syzbot

 sign-in | mailing list | source | docs
🐞 Open [717]
🐞 Fixed [73]
🐞 Invalid [915]
Missing Backports [119]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in __pagevec_lru_add

Status: upstream: reported on 2025/07/04 09:33
Reported-by: syzbot+271f4510c84ffa32cc1c@syzkaller.appspotmail.com
First crash: 1d03h, last: 1d03h

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in arch_test_bit include/asm-generic/bitops/non-atomic.h:118 [inline]
BUG: KASAN: use-after-free in mapping_unevictable include/linux/pagemap.h:85 [inline]
BUG: KASAN: use-after-free in page_evictable mm/internal.h:102 [inline]
BUG: KASAN: use-after-free in __pagevec_lru_add_fn mm/swap.c:1024 [inline]
BUG: KASAN: use-after-free in __pagevec_lru_add+0x4fc/0x15d4 mm/swap.c:1052
Read of size 8 at addr ffff0000d87b8ef0 by task syz.6.949/8022

CPU: 0 PID: 8022 Comm: syz.6.949 Not tainted 5.15.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x78/0x30c mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xec/0x15c mm/kasan/report.c:451
 __asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309
 arch_test_bit include/asm-generic/bitops/non-atomic.h:118 [inline]
 mapping_unevictable include/linux/pagemap.h:85 [inline]
 page_evictable mm/internal.h:102 [inline]
 __pagevec_lru_add_fn mm/swap.c:1024 [inline]
 __pagevec_lru_add+0x4fc/0x15d4 mm/swap.c:1052
 lru_add_drain_cpu+0xb8/0x5a8 mm/swap.c:597
 lru_add_drain+0x8c/0x164 mm/swap.c:701
 exit_mmap+0x288/0x4e0 mm/mmap.c:3207
 __mmput+0xec/0x3b8 kernel/fork.c:1127
 mmput+0x80/0xc8 kernel/fork.c:1148
 exit_mm+0x4a0/0x684 kernel/exit.c:550
 do_exit+0x4ec/0x1f58 kernel/exit.c:870
 do_group_exit+0x100/0x268 kernel/exit.c:997
 get_signal+0x73c/0x1340 kernel/signal.c:2900
 do_signal arch/arm64/kernel/signal.c:893 [inline]
 do_notify_resume+0x35c/0x3128 arch/arm64/kernel/signal.c:946
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
 el0_svc+0xf0/0x1e0 arch/arm64/kernel/entry-common.c:609
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 8004:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x8c/0xcc mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x74/0x408 mm/slab.h:519
 slab_alloc_node mm/slub.c:3220 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc+0x1e0/0x3e4 mm/slub.c:3233
 gfs2_glock_get+0x1c0/0xb3c fs/gfs2/glock.c:1133
 gfs2_inode_lookup+0x284/0xb64 fs/gfs2/inode.c:149
 gfs2_dir_search+0x148/0x204 fs/gfs2/dir.c:1665
 gfs2_lookupi+0x3bc/0x530 fs/gfs2/inode.c:332
 gfs2_jindex_hold fs/gfs2/ops_fstype.c:612 [inline]
 init_journal+0x47c/0x1d7c fs/gfs2/ops_fstype.c:756
 init_inodes+0xe0/0x2d4 fs/gfs2/ops_fstype.c:891
 gfs2_fill_super+0x121c/0x19e0 fs/gfs2/ops_fstype.c:1249
 get_tree_bdev+0x358/0x544 fs/super.c:1325
 gfs2_get_tree+0x54/0x1b4 fs/gfs2/ops_fstype.c:1332
 vfs_get_tree+0x90/0x274 fs/super.c:1530
 do_new_mount+0x228/0x810 fs/namespace.c:3014
 path_mount+0x5b4/0x1000 fs/namespace.c:3344
 do_mount fs/namespace.c:3357 [inline]
 __do_sys_mount fs/namespace.c:3565 [inline]
 __se_sys_mount fs/namespace.c:3542 [inline]
 __arm64_sys_mount+0x514/0x5e4 fs/namespace.c:3542
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Freed by task 8013:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x84 mm/kasan/common.c:46
 kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
 ____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0x128/0x1e8 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kmem_cache_free+0xdc/0x3b4 mm/slub.c:3515
 gfs2_glock_dealloc+0xc0/0xd4 fs/gfs2/glock.c:-1
 rcu_do_batch kernel/rcu/tree.c:2523 [inline]
 rcu_core+0x7c8/0x1764 kernel/rcu/tree.c:2763
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2776
 handle_softirqs+0x344/0xbf0 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
 invoke_softirq kernel/softirq.c:457 [inline]
 __irq_exit_rcu+0x240/0x440 kernel/softirq.c:659
 irq_exit+0x14/0x88 kernel/softirq.c:683
 handle_domain_irq+0x14c/0x1fc kernel/irq/irqdesc.c:711
 gic_handle_irq+0x78/0x1c8 drivers/irqchip/irq-gic-v3.c:765

