syzbot |
sign-in | mailing list | source | docs |
================================================================== BUG: KASAN: use-after-free in ax25_release+0x5ca/0x870 net/ax25/af_ax25.c:1061 Read of size 8 at addr ffff888029d8f608 by task syz.1.77/4581 CPU: 1 PID: 4581 Comm: syz.1.77 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106 print_address_description+0x60/0x2d0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0xdf/0x130 mm/kasan/report.c:451 ax25_release+0x5ca/0x870 net/ax25/af_ax25.c:1061 __sock_release net/socket.c:651 [inline] sock_close+0xd5/0x240 net/socket.c:1346 __fput+0x234/0x930 fs/file_table.c:311 task_work_run+0x125/0x1a0 kernel/task_work.c:188 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x10f/0x130 kernel/entry/common.c:181 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline] syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x66/0xd0 RIP: 0033:0x7fd8975e7749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff657c2558 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 00007fd89783fda0 RCX: 00007fd8975e7749 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007fd89783fda0 R08: 00000000000000c8 R09: 0000000b657c284f R10: 00000000003ffd14 R11: 0000000000000246 R12: 000000000001611d R13: 00007fff657c2650 R14: ffffffffffffffff R15: 00007fff657c2670 </TASK> Allocated by task 4582: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522 kmalloc include/linux/slab.h:607 [inline] kzalloc include/linux/slab.h:738 [inline] ax25_dev_device_up+0x50/0x580 net/ax25/ax25_dev.c:55 ax25_device_event+0x483/0x4f0 net/ax25/af_ax25.c:139 notifier_call_chain kernel/notifier.c:83 [inline] raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:391 call_netdevice_notifiers_extack net/core/dev.c:2061 [inline] call_netdevice_notifiers net/core/dev.c:2075 [inline] __dev_notify_flags+0x178/0x2d0 net/core/dev.c:-1 dev_change_flags+0xe3/0x1a0 net/core/dev.c:8929 dev_ifsioc+0x147/0xe70 net/core/dev_ioctl.c:324 dev_ioctl+0x55f/0xe50 net/core/dev_ioctl.c:587 sock_do_ioctl+0x222/0x2f0 net/socket.c:1164 sock_ioctl+0x4ed/0x6e0 net/socket.c:1267 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 Freed by task 4582: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:46 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:1710 [inline] slab_free_freelist_hook+0xea/0x170 mm/slub.c:1736 slab_free mm/slub.c:3504 [inline] kfree+0xef/0x2a0 mm/slub.c:4564 ax25_device_event+0x4b4/0x4f0 net/ax25/af_ax25.c:144 notifier_call_chain kernel/notifier.c:83 [inline] raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:391 call_netdevice_notifiers_extack net/core/dev.c:2061 [inline] call_netdevice_notifiers net/core/dev.c:2075 [inline] __dev_notify_flags+0x178/0x2d0 net/core/dev.c:-1 dev_change_flags+0xe3/0x1a0 net/core/dev.c:8929 dev_ifsioc+0x147/0xe70 net/core/dev_ioctl.c:324 dev_ioctl+0x55f/0xe50 net/core/dev_ioctl.c:587 sock_do_ioctl+0x222/0x2f0 net/socket.c:1164 sock_ioctl+0x4ed/0x6e0 net/socket.c:1267 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 The buggy address belongs to the object at ffff888029d8f600 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of 192-byte region [ffff888029d8f600, ffff888029d8f6c0) The buggy address belongs to the page: page:ffffea0000a763c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29d8f flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0001cda0c0 0000000700000007 ffff888016841a00 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 4329, ts 78057653386, free_ts 77995734151 prep_new_page mm/page_alloc.c:2426 [inline] get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5487 __alloc_pages_node include/linux/gfp.h:570 [inline] alloc_slab_page mm/slub.c:1782 [inline] allocate_slab mm/slub.c:1917 [inline] new_slab+0xb6/0x4b0 mm/slub.c:1980 ___slab_alloc+0x81e/0xdf0 mm/slub.c:3013 __slab_alloc mm/slub.c:3100 [inline] slab_alloc_node mm/slub.c:3191 [inline] __kmalloc_node+0x200/0x3b0 mm/slub.c:4456 kmalloc_array_node include/linux/slab.h:700 [inline] kcalloc_node include/linux/slab.h:705 [inline] memcg_alloc_page_obj_cgroups+0x81/0x120 mm/memcontrol.c:2839 memcg_slab_post_alloc_hook mm/slab.h:313 [inline] slab_post_alloc_hook+0xba/0x380 mm/slab.h:526 slab_alloc_node mm/slub.c:3225 [inline] slab_alloc mm/slub.c:3233 [inline] kmem_cache_alloc+0x100/0x290 mm/slub.c:3238 __d_alloc+0x2a/0x6f0 fs/dcache.c:1749 d_alloc+0x4a/0x250 fs/dcache.c:1828 lookup_one_qstr_excl+0xc6/0x240 fs/namei.c:1567 filename_create+0x21e/0x450 fs/namei.c:3844 do_symlinkat+0xb3/0x6c0 fs/namei.c:4456 __do_sys_symlinkat fs/namei.c:4483 [inline] __se_sys_symlinkat fs/namei.c:4480 [inline] __x64_sys_symlinkat+0x95/0xa0 fs/namei.c:4480 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1340 [inline] free_pcp_prepare mm/page_alloc.c:1391 [inline] free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317 free_unref_page+0x94/0x280 mm/page_alloc.c:3396 free_slab mm/slub.c:2020 [inline] discard_slab mm/slub.c:2026 [inline] __unfreeze_partials+0x1a5/0x200 mm/slub.c:2512 put_cpu_partial+0x12d/0x190 mm/slub.c:2592 qlist_free_all+0x35/0x90 mm/kasan/quarantine.c:176 kasan_quarantine_reduce+0x150/0x160 mm/kasan/quarantine.c:283 __kasan_slab_alloc+0x2f/0xd0 mm/kasan/common.c:444 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519 slab_alloc_node mm/slub.c:3225 [inline] slab_alloc mm/slub.c:3233 [inline] kmem_cache_alloc+0x100/0x290 mm/slub.c:3238 