syzbot


KASAN: use-after-free Read in exact_lock

Status: premoderation: reported on 2025/02/23 13:56
Reported-by: syzbot+6cc6d855f569ac7bf692@syzkaller.appspotmail.com
First crash: 14d, last: 4d09h
Similar bugs (1)
Kernel: android-54
Title: KASAN: use-after-free Read in exact_lock
Repro: none
Cause bisect: none
Fix bisect: none
Count: 1
Last: 807d
Reported: 807d
Patched: 0/2
Status: auto-obsoleted due to no activity on 2023/04/22 15:12

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in get_disk_and_module block/genhd.c:1787 [inline]
BUG: KASAN: use-after-free in exact_lock+0x38/0xd0 block/genhd.c:677
Read of size 8 at addr ffff8881095e4460 by task syz.0.4445/18142

CPU: 1 PID: 18142 Comm: syz.0.4445 Tainted: G        W         5.10.234-syzkaller-00023-g3f5f2283d684 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x81/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:452
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
 get_disk_and_module block/genhd.c:1787 [inline]
 exact_lock+0x38/0xd0 block/genhd.c:677
 kobj_lookup+0x294/0x430 drivers/base/map.c:119
 get_gendisk+0xf7/0x3d0 block/genhd.c:1001
 bdev_get_gendisk fs/block_dev.c:1110 [inline]
 __blkdev_get+0x18c/0x12f0 fs/block_dev.c:1474
 blkdev_get fs/block_dev.c:1653 [inline]
 blkdev_open+0x241/0x480 fs/block_dev.c:1770
 do_dentry_open+0x7c1/0x10d0 fs/open.c:819
 vfs_open+0x73/0x80 fs/open.c:942
 do_open fs/namei.c:3391 [inline]
 path_openat+0x2660/0x3000 fs/namei.c:3509
 do_filp_open+0x21c/0x460 fs/namei.c:3536
 do_sys_openat2+0x13f/0x710 fs/open.c:1217
 do_sys_open fs/open.c:1233 [inline]
 __do_sys_openat fs/open.c:1249 [inline]
 __se_sys_openat fs/open.c:1244 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1244
 do_syscall_64+0x34/0x70
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f3633291169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f36318fb038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f36334a9fa0 RCX: 00007f3633291169
RDX: 0000000000000000 RSI: 0000400000004280 RDI: ffffffffffffff9c
RBP: 00007f36333122a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f36334a9fa0 R15: 00007ffe8e17dcd8

Allocated by task 9936:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:430 [inline]
 ____kasan_kmalloc+0xdb/0x110 mm/kasan/common.c:509
 __kasan_kmalloc+0x9/0x10 mm/kasan/common.c:518
 kasan_kmalloc include/linux/kasan.h:254 [inline]
 __kmalloc+0x1aa/0x330 mm/slub.c:4033
 __kmalloc_node include/linux/slab.h:418 [inline]
 kmalloc_node include/linux/slab.h:575 [inline]
 kvmalloc_node+0x82/0x130 mm/util.c:612
 kvmalloc include/linux/mm.h:822 [inline]
 kvmalloc_array include/linux/mm.h:840 [inline]
 alloc_fdtable+0xcf/0x260 fs/file.c:132
 dup_fd+0x7af/0xb30 fs/file.c:350
 copy_files+0xe6/0x200 kernel/fork.c:1541
 copy_process+0x10ac/0x3340 kernel/fork.c:2171
 kernel_clone+0x21e/0x9e0 kernel/fork.c:2574
 __do_sys_clone kernel/fork.c:2700 [inline]
 __se_sys_clone kernel/fork.c:2684 [inline]
 __x64_sys_clone+0x23f/0x290 kernel/fork.c:2684
 do_syscall_64+0x34/0x70
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Freed by task 17764:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x121/0x160 mm/kasan/common.c:362
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:370
 kasan_slab_free include/linux/kasan.h:220 [inline]
 slab_free_hook mm/slub.c:1595 [inline]
 slab_free_freelist_hook+0xc0/0x190 mm/slub.c:1621
 slab_free mm/slub.c:3203 [inline]
 kfree+0xc3/0x270 mm/slub.c:4191
 kvfree+0x35/0x40 mm/util.c:647
 __free_fdtable fs/file.c:36 [inline]
 put_files_struct+0x27f/0x320 fs/file.c:460
 exit_files+0x80/0xa0 fs/file.c:485
 do_exit+0xc4d/0x2a50 kernel/exit.c:858
 do_group_exit+0x141/0x310 kernel/exit.c:985
 __do_sys_exit_group kernel/exit.c:996 [inline]
 __se_sys_exit_group kernel/exit.c:994 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:994
 do_syscall_64+0x34/0x70
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xd3/0x100 mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
 __call_rcu kernel/rcu/tree.c:2976 [inline]
 call_rcu+0x135/0x11f0 kernel/rcu/tree.c:3050
 netlink_release+0x13ad/0x17d0 net/netlink/af_netlink.c:796
 __sock_release net/socket.c:597 [inline]
 sock_close+0xdf/0x270 net/socket.c:1286
 __fput+0x33d/0x7b0 fs/file_table.c:281
 ____fput+0x15/0x20 fs/file_table.c:314
 task_work_run+0x129/0x190 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop+0xbf/0xd0 kernel/entry/common.c:172
 exit_to_user_mode_prepare kernel/entry/common.c:199 [inline]
 syscall_exit_to_user_mode+0xa2/0x1a0 kernel/entry/common.c:274
 do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Second to last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xd3/0x100 mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
 __call_rcu kernel/rcu/tree.c:2976 [inline]
 call_rcu+0x135/0x11f0 kernel/rcu/tree.c:3050
 netlink_release+0x13ad/0x17d0 net/netlink/af_netlink.c:796
 __sock_release net/socket.c:597 [inline]
 sock_release+0x7e/0x140 net/socket.c:625
 netlink_kernel_release+0x4d/0x60 net/netlink/af_netlink.c:2089
 diag_net_exit+0x40/0x60 net/core/sock_diag.c:324
 ops_exit_list net/core/net_namespace.c:185 [inline]
 cleanup_net+0x66c/0xcb0 net/core/net_namespace.c:609
 process_one_work+0x6dc/0xbd0 kernel/workqueue.c:2301
 worker_thread+0xaea/0x1510 kernel/workqueue.c:2447
 kthread+0x34b/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

