syzbot


KASAN: slab-use-after-free Read in txUnlock (2)

Status: moderation: reported on 2026/02/25 02:48
Subsystems: jfs
Reported-by: syzbot+7545f40aef8c14109406@syzkaller.appspotmail.com
First crash: 10d, last: 10d
✨ AI Jobs (1)
ID: 760646f6-d79a-4dc9-9e17-ce797d2da9ee
Workflow: moderation
Result: Actionable: ✅, Confident: ✅
Bug: KASAN: slab-use-after-free Read in txUnlock (2)
Created: 2026/02/25 04:17
Started: 2026/02/25 04:17
Finished: 2026/02/25 04:32
Revision: 305c0ec5cd886e2d13738e28e1b2df9b0ec20fc9
Error: (none)
Similar bugs (1)
Kernel: upstream
Title: KASAN: slab-use-after-free Read in txUnlock (jfs)
Rank: 19
Repro: (none)
Cause bisect: (none)
Fix bisect: (none)
Count: 1
Last: 281d
Reported: 277d
Patched: 0/29
Status: auto-obsoleted due to no activity on 2025/08/24 00:02

Sample crash report:
loop0: detected capacity change from 0 to 32768
 ... Log Wrap ... Log Wrap ... Log Wrap ...
JFS: metapage_get_blocks failed
 ... Log Wrap ... Log Wrap ... Log Wrap ...
 ... Log Wrap ... Log Wrap ... Log Wrap ...
 ... Log Wrap ... Log Wrap ... Log Wrap ...
 ... Log Wrap ... Log Wrap ... Log Wrap ...
 ... Log Wrap ... Log Wrap ... Log Wrap ...
==================================================================
BUG: KASAN: slab-use-after-free in txUnlock+0x95d/0xdf0 fs/jfs/jfs_txnmgr.c:926
Read of size 2 at addr ffff88800020c3e0 by task syz.0.0/5316

CPU: 0 UID: 0 PID: 5316 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 txUnlock+0x95d/0xdf0 fs/jfs/jfs_txnmgr.c:926
 txCommit+0x4f20/0x5410 fs/jfs/jfs_txnmgr.c:1336
 jfs_truncate_nolock+0x22f/0x340 fs/jfs/inode.c:407
 jfs_truncate+0xce/0x140 fs/jfs/inode.c:420
 jfs_direct_IO+0x1f4/0x220 fs/jfs/inode.c:350
 generic_file_direct_write+0x1db/0x3e0 mm/filemap.c:4248
 __generic_file_write_iter+0x11d/0x230 mm/filemap.c:4417
 generic_file_write_iter+0x14a/0x680 mm/filemap.c:4457
 do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1
 vfs_writev+0x33c/0x990 fs/read_write.c:1059
 do_pwritev fs/read_write.c:1155 [inline]
 __do_sys_pwritev2 fs/read_write.c:1213 [inline]
 __se_sys_pwritev2+0x184/0x2a0 fs/read_write.c:1204
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa889f9c629
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa88ad74028 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffda RBX: 00007fa88a215fa0 RCX: 00007fa889f9c629
RDX: 0000000000000001 RSI: 0000200000000240 RDI: 0000000000000004
RBP: 00007fa88a032b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000007800 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa88a216038 R14: 00007fa88a215fa0 R15: 00007fffc0e085a8
 </TASK>

