Message-ID: <202508110750.a66a4225-lkp@intel.com>
Date: Mon, 11 Aug 2025 13:27:12 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Menglong Dong <menglong8.dong@...il.com>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, Menglong Dong
<dongml2@...natelecom.cn>, <rcu@...r.kernel.org>, <netdev@...r.kernel.org>,
<ltp@...ts.linux.it>, <edumazet@...gle.com>, <kuniyu@...gle.com>,
<kraig@...gle.com>, <ncardwell@...gle.com>, <davem@...emloft.net>,
<dsahern@...nel.org>, <kuba@...nel.org>, <pabeni@...hat.com>,
<horms@...nel.org>, <linux-kernel@...r.kernel.org>, <oliver.sang@...el.com>
Subject: Re: [PATCH net v2] net: ip: order the reuseport socket in __inet_hash
Hello,
kernel test robot noticed "BUG:KASAN:slab-use-after-free_in__inet_hash" on:
commit: 859ca60b71ef223e210d3d003a225d9ca70879fd ("[PATCH net v2] net: ip: order the reuseport socket in __inet_hash")
url: https://github.com/intel-lab-lkp/linux/commits/Menglong-Dong/net-ip-order-the-reuseport-socket-in-__inet_hash/20250801-171131
base: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git 01051012887329ea78eaca19b1d2eac4c9f601b5
patch link: https://lore.kernel.org/all/20250801090949.129941-1-dongml2@chinatelecom.cn/
patch subject: [PATCH net v2] net: ip: order the reuseport socket in __inet_hash
in testcase: ltp
version: ltp-x86_64-6505f9e29-1_20250802
with following parameters:

    disk: 1HDD
    fs: ext4
    test: fs_perms_simple

config: x86_64-rhel-9.4-ltp
compiler: gcc-12
test machine: 4 threads 1 sockets Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz (Ivy Bridge) with 8G memory
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202508110750.a66a4225-lkp@intel.com
kern :err : [ 128.186735] BUG: KASAN: slab-use-after-free in __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800)
kern :err : [ 128.186868] Read of size 2 at addr ffff8882125c5f10 by task isc-net-0001/3160
kern :err : [ 128.187050] CPU: 2 UID: 108 PID: 3160 Comm: isc-net-0001 Tainted: G S 6.16.0-06590-g859ca60b71ef #1 PREEMPT(voluntary)
kern :err : [ 128.187056] Tainted: [S]=CPU_OUT_OF_SPEC
kern :err : [ 128.187058] Hardware name: Hewlett-Packard p6-1451cx/2ADA, BIOS 8.15 02/05/2013
kern :err : [ 128.187060] Call Trace:
kern :err : [ 128.187063] <TASK>
kern :err : [ 128.187065] dump_stack_lvl (lib/dump_stack.c:123 (discriminator 1))
kern :err : [ 128.187072] print_address_description+0x2c/0x390
kern :err : [ 128.187079] ? __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800)
kern :err : [ 128.187084] print_report (mm/kasan/report.c:483)
kern :err : [ 128.187088] ? kasan_addr_to_slab (mm/kasan/common.c:37)
kern :err : [ 128.187092] ? __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800)
kern :err : [ 128.187096] kasan_report (mm/kasan/report.c:597)
kern :err : [ 128.187101] ? __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800)
kern :err : [ 128.187106] __inet_hash (net/ipv4/inet_hashtables.c:749 net/ipv4/inet_hashtables.c:800)
kern :err : [ 128.187111] inet_csk_listen_start (net/ipv4/inet_connection_sock.c:1356)
kern :err : [ 128.187115] __inet_listen_sk (net/ipv4/af_inet.c:219)
kern :err : [ 128.187120] ? __pfx___inet_listen_sk (net/ipv4/af_inet.c:192)
kern :err : [ 128.187123] ? _raw_spin_lock_bh (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178)
kern :err : [ 128.187128] ? __pfx__raw_spin_lock_bh (kernel/locking/spinlock.c:177)
kern :err : [ 128.187134] inet_listen (net/ipv4/af_inet.c:240)
kern :err : [ 128.187138] __sys_listen (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:1918)
kern :err : [ 128.187144] __x64_sys_listen (net/socket.c:1930)
kern :err : [ 128.187148] ? __x64_sys_getsockname (net/socket.c:2145)
kern :err : [ 128.187152] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
kern :err : [ 128.187155] ? do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
kern :err : [ 128.187159] ? do_sock_setsockopt (net/socket.c:2313)
kern :err : [ 128.187163] ? __x64_sys_bind (net/socket.c:1892)
kern :err : [ 128.187167] ? do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
