KASAN: vmalloc-out-of-bounds Read in fanotify

ID	Workflow	Correct	Bug	Created	Started	Finished	Revision	Error
c8b71416-c99c-4e98-8a57-f25aedeaf84c	assessment-security	💥	KASAN: vmalloc-out-of-bounds Read in fanotify_read	2026/06/30 00:00	2026/06/30 00:00	2026/06/30 00:00	fff8d0a0e302881e84edbe2230016e3bec252ec6	failed to run ["git" "-c" "core.hooksPath=/dev/null" "checkout" "92e3f6ef4ffb1f65e7774f4611c27fb764b3bc14"]: exit status 128 error: Could not read 23997b17256ca0184953e2c4954dccb29b175f37
21ce7bfe-c953-497b-8e05-9bfc1274d2be	assessment-security	💥	KASAN: vmalloc-out-of-bounds Read in fanotify_read	2026/06/27 00:00	2026/06/27 00:00	2026/06/27 00:00	7ff32d8bb9773a5f02d3db4c8207fc9251ebedc5	failed to run ["git" "-c" "core.hooksPath=/dev/null" "checkout" "92e3f6ef4ffb1f65e7774f4611c27fb764b3bc14"]: exit status 128 fatal: unable to read tree (8c0e9110d5746386621b881b9e72384d6faee05d)
4728fea9-35b1-4c1e-8f24-86b0e76c983f	assessment-security	💥	KASAN: vmalloc-out-of-bounds Read in fanotify_read	2026/06/25 00:00	2026/06/25 00:00	2026/06/25 00:00	2e5297c5126f27e51eeef9157f2111c5beb11e4f	failed to run ["git" "-c" "core.hooksPath=/dev/null" "fetch" "--force" "--tags" "433dfd5a8a5d80bbf0669b14e9ed908911a52dd6" "92e3f6ef4ffb1f65e7774f4611c27fb764b3bc14"]: exit status 128 error: insuffici... truncated to first 200 bytes; open job for full error

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: stack-out-of-bounds Read in fanotify_read fs	17				1	475d	471d	0/29	auto-obsoleted due to no activity on 2025/06/09 03:57