getname_flags+0xb5/0x500 fs/namei.c:138 user_path_at_empty+0x2a/0x190 fs/namei.c:2890 do_readlinkat+0xd4/0x480 fs/stat.c:442 __do_sys_readlink fs/stat.c:475 [inline] __se_sys_readlink fs/stat.c:472 [inline] __x64_sys_readlink+0x7b/0x90 fs/stat.c:472 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 Memory state around the buggy address: ffff888029d8f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888029d8f580: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc >ffff888029d8f600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888029d8f680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888029d8f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/12/16 05:53 | linux-5.15.y | 68efe5a6c16a | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/12/03 16:17 | linux-5.15.y | cc5ec8769306 | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/12/01 10:39 | linux-5.15.y | cc5ec8769306 | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/11/23 11:49 | linux-5.15.y | cc5ec8769306 | 4fb8ef37 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/11/23 04:00 | linux-5.15.y | cc5ec8769306 | 4fb8ef37 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/11/22 22:38 | linux-5.15.y | cc5ec8769306 | 4fb8ef37 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/11/22 14:48 | linux-5.15.y | cc5ec8769306 | 4fb8ef37 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/11/14 02:28 | linux-5.15.y | cc5ec8769306 | 07e030de | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/11/13 22:37 | linux-5.15.y | cc5ec8769306 | 07e030de | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/11/11 04:13 | linux-5.15.y | cc5ec8769306 | 4e1406b4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/11/11 02:46 | linux-5.15.y | cc5ec8769306 | 4e1406b4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/11/03 06:28 | linux-5.15.y | cc5ec8769306 | 2c50b6a9 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/11/02 06:18 | linux-5.15.y | cc5ec8769306 | 2c50b6a9 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/10/25 08:15 | linux-5.15.y | ac56c046adf4 | c0460fcd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/10/24 23:37 | linux-5.15.y | ac56c046adf4 | c0460fcd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/10/24 09:51 | linux-5.15.y | ac56c046adf4 | c0460fcd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/10/22 11:23 | linux-5.15.y | ac56c046adf4 | 252fbbad | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/10/18 19:26 | linux-5.15.y | 29e53a5b1c4f | 1c8c8cd8 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/10/17 03:53 | linux-5.15.y | 29e53a5b1c4f | 19568248 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/10/16 19:41 | linux-5.15.y | 29e53a5b1c4f | 19568248 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/10/11 01:08 | linux-5.15.y | 29e53a5b1c4f | ff1712fe | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/10/06 20:19 | linux-5.15.y | 29e53a5b1c4f | 91305dbe | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/10/06 07:00 | linux-5.15.y | 29e53a5b1c4f | 49379ee0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/10/05 13:17 | linux-5.15.y | 29e53a5b1c4f | 49379ee0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/28 05:22 | linux-5.15.y | 43bb85222e53 | 001c9061 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/27 03:38 | linux-5.15.y | 43bb85222e53 | 001c9061 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/27 03:37 | linux-5.15.y | 43bb85222e53 | 001c9061 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/26 18:14 | linux-5.15.y | 43bb85222e53 | 0abd0691 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/26 07:15 | linux-5.15.y | 43bb85222e53 | 0abd0691 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/23 04:20 | linux-5.15.y | 43bb85222e53 | 0ac7291c | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/21 21:50 | linux-5.15.y | 43bb85222e53 | 67c37560 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/21 19:20 | linux-5.15.y | 43bb85222e53 | 67c37560 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/21 14:28 | linux-5.15.y | 43bb85222e53 | 67c37560 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/21 03:44 | linux-5.15.y | 43bb85222e53 | 67c37560 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/20 22:09 | linux-5.15.y | 43bb85222e53 | 67c37560 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/20 11:46 | linux-5.15.y | 43bb85222e53 | 67c37560 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/18 23:49 | linux-5.15.y | 43bb85222e53 | e2beed91 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/18 13:14 | linux-5.15.y | 43bb85222e53 | e2beed91 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/17 17:25 | linux-5.15.y | 43bb85222e53 | e2beed91 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/14 09:13 | linux-5.15.y | 43bb85222e53 | e2beed91 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/11 15:54 | linux-5.15.y | de9476bb4f1b | fdeaa69b | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/09/11 09:18 | linux-5.15.y | de9476bb4f1b | fdeaa69b | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/02/26 18:02 | linux-5.15.y | c16c81c81336 | d34966d1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in ax25_release | ||
| 2025/08/28 02:19 | linux-5.15.y | c79648372d02 | e12e5ba4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | KASAN: use-after-free Read in ax25_release |