| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2025/04/08 | upstream (ToT) | 0af2f6be1b42 | C | [report] unregister_netdevice: waiting for DEV to become free |
syzbot |
sign-in | mailing list | source | docs |
| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2025/04/08 | upstream (ToT) | 0af2f6be1b42 | C | [report] unregister_netdevice: waiting for DEV to become free |
================================================================== BUG: KASAN: use-after-free in rose_get_neigh+0x1b2/0x6e0 net/rose/rose_route.c:692 Read of size 1 at addr ffff88807b195c30 by task syz.2.12138/31312 CPU: 1 PID: 31312 Comm: syz.2.12138 Not tainted 6.1.132-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x15f/0x4f0 mm/kasan/report.c:427 kasan_report+0x136/0x160 mm/kasan/report.c:531 rose_get_neigh+0x1b2/0x6e0 net/rose/rose_route.c:692 rose_connect+0x456/0x1160 net/rose/af_rose.c:816 __sys_connect_file net/socket.c:2011 [inline] __sys_connect+0x2c9/0x300 net/socket.c:2028 __do_sys_connect net/socket.c:2038 [inline] __se_sys_connect net/socket.c:2035 [inline] __x64_sys_connect+0x76/0x80 net/socket.c:2035 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7fc1c518d169 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc1c5fd5038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007fc1c53a5fa0 RCX: 00007fc1c518d169 RDX: 000000000000001c RSI: 0000200000000040 RDI: 0000000000000008 RBP: 00007fc1c520e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fc1c53a5fa0 R15: 00007ffcb526fa98 </TASK> Allocated by task 4469: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383 kmalloc include/linux/slab.h:563 [inline] rose_add_node+0x209/0xda0 net/rose/rose_route.c:85 rose_rt_ioctl+0xa64/0xec0 net/rose/rose_route.c:747 rose_ioctl+0x2ca/0x8d0 net/rose/af_rose.c:1380 sock_do_ioctl+0x152/0x450 net/socket.c:1204 sock_ioctl+0x484/0x770 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 31312: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1724 [inline] slab_free_freelist_hook mm/slub.c:1750 [inline] slab_free mm/slub.c:3661 [inline] __kmem_cache_free+0x25c/0x3c0 mm/slub.c:3674 rose_rt_device_down+0x6e1/0x730 net/rose/rose_route.c:522 rose_device_event+0x5fd/0x690 net/rose/af_rose.c:248 notifier_call_chain kernel/notifier.c:87 [inline] raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:455 __dev_notify_flags+0x1fd/0x3f0 net/core/dev.c:-1 dev_change_flags+0xe7/0x190 net/core/dev.c:8702 dev_ifsioc+0x177/0x1150 net/core/dev_ioctl.c:327 dev_ioctl+0x508/0xf70 net/core/dev_ioctl.c:588 sock_do_ioctl+0x26b/0x450 net/socket.c:1218 sock_ioctl+0x484/0x770 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 The buggy address belongs to the object at ffff88807b195c00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 48 bytes inside of 512-byte region [ffff88807b195c00, ffff88807b195e00) The buggy address belongs to the physical page: page:ffffea0001ec6500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b194 head:ffffea0001ec6500 order:2 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888017c41c80 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4356, tgid 4356 (kworker/0:5), ts 546629160253, free_ts 546439797578 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2532 prep_new_page mm/page_alloc.c:2539 [inline] get_page_from_freelist+0x3731/0x38d0 mm/page_alloc.c:4328 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5606 alloc_slab_page+0x6a/0x150 mm/slub.c:1794 allocate_slab mm/slub.c:1939 [inline] new_slab+0x84/0x2d0 mm/slub.c:1992 ___slab_alloc+0xc20/0x1270 mm/slub.c:3180 __slab_alloc mm/slub.c:3279 [inline] slab_alloc_node mm/slub.c:3364 [inline] __kmem_cache_alloc_node+0x19f/0x260 mm/slub.c:3437 kmalloc_trace+0x26/0xe0 mm/slab_common.c:1026 kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:699 [inline] mca_alloc net/ipv6/mcast.c:880 [inline] __ipv6_dev_mc_inc+0x426/0xa80 net/ipv6/mcast.c:936 addrconf_join_solict net/ipv6/addrconf.c:2198 [inline] addrconf_dad_begin net/ipv6/addrconf.c:4042 [inline] addrconf_dad_work+0x444/0x16e0 net/ipv6/addrconf.c:4167 process_one_work+0x917/0x1260 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 kthread+0x28d/0x320 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1459 [inline] free_pcp_prepare mm/page_alloc.c:1509 [inline] free_unref_page_prepare+0x12a6/0x15b0 mm/page_alloc.c:3384 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3479 __stack_depot_save+0x409/0x470 lib/stackdepot.c:506 kasan_save_stack mm/kasan/common.c:46 [inline] kasan_set_track+0x60/0x70 mm/kasan/common.c:52 __kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook+0x52/0x3a0 mm/slab.h:737 slab_alloc_node mm/slub.c:3398 [inline] slab_alloc mm/slub.c:3406 [inline] __kmem_cache_alloc_lru mm/slub.c:3413 [inline] kmem_cache_alloc_lru+0x10c/0x2d0 mm/slub.c:3429 xas_alloc lib/xarray.c:377 [inline] xas_create+0x10cf/0x16c0 lib/xarray.c:679 xas_store+0x9f/0x1960 lib/xarray.c:789 memcg_list_lru_alloc+0x7ed/0xd20 mm/list_lru.c:520 memcg_slab_pre_alloc_hook mm/slab.h:494 [inline] slab_pre_alloc_hook+0x2a1/0x300 mm/slab.h:715 slab_alloc_node mm/slub.c:3318 [inline] slab_alloc mm/slub.c:3406 [inline] __kmem_cache_alloc_lru mm/slub.c:3413 [inline] kmem_cache_alloc_lru+0x4a/0x2d0 mm/slub.c:3429 alloc_inode_sb include/linux/fs.h:3245 [inline] alloc_inode fs/inode.c:263 [inline] new_inode_pseudo+0x81/0x1d0 fs/inode.c:1063 __ns_get_path+0x252/0x650 fs/nsfs.c:80 ns_get_path_cb fs/nsfs.c:118 [inline] ns_get_path+0x51/0x90 fs/nsfs.c:144 proc_ns_get_link+0xf5/0x1f0 fs/proc/namespaces.c:61 Memory state around the buggy address: ffff88807b195b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807b195b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88807b195c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807b195c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807b195d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/04/06 22:24 | linux-6.1.y | 8e60a714ba3b | 1c65791e | .config | console log | report | syz / log | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/04/01 12:08 | linux-6.1.y | 8e60a714ba3b | 36d76a97 | .config | console log | report | syz / log | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/04/16 19:44 | linux-6.1.y | 420102835862 | a95239b1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/04/16 19:44 | linux-6.1.y | 420102835862 | a95239b1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/04/09 00:13 | linux-6.1.y | 3dfebb87d7eb | a775275d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/04/07 20:09 | linux-6.1.y | 3dfebb87d7eb | a2ada0e7 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/04/06 16:25 | linux-6.1.y | 8e60a714ba3b | 1c65791e | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/04/01 13:36 | linux-6.1.y | 8e60a714ba3b | 36d76a97 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/04/01 13:36 | linux-6.1.y | 8e60a714ba3b | 36d76a97 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/04/16 18:20 | linux-6.1.y | 420102835862 | a95239b1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/04/04 07:13 | linux-6.1.y | 8e60a714ba3b | d7ae3a11 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/04/01 11:22 | linux-6.1.y | 8e60a714ba3b | 36d76a97 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/03/17 17:21 | linux-6.1.y | 344a09659766 | 948c34e4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in rose_get_neigh | ||
| 2025/03/17 15:45 | linux-6.1.y | 344a09659766 | 948c34e4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in rose_get_neigh |