[syzbot] [bpf?] [net?] KASAN: slab-use-after-free Read in sk_msg_recvmsg

syzbot

Feb 15, 2026, 3:21:30 PM
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ja...@cloudflare.com, john.fa...@gmail.com, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a040afa3bca4 gve: fix probe failure if clock read fails
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=165bf05a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e3161cabe5a361ff
dashboard link: https://syzkaller.appspot.com/bug?extid=9307c991a6d07ce6e6d8
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13dd245a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16ecdb2a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ff453661cfef/disk-a040afa3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c65fb54cea84/vmlinux-a040afa3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/94868c75f7e1/bzImage-a040afa3.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9307c9...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in sk_msg_recvmsg+0xb54/0xc30 net/core/skmsg.c:428
Read of size 4 at addr ffff88814cdcf000 by task syz.0.24/6020

CPU: 1 UID: 0 PID: 6020 Comm: syz.0.24 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
sk_msg_recvmsg+0xb54/0xc30 net/core/skmsg.c:428
udp_bpf_recvmsg+0x4bd/0xe00 net/ipv4/udp_bpf.c:84
inet_recvmsg+0x260/0x270 net/ipv4/af_inet.c:891
sock_recvmsg_nosec net/socket.c:1078 [inline]
sock_recvmsg+0x1a8/0x270 net/socket.c:1100
____sys_recvmsg+0x1e6/0x4a0 net/socket.c:2812
___sys_recvmsg+0x215/0x590 net/socket.c:2854
do_recvmmsg+0x334/0x800 net/socket.c:2949
__sys_recvmmsg net/socket.c:3023 [inline]
__do_sys_recvmmsg net/socket.c:3046 [inline]
__se_sys_recvmmsg net/socket.c:3039 [inline]
__x64_sys_recvmmsg+0x198/0x250 net/socket.c:3039
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb319f9aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb31ad97028 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007fb31a216090 RCX: 00007fb319f9aeb9
RDX: 0000000000000001 RSI: 0000200000000400 RDI: 0000000000000004
RBP: 00007fb31a008c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000040000021 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb31a216128 R14: 00007fb31a216090 R15: 00007ffe21dd0a98
</TASK>

Allocated by task 6019:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3d1/0x6e0 mm/slub.c:5780
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_sk_msg net/core/skmsg.c:510 [inline]
sk_psock_skb_ingress_self+0x60/0x350 net/core/skmsg.c:612
sk_psock_verdict_apply net/core/skmsg.c:1038 [inline]
sk_psock_verdict_recv+0x7d9/0x8d0 net/core/skmsg.c:1236
udp_read_skb+0x73e/0x7e0 net/ipv4/udp.c:2045
sk_psock_verdict_data_ready+0x12d/0x550 net/core/skmsg.c:1257
__udp_enqueue_schedule_skb+0xc54/0x10b0 net/ipv4/udp.c:1789
__udp_queue_rcv_skb net/ipv4/udp.c:2346 [inline]
udp_queue_rcv_one_skb+0xac5/0x19c0 net/ipv4/udp.c:2475
__udp4_lib_mcast_deliver+0xc06/0xcf0 net/ipv4/udp.c:2585
__udp4_lib_rcv+0x10f6/0x2620 net/ipv4/udp.c:2724
ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
NF_HOOK+0x336/0x3c0 include/linux/netfilter.h:318
dst_input include/net/dst.h:474 [inline]
ip_sublist_rcv_finish+0x221/0x2a0 net/ipv4/ip_input.c:584
ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline]
ip_sublist_rcv+0x5c6/0xa70 net/ipv4/ip_input.c:644
ip_list_rcv+0x3f1/0x450 net/ipv4/ip_input.c:678
__netif_receive_skb_list_ptype net/core/dev.c:6195 [inline]
__netif_receive_skb_list_core+0x7e5/0x810 net/core/dev.c:6242
__netif_receive_skb_list net/core/dev.c:6294 [inline]
netif_receive_skb_list_internal+0x995/0xcf0 net/core/dev.c:6385
netif_receive_skb_list+0x54/0x410 net/core/dev.c:6437
xdp_recv_frames net/bpf/test_run.c:269 [inline]
xdp_test_run_batch net/bpf/test_run.c:350 [inline]
bpf_test_run_xdp_live+0x1946/0x1cf0 net/bpf/test_run.c:379
bpf_prog_test_run_xdp+0x81c/0x1160 net/bpf/test_run.c:1396
bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703
__sys_bpf+0x5cb/0x920 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6021:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6674 [inline]
kfree+0x1be/0x650 mm/slub.c:6882
kfree_sk_msg include/linux/skmsg.h:385 [inline]
sk_msg_recvmsg+0xaa8/0xc30 net/core/skmsg.c:483
udp_bpf_recvmsg+0x4bd/0xe00 net/ipv4/udp_bpf.c:84
inet_recvmsg+0x260/0x270 net/ipv4/af_inet.c:891
sock_recvmsg_nosec net/socket.c:1078 [inline]
sock_recvmsg+0x1a8/0x270 net/socket.c:1100
____sys_recvmsg+0x1e6/0x4a0 net/socket.c:2812
___sys_recvmsg+0x215/0x590 net/socket.c:2854
do_recvmmsg+0x334/0x800 net/socket.c:2949
__sys_recvmmsg net/socket.c:3023 [inline]
__do_sys_recvmmsg net/socket.c:3046 [inline]
__se_sys_recvmmsg net/socket.c:3039 [inline]
__x64_sys_recvmmsg+0x198/0x250 net/socket.c:3039
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88814cdcf000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
freed 1024-byte region [ffff88814cdcf000, ffff88814cdcf400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14cdc8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88813fe26dc0 ffffea000509f800 dead000000000002
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 057ff00000000040 ffff88813fe26dc0 ffffea000509f800 dead000000000002
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 057ff00000000003 ffffea0005337201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 17135672743, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3945
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5240
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3a0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xd82/0x1760 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
__kmalloc_cache_noprof+0x40d/0x6e0 mm/slub.c:5775
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
init_srcu_struct_fields+0x7f/0xa20 kernel/rcu/srcutree.c:240
rtnl_link_register+0x141/0x2f0 net/core/rtnetlink.c:615
ipgre_init+0x64/0x110 net/ipv4/ip_gre.c:1819
do_one_initcall+0x250/0x840 init/main.c:1378
do_initcall_level+0x104/0x190 init/main.c:1440
do_initcalls+0x59/0xa0 init/main.c:1456
kernel_init_freeable+0x2a6/0x3d0 init/main.c:1688
kernel_init+0x1d/0x1d0 init/main.c:1578
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88814cdcef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88814cdcef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88814cdcf000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88814cdcf080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88814cdcf100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Hillf Danton

Feb 15, 2026, 8:00:00 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Sun, 15 Feb 2026 12:21:29 -0800 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: a040afa3bca4 gve: fix probe failure if clock read fails
> git tree: net
> console output: https://syzkaller.appspot.com/x/log.txt?x=165bf05a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e3161cabe5a361ff
> dashboard link: https://syzkaller.appspot.com/bug?extid=9307c991a6d07ce6e6d8
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13dd245a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16ecdb2a580000

#syz test

--- x/net/core/skmsg.c
+++ y/net/core/skmsg.c
@@ -417,7 +417,9 @@ int sk_msg_recvmsg(struct sock *sk, stru
int peek = flags & MSG_PEEK;
struct sk_msg *msg_rx;
int i, copied = 0;
+ static DEFINE_MUTEX(lk);

+ mutex_lock(&lk);
msg_rx = sk_psock_peek_msg(psock);
while (copied != len) {
struct scatterlist *sge;
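Review bot: `static DEFINE_MUTEX(lk)` declared inside sk_msg_recvmsg() is a single function-wide lock, so the `mutex_lock(&lk)` ahead of `sk_psock_peek_msg(psock)` serializes receivers on every psock, not only the two recvmmsg tasks (6020 reading, 6021 freeing) that the KASAN report shows touching the same sk_msg. That is sufficient for a `#syz test` probe of whether concurrent readers are the cause, but a change meant for merging should take a lock scoped to the psock or socket instead. This is also the hunk syzbot rejected ("Hunk #1 FAILED at 417"), so its context needs regenerating against the tree being tested.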
@@ -485,6 +487,7 @@ int sk_msg_recvmsg(struct sock *sk, stru
msg_rx = sk_psock_peek_msg(psock);
}
out:
+ mutex_unlock(&lk);
return copied;
}
EXPORT_SYMBOL_GPL(sk_msg_recvmsg);
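Review bot: the only `mutex_unlock(&lk)` sits at the `out:` label, so lock and unlock pair up only if every exit from the receive loop passes through `out:`; a `return` anywhere between the `mutex_lock(&lk)` added in the first hunk and this label would leave `lk` held and block every later caller. The lines between the two hunks are not visible here, so check them for early returns, or take and release the lock in a thin wrapper around the function body so there is exactly one exit.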
--

syzbot

Feb 15, 2026, 9:10:04 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file net/core/skmsg.c
Hunk #1 FAILED at 417.
Hunk #2 succeeded at 493 with fuzz 1 (offset 8 lines).
1 out of 2 hunks FAILED



Tested on:

commit: ee5492fd fbnic: close fw_log race between users and te..
git tree: net
patch: https://syzkaller.appspot.com/x/patch.diff?x=12aa015a580000

Hillf Danton

12:16 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Sun, 15 Feb 2026 12:21:29 -0800 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: a040afa3bca4 gve: fix probe failure if clock read fails
> git tree: net
> console output: https://syzkaller.appspot.com/x/log.txt?x=165bf05a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e3161cabe5a361ff
> dashboard link: https://syzkaller.appspot.com/bug?extid=9307c991a6d07ce6e6d8
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13dd245a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16ecdb2a580000

#syz test

--- x/net/core/skmsg.c
+++ y/net/core/skmsg.c
@@ -500,7 +500,13 @@ out:
int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
int len, int flags)
{
- return __sk_msg_recvmsg(sk, psock, msg, len, flags, NULL);
+ static DEFINE_MUTEX(lk);
+ int rc;
+
+ mutex_lock(&lk);
+ rc = __sk_msg_recvmsg(sk, psock, msg, len, flags, NULL);
+ mutex_unlock(&lk);
+ return rc;
}
EXPORT_SYMBOL_GPL(sk_msg_recvmsg);

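Review bot: taking `lk` in the exported sk_msg_recvmsg() wrapper serializes only callers that enter through this wrapper; any caller that invokes `__sk_msg_recvmsg()` directly, for instance with a non-NULL last argument, still reaches the receive path without the lock. `lk` also remains a function-static mutex shared by all sockets, and the patch has no description stating whether it is a diagnostic or a proposed fix. If it is meant as more than a `#syz test` experiment, say so in the changelog and move the serialization to per-psock state inside `__sk_msg_recvmsg()` so every entry point is covered.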
--

syzbot

12:36 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in inet_sock_destruct

------------[ cut here ]------------
sk->sk_forward_alloc
WARNING: net/ipv4/af_inet.c:157 at inet_sock_destruct+0x62d/0x740 net/ipv4/af_inet.c:157, CPU#0: swapper/0/0
Modules linked in:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:inet_sock_destruct+0x62d/0x740 net/ipv4/af_inet.c:157
Code: 0f 0b 90 e9 58 fe ff ff e8 a0 6b ac f7 90 0f 0b 90 e9 8b fe ff ff e8 92 6b ac f7 90 0f 0b 90 e9 b1 fe ff ff e8 84 6b ac f7 90 <0f> 0b 90 e9 d7 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 95 fc
RSP: 0018:ffffc90000007d48 EFLAGS: 00010246
RAX: ffffffff8a17cf4c RBX: dffffc0000000000 RCX: ffffffff8e494ec0
RDX: 0000000000000100 RSI: 0000000000000f70 RDI: 0000000000000000
RBP: 0000000000000f70 R08: ffff8880353d9c27 R09: 1ffff11006a7b384
R10: dffffc0000000000 R11: ffffed1006a7b385 R12: ffff8880353d9980
R13: dffffc0000000000 R14: ffff8880353d9c0c R15: ffffffff8fc9c980
FS: 0000000000000000(0000) GS:ffff8881254ae000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff98a5e8600 CR3: 000000007804e000 CR4: 00000000003526f0
Call Trace:
<IRQ>
__sk_destruct+0x85/0x880 net/core/sock.c:2350
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x7c0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:63
Code: 24 7b 02 c3 cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 43 18 2b 00 fb f4 <e9> 7c e8 02 00 cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90
RSP: 0018:ffffffff8e407dc0 EFLAGS: 00000246
RAX: 0000000000128b1b RBX: ffffffff8199661d RCX: 0000000080000001
RDX: 0000000000000001 RSI: ffffffff8dee2c77 RDI: ffffffff8c276680
RBP: ffffffff8e407eb0 R08: ffff8880b863375b R09: 1ffff110170c66eb
R10: dffffc0000000000 R11: ffffed10170c66ec R12: ffffffff9010a270
R13: 1ffffffff1c929d8 R14: 0000000000000000 R15: 0000000000000000
arch_safe_halt arch/x86/kernel/process.c:766 [inline]
default_idle+0x9/0x20 arch/x86/kernel/process.c:767
default_idle_call+0x72/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x1bd/0x500 kernel/sched/idle.c:332
cpu_startup_entry+0x43/0x60 kernel/sched/idle.c:430
rest_init+0x2de/0x300 init/main.c:757
start_kernel+0x380/0x3d0 init/main.c:1206
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x147
</TASK>
----------------
Code disassembly (best guess):
0: 24 7b and $0x7b,%al
2: 02 c3 add %bl,%al
4: cc int3
5: cc int3
6: cc int3
7: cc int3
8: cc int3
9: cc int3
a: cc int3
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: f3 0f 1e fa endbr64
1f: 66 90 xchg %ax,%ax
21: 0f 00 2d 43 18 2b 00 verw 0x2b1843(%rip) # 0x2b186b
28: fb sti
29: f4 hlt
* 2a: e9 7c e8 02 00 jmp 0x2e8ab <-- trapping instruction
2f: cc int3
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: cc int3
35: cc int3
36: cc int3
37: cc int3
38: cc int3
39: cc int3
3a: cc int3
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop


Tested on:

commit: ee5492fd fbnic: close fw_log race between users and te..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=10c8affa580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d2b1668f8734e4fc
dashboard link: https://syzkaller.appspot.com/bug?extid=9307c991a6d07ce6e6d8
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=12123652580000