Last potentially related work creation:
 kasan_save_stack+0x38/0x68 mm/kasan/common.c:38
 kasan_record_aux_stack+0xcc/0x114 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3007 [inline]
 call_rcu+0x110/0x8f0 kernel/rcu/tree.c:3087
 gfs2_glock_free+0x910/0xc48 fs/gfs2/glock.c:171
 __gfs2_glock_put+0x244/0x4a0 fs/gfs2/glock.c:285
 gfs2_glock_put+0x48/0x58 fs/gfs2/glock.c:307
 gfs2_glock_put_eventually fs/gfs2/super.c:1159 [inline]
 gfs2_evict_inode+0xb20/0xe58 fs/gfs2/super.c:1438
 evict+0x3c8/0x810 fs/inode.c:647
 iput_final fs/inode.c:1769 [inline]
 iput+0x6c4/0x77c fs/inode.c:1795
 gfs2_jindex_free+0x2d0/0x380 fs/gfs2/super.c:75
 init_journal+0x778/0x1d7c fs/gfs2/ops_fstype.c:873
 init_inodes+0xe0/0x2d4 fs/gfs2/ops_fstype.c:891
 gfs2_fill_super+0x121c/0x19e0 fs/gfs2/ops_fstype.c:1249
 get_tree_bdev+0x358/0x544 fs/super.c:1325
 gfs2_get_tree+0x54/0x1b4 fs/gfs2/ops_fstype.c:1332
 vfs_get_tree+0x90/0x274 fs/super.c:1530
 do_new_mount+0x228/0x810 fs/namespace.c:3014
 path_mount+0x5b4/0x1000 fs/namespace.c:3344
 do_mount fs/namespace.c:3357 [inline]
 __do_sys_mount fs/namespace.c:3565 [inline]
 __se_sys_mount fs/namespace.c:3542 [inline]
 __arm64_sys_mount+0x514/0x5e4 fs/namespace.c:3542
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Second to last potentially related work creation:
 kasan_save_stack+0x38/0x68 mm/kasan/common.c:38
 kasan_record_aux_stack+0xcc/0x114 mm/kasan/generic.c:348
 insert_work+0x64/0x388 kernel/workqueue.c:1366
 __queue_work+0xb30/0x1054 kernel/workqueue.c:1532
 __queue_delayed_work kernel/workqueue.c:1679 [inline]
 queue_delayed_work_on+0x208/0x324 kernel/workqueue.c:1715
 queue_delayed_work include/linux/workqueue.h:527 [inline]
 __gfs2_glock_queue_work fs/gfs2/glock.c:251 [inline]
 gfs2_glock_queue_work fs/gfs2/glock.c:265 [inline]
 do_xmote+0x694/0xf90 fs/gfs2/glock.c:825
 run_queue+0x3fc/0x6c0 fs/gfs2/glock.c:872
 glock_work_func+0x208/0x458 fs/gfs2/glock.c:1039
 process_one_work+0x79c/0x1140 kernel/workqueue.c:2310
 worker_thread+0x8f4/0x101c kernel/workqueue.c:2457
 kthread+0x374/0x454 kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:855

The buggy address belongs to the object at ffff0000d87b8a90
 which belongs to the cache gfs2_glock(aspace) of size 1224
The buggy address is located 1120 bytes inside of
 1224-byte region [ffff0000d87b8a90, ffff0000d87b8f58)
The buggy address belongs to the page:
page:000000005a721ec6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1187b8
head:000000005a721ec6 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c68cdc80
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d87b8d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000d87b8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000d87b8e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff0000d87b8f00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
 ffff0000d87b8f80: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/07/04 09:33 linux-5.15.y 3dea0e7f549e 76ad128c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in __pagevec_lru_add
* Struck through repros no longer work on HEAD.