syzbot |
sign-in | mailing list | source | docs | 🏰 |
================================================================== BUG: KASAN: slab-use-after-free in inet_frag_queue_insert+0x97b/0xc30 net/ipv4/inet_fragment.c:448 Read of size 4 at addr ffff88804fff9d0c by task kworker/u32:63/7009 CPU: 0 UID: 0 PID: 7009 Comm: kworker/u32:63 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: events_unbound cfg80211_wiphy_work Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x156/0x4c9 mm/kasan/report.c:482 kasan_report+0xdf/0x1e0 mm/kasan/report.c:595 inet_frag_queue_insert+0x97b/0xc30 net/ipv4/inet_fragment.c:448 ip6_frag_queue net/ipv6/reassembly.c:194 [inline] ipv6_frag_rcv+0x164f/0x4390 net/ipv6/reassembly.c:387 ip6_protocol_deliver_rcu+0xf8e/0x1500 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1e4/0x4a0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500 ip6_mc_input+0x513/0xf50 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:480 [inline] dst_input include/net/dst.h:478 [inline] ip6_rcv_finish+0x3b1/0x550 net/ipv6/ip6_input.c:79 ip_sabotage_in+0x21e/0x290 net/bridge/br_netfilter_hooks.c:990 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline] nf_hook_slow+0xbf/0x220 net/netfilter/core.c:623 nf_hook.constprop.0+0x2a6/0x750 include/linux/netfilter.h:273 NF_HOOK include/linux/netfilter.h:316 [inline] ipv6_rcv+0xa4/0x610 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:6156 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6269 netif_receive_skb_internal net/core/dev.c:6355 [inline] netif_receive_skb+0x139/0x820 net/core/dev.c:6414 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] br_pass_frame_up+0x346/0x490 net/bridge/br_input.c:70 br_handle_frame_finish+0x84f/0x1f00 net/bridge/br_input.c:235 br_nf_hook_thresh+0x30d/0x420 net/bridge/br_netfilter_hooks.c:1167 br_nf_pre_routing_finish_ipv6+0x769/0xfb0 net/bridge/br_netfilter_ipv6.c:154 NF_HOOK include/linux/netfilter.h:318 [inline] br_nf_pre_routing_ipv6+0x39c/0x8b0 net/bridge/br_netfilter_ipv6.c:184 br_nf_pre_routing+0x93b/0x1510 net/bridge/br_netfilter_hooks.c:508 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline] nf_hook_bridge_pre net/bridge/br_input.c:291 [inline] br_handle_frame+0xcdd/0x1520 net/bridge/br_input.c:442 __netif_receive_skb_core.constprop.0+0x6c5/0x3550 net/core/dev.c:6043 __netif_receive_skb_one_core+0xb0/0x1e0 net/core/dev.c:6154 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6269 process_backlog+0x37a/0x1580 net/core/dev.c:6620 __napi_poll.constprop.0+0xaf/0x450 net/core/dev.c:7684 napi_poll net/core/dev.c:7747 [inline] net_rx_action+0xa40/0xf20 net/core/dev.c:7899 handle_softirqs+0x1eb/0x9e0 kernel/softirq.c:622 do_softirq kernel/softirq.c:523 [inline] do_softirq+0xac/0xe0 kernel/softirq.c:510 </IRQ> <TASK> __local_bh_enable_ip+0xf8/0x120 kernel/softirq.c:450 spin_unlock_bh include/linux/spinlock.h:395 [inline] cfg80211_inform_single_bss_data+0x959/0x1e20 net/wireless/scan.c:2388 cfg80211_inform_bss_data+0x237/0x3a00 net/wireless/scan.c:3226 cfg80211_inform_bss_frame_data+0x247/0x790 net/wireless/scan.c:3317 ieee80211_bss_info_update+0x310/0xab0 net/mac80211/scan.c:230 ieee80211_rx_bss_info net/mac80211/ibss.c:1094 [inline] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1575 [inline] ieee80211_ibss_rx_queued_mgmt+0x1919/0x2f80 net/mac80211/ibss.c:1602 ieee80211_iface_process_skb net/mac80211/iface.c:1748 [inline] ieee80211_iface_work+0xbff/0x13d0 net/mac80211/iface.c:1802 cfg80211_wiphy_work+0x446/0x5c0 net/wireless/core.c:440 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 6513: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4501 [inline] slab_alloc_node mm/slub.c:4830 [inline] kmem_cache_alloc_noprof+0x241/0x6e0 mm/slub.c:4837 skb_clone+0x190/0x400 net/core/skbuff.c:2120 deliver_clone net/bridge/br_forward.c:125 [inline] maybe_deliver+0xd4/0x180 net/bridge/br_forward.c:191 br_flood+0x193/0x650 net/bridge/br_forward.c:238 br_handle_frame_finish+0xf57/0x1f00 net/bridge/br_input.c:229 br_nf_hook_thresh+0x30d/0x420 net/bridge/br_netfilter_hooks.c:1167 br_nf_pre_routing_finish_ipv6+0x769/0xfb0 net/bridge/br_netfilter_ipv6.c:154 NF_HOOK include/linux/netfilter.h:318 [inline] br_nf_pre_routing_ipv6+0x39c/0x8b0 net/bridge/br_netfilter_ipv6.c:184 br_nf_pre_routing+0x93b/0x1510 net/bridge/br_netfilter_hooks.c:508 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline] nf_hook_bridge_pre net/bridge/br_input.c:291 [inline] br_handle_frame+0xcdd/0x1520 net/bridge/br_input.c:442 __netif_receive_skb_core.constprop.0+0x6c5/0x3550 net/core/dev.c:6043 __netif_receive_skb_one_core+0xb0/0x1e0 net/core/dev.c:6154 