syzbot


KASAN: global-out-of-bounds Read in fib6_clean_node (2)

Status: upstream: reported on 2025/05/01 14:38
Subsystems: net
Reported-by: syzbot+ef84446be20ce6c5e514@syzkaller.appspotmail.com
First crash: 16d, last: 4d01h
Discussions (1)
Title | Replies (including bot) | Last reply
[syzbot] [net?] KASAN: global-out-of-bounds Read in fib6_clean_node (2) | 0 (1) | 2025/05/01 14:38
Similar bugs (1)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KASAN: global-out-of-bounds Read in fib6_clean_node (net) | | | | 4 | 63d | 65d | 0/28 | closed as invalid on 2025/04/08 14:38

Sample crash report:
netdevsim netdevsim6 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
==================================================================
BUG: KASAN: global-out-of-bounds in fib6_clean_node+0x35d/0x590 net/ipv6/ip6_fib.c:2198
Read of size 8 at addr ffffffff99d16868 by task kworker/u8:9/5987

CPU: 0 UID: 0 PID: 5987 Comm: kworker/u8:9 Not tainted 6.15.0-rc6-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xb4/0x290 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 fib6_clean_node+0x35d/0x590 net/ipv6/ip6_fib.c:2198
 fib6_walk_continue+0x67b/0x910 net/ipv6/ip6_fib.c:2124
 fib6_walk+0x149/0x290 net/ipv6/ip6_fib.c:2172
 fib6_clean_tree net/ipv6/ip6_fib.c:2252 [inline]
 __fib6_clean_all+0x234/0x380 net/ipv6/ip6_fib.c:2268
 rt6_sync_down_dev net/ipv6/route.c:4951 [inline]
 rt6_disable_ip+0x120/0x720 net/ipv6/route.c:4956
 addrconf_ifdown+0x15d/0x1880 net/ipv6/addrconf.c:3857
 addrconf_notify+0x1bc/0x1010 net/ipv6/addrconf.c:-1
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]
 call_netdevice_notifiers net/core/dev.c:2228 [inline]
 dev_close_many+0x29c/0x410 net/core/dev.c:1731
 unregister_netdevice_many_notify+0x619/0x2330 net/core/dev.c:11932
 unregister_netdevice_many net/core/dev.c:12034 [inline]
 unregister_netdevice_queue+0x33c/0x380 net/core/dev.c:11877
 unregister_netdevice include/linux/netdevice.h:3374 [inline]
 nsim_destroy+0x1f6/0x670 drivers/net/netdevsim/netdev.c:1064
 __nsim_dev_port_del+0x14d/0x1b0 drivers/net/netdevsim/dev.c:1428
 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1440 [inline]
 nsim_dev_reload_destroy+0x288/0x490 drivers/net/netdevsim/dev.c:1661
 nsim_dev_reload_down+0x8a/0xc0 drivers/net/netdevsim/dev.c:968
 devlink_reload+0x1b6/0x8d0 net/devlink/dev.c:461
 devlink_pernet_pre_exit+0x1d9/0x3d0 net/devlink/core.c:509
 ops_pre_exit_list net/core/net_namespace.c:162 [inline]
 cleanup_net+0x594/0xbd0 net/core/net_namespace.c:634
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17a0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the variable:
 binder_devices+0x8/0x20

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19d16
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea0000674588 ffffea0000674588 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff99d16700: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffffff99d16780: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
>ffffffff99d16800: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
                                                          ^
 ffffffff99d16880: 00 00 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff99d16900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (24):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2025/05/13 05:21 | upstream | 82f2b0b97b36 | f6671af7 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/12 06:09 | upstream | cd802e7e5f1e | 77908e5f | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/11 12:57 | upstream | 3ce9925823c7 | 77908e5f | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/11 00:55 | upstream | bec6f00f120e | 77908e5f | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/10 20:04 | upstream | 0e1329d4045c | 77908e5f | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/08 10:41 | upstream | d76bb1ebb558 | dbf35fa1 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/07 02:10 | upstream | 0d8d44db295c | 350f4ffc | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/06 03:01 | upstream | 01f95500a162 | ae98e6b9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/05 22:59 | upstream | 92a09c47464d | 6ca47dd8 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/04 06:33 | upstream | 2a239ffbebb5 | b0714e37 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/04 03:06 | upstream | 2a239ffbebb5 | b0714e37 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/04 03:01 | upstream | 2a239ffbebb5 | b0714e37 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/03 11:07 | upstream | 95d3481af6dc | b0714e37 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/01 21:34 | upstream | 4f79eaa2ceac | 51b137cd | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/01 12:48 | upstream | 4f79eaa2ceac | ce7952f4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/01 10:57 | upstream | 4f79eaa2ceac | ce7952f4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/06 07:05 | upstream | 01f95500a162 | ae98e6b9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/05 17:04 | upstream | 92a09c47464d | 6ca47dd8 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/07 23:05 | bpf-next | 43745d11bfd9 | dbf35fa1 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/13 02:02 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | c32f8dc5aaf9 | f6671af7 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/04 23:33 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | e0f4c8dd9d2d | b0714e37 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/03 06:03 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | e0f4c8dd9d2d | b0714e37 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/05/02 14:24 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | e0f4c8dd9d2d | 2bfec9c0 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: global-out-of-bounds Read in fib6_clean_node
2025/04/30 23:18 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | e0f4c8dd9d2d | ce7952f4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: global-out-of-bounds Read in fib6_clean_node
* Struck through repros no longer work on HEAD.