[LTP] [PATCH v8 bpf-next/net 1/6] tcp: Save lock_sock() for memcg in inet_csk_accept().

kernel test robot oliver.sang@intel.com
Wed Sep 17 08:37:16 CEST 2025


Hello,

kernel test robot noticed "BUG:KASAN:slab-out-of-bounds_in__inet_accept" on:

commit: d465aa09942825d93a377c3715c464e8f6827f13 ("[PATCH v8 bpf-next/net 1/6] tcp: Save lock_sock() for memcg in inet_csk_accept().")
url: https://github.com/intel-lab-lkp/linux/commits/Kuniyuki-Iwashima/tcp-Save-lock_sock-for-memcg-in-inet_csk_accept/20250911-032312
base: https://git.kernel.org/cgit/linux/kernel/git/bpf/bpf-next.git net
patch link: https://lore.kernel.org/all/20250910192057.1045711-2-kuniyu@google.com/
patch subject: [PATCH v8 bpf-next/net 1/6] tcp: Save lock_sock() for memcg in inet_csk_accept().

in testcase: ltp
version: ltp-x86_64-c6660a3e0-1_20250913
with following parameters:

	test: net.features



config: x86_64-rhel-9.4-ltp
compiler: gcc-14
test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4790T CPU @ 2.70GHz (Haswell) with 16G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202509171359.658ddb38-lkp@intel.com


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250917/202509171359.658ddb38-lkp@intel.com


We saw a lot of "BUG:KASAN:slab-out-of-bounds_in__inet_accept" issues in the dmesg
uploaded to the above link; below is just one example:


[  468.984291][T30180] ==================================================================
[  468.992753][T30180] BUG: KASAN: slab-out-of-bounds in __inet_accept+0x5c6/0x640
[  469.000550][T30180] Read of size 1 at addr ffff88810df4ea20 by task netstress/30180
[  469.008720][T30180] 
[  469.011389][T30180] CPU: 0 UID: 0 PID: 30180 Comm: netstress Not tainted 6.17.0-rc2-00437-gd465aa099428 #1 PREEMPT(voluntary) 
[  469.011393][T30180] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD5H/Z97X-UD5H, BIOS F9 04/21/2015
[  469.011395][T30180] Call Trace:
[  469.011396][T30180]  <TASK>
[  469.011398][T30180]  dump_stack_lvl+0x47/0x70
[  469.011403][T30180]  print_address_description+0x88/0x320
[  469.011408][T30180]  ? __inet_accept+0x5c6/0x640
[  469.011410][T30180]  print_report+0x106/0x1f4
[  469.011413][T30180]  ? __inet_accept+0x5c6/0x640
[  469.011415][T30180]  ? __inet_accept+0x5c6/0x640
[  469.011417][T30180]  kasan_report+0xb5/0xf0
[  469.011421][T30180]  ? __inet_accept+0x5c6/0x640
[  469.011424][T30180]  __inet_accept+0x5c6/0x640
[  469.011427][T30180]  inet_accept+0xe2/0x170
[  469.011430][T30180]  do_accept+0x2e5/0x480
[  469.011434][T30180]  ? folio_xchg_last_cpupid+0xc5/0x130
[  469.011437][T30180]  ? __pfx_do_accept+0x10/0x10
[  469.011441][T30180]  ? _raw_spin_lock+0x80/0xe0
[  469.011444][T30180]  ? __pfx__raw_spin_lock+0x10/0x10
[  469.011447][T30180]  ? alloc_fd+0x266/0x410
[  469.011451][T30180]  __sys_accept4+0xc4/0x150
[  469.011454][T30180]  ? __pfx___sys_accept4+0x10/0x10
[  469.011458][T30180]  __x64_sys_accept+0x70/0xb0
[  469.011461][T30180]  do_syscall_64+0x7b/0x2c0
[  469.011466][T30180]  ? __pfx___handle_mm_fault+0x10/0x10
[  469.011468][T30180]  ? __pfx_css_rstat_updated+0x10/0x10
[  469.011471][T30180]  ? count_memcg_events+0x253/0x3f0
[  469.011475][T30180]  ? handle_mm_fault+0x382/0x6c0
[  469.011478][T30180]  ? do_user_addr_fault+0x820/0xd60
[  469.011482][T30180]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  469.011485][T30180] RIP: 0033:0x7f9c169c4687
[  469.011488][T30180] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[  469.011490][T30180] RSP: 002b:00007ffff0036ac0 EFLAGS: 00000202 ORIG_RAX: 000000000000002b
[  469.011494][T30180] RAX: ffffffffffffffda RBX: 00007f9c16932740 RCX: 00007f9c169c4687
[  469.011496][T30180] RDX: 00007ffff0036b14 RSI: 00007ffff0036b20 RDI: 0000000000000006
[  469.011498][T30180] RBP: 0000562f1b4e85a0 R08: 0000000000000000 R09: 0000000000000000
[  469.011500][T30180] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff0036b18
[  469.011501][T30180] R13: 00007ffff0036b20 R14: 00007ffff0036b14 R15: 0000562f1b4d3e5f
[  469.011504][T30180]  </TASK>
[  469.011505][T30180] 
[  469.257645][T30180] The buggy address belongs to the object at ffff88810df4e800
[  469.257645][T30180]  which belongs to the cache SCTPv6 of size 1536
[  469.271959][T30180] The buggy address is located 544 bytes inside of
[  469.271959][T30180]  allocated 1536-byte region [ffff88810df4e800, ffff88810df4ee00)
[  469.286795][T30180] 
[  469.289353][T30180] The buggy address belongs to the physical page:
[  469.296000][T30180] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10df48
[  469.305055][T30180] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  469.313790][T30180] memcg:ffff888223ff8201
[  469.318241][T30180] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
[  469.326258][T30180] page_type: f5(slab)
[  469.330466][T30180] raw: 0017ffffc0000040 ffff888101e08640 dead000000000122 0000000000000000
[  469.339270][T30180] raw: 0000000000000000 0000000080130013 00000000f5000000 ffff888223ff8201
[  469.348078][T30180] head: 0017ffffc0000040 ffff888101e08640 dead000000000122 0000000000000000
[  469.356993][T30180] head: 0000000000000000 0000000080130013 00000000f5000000 ffff888223ff8201
[  469.365914][T30180] head: 0017ffffc0000003 ffffea000437d201 00000000ffffffff 00000000ffffffff
[  469.374851][T30180] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  469.383788][T30180] page dumped because: kasan: bad access detected
[  469.390449][T30180] 
[  469.393031][T30180] Memory state around the buggy address:
[  469.398939][T30180]  ffff88810df4e900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  469.407261][T30180]  ffff88810df4e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  469.415589][T30180] >ffff88810df4ea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  469.423933][T30180]                                ^
[  469.429308][T30180]  ffff88810df4ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  469.437670][T30180]  ffff88810df4eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  469.446024][T30180] ==================================================================
[  469.454415][T30180] Disabling lock debugging due to kernel taint

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki