Received: by 2002:a05:7412:3b8b:b0:fc:a2b0:25d7 with SMTP id nd11csp1309822rdb; Fri, 9 Feb 2024 18:25:58 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCVHPfxCnZ3sXyHCqywlyOYWFFgZSP+L7Nl72LlXqfv8C49l2R8di0TaU9oSS0VYRGZ66DT0rPKKJDF3jRvV2oOj1AWbHeOoIw8VwhoI7w== X-Google-Smtp-Source: AGHT+IGikklmPFVeqXfBzxT7E7C8a41VCiSXT0uMaZsEjYF0Y9RhRVZTGAb/RGWu0PjTqNcGZ/E3 X-Received: by 2002:a17:90b:1254:b0:296:3167:9616 with SMTP id gx20-20020a17090b125400b0029631679616mr825966pjb.22.1707531958562; Fri, 09 Feb 2024 18:25:58 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1707531958; cv=pass; d=google.com; s=arc-20160816; b=r5e+qkmCmFgcMWWNpYt3o3nQY9e327q0M7Ta8uwHtTdTBcAlKu0IptR/uULjSwtA5T ej73uBEHeXQpH7VxYmiE7E58MsBP5ppe6Zoik12xW+MG5TYdwgCSMyOyC/CvVrPCTZJW 5m7U4VjqpKTjbNWLp0ZV1EOaleXgyZ2Kce9MHT6QDN0Emk3LitpzFo7dhs5Q4ScYgB9n K2hcA4ODjfxLCETLOlaHBM47qkwgnLRch7UiTOxRi5IxCCVwFdYeN4jBbgkZxwd+olAd lp3NY6sWP4oAXUDsHHGuLIvILq/UydoQzkHiYSp2mD5qE5/4P0nn4Jz7yh0Nxvd9x25H 7R4w== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from; bh=ixgvRQqZH60NQEADBPZbrgxjqPHtvCoMrFmCHZzIkgM=; fh=yJ+JW8gxlFrBv/xW9sXsrC4UMw5nGTWlSzv1/SDUT5w=; b=d8nW0N7Y82vZ4XQ34dgK/07B42LmOEQVUOFFUmS97X75XpGKY5OqlA+9/uZCEN/VC5 YncJWYkOHy4m7tMLdHkYa4MaTKE9HHiqnscUB6Sm/B+2U+nY1RLn+NfnwcV5zQMYTXAq 2mWat0Zowf/rCA1PTzygVzkaMVoGsI5px6SxqIkDFWcB+vZVN6vvjSuI6RURw7gD97Vt tYp09SUBVlhtXQhNttPyaNMEuqOf/vi3rDn0hGS5KUusabAIdO9EHOggjfQY4yso0017 t6AFxpPn8+kpplRz+VzDI4Z0kUz5oJnqcTFM1ylYFtVyh5oubdmvmBeerFqnA6eRP2Xn f+7w==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=sina.com); spf=pass (google.com: domain of linux-kernel+bounces-60247-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-60247-linux.lists.archive=gmail.com@vger.kernel.org" X-Forwarded-Encrypted: i=2; AJvYcCW+Wk1jjgoT9sw86sjMDYdwW6Vl0vYRdpO8rdBzzxy/4HqdHxzmMhsw5PnGqgPW1rW8TE10Duh5UaHD3omERIsS2ziXNqvNQoeVJz4lCw== Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id cz11-20020a17090ad44b00b00296623d582csi2677641pjb.166.2024.02.09.18.25.58 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Feb 2024 18:25:58 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-60247-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=sina.com); spf=pass (google.com: domain of linux-kernel+bounces-60247-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-60247-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 3ECD52890FF for ; Sat, 10 Feb 2024 02:25:58 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id DFECB4C7B; Sat, 10 Feb 2024 02:25:51 +0000 (UTC) Received: from r3-17.sinamail.sina.com.cn (r3-17.sinamail.sina.com.cn [202.108.3.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BEADC2119 for ; Sat, 10 Feb 2024 02:25:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=202.108.3.17 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707531951; cv=none; b=pFdsO68VLGNit55yz8T4AxQBovGErMku8ap6SeNk0WxA3eBKQ9o0bUXJuVwXwiij3/wrznqv21h4Fxw9DdPZacFIJGqBW9SpwHy7qwsI3S6pjy5VHA8z2P/fKeUnBdhx1DRuk2yX3MClbwbOkDVojOQzBkoPxezyg8z3cZrvIFI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707531951; c=relaxed/simple; bh=RJLEaSg+FYQoepQjpqTmkY6iVzwvm2LFLKLBMAIgNwQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=FMuB119zr4ZyS5t+ZGd0uYp03Gh/hsL8EPIKs1vZjN2msSW2/hzhaJGGQAHQhoVjvhDd1nrEJcmHZhMjB4RJwNcGdgSMlfMczZyDvzHX7kvCdwp9G/ZgMker+Tm0geRe0weXgaAiLX+cKJpt6RldGnyGAno6OVbgT6Zhug+8aJE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com; spf=pass smtp.mailfrom=sina.com; arc=none smtp.client-ip=202.108.3.17 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sina.com X-SMAIL-HELO: localhost.localdomain Received: from unknown (HELO localhost.localdomain)([114.249.59.61]) by sina.com (10.182.253.22) with ESMTP id 65C6DE7F00006955; Sat, 10 Feb 2024 10:25:05 +0800 (CST) X-Sender: hdanton@sina.com X-Auth-ID: hdanton@sina.com Authentication-Results: sina.com; spf=none smtp.mailfrom=hdanton@sina.com; dkim=none header.i=none; dmarc=none action=none header.from=hdanton@sina.com X-SMAIL-MID: 7644666816216 X-SMAIL-UIID: 861C7A751C854AFB8BA62E992CAFFF89-20240210-102505-1 From: Hillf Danton To: syzbot Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] [kernel?] KASAN: slab-use-after-free Read in __unix_gc Date: Sat, 10 Feb 2024 10:24:51 +0800 Message-ID: <20240210022453.773-1-hdanton@sina.com> In-Reply-To: <000000000000ee09930610f42470@google.com> References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit On Fri, 09 Feb 2024 06:57:17 -0800 > HEAD commit: e7689879d14e ethtool: do not use rtnl in ethnl_default_dum.. > git tree: net-next > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=165f9cec180000 #syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git e7689879d14e --- x/net/unix/garbage.c +++ y/net/unix/garbage.c @@ -119,6 +119,7 @@ void unix_inflight(struct user_struct *u if (!u->inflight) { WARN_ON_ONCE(!list_empty(&u->link)); list_add_tail(&u->link, &gc_inflight_list); + sock_hold(&u->sk); } else { WARN_ON_ONCE(list_empty(&u->link)); } @@ -350,6 +351,11 @@ static void __unix_gc(struct work_struct } #endif + list_for_each_entry_safe(u, next, &gc_candidates, link) { + list_del(&u->link); + sock_put(&u->sk); + } + spin_lock(&unix_gc_lock); /* All candidates should have been detached by now. */ --