syzbot


KASAN: use-after-free Read in siw_query_port (2)

Status: upstream: reported syz repro on 2024/02/09 22:01
Bug presence: origin:lts-only
Reported-by: syzbot+3abffbfcd33801a21f2f@syzkaller.appspotmail.com
First crash: 440d, last: 3d22h
Bug presence (2)
Date       | Name              | Commit       | Repro | Result
2025/01/19 | linux-6.1.y (ToT) | 60ceadf9247e | C     | [report] KASAN: use-after-free Read in siw_query_port
2025/01/19 | upstream (ToT)    | fda5e3f28400 | C     | Didn't crash
Similar bugs (5)
Kernel     | Title                                                 | Subsystem | Repro | Cause bisect | Fix bisect   | Count | Last | Reported | Patched | Status
linux-5.15 | KASAN: use-after-free Read in siw_query_port (2)      |           |       |              |              | 72    | 17d  | 498d     | 0/3     | upstream: reported on 2023/12/13 22:42
upstream   | KASAN: slab-use-after-free Read in siw_query_port     | rdma      |       |              |              | 50    | 598d | 714d     | 0/28    | auto-obsoleted due to no activity on 2023/11/13 22:18
linux-6.1  | KASAN: use-after-free Read in siw_query_port          |           |       |              |              | 5     | 554d | 630d     | 0/3     | auto-obsoleted due to no activity on 2024/01/27 18:37
linux-5.15 | KASAN: use-after-free Read in siw_query_port          |           |       |              |              | 3     | 644d | 670d     | 0/3     | auto-obsoleted due to no activity on 2023/10/29 16:51
upstream   | KASAN: slab-use-after-free Read in siw_query_port (2) | rdma      | syz   | error        | inconclusive | 2     | 135d | 149d     | 0/28    | upstream: reported syz repro on 2024/11/27 09:48
Fix bisection attempts (1)
Created          | Duration | User          | Patch | Repo     | Result
2025/02/03 03:00 | 2h36m    | fix candidate |       | upstream | OK (0) job log

Sample crash report:
wlan0 speed is unknown, defaulting to 1000
==================================================================
BUG: KASAN: use-after-free in siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
Read of size 4 at addr ffff88801ef440e0 by task kworker/0:13/4381

CPU: 0 PID: 4381 Comm: kworker/0:13 Not tainted 6.1.127-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: infiniband ib_cache_event_task
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:427
 kasan_report+0x136/0x160 mm/kasan/report.c:531
 siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
 ib_cache_update+0x1a8/0xaf0 drivers/infiniband/core/cache.c:1483
 ib_cache_event_task+0xef/0x1e0 drivers/infiniband/core/cache.c:1557
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

The buggy address belongs to the physical page:
page:ffffea00007bd100 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ef44
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0000a48208 ffff8880b8f41230 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x546dc0(GFP_USER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO|__GFP_ACCOUNT), pid 25467, tgid 25467 (syz-executor), ts 358549384877, free_ts 372664055019
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2532
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x3731/0x38d0 mm/page_alloc.c:4328
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5605
 __alloc_pages_node include/linux/gfp.h:237 [inline]
 alloc_pages_node include/linux/gfp.h:260 [inline]
 __kmalloc_large_node+0x91/0x1d0 mm/slab_common.c:1077
 __do_kmalloc_node mm/slab_common.c:924 [inline]
 __kmalloc_node+0x111/0x230 mm/slab_common.c:943
 kmalloc_node include/linux/slab.h:589 [inline]
 kvmalloc_node+0x6e/0x180 mm/util.c:581
 kvmalloc include/linux/slab.h:716 [inline]
 kvzalloc include/linux/slab.h:724 [inline]
 alloc_netdev_mqs+0x85/0xeb0 net/core/dev.c:10688
 ieee80211_if_add+0xe67/0x1890 net/mac80211/iface.c:2175
 ieee80211_register_hw+0x32ff/0x3f10 net/mac80211/main.c:1402
 mac80211_hwsim_new_radio+0x22d9/0x4060 drivers/net/wireless/mac80211_hwsim.c:4582
 hwsim_new_radio_nl+0xc54/0x1190 drivers/net/wireless/mac80211_hwsim.c:5176
 genl_family_rcv_msg_doit net/netlink/genetlink.c:756 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
 genl_rcv_msg+0xc1a/0xf70 net/netlink/genetlink.c:850
 netlink_rcv_skb+0x1cd/0x410 net/netlink/af_netlink.c:2493
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x7d8/0x970 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0xa26/0xd60 net/netlink/af_netlink.c:1859
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x12a6/0x15b0 mm/page_alloc.c:3384
 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3479
 free_large_kmalloc+0xfb/0x190 mm/slab_common.c:913
 device_release+0x91/0x1c0
 kobject_cleanup lib/kobject.c:681 [inline]
 kobject_release lib/kobject.c:712 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x224/0x460 lib/kobject.c:729
 netdev_run_todo+0xed5/0xfe0 net/core/dev.c:10478
 ieee80211_unregister_hw+0xfc/0x290 net/mac80211/main.c:1485
 mac80211_hwsim_del_radio+0x2be/0x4a0 drivers/net/wireless/mac80211_hwsim.c:4683
 hwsim_exit_net+0x5b8/0x660 drivers/net/wireless/mac80211_hwsim.c:5470
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x7f1/0xd20 net/core/net_namespace.c:640
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff88801ef43f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801ef44000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88801ef44080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff88801ef44100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88801ef44180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
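
What the sample report pins down, read from the bottom up: the 4-byte read at siw_verbs.c:177 lands in memory that page_owner records as freed; the allocation stack shows the page was obtained through alloc_netdev_mqs() for a mac80211_hwsim radio; and the free stack shows netdev_run_todo() released it when that radio was deleted together with its network namespace (hwsim_exit_net via cleanup_net). The shadow bytes are 0xff, KASAN's freed-page poison, which fits the order-2 large-kmalloc path in the allocation stack (the upstream siblings carry the "slab-use-after-free" label that newer KASAN prints when the freed memory is a slab object instead). So siw_query_port(), running from the ib_cache_event_task workqueue, dereferences a struct net_device that has already been freed: the siw (SoftiWARP) device outlived the netdev it was created on and reached it through a pointer that held no reference on it. The bug presence table adds the operational fact that the same C repro still crashes linux-6.1.y but not upstream, so whatever closed this path upstream has not been identified for and backported to 6.1.

The Python below is an added example, not code from syzbot or from the kernel tree: it parses a constructed, abridged excerpt of this report and extracts those facts mechanically (the poison covering each accessed byte, the object's lifetime from page_owner's ts/free_ts, the first non-allocator frame on the alloc and free stacks, and a cross-check that the caret really points at the reported address), so the same readout can be run over other KASAN reports. The regular expressions, the poison legend subset and the allocator-frame filter (mm/, lib/, include/linux/) are my assumptions, matched to the report format of this kernel generation.

```python
"""Decode the hard facts of a KASAN use-after-free report. Added example, not
code from the syzbot page or the kernel tree. REPORT is a constructed,
abridged excerpt of the sample crash report above."""
import re

# Shadow byte values of generic KASAN (mm/kasan/kasan.h). One shadow byte
# describes an 8-byte granule: 0 is fully addressable, 1..7 means only the
# first N bytes are valid, and the values below are poison markers.
POISON = {0xFF: "freed page (page allocator)", 0xFE: "large kmalloc redzone",
          0xFC: "slab object redzone", 0xFB: "freed slab object",
          0xFA: "freed slab object (free track stored)", 0xF9: "global redzone",
          0xF8: "invalid vmalloc space", 0xF1: "stack left redzone",
          0xF2: "stack mid redzone", 0xF3: "stack right redzone"}
GRANULE = 8
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
OWNER_RE = re.compile(r"page last allocated via order (\d+).*\bts (\d+), free_ts (\d+)")
SHADOW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})\s*$")
FRAME_RE = re.compile(r"^\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s+(\S+:\d+))?(?:\s+\[inline\])?\s*$")

REPORT = "\n".join([  # constructed excerpt of the report on this page
    "BUG: KASAN: use-after-free in siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177",
    "Read of size 4 at addr ffff88801ef440e0 by task kworker/0:13/4381",
    "page last allocated via order 2, migratetype Unmovable, gfp_mask 0x546dc0(GFP_USER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO|__GFP_ACCOUNT), pid 25467, tgid 25467 (syz-executor), ts 358549384877, free_ts 372664055019",
    " set_page_owner include/linux/page_owner.h:31 [inline]",
    " __kmalloc_node+0x111/0x230 mm/slab_common.c:943",
    " alloc_netdev_mqs+0x85/0xeb0 net/core/dev.c:10688",
    "page last free stack trace:",
    " free_large_kmalloc+0xfb/0x190 mm/slab_common.c:913",
    " device_release+0x91/0x1c0",
    " kobject_put+0x224/0x460 lib/kobject.c:729",
    " netdev_run_todo+0xed5/0xfe0 net/core/dev.c:10478",
    "",
    "Memory state around the buggy address:",
    " ffff88801ef43f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    " ffff88801ef44000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff",
    ">ffff88801ef44080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff",
    " " * 55 + "^",  # caret under shadow byte 12: column 19 + 3 * 12
    " ffff88801ef44100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff",
])

def parse_report(text):
    """Pull the access, page_owner's stacks and timestamps, and the shadow map."""
    rep = {"shadow": {}, "alloc": [], "free": []}
    section = None
    for line in text.splitlines():
        if m := ACCESS_RE.search(line):
            rep.update(kind=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16))
        elif m := OWNER_RE.search(line):
            rep.update(order=int(m.group(1)), ts=int(m.group(2)), free_ts=int(m.group(3)))
            section = "alloc"
        elif line.startswith("page last free stack trace"):
            section = "free"
        elif line.startswith("Memory state around"):
            section = "shadow"
        elif section == "shadow" and (m := SHADOW_RE.match(line)):
            base = int(m.group(1), 16)
            for i, byte in enumerate(m.group(2).split()):
                rep["shadow"][base + i * GRANULE] = int(byte, 16)
        elif section in ("alloc", "free") and (m := FRAME_RE.match(line)):
            rep[section].append((m.group(1), m.group(2)))  # (function, file:line or None)
    return rep

def access_poison(rep):
    """Meaning of the shadow byte covering each byte the bad access touched."""
    out = []
    for a in range(rep["addr"], rep["addr"] + rep["size"]):
        s = rep["shadow"].get(a - a % GRANULE)
        if s is None:
            out.append("shadow row not printed")
        elif s == 0 or (s < GRANULE and a % GRANULE < s):
            out.append("addressable")
        else:
            out.append(POISON.get(s, "partial granule redzone" if s < GRANULE else "unknown poison"))
    return out

def caret_address(text):
    """Address under the caret, from its column: in the '>' row each shadow
    byte takes three columns starting at column 19. Cross-checks the access."""
    lines = text.splitlines()
    for row, nxt in zip(lines, lines[1:]):
        if row.startswith(">") and nxt.strip() == "^":
            return int(row[1:17], 16) + ((nxt.index("^") - 19) // 3) * GRANULE
    return None

def first_owner_frame(stack):
    """First frame with a file:line outside allocator/kobject plumbing (mm/,
    lib/, include/linux/): the code that actually owns the object's lifetime."""
    return next(((f, loc) for f, loc in stack
                 if loc and not loc.startswith(("mm/", "lib/", "include/linux/"))), None)

def summarize(text):
    rep = parse_report(text)
    return {"access": (rep["kind"], rep["size"], hex(rep["addr"])),
            "caret_matches": caret_address(text) == rep["addr"],
            "poison": sorted(set(access_poison(rep))),
            "lifetime_ns": rep["free_ts"] - rep["ts"],
            "allocated_by": first_owner_frame(rep["alloc"]),
            "freed_by": first_owner_frame(rep["free"])}
```

Run over the excerpt, summarize(REPORT) reports a 4-byte read at 0xffff88801ef440e0 whose every byte is covered by the freed-page poison, an object that lived about 14.1 s (14114670142 ns between ts and free_ts) before being released, alloc_netdev_mqs() in net/core/dev.c as the allocator and netdev_run_todo() in the same file as the freer, and a caret that agrees with the reported address. The last point is worth keeping: the caret is only as trustworthy as the column alignment of whatever rendered the log, which is exactly what gets mangled when a report is pasted into a tracker, so deriving the granule from the address rather than from the caret avoids arguing about the wrong object.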

Crashes (305):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2025/01/24 12:14 | linux-6.1.y | 75cefdf153f5 | 521b0ce3 | .config | console log | report | syz / log | | | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/01/18 21:01 | linux-6.1.y | 60ceadf9247e | f2cb035c | .config | console log | report | syz / log | | | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/21 21:28 | linux-6.1.y | 420102835862 | 2a20f901 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/17 15:17 | linux-6.1.y | 420102835862 | 229db4cf | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/17 10:16 | linux-6.1.y | 420102835862 | 229db4cf | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/16 02:11 | linux-6.1.y | 420102835862 | a95239b1 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/15 09:28 | linux-6.1.y | 420102835862 | 0bd6db41 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/11 11:29 | linux-6.1.y | 420102835862 | 94486846 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/08 14:22 | linux-6.1.y | 3dfebb87d7eb | a775275d | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/05 23:36 | linux-6.1.y | 8e60a714ba3b | 1c65791e | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/05 13:30 | linux-6.1.y | 8e60a714ba3b | c53ea9c9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/05 05:10 | linux-6.1.y | 8e60a714ba3b | c53ea9c9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/04 16:35 | linux-6.1.y | 8e60a714ba3b | 1c4febdb | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/04/01 05:25 | linux-6.1.y | 8e60a714ba3b | 36d76a97 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/29 19:52 | linux-6.1.y | 8e60a714ba3b | d3999433 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/29 13:17 | linux-6.1.y | 8e60a714ba3b | cf25e2c2 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/29 07:05 | linux-6.1.y | 8e60a714ba3b | cf25e2c2 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/24 02:17 | linux-6.1.y | 344a09659766 | 875573af | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/23 15:06 | linux-6.1.y | 344a09659766 | 4e8d3850 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/21 23:32 | linux-6.1.y | 344a09659766 | c6512ef7 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/17 17:08 | linux-6.1.y | 344a09659766 | 948c34e4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/14 03:49 | linux-6.1.y | 344a09659766 | e2826670 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/13 22:27 | linux-6.1.y | 344a09659766 | 44be8b44 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/13 13:33 | linux-6.1.y | 344a09659766 | 44be8b44 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/10 12:25 | linux-6.1.y | 6ae7ac5c4251 | 163f510d | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/10 07:43 | linux-6.1.y | 6ae7ac5c4251 | 163f510d | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/09 21:40 | linux-6.1.y | 6ae7ac5c4251 | 163f510d | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/09 07:32 | linux-6.1.y | 6ae7ac5c4251 | 163f510d | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/06 23:43 | linux-6.1.y | 3a8358583626 | 831e3629 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/02 22:33 | linux-6.1.y | 3a8358583626 | c3901742 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/02 21:22 | linux-6.1.y | 3a8358583626 | c3901742 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/02 13:05 | linux-6.1.y | 3a8358583626 | c3901742 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/02 02:53 | linux-6.1.y | 3a8358583626 | c3901742 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/24 22:55 | linux-6.1.y | 3a8358583626 | d34966d1 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/20 21:52 | linux-6.1.y | 0cbb5f65e52f | 0808a665 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/20 19:48 | linux-6.1.y | 0cbb5f65e52f | 0808a665 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/19 23:43 | linux-6.1.y | 0cbb5f65e52f | b257a9b7 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/19 12:09 | linux-6.1.y | 0cbb5f65e52f | 9a14138f | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/16 20:01 | linux-6.1.y | 0cbb5f65e52f | 40a34ec9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/15 00:47 | linux-6.1.y | 0cbb5f65e52f | 1022af74 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/14 22:53 | linux-6.1.y | 0cbb5f65e52f | 1022af74 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/14 16:57 | linux-6.1.y | 0cbb5f65e52f | 1022af74 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/14 08:10 | linux-6.1.y | 0cbb5f65e52f | d9a046cf | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/13 16:44 | linux-6.1.y | 0cbb5f65e52f | a98a8417 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/12 13:00 | linux-6.1.y | 0cbb5f65e52f | b27c2402 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/11 19:05 | linux-6.1.y | 0cbb5f65e52f | f2baddf5 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/02/07 22:44 | linux-6.1.y | 0cbb5f65e52f | ef44b750 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2024/02/09 22:01 | linux-6.1.y | f1bb70486c9c | 77b23aa1 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port
2025/03/18 22:09 | linux-6.1.y | 344a09659766 | 22a6c2b1 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in siw_query_port
2025/02/15 10:11 | linux-6.1.y | 0cbb5f65e52f | 40a34ec9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in siw_query_port