syzbot

 sign-in | mailing list | source | docs | 🏰
🐞 Open [1340]
Subsystems
🐞 Fixed [7058]
🐞 Invalid [18491]
Missing Backports [222]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

KASAN: use-after-free Read in copy_folio_from_iter_atomic (2)

Status: upstream: reported on 2026/03/30 09:56
Subsystems: mm
[Documentation on labels]
Reported-by: syzbot+6cc93ec9a4035badb85f@syzkaller.appspotmail.com
First crash: 110d, last: 1h44m
✨ AI Jobs (2)
ID Workflow Result Correct Bug Created Started Finished Revision Error
8223e7f3-7640-42dc-b996-61f90494f969 moderation Actionable: ✅  Confident: ✅  KASAN: use-after-free Read in copy_folio_from_iter_atomic (2) 2026/02/06 07:06 2026/02/06 10:41 2026/02/06 10:57 9b618abc0cd923b36c7a5ebc58a21174112d8f70
5341452b-7632-40d9-b1ea-e67237b901a6 moderation Actionable: ✅  Confident: ✅  KASAN: use-after-free Read in copy_folio_from_iter_atomic (2) 2026/01/15 09:42 2026/01/15 09:42 2026/01/15 10:09 a9d6a79219801d2130df3b1a792c57f0e5428e9f
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [mm?] KASAN: use-after-free Read in copy_folio_from_iter_atomic (2) 0 (1) 2026/03/30 09:56
Similar bugs (1)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in copy_folio_from_iter_atomic jfs 19 3 237d 300d 0/29 auto-obsoleted due to no activity on 2025/11/17 22:24

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in memcpy_from_iter lib/iov_iter.c:85 [inline]
BUG: KASAN: use-after-free in iterate_bvec include/linux/iov_iter.h:123 [inline]
BUG: KASAN: use-after-free in iterate_and_advance2 include/linux/iov_iter.h:306 [inline]
BUG: KASAN: use-after-free in iterate_and_advance include/linux/iov_iter.h:330 [inline]
BUG: KASAN: use-after-free in __copy_from_iter lib/iov_iter.c:261 [inline]
BUG: KASAN: use-after-free in copy_folio_from_iter_atomic+0xa6c/0x1950 lib/iov_iter.c:491
Read of size 4096 at addr ffff88803177d000 by task kworker/u8:9/1219

CPU: 0 UID: 0 PID: 1219 Comm: kworker/u8:9 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: loop1 loop_workfn
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 memcpy_from_iter lib/iov_iter.c:85 [inline]
 iterate_bvec include/linux/iov_iter.h:123 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:306 [inline]
 iterate_and_advance include/linux/iov_iter.h:330 [inline]
 __copy_from_iter lib/iov_iter.c:261 [inline]
 copy_folio_from_iter_atomic+0xa6c/0x1950 lib/iov_iter.c:491
 generic_perform_write+0x5b1/0x8b0 mm/filemap.c:4332
 shmem_file_write_iter+0xfb/0x120 mm/shmem.c:3490
 lo_rw_aio+0xc80/0xf00 include/linux/percpu-rwsem.h:-1
 do_req_filebacked drivers/block/loop.c:434 [inline]
 loop_handle_cmd drivers/block/loop.c:1947 [inline]
 loop_process_work+0x637/0x11b0 drivers/block/loop.c:1982
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
 worker_thread+0x89f/0xd90 kernel/workqueue.c:3421
 kthread+0x726/0x8b0 kernel/kthread.c:463
 ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803177d000 pfn:0x3177d
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 ffffea00016beb08 ffffea00009e42c8 0000000000000000
raw: ffff88803177d000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xdc0(GFP_KERNEL|__GFP_ZERO), pid 6876, tgid 6875 (syz.1.137), ts 163020649815, free_ts 163886382057
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
 prep_new_page mm/page_alloc.c:1892 [inline]
 get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3945
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5240
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
 alloc_frozen_pages_noprof mm/mempolicy.c:2557 [inline]
 alloc_pages_noprof+0xce/0x1e0 mm/mempolicy.c:2577
 lbmLogInit fs/jfs/jfs_logmgr.c:1815 [inline]
 lmLogInit+0x357/0x1a00 fs/jfs/jfs_logmgr.c:1269
 open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
 lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1069
 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1691
 vfs_get_tree+0x92/0x2a0 fs/super.c:1751
 fc_mount fs/namespace.c:1199 [inline]
 do_new_mount_fc fs/namespace.c:3636 [inline]
 do_new_mount+0x329/0xa50 fs/namespace.c:3712
 do_mount fs/namespace.c:4035 [inline]
 __do_sys_mount fs/namespace.c:4224 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4201
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5804 tgid 5804 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xfc1/0x1130 mm/page_alloc.c:2973
 lbmLogShutdown fs/jfs/jfs_logmgr.c:1863 [inline]
 lmLogShutdown+0x44e/0x850 fs/jfs/jfs_logmgr.c:1683
 lmLogClose+0x28a/0x520 fs/jfs/jfs_logmgr.c:1459
 jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114
 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
 generic_shutdown_super+0x135/0x2c0 fs/super.c:643
 kill_block_super+0x44/0x90 fs/super.c:1722
 deactivate_locked_super+0xbc/0x130 fs/super.c:474
 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1318
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:75
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
 do_syscall_64+0x2b7/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88803177cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88803177cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88803177d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88803177d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88803177d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (87):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/01/20 08:26 upstream 24d479d26b25 572effc1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/01/02 00:33 upstream b69053dd3ffb d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 19:48 linux-next e6efabc0afca 362d1323 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 18:38 linux-next e6efabc0afca 362d1323 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 16:47 linux-next e6efabc0afca 362d1323 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 15:45 linux-next e6efabc0afca 362d1323 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 14:42 linux-next 1c7cc4904160 362d1323 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 12:58 linux-next 1c7cc4904160 362d1323 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 11:41 linux-next 1c7cc4904160 362d1323 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 11:07 linux-next 1c7cc4904160 362d1323 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 09:04 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 08:02 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 06:44 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 05:23 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 02:10 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 00:29 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 00:17 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/14 00:11 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 23:56 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 23:52 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 23:50 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 23:49 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 23:44 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 23:39 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 23:38 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 23:37 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 23:08 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 23:02 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 23:01 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 22:47 linux-next 1c7cc4904160 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 22:19 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 22:15 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 22:10 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 21:56 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 21:40 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 21:39 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 18:47 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 18:42 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 18:31 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 18:19 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 18:05 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 17:33 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 17:25 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 17:19 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/04/13 17:19 linux-next 1c7cc4904160 9530ccf9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in copy_folio_from_iter_atomic
2025/12/25 20:48 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8f0b4cce4481 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in copy_folio_from_iter_atomic
* Struck through repros no longer work on HEAD.