syzbot

 sign-in | mailing list | source | docs
🐞 Open [461]
🐞 Fixed [21]
🐞 Invalid [161]
Missing Backports [18]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in z_erofs_transform_plain

Status: upstream: reported C repro on 2025/06/24 12:21
Bug presence: origin:lts-only
[Documentation on labels]
Reported-by: syzbot+a94f033f5bdbb0bd6999@syzkaller.appspotmail.com
First crash: 253d, last: 22h14m
Fix commit to backport (bisect log) :
tree: upstream
commit 1ca01520148af399899ed66af5c78330bb9ecaf2
Author: Gao Xiang <hsiangkao@linux.alibaba.com>
Date: Wed Dec 6 09:10:56 2023 +0000

  erofs: refine z_erofs_transform_plain() for sub-page block support

  
Bug presence (2)
Date Name Commit Repro Result
2026/03/04 linux-6.6.y (ToT) 7a137e9bfa0e C [report] KASAN: slab-use-after-free Read in z_erofs_transform_plain
2026/03/04 upstream (ToT) 0031c06807cf C Didn't crash
Similar bugs (3)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in z_erofs_transform_plain (2) erofs 19 C error 5 12d 8d19h 25/29 upstream: reported C repro on 2026/02/24 07:45
linux-6.1 KASAN: use-after-free Read in z_erofs_transform_plain origin:lts-only 19 C inconclusive 357 8h26m 756d 0/3 upstream: reported C repro on 2024/02/07 05:17
upstream KASAN: use-after-free Read in z_erofs_transform_plain erofs 19 C done 4 1108d 1185d 22/29 fixed on 2023/02/24 13:50
Fix bisection attempts (1)
Created Duration User Patch Repo Result
2025/07/11 02:01 9h29m fix candidate upstream OK (1) job log

Sample crash report:
erofs: (device loop3): mounted with root inode @ nid 36.
==================================================================
BUG: KASAN: use-after-free in memcpy_to_page include/linux/highmem.h:427 [inline]
BUG: KASAN: use-after-free in z_erofs_transform_plain+0x38c/0x460 fs/erofs/decompressor.c:346
Read of size 4096 at addr ffff88805b35d000 by task syz.3.222/6170

CPU: 0 PID: 6170 Comm: syz.3.222 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xa8/0x210 mm/kasan/report.c:468
 kasan_report+0x117/0x150 mm/kasan/report.c:581
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x241/0x290 mm/kasan/generic.c:187
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 memcpy_to_page include/linux/highmem.h:427 [inline]
 z_erofs_transform_plain+0x38c/0x460 fs/erofs/decompressor.c:346
 z_erofs_decompress_pcluster fs/erofs/zdata.c:1296 [inline]
 z_erofs_decompress_queue+0x1780/0x26f0 fs/erofs/zdata.c:1377
 z_erofs_runqueue+0x1913/0x1aa0 fs/erofs/zdata.c:1774
 z_erofs_read_folio+0x323/0x5c0 fs/erofs/zdata.c:1859
 filemap_read_folio+0x172/0x760 mm/filemap.c:2420
 filemap_update_page mm/filemap.c:2504 [inline]
 filemap_get_pages+0x13c7/0x1e90 mm/filemap.c:2618
 filemap_read+0x402/0xf00 mm/filemap.c:2690
 __kernel_read+0x2f3/0x710 fs/read_write.c:428
 integrity_kernel_read+0x8a/0xd0 security/integrity/iint.c:221
 ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:485 [inline]
 ima_calc_file_shash security/integrity/ima/ima_crypto.c:516 [inline]
 ima_calc_file_hash+0x91d/0x1910 security/integrity/ima/ima_crypto.c:573
 ima_collect_measurement+0x4d4/0xa20 security/integrity/ima/ima_api.c:290
 process_measurement+0x128e/0x1d70 security/integrity/ima/ima_main.c:370
 ima_file_check+0xcc/0x110 security/integrity/ima/ima_main.c:568
 do_open fs/namei.c:3642 [inline]
 path_openat+0x28b7/0x3230 fs/namei.c:3797
 do_filp_open+0x1f5/0x430 fs/namei.c:3824
 do_sys_openat2+0x134/0x1d0 fs/open.c:1421
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_openat fs/open.c:1452 [inline]
 __se_sys_openat fs/open.c:1447 [inline]
 __x64_sys_openat+0x139/0x160 fs/open.c:1447
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f0d5bf9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff00e64608 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f0d5c215fa0 RCX: 00007f0d5bf9c799
RDX: 0000000000121140 RSI: 0000200000000000 RDI: ffffffffffffff9c
RBP: 00007f0d5c032bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000013d R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0d5c215fac R14: 00007f0d5c215fa0 R15: 00007f0d5c215fa0
 </TASK>

