2025 at 7:18 PM Wei Gao <wegao@suse.com> wrote:
>
> On Mon, Aug 11, 2025 at 01:27:12PM +0800, kernel test robot wrote:
> >
> >
> > Hello,
> >
> > kernel test robot noticed "BUG:KASAN:slab-use-after-free_in__inet_hash" on:
> >
> > commit: 859ca60b71ef223e210d3d003a225d9ca70879fd ("[PATCH net v2] net: ip: order the reuseport socket in __inet_hash")
> > url: https://github.com/intel-lab-lkp/linux/commits/Menglong-Dong/net-ip-order-the-reuseport-socket-in-__inet_hash/20250801-171131
> > base: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git 01051012887329ea78eaca19b1d2eac4c9f601b5
> > patch link: https://lore.kernel.org/all/20250801090949.129941-1-dongml2@chinatelecom.cn/
> > patch subject: [PATCH net v2] net: ip: order the reuseport socket in __inet_hash
> >
> > in testcase: ltp
> > version: ltp-x86_64-6505f9e29-1_20250802
> > with following parameters:
> >
> >       disk: 1HDD
> >       fs: ext4
> >       test: fs_perms_simple
> >
> >
> >
> > config: x86_64-rhel-9.4-ltp
> > compiler: gcc-12
> > test machine: 4 threads 1 sockets Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz (Ivy Bridge) with 8G memory
> >
> > (please refer to attached dmesg/kmsg for entire log/backtrace)
> >
> >
> >
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <oliver.sang@intel.com>
> > | Closes: https://lore.kernel.org/oe-lkp/202508110750.a66a4225-lkp@intel.com
> >
> >
> > kern :err : [  128.186735] BUG: KASAN: slab-use-after-free in __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800)
>
> This kasan error not related with LTP case, i guess it triggered by network
> related process such as bind etc. I try to give following patch to fix
> kasan error, correct me if any mistake, thanks.

Note that the report was for the patch in the mailing list
and the patch was not applied to net-next.git nor net.git.


>
> From: Wei Gao <wegao@suse.com>
> Date: Sat, 16 Aug 2025 09:32:56 +0800
> Subject: [PATCH v1] net: Fix BUG:KASAN:slab-use-after-free_in__inet_hash
>
> Reported-by: kernel test robot <oliver.sang@intel.com>
> Closes: https://lore.kernel.org/oe-lkp/202508110750.a66a4225-lkp@intel.com
> Signed-off-by: Wei Gao <wegao@suse.com>
> ---
>  include/linux/rculist_nulls.h | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/rculist_nulls.h b/include/linux/rculist_nulls.h
> index da500f4ae142..5def9009c507 100644
> --- a/include/linux/rculist_nulls.h
> +++ b/include/linux/rculist_nulls.h
> @@ -57,7 +57,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n)
>   * @node: element of the list.
>   */
>  #define hlist_nulls_pprev_rcu(node) \
> -       (*((struct hlist_nulls_node __rcu __force **)&(node)->pprev))
> +       (*((struct hlist_nulls_node __rcu __force **)(node)->pprev))
>
>  /**
>   * hlist_nulls_del_rcu - deletes entry from hash list without re-initialization
> @@ -175,7 +175,7 @@ static inline void hlist_nulls_add_before_rcu(struct hlist_nulls_node *n,
>  {
>         WRITE_ONCE(n->pprev, next->pprev);
>         n->next = next;
> -       rcu_assign_pointer(hlist_nulls_pprev_rcu(n), n);
> +       rcu_assign_pointer(hlist_nulls_pprev_rcu(next), n);
>         WRITE_ONCE(next->pprev, &n->next);
>  }
>
> --
> 2.43.0
>

Re: [LTP] [PATCH net v2] net: ip: order the reuseport socket in __inet_hash

[Wei Gao]