The buggy address belongs to the object at ffff8881095e4000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1120 bytes inside of
 2048-byte region [ffff8881095e4000, ffff8881095e4800)
The buggy address belongs to the page:
page:ffffea0004257800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1095e0
head:ffffea0004257800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100042d80
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 2123997223, free_ts 0
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x166/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x2d8c/0x2f30 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x435/0xaf0 mm/page_alloc.c:5348
 allocate_slab mm/slub.c:1808 [inline]
 new_slab+0x80/0x400 mm/slub.c:1869
 new_slab_objects mm/slub.c:2627 [inline]
 ___slab_alloc+0x302/0x4b0 mm/slub.c:2791
 __slab_alloc+0x63/0xa0 mm/slub.c:2831
 slab_alloc_node mm/slub.c:2913 [inline]
 slab_alloc mm/slub.c:2955 [inline]
 kmem_cache_alloc_trace+0x1bd/0x2e0 mm/slub.c:2972
 kmem_cache_alloc_node_trace include/linux/slab.h:440 [inline]
 kmalloc_node include/linux/slab.h:570 [inline]
 kzalloc_node include/linux/slab.h:675 [inline]
 __alloc_disk_node+0x76/0x570 block/genhd.c:1727
 loop_add+0x32d/0x750 drivers/block/loop.c:2158
 loop_init+0x225/0x263 drivers/block/loop.c:2403
 do_one_initcall+0x189/0x620 init/main.c:1197
 do_initcall_level+0x186/0x304 init/main.c:1270
 do_initcalls+0x4e/0x8e init/main.c:1286
 do_basic_setup+0x88/0x91 init/main.c:1306
 kernel_init_freeable+0x2be/0x3f5 init/main.c:1510
 kernel_init+0x11/0x280 init/main.c:1397
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881095e4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881095e4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881095e4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8881095e4480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881095e4500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (53):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/03/04 20:53 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/04 15:50 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/04 08:41 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/04 03:21 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/03 16:47 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/03 14:40 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/03 13:06 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/03 06:56 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/03 06:40 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/03 04:56 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/03 03:17 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/02 22:18 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/02 21:00 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/02 20:19 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/02 14:02 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/02 13:34 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/02 06:27 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/02 04:19 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/28 23:37 android13-5.10-lts 3f5f2283d684 67cf5345 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/28 12:42 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/28 09:54 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/28 08:25 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/28 08:22 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/28 05:20 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/28 02:32 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 23:33 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 20:05 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 19:58 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 19:50 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 18:01 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 16:59 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 16:37 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 15:38 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 15:10 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 13:25 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 09:17 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 08:16 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 07:56 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/27 07:56 android13-5.10-lts 3f5f2283d684 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/26 14:59 android13-5.10-lts 3f5f2283d684 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/25 10:12 android13-5.10-lts 3f5f2283d684 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/25 08:11 android13-5.10-lts 3f5f2283d684 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/24 10:25 android13-5.10-lts 3f5f2283d684 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/24 09:58 android13-5.10-lts 3f5f2283d684 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/24 07:53 android13-5.10-lts 3f5f2283d684 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/24 00:13 android13-5.10-lts 3f5f2283d684 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/23 18:58 android13-5.10-lts 3f5f2283d684 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/02/23 13:55 android13-5.10-lts 3f5f2283d684 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in exact_lock
2025/03/05 06:30 android13-5.10-lts 3f5f2283d684 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: slab-out-of-bounds Read in exact_lock
* Struck through repros no longer work on HEAD.