[v6.1] KASAN: use-after-free Read in ieee80211_monitor_select_queue


syzbot

2:14 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 1989cd3d56e2 Linux 6.1.167
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15c13752580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b1adc0bfde2d8a4a
dashboard link: https://syzkaller.appspot.com/bug?extid=610e40369bc02181bad0
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/edd05d4d1a68/disk-1989cd3d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bdc3181e838d/vmlinux-1989cd3d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a78aef5a3a25/Image-1989cd3d.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+610e40...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ieee80211_monitor_select_queue+0x20c/0x210 net/mac80211/iface.c:909
Read of size 2 at addr ffff0000f4aa11fb by task syz.1.674/6372

CPU: 0 PID: 6372 Comm: syz.1.674 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/26/2026
Call trace:
dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
print_address_description+0x88/0x218 mm/kasan/report.c:316
print_report+0x50/0x68 mm/kasan/report.c:420
kasan_report+0xa8/0xfc mm/kasan/report.c:524
__asan_report_load2_noabort+0x2c/0x38 mm/kasan/report_generic.c:349
ieee80211_monitor_select_queue+0x20c/0x210 net/mac80211/iface.c:909
netdev_core_pick_tx+0x130/0x320 net/core/dev.c:4233
__dev_queue_xmit+0x738/0x3118 net/core/dev.c:4319
dev_queue_xmit+0x24/0x34 include/linux/netdevice.h:3051
packet_snd net/packet/af_packet.c:3127 [inline]
packet_sendmsg+0x2f9c/0x3fd0 net/packet/af_packet.c:3158
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:730 [inline]
____sys_sendmsg+0x5c8/0x938 net/socket.c:2518
___sys_sendmsg net/socket.c:2572 [inline]
__sys_sendmsg+0x288/0x374 net/socket.c:2601
__do_sys_sendmsg net/socket.c:2610 [inline]
__se_sys_sendmsg net/socket.c:2608 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2608
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Allocated by task 0:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:53
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0xa0/0xb8 mm/kasan/common.c:384
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:936 [inline]
__kmalloc_node_track_caller+0xe0/0x16c mm/slab_common.c:956
kmalloc_reserve net/core/skbuff.c:446 [inline]
__alloc_skb+0x264/0x714 net/core/skbuff.c:515
skb_copy+0x104/0x5f0 net/core/skbuff.c:1732
mac80211_hwsim_tx_frame_no_nl+0xb54/0x111c drivers/net/wireless/mac80211_hwsim.c:1729
mac80211_hwsim_tx_frame+0x1c0/0x1f4 drivers/net/wireless/mac80211_hwsim.c:2058
mac80211_hwsim_beacon_tx+0x4c8/0x914 drivers/net/wireless/mac80211_hwsim.c:2121
__iterate_interfaces+0x204/0x484 net/mac80211/util.c:788
ieee80211_iterate_active_interfaces_atomic+0xd4/0x180 net/mac80211/util.c:824
mac80211_hwsim_beacon+0xc8/0x1b8 drivers/net/wireless/mac80211_hwsim.c:2147
__run_hrtimer kernel/time/hrtimer.c:1747 [inline]
__hrtimer_run_queues+0x438/0xc3c kernel/time/hrtimer.c:1811
hrtimer_run_softirq+0x160/0x400 kernel/time/hrtimer.c:1828
handle_softirqs+0x318/0xc60 kernel/softirq.c:596
__do_softirq+0x14/0x20 kernel/softirq.c:630

The buggy address belongs to the object at ffff0000f4aa1000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 507 bytes inside of
512-byte region [ffff0000f4aa1000, ffff0000f4aa1200)

The buggy address belongs to the physical page:
page:00000000102b86b9 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000f4aa2800 pfn:0x134aa0
head:00000000102b86b9 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc00033b5908 fffffc0003916d08 ffff0000c0002600
raw: ffff0000f4aa2800 0000000000100008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000f4aa1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000f4aa1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000f4aa1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000f4aa1200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000f4aa1280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup