syzbot |
sign-in | mailing list | source | docs |
| Kernel | Title | Rank 🛈 | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| linux-6.6 | KASAN: slab-use-after-free Read in gfs2_invalidate_folio | 19 | 13 | 8h21m | 114d | 0/2 | upstream: reported on 2025/08/04 00:39 | |||
| upstream | KASAN: slab-use-after-free Read in gfs2_invalidate_folio gfs2 | 19 | C | error | 118 | 6h43m | 593d | 0/29 | upstream: reported C repro on 2024/04/11 16:17 |
================================================================== BUG: KASAN: use-after-free in list_empty include/linux/list.h:292 [inline] BUG: KASAN: use-after-free in gfs2_discard fs/gfs2/aops.c:618 [inline] BUG: KASAN: use-after-free in gfs2_invalidate_folio+0x455/0xa70 fs/gfs2/aops.c:656 Read of size 8 at addr ffff88807acc32b8 by task syz-executor/4266 CPU: 1 PID: 4266 Comm: syz-executor Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0xa8/0x210 mm/kasan/report.c:420 kasan_report+0x10b/0x140 mm/kasan/report.c:524 list_empty include/linux/list.h:292 [inline] gfs2_discard fs/gfs2/aops.c:618 [inline] gfs2_invalidate_folio+0x455/0xa70 fs/gfs2/aops.c:656 folio_invalidate mm/truncate.c:158 [inline] truncate_cleanup_folio+0x218/0x5e0 mm/truncate.c:178 truncate_inode_pages_range+0x237/0xff0 mm/truncate.c:368 gfs2_evict_inode+0xab5/0x1170 fs/gfs2/super.c:1511 evict+0x485/0x870 fs/inode.c:705 dispose_list fs/inode.c:738 [inline] evict_inodes+0x604/0x690 fs/inode.c:792 generic_shutdown_super+0x93/0x340 fs/super.c:480 kill_block_super+0x7c/0xe0 fs/super.c:1470 deactivate_locked_super+0x93/0xf0 fs/super.c:332 cleanup_mnt+0x463/0x4f0 fs/namespace.c:1191 task_work_run+0x1ca/0x250 kernel/task_work.c:203 exit_task_work include/linux/task_work.h:39 [inline] do_exit+0x93e/0x2400 kernel/exit.c:880 do_group_exit+0x217/0x2d0 kernel/exit.c:1022 __do_sys_exit_group kernel/exit.c:1033 [inline] __se_sys_exit_group kernel/exit.c:1031 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1031 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f4298b8f749 Code: Unable to access opcode bytes at 0x7f4298b8f71f. RSP: 002b:00007ffd89dbdfe8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f4298c13da2 RCX: 00007f4298b8f749 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 RBP: 0000000000000005 R08: 00007ffd89dbbd87 R09: 00007ffd89dbf240 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd89dbf240 R13: 00007f4298c13d7d R14: 000000000001123f R15: 00007ffd89dbf280 </TASK> Allocated by task 4444: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 __kasan_slab_alloc+0x6b/0x80 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook+0x4b/0x480 mm/slab.h:737 slab_alloc_node mm/slub.c:3359 [inline] slab_alloc mm/slub.c:3367 [inline] __kmem_cache_alloc_lru mm/slub.c:3374 [inline] kmem_cache_alloc+0x123/0x2f0 mm/slub.c:3383 kmem_cache_zalloc include/linux/slab.h:689 [inline] gfs2_alloc_bufdata fs/gfs2/trans.c:168 [inline] gfs2_trans_add_data+0x1fb/0x610 fs/gfs2/trans.c:209 gfs2_page_add_databufs+0x1eb/0x270 fs/gfs2/aops.c:57 gfs2_iomap_page_done+0xe0/0x180 fs/gfs2/bmap.c:978 iomap_write_end+0x762/0xda0 fs/iomap/buffered-io.c:739 iomap_write_iter fs/iomap/buffered-io.c:802 [inline] iomap_file_buffered_write+0x4ce/0x880 fs/iomap/buffered-io.c:847 gfs2_file_buffered_write+0x4fe/0x880 fs/gfs2/file.c:1057 gfs2_file_write_iter+0x42c/0xdf0 fs/gfs2/file.c:1158 call_write_iter include/linux/fs.h:2265 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x44c/0x960 fs/read_write.c:584 ksys_write+0x143/0x240 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 