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6269 process_backlog+0x37a/0x1580 net/core/dev.c:6620 __napi_poll.constprop.0+0xaf/0x450 net/core/dev.c:7684 napi_poll net/core/dev.c:7747 [inline] net_rx_action+0xa40/0xf20 net/core/dev.c:7899 handle_softirqs+0x1eb/0x9e0 kernel/softirq.c:622 do_softirq kernel/softirq.c:523 [inline] do_softirq+0xac/0xe0 kernel/softirq.c:510 __local_bh_enable_ip+0xf8/0x120 kernel/softirq.c:450 spin_unlock_bh include/linux/spinlock.h:395 [inline] ieee80211_ibss_work+0x382/0x1050 net/mac80211/ibss.c:1662 ieee80211_iface_work+0xc13/0x13d0 net/mac80211/iface.c:1824 cfg80211_wiphy_work+0x446/0x5c0 net/wireless/core.c:440 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6996: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2687 [inline] slab_free mm/slub.c:6124 [inline] kmem_cache_free+0x124/0x6a0 mm/slub.c:6254 kfree_skbmem+0x19a/0x210 net/core/skbuff.c:1151 __kfree_skb net/core/skbuff.c:1218 [inline] sk_skb_reason_drop+0x10f/0x1b0 net/core/skbuff.c:1255 kfree_skb_reason include/linux/skbuff.h:1322 [inline] inet_frag_rbtree_purge+0xf0/0x150 net/ipv4/inet_fragment.c:316 inet_frag_queue_flush net/ipv4/inet_fragment.c:329 [inline] fqdir_pre_exit+0x198/0x270 net/ipv4/inet_fragment.c:247 ops_pre_exit_list net/core/net_namespace.c:161 [inline] ops_undo_list+0x187/0xab0 net/core/net_namespace.c:234 cleanup_net+0x499/0x920 net/core/net_namespace.c:704 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to the object at ffff88804fff9cc0 which belongs to the cache skbuff_head_cache of size 240 The buggy address is located 76 bytes inside of freed 240-byte region [ffff88804fff9cc0, ffff88804fff9db0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4fff8 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801c3523c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000190019 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88801c3523c0 dead000000000100 dead000000000122 head: 0000000000000000 0000000000190019 00000000f5000000 0000000000000000 head: 00fff00000000001 ffffea00013ffe01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 5993, tgid 5993 (kworker/1:4), ts 674350180835, free_ts 660272621779 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889 prep_new_page mm/page_alloc.c:1897 [inline] get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2484 alloc_slab_page mm/slub.c:3253 [inline] allocate_slab mm/slub.c:3444 [inline] new_slab+0x43a/0x6d0 mm/slub.c:3502 ___slab_alloc+0x2a0/0x850 mm/slub.c:4376 __slab_alloc_node mm/slub.c:4442 [inline] slab_alloc_node mm/slub.c:4818 [inline] kmem_cache_alloc_noprof+0x360/0x6e0 mm/slub.c:4837 skb_clone+0x190/0x400 net/core/skbuff.c:2120 deliver_clone net/bridge/br_forward.c:125 [inline] maybe_deliver+0xd4/0x180 net/bridge/br_forward.c:191 br_flood+0x193/0x650 net/bridge/br_forward.c:238 br_handle_frame_finish+0xf57/0x1f00 net/bridge/br_input.c:229 br_nf_hook_thresh+0x30d/0x420 net/bridge/br_netfilter_hooks.c:1167 br_nf_pre_routing_finish_ipv6+0x769/0xfb0 net/bridge/br_netfilter_ipv6.c:154 NF_HOOK include/linux/netfilter.h:318 [inline] br_nf_pre_routing_ipv6+0x39c/0x8b0 net/bridge/br_netfilter_ipv6.c:184 br_nf_pre_routing+0x93b/0x1510 net/bridge/br_netfilter_hooks.c:508 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline] nf_hook_bridge_pre net/bridge/br_input.c:291 [inline] br_handle_frame+0xcdd/0x1520 net/bridge/br_input.c:442 page last free pid 5637 tgid 5637 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xe0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4501 [inline] slab_alloc_node mm/slub.c:4830 [inline] kmem_cache_alloc_node_noprof+0x25a/0x6f0 mm/slub.c:4882 __alloc_skb+0x140/0x710 net/core/skbuff.c:702 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0xe0/0x810 net/core/skbuff.c:6750 sock_alloc_send_pskb+0x801/0x980 net/core/sock.c:2995 unix_dgram_sendmsg+0x3c7/0x1820 net/unix/af_unix.c:2125 unix_seqpacket_sendmsg+0x12a/0x1d0 net/unix/af_unix.c:2526 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x566/0x610 net/socket.c:1195 do_iter_readv_writev+0x6ee/0x920 fs/read_write.c:829 vfs_writev+0x360/0xe10 fs/read_write.c:1059 do_writev+0x28a/0x340 fs/read_write.c:1105 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88804fff9c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc ffff88804fff9c80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb >ffff88804fff9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88804fff9d80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc ffff88804fff9e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/02/24 16:48 | upstream | 7dff99b35460 | 96b1aa46 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in inet_frag_queue_insert |