syzbot

 sign-in | mailing list | source | docs
🐞 Open [119]
🐞 Fixed [0]
🐞 Invalid [0]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: slab-use-after-free Write in txEnd

Status: upstream: reported C repro on 2025/06/22 11:35
Bug presence: origin:upstream
[Documentation on labels]
Reported-by: syzbot+0fe128755b76a85ee16d@syzkaller.appspotmail.com
First crash: 6d21h, last: 1d05h
Bug presence (1)
Date Name Commit Repro Result
2025/06/29 upstream (ToT) dfba48a70cb6 C [report] general protection fault in lmLogSync
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in txEnd jfs C error 1247 1h06m 918d 0/29 upstream: reported C repro on 2022/12/23 23:37
linux-5.15 KASAN: use-after-free Write in txEnd origin:upstream C 306 1d18h 501d 0/3 upstream: reported C repro on 2024/02/14 01:53
linux-6.1 KASAN: use-after-free Write in txEnd origin:upstream C 328 2d22h 474d 0/3 upstream: reported C repro on 2024/03/11 13:53
linux-4.14 general protection fault in txEnd jfs fat C 1 848d 915d 0/1 upstream: reported C repro on 2022/12/27 07:15

Sample crash report:
 ... Log Wrap ... Log Wrap ... Log Wrap ...
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_write include/linux/instrumented.h:82 [inline]
BUG: KASAN: slab-use-after-free in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
BUG: KASAN: slab-use-after-free in txEnd+0x32d/0x520 fs/jfs/jfs_txnmgr.c:554
Write of size 8 at addr ffff88807b18f840 by task jfsCommit/110

CPU: 1 PID: 110 Comm: jfsCommit Not tainted 6.6.94-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xac/0x230 mm/kasan/report.c:475
 kasan_report+0x117/0x150 mm/kasan/report.c:588
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x288/0x290 mm/kasan/generic.c:187
 instrument_atomic_write include/linux/instrumented.h:82 [inline]
 clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
 txEnd+0x32d/0x520 fs/jfs/jfs_txnmgr.c:554
 txLazyCommit fs/jfs/jfs_txnmgr.c:2684 [inline]
 jfs_lazycommit+0x5a6/0xa60 fs/jfs/jfs_txnmgr.c:2732
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>

Allocated by task 5888:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 open_inline_log fs/jfs/jfs_logmgr.c:1159 [inline]
 lmLogOpen+0x2df/0xfb0 fs/jfs/jfs_logmgr.c:1069
 jfs_mount_rw+0xea/0x670 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x592/0xac0 fs/jfs/super.c:565
 mount_bdev+0x22b/0x2d0 fs/super.c:1643
 legacy_get_tree+0xea/0x180 fs/fs_context.c:662
 vfs_get_tree+0x8c/0x280 fs/super.c:1764
 do_new_mount+0x24b/0xa40 fs/namespace.c:3366
 do_mount fs/namespace.c:3706 [inline]
 __do_sys_mount fs/namespace.c:3915 [inline]
 __se_sys_mount+0x2da/0x3c0 fs/namespace.c:3892
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 5770:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:522
 ____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1806 [inline]
 slab_free_freelist_hook+0x130/0x1b0 mm/slub.c:1832
 slab_free mm/slub.c:3816 [inline]
 __kmem_cache_free+0xba/0x1f0 mm/slub.c:3829
 lmLogClose+0x297/0x520 fs/jfs/jfs_logmgr.c:-1
 jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114
 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
 generic_shutdown_super+0x134/0x2b0 fs/super.c:693
 kill_block_super+0x44/0x90 fs/super.c:1660
 deactivate_locked_super+0x97/0x100 fs/super.c:481
 cleanup_mnt+0x429/0x4c0 fs/namespace.c:1250
 task_work_run+0x1ce/0x250 kernel/task_work.c:239
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
 do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff88807b18f800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 64 bytes inside of
 freed 1024-byte region [ffff88807b18f800, ffff88807b18fc00)

The buggy address belongs to the physical page:
page:ffffea0001ec6200 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88807b18c800 pfn:0x7b188
head:ffffea0001ec6200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888017841dc0 ffffea0001f4d800 0000000000000002
raw: ffff88807b18c800 000000008010000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5683, tgid 5683 (dhcpcd-run-hook), ts 70145139194, free_ts 70112034238
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
 prep_new_page mm/page_alloc.c:1561 [inline]
 get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
 __alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
 alloc_slab_page+0x5d/0x170 mm/slub.c:1876
 allocate_slab mm/slub.c:2023 [inline]
 new_slab+0x87/0x2e0 mm/slub.c:2076
 ___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230
 __slab_alloc mm/slub.c:3329 [inline]
 __slab_alloc_node mm/slub.c:3382 [inline]
 slab_alloc_node mm/slub.c:3475 [inline]
 __kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3524
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0xa4/0x240 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 load_elf_phdrs+0x136/0x230 fs/binfmt_elf.c:512
 load_elf_binary+0x956/0x2700 fs/binfmt_elf.c:986
 search_binary_handler fs/exec.c:1775 [inline]
 exec_binprm fs/exec.c:1817 [inline]
 bprm_execve+0xaeb/0x16f0 fs/exec.c:1892
 do_execveat_common+0x51b/0x6c0 fs/exec.c:1998
 do_execve fs/exec.c:2072 [inline]
 __do_sys_execve fs/exec.c:2148 [inline]
 __se_sys_execve fs/exec.c:2143 [inline]
 __x64_sys_execve+0x92/0xa0 fs/exec.c:2143
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1154 [inline]
 free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336
 free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429
 __slab_free+0x35e/0x410 mm/slub.c:3722
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x143/0x160 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook+0x6e/0x4d0 mm/slab.h:767
 slab_alloc_node mm/slub.c:3485 [inline]
 slab_alloc mm/slub.c:3493 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3500 [inline]
 kmem_cache_alloc+0x11e/0x2e0 mm/slub.c:3509
 anon_vma_chain_alloc mm/rmap.c:142 [inline]
 __anon_vma_prepare+0x68/0x430 mm/rmap.c:196
 anon_vma_prepare include/linux/rmap.h:159 [inline]
 do_anonymous_page mm/memory.c:4147 [inline]
 do_pte_missing mm/memory.c:3686 [inline]
 handle_pte_fault mm/memory.c:5025 [inline]
 __handle_mm_fault mm/memory.c:5166 [inline]
 handle_mm_fault+0x3cf1/0x4920 mm/memory.c:5331
 do_user_addr_fault+0x738/0x12e0 arch/x86/mm/fault.c:1373
 handle_page_fault arch/x86/mm/fault.c:1465 [inline]
 exc_page_fault+0x67/0x110 arch/x86/mm/fault.c:1521
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:608

Memory state around the buggy address:
 ffff88807b18f700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807b18f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807b18f800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88807b18f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b18f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/06/25 17:00 linux-6.6.y 6282921b6825 26d77996 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-6-6-kasan KASAN: slab-use-after-free Write in txEnd
2025/06/28 03:48 linux-6.6.y 3f5b4c104b7d fc9d8ee5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Write in txEnd
2025/06/24 19:24 linux-6.6.y 6282921b6825 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Write in txEnd
2025/06/22 11:35 linux-6.6.y 6282921b6825 d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Write in txEnd
* Struck through repros no longer work on HEAD.