Message-ID: <202509171359.658ddb38-lkp@intel.com>
Date: Wed, 17 Sep 2025 14:37:16 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Kuniyuki Iwashima <kuniyu@...gle.com>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, Shakeel Butt
	<shakeel.butt@...ux.dev>, <netdev@...r.kernel.org>, <ltp@...ts.linux.it>,
	Alexei Starovoitov <ast@...nel.org>, Andrii Nakryiko <andrii@...nel.org>,
	Daniel Borkmann <daniel@...earbox.net>, Martin KaFai Lau
	<martin.lau@...ux.dev>, John Fastabend <john.fastabend@...il.com>, "Stanislav
 Fomichev" <sdf@...ichev.me>, Johannes Weiner <hannes@...xchg.org>, "Michal
 Hocko" <mhocko@...nel.org>, Roman Gushchin <roman.gushchin@...ux.dev>, "David
 S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, "Jakub
 Kicinski" <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Neal Cardwell
	<ncardwell@...gle.com>, Willem de Bruijn <willemb@...gle.com>, Mina Almasry
	<almasrymina@...gle.com>, Kuniyuki Iwashima <kuniyu@...gle.com>, "Kuniyuki
 Iwashima" <kuni1840@...il.com>, <bpf@...r.kernel.org>,
	<oliver.sang@...el.com>
Subject: Re: [PATCH v8 bpf-next/net 1/6] tcp: Save lock_sock() for memcg in
 inet_csk_accept().


Hello,

kernel test robot noticed "BUG:KASAN:slab-out-of-bounds_in__inet_accept" on:

commit: d465aa09942825d93a377c3715c464e8f6827f13 ("[PATCH v8 bpf-next/net 1/6] tcp: Save lock_sock() for memcg in inet_csk_accept().")
url: https://github.com/intel-lab-lkp/linux/commits/Kuniyuki-Iwashima/tcp-Save-lock_sock-for-memcg-in-inet_csk_accept/20250911-032312
base: https://git.kernel.org/cgit/linux/kernel/git/bpf/bpf-next.git net
patch link: https://lore.kernel.org/all/20250910192057.1045711-2-kuniyu@google.com/
patch subject: [PATCH v8 bpf-next/net 1/6] tcp: Save lock_sock() for memcg in inet_csk_accept().

in testcase: ltp
version: ltp-x86_64-c6660a3e0-1_20250913
with the following parameters:

	test: net.features



config: x86_64-rhel-9.4-ltp
compiler: gcc-14
test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4790T CPU @ 2.70GHz (Haswell) with 16G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202509171359.658ddb38-lkp@intel.com


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250917/202509171359.658ddb38-lkp@intel.com


We saw a lot of "BUG:KASAN:slab-out-of-bounds_in__inet_accept" issues in the dmesg
uploaded to the above link; below is just one example:


[  468.984291][T30180] ==================================================================
[  468.992753][T30180] BUG: KASAN: slab-out-of-bounds in __inet_accept+0x5c6/0x640
[  469.000550][T30180] Read of size 1 at addr ffff88810df4ea20 by task netstress/30180
[  469.008720][T30180] 
[  469.011389][T30180] CPU: 0 UID: 0 PID: 30180 Comm: netstress Not tainted 6.17.0-rc2-00437-gd465aa099428 #1 PREEMPT(voluntary) 
[  469.011393][T30180] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD5H/Z97X-UD5H, BIOS F9 04/21/2015
[  469.011395][T30180] Call Trace:
[  469.011396][T30180]  <TASK>
[  469.011398][T30180]  dump_stack_lvl+0x47/0x70
[  469.011403][T30180]  print_address_description+0x88/0x320
[  469.011408][T30180]  ? __inet_accept+0x5c6/0x640
[  469.011410][T30180]  print_report+0x106/0x1f4
[  469.011413][T30180]  ? __inet_accept+0x5c6/0x640
[  469.011415][T30180]  ? __inet_accept+0x5c6/0x640
[  469.011417][T30180]  kasan_report+0xb5/0xf0
[  469.011421][T30180]  ? __inet_accept+0x5c6/0x640
[  469.011424][T30180]  __inet_accept+0x5c6/0x640
[  469.011427][T30180]  inet_accept+0xe2/0x170
[  469.011430][T30180]  do_accept+0x2e5/0x480
[  469.011434][T30180]  ? folio_xchg_last_cpupid+0xc5/0x130
[  469.011437][T30180]  ? __pfx_do_accept+0x10/0x10
[  469.011441][T30180]  ? _raw_spin_lock+0x80/0xe0
[  469.011444][T30180]  ? __pfx__raw_spin_lock+0x10/0x10
[  469.011447][T30180]  ? alloc_fd+0x266/0x410
[  469.011451][T30180]  __sys_accept4+0xc4/0x150
[  469.011454][T30180]  ? __pfx___sys_accept4+0x10/0x10
[  469.011458][T30180]  __x64_sys_accept+0x70/0xb0
[  469.011461][T30180]  do_syscall_64+0x7b/0x2c0
[  469.011466][T30180]  ? __pfx___handle_mm_fault+0x10/0x10
[  469.011468][T30180]  ? __pfx_css_rstat_updated+0x10/0x10
[  469.011471][T30180]  ? count_memcg_events+0x253/0x3f0
[  469.011475][T30180]  ? handle_mm_fault+0x382/0x6c0
[  469.011478][T30180]  ? do_user_addr_fault+0x820/0xd60
[  469.011482][T30180]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  469.011485][T30180] RIP: 0033:0x7f9c169c4687
[  469.011488][T30180] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[  469.011490][T30180] RSP: 002b:00007ffff0036ac0 EFLAGS: 00000202 ORIG_RAX: 000000000000002b
[  469.011494][T30180] RAX: ffffffffffffffda RBX: 00007f9c16932740 RCX: 00007f9c169c4687
[  469.011496][T30180] RDX: 00007ffff0036b14 RSI: 00007ffff0036b20 RDI: 0000000000000006
[  469.011498][T30180] RBP: 0000562f1b4e85a0 R08: 0000000000000000 R09: 0000000000000000
[  469.011500][T30180] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff0036b18
[  469.011501][T30180] R13: 00007ffff0036b20 R14: 00007ffff0036b14 R15: 0000562f1b4d3e5f
[  469.011504][T30180]  </TASK>
[  469.011505][T30180] 
[  469.257645][T30180] The buggy address belongs to the object at ffff88810df4e800
[  469.257645][T30180]  which belongs to the cache SCTPv6 of size 1536
[  469.271959][T30180] The buggy address is located 544 bytes inside of
[  469.271959][T30180]  allocated 1536-byte region [ffff88810df4e800, ffff88810df4ee00)
[  469.286795][T30180] 
[  469.289353][T30180] The buggy address belongs to the physical page:
[  469.296000][T30180] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10df48
[  469.305055][T30180] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  469.313790][T30180] memcg:ffff888223ff8201
[  469.318241][T30180] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
[  469.326258][T30180] page_type: f5(slab)
[  469.330466][T30180] raw: 0017ffffc0000040 ffff888101e08640 dead000000000122 0000000000000000
[  469.339270][T30180] raw: 0000000000000000 0000000080130013 00000000f5000000 ffff888223ff8201
[  469.348078][T30180] head: 0017ffffc0000040 ffff888101e08640 dead000000000122 0000000000000000
[  469.356993][T30180] head: 0000000000000000 0000000080130013 00000000f5000000 ffff888223ff8201
[  469.365914][T30180] head: 0017ffffc0000003 ffffea000437d201 00000000ffffffff 00000000ffffffff
[  469.374851][T30180] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  469.383788][T30180] page dumped because: kasan: bad access detected
[  469.390449][T30180] 
[  469.393031][T30180] Memory state around the buggy address:
[  469.398939][T30180]  ffff88810df4e900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  469.407261][T30180]  ffff88810df4e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  469.415589][T30180] >ffff88810df4ea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  469.423933][T30180]                                ^
[  469.429308][T30180]  ffff88810df4ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  469.437670][T30180]  ffff88810df4eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  469.446024][T30180] ==================================================================
[  469.454415][T30180] Disabling lock debugging due to kernel taint

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