kern :err : [ 128.187169] ? alloc_fd (fs/file.c:612)
kern :err : [ 128.187174] ? fdget (include/linux/file.h:57 fs/file.c:1176 fs/file.c:1181)
kern :err : [ 128.187178] ? fput (arch/x86/include/asm/atomic64_64.h:79 include/linux/atomic/atomic-arch-fallback.h:2913 include/linux/atomic/atomic-arch-fallback.h:3364 include/linux/atomic/atomic-long.h:698 include/linux/atomic/atomic-instrumented.h:3767 include/linux/file_ref.h:157 fs/file_table.c:544)
kern :err : [ 128.187181] ? __sys_setsockopt (include/linux/file.h:63 include/linux/file.h:83 net/socket.c:2361)
kern :err : [ 128.187185] ? __x64_sys_setsockopt (net/socket.c:2372)
kern :err : [ 128.187188] ? do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
kern :err : [ 128.187191] ? __x64_sys_openat (fs/open.c:1461)
kern :err : [ 128.187194] ? __pfx___x64_sys_openat (fs/open.c:1461)
kern :err : [ 128.187198] ? __x64_sys_setsockopt (net/socket.c:2372)
kern :err : [ 128.187201] ? count_memcg_events (arch/x86/include/asm/atomic.h:23 include/linux/atomic/atomic-arch-fallback.h:457 include/linux/atomic/atomic-instrumented.h:33 mm/memcontrol.c:560 mm/memcontrol.c:585 mm/memcontrol.c:564 mm/memcontrol.c:848)
kern :err : [ 128.187206] ? do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
kern :err : [ 128.187209] ? handle_mm_fault (mm/memory.c:6272 mm/memory.c:6425)
kern :err : [ 128.187213] ? do_user_addr_fault (arch/x86/include/asm/atomic.h:93 include/linux/atomic/atomic-arch-fallback.h:949 include/linux/atomic/atomic-instrumented.h:401 include/linux/refcount.h:389 include/linux/refcount.h:432 include/linux/mmap_lock.h:142 include/linux/mmap_lock.h:237 arch/x86/mm/fault.c:1338)
kern :err : [ 128.187218] ? exc_page_fault (arch/x86/include/asm/irqflags.h:37 arch/x86/include/asm/irqflags.h:114 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532)
kern :err : [ 128.187223] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
kern :err : [ 128.187227] RIP: 0033:0x7fe51b028897
kern :err : [ 128.187231] Code: f0 ff ff 77 06 c3 0f 1f 44 00 00 48 8b 15 61 75 0c 00 f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 32 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 75 0c 00 f7 d8 64 89 01 48
All code
========
0: f0 ff lock (bad)
2: ff 77 06 push 0x6(%rdi)
5: c3 ret
6: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
b: 48 8b 15 61 75 0c 00 mov 0xc7561(%rip),%rdx # 0xc7573
12: f7 d8 neg %eax
14: 64 89 02 mov %eax,%fs:(%rdx)
17: b8 ff ff ff ff mov $0xffffffff,%eax
1c: c3 ret
1d: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
23: b8 32 00 00 00 mov $0x32,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d 39 75 0c 00 mov 0xc7539(%rip),%rcx # 0xc7573
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d 39 75 0c 00 mov 0xc7539(%rip),%rcx # 0xc7549
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
kern :err : [ 128.187235] RSP: 002b:00007fe5169fe0f8 EFLAGS: 00000217 ORIG_RAX: 0000000000000032
kern :err : [ 128.187239] RAX: ffffffffffffffda RBX: 00007fe516a1d760 RCX: 00007fe51b028897
kern :err : [ 128.187241] RDX: 0000000000000002 RSI: 000000000000000a RDI: 000000000000002c
kern :err : [ 128.187243] RBP: 0000000000000000 R08: 0000000000008000 R09: 00000000ffffffff
kern :err : [ 128.187245] R10: 00007fe5169fe024 R11: 0000000000000217 R12: 00007fe51bbd1d70
kern :err : [ 128.187248] R13: 000000000000000a R14: 00007fe5182de000 R15: 00007fe516a1d5d0
kern :err : [ 128.187252] </TASK>
kern :err : [ 128.192052] Allocated by task 2436:
kern :warn : [ 128.192126] kasan_save_stack (mm/kasan/common.c:48)
kern :warn : [ 128.192209] kasan_save_track (arch/x86/include/asm/current.h:25 mm/kasan/common.c:60 mm/kasan/common.c:69)
kern :warn : [ 128.192289] __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)
kern :warn : [ 128.192373] kmem_cache_alloc_noprof (mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4204)
kern :warn : [ 128.192466] sk_prot_alloc (net/core/sock.c:2233 (discriminator 2))
kern :warn : [ 128.192545] sk_alloc (net/core/sock.c:2295)
kern :warn : [ 128.192615] inet_create (net/ipv4/af_inet.c:1733 (discriminator 2))
