syzbot


KASAN: use-after-free Write in inode2sd

Status: upstream: reported C repro on 2024/10/21 11:36
Bug presence: origin:upstream
Labels: missing-backport
Reported-by: syzbot+402adb3a62ec268f3703@syzkaller.appspotmail.com
First crash: 397d, last: 25d
Fix bisection: the issue occurs on the latest tested release (bisect log)
Crash: KASAN: use-after-free Write in inode2sd (log)
Repro: C syz .config
Bug presence (3)
Date Name Commit Repro Result
2024/12/10 linux-5.15.y (ToT) 0a51d2d4527b C [report] KASAN: use-after-free Write in inode2sd
2024/10/26 upstream (ToT) 850925a8133c C [report] KASAN: use-after-free Write in inode2sd
2024/12/10 upstream (ToT) 7cb1b4663150 C Didn't crash
Last patch testing requests (4)
Created Duration User Patch Repo Result
2025/10/28 17:25 13m retest repro linux-5.15.y report log
2025/10/28 17:25 20m retest repro linux-5.15.y report log
2025/08/09 15:57 20m retest repro linux-5.15.y report log
2024/11/08 13:13 14m retest repro linux-5.15.y report log
Fix bisection attempts (8)
Created Duration User Patch Repo Result
2025/08/27 14:18 11h26m fix candidate upstream OK (3) job log
2025/07/23 09:47 12h08m fix candidate upstream error job log
2025/06/13 10:56 12h05m fix candidate upstream error job log
2025/05/29 20:50 2h35m bisect fix linux-5.15.y OK (0) job log log
2025/04/26 14:14 2h52m bisect fix linux-5.15.y OK (0) job log log
2025/03/23 12:16 2h41m bisect fix linux-5.15.y OK (0) job log log
2025/02/20 20:16 3h04m bisect fix linux-5.15.y OK (0) job log log
2025/01/19 19:33 3h07m bisect fix linux-5.15.y OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in inode2sd+0x6c4/0xbc0 fs/reiserfs/inode.c:1378
Write of size 2 at addr ffff888057aecde0 by task syz.3.20/4491

CPU: 1 PID: 4491 Comm: syz.3.20 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 inode2sd+0x6c4/0xbc0 fs/reiserfs/inode.c:1378
 update_stat_data fs/reiserfs/inode.c:1439 [inline]
 reiserfs_update_sd_size+0x914/0xe30 fs/reiserfs/inode.c:1505
 reiserfs_update_sd fs/reiserfs/reiserfs.h:3099 [inline]
 reiserfs_do_truncate+0xe5a/0x13e0 fs/reiserfs/stree.c:2036
 reiserfs_truncate_file+0x632/0xdc0 fs/reiserfs/inode.c:2318
 reiserfs_setattr+0xaa7/0x1010 fs/reiserfs/inode.c:3409
 notify_change+0xbcd/0xee0 fs/attr.c:505
 do_truncate+0x197/0x220 fs/open.c:65
 vfs_truncate+0x262/0x2f0 fs/open.c:111
 do_sys_truncate+0xdc/0x190 fs/open.c:134
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f0d32072ec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0d316c1038 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
RAX: ffffffffffffffda RBX: 00007f0d322ca090 RCX: 00007f0d32072ec9
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00002000000000c0
RBP: 00007f0d320f5f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0d322ca128 R14: 00007f0d322ca090 R15: 00007ffdac92b318
 </TASK>

The buggy address belongs to the page:
page:ffffea00015ebb00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x100 pfn:0x57aec
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00015eae88 ffff88813fffb8b8 0000000000000000
raw: 0000000000000100 0000000000000001 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 4327, ts 88105838077, free_ts 88145740024
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5487
 alloc_pages_vma+0x393/0x7c0 mm/mempolicy.c:2146
 do_anonymous_page mm/memory.c:3838 [inline]
 handle_pte_fault mm/memory.c:4648 [inline]
 __handle_mm_fault mm/memory.c:4785 [inline]
 handle_mm_fault+0x2382/0x43c0 mm/memory.c:4883
 do_user_addr_fault+0x489/0xc80 arch/x86/mm/fault.c:1357
 handle_page_fault arch/x86/mm/fault.c:1445 [inline]
 exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1501
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:606
 copy_user_enhanced_fast_string+0xe/0x40 arch/x86/lib/copy_user_64.S:205
 copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:58 [inline]
 copyout lib/iov_iter.c:157 [inline]
 copy_page_to_iter_iovec lib/iov_iter.c:228 [inline]
 __copy_page_to_iter lib/iov_iter.c:861 [inline]
 copy_page_to_iter+0x49e/0x910 lib/iov_iter.c:889
 filemap_read+0x1d94/0x2480 mm/filemap.c:2698
 blkdev_read_iter+0x11d/0x150 block/fops.c:563
 call_read_iter include/linux/fs.h:2166 [inline]
 new_sync_read fs/read_write.c:404 [inline]
 vfs_read+0x725/0xcf0 fs/read_write.c:485
 ksys_read+0x14d/0x250 fs/read_write.c:623
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page_list+0x122/0x7e0 mm/page_alloc.c:3433
 release_pages+0x184b/0x1bb0 mm/swap.c:963
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x164/0x2e0 mm/mmu_gather.c:338
 unmap_region+0x315/0x360 mm/mmap.c:2669
 __do_munmap+0x9d3/0xdc0 mm/mmap.c:2899
 __vm_munmap+0x137/0x230 mm/mmap.c:2952
 __do_sys_munmap mm/mmap.c:2978 [inline]
 __se_sys_munmap mm/mmap.c:2974 [inline]
 __x64_sys_munmap+0x67/0x70 mm/mmap.c:2974
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff888057aecc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888057aecd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888057aecd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff888057aece00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888057aece80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/10/14 12:24 linux-5.15.y 29e53a5b1c4f b6605ba8 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-5-15-kasan KASAN: use-after-free Write in inode2sd
2024/10/21 11:36 linux-5.15.y 584a40a22cb9 cd6fc0a3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-linux-5-15-kasan KASAN: use-after-free Write in inode2sd
2025/10/14 09:41 linux-5.15.y 29e53a5b1c4f b6605ba8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Write in inode2sd
2025/10/14 09:39 linux-5.15.y 29e53a5b1c4f b6605ba8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Write in inode2sd
* Struck through repros no longer work on HEAD.