syzbot

 sign-in | mailing list | source | docs
🐞 Open [780]
🐞 Fixed [123]
🐞 Invalid [821]
Missing Backports [74]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in gfs2_invalidate_folio

Status: upstream: reported on 2025/05/16 19:32
Reported-by: syzbot+ad31dfa0b430a4497f2a@syzkaller.appspotmail.com
First crash: 78d, last: 1d10h
Similar bugs (1)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-use-after-free Read in gfs2_invalidate_folio gfs2 19 C 40 6d05h 478d 0/29 upstream: reported C repro on 2024/04/11 16:17

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in list_empty include/linux/list.h:292 [inline]
BUG: KASAN: use-after-free in gfs2_discard fs/gfs2/aops.c:618 [inline]
BUG: KASAN: use-after-free in gfs2_invalidate_folio+0x455/0xa70 fs/gfs2/aops.c:656
Read of size 8 at addr ffff888026b2f168 by task syz-executor/4271

CPU: 1 PID: 4271 Comm: syz-executor Not tainted 6.1.147-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0xa8/0x200 mm/kasan/report.c:418
 kasan_report+0x10b/0x140 mm/kasan/report.c:522
 list_empty include/linux/list.h:292 [inline]
 gfs2_discard fs/gfs2/aops.c:618 [inline]
 gfs2_invalidate_folio+0x455/0xa70 fs/gfs2/aops.c:656
 folio_invalidate mm/truncate.c:158 [inline]
 truncate_cleanup_folio+0x218/0x5e0 mm/truncate.c:178
 truncate_inode_pages_range+0x237/0xff0 mm/truncate.c:368
 gfs2_evict_inode+0xab5/0x1170 fs/gfs2/super.c:1511
 evict+0x485/0x870 fs/inode.c:705
 gfs2_put_super+0x412/0x8c0 fs/gfs2/super.c:616
 generic_shutdown_super+0x130/0x340 fs/super.c:501
 kill_block_super+0x7c/0xe0 fs/super.c:1470
 deactivate_locked_super+0x93/0xf0 fs/super.c:332
 cleanup_mnt+0x463/0x4f0 fs/namespace.c:1182
 task_work_run+0x1ca/0x250 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fc82e38fe97
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffe66cac1b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000064 RCX: 00007fc82e38fe97
RDX: 0000000000000200 RSI: 0000000000000009 RDI: 00007ffe66cad360
RBP: 00007fc82e411bdd R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe66cad360
R13: 00007fc82e411bdd R14: 000055556c0f34a8 R15: 00007ffe66cae430
 </TASK>

Allocated by task 4643:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 __kasan_slab_alloc+0x6b/0x80 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x4b/0x480 mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x123/0x2f0 mm/slub.c:3422
 kmem_cache_zalloc include/linux/slab.h:689 [inline]
 gfs2_alloc_bufdata fs/gfs2/trans.c:168 [inline]
 gfs2_trans_add_data+0x1fb/0x610 fs/gfs2/trans.c:209
 gfs2_unstuffer_page fs/gfs2/bmap.c:83 [inline]
 __gfs2_unstuff_inode fs/gfs2/bmap.c:121 [inline]
 gfs2_unstuff_dinode+0xf61/0x1770 fs/gfs2/bmap.c:168
 gfs2_adjust_quota+0x234/0x810 fs/gfs2/quota.c:847
 gfs2_set_dqblk+0x96e/0xc10 fs/gfs2/quota.c:1738
 quota_setquota+0x4ac/0x530 fs/quota/quota.c:310
 __do_sys_quotactl fs/quota/quota.c:960 [inline]
 __se_sys_quotactl+0x295/0x6b0 fs/quota/quota.c:916
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 4271:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x2d/0x50 mm/kasan/generic.c:516
 ____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook+0x131/0x1a0 mm/slub.c:1750
 slab_free mm/slub.c:3661 [inline]
 kmem_cache_free+0xf7/0x290 mm/slub.c:3683
 trans_drain fs/gfs2/log.c:1023 [inline]
 gfs2_log_flush+0x1902/0x24e0 fs/gfs2/log.c:1161
 gfs2_kill_sb+0x50/0xd0 fs/gfs2/ops_fstype.c:1729
 deactivate_locked_super+0x93/0xf0 fs/super.c:332
 cleanup_mnt+0x463/0x4f0 fs/namespace.c:1182
 task_work_run+0x1ca/0x250 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff888026b2f150
 which belongs to the cache gfs2_bufdata of size 80
The buggy address is located 24 bytes inside of
 80-byte region [ffff888026b2f150, ffff888026b2f1a0)

