syzbot

 sign-in | mailing list | source | docs
🐞 Open [895]
🐞 Fixed [141]
🐞 Invalid [1034]
Missing Backports [73]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in siw_query_port (2)

Status: upstream: reported syz repro on 2024/02/09 22:01
Bug presence: origin:lts-only
[Documentation on labels]
Reported-by: syzbot+3abffbfcd33801a21f2f@syzkaller.appspotmail.com
First crash: 761d, last: 1d23h
Bug presence (2)
Date Name Commit Repro Result
2025/01/19 linux-6.1.y (ToT) 60ceadf9247e syz [report] KASAN: use-after-free Read in siw_query_port
2025/01/19 upstream (ToT) fda5e3f28400 syz Didn't crash
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: use-after-free Read in siw_query_port (2) 19 107 2d17h 819d 0/3 upstream: reported on 2023/12/13 22:42
upstream KASAN: slab-use-after-free Read in siw_query_port rdma 19 50 919d 1034d 0/29 auto-obsoleted due to no activity on 2023/11/13 22:18
linux-6.1 KASAN: use-after-free Read in siw_query_port 19 5 874d 951d 0/3 auto-obsoleted due to no activity on 2024/01/27 18:37
linux-5.15 KASAN: use-after-free Read in siw_query_port 19 3 964d 991d 0/3 auto-obsoleted due to no activity on 2023/10/29 16:51
upstream KASAN: slab-use-after-free Read in siw_query_port (2) rdma 19 syz error inconclusive 2 456d 469d 0/29 auto-obsoleted due to no activity on 2025/04/27 10:54
Fix bisection attempts (1)
Created Duration User Patch Repo Result
2025/02/03 03:00 2h36m fix candidate upstream OK (0) job log

Sample crash report:
wlan0 speed is unknown, defaulting to 1000
==================================================================
BUG: KASAN: use-after-free in siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
Read of size 4 at addr ffff88801ef440e0 by task kworker/0:13/4381

CPU: 0 PID: 4381 Comm: kworker/0:13 Not tainted 6.1.127-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: infiniband ib_cache_event_task
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:427
 kasan_report+0x136/0x160 mm/kasan/report.c:531
 siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
 ib_cache_update+0x1a8/0xaf0 drivers/infiniband/core/cache.c:1483
 ib_cache_event_task+0xef/0x1e0 drivers/infiniband/core/cache.c:1557
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

