Hi,

On 11/13/2023 10:12 PM, Hou Tao wrote:
> Hi,
>
> I got the following kasan report when running test_progs on bpf-tree
> (commit 100888fb6d8a):
>
> [ 212.183985]
> ==================================================================
> [ 212.184699] BUG: KASAN: slab-use-after-free in
> sock_def_readable+0x101/0x450
> [ 212.185375] Read of size 8 at addr ffff88812d9f1860 by task
> kworker/4:1/67
>
> [ 212.186195] CPU: 4 PID: 67 Comm: kworker/4:1 Tainted: G
> O 6.6.0+ #9
> [ 212.186942] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> [ 212.188044] Workqueue: events sk_psock_backlog
> [ 212.188496] Call Trace:
> [ 212.188746] <TASK>
> [ 212.188967] dump_stack_lvl+0x4a/0x90
> [ 212.189342] print_report+0xd2/0x620
> [ 212.189706] ? kasan_complete_mode_report_info+0x7c/0x210
> [ 212.190241] kasan_report+0xd1/0x110
> [ 212.190599] ? sock_def_readable+0x101/0x450
> [ 212.191022] ? sock_def_readable+0x101/0x450
> [ 212.191452] kasan_check_range+0x101/0x1c0
> [ 212.191852] __kasan_check_read+0x11/0x20
> [ 212.192253] sock_def_readable+0x101/0x450
> [ 212.192656] unix_stream_sendmsg+0x3cc/0xaa0
> [ 212.193093] ? __pfx_unix_stream_sendmsg+0x10/0x10
> [ 212.193565] ? __pfx___lock_acquire+0x10/0x10
> [ 212.194034] sock_sendmsg+0x219/0x230
> [ 212.194400] ? __pfx_sock_sendmsg+0x10/0x10
> [ 212.194813] ? lock_acquire+0x180/0x420
> [ 212.195193] ? sk_psock_backlog+0x3c/0x600
> [ 212.195598] ? __pfx_lock_acquire+0x10/0x10
> [ 212.196014] ? lock_is_held_type+0x97/0x100
> [ 212.196436] ? __asan_storeN+0x12/0x20
> [ 212.196808] __skb_send_sock+0x53b/0x660
> [ 212.197204] ? __pfx_sendmsg_unlocked+0x10/0x10
> [ 212.197653] ? sk_psock_backlog+0x3c/0x600
> [ 212.198057] ? __pfx___skb_send_sock+0x10/0x10
> [ 212.198499] ? __mutex_unlock_slowpath+0x122/0x410
> [ 212.198990] skb_send_sock+0x15/0x20

It seems I hit the send button too soon. There are already pending fixes for the problem [1]. Please ignore the bug report.

[1]: https://lore.kernel.org/bpf/20231016190819.81307-1-john.fastabend@xxxxxxxxx/