Re: [syzbot] [bridge?] KASAN: slab-use-after-free Read in br_multicast_has_router_adjacent

[Ido Schimmel]

On Wed, Jun 25, 2025 at 02:27:28AM -0700, syzbot wrote:
> syzbot found the following issue on:
> 
> HEAD commit:    714db279942b CREDITS: Add entry for Shannon Nelson

Which does not include 7544f3f5b0b5 ("bridge: mcast: Fix use-after-free
during router port configuration").

> git tree:       net
> console output: https://syzkaller.appspot.com/x/log.txt?x=11a59b0c580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d11f52d3049c3790
> dashboard link: https://syzkaller.appspot.com/bug?extid=f53271ac312b49be132b
> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/4af647f77fe2/disk-714db279.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/df9d2caceadd/vmlinux-714db279.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/f05e60d250ae/bzImage-714db279.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+f53271ac312b49be132b@xxxxxxxxxxxxxxxxxxxxxxxxx
> 
> ==================================================================
> BUG: KASAN: slab-use-after-free in br_multicast_has_router_adjacent+0x401/0x4e0 net/bridge/br_multicast.c:5005

Use-after-free in the multicast router list which should be fixed by
7544f3f5b0b5 ("bridge: mcast: Fix use-after-free during router port
configuration").

[...]

> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title

#syz fix: bridge: mcast: Fix use-after-free during router port configuration