From: syzbot <syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] unregister_netdevice: waiting for DEV to become free (8)
Date: Mon, 25 Aug 2025 06:51:02 -0700
Message-ID: <68ac6a46.a70a0220.303e5.0004.GAE@google.com>
In-Reply-To: <20250825123519.5453-1-hdanton@sina.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in j1939_netdev_stop

==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:409 [inline]
BUG: KASAN: use-after-free in dev_net include/linux/netdevice.h:2718 [inline]
BUG: KASAN: use-after-free in j1939_can_rx_unregister net/can/j1939/main.c:202 [inline]
BUG: KASAN: use-after-free in __j1939_rx_release net/can/j1939/main.c:218 [inline]
BUG: KASAN: use-after-free in kref_put_mutex include/linux/kref.h:86 [inline]
BUG: KASAN: use-after-free in j1939_netdev_stop+0x2ab/0x2d0 net/can/j1939/main.c:311
Read of size 8 at addr ffff888023f80108 by task syz.0.17/6524

CPU: 0 UID: 0 PID: 6524 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 read_pnet include/net/net_namespace.h:409 [inline]
 dev_net include/linux/netdevice.h:2718 [inline]
 j1939_can_rx_unregister net/can/j1939/main.c:202 [inline]
 __j1939_rx_release net/can/j1939/main.c:218 [inline]
 kref_put_mutex include/linux/kref.h:86 [inline]
 j1939_netdev_stop+0x2ab/0x2d0 net/can/j1939/main.c:311
 j1939_sk_release+0x5c3/0x8e0 net/can/j1939/socket.c:651
 __sock_release+0xb3/0x270 net/socket.c:649
 sock_close+0x1c/0x30 net/socket.c:1439
 __fput+0x402/0xb70 fs/file_table.c:468
 task_work_run+0x14d/0x240 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x86f/0x2bf0 kernel/exit.c:961
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
 get_signal+0x2673/0x26d0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f408338ebe9
Code: Unable to access opcode bytes at 0x7f408338ebbf.
RSP: 002b:00007f4084235038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: 0000000000000024 RBX: 00007f40835b5fa0 RCX: 00007f408338ebe9
RDX: 0000000000000000 RSI: 0000200000000200 RDI: 0000000000000003
RBP: 00007f4083411e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f40835b6038 R14: 00007f40835b5fa0 R15: 00007ffd085a2ed8
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888023f80000 pfn:0x23f80
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea000174f608 ffffea0000c2c208 0000000000000000
raw: ffff888023f80000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 6440, tgid 6440 (syz-executor), ts 122667010586, free_ts 125938931446
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
 ___kmalloc_large_node+0xed/0x160 mm/slub.c:4306
 __kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:4337
 __do_kmalloc_node mm/slub.c:4353 [inline]
 __kvmalloc_node_noprof.cold+0xb/0x65 mm/slub.c:5052
 alloc_netdev_mqs+0xd2/0x1530 net/core/dev.c:11812
 rtnl_create_link+0xc08/0xf90 net/core/rtnetlink.c:3633
 vxcan_newlink+0x2f8/0x640 drivers/net/can/vxcan.c:208
 rtnl_newlink_create net/core/rtnetlink.c:3825 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3942 [inline]
 rtnl_newlink+0xc45/0x2000 net/core/rtnetlink.c:4057
 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6946
 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 __sys_sendto+0x4a3/0x520 net/socket.c:2228
page last free pid 6524 tgid 6523 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
 device_release+0xa1/0x240 drivers/base/core.c:2565
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e7/0x5a0 lib/kobject.c:737
 netdev_run_todo+0x7e9/0x1320 net/core/dev.c:11513
 rtnl_unlock net/core/rtnetlink.c:157 [inline]
 rtnl_net_unlock include/linux/rtnetlink.h:135 [inline]
 rtnl_dellink+0x3da/0xa80 net/core/rtnetlink.c:3563
 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6946
 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614
 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668
 __sys_sendmsg+0x16d/0x220 net/socket.c:2700
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888023f80000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888023f80080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888023f80100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff888023f80180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888023f80200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         1b237f19 Linux 6.17-rc3
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b66862580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d4703ac89d9e185a
dashboard link: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1417b862580000

