syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [PATCH v2 net 2/2] sctp: Clear inet_opt in sctp_v6_copy_ip_options(). | 4 (4) | 2025/12/11 14:21 |
| [PATCH v1 net 2/2] sctp: Clear pktoptions and rxpmtu in sctp_v6_copy_ip_options(). | 4 (4) | 2025/12/10 05:17 |
| [syzbot] [net?] KASAN: invalid-free in inet_sock_destruct | 0 (1) | 2025/12/08 13:22 |
================================================================== BUG: KASAN: double-free in inet_sock_destruct+0x538/0x740 net/ipv4/af_inet.c:159 Free of addr ffff8880304b6d40 by task ksoftirqd/0/15 CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report_invalid_free+0xea/0x110 mm/kasan/report.c:557 check_slab_allocation+0xe1/0x130 include/linux/page-flags.h:-1 kasan_slab_pre_free include/linux/kasan.h:198 [inline] slab_free_hook mm/slub.c:2484 [inline] slab_free mm/slub.c:6630 [inline] kfree+0x148/0x6d0 mm/slub.c:6837 inet_sock_destruct+0x538/0x740 net/ipv4/af_inet.c:159 __sk_destruct+0x89/0x660 net/core/sock.c:2350 sock_put include/net/sock.h:1991 [inline] sctp_endpoint_destroy_rcu+0xa1/0xf0 net/sctp/endpointola.c:197 rcu_do_batch kernel/rcu/tree.c:2605 [inline] rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861 handle_softirqs+0x286/0x870 kernel/softirq.c:622 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 6003: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 kasan_kmalloc include/linux/kasan.h:262 [inline] __do_kmalloc_node mm/slub.c:5642 [inline] __kmalloc_noprof+0x411/0x7f0 mm/slub.c:5654 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] ip_options_get+0x51/0x4c0 net/ipv4/ip_options.c:517 do_ip_setsockopt+0x1d9b/0x2d00 net/ipv4/ip_sockglue.c:1087 ip_setsockopt+0x66/0x110 net/ipv4/ip_sockglue.c:1417 do_sock_setsockopt+0x17c/0x1b0 net/socket.c:2360 __sys_setsockopt net/socket.c:2385 [inline] __do_sys_setsockopt net/socket.c:2391 [inline] __se_sys_setsockopt net/socket.c:2388 [inline] __x64_sys_setsockopt+0x13f/0x1b0 net/socket.c:2388 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 15: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2539 [inline] slab_free mm/slub.c:6630 [inline] kfree+0x19a/0x6d0 mm/slub.c:6837 inet_sock_destruct+0x538/0x740 net/ipv4/af_inet.c:159 __sk_destruct+0x89/0x660 net/core/sock.c:2350 sock_put include/net/sock.h:1991 [inline] sctp_endpoint_destroy_rcu+0xa1/0xf0 net/sctp/endpointola.c:197 rcu_do_batch kernel/rcu/tree.c:2605 [inline] rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861 handle_softirqs+0x286/0x870 kernel/softirq.c:622 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to the object at ffff8880304b6d40 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 0 bytes inside of 32-byte region [ffff8880304b6d40, ffff8880304b6d60) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x304b6 ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000000 ffff88801a026780 ffffea0001fd4840 0000000000000003 raw: 0000000000000000 0000000000400040 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP), pid 5759, tgid 5759 (dhcpcd-run-hook), ts 60270754860, free_ts 60270622880 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850 prep_new_page mm/page_alloc.c:1858 [inline] get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3884 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:3055 [inline] allocate_slab+0x96/0x350 mm/slub.c:3228 new_slab mm/slub.c:3282 [inline] ___slab_alloc+0xe94/0x18a0 mm/slub.c:4651 __slab_alloc+0x65/0x100 mm/slub.c:4770 __slab_alloc_node mm/slub.c:4846 [inline] slab_alloc_node mm/slub.c:5268 [inline] __kmalloc_cache_noprof+0x411/0x6f0 mm/slub.c:5758 kmalloc_noprof include/linux/slab.h:957 [inline] slab_free_hook mm/slub.c:2491 [inline] slab_free mm/slub.c:6630 [inline] kmem_cache_free+0x16f/0x690 mm/slub.c:6740 exit_mmap+0x537/0xb40 mm/mmap.c:1305 __mmput+0x118/0x430 kernel/fork.c:1133 exit_mm+0x1da/0x2c0 kernel/exit.c:582 do_exit+0x648/0x2300 kernel/exit.c:954 do_group_exit+0x21c/0x2d0 kernel/exit.c:1107 __do_sys_exit_group kernel/exit.c:1118 [inline] __se_sys_exit_group kernel/exit.c:1116 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1116 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232 page last free pid 5759 tgid 5759 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1394 [inline] __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2906 tlb_batch_list_free mm/mmu_gather.c:159 [inline] tlb_finish_mmu+0x112/0x1d0 mm/mmu_gather.c:500 exit_mmap+0x444/0xb40 mm/mmap.c:1293 __mmput+0x118/0x430 kernel/fork.c:1133 exit_mm+0x1da/0x2c0 kernel/exit.c:582 do_exit+0x648/0x2300 kernel/exit.c:954 do_group_exit+0x21c/0x2d0 kernel/exit.c:1107 __do_sys_exit_group kernel/exit.c:1118 [inline] __se_sys_exit_group kernel/exit.c:1116 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1116 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff8880304b6c00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc ffff8880304b6c80: fa fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc >ffff8880304b6d00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc ^ ffff8880304b6d80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc ffff8880304b6e00: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/11/10 22:49 | net-next | a0c3aefb08cd | 4e1406b4 | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] | ci-upstream-net-kasan-gce | KASAN: invalid-free in inet_sock_destruct | |
| 2025/11/10 20:14 | net-next | a0c3aefb08cd | 4e1406b4 | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] | ci-upstream-net-kasan-gce | KASAN: invalid-free in inet_sock_destruct | |
| 2025/11/16 06:13 | linux-next | 6d7e7251d03f | f7988ea4 | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] | ci-upstream-rust-kasan-gce | KASAN: invalid-free in inet_sock_destruct | |
| 2025/11/15 16:30 | linux-next | 6d7e7251d03f | f7988ea4 | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] | ci-upstream-rust-kasan-gce | KASAN: invalid-free in inet_sock_destruct | |
| 2025/12/09 15:26 | upstream | cb015814f8b6 | d1b870e1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: invalid-free in inet_sock_destruct | ||
| 2025/12/11 03:58 | upstream | 8c8081cc599f | d1b870e1 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: invalid-free in inet_sock_destruct | ||
| 2025/12/11 03:58 | upstream | 8c8081cc599f | d1b870e1 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: invalid-free in inet_sock_destruct | ||
| 2025/12/11 03:58 | upstream | 8c8081cc599f | d1b870e1 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: invalid-free in inet_sock_destruct | ||
| 2025/12/18 21:38 | net | 7b07be1ff1cb | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-net-this-kasan-gce | KASAN: invalid-free in inet_sock_destruct | ||
| 2025/11/10 19:15 | net-next | a0c3aefb08cd | 4e1406b4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-net-kasan-gce | KASAN: invalid-free in inet_sock_destruct |