Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
---|---|---|---|---|---|---|---|---|---
upstream | KASAN: slab-use-after-free Read in fib6_add net | | | | 12 | 29d | 41d | 0/29 | upstream: reported on 2025/05/21 02:51
syzbot
```
==================================================================
BUG: KASAN: slab-use-after-free in hlist_add_head include/linux/list.h:1034 [inline]
BUG: KASAN: slab-use-after-free in fib6_add+0x42a7/0x4700 net/ipv6/ip6_fib.c:1490
Write of size 8 at addr ffff888000cce440 by task syz-executor.1/1220

CPU: 2 PID: 1220 Comm: syz-executor.1 Not tainted 6.6.0-syzkaller-12401-g8f6f76a6a29f #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 hlist_add_head include/linux/list.h:1034 [inline]
 fib6_add+0x42a7/0x4700 net/ipv6/ip6_fib.c:1490
 __ip6_ins_rt net/ipv6/route.c:1303 [inline]
 ip6_route_add+0x8d/0x150 net/ipv6/route.c:3847
 rt6_add_dflt_router+0x24b/0x480 net/ipv6/route.c:4375
 ndisc_router_discovery+0xa26/0x3550 net/ipv6/ndisc.c:1384
 ndisc_rcv+0x3de/0x5f0 net/ipv6/ndisc.c:1856
 icmpv6_rcv+0x10cb/0x1750 net/ipv6/icmp.c:979
 ip6_protocol_deliver_rcu+0x33b/0x13d0 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x14f/0x2f0 net/ipv6/ip6_input.c:483
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip6_input+0xce/0x440 net/ipv6/ip6_input.c:492
 ip6_mc_input+0x48b/0xf40 net/ipv6/ip6_input.c:586
 dst_input include/net/dst.h:461 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ipv6_rcv+0x563/0x720 net/ipv6/ip6_input.c:310
 __netif_receive_skb_one_core+0x115/0x180 net/core/dev.c:5527
 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5641
 netif_receive_skb_internal net/core/dev.c:5727 [inline]
 netif_receive_skb+0x133/0x700 net/core/dev.c:5786
 tun_rx_batched+0x429/0x780 drivers/net/tun.c:1579
 tun_get_user+0x29e3/0x3bc0 drivers/net/tun.c:2002
 tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2048
 call_write_iter include/linux/fs.h:2020 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x64f/0xdf0 fs/read_write.c:584
 ksys_write+0x12f/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fa322a7b82f
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 b9 80 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 0c 81 02 00 48
RSP: 002b:00007fa323764090 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fa322b9bf80 RCX: 00007fa322a7b82f
RDX: 00000000000003b6 RSI: 0000000020000600 RDI: 00000000000000c8
RBP: 00007fa322ac847a R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000003b6 R11: 0000000000000293 R12: 0000000000000000
R13: 000000000000000b R14: 00007fa322b9bf80 R15: 00007ffcc44ee8b8
 </TASK>

Allocated by task 1208:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1007 [inline]
 __kmalloc+0x60/0x100 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 fib6_info_alloc+0x40/0x160 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x337/0x1e70 net/ipv6/route.c:3749
 ip6_route_add+0x26/0x150 net/ipv6/route.c:3843
 rt6_add_dflt_router+0x24b/0x480 net/ipv6/route.c:4375
 ndisc_router_discovery+0xa26/0x3550 net/ipv6/ndisc.c:1384
 ndisc_rcv+0x3de/0x5f0 net/ipv6/ndisc.c:1856
 icmpv6_rcv+0x10cb/0x1750 net/ipv6/icmp.c:979
 ip6_protocol_deliver_rcu+0x33b/0x13d0 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x14f/0x2f0 net/ipv6/ip6_input.c:483
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip6_input+0xce/0x440 net/ipv6/ip6_input.c:492
 ip6_mc_input+0x48b/0xf40 net/ipv6/ip6_input.c:586
 dst_input include/net/dst.h:461 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ipv6_rcv+0x563/0x720 net/ipv6/ip6_input.c:310
 __netif_receive_skb_one_core+0x115/0x180 net/core/dev.c:5527
 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5641
 netif_receive_skb_internal net/core/dev.c:5727 [inline]
 netif_receive_skb+0x133/0x700 net/core/dev.c:5786
 tun_rx_batched+0x429/0x780 drivers/net/tun.c:1579
 tun_get_user+0x29e3/0x3bc0 drivers/net/tun.c:2002
 tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2048
 call_write_iter include/linux/fs.h:2020 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x64f/0xdf0 fs/read_write.c:584
 ksys_write+0x12f/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Freed by task 0:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x138/0x190 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:164 [inline]
 __cache_free mm/slab.c:3370 [inline]
 __do_kmem_cache_free mm/slab.c:3557 [inline]
 __kmem_cache_free+0xcc/0x3d0 mm/slab.c:3564
 rcu_do_batch kernel/rcu/tree.c:2153 [inline]
 rcu_core+0x830/0x1c50 kernel/rcu/tree.c:2417
 __do_softirq+0x21a/0x968 kernel/softirq.c:553

Last potentially related work creation:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:492
 __call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2667
 fib6_info_release include/net/ip6_fib.h:332 [inline]
 fib6_info_release include/net/ip6_fib.h:329 [inline]
 ndisc_router_discovery+0x2820/0x3550 net/ipv6/ndisc.c:1599
 ndisc_rcv+0x3de/0x5f0 net/ipv6/ndisc.c:1856
 icmpv6_rcv+0x10cb/0x1750 net/ipv6/icmp.c:979