kern :warn : [ 128.192717] __sock_create (net/socket.c:1590)
kern :warn : [ 128.192796] __sys_socket (net/socket.c:1686 net/socket.c:1669 net/socket.c:1731)
kern :warn : [ 128.192874] __x64_sys_socket (net/socket.c:1743)
kern :warn : [ 128.192956] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
kern :warn : [ 128.193034] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
kern :err : [ 128.193176] Freed by task 0:
kern :warn : [ 128.193240] kasan_save_stack (mm/kasan/common.c:48)
kern :warn : [ 128.193321] kasan_save_track (arch/x86/include/asm/current.h:25 mm/kasan/common.c:60 mm/kasan/common.c:69)
kern :warn : [ 128.193401] kasan_save_free_info (mm/kasan/generic.c:579)
kern :warn : [ 128.193487] __kasan_slab_free (mm/kasan/common.c:271)
kern :warn : [ 128.193569] slab_free_after_rcu_debug (mm/slub.c:4693)
kern :warn : [ 128.193663] rcu_do_batch (arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2583)
kern :warn : [ 128.193740] rcu_core (kernel/rcu/tree.c:2834)
kern :warn : [ 128.193812] handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:580)
kern :warn : [ 128.193894] __irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680)
kern :warn : [ 128.193977] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 arch/x86/kernel/apic/apic.c:1050)
kern :warn : [ 128.194074] asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:574)
kern :err : [ 128.194217] Last potentially related work creation:
kern :warn : [ 128.194312] kasan_save_stack (mm/kasan/common.c:48)
kern :warn : [ 128.194393] kasan_record_aux_stack (mm/kasan/generic.c:548)
kern :warn : [ 128.194481] kmem_cache_free (mm/slub.c:2344 mm/slub.c:4643 mm/slub.c:4745)
kern :warn : [ 128.194563] __sk_destruct (net/core/sock.c:2279 net/core/sock.c:2373)
kern :warn : [ 128.194642] rcu_do_batch (arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2583)
kern :warn : [ 128.194719] rcu_core (kernel/rcu/tree.c:2834)
kern :warn : [ 128.194791] handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:580)
kern :warn : [ 128.194873] __irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680)
kern :warn : [ 128.194955] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 arch/x86/kernel/apic/apic.c:1050)
kern :warn : [ 128.195052] asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:574)
kern :err : [ 128.195194] Second to last potentially related work creation:
kern :warn : [ 128.195303] kasan_save_stack (mm/kasan/common.c:48)
kern :warn : [ 128.195383] kasan_record_aux_stack (mm/kasan/generic.c:548)
kern :warn : [ 128.195472] __call_rcu_common+0xc8/0x980
kern :warn : [ 128.195571] inet_release (net/ipv4/af_inet.c:436)
kern :warn : [ 128.195648] __sock_release (net/socket.c:650)
kern :warn : [ 128.195727] sock_close (net/socket.c:1441)
kern :warn : [ 128.195799] __fput (fs/file_table.c:468)
kern :warn : [ 128.195869] fput_close_sync (fs/file_table.c:571)
kern :warn : [ 128.195951] __x64_sys_close (fs/open.c:1590 fs/open.c:1572 fs/open.c:1572)
kern :warn : [ 128.196032] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
kern :warn : [ 128.196109] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
kern :err : [ 128.196250] The buggy address belongs to the object at ffff8882125c5f00
which belongs to the cache TCP of size 2304
kern :err : [ 128.196468] The buggy address is located 16 bytes inside of
freed 2304-byte region [ffff8882125c5f00, ffff8882125c6800)
kern :err : [ 128.196733] The buggy address belongs to the physical page:
kern :warn : [ 128.196839] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8882125c5580 pfn:0x2125c0
kern :warn : [ 128.197008] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
kern :warn : [ 128.197148] memcg:ffff888217e99e01
kern :warn : [ 128.197221] anon flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
kern :warn : [ 128.197358] page_type: f5(slab)
kern :warn : [ 128.197429] raw: 0017ffffc0000040 ffff88810221c640 0000000000000000 0000000000000001
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250811/202508110750.a66a4225-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki