{"api_version":"1","generated_at":"2026-05-01T19:11:38+00:00","cve":"CVE-2026-43016","urls":{"html":"https://cve.report/CVE-2026-43016","api":"https://cve.report/api/cve/CVE-2026-43016.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43016","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43016"},"summary":{"title":"bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready().","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready().\n\nsyzbot reported use-after-free of AF_UNIX socket's sk->sk_socket\nin sk_psock_verdict_data_ready(). [0]\n\nIn unix_stream_sendmsg(), the peer socket's ->sk_data_ready() is\ncalled after dropping its unix_state_lock().\n\nAlthough the sender socket holds the peer's refcount, it does not\nprevent the peer's sock_orphan(), and the peer's sk_socket might\nbe freed after one RCU grace period.\n\nLet's fetch the peer's sk->sk_socket and sk->sk_socket->ops under\nRCU in sk_psock_verdict_data_ready().\n\n[0]:\nBUG: KASAN: slab-use-after-free in sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\nRead of size 8 at addr ffff8880594da860 by task syz.4.1842/11013\n\nCPU: 1 UID: 0 PID: 11013 Comm: syz.4.1842 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026\nCall Trace:\n <TASK>\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xba/0x230 mm/kasan/report.c:482\n kasan_report+0x117/0x150 mm/kasan/report.c:595\n sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\n unix_stream_sendmsg+0x8a3/0xe80 net/unix/af_unix.c:2482\n sock_sendmsg_nosec net/socket.c:721 [inline]\n __sock_sendmsg net/socket.c:736 [inline]\n ____sys_sendmsg+0x972/0x9f0 net/socket.c:2585\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2639\n __sys_sendmsg net/socket.c:2671 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7facf899c819\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007facf9827028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007facf8c15fa0 RCX: 00007facf899c819\nRDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004\nRBP: 00007facf8a32c91 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007facf8c16038 R14: 00007facf8c15fa0 R15: 00007ffd41b01c78\n </TASK>\n\nAllocated by task 11013:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n unpoison_slab_object mm/kasan/common.c:340 [inline]\n __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366\n kasan_slab_alloc include/linux/kasan.h:253 [inline]\n slab_post_alloc_hook mm/slub.c:4538 [inline]\n slab_alloc_node mm/slub.c:4866 [inline]\n kmem_cache_alloc_lru_noprof+0x2b8/0x640 mm/slub.c:4885\n sock_alloc_inode+0x28/0xc0 net/socket.c:316\n alloc_inode+0x6a/0x1b0 fs/inode.c:347\n new_inode_pseudo include/linux/fs.h:3003 [inline]\n sock_alloc net/socket.c:631 [inline]\n __sock_create+0x12d/0x9d0 net/socket.c:1562\n sock_create net/socket.c:1656 [inline]\n __sys_socketpair+0x1c4/0x560 net/socket.c:1803\n __do_sys_socketpair net/socket.c:1856 [inline]\n __se_sys_socketpair net/socket.c:1853 [inline]\n __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1853\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 15:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584\n poison_slab_object mm/kasan/common.c:253 [inline]\n __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285\n kasan_slab_free include/linux/kasan.h:235 [inline]\n slab_free_hook mm/slub.c:2685 [inline]\n slab_free mm/slub.c:6165 [inline]\n kmem_cache_free+0x187/0x630 mm/slub.c:6295\n rcu_do_batch kernel/rcu/tree.c:\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-01 15:16:45","updated_at":"2026-05-01 15:24:14"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/af95bc39a83d82ae6ad253986335037256888b3f","name":"https://git.kernel.org/stable/c/af95bc39a83d82ae6ad253986335037256888b3f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ad8391d37f334ee73ba91926f8b4e4cf6d31ea04","name":"https://git.kernel.org/stable/c/ad8391d37f334ee73ba91926f8b4e4cf6d31ea04","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/68187f18a89be4b6237d28ae1313b5adf76238c6","name":"https://git.kernel.org/stable/c/68187f18a89be4b6237d28ae1313b5adf76238c6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8d597e3e74027900ffa81b8ff47ab51999a3e110","name":"https://git.kernel.org/stable/c/8d597e3e74027900ffa81b8ff47ab51999a3e110","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/18861f87a043e78b1f901cae4237e755ed7ef095","name":"https://git.kernel.org/stable/c/18861f87a043e78b1f901cae4237e755ed7ef095","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43016","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43016","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c63829182c37c2d6d0608976d15fa61ebebe9e6b 8d597e3e74027900ffa81b8ff47ab51999a3e110 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c63829182c37c2d6d0608976d15fa61ebebe9e6b 