The buggy address belongs to the physical page:
page:ffffea00016cd740 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5b35d
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea00009a8ac8 ffffea000163dd88 0000000000000000
raw: 0000000000000000 0000000000100000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 5835, tgid 5835 (syz-executor), ts 77851046263, free_ts 95849794675
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1c1/0x200 mm/page_alloc.c:1581
 prep_new_page mm/page_alloc.c:1588 [inline]
 get_page_from_freelist+0x1951/0x19e0 mm/page_alloc.c:3220
 __alloc_pages+0x1f0/0x460 mm/page_alloc.c:4486
 alloc_slab_page+0x5d/0x160 mm/slub.c:1881
 allocate_slab mm/slub.c:2028 [inline]
 new_slab+0x87/0x2d0 mm/slub.c:2081
 ___slab_alloc+0xc5d/0x12f0 mm/slub.c:3253
 __slab_alloc mm/slub.c:3339 [inline]
 __slab_alloc_node mm/slub.c:3392 [inline]
 slab_alloc_node mm/slub.c:3485 [inline]
 __kmem_cache_alloc_node+0x19e/0x250 mm/slub.c:3534
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0xa4/0x230 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 __register_sysctl_table+0x6e/0x1240 fs/proc/proc_sysctl.c:1373
 __ip_vs_lblc_init+0x1bc/0x260 net/netfilter/ipvs/ip_vs_lblc.c:576
 ops_init+0x397/0x640 net/core/net_namespace.c:139
 setup_net+0x3b6/0xa30 net/core/net_namespace.c:343
 copy_net_ns+0x36d/0x5e0 net/core/net_namespace.c:520
 create_new_namespaces+0x3d3/0x6f0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x11a/0x160 kernel/nsproxy.c:228
 ksys_unshare+0x4ce/0x8b0 kernel/fork.c:3439
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1181 [inline]
 free_unref_page_prepare+0x7b2/0x8c0 mm/page_alloc.c:2365
 free_unref_page+0x32/0x2e0 mm/page_alloc.c:2458
 __slab_free+0x35a/0x400 mm/slub.c:3736
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x75/0xd0 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x143/0x160 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:306
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook+0x6e/0x4b0 mm/slab.h:767
 slab_alloc_node mm/slub.c:3495 [inline]
 kmem_cache_alloc_node+0x14c/0x320 mm/slub.c:3540
 __alloc_skb+0x103/0x2c0 net/core/skbuff.c:643
 alloc_skb include/linux/skbuff.h:1284 [inline]
 mld_newpack+0x154/0xbe0 net/ipv6/mcast.c:1743
 add_grhead+0x5a/0x2a0 net/ipv6/mcast.c:1854
 add_grec+0x13ad/0x1660 net/ipv6/mcast.c:1992
 mld_send_initial_cr+0xed/0x240 net/ipv6/mcast.c:2237
 ipv6_mc_dad_complete+0x88/0x210 net/ipv6/mcast.c:2248
 addrconf_dad_completed+0x776/0xd90 net/ipv6/addrconf.c:4322
 addrconf_dad_work+0xc90/0x1530 net/ipv6/addrconf.c:-1

