From: syzbot <syzbot+bc1aabf52d0a31e91f96@syzkaller.appspotmail.com>
To: johannes@sipsolutions.net, linux-kernel@vger.kernel.org,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [wireless?] KASAN: slab-out-of-bounds Read in ieee80211_add_virtual_monitor
Date: Fri, 28 Nov 2025 07:04:32 -0800
Message-ID: <6929ba00.a70a0220.d98e3.0142.GAE@google.com>
In-Reply-To: <69198244.a70a0220.3124cb.0074.GAE@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 7d31f578f323 Add linux-next specific files for 20251128
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1448fe12580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ec890b8333fce099
dashboard link: https://syzkaller.appspot.com/bug?extid=bc1aabf52d0a31e91f96
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=102b9f42580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142e3e92580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9bcc6eb60940/disk-7d31f578.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/895bc1bfae48/vmlinux-7d31f578.xz
kernel image: https://storage.googleapis.com/syzbot-assets/48f15e4679f3/bzImage-7d31f578.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc1aabf52d0a31e91f96@syzkaller.appspotmail.com
mac80211_hwsim hwsim5 syzkaller0: entered promiscuous mode
mac80211_hwsim hwsim5 syzkaller0: entered allmulticast mode
==================================================================
BUG: KASAN: slab-out-of-bounds in ieee80211_add_virtual_monitor+0xa42/0xce0 net/mac80211/iface.c:1255
Read of size 1 at addr ffff8880753b7d90 by task syz.0.17/6029
CPU: 0 UID: 0 PID: 6029 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ieee80211_add_virtual_monitor+0xa42/0xce0 net/mac80211/iface.c:1255
ieee80211_do_stop+0x1786/0x1f70 net/mac80211/iface.c:746
ieee80211_stop+0x1b1/0x240 net/mac80211/iface.c:828
__dev_close_many+0x344/0x6b0 net/core/dev.c:1756
__dev_close net/core/dev.c:1768 [inline]
__dev_change_flags+0x2be/0x680 net/core/dev.c:9733
netif_change_flags+0x88/0x1a0 net/core/dev.c:9798
dev_change_flags+0x130/0x260 net/core/dev_api.c:68
dev_ioctl+0x7b4/0x1150 net/core/dev_ioctl.c:842
sock_do_ioctl+0x22c/0x300 net/socket.c:1274
sock_ioctl+0x576/0x790 net/socket.c:1381
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5875f8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc52c16018 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f58761e5fa0 RCX: 00007f5875f8f749
RDX: 0000200000000000 RSI: 0000000000008914 RDI: 0000000000000006
RBP: 00007f5876013f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f58761e5fa0 R14: 00007f58761e5fa0 R15: 0000000000000003
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880753b5d40 pfn:0x753b4
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888026064282
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f8(unknown)
raw: 00fff00000000040 0000000000000000 dead000000000122 0000000000000000
raw: ffff8880753b5d40 0000000000000000 00000000f8000000 ffff888026064282
head: 00fff00000000040 0000000000000000 dead000000000122 0000000000000000
head: ffff8880753b5d40 0000000000000000 00000000f8000000 ffff888026064282
head: 00fff00000000002 ffffea0001d4ed01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 6029, tgid 6029 (syz.0.17), ts 111996806551, free_ts 111081173010
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846
prep_new_page mm/page_alloc.c:1854 [inline]
get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
___kmalloc_large_node+0x4e/0x150 mm/slub.c:5593
__kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:5624
__do_kmalloc_node mm/slub.c:5640 [inline]
__kvmalloc_node_noprof+0x6e/0x920 mm/slub.c:7129
alloc_netdev_mqs+0xa8/0x1200 net/core/dev.c:12011
ieee80211_if_add+0x45c/0x1370 net/mac80211/iface.c:2227
ieee80211_add_iface+0xb5/0x5a0 net/mac80211/cfg.c:217
rdev_add_virtual_intf net/wireless/rdev-ops.h:50 [inline]
_nl80211_new_interface net/wireless/nl80211.c:4706 [inline]
nl80211_new_interface+0x883/0x1130 net/wireless/nl80211.c:4764
genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
page last free pid 6006 tgid 6006 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
__slab_free+0x21b/0x2a0 mm/slub.c:5999
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:349
kasan_slab_alloc include/linux/kasan.h:252 [inline]
slab_post_alloc_hook mm/slub.c:4948 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
kmem_cache_alloc_noprof+0x37d/0x710 mm/slub.c:5265
vm_area_dup+0x2b/0x680 mm/vma_init.c:123
__split_vma+0x1a9/0xa00 mm/vma.c:508
split_vma mm/vma.c:591 [inline]
vma_modify+0x952/0x1a70 mm/vma.c:1634
vma_modify_flags+0x208/0x2e0 mm/vma.c:1654
mprotect_fixup+0x43c/0xa30 mm/mprotect.c:756
do_mprotect_pkey+0x8c5/0xcd0 mm/mprotect.c:930
__do_sys_mprotect mm/mprotect.c:951 [inline]
__se_sys_mprotect mm/mprotect.c:948 [inline]
__x64_sys_mprotect+0x80/0x90 mm/mprotect.c:948
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8880753b7c80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff8880753b7d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff8880753b7d80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffff8880753b7e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff8880753b7e80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
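The report above reads as "slab-out-of-bounds", but the shadow bytes around the address are all 0xfe, which in mm/kasan/kasan.h is KASAN_PAGE_REDZONE: the redzone past the end of a kmalloc_large allocation (here the order-2 page backing the net_device allocated in alloc_netdev_mqs, per the page_owner stack). report_generic.c labels both KASAN_PAGE_REDZONE and KASAN_SLAB_REDZONE "slab-out-of-bounds", which is why the header does not say "page". The following helper is an added triage example, not part of the syzbot message or of the kernel; it decodes the faulting shadow byte of a generic-KASAN report and places the access inside the backing page. The function names (triage, parse_rows, shadow_at, overrun) are mine, PAGE_SIZE=4096 and natural 2**N-page alignment of order-N buddy allocations are assumptions, and the REPORT constant is an excerpt of the lines above while SYNTHETIC is a constructed row.

```python
"""Decode the faulting shadow byte of a generic-KASAN report and locate the
access inside its backing page allocation (added triage helper, not kernel code)."""
import re

GRANULE = 8               # memory bytes per shadow byte (generic KASAN)
ROW_BYTES = 16 * GRANULE  # one "Memory state" row = 16 shadow bytes
PAGE_SIZE = 4096          # assumption: x86_64 4 KiB pages, as in this report

# Shadow values from mm/kasan/kasan.h; 0x01..0x07 = first N bytes of granule valid.
SHADOW_NAMES = {
    0x00: "accessible", 0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
    0xF8: "vmalloc invalid", 0xF9: "global redzone",
    0xFA: "freed slab object (free track)", 0xFB: "freed slab object",
    0xFC: "slab object redzone", 0xFE: "kmalloc_large page redzone",
    0xFF: "freed page", 0xCA: "alloca left redzone", 0xCB: "alloca right redzone",
}
# Header label chosen by get_shadow_bug_type() in mm/kasan/report_generic.c.
BUG_TYPES = {
    0xFC: "slab-out-of-bounds", 0xFE: "slab-out-of-bounds",
    0xF9: "global-out-of-bounds", 0xF8: "vmalloc-out-of-bounds",
    0xFA: "use-after-free", 0xFB: "use-after-free", 0xFF: "use-after-free",
    0xCA: "alloca-out-of-bounds", 0xCB: "alloca-out-of-bounds",
    **{v: "stack-out-of-bounds" for v in (0xF1, 0xF2, 0xF3, 0xF4)},
}
REDZONES = (0xFC, 0xFE)

def shadow_name(val):
    if 1 <= val < GRANULE:
        return f"partial granule ({val} of {GRANULE} bytes accessible)"
    return SHADOW_NAMES.get(val, f"unknown 0x{val:02x}")

def bug_type(val):
    return "out-of-bounds" if 0 <= val < GRANULE else BUG_TYPES.get(val, "unknown")

_ROW = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})$")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
_PAGE = re.compile(r"pfn:0x([0-9a-f]+)|order:(\d+)")

def parse_rows(text):
    """Map each 'Memory state' row's base address to its 16 shadow bytes."""
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows[int(m.group(1), 16)] = bytes.fromhex(m.group(2).replace(" ", ""))
    return rows

def shadow_at(rows, addr):
    base = addr & ~(ROW_BYTES - 1)
    return rows[base][(addr - base) // GRANULE] if base in rows else None

def overrun(rows, addr):
    """(bytes past the nearest non-redzone granule below addr, exact?).
    If every dumped granule below addr is redzone, the object ends before the
    dump, so the distance to the dump start is only a lower bound."""
    lowest, cur = min(rows), addr & ~(GRANULE - 1)
    while cur - GRANULE >= lowest:
        cur -= GRANULE
        val = shadow_at(rows, cur)
        if val is not None and val not in REDZONES:
            end = cur + val if 1 <= val < GRANULE else cur + GRANULE
            return addr - end, True
    return addr - lowest, False

def triage(text):
    rows = parse_rows(text)
    kind, size, addr = _ACCESS.search(text).groups()
    addr = int(addr, 16)
    val = shadow_at(rows, addr)
    res = {"access": f"{kind.lower()} of {size} byte(s) at 0x{addr:x}",
           "shadow": val, "meaning": shadow_name(val), "bug_type": bug_type(val)}
    pfn = order = None
    for m in _PAGE.finditer(text):
        pfn = int(m.group(1), 16) if m.group(1) else pfn
        order = int(m.group(2)) if m.group(2) else order
    if pfn is not None and order is not None:
        alloc = PAGE_SIZE << order
        base = addr & ~(alloc - 1)  # assumption: order-N buddy pages are 2**N-page aligned
        res.update(page_base=base, alloc_bytes=alloc, offset_in_alloc=addr - base,
                   # virt base minus pfn*PAGE_SIZE should equal the direct-map offset
                   implied_page_offset=base - pfn * PAGE_SIZE)
    res["overrun"], res["overrun_exact"] = overrun(rows, addr)
    return res

# Excerpt of the syzbot report above (the lines this helper consumes).
REPORT = """\
BUG: KASAN: slab-out-of-bounds in ieee80211_add_virtual_monitor+0xa42/0xce0 net/mac80211/iface.c:1255
Read of size 1 at addr ffff8880753b7d90 by task syz.0.17/6029
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880753b5d40 pfn:0x753b4
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
Memory state around the buggy address:
 ffff8880753b7c80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff8880753b7d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff8880753b7d80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                     ^
 ffff8880753b7e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff8880753b7e80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
"""
# Constructed row (not from the report) exercising the partial-granule path.
SYNTHETIC = "ffff888000001000: 00 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc\n"

if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k:>20}: {hex(v) if type(v) is int else v}")
```

For this report the helper resolves the 1-byte read to shadow 0xfe at offset 0x3d90 into a 16 KiB order-2 allocation whose base is ffff8880753b4000; the implied direct-map offset ffff888000000000 confirms the pfn and the virtual address agree. Because every dumped granule below the access is redzone, the object end is not in the dump and the read is at least 0x110 bytes past it; to get the exact overrun, compare the offset against the size alloc_netdev_mqs requested for this interface type in the kernel built from the listed config.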
Thread overview: 8+ messages
2025-11-16 7:50 [syzbot] [wireless?] KASAN: slab-out-of-bounds Read in ieee80211_add_virtual_monitor syzbot
2025-11-28 15:04 ` syzbot [this message]
2025-12-04 12:41 ` Forwarded: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 559e608c46553c107dbba19dae0854af7b219400 syzbot
2025-12-04 12:43 ` Forwarded: #syz test https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/net-next 8f7aa3d3c7323f4ca2768a9e74ebbe359c4f8f88 syzbot
2025-12-04 12:44 ` Forwarded: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git bc04acf4aeca588496124a6cf54bfce3db327039 syzbot
[not found] <a070ad887e83969f83c8e8ce805e30b262a832fb.camel@yandex.ru>
2025-12-04 13:55 ` [syzbot] [wireless?] KASAN: slab-out-of-bounds Read in ieee80211_add_virtual_monitor syzbot
[not found] <82b033a0697247a7717c9a74831f88b4af1532a1.camel@yandex.ru>
2025-12-04 14:32 ` syzbot
[not found] <b0ff5a33311bffd6f18f941968dd78fb3170f9a1.camel@yandex.ru>
2025-12-04 15:30 ` syzbot