[BUG] general protection fault in ipv6_renew_options

From: Harriet W
Date: Fri May 16 2025 - 03:18:54 EST

Next message: Kairui Song: "Re: [linus:master] [mm, swap] b487a2da35: BUG:soft_lockup-CPU##stuck_for#s![stress-ng-swap:#]"
Previous message: Chen Ni: "[PATCH] ALSA: usb: fcp: Use USB API functions rather than constants"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

When I test the Linux kernel (commit
0c3836482481200ead7b416ca80c68a29cfdaabd), I encountered a kernel
panic issue related to improper protocol family handling in socket
operations, specifically in the sock_kmalloc(）function
(net/core/sock.c:2686).

The issue is that the sendmsg() call interprets the accepted TCPv6
socket as a TIPC socket, and the kernel proceeds without validating
the socket's protocol family, leading to access of uninitialized
sk_prot fields.This leads to a null-ptr dereference in sock_kmalloc().

This crash can be triggered by executing the C reproducer for multiple
times.The full crash report is attached to this email. Please feel
free to contact me for additional information or steps to reproduce.

This can be reproduced on:

HEAD commit:

0c3836482481200ead7b416ca80c68a29cfdaabd

report: https://pastebin.com/raw/Fh27JF8p

console output : https://pastebin.com/raw/46Gj5gPm

kernel config : https://pastebin.com/raw/cdj4sjkD

C reproducer : https://pastebin.com/raw/R5AQ1PG4

Next message: Kairui Song: "Re: [linus:master] [mm, swap] b487a2da35: BUG:soft_lockup-CPU##stuck_for#s![stress-ng-swap:#]"
Previous message: Chen Ni: "[PATCH] ALSA: usb: fcp: Use USB API functions rather than constants"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]