syzbot

 sign-in | mailing list | source | docs
🐞 Open [1560]
Subsystems
🐞 Fixed [6212]
🐞 Invalid [15671]
Missing Backports [179]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: global-out-of-bounds Read in fib6_clean_node (2)

Status: upstream: reported on 2025/05/01 14:38
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+ef84446be20ce6c5e514@syzkaller.appspotmail.com
First crash: 2d02h, last: 11h51m
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [net?] KASAN: global-out-of-bounds Read in fib6_clean_node (2) 0 (1) 2025/05/01 14:38
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: global-out-of-bounds Read in fib6_clean_node net 4 49d 51d 0/28 closed as invalid on 2025/04/08 14:38

Sample crash report:
netlink: 'syz.3.3459': attribute type 1 has an invalid length.
8021q: adding VLAN 0 to HW filter on device bond3
==================================================================
BUG: KASAN: global-out-of-bounds in fib6_clean_node+0x35d/0x590 net/ipv6/ip6_fib.c:2198
Read of size 8 at addr ffffffff99cdf5e8 by task syz.3.3459/18181

CPU: 1 UID: 0 PID: 18181 Comm: syz.3.3459 Not tainted 6.15.0-rc4-syzkaller-00052-g4f79eaa2ceac #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xb4/0x290 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 fib6_clean_node+0x35d/0x590 net/ipv6/ip6_fib.c:2198
 fib6_walk_continue+0x678/0x910 net/ipv6/ip6_fib.c:2124
 fib6_walk+0x149/0x290 net/ipv6/ip6_fib.c:2172
 fib6_clean_tree net/ipv6/ip6_fib.c:2252 [inline]
 __fib6_clean_all+0x234/0x380 net/ipv6/ip6_fib.c:2268
 rt6_sync_down_dev+0xf9/0x150 net/ipv6/route.c:4951
 addrconf_notify+0x929/0x1010 net/ipv6/addrconf.c:3714
 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85
 __dev_notify_flags+0x21b/0x2e0 net/core/dev.c:9419
 rtnl_configure_link net/core/rtnetlink.c:-1 [inline]
 rtnl_newlink_create+0x606/0xaf0 net/core/rtnetlink.c:3843
 __rtnl_newlink net/core/rtnetlink.c:3950 [inline]
 rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4065
 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6955
 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:727
 ____sys_sendmsg+0x505/0x830 net/socket.c:2566
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
 __sys_sendmsg net/socket.c:2652 [inline]
 __do_sys_sendmsg net/socket.c:2657 [inline]
 __se_sys_sendmsg net/socket.c:2655 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffa40f8e969
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffa3edf6038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007ffa411b5fa0 RCX: 00007ffa40f8e969
RDX: 0000000000000000 RSI: 0000200000000080 RDI: 0000000000000003
RBP: 00007ffa41010ab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ffa411b5fa0 R15: 00007ffde1ab00f8
 </TASK>

The buggy address belongs to the variable:
 binder_devices+0x8/0x20

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19cdf
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea00006737c8 ffffea00006737c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff99cdf480: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffffff99cdf500: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
>ffffffff99cdf580: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
                                                          ^
 ffffffff99cdf600: 00 00 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff99cdf680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/05/01 21:34 upstream 4f79eaa2ceac 51b137cd .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/01 12:48 upstream 4f79eaa2ceac ce7952f4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/01 10:57 upstream 4f79eaa2ceac ce7952f4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/02 14:24 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci e0f4c8dd9d2d 2bfec9c0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: global-out-of-bounds Read in fib6_clean_node
2025/04/30 23:18 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci e0f4c8dd9d2d ce7952f4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: global-out-of-bounds Read in fib6_clean_node
* Struck through repros no longer work on HEAD.