On Fri, Aug 15, 2025 at 07:35:10PM -0700, Kuniyuki Iwashima wrote:
> On Fri, Aug 15, 2025 at 7:18 PM Wei Gao <wegao@suse.com> wrote:
> >
> > On Mon, Aug 11, 2025 at 01:27:12PM +0800, kernel test robot wrote:
> > >
> > >
> > > Hello,
> > >
> > > kernel test robot noticed "BUG:KASAN:slab-use-after-free_in__inet_hash" on:
> > >
> > > commit: 859ca60b71ef223e210d3d003a225d9ca70879fd ("[PATCH net v2] net: ip: order the reuseport socket in __inet_hash")
> > > url: https://github.com/intel-lab-lkp/linux/commits/Menglong-Dong/net-ip-order-the-reuseport-socket-in-__inet_hash/20250801-171131
> > > base: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git 01051012887329ea78eaca19b1d2eac4c9f601b5
> > > patch link: https://lore.kernel.org/all/20250801090949.129941-1-dongml2@chinatelecom.cn/
> > > patch subject: [PATCH net v2] net: ip: order the reuseport socket in __inet_hash
> > >
> > > in testcase: ltp
> > > version: ltp-x86_64-6505f9e29-1_20250802
> > > with following parameters:
> > >
> > >       disk: 1HDD
> > >       fs: ext4
> > >       test: fs_perms_simple
> > >
> > >
> > >
> > > config: x86_64-rhel-9.4-ltp
> > > compiler: gcc-12
> > > test machine: 4 threads 1 sockets Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz (Ivy Bridge) with 8G memory
> > >
> > > (please refer to attached dmesg/kmsg for entire log/backtrace)
> > >
> > >
> > >
> > > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > > the same patch/commit), kindly add following tags
> > > | Reported-by: kernel test robot <oliver.sang@intel.com>
> > > | Closes: https://lore.kernel.org/oe-lkp/202508110750.a66a4225-lkp@intel.com
> > >
> > >
> > > kern :err : [  128.186735] BUG: KASAN: slab-use-after-free in __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800)
> >
> > This kasan error not related with LTP case, i guess it triggered by network
> > related process such as bind etc. I try to give following patch to fix
> > kasan error, correct me if any mistake, thanks.
> 
> Note that the report was for the patch in the mailing list
> and the patch was not applied to net-next.git nor net.git.
Thanks for note. 
Since this email sent to LTP group so i got this. Since
i'm interested in this 'kasan' problem, so trying to fix it.
> 
> 
> >
> > From: Wei Gao <wegao@suse.com>
> > Date: Sat, 16 Aug 2025 09:32:56 +0800
> > Subject: [PATCH v1] net: Fix BUG:KASAN:slab-use-after-free_in__inet_hash
> >
> > Reported-by: kernel test robot <oliver.sang@intel.com>
> > Closes: https://lore.kernel.org/oe-lkp/202508110750.a66a4225-lkp@intel.com
> > Signed-off-by: Wei Gao <wegao@suse.com>
> > ---
> >  include/linux/rculist_nulls.h | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/linux/rculist_nulls.h b/include/linux/rculist_nulls.h
> > index da500f4ae142..5def9009c507 100644
> > --- a/include/linux/rculist_nulls.h
> > +++ b/include/linux/rculist_nulls.h
> > @@ -57,7 +57,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n)
> >   * @node: element of the list.
> >   */
> >  #define hlist_nulls_pprev_rcu(node) \
> > -       (*((struct hlist_nulls_node __rcu __force **)&(node)->pprev))
> > +       (*((struct hlist_nulls_node __rcu __force **)(node)->pprev))
> >
> >  /**
> >   * hlist_nulls_del_rcu - deletes entry from hash list without re-initialization
> > @@ -175,7 +175,7 @@ static inline void hlist_nulls_add_before_rcu(struct hlist_nulls_node *n,
> >  {
> >         WRITE_ONCE(n->pprev, next->pprev);
> >         n->next = next;
> > -       rcu_assign_pointer(hlist_nulls_pprev_rcu(n), n);
> > +       rcu_assign_pointer(hlist_nulls_pprev_rcu(next), n);
> >         WRITE_ONCE(next->pprev, &n->next);
> >  }
> >
> > --
> > 2.43.0
> >