68187f18a89be4b6237d28ae1313b5adf76238c6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c63829182c37c2d6d0608976d15fa61ebebe9e6b 18861f87a043e78b1f901cae4237e755ed7ef095 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c63829182c37c2d6d0608976d15fa61ebebe9e6b af95bc39a83d82ae6ad253986335037256888b3f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c63829182c37c2d6d0608976d15fa61ebebe9e6b ad8391d37f334ee73ba91926f8b4e4cf6d31ea04 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.15","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.134 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.81 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.22 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.12 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/core/skmsg.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"8d597e3e74027900ffa81b8ff47ab51999a3e110","status":"affected","version":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","versionType":"git"},{"lessThan":"68187f18a89be4b6237d28ae1313b5adf76238c6","status":"affected","version":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","versionType":"git"},{"lessThan":"18861f87a043e78b1f901cae4237e755ed7ef095","status":"affected","version":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","versionType":"git"},{"lessThan":"af95bc39a83d82ae6ad253986335037256888b3f","status":"affected","version":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","versionType":"git"},{"lessThan":"ad8391d37f334ee73ba91926f8b4e4cf6d31ea04","status":"affected","version":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/core/skmsg.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.15"},{"lessThan":"5.15","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.134","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.81","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.22","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.12","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.134","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.81","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.22","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.12","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"5.15","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready().\n\nsyzbot reported use-after-free of AF_UNIX socket's sk->sk_socket\nin sk_psock_verdict_data_ready(). [0]\n\nIn unix_stream_sendmsg(), the peer socket's ->sk_data_ready() is\ncalled after dropping its unix_state_lock().\n\nAlthough the sender socket holds the peer's refcount, it does not\nprevent the peer's sock_orphan(), and the peer's sk_socket might\nbe freed after one RCU grace period.\n\nLet's fetch the peer's sk->sk_socket and sk->sk_socket->ops under\nRCU in sk_psock_verdict_data_ready().\n\n[0]:\nBUG: KASAN: slab-use-after-free in sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\nRead of size 8 at addr ffff8880594da860 by task syz.4.1842/11013\n\nCPU: 1 UID: 0 PID: 11013 Comm: syz.4.1842 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026\nCall Trace:\n <TASK>\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xba/0x230 mm/kasan/report.c:482\n kasan_report+0x117/0x150 mm/kasan/report.c:595\n sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\n unix_stream_sendmsg+0x8a3/0xe80 net/unix/af_unix.c:2482\n sock_sendmsg_nosec net/socket.c:721 [inline]\n __sock_sendmsg net/socket.c:736 [inline]\n ____sys_sendmsg+0x972/0x9f0 net/socket.c:2585\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2639\n __sys_sendmsg net/socket.c:2671 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7facf899c819\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007facf9827028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007facf8c15fa0 RCX: 00007facf899c819\nRDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004\nRBP: 00007facf8a32c91 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007facf8c16038 R14: 00007facf8c15fa0 R15: 00007ffd41b01c78\n </TASK>\n\nAllocated by task 11013:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n unpoison_slab_object mm/kasan/common.c:340 [inline]\n __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366\n kasan_slab_alloc include/linux/kasan.h:253 [inline]\n slab_post_alloc_hook mm/slub.c:4538 [inline]\n slab_alloc_node mm/slub.c:4866 [inline]\n kmem_cache_alloc_lru_noprof+0x2b8/0x640 mm/slub.c:4885\n sock_alloc_inode+0x28/0xc0 net/socket.c:316\n alloc_inode+0x6a/0x1b0 fs/inode.c:347\n new_inode_pseudo include/linux/fs.h:3003 [inline]\n sock_alloc net/socket.c:631 [inline]\n __sock_create+0x12d/0x9d0 net/socket.c:1562\n sock_create net/socket.c:1656 [inline]\n __sys_socketpair+0x1c4/0x560 net/socket.c:1803\n __do_sys_socketpair net/socket.c:1856 [inline]\n __se_sys_socketpair