Allocated by task 5316:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 unpoison_slab_object mm/kasan/common.c:340 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 mempool_alloc_noprof+0x1ce/0x300 mm/mempool.c:567
 alloc_metapage fs/jfs/jfs_metapage.c:264 [inline]
 __get_metapage+0x50c/0xde0 fs/jfs/jfs_metapage.c:760
 diWrite+0x401/0x1f40 fs/jfs/jfs_imap.c:639
 txCommit+0x869/0x5410 fs/jfs/jfs_txnmgr.c:1256
 jfs_truncate_nolock+0x22f/0x340 fs/jfs/inode.c:407
 jfs_truncate+0xce/0x140 fs/jfs/inode.c:420
 jfs_direct_IO+0x1f4/0x220 fs/jfs/inode.c:350
 generic_file_direct_write+0x1db/0x3e0 mm/filemap.c:4248
 __generic_file_write_iter+0x11d/0x230 mm/filemap.c:4417
 generic_file_write_iter+0x14a/0x680 mm/filemap.c:4457
 do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1
 vfs_writev+0x33c/0x990 fs/read_write.c:1059
 do_pwritev fs/read_write.c:1155 [inline]
 __do_sys_pwritev2 fs/read_write.c:1213 [inline]
 __se_sys_pwritev2+0x184/0x2a0 fs/read_write.c:1204
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 79:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2687 [inline]
 slab_free mm/slub.c:6124 [inline]
 kmem_cache_free+0x187/0x630 mm/slub.c:6254
 mempool_free+0xec/0x130 mm/mempool.c:712
 free_metapage fs/jfs/jfs_metapage.c:279 [inline]
 metapage_release_folio+0x40e/0x540 fs/jfs/jfs_metapage.c:636
 shrink_folio_list+0x2226/0x5290 mm/vmscan.c:1491
 evict_folios+0x4795/0x5880 mm/vmscan.c:4717
 try_to_shrink_lruvec+0xb62/0xfa0 mm/vmscan.c:4880
 shrink_one+0x25c/0x710 mm/vmscan.c:4925
 shrink_many mm/vmscan.c:4988 [inline]
 lru_gen_shrink_node mm/vmscan.c:5066 [inline]
 shrink_node+0x3197/0x3a90 mm/vmscan.c:6046
 kswapd_shrink_node mm/vmscan.c:6893 [inline]
 balance_pgdat mm/vmscan.c:7069 [inline]
 kswapd+0x1742/0x2e10 mm/vmscan.c:7342
 kthread+0x388/0x470 kernel/kthread.c:467
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff88800020c3e0
 which belongs to the cache jfs_mp of size 184
The buggy address is located 0 bytes inside of
 freed 184-byte region [ffff88800020c3e0, ffff88800020c498)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20c
flags: 0x7ff00000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 007ff00000000000 ffff8880304a2c80 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 8797240623, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3255 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3444
 new_slab mm/slub.c:3502 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7134
 refill_sheaf+0x29/0x50 mm/slub.c:2804
 alloc_full_sheaf mm/slub.c:2825 [inline]
 __pcs_replace_empty_main+0x3ef/0x620 mm/slub.c:4588
 alloc_from_pcs mm/slub.c:4681 [inline]
 slab_alloc_node mm/slub.c:4815 [inline]
 kmem_cache_alloc_noprof+0x37d/0x650 mm/slub.c:4837
 mempool_init_node+0x1ea/0x4d0 mm/mempool.c:259
 mempool_create_node_noprof+0xb8/0x150 mm/mempool.c:323
 metapage_init+0xed/0x150 fs/jfs/jfs_metapage.c:292
 init_jfs_fs+0xfd/0x4e0 fs/jfs/super.c:968
 do_one_initcall+0x250/0x8d0 init/main.c:1382
 do_initcall_level+0x104/0x190 init/main.c:1444
 do_initcalls+0x59/0xa0 init/main.c:1460
 kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88800020c280: fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00
 ffff88800020c300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88800020c380: 00 00 00 00 fc fc fc fc fc fc fc fc fa fb fb fb
                                                       ^
 ffff88800020c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88800020c480: fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00 00
==================================================================

Crashes (1):
Time: 2026/02/21 02:38
Kernel: upstream
Commit: a95f71ad3e2e
Syzkaller: 741f5161
Config: .config
Log: console log
Report: report
Syz repro: (none)
C repro: (none)
VM info: (none)
Assets: [disk image (non-bootable)] [vmlinux] [kernel image]
Manager: ci-snapshot-upstream-root
Title: KASAN: slab-use-after-free Read in txUnlock