Kernel

Title

Rank 🛈

upstream

KASAN: stack-out-of-bounds Read in fanotify_read fs

475d

471d

0/29

auto-obsoleted due to no activity on 2025/06/09 03:57

================================================================== BUG: KASAN: vmalloc-out-of-bounds in copy_range_info_to_user fs/notify/fanotify/fanotify_user.c:682 [inline] BUG: KASAN: vmalloc-out-of-bounds in copy_info_records_to_user fs/notify/fanotify/fanotify_user.c:813 [inline] BUG: KASAN: vmalloc-out-of-bounds in copy_event_to_user fs/notify/fanotify/fanotify_user.c:944 [inline] BUG: KASAN: vmalloc-out-of-bounds in fanotify_read+0x13d8/0x23a4 fs/notify/fanotify/fanotify_user.c:1032 Read of size 8 at addr ffff800092bb7b08 by task syz.6.1374/10180 CPU: 0 UID: 0 PID: 10180 Comm: syz.6.1374 Tainted: G L syzkaller #0 PREEMPT Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_address_description+0xb0/0x238 mm/kasan/report.c:378 print_report+0x68/0x84 mm/kasan/report.c:482 kasan_report+0x8c/0xc4 mm/kasan/report.c:595 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 copy_range_info_to_user fs/notify/fanotify/fanotify_user.c:682 [inline] copy_info_records_to_user fs/notify/fanotify/fanotify_user.c:813 [inline] copy_event_to_user fs/notify/fanotify/fanotify_user.c:944 [inline] fanotify_read+0x13d8/0x23a4 fs/notify/fanotify/fanotify_user.c:1032 do_loop_readv_writev+0x24c/0x3dc fs/read_write.c:-1 vfs_readv+0x258/0x520 fs/read_write.c:1022 do_readv+0x134/0x2a8 fs/read_write.c:1082 __do_sys_readv fs/read_write.c:1167 [inline] __se_sys_readv fs/read_write.c:1164 [inline] __arm64_sys_readv+0x80/0x94 fs/read_write.c:1164 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 The buggy address belongs to a vmalloc virtual mapping Memory state around the buggy address: ffff800092bb7a00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffff800092bb7a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >ffff800092bb7b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffff800092bb7b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffff800092bb7c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== Unable to handle kernel paging request at virtual address ffff800092bb7b08 KASAN: probably user-memory-access in range [0x0000000495dbd840-0x0000000495dbd847] Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000021b33c000 [ffff800092bb7b08] pgd=0000000000000000, p4d=10000002215ef003, pud=10000002215f0003, pmd=10000001051dd403, pte=0000000000000000 Internal error: Oops: 0000000096000007 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 10180 Comm: syz.6.1374 Tainted: G B L syzkaller #0 PREEMPT Tainted: [B]=BAD_PAGE, [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : copy_range_info_to_user fs/notify/fanotify/fanotify_user.c:682 [inline] pc : copy_info_records_to_user fs/notify/fanotify/fanotify_user.c:813 [inline] pc : copy_event_to_user fs/notify/fanotify/fanotify_user.c:944 [inline] pc : fanotify_read+0x13d8/0x23a4 fs/notify/fanotify/fanotify_user.c:1032 lr : copy_range_info_to_user fs/notify/fanotify/fanotify_user.c:682 [inline] lr : copy_info_records_to_user fs/notify/fanotify/fanotify_user.c:813 [inline] lr : copy_event_to_user fs/notify/fanotify/fanotify_user.c:944 [inline] lr : fanotify_read+0x13d8/0x23a4 fs/notify/fanotify/fanotify_user.c:1032 sp : ffff800092ca7740 x29: ffff800092ca79b0 x28: ffff0000d47fc8f0 x27: 0000000000000000 x26: ffff800092bb7b08 x25: dfff800000000000 x24: 1fffe00019037740 x23: ffff0000c81bba00 x22: ffff0000d50f9000 x21: 0000000020000300 x20: 00000000000000cb x19: 0000000020000300 x18: 1fffe00035beb820 x17: 0000000000000003 x16: ffff800088a0b000 x15: ffff800088abda60 x14: ffff0001adf5c10c x13: 0000000000000001 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000080000 x9 : 0000000000000000 x8 : ffff0000c81bba00 x7 : 0000000000000000 x6 : ffff80008048076c x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000802f40a4 x2 : 0000000000000000 x1 : ffff0000c81bba00 x0 : 0000000000000001 Call trace: copy_range_info_to_user fs/notify/fanotify/fanotify_user.c:682 [inline] (P) copy_info_records_to_user fs/notify/fanotify/fanotify_user.c:813 [inline] (P) copy_event_to_user fs/notify/fanotify/fanotify_user.c:944 [inline] (P) fanotify_read+0x13d8/0x23a4 fs/notify/fanotify/fanotify_user.c:1032 (P) do_loop_readv_writev+0x24c/0x3dc fs/read_write.c:-1 vfs_readv+0x258/0x520 fs/read_write.c:1022 do_readv+0x134/0x2a8 fs/read_write.c:1082 __do_sys_readv fs/read_write.c:1167 [inline] __se_sys_readv fs/read_write.c:1164 [inline] __arm64_sys_readv+0x80/0x94 fs/read_write.c:1164 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 Code: 38796908 34000068 aa1a03e0 97f75966 (f9400348) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: 38796908 ldrb w8, [x8, x25] 4: 34000068 cbz w8, 0x10 8: aa1a03e0 mov x0, x26 c: 97f75966 bl 0xffffffffffdd65a4 * 10: f9400348 ldr x8, [x26] <-- trapping instruction

Crashes (1):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2026/06/23 12:22	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	92e3f6ef4ffb	4b1d8f01	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: vmalloc-out-of-bounds Read in fanotify_read

Crashes (1):

Assets (help?)