KASAN: use-after-free Read in copy_folio_from_iter

ID	Workflow	Result	Correct	Bug	Created	Started	Finished	Revision	Error
8223e7f3-7640-42dc-b996-61f90494f969	moderation	Actionable: ✅ Confident: ✅	❓	KASAN: use-after-free Read in copy_folio_from_iter_atomic (2)	2026/02/06 07:06	2026/02/06 10:41	2026/02/06 10:57	9b618abc0cd923b36c7a5ebc58a21174112d8f70
5341452b-7632-40d9-b1ea-e67237b901a6	moderation	Actionable: ✅ Confident: ✅	❓	KASAN: use-after-free Read in copy_folio_from_iter_atomic (2)	2026/01/15 09:42	2026/01/15 09:42	2026/01/15 10:09	a9d6a79219801d2130df3b1a792c57f0e5428e9f

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in copy_folio_from_iter_atomic jfs	19				3	188d	250d	0/29	auto-obsoleted due to no activity on 2025/11/17 22:24

Kernel

Title

Rank 🛈

upstream

KASAN: use-after-free Read in copy_folio_from_iter_atomic jfs

188d

250d

0/29

auto-obsoleted due to no activity on 2025/11/17 22:24

================================================================== BUG: KASAN: use-after-free in memcpy_from_iter lib/iov_iter.c:85 [inline] BUG: KASAN: use-after-free in iterate_bvec include/linux/iov_iter.h:123 [inline] BUG: KASAN: use-after-free in iterate_and_advance2 include/linux/iov_iter.h:306 [inline] BUG: KASAN: use-after-free in iterate_and_advance include/linux/iov_iter.h:330 [inline] BUG: KASAN: use-after-free in __copy_from_iter lib/iov_iter.c:261 [inline] BUG: KASAN: use-after-free in copy_folio_from_iter_atomic+0xa6c/0x1950 lib/iov_iter.c:491 Read of size 4096 at addr ffff88803177d000 by task kworker/u8:9/1219 CPU: 0 UID: 0 PID: 1219 Comm: kworker/u8:9 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: loop1 loop_workfn Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 memcpy_from_iter lib/iov_iter.c:85 [inline] iterate_bvec include/linux/iov_iter.h:123 [inline] iterate_and_advance2 include/linux/iov_iter.h:306 [inline] iterate_and_advance include/linux/iov_iter.h:330 [inline] __copy_from_iter lib/iov_iter.c:261 [inline] copy_folio_from_iter_atomic+0xa6c/0x1950 lib/iov_iter.c:491 generic_perform_write+0x5b1/0x8b0 mm/filemap.c:4332 shmem_file_write_iter+0xfb/0x120 mm/shmem.c:3490 lo_rw_aio+0xc80/0xf00 include/linux/percpu-rwsem.h:-1 do_req_filebacked drivers/block/loop.c:434 [inline] loop_handle_cmd drivers/block/loop.c:1947 [inline] loop_process_work+0x637/0x11b0 drivers/block/loop.c:1982 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340 worker_thread+0x89f/0xd90 kernel/workqueue.c:3421 kthread+0x726/0x8b0 kernel/kthread.c:463 ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803177d000 pfn:0x3177d flags: 0x80000000000000(node=0|zone=1) raw: 0080000000000000 ffffea00016beb08 ffffea00009e42c8 0000000000000000 raw: ffff88803177d000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0xdc0(GFP_KERNEL|__GFP_ZERO), pid 6876, tgid 6875 (syz.1.137), ts 163020649815, free_ts 163886382057 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884 prep_new_page mm/page_alloc.c:1892 [inline] get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3945 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5240 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486 alloc_frozen_pages_noprof mm/mempolicy.c:2557 [inline] alloc_pages_noprof+0xce/0x1e0 mm/mempolicy.c:2577 lbmLogInit fs/jfs/jfs_logmgr.c:1815 [inline] lmLogInit+0x357/0x1a00 fs/jfs/jfs_logmgr.c:1269 open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline] lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1069 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1691 vfs_get_tree+0x92/0x2a0 fs/super.c:1751 fc_mount fs/namespace.c:1199 [inline] do_new_mount_fc fs/namespace.c:3636 [inline] do_new_mount+0x329/0xa50 fs/namespace.c:3712 do_mount fs/namespace.c:4035 [inline] __do_sys_mount fs/namespace.c:4224 [inline] __se_sys_mount+0x31d/0x420 fs/namespace.c:4201 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5804 tgid 5804 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0xfc1/0x1130 mm/page_alloc.c:2973 lbmLogShutdown fs/jfs/jfs_logmgr.c:1863 [inline] lmLogShutdown+0x44e/0x850 fs/jfs/jfs_logmgr.c:1683 lmLogClose+0x28a/0x520 fs/jfs/jfs_logmgr.c:1459 jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x135/0x2c0 fs/super.c:643 kill_block_super+0x44/0x90 fs/super.c:1722 deactivate_locked_super+0xbc/0x130 fs/super.c:474 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1318 task_work_run+0x1d9/0x270 kernel/task_work.c:233 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] __exit_to_user_mode_loop kernel/entry/common.c:44 [inline] exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] do_syscall_64+0x2b7/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88803177cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88803177cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88803177d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88803177d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88803177d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================

Crashes (3):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info	Assets (help?)	Manager	Title
2026/01/20 08:26	upstream	24d479d26b25	572effc1	.config	console log	report	info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in copy_folio_from_iter_atomic
2026/01/02 00:33	upstream	b69053dd3ffb	d6526ea3	.config	console log	report	info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in copy_folio_from_iter_atomic
2025/12/25 20:48	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	8f0b4cce4481	d6526ea3	.config	console log	report	info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: use-after-free Read in copy_folio_from_iter_atomic

Crashes (3):

Assets (help?)