Memory state around the buggy address:
 ffff88805b35cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88805b35cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88805b35d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88805b35d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805b35d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (49):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/03/04 04:01 linux-6.6.y 7a137e9bfa0e 4180d919 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-6-6-kasan KASAN: use-after-free Read in z_erofs_transform_plain
2025/10/30 12:18 linux-6.6.y e5bbb12db2c7 fd2207e7 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/06/26 03:12 linux-6.6.y 6282921b6825 26d77996 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2026/03/04 01:06 linux-6.6.y 7a137e9bfa0e 4180d919 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: use-after-free Read in z_erofs_transform_plain
2025/11/30 00:54 linux-6.6.y 1e89a1be4fe9 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: use-after-free Read in z_erofs_transform_plain
2025/09/20 19:37 linux-6.6.y af1544b5d072 67c37560 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: use-after-free Read in z_erofs_transform_plain
2025/09/19 18:20 linux-6.6.y af1544b5d072 67c37560 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: use-after-free Read in z_erofs_transform_plain
2025/09/19 02:14 linux-6.6.y 60a9e718726f e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: use-after-free Read in z_erofs_transform_plain
2025/09/18 09:56 linux-6.6.y 60a9e718726f e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: use-after-free Read in z_erofs_transform_plain
2025/08/10 02:27 linux-6.6.y 3a8ababb8b6a 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: use-after-free Read in z_erofs_transform_plain
2025/08/10 02:27 linux-6.6.y 3a8ababb8b6a 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: use-after-free Read in z_erofs_transform_plain
2025/07/01 22:12 linux-6.6.y 3f5b4c104b7d 091a06cd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: use-after-free Read in z_erofs_transform_plain
2025/06/24 12:21 linux-6.6.y 6282921b6825 e2f27c35 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: use-after-free Read in z_erofs_transform_plain
2025/12/27 03:28 linux-6.6.y 5fa4793a2d2d d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/11/30 13:44 linux-6.6.y 1e89a1be4fe9 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/10/30 11:36 linux-6.6.y e5bbb12db2c7 fd2207e7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/09/30 18:03 linux-6.6.y 147338df3487 65a0eece .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/09/17 10:51 linux-6.6.y 60a9e718726f e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/09/16 22:38 linux-6.6.y 60a9e718726f e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/09/15 08:52 linux-6.6.y 60a9e718726f e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/09/15 02:17 linux-6.6.y 60a9e718726f e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/09/13 10:43 linux-6.6.y 60a9e718726f e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/09/08 23:32 linux-6.6.y 355bd0b51d2f d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/08/10 02:09 linux-6.6.y 3a8ababb8b6a 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/08/10 02:06 linux-6.6.y 3a8ababb8b6a 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/07/29 01:41 linux-6.6.y dbcb8d8e4163 6654ea9c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/07/29 01:40 linux-6.6.y dbcb8d8e4163 6654ea9c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/07/29 01:34 linux-6.6.y dbcb8d8e4163 6654ea9c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/07/29 01:34 linux-6.6.y dbcb8d8e4163 6654ea9c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/07/23 16:56 linux-6.6.y d96eb99e2f0e e1dd4f22 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/07/23 16:56 linux-6.6.y d96eb99e2f0e e1dd4f22 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/07/03 10:22 linux-6.6.y 3f5b4c104b7d 115ceea7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/07/03 10:19 linux-6.6.y 3f5b4c104b7d 115ceea7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/07/03 10:19 linux-6.6.y 3f5b4c104b7d 115ceea7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/07/02 05:45 linux-6.6.y 3f5b4c104b7d bc80e4f0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/07/01 22:19 linux-6.6.y 3f5b4c104b7d 091a06cd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/07/01 22:15 linux-6.6.y 3f5b4c104b7d 091a06cd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/07/01 22:15 linux-6.6.y 3f5b4c104b7d 091a06cd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/07/01 09:06 linux-6.6.y 3f5b4c104b7d 6e83b42d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/06/27 08:19 linux-6.6.y 6282921b6825 803ce19b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/06/27 08:18 linux-6.6.y 6282921b6825 803ce19b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/06/27 07:58 linux-6.6.y 6282921b6825 803ce19b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/06/27 07:55 linux-6.6.y 6282921b6825 803ce19b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/06/27 07:55 linux-6.6.y 6282921b6825 803ce19b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/06/24 12:31 linux-6.6.y 6282921b6825 e2f27c35 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/06/24 12:30 linux-6.6.y 6282921b6825 e2f27c35 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/06/24 12:25 linux-6.6.y 6282921b6825 e2f27c35 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-use-after-free Read in z_erofs_transform_plain
2025/06/24 12:25 linux-6.6.y 6282921b6825 e2f27c35 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2025/06/24 12:21 linux-6.6.y 6282921b6825 e2f27c35 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
* Struck through repros no longer work on HEAD.