The buggy address belongs to the physical page:
page:ffffea00009acbc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x26b2f
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8881486ea500
raw: 0000000000000000 0000000080240024 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 4591, tgid 4590 (syz.4.52), ts 74907823551, free_ts 74756654157
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328
 __alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5614
 alloc_slab_page+0x5d/0x160 mm/slub.c:1794
 allocate_slab mm/slub.c:1939 [inline]
 new_slab+0x87/0x2c0 mm/slub.c:1992
 ___slab_alloc+0xbc6/0x1220 mm/slub.c:3180
 __slab_alloc mm/slub.c:3279 [inline]
 slab_alloc_node mm/slub.c:3364 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x1b7/0x2f0 mm/slub.c:3422
 kmem_cache_zalloc include/linux/slab.h:689 [inline]
 gfs2_alloc_bufdata fs/gfs2/trans.c:168 [inline]
 gfs2_trans_add_meta+0x34e/0xc60 fs/gfs2/trans.c:250
 init_dinode+0x97/0xa30 fs/gfs2/inode.c:479
 gfs2_create_inode+0xfb1/0x1400 fs/gfs2/inode.c:747
 gfs2_atomic_open+0xce/0x210 fs/gfs2/inode.c:1293
 atomic_open fs/namei.c:3345 [inline]
 lookup_open fs/namei.c:3453 [inline]
 open_last_lookups fs/namei.c:3550 [inline]
 path_openat+0xe20/0x2e70 fs/namei.c:3780
 do_filp_open+0x1c1/0x3c0 fs/namei.c:3810
 do_sys_openat2+0x142/0x490 fs/open.c:1318
 do_sys_open fs/open.c:1334 [inline]
 __do_sys_open fs/open.c:1342 [inline]
 __se_sys_open fs/open.c:1338 [inline]
 __x64_sys_open+0x11b/0x140 fs/open.c:1338
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
 free_unref_page_list+0xbb/0x8e0 mm/page_alloc.c:3525
 release_pages+0x1f92/0x2200 mm/swap.c:1035
 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:254 [inline]
 tlb_flush_mmu+0xff/0x210 mm/mmu_gather.c:261
 tlb_finish_mmu+0xbd/0x1c0 mm/mmu_gather.c:361
 exit_mmap+0x343/0x8e0 mm/mmap.c:3258
 __mmput+0x118/0x3c0 kernel/fork.c:1200
 exit_mm+0x1e6/0x2c0 kernel/exit.c:565
 do_exit+0x8c1/0x2400 kernel/exit.c:867
 do_group_exit+0x217/0x2d0 kernel/exit.c:1022
 __do_sys_exit_group kernel/exit.c:1033 [inline]
 __se_sys_exit_group kernel/exit.c:1031 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1031
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Memory state around the buggy address:
 ffff888026b2f000: fa fb fb fb fb fb fb fb fb fb fc fc fc fc fa fb
 ffff888026b2f080: fb fb fb fb fb fb fb fb fc fc fc fc fa fb fb fb
>ffff888026b2f100: fb fb fb fb fb fb fc fc fc fc fa fb fb fb fb fb
                                                          ^
 ffff888026b2f180: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb
 ffff888026b2f200: fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/08/01 21:38 linux-6.1.y 3594f306da12 40127d41 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in gfs2_invalidate_folio
2025/05/16 19:32 linux-6.1.y 02b72ccb5f9d cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in gfs2_invalidate_folio
* Struck through repros no longer work on HEAD.