syzbot |
sign-in | mailing list | source | docs |
================================================================== BUG: KASAN: use-after-free in br_multicast_has_router_adjacent+0x3b3/0x490 net/bridge/br_multicast.c:4820 Read of size 8 at addr ffff888022b6b9a8 by task kworker/u4:6/4281 CPU: 0 PID: 4281 Comm: kworker/u4:6 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 Workqueue: bat_events batadv_mcast_mla_update Call Trace: <TASK> dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106 print_address_description+0x60/0x2d0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0xdf/0x130 mm/kasan/report.c:451 br_multicast_has_router_adjacent+0x3b3/0x490 net/bridge/br_multicast.c:4820 batadv_mcast_mla_rtr_flags_bridge_get net/batman-adv/multicast.c:204 [inline] batadv_mcast_mla_rtr_flags_get net/batman-adv/multicast.c:233 [inline] batadv_mcast_mla_flags_get net/batman-adv/multicast.c:257 [inline] __batadv_mcast_mla_update net/batman-adv/multicast.c:876 [inline] batadv_mcast_mla_update+0x527/0x3150 net/batman-adv/multicast.c:915 process_one_work+0x85f/0x1010 kernel/workqueue.c:2310 worker_thread+0xaa6/0x1290 kernel/workqueue.c:2457 kthread+0x436/0x520 kernel/kthread.c:334 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287 </TASK> Allocated by task 151: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522 kmalloc_reserve net/core/skbuff.c:356 [inline] pskb_expand_head+0x127/0x10f0 net/core/skbuff.c:1709 __skb_cow include/linux/skbuff.h:3406 [inline] skb_cow_head include/linux/skbuff.h:3440 [inline] batadv_skb_head_push+0x162/0x1f0 net/batman-adv/soft-interface.c:73 batadv_send_skb_packet+0xf7/0x5f0 net/batman-adv/send.c:86 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline] batadv_iv_send_outstanding_bat_ogm_packet+0x698/0x840 net/batman-adv/bat_iv_ogm.c:1703 process_one_work+0x85f/0x1010 kernel/workqueue.c:2310 worker_thread+0xaa6/0x1290 kernel/workqueue.c:2457 kthread+0x436/0x520 kernel/kthread.c:334 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287 Freed by task 151: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:46 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:1710 [inline] slab_free_freelist_hook+0xea/0x170 mm/slub.c:1736 slab_free mm/slub.c:3504 [inline] kfree+0xef/0x2a0 mm/slub.c:4564 skb_free_head net/core/skbuff.c:655 [inline] skb_release_data+0x6b8/0x800 net/core/skbuff.c:677 skb_release_all net/core/skbuff.c:742 [inline] __kfree_skb net/core/skbuff.c:756 [inline] kfree_skb_reason+0xaf/0x110 net/core/skbuff.c:776 kfree_skb include/linux/skbuff.h:1118 [inline] __netif_receive_skb_core+0x3116/0x3690 net/core/dev.c:5525 __netif_receive_skb_one_core net/core/dev.c:5549 [inline] __netif_receive_skb+0x74/0x290 net/core/dev.c:5665 process_backlog+0x370/0x790 net/core/dev.c:6542 __napi_poll+0xc0/0x430 net/core/dev.c:7101 napi_poll net/core/dev.c:7168 [inline] net_rx_action+0x4d4/0xa10 net/core/dev.c:7258 handle_softirqs+0x339/0x830 kernel/softirq.c:576 do_softirq+0x142/0x210 kernel/softirq.c:477 __local_bh_enable_ip+0x180/0x1c0 kernel/softirq.c:401 rcu_read_unlock_bh include/linux/rcupdate.h:810 [inline] __dev_queue_xmit+0x1cbf/0x2f80 net/core/dev.c:4341 batadv_send_skb_packet+0x384/0x5f0 net/batman-adv/send.c:108 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline] batadv_iv_send_outstanding_bat_ogm_packet+0x698/0x840 net/batman-adv/bat_iv_ogm.c:1703 process_one_work+0x85f/0x1010 kernel/workqueue.c:2310 worker_thread+0xaa6/0x1290 kernel/workqueue.c:2457 kthread+0x436/0x520 kernel/kthread.c:334 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287 Last potentially related work creation: kasan_save_stack+0x35/0x60 mm/kasan/common.c:38 kasan_record_aux_stack+0xb8/0x100 mm/kasan/generic.c:348 __call_rcu kernel/rcu/tree.c:3011 [inline] call_rcu+0x189/0x950 kernel/rcu/tree.c:3091 br_del_if+0x158/0x3a0 net/bridge/br_if.c:749 do_set_master net/core/rtnetlink.c:2566 [inline] do_setlink+0xf17/0x3d60 net/core/rtnetlink.c:2791 rtnl_group_changelink net/core/rtnetlink.c:3301 [inline] __rtnl_newlink net/core/rtnetlink.c:3465 [inline] rtnl_newlink+0xf8d/0x1a50 net/core/rtnetlink.c:3577 rtnetlink_rcv_msg+0x844/0xf30 