The buggy address belongs to the physical page:
page:ffffea00007bd100 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ef44
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0000a48208 ffff8880b8f41230 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x546dc0(GFP_USER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO|__GFP_ACCOUNT), pid 25467, tgid 25467 (syz-executor), ts 358549384877, free_ts 372664055019
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2532
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x3731/0x38d0 mm/page_alloc.c:4328
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5605
 __alloc_pages_node include/linux/gfp.h:237 [inline]
 alloc_pages_node include/linux/gfp.h:260 [inline]
 __kmalloc_large_node+0x91/0x1d0 mm/slab_common.c:1077
 __do_kmalloc_node mm/slab_common.c:924 [inline]
 __kmalloc_node+0x111/0x230 mm/slab_common.c:943
 kmalloc_node include/linux/slab.h:589 [inline]
 kvmalloc_node+0x6e/0x180 mm/util.c:581
 kvmalloc include/linux/slab.h:716 [inline]
 kvzalloc include/linux/slab.h:724 [inline]
 alloc_netdev_mqs+0x85/0xeb0 net/core/dev.c:10688
 ieee80211_if_add+0xe67/0x1890 net/mac80211/iface.c:2175
 ieee80211_register_hw+0x32ff/0x3f10 net/mac80211/main.c:1402
 mac80211_hwsim_new_radio+0x22d9/0x4060 drivers/net/wireless/mac80211_hwsim.c:4582
 hwsim_new_radio_nl+0xc54/0x1190 drivers/net/wireless/mac80211_hwsim.c:5176
 genl_family_rcv_msg_doit net/netlink/genetlink.c:756 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
 genl_rcv_msg+0xc1a/0xf70 net/netlink/genetlink.c:850
 netlink_rcv_skb+0x1cd/0x410 net/netlink/af_netlink.c:2493
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x7d8/0x970 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0xa26/0xd60 net/netlink/af_netlink.c:1859
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x12a6/0x15b0 mm/page_alloc.c:3384
 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3479
 free_large_kmalloc+0xfb/0x190 mm/slab_common.c:913
 device_release+0x91/0x1c0
 kobject_cleanup lib/kobject.c:681 [inline]
 kobject_release lib/kobject.c:712 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x224/0x460 lib/kobject.c:729
 netdev_run_todo+0xed5/0xfe0 net/core/dev.c:10478
 ieee80211_unregister_hw+0xfc/0x290 net/mac80211/main.c:1485
 mac80211_hwsim_del_radio+0x2be/0x4a0 drivers/net/wireless/mac80211_hwsim.c:4683
 hwsim_exit_net+0x5b8/0x660 drivers/net/wireless/mac80211_hwsim.c:5470
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x7f1/0xd20 net/core/net_namespace.c:640
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff88801ef43f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801ef44000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88801ef44080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff88801ef44100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88801ef44180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (405):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/01/24 12:14 linux-6.1.y 75cefdf153f5 521b0ce3 .config console log report syz / log [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/01/18 21:01 linux-6.1.y 60ceadf9247e f2cb035c .config console log report syz / log [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/03/10 06:38 linux-6.1.y f2ddafa93a25 6972f302 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/03/09 18:21 linux-6.1.y f2ddafa93a25 176bead5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/03/08 15:37 linux-6.1.y f2ddafa93a25 5cb44a80 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/28 07:19 linux-6.1.y 779f9571ac3e 43249bac .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/27 04:54 linux-6.1.y 779f9571ac3e a2f13f71 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/26 17:04 linux-6.1.y 779f9571ac3e ffa54287 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/25 21:52 linux-6.1.y 779f9571ac3e 94a9671e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/24 23:10 linux-6.1.y 779f9571ac3e 787dfb7c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/24 18:44 linux-6.1.y 779f9571ac3e 96b1aa46 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/24 04:34 linux-6.1.y 779f9571ac3e 41d2fa6a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/24 02:38 linux-6.1.y 779f9571ac3e 41d2fa6a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/23 22:48 linux-6.1.y 779f9571ac3e 41d2fa6a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/23 14:43 linux-6.1.y 779f9571ac3e 6beca497 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/22 21:39 linux-6.1.y 779f9571ac3e 6e7b5511 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/21 04:52 linux-6.1.y 779f9571ac3e 6e7b5511 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/18 21:17 linux-6.1.y 8ce36b2849ef 77d4d919 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/14 02:24 linux-6.1.y 8ce36b2849ef 1e62d198 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/05 18:46 linux-6.1.y cd9b81672742 4936e85c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/02/01 11:51 linux-6.1.y cd9b81672742 6b8752f2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/01/27 17:00 linux-6.1.y cd9b81672742 9a514c2f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/01/26 02:02 linux-6.1.y cd9b81672742 55756628 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/01/23 14:24 linux-6.1.y cd9b81672742 e2b1b6e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/01/21 22:19 linux-6.1.y cd9b81672742 8fc37797 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/01/20 04:45 linux-6.1.y cd9b81672742 572effc1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/01/17 12:39 linux-6.1.y bec0e10ee67e 20d37d28 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/01/12 04:03 linux-6.1.y bec0e10ee67e d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/01/09 00:31 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/01/05 11:32 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/01/03 12:28 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2026/01/02 17:57 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/12/30 03:27 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/12/28 10:52 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/12/25 09:40 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/12/23 03:44 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/12/21 09:28 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/12/20 17:17 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/12/17 22:04 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/12/17 14:34 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/12/13 16:06 linux-6.1.y 50cbba13faa2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/12/05 18:35 linux-6.1.y f6e38ae624cf d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/12/04 21:38 linux-6.1.y f6e38ae624cf d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/11/29 13:55 linux-6.1.y f6e38ae624cf d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/11/28 16:24 linux-6.1.y f6e38ae624cf d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/11/27 14:23 linux-6.1.y f6e38ae624cf d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/11/16 23:05 linux-6.1.y f6e38ae624cf f7988ea4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/02/09 22:01 linux-6.1.y f1bb70486c9c 77b23aa1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2025/10/10 14:19 linux-6.1.y 882efbdd9d34 ff1712fe .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in siw_query_port
* Struck through repros no longer work on HEAD.