Re: net/l2tp: use-after-free write in l2tp_ip6_close

2016-11-22 Thread Andrey Konovalov
Hi Guillaume,

Sorry, I was on vacation last week, couldn't reply.

As I can see, a fix was already sent upstream.

Thanks!

On Thu, Nov 10, 2016 at 6:44 PM, Guillaume Nault wrote:
> On Mon, Nov 07, 2016 at 11:35:26PM +0100, Andrey Konovalov wrote:
>> Hi,
>>
>> I've got the following error report while running the syzkaller fuzzer:
>>
>> ==
>> BUG: KASAN: use-after-free in l2tp_ip6_close+0x239/0x2a0 at addr
>> 8800677276d8
>> Write of size 8 by task a.out/8668
>> CPU: 0 PID: 8668 Comm: a.out Not tainted 4.9.0-rc4+ #354
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>  8800694d7b00 81b46a64 88006adb5780 8800677276c0
>>  880067727c68 8800677276c0 8800694d7b28 8150a86c
>>  8800694d7bb8 88006adb5780 8800e77276d8 8800694d7ba8
>> Call Trace:
>>  [< inline >] __dump_stack lib/dump_stack.c:15
>>  [] dump_stack+0xb3/0x10f lib/dump_stack.c:51
>>  [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
>>  [< inline >] print_address_description mm/kasan/report.c:194
>>  [] kasan_report_error+0x1f7/0x4d0 mm/kasan/report.c:283
>>  [< inline >] kasan_report mm/kasan/report.c:303
>>  [] __asan_report_store8_noabort+0x3e/0x40
>> mm/kasan/report.c:329
>>  [< inline >] __write_once_size ./include/linux/compiler.h:272
>>  [< inline >] __hlist_del ./include/linux/list.h:622
>>  [< inline >] hlist_del_init ./include/linux/list.h:637
>>  [] l2tp_ip6_close+0x239/0x2a0 net/l2tp/l2tp_ip6.c:239
>>  [] inet_release+0xef/0x1c0 net/ipv4/af_inet.c:415
>>  [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
>>  [] sock_release+0x8e/0x1d0 net/socket.c:570
>>  [] sock_close+0x16/0x20 net/socket.c:1017
>>  [] __fput+0x29d/0x720 fs/file_table.c:208
>>  [] fput+0x15/0x20 fs/file_table.c:244
>>  [] task_work_run+0xf8/0x170 kernel/task_work.c:116
>>  [< inline >] exit_task_work ./include/linux/task_work.h:21
>>  [] do_exit+0x883/0x2ac0 kernel/exit.c:828
>>  [] do_group_exit+0x10e/0x340 kernel/exit.c:931
>>  [< inline >] SYSC_exit_group kernel/exit.c:942
>>  [] SyS_exit_group+0x1d/0x20 kernel/exit.c:940
>>  [] entry_SYSCALL_64_fastpath+0x1f/0xc2
>> arch/x86/entry/entry_64.S:209
>> Object at 8800677276c0, in cache L2TP/IPv6 size: 1448
>> Allocated:
>> PID = 8692
>> [] save_stack_trace+0x16/0x20 
>> arch/x86/kernel/stacktrace.c:57
>> [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
>> [< inline >] set_track mm/kasan/kasan.c:507
>> [] kasan_kmalloc+0xab/0xe0 mm/kasan/kasan.c:598
>> [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
>> [< inline >] slab_post_alloc_hook mm/slab.h:417
>> [< inline >] slab_alloc_node mm/slub.c:2708
>> [< inline >] slab_alloc mm/slub.c:2716
>> [] kmem_cache_alloc+0xb4/0x270 mm/slub.c:2721
>> [] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1327
>> [] sk_alloc+0x38/0xaf0 net/core/sock.c:1389
>> [] inet6_create+0x2e5/0xf60 net/ipv6/af_inet6.c:182
>> [] __sock_create+0x37f/0x640 net/socket.c:1153
>> [< inline >] sock_create net/socket.c:1193
>> [< inline >] SYSC_socket net/socket.c:1223
>> [] SyS_socket+0xf0/0x1b0 net/socket.c:1203
>> [] entry_SYSCALL_64_fastpath+0x1f/0xc2
>> arch/x86/entry/entry_64.S:209
>> Freed:
>> PID = 8668
>> [] save_stack_trace+0x16/0x20 
>> arch/x86/kernel/stacktrace.c:57
>> [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
>> [< inline >] set_track mm/kasan/kasan.c:507
>> [] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
>> [< inline >] slab_free_hook mm/slub.c:1352
>> [< inline >] slab_free_freelist_hook mm/slub.c:1374
>> [< inline >] slab_free mm/slub.c:2951
>> [] kmem_cache_free+0xb3/0x2c0 mm/slub.c:2973
>> [< inline >] sk_prot_free net/core/sock.c:1370
>> [] __sk_destruct+0x319/0x480 net/core/sock.c:1445
>> [] sk_destruct+0x44/0x80 net/core/sock.c:1453
>> [] __sk_free+0x54/0x230 net/core/sock.c:1461
>> [] sk_free+0x23/0x30 net/core/sock.c:1472
>> [< inline >] sock_put ./include/net/sock.h:1591
>> [] sk_common_release+0x294/0x3e0 net/core/sock.c:2745
>> [] l2tp_ip6_close+0x209/0x2a0 net/l2tp/l2tp_ip6.c:243
>> [] inet_release+0xef/0x1c0 net/ipv4/af_inet.c:415
>> [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
>> [] sock_release+0x8e/0x1d0 net/socket.c:570
>> [] sock_close+0x16/0x20 net/socket.c:1017
>> [] __fput+0x29d/0x720 fs/file_table.c:208
>> [] fput+0x15/0x20 fs/file_table.c:244
>> [] task_work_run+0xf8/0x170 kernel/task_work.c:116
>> [< inline >] exit_task_work ./include/linux/task_work.h:21
>> [] do_exit+0x883/0x2ac0 kernel/exit.c:828
>> [] do_group_exit+0x10e/0x340 kernel/exit.c:931
>> [< inline >] SYSC_exit_group kernel/exit.c:942
>> [] SyS_exit_group+0x1d/0x20 kernel/exit.c:940
>> [] entry_SYSCALL_64_fastpath+0x1f/0xc2
>> arch/x86/entry/entry_64.S:209
>> Memory state around the buggy address:
>>  880067727580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Re: net/l2tp: use-after-free write in l2tp_ip6_close

2016-11-10 Thread Guillaume Nault
On Mon, Nov 07, 2016 at 11:35:26PM +0100, Andrey Konovalov wrote:
> Hi,
> 
> I've got the following error report while running the syzkaller fuzzer:
> 
> ==
> BUG: KASAN: use-after-free in l2tp_ip6_close+0x239/0x2a0 at addr
> 8800677276d8
> Write of size 8 by task a.out/8668
> CPU: 0 PID: 8668 Comm: a.out Not tainted 4.9.0-rc4+ #354
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  8800694d7b00 81b46a64 88006adb5780 8800677276c0
>  880067727c68 8800677276c0 8800694d7b28 8150a86c
>  8800694d7bb8 88006adb5780 8800e77276d8 8800694d7ba8
> Call Trace:
>  [< inline >] __dump_stack lib/dump_stack.c:15
>  [] dump_stack+0xb3/0x10f lib/dump_stack.c:51
>  [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
>  [< inline >] print_address_description mm/kasan/report.c:194
>  [] kasan_report_error+0x1f7/0x4d0 mm/kasan/report.c:283
>  [< inline >] kasan_report mm/kasan/report.c:303
>  [] __asan_report_store8_noabort+0x3e/0x40
> mm/kasan/report.c:329
>  [< inline >] __write_once_size ./include/linux/compiler.h:272
>  [< inline >] __hlist_del ./include/linux/list.h:622
>  [< inline >] hlist_del_init ./include/linux/list.h:637
>  [] l2tp_ip6_close+0x239/0x2a0 net/l2tp/l2tp_ip6.c:239
>  [] inet_release+0xef/0x1c0 net/ipv4/af_inet.c:415
>  [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
>  [] sock_release+0x8e/0x1d0 net/socket.c:570
>  [] sock_close+0x16/0x20 net/socket.c:1017
>  [] __fput+0x29d/0x720 fs/file_table.c:208
>  [] fput+0x15/0x20 fs/file_table.c:244
>  [] task_work_run+0xf8/0x170 kernel/task_work.c:116
>  [< inline >] exit_task_work ./include/linux/task_work.h:21
>  [] do_exit+0x883/0x2ac0 kernel/exit.c:828
>  [] do_group_exit+0x10e/0x340 kernel/exit.c:931
>  [< inline >] SYSC_exit_group kernel/exit.c:942
>  [] SyS_exit_group+0x1d/0x20 kernel/exit.c:940
>  [] entry_SYSCALL_64_fastpath+0x1f/0xc2
> arch/x86/entry/entry_64.S:209
> Object at 8800677276c0, in cache L2TP/IPv6 size: 1448
> Allocated:
> PID = 8692
> [] save_stack_trace+0x16/0x20 
> arch/x86/kernel/stacktrace.c:57
> [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
> [< inline >] set_track mm/kasan/kasan.c:507
> [] kasan_kmalloc+0xab/0xe0 mm/kasan/kasan.c:598
> [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
> [< inline >] slab_post_alloc_hook mm/slab.h:417
> [< inline >] slab_alloc_node mm/slub.c:2708
> [< inline >] slab_alloc mm/slub.c:2716
> [] kmem_cache_alloc+0xb4/0x270 mm/slub.c:2721
> [] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1327
> [] sk_alloc+0x38/0xaf0 net/core/sock.c:1389
> [] inet6_create+0x2e5/0xf60 net/ipv6/af_inet6.c:182
> [] __sock_create+0x37f/0x640 net/socket.c:1153
> [< inline >] sock_create net/socket.c:1193
> [< inline >] SYSC_socket net/socket.c:1223
> [] SyS_socket+0xf0/0x1b0 net/socket.c:1203
> [] entry_SYSCALL_64_fastpath+0x1f/0xc2
> arch/x86/entry/entry_64.S:209
> Freed:
> PID = 8668
> [] save_stack_trace+0x16/0x20 
> arch/x86/kernel/stacktrace.c:57
> [] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
> [< inline >] set_track mm/kasan/kasan.c:507
> [] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
> [< inline >] slab_free_hook mm/slub.c:1352
> [< inline >] slab_free_freelist_hook mm/slub.c:1374
> [< inline >] slab_free mm/slub.c:2951
> [] kmem_cache_free+0xb3/0x2c0 mm/slub.c:2973
> [< inline >] sk_prot_free net/core/sock.c:1370
> [] __sk_destruct+0x319/0x480 net/core/sock.c:1445
> [] sk_destruct+0x44/0x80 net/core/sock.c:1453
> [] __sk_free+0x54/0x230 net/core/sock.c:1461
> [] sk_free+0x23/0x30 net/core/sock.c:1472
> [< inline >] sock_put ./include/net/sock.h:1591
> [] sk_common_release+0x294/0x3e0 net/core/sock.c:2745
> [] l2tp_ip6_close+0x209/0x2a0 net/l2tp/l2tp_ip6.c:243
> [] inet_release+0xef/0x1c0 net/ipv4/af_inet.c:415
> [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
> [] sock_release+0x8e/0x1d0 net/socket.c:570
> [] sock_close+0x16/0x20 net/socket.c:1017
> [] __fput+0x29d/0x720 fs/file_table.c:208
> [] fput+0x15/0x20 fs/file_table.c:244
> [] task_work_run+0xf8/0x170 kernel/task_work.c:116
> [< inline >] exit_task_work ./include/linux/task_work.h:21
> [] do_exit+0x883/0x2ac0 kernel/exit.c:828
> [] do_group_exit+0x10e/0x340 kernel/exit.c:931
> [< inline >] SYSC_exit_group kernel/exit.c:942
> [] SyS_exit_group+0x1d/0x20 kernel/exit.c:940
> [] entry_SYSCALL_64_fastpath+0x1f/0xc2
> arch/x86/entry/entry_64.S:209
> Memory state around the buggy address:
>  880067727580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  880067727600: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
> >880067727680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ^
>  880067727700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  8800677

Re: net/l2tp: use-after-free write in l2tp_ip6_close

2016-11-08 Thread Andrey Konovalov
Hi Cong,

Tried with your patch, still seeing the reports.

Thanks!

On Tue, Nov 8, 2016 at 12:02 AM, Cong Wang wrote:
> On Mon, Nov 7, 2016 at 2:35 PM, Andrey Konovalov wrote:
>> Hi,
>>
>> I've got the following error report while running the syzkaller fuzzer:
>>
>> ==
>> BUG: KASAN: use-after-free in l2tp_ip6_close+0x239/0x2a0 at addr
>> 8800677276d8
>> Write of size 8 by task a.out/8668
>> CPU: 0 PID: 8668 Comm: a.out Not tainted 4.9.0-rc4+ #354
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>  8800694d7b00 81b46a64 88006adb5780 8800677276c0
>>  880067727c68 8800677276c0 8800694d7b28 8150a86c
>>  8800694d7bb8 88006adb5780 8800e77276d8 8800694d7ba8
>> Call Trace:
>>  [< inline >] __dump_stack lib/dump_stack.c:15
>>  [] dump_stack+0xb3/0x10f lib/dump_stack.c:51
>>  [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
>>  [< inline >] print_address_description mm/kasan/report.c:194
>>  [] kasan_report_error+0x1f7/0x4d0 mm/kasan/report.c:283
>>  [< inline >] kasan_report mm/kasan/report.c:303
>>  [] __asan_report_store8_noabort+0x3e/0x40
>> mm/kasan/report.c:329
>>  [< inline >] __write_once_size ./include/linux/compiler.h:272
>>  [< inline >] __hlist_del ./include/linux/list.h:622
>>  [< inline >] hlist_del_init ./include/linux/list.h:637
>>  [] l2tp_ip6_close+0x239/0x2a0 net/l2tp/l2tp_ip6.c:239
>>  [] inet_release+0xef/0x1c0 net/ipv4/af_inet.c:415
>>  [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
>>  [] sock_release+0x8e/0x1d0 net/socket.c:570
>>  [] sock_close+0x16/0x20 net/socket.c:1017
>>  [] __fput+0x29d/0x720 fs/file_table.c:208
>>  [] fput+0x15/0x20 fs/file_table.c:244
>>  [] task_work_run+0xf8/0x170 kernel/task_work.c:116
>>  [< inline >] exit_task_work ./include/linux/task_work.h:21
>>  [] do_exit+0x883/0x2ac0 kernel/exit.c:828
>>  [] do_group_exit+0x10e/0x340 kernel/exit.c:931
>>  [< inline >] SYSC_exit_group kernel/exit.c:942
>>  [] SyS_exit_group+0x1d/0x20 kernel/exit.c:940
>>  [] entry_SYSCALL_64_fastpath+0x1f/0xc2
>> arch/x86/entry/entry_64.S:209
>
> I guess we need to lock the sock for l2tp_ip6_disconnect() too.
>
> diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
> index ad3468c..ea2ae66 100644
> --- a/net/l2tp/l2tp_ip6.c
> +++ b/net/l2tp/l2tp_ip6.c
> @@ -410,7 +410,7 @@ static int l2tp_ip6_disconnect(struct sock *sk, int flags)
> if (sock_flag(sk, SOCK_ZAPPED))
> return 0;
>
> -   return __udp_disconnect(sk, flags);
> +   return udp_disconnect(sk, flags);
>  }
>
>  static int l2tp_ip6_getname(struct socket *sock, struct sockaddr *uaddr,


Re: net/l2tp: use-after-free write in l2tp_ip6_close

2016-11-07 Thread Cong Wang
On Mon, Nov 7, 2016 at 2:35 PM, Andrey Konovalov wrote:
> Hi,
>
> I've got the following error report while running the syzkaller fuzzer:
>
> ==
> BUG: KASAN: use-after-free in l2tp_ip6_close+0x239/0x2a0 at addr
> 8800677276d8
> Write of size 8 by task a.out/8668
> CPU: 0 PID: 8668 Comm: a.out Not tainted 4.9.0-rc4+ #354
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  8800694d7b00 81b46a64 88006adb5780 8800677276c0
>  880067727c68 8800677276c0 8800694d7b28 8150a86c
>  8800694d7bb8 88006adb5780 8800e77276d8 8800694d7ba8
> Call Trace:
>  [< inline >] __dump_stack lib/dump_stack.c:15
>  [] dump_stack+0xb3/0x10f lib/dump_stack.c:51
>  [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
>  [< inline >] print_address_description mm/kasan/report.c:194
>  [] kasan_report_error+0x1f7/0x4d0 mm/kasan/report.c:283
>  [< inline >] kasan_report mm/kasan/report.c:303
>  [] __asan_report_store8_noabort+0x3e/0x40
> mm/kasan/report.c:329
>  [< inline >] __write_once_size ./include/linux/compiler.h:272
>  [< inline >] __hlist_del ./include/linux/list.h:622
>  [< inline >] hlist_del_init ./include/linux/list.h:637
>  [] l2tp_ip6_close+0x239/0x2a0 net/l2tp/l2tp_ip6.c:239
>  [] inet_release+0xef/0x1c0 net/ipv4/af_inet.c:415
>  [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
>  [] sock_release+0x8e/0x1d0 net/socket.c:570
>  [] sock_close+0x16/0x20 net/socket.c:1017
>  [] __fput+0x29d/0x720 fs/file_table.c:208
>  [] fput+0x15/0x20 fs/file_table.c:244
>  [] task_work_run+0xf8/0x170 kernel/task_work.c:116
>  [< inline >] exit_task_work ./include/linux/task_work.h:21
>  [] do_exit+0x883/0x2ac0 kernel/exit.c:828
>  [] do_group_exit+0x10e/0x340 kernel/exit.c:931
>  [< inline >] SYSC_exit_group kernel/exit.c:942
>  [] SyS_exit_group+0x1d/0x20 kernel/exit.c:940
>  [] entry_SYSCALL_64_fastpath+0x1f/0xc2
> arch/x86/entry/entry_64.S:209

I guess we need to lock the sock for l2tp_ip6_disconnect() too.

diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index ad3468c..ea2ae66 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -410,7 +410,7 @@ static int l2tp_ip6_disconnect(struct sock *sk, int flags)
if (sock_flag(sk, SOCK_ZAPPED))
return 0;

-   return __udp_disconnect(sk, flags);
+   return udp_disconnect(sk, flags);
 }

 static int l2tp_ip6_getname(struct socket *sock, struct sockaddr *uaddr,
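Review bot: the `sock_flag(sk, SOCK_ZAPPED)` test at the top of `l2tp_ip6_disconnect()` still runs before `udp_disconnect()` takes the socket lock, so the flag can flip between the test and the lock and the early `return 0` can be taken for a socket that is no longer zapped (or the disconnect can proceed on one that has just become zapped); if the goal is to serialize disconnect against bind and close, take `lock_sock(sk)` in `l2tp_ip6_disconnect()` itself, test `SOCK_ZAPPED` under it and keep the `__udp_disconnect(sk, flags)` call, rather than only swapping in the locking wrapper. The commit message should also connect this path to the trace, which faults in `l2tp_ip6_close()` at `hlist_del_init()` (l2tp_ip6.c:239) on the socket's bind-hash linkage while this hunk changes neither bind nor close; the reply further up in this thread reports that the KASAN splat still reproduces with the patch applied.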


net/l2tp: use-after-free write in l2tp_ip6_close

2016-11-07 Thread Andrey Konovalov
Hi,

I've got the following error report while running the syzkaller fuzzer:

==
BUG: KASAN: use-after-free in l2tp_ip6_close+0x239/0x2a0 at addr
8800677276d8
Write of size 8 by task a.out/8668
CPU: 0 PID: 8668 Comm: a.out Not tainted 4.9.0-rc4+ #354
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 8800694d7b00 81b46a64 88006adb5780 8800677276c0
 880067727c68 8800677276c0 8800694d7b28 8150a86c
 8800694d7bb8 88006adb5780 8800e77276d8 8800694d7ba8
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [] dump_stack+0xb3/0x10f lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [< inline >] print_address_description mm/kasan/report.c:194
 [] kasan_report_error+0x1f7/0x4d0 mm/kasan/report.c:283
 [< inline >] kasan_report mm/kasan/report.c:303
 [] __asan_report_store8_noabort+0x3e/0x40
mm/kasan/report.c:329
 [< inline >] __write_once_size ./include/linux/compiler.h:272
 [< inline >] __hlist_del ./include/linux/list.h:622
 [< inline >] hlist_del_init ./include/linux/list.h:637
 [] l2tp_ip6_close+0x239/0x2a0 net/l2tp/l2tp_ip6.c:239
 [] inet_release+0xef/0x1c0 net/ipv4/af_inet.c:415
 [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [] sock_release+0x8e/0x1d0 net/socket.c:570
 [] sock_close+0x16/0x20 net/socket.c:1017
 [] __fput+0x29d/0x720 fs/file_table.c:208
 [] fput+0x15/0x20 fs/file_table.c:244
 [] task_work_run+0xf8/0x170 kernel/task_work.c:116
 [< inline >] exit_task_work ./include/linux/task_work.h:21
 [] do_exit+0x883/0x2ac0 kernel/exit.c:828
 [] do_group_exit+0x10e/0x340 kernel/exit.c:931
 [< inline >] SYSC_exit_group kernel/exit.c:942
 [] SyS_exit_group+0x1d/0x20 kernel/exit.c:940
 [] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
Object at 8800677276c0, in cache L2TP/IPv6 size: 1448
Allocated:
PID = 8692
[] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[< inline >] set_track mm/kasan/kasan.c:507
[] kasan_kmalloc+0xab/0xe0 mm/kasan/kasan.c:598
[] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
[< inline >] slab_post_alloc_hook mm/slab.h:417
[< inline >] slab_alloc_node mm/slub.c:2708
[< inline >] slab_alloc mm/slub.c:2716
[] kmem_cache_alloc+0xb4/0x270 mm/slub.c:2721
[] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1327
[] sk_alloc+0x38/0xaf0 net/core/sock.c:1389
[] inet6_create+0x2e5/0xf60 net/ipv6/af_inet6.c:182
[] __sock_create+0x37f/0x640 net/socket.c:1153
[< inline >] sock_create net/socket.c:1193
[< inline >] SYSC_socket net/socket.c:1223
[] SyS_socket+0xf0/0x1b0 net/socket.c:1203
[] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
Freed:
PID = 8668
[] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[< inline >] set_track mm/kasan/kasan.c:507
[] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
[< inline >] slab_free_hook mm/slub.c:1352
[< inline >] slab_free_freelist_hook mm/slub.c:1374
[< inline >] slab_free mm/slub.c:2951
[] kmem_cache_free+0xb3/0x2c0 mm/slub.c:2973
[< inline >] sk_prot_free net/core/sock.c:1370
[] __sk_destruct+0x319/0x480 net/core/sock.c:1445
[] sk_destruct+0x44/0x80 net/core/sock.c:1453
[] __sk_free+0x54/0x230 net/core/sock.c:1461
[] sk_free+0x23/0x30 net/core/sock.c:1472
[< inline >] sock_put ./include/net/sock.h:1591
[] sk_common_release+0x294/0x3e0 net/core/sock.c:2745
[] l2tp_ip6_close+0x209/0x2a0 net/l2tp/l2tp_ip6.c:243
[] inet_release+0xef/0x1c0 net/ipv4/af_inet.c:415
[] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
[] sock_release+0x8e/0x1d0 net/socket.c:570
[] sock_close+0x16/0x20 net/socket.c:1017
[] __fput+0x29d/0x720 fs/file_table.c:208
[] fput+0x15/0x20 fs/file_table.c:244
[] task_work_run+0xf8/0x170 kernel/task_work.c:116
[< inline >] exit_task_work ./include/linux/task_work.h:21
[] do_exit+0x883/0x2ac0 kernel/exit.c:828
[] do_group_exit+0x10e/0x340 kernel/exit.c:931
[< inline >] SYSC_exit_group kernel/exit.c:942
[] SyS_exit_group+0x1d/0x20 kernel/exit.c:940
[] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
Memory state around the buggy address:
 880067727580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880067727600: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
>880067727680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
 880067727700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880067727780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==

To reproduce, run the attached program in a tight parallel loop using
stress (https://godoc.org/golang.org/x/tools/cmd/stress):
$ gcc -lpthread tmp.c
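Reading a report of this shape is most of the triage work, so here is an added example that is not part of this thread or of the kernel tree: a small Python script that parses a KASAN report of the 4.9-era layout used above (`BUG: KASAN: ... at addr`, `Object at ..., in cache ... size:`, `Allocated:`/`Freed:` sections with a `PID =` line) and pulls out what a reviewer checks first: the innermost frames of the bad access once the KASAN and dump_stack frames are dropped, the offset of the faulting address inside the slab object, and which tasks allocated, freed and re-touched it. The names `parse_kasan_report`, `fault_path`, `triage` and `SAMPLE_REPORT` are this example's own; `SAMPLE_REPORT` is constructed from the report above, trimmed to a few frames per trace, with the mail wrapping of the `at addr` and `__asan_report_store8_noabort` lines and the stripped `ffff` address prefixes kept exactly as they appear on this page, so the parser is shown coping with both.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Frame = Tuple[str, str]  # (symbol[+off/len], "path/file.c:line"); location is "" if the report gives none
# e.g. "[] l2tp_ip6_close+0x239/0x2a0 net/l2tp/l2tp_ip6.c:239" or "[< inline >] __hlist_del ./include/linux/list.h:622"
FRAME_RE = re.compile(r"^\[[^\]]*\]\s*(?P<sym>\S+)(?:\s+(?P<loc>\S+:\d+))?$")  # bracket body (raw address) may be empty
LOC_RE = re.compile(r"^\S+:\d+$")
HEADER_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+) at addr\s+(?P<addr>[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"Object at\s+(?P<base>[0-9a-fA-F]+), in cache (?P<cache>.+?) size: (?P<size>\d+)")

@dataclass
class KasanReport:
    bug: str    # e.g. "use-after-free"
    func: str   # function named on the BUG line, without +off/len
    addr: int
    kind: str   # "Read" or "Write"
    size: int
    pid: int    # task that performed the bad access
    base: Optional[int] = None          # slab object start, from the "Object at" line
    cache: Optional[str] = None
    object_size: Optional[int] = None
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    trace: List[Frame] = field(default_factory=list)
    alloc_trace: List[Frame] = field(default_factory=list)
    free_trace: List[Frame] = field(default_factory=list)

def _frames(body: str) -> List[Frame]:
    """Frame lines of one section; re-joins a "path:line" that mail wrapping pushed onto its own line."""
    lines, frames = [ln.strip() for ln in body.splitlines()], []
    for k, line in enumerate(lines):
        m = FRAME_RE.match(line)
        if m:
            loc = m.group("loc") or (lines[k + 1] if k + 1 < len(lines) and LOC_RE.match(lines[k + 1]) else "")
            frames.append((m.group("sym"), loc))
    return frames

def parse_kasan_report(text: str) -> KasanReport:
    h, a, o = HEADER_RE.search(text), ACCESS_RE.search(text), OBJECT_RE.search(text)
    if not h or not a:
        raise ValueError("not a KASAN report: BUG or access line missing")
    rep = KasanReport(bug=h["bug"], func=h["func"].split("+")[0], addr=int(h["addr"], 16),
                      kind=a["kind"], size=int(a["size"]), pid=int(a["pid"]))
    if o:
        rep.base, rep.cache, rep.object_size = int(o["base"], 16), o["cache"], int(o["size"])
    # Cut the report at its section headers; the chunk after each header holds that section's frames.
    parts = re.split(r"^(Call Trace:|Allocated:|Freed:|Object at .*|Memory state.*)$", text, flags=re.M)
    for header, body in zip(parts[1::2], parts[2::2]):
        pid = re.search(r"PID = (\d+)", body)
        if header == "Call Trace:":
            rep.trace = _frames(body)
        elif header == "Allocated:":
            rep.alloc_pid, rep.alloc_trace = (int(pid[1]) if pid else None), _frames(body)
        elif header == "Freed:":
            rep.free_pid, rep.free_trace = (int(pid[1]) if pid else None), _frames(body)
    return rep

def fault_path(rep: KasanReport) -> List[Frame]:
    """Frames of the bad access below the KASAN/dump_stack frames, up to the function named on the BUG line."""
    path = [(s, l) for s, l in rep.trace if not l.startswith(("mm/kasan/", "lib/dump_stack.c"))]
    stop = next((k for k, (s, _) in enumerate(path) if s.split("+")[0] == rep.func), len(path) - 1)
    return path[:stop + 1]

def triage(rep: KasanReport) -> Dict[str, object]:
    """What a reviewer checks first: where the access is, where in the object it lands, who touched the object."""
    offset = None if rep.base is None else rep.addr - rep.base
    return {
        "site": " <- ".join(s.split("+")[0] for s, _ in fault_path(rep)),
        "offset_in_object": offset,
        "within_object": offset is not None and rep.object_size is not None and 0 <= offset < rep.object_size,
        "freed_by_faulting_task": rep.free_pid == rep.pid,
        "allocated_by_other_task": rep.alloc_pid is not None and rep.alloc_pid != rep.free_pid,
        "free_site_is_fault_site": rep.func in {s.split("+")[0] for s, _ in rep.free_trace},
    }

# Constructed sample: the report from this thread, trimmed, with its mail wrapping and stripped "ffff" prefixes kept.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in l2tp_ip6_close+0x239/0x2a0 at addr
8800677276d8
Write of size 8 by task a.out/8668
Call Trace:
 [] __asan_report_store8_noabort+0x3e/0x40
mm/kasan/report.c:329
 [< inline >] __write_once_size ./include/linux/compiler.h:272
 [< inline >] __hlist_del ./include/linux/list.h:622
 [< inline >] hlist_del_init ./include/linux/list.h:637
 [] l2tp_ip6_close+0x239/0x2a0 net/l2tp/l2tp_ip6.c:239
 [] inet_release+0xef/0x1c0 net/ipv4/af_inet.c:415
Object at 8800677276c0, in cache L2TP/IPv6 size: 1448
Allocated:
PID = 8692
[] sk_alloc+0x38/0xaf0 net/core/sock.c:1389
Freed:
PID = 8668
[] sk_common_release+0x294/0x3e0 net/core/sock.c:2745
[] l2tp_ip6_close+0x209/0x2a0 net/l2tp/l2tp_ip6.c:243
"""
```

On the sample, `triage(parse_kasan_report(SAMPLE_REPORT))` reports a write at offset 0x18 into a 1448-byte `L2TP/IPv6` object, reached as `__write_once_size <- __hlist_del <- hlist_del_init <- l2tp_ip6_close`, freed by the same task (8668) that now touches it through the same function, and allocated by another task (8692). The innermost frame is the useful part: in `__hlist_del()` the only store made through `WRITE_ONCE()` is `*pprev = next`, and `hlist_del_init()` reads the node's own `pprev` before that store, so a first report that is a write rather than a read means the freed object is not the socket being closed but the socket linked before it on the bind list, that is, a socket that was released without being unlinked from the hash.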