net/core/rtnetlink.c:5687 netlink_rcv_skb+0x1f5/0x440 net/netlink/af_netlink.c:2507 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x774/0x920 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8ba/0xbe0 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:706 [inline] __sock_sendmsg net/socket.c:718 [inline] ____sys_sendmsg+0x5b7/0x8f0 net/socket.c:2445 ___sys_sendmsg+0x236/0x2e0 net/socket.c:2499 __sys_sendmsg net/socket.c:2528 [inline] __do_sys_sendmsg net/socket.c:2537 [inline] __se_sys_sendmsg+0x1af/0x290 net/socket.c:2535 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 The buggy address belongs to the object at ffff888022b6b800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 424 bytes inside of 1024-byte region [ffff888022b6b800, ffff888022b6bc00) The buggy address belongs to the page: page:ffffea00008ada00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22b68 head:ffffea00008ada00 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffffea000084fe00 0000000300000003 ffff888016c41dc0 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4194, ts 55628657995, free_ts 55606522626 prep_new_page mm/page_alloc.c:2426 [inline] get_page_from_freelist+0x1bbd/0x1ca0 mm/page_alloc.c:4192 __alloc_pages+0x1ee/0x480 mm/page_alloc.c:5501 alloc_slab_page mm/slub.c:1780 [inline] allocate_slab mm/slub.c:1917 [inline] new_slab+0xc0/0x4b0 mm/slub.c:1980 ___slab_alloc+0x80a/0xdd0 mm/slub.c:3013 __slab_alloc mm/slub.c:3100 [inline] slab_alloc_node mm/slub.c:3191 [inline] __kmalloc_node_track_caller+0x1fc/0x3a0 mm/slub.c:4963 kmalloc_reserve net/core/skbuff.c:356 [inline] __alloc_skb+0x22c/0x750 net/core/skbuff.c:427 alloc_skb include/linux/skbuff.h:1162 [inline] nlmsg_new include/net/netlink.h:964 [inline] rtmsg_fib+0xe7/0x4b0 net/ipv4/fib_semantics.c:520 fib_table_insert+0xd36/0x1bb0 net/ipv4/fib_trie.c:1379 fib_magic+0x2e1/0x3c0 net/ipv4/fib_frontend.c:1106 fib_add_ifaddr+0x3f7/0x5e0 net/ipv4/fib_frontend.c:1150 fib_netdev_event+0x35c/0x480 net/ipv4/fib_frontend.c:1488 notifier_call_chain kernel/notifier.c:83 [inline] raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:391 call_netdevice_notifiers_extack net/core/dev.c:2074 [inline] call_netdevice_notifiers net/core/dev.c:2088 [inline] __dev_notify_flags+0x194/0x300 net/core/dev.c:8917 dev_change_flags+0xe3/0x1a0 net/core/dev.c:8955 do_setlink+0xcdb/0x3d60 net/core/rtnetlink.c:2784 __rtnl_newlink net/core/rtnetlink.c:3455 [inline] rtnl_newlink+0x1658/0x1a50 net/core/rtnetlink.c:3577 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1340 [inline] free_pcp_prepare mm/page_alloc.c:1391 [inline] free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317 free_unref_page+0x8f/0x2a0 mm/page_alloc.c:3396 qlist_free_all+0x35/0x90 mm/kasan/quarantine.c:176 kasan_quarantine_reduce+0x150/0x160 mm/kasan/quarantine.c:283 __kasan_slab_alloc+0x2f/0xd0 mm/kasan/common.c:444 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519 slab_alloc_node mm/slub.c:3225 [inline] kmem_cache_alloc_node+0x12d/0x2d0 mm/slub.c:3261 __alloc_skb+0xf4/0x750 net/core/skbuff.c:415 alloc_skb include/linux/skbuff.h:1162 [inline] alloc_skb_with_frags+0xa7/0x730 net/core/skbuff.c:6170 sock_alloc_send_pskb+0x87f/0x9a0 net/core/sock.c:2536 unix_dgram_sendmsg+0x5fc/0x18a0 net/unix/af_unix.c:1809 sock_sendmsg_nosec net/socket.c:706 [inline] __sock_sendmsg net/socket.c:718 [inline] __sys_sendto+0x46d/0x620 net/socket.c:2072 __do_sys_sendto net/socket.c:2084 [inline] __se_sys_sendto net/socket.c:2080 [inline] __x64_sys_sendto+0xda/0xf0 net/socket.c:2080 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 Memory state around the buggy address: ffff888022b6b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888022b6b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888022b6b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888022b6ba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888022b6ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/05/06 01:49 | linux-5.15.y | ef251c45f1cd | 26da2c66 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | KASAN: use-after-free Read in br_multicast_has_router_adjacent |