syzbot


KASAN: slab-use-after-free Read in __netif_receive_skb_core

Status: closed as invalid on 2025/09/01 08:24
Subsystems: net
First crash: 35d, last: 35d
Similar bugs (8)

Kernel | Title [subsystem labels] | Rank | Repro | Bisect | Count | Last | Reported | Patched | Status
upstream | KMSAN: uninit-value in __netif_receive_skb_core [wireguard, wireless] | 19 | C | done | 353 | 732d | 2701d | 23/29 | fixed on 2023/10/12 12:47
upstream | KMSAN: uninit-value in __netif_receive_skb_core (4) [bpf, net] | 7 | - | - | 1 | 243d | 243d | 0/29 | auto-obsoleted due to no activity on 2025/04/11 03:48
android-6-1 | KASAN: use-after-free Read in __netif_receive_skb_core | 19 | - | - | 1 | 131d | 131d | 0/2 | auto-obsoleted due to no activity on 2025/07/24 04:19
upstream | KMSAN: uninit-value in __netif_receive_skb_core (2) [bpf, net] | 7 | - | - | 22 | 506d | 600d | 0/29 | closed as invalid on 2024/05/28 18:05
linux-4.19 | KASAN: use-after-free Read in __netif_receive_skb_core | 19 | syz | error | 20 | 1250d | 1791d | 0/1 | upstream: reported syz repro on 2020/10/08 04:31
upstream | KASAN: null-ptr-deref Read in __netif_receive_skb_core [wireguard] | 11 | - | - | 8 | 940d | 1219d | 0/29 | auto-obsoleted due to no activity on 2023/05/19 08:04
linux-4.14 | KASAN: use-after-free Read in __netif_receive_skb_core | 19 | syz | error | 19 | 1518d | 1936d | 0/1 | upstream: reported syz repro on 2020/05/16 19:24
upstream | KMSAN: uninit-value in __netif_receive_skb_core (3) [bpf, net] | 7 | - | - | 3 | 291d | 299d | 0/29 | closed as invalid on 2024/12/17 17:57

Sample crash report:
==================================================================
BUG: KASAN: slab-use-after-free in skb_zcopy include/linux/skbuff.h:1745 [inline]
BUG: KASAN: slab-use-after-free in skb_orphan_frags_rx include/linux/skbuff.h:3335 [inline]
BUG: KASAN: slab-use-after-free in __netif_receive_skb_core+0x3e04/0x4180 net/core/dev.c:5942
Read of size 1 at addr ffff8880495bc800 by task kworker/u8:0/12

CPU: 1 UID: 0 PID: 12 Comm: kworker/u8:0 Not tainted 6.16.0-rc7-syzkaller-00100-gafd8c2c9e2e2 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: events_unbound nsim_dev_trap_report_work
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 skb_zcopy include/linux/skbuff.h:1745 [inline]
 skb_orphan_frags_rx include/linux/skbuff.h:3335 [inline]
 __netif_receive_skb_core+0x3e04/0x4180 net/core/dev.c:5942
 __netif_receive_skb_one_core net/core/dev.c:5975 [inline]
 __netif_receive_skb+0x72/0x380 net/core/dev.c:6090
 process_backlog+0x60e/0x14f0 net/core/dev.c:6442
 __napi_poll+0xc7/0x480 net/core/dev.c:7414
 napi_poll net/core/dev.c:7478 [inline]
 net_rx_action+0x707/0xe30 net/core/dev.c:7605
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 do_softirq+0xec/0x180 kernel/softirq.c:480
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
 nsim_dev_trap_report_work+0x7c7/0xb80 drivers/net/netdevsim/dev.c:851
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 15730:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_node_noprof+0x1bb/0x3c0 mm/slub.c:4249
 kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:579
 __alloc_skb+0x142/0x2d0 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1336 [inline]
 ndisc_alloc_skb+0x9f/0x480 net/ipv6/ndisc.c:423
 ndisc_send_rs+0x2b5/0x630 net/ipv6/ndisc.c:707
 addrconf_rs_timer+0x369/0x670 net/ipv6/addrconf.c:4036
 call_timer_fn+0x17b/0x5f0 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Freed by task 12:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kmem_cache_free+0x18f/0x400 mm/slub.c:4745
 pskb_expand_head+0x382/0x1150 net/core/skbuff.c:2273
 netif_skb_check_for_xdp net/core/dev.c:5339 [inline]
 netif_receive_generic_xdp net/core/dev.c:5370 [inline]
 do_xdp_generic+0x8c5/0x11a0 net/core/dev.c:5438
 __netif_receive_skb_core+0x1823/0x4180 net/core/dev.c:5788
 __netif_receive_skb_one_core net/core/dev.c:5975 [inline]
 __netif_receive_skb+0x72/0x380 net/core/dev.c:6090
 netif_receive_skb_internal net/core/dev.c:6176 [inline]
 netif_receive_skb+0x1cb/0x790 net/core/dev.c:6235
 NF_HOOK+0x9d/0x390 include/linux/netfilter.h:318
 br_handle_frame_finish+0x14d1/0x19b0 net/bridge/br_input.c:-1
 br_nf_hook_thresh+0x3c6/0x4a0 net/bridge/br_netfilter_hooks.c:-1
 br_nf_pre_routing_finish_ipv6+0x948/0xd00 net/bridge/br_netfilter_ipv6.c:-1
 NF_HOOK include/linux/netfilter.h:317 [inline]
 br_nf_pre_routing_ipv6+0x37e/0x6b0 net/bridge/br_netfilter_ipv6.c:184
 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:283 [inline]
 br_handle_frame+0x97f/0x14c0 net/bridge/br_input.c:434
 __netif_receive_skb_core+0x10e1/0x4180 net/core/dev.c:5863
 __netif_receive_skb_one_core net/core/dev.c:5975 [inline]
 __netif_receive_skb+0x72/0x380 net/core/dev.c:6090
 process_backlog+0x60e/0x14f0 net/core/dev.c:6442
 __napi_poll+0xc7/0x480 net/core/dev.c:7414
 napi_poll net/core/dev.c:7478 [inline]
 net_rx_action+0x707/0xe30 net/core/dev.c:7605
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 do_softirq+0xec/0x180 kernel/softirq.c:480
 __local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
 nsim_dev_trap_report_work+0x7c7/0xb80 drivers/net/netdevsim/dev.c:851
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff8880495bc680
 which belongs to the cache skbuff_small_head of size 704
The buggy address is located 384 bytes inside of
 freed 704-byte region [ffff8880495bc680, ffff8880495bc940)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x495bc
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801e6b5b40 ffffea0000c41200 dead000000000004
raw: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801e6b5b40 ffffea0000c41200 dead000000000004
head: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0001256f01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 13723, tgid 13719 (syz.2.2142), ts 293818726095, free_ts 285269161565
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab+0x8a/0x3b0 mm/slub.c:2619
 new_slab mm/slub.c:2673 [inline]
 ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 kmem_cache_alloc_node_noprof+0x280/0x3c0 mm/slub.c:4249
 kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:579
 __alloc_skb+0x142/0x2d0 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1336 [inline]
 nlmsg_new include/net/netlink.h:1041 [inline]
 netlink_ack+0x146/0xa50 net/netlink/af_netlink.c:2489
 netlink_rcv_skb+0x28c/0x470 net/netlink/af_netlink.c:2558
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:727
 sock_write_iter+0x258/0x330 net/socket.c:1131
 do_iter_readv_writev+0x56b/0x7f0 fs/read_write.c:-1
page last free pid 5933 tgid 5933 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
 kasan_depopulate_vmalloc_pte+0x74/0xa0 mm/kasan/shadow.c:472
 apply_to_pte_range mm/memory.c:3032 [inline]
 apply_to_pmd_range mm/memory.c:3076 [inline]
 apply_to_pud_range mm/memory.c:3112 [inline]
 apply_to_p4d_range mm/memory.c:3148 [inline]
 __apply_to_page_range+0xb92/0x1380 mm/memory.c:3184
 kasan_release_vmalloc+0xa2/0xd0 mm/kasan/shadow.c:593
 kasan_release_vmalloc_node mm/vmalloc.c:2249 [inline]
 purge_vmap_node+0x214/0x8f0 mm/vmalloc.c:2266
 __purge_vmap_area_lazy+0x7a4/0xb40 mm/vmalloc.c:2356
 drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2390
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff8880495bc700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880495bc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880495bc800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880495bc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880495bc900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
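Before reading the stacks, the object, offset and shadow-memory lines of a report like the one above can be cross-checked mechanically: the access address minus the object base must equal the stated offset, the freed region must coincide with the cache object, the shadow byte under the faulting address must be 0xfb (freed slab object) for a slab-use-after-free, and the 0xfc slab redzone must begin exactly at the region's end. The Python below is an added example for this page, not syzbot or kernel code. SAMPLE_REPORT is a constructed excerpt of the report above (BUG header, access line, object and region lines, and three shadow rows); SHADOW_CLASS holds only the generic-KASAN shadow values the check needs (0xfb freed slab object, 0xfc slab redzone, 0xff freed page, 0xf1..0xf3 stack redzones); the function names and the EXPECTED_SHADOW table are this example's own.

```python
"""Cross-check the object, offset and shadow-memory lines of a KASAN slab report.
Added example, not syzbot or kernel code. SAMPLE_REPORT is a constructed excerpt
of the report on this page; SHADOW_CLASS is a subset of generic-KASAN shadow values."""
import re

SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in skb_zcopy include/linux/skbuff.h:1745 [inline]
BUG: KASAN: slab-use-after-free in __netif_receive_skb_core+0x3e04/0x4180 net/core/dev.c:5942
Read of size 1 at addr ffff8880495bc800 by task kworker/u8:0/12

The buggy address belongs to the object at ffff8880495bc680
 which belongs to the cache skbuff_small_head of size 704
The buggy address is located 384 bytes inside of
 freed 704-byte region [ffff8880495bc680, ffff8880495bc940)

Memory state around the buggy address:
>ffff8880495bc800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880495bc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880495bc900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

SHADOW_SCALE = 8  # generic KASAN: one shadow byte per 8-byte granule
SHADOW_CLASS = {0x00: "addressable", 0xfb: "freed-slab", 0xfc: "slab-redzone",
                0xff: "freed-page", 0xf1: "stack-redzone", 0xf2: "stack-redzone",
                0xf3: "stack-redzone"}
# Shadow classes the faulting address must carry for a given reported bug kind (example's own table).
EXPECTED_SHADOW = {"slab-use-after-free": {"freed-slab"},
                   "slab-out-of-bounds": {"slab-redzone", "partially-addressable"}}

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<where>.+)$", re.M)
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)", re.M)
OBJECT_RE = re.compile(r"object at (?P<base>[0-9a-f]+)\n\s*which belongs to the cache "
                       r"(?P<cache>\S+) of size (?P<size>\d+)")
REGION_RE = re.compile(r"located (?P<off>\d+) bytes inside of\n\s*(?P<state>\w+) "
                       r"(?P<size>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})", re.M)


def parse_report(text):
    """Extract header, object, region and shadow facts; raises on a non-slab report."""
    bugs = BUG_RE.findall(text)
    acc, obj, reg = ACCESS_RE.search(text), OBJECT_RE.search(text), REGION_RE.search(text)
    if not (bugs and acc and obj and reg):
        raise ValueError("not a KASAN slab report with object and region lines")
    return {
        "kind": bugs[0][0], "frames": [where for _, where in bugs],  # innermost first
        "op": acc["op"], "access_size": int(acc["size"]),
        "addr": int(acc["addr"], 16), "task": acc["task"],
        "object_base": int(obj["base"], 16), "cache": obj["cache"],
        "cache_size": int(obj["size"]), "offset": int(reg["off"]),
        "region_state": reg["state"], "region_size": int(reg["size"]),
        "region_start": int(reg["start"], 16), "region_end": int(reg["end"], 16),
        # shadow rows keyed by the first memory address each row describes
        "shadow": {int(b, 16): [int(x, 16) for x in row.split()]
                   for b, row in SHADOW_RE.findall(text)},
    }


def shadow_byte(report, addr):
    """Shadow byte covering addr from the dumped rows, or None if not dumped."""
    for base, row in report["shadow"].items():
        if base <= addr < base + len(row) * SHADOW_SCALE:
            return row[(addr - base) // SHADOW_SCALE]
    return None


def shadow_class(value):
    if value is None:
        return "not-dumped"
    if 1 <= value <= 7:  # only the first `value` bytes of the granule are addressable
        return "partially-addressable"
    return SHADOW_CLASS.get(value, "unknown-0x%02x" % value)


def cross_check(report):
    """Tie the report's numbers together; returns [(description, ok), ...]."""
    r = report
    at_addr = shadow_class(shadow_byte(r, r["addr"]))
    past_end = shadow_class(shadow_byte(r, r["region_end"]))
    return [
        ("offset equals addr - object base", r["addr"] - r["object_base"] == r["offset"]),
        ("region starts at the object base", r["region_start"] == r["object_base"]),
        ("region size equals cache object size",
         r["region_end"] - r["region_start"] == r["region_size"] == r["cache_size"]),
        ("access lies inside the region",
         r["region_start"] <= r["addr"] and r["addr"] + r["access_size"] <= r["region_end"]),
        ("shadow under addr agrees with bug kind",
         at_addr in EXPECTED_SHADOW.get(r["kind"], {at_addr})),
        ("shadow past region end is a slab redzone", past_end in ("slab-redzone", "not-dumped")),
    ]


def triage(text):
    """Return (parsed report, names of failed cross-checks)."""
    r = parse_report(text)
    return r, [name for name, ok in cross_check(r) if not ok]


if __name__ == "__main__":
    r, failed = triage(SAMPLE_REPORT)
    print("%s: %s of %d byte(s) at +%d into %s %s object; failed checks: %s"
          % (r["kind"], r["op"], r["access_size"], r["offset"], r["region_state"],
             r["cache"], failed or "none"))
```

Feeding the complete report text to triage() works the same way: the stack traces and page dump simply do not match any of the patterns. On the report above every check passes, which is what one expects from a genuine use-after-free of the skb head: the 0xfb rows span the whole 704-byte skbuff_small_head object and the 0xfc redzone starts exactly at ffff8880495bc940, so the disagreement that led to the "invalid" status has to be found in the stacks (the free in pskb_expand_head under do_xdp_generic versus the later skb_zcopy read), not in the memory layout.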

Crashes (1):

Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2025/07/30 10:03 | net | afd8c2c9e2e2 | f8f2b4da | .config | console log | report | - | - | info | disk image, vmlinux, kernel image | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in __netif_receive_skb_core