net/socket.c:1853 [inline]\n __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1853\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 15:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584\n poison_slab_object mm/kasan/common.c:253 [inline]\n __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285\n kasan_slab_free include/linux/kasan.h:235 [inline]\n slab_free_hook mm/slub.c:2685 [inline]\n slab_free mm/slub.c:6165 [inline]\n kmem_cache_free+0x187/0x630 mm/slub.c:6295\n rcu_do_batch kernel/rcu/tree.c:\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-05-01T14:15:20.887Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/8d597e3e74027900ffa81b8ff47ab51999a3e110"},{"url":"https://git.kernel.org/stable/c/68187f18a89be4b6237d28ae1313b5adf76238c6"},{"url":"https://git.kernel.org/stable/c/18861f87a043e78b1f901cae4237e755ed7ef095"},{"url":"https://git.kernel.org/stable/c/af95bc39a83d82ae6ad253986335037256888b3f"},{"url":"https://git.kernel.org/stable/c/ad8391d37f334ee73ba91926f8b4e4cf6d31ea04"}],"title":"bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready().","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43016","datePublished":"2026-05-01T14:15:20.887Z","dateReserved":"2026-05-01T14:12:55.974Z","dateUpdated":"2026-05-01T14:15:20.887Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-01 15:16:45","lastModifiedDate":"2026-05-01 15:24:14","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43016","Ordinal":"1","Title":"bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_ve","CVE":"CVE-2026-43016","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43016","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready().\n\nsyzbot reported use-after-free of AF_UNIX socket's sk->sk_socket\nin sk_psock_verdict_data_ready(). [0]\n\nIn unix_stream_sendmsg(), the peer socket's ->sk_data_ready() is\ncalled after dropping its unix_state_lock().\n\nAlthough the sender socket holds the peer's refcount, it does not\nprevent the peer's sock_orphan(), and the peer's sk_socket might\nbe freed after one RCU grace period.\n\nLet's fetch the peer's sk->sk_socket and sk->sk_socket->ops under\nRCU in sk_psock_verdict_data_ready().\n\n[0]:\nBUG: KASAN: slab-use-after-free in sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\nRead of size 8 at addr ffff8880594da860 by task syz.4.1842/11013\n\nCPU: 1 UID: 0 PID: 11013 Comm: syz.4.1842 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026\nCall Trace:\n <TASK>\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xba/0x230 mm/kasan/report.c:482\n kasan_report+0x117/0x150 mm/kasan/report.c:595\n sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\n unix_stream_sendmsg+0x8a3/0xe80 net/unix/af_unix.c:2482\n sock_sendmsg_nosec net/socket.c:721 [inline]\n __sock_sendmsg net/socket.c:736 [inline]\n ____sys_sendmsg+0x972/0x9f0 net/socket.c:2585\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2639\n __sys_sendmsg net/socket.c:2671 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7facf899c819\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007facf9827028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007facf8c15fa0 RCX: 00007facf899c819\nRDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004\nRBP: 00007facf8a32c91 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007facf8c16038 R14: 00007facf8c15fa0 R15: 00007ffd41b01c78\n </TASK>\n\nAllocated by task 11013:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n unpoison_slab_object mm/kasan/common.c:340 [inline]\n __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366\n kasan_slab_alloc include/linux/kasan.h:253 [inline]\n slab_post_alloc_hook mm/slub.c:4538 [inline]\n slab_alloc_node mm/slub.c:4866 [inline]\n kmem_cache_alloc_lru_noprof+0x2b8/0x640 mm/slub.c:4885\n sock_alloc_inode+0x28/0xc0 net/socket.c:316\n alloc_inode+0x6a/0x1b0 fs/inode.c:347\n new_inode_pseudo include/linux/fs.h:3003 [inline]\n sock_alloc net/socket.c:631 [inline]\n __sock_create+0x12d/0x9d0 net/socket.c:1562\n sock_create net/socket.c:1656 [inline]\n __sys_socketpair+0x1c4/0x560 net/socket.c:1803\n __do_sys_socketpair net/socket.c:1856 [inline]\n __se_sys_socketpair net/socket.c:1853 [inline]\n __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1853\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 15:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584\n poison_slab_object mm/kasan/common.c:253 [inline]\n __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285\n kasan_slab_free include/linux/kasan.h:235 [inline]\n slab_free_hook mm/slub.c:2685 [inline]\n slab_free mm/slub.c:6165 [inline]\n kmem_cache_free+0x187/0x630 mm/slub.c:6295\n rcu_do_batch kernel/rcu/tree.c:\n---truncated---","Type":"Description","Title":"bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_ve"}]}}}