Re: [BUG] KASAN: slab-use-after-free Write in sk_skb_reason_drop

From: Eric Dumazet

Date: Thu Apr 23 2026 - 10:17:45 EST


On Thu, Apr 23, 2026 at 6:41 AM Eulgyu Kim <eulgyukim@xxxxxxxxx> wrote:
>
> Hello,
>
> We encountered a "KASAN: slab-use-after-free Write in sk_skb_reason_drop"
> on kernel version v7.0.
>
> As this memory corruption bug seems to require `CAP_NET_ADMIN`,
> we report this on the public mailing list.
>
> We have included the following items below:
> - C reproducer (~100 lines)
> - kernel delay patch
> - KASAN crash log
>
> To reliably trigger the race condition bug, we patched the kernel
> to inject a delay at a specific point.
>
> The kernel config used is the same as the syzbot configuration.
>
> Unfortunately, we do not have a fix ready for this bug yet.
> As this issue was identified via fuzzing and we have limited background,
> we find it challenging to propose a correct fix or evaluate
> its potential severity.
>
> We hope this report helps address the issue. Please let us know
> if any further information is needed.

It seems we need to add a barrier on tfile->napi_mutex
to prevent tun_napi_del() from messing with a concurrent tun_get_user().

Something like:

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index b183189f185354051bded95f43bd77ee4f7cde24..e85f9db4afe724e25f45e9b142fa678a244a533e
100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -289,8 +289,11 @@ static void tun_napi_disable(struct tun_file *tfile)

static void tun_napi_del(struct tun_file *tfile)
{
- if (tfile->napi_enabled)
+ if (tfile->napi_enabled) {
+ mutex_lock(&tfile->napi_mutex);
netif_napi_del(&tfile->napi);
+ mutex_unlock(&tfile->napi_mutex);
+ }
}

static bool tun_napi_frags_enabled(const struct tun_file *tfile)
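Review bot: Taking tfile->napi_mutex around netif_napi_del() only closes the race if every path in tun_get_user() that touches tfile->napi holds the same mutex, and the hunk does not show that side; the commit message should name the tun_get_user() path(s) that already hold napi_mutex so a reader can verify both halves of the lock pairing. The `tfile->napi_enabled` test stays outside the mutex, which is fine only if that flag is set once at attach time and never changes while the file is live; a one-line comment above the `if` would make that assumption explicit. Since the reporter had no fix, please also ask them to re-run the C reproducer together with their delay patch on top of this change and add the resulting Reported-by/Tested-by and a Fixes: tag.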