 ip6_protocol_deliver_rcu+0x33b/0x13d0 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x14f/0x2f0 net/ipv6/ip6_input.c:483
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip6_input+0xce/0x440 net/ipv6/ip6_input.c:492
 ip6_mc_input+0x48b/0xf40 net/ipv6/ip6_input.c:586
 dst_input include/net/dst.h:461 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ipv6_rcv+0x563/0x720 net/ipv6/ip6_input.c:310
 __netif_receive_skb_one_core+0x115/0x180 net/core/dev.c:5527
 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5641
 netif_receive_skb_internal net/core/dev.c:5727 [inline]
 netif_receive_skb+0x133/0x700 net/core/dev.c:5786
 tun_rx_batched+0x429/0x780 drivers/net/tun.c:1579
 tun_get_user+0x29e3/0x3bc0 drivers/net/tun.c:2002
 tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2048
 call_write_iter include/linux/fs.h:2020 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x64f/0xdf0 fs/read_write.c:584
 ksys_write+0x12f/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Second to last potentially related work creation:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:492
 __call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2667
 in_dev_finish_destroy+0x15c/0x1d0 net/ipv4/devinet.c:258
 in_dev_put include/linux/inetdevice.h:279 [inline]
 inetdev_destroy net/ipv4/devinet.c:332 [inline]
 inetdev_event+0x1660/0x1980 net/ipv4/devinet.c:1623
 notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
 call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1965
 call_netdevice_notifiers_extack net/core/dev.c:2003 [inline]
 call_netdevice_notifiers net/core/dev.c:2017 [inline]
 unregister_netdevice_many_notify+0x858/0x1980 net/core/dev.c:10983
 ip6gre_exit_batch_net+0x40d/0x5b0 net/ipv6/ip6_gre.c:1643
 ops_exit_list+0x125/0x170 net/core/net_namespace.c:175
 cleanup_net+0x505/0xb20 net/core/net_namespace.c:614
 process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
 process_scheduled_works kernel/workqueue.c:2703 [inline]
 worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
 kthread+0x33c/0x440 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

The buggy address belongs to the object at ffff888000cce400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 64 bytes inside of
 freed 512-byte region [ffff888000cce400, ffff888000cce600)

The buggy address belongs to the physical page:
page:ffffea0000033380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xcce
flags: 0x7ff00000000800(slab|node=0|zone=0|lastcpupid=0x7ff)
page_type: 0x4()
raw: 007ff00000000800 ffff888013040600 ffffea000156ee90 ffffea00018e1b90
raw: 0000000000000000 ffff888000cce000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 5202, tgid 5202 (syz-executor.1), ts 142600045742, free_ts 0
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0xa25/0x36c0 mm/page_alloc.c:3312
 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4568
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 kmem_getpages mm/slab.c:1356 [inline]
 cache_grow_begin+0x99/0x3a0 mm/slab.c:2550
 cache_alloc_refill+0x294/0x3a0 mm/slab.c:2923
 ____cache_alloc mm/slab.c:2999 [inline]
 ____cache_alloc mm/slab.c:2982 [inline]
 __do_cache_alloc mm/slab.c:3182 [inline]
 slab_alloc_node mm/slab.c:3230 [inline]
 __kmem_cache_alloc_node+0x3ba/0x460 mm/slab.c:3521
 kmalloc_trace+0x25/0xe0 mm/slab_common.c:1098
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 inetdev_init+0x66/0x570 net/ipv4/devinet.c:269
 inetdev_event+0x1185/0x1980 net/ipv4/devinet.c:1555
 notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
 call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1965
 call_netdevice_notifiers_extack net/core/dev.c:2003 [inline]
 call_netdevice_notifiers net/core/dev.c:2017 [inline]
 register_netdevice+0xf98/0x14a0 net/core/dev.c:10197
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:343 [inline]
 nsim_create+0x46f/0x600 drivers/net/netdevsim/netdev.c:395
 __nsim_dev_port_add+0x494/0x8a0 drivers/net/netdevsim/dev.c:1390
 nsim_dev_port_add_all drivers/net/netdevsim/dev.c:1446 [inline]
 nsim_drv_probe+0xdbb/0x1490 drivers/net/netdevsim/dev.c:1604
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888000cce300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888000cce380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888000cce400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888000cce480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888000cce500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
```
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title
---|---|---|---|---|---|---|---|---|---|---|---|---
2023/11/03 23:22 | upstream | 8f6f76a6a29f | 500bfdc4 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Write in fib6_add
2023/11/02 19:24 | git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes | 3fec323339a4 | b5f07fd3 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-riscv64 | KASAN: slab-use-after-free Write in fib6_add