4451: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2d/0x50 mm/kasan/generic.c:516 ____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1729 [inline] slab_free_freelist_hook+0x131/0x1a0 mm/slub.c:1755 slab_free mm/slub.c:3687 [inline] kmem_cache_free+0xf7/0x290 mm/slub.c:3709 trans_drain fs/gfs2/log.c:1023 [inline] gfs2_log_flush+0x1902/0x24e0 fs/gfs2/log.c:1161 gfs2_inplace_reserve+0x192f/0x3420 fs/gfs2/rgrp.c:2188 do_grow fs/gfs2/bmap.c:2067 [inline] gfs2_setattr_size+0x44b/0x810 fs/gfs2/bmap.c:2138 gfs2_setattr+0x256/0x410 fs/gfs2/inode.c:2003 notify_change+0xc74/0xf40 fs/attr.c:499 do_truncate+0x197/0x220 fs/open.c:65 do_sys_ftruncate+0x312/0x3c0 fs/open.c:193 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 The buggy address belongs to the object at ffff88807acc32a0 which belongs to the cache gfs2_bufdata of size 80 The buggy address is located 24 bytes inside of 80-byte region [ffff88807acc32a0, ffff88807acc32f0) The buggy address belongs to the physical page: page:ffffea0001eb30c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7acc3 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 0000000000000000 dead000000000122 ffff88801b7f98c0 raw: 0000000000000000 0000000000240024 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 4402, tgid 4401 (syz.2.10), ts 69717755405, free_ts 69680306297 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532 prep_new_page mm/page_alloc.c:2539 [inline] get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328 __alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5614 alloc_slab_page+0x5d/0x160 mm/slub.c:1799 allocate_slab mm/slub.c:1944 [inline] new_slab+0x87/0x2c0 mm/slub.c:1997 ___slab_alloc+0xbc6/0x1230 mm/slub.c:3154 __slab_alloc mm/slub.c:3240 [inline] slab_alloc_node mm/slub.c:3325 [inline] slab_alloc mm/slub.c:3367 [inline] __kmem_cache_alloc_lru mm/slub.c:3374 [inline] kmem_cache_alloc+0x1b7/0x2f0 mm/slub.c:3383 kmem_cache_zalloc include/linux/slab.h:689 [inline] gfs2_alloc_bufdata fs/gfs2/trans.c:168 [inline] gfs2_trans_add_meta+0x34e/0xc60 fs/gfs2/trans.c:250 do_gfs2_set_flags fs/gfs2/file.c:264 [inline] gfs2_fileattr_set+0x7d9/0xa10 fs/gfs2/file.c:310 vfs_fileattr_set+0x842/0xaf0 fs/ioctl.c:696 ioctl_setflags fs/ioctl.c:728 [inline] do_vfs_ioctl+0x16c1/0x1d10 fs/ioctl.c:839 __do_sys_ioctl fs/ioctl.c:868 [inline] __se_sys_ioctl+0x83/0x170 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1459 [inline] free_pcp_prepare mm/page_alloc.c:1509 [inline] free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384 free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479 __vunmap+0x856/0xa00 mm/vmalloc.c:2726 free_work+0x56/0x80 mm/vmalloc.c:97 process_one_work+0x898/0x1160 kernel/workqueue.c:2292 worker_thread+0xaa2/0x1250 kernel/workqueue.c:2439 kthread+0x29d/0x330 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffff88807acc3180: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb ffff88807acc3200: fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb >ffff88807acc3280: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fc fc ^ ffff88807acc3300: fc fc fa fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88807acc3380: fa fb fb fb fb fb fb fb fb fb fc fc fc fc fa fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/11/24 19:38 | linux-6.1.y | f6e38ae624cf | bf6fe8fe | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/11/24 19:36 | linux-6.1.y | f6e38ae624cf | bf6fe8fe | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/11/24 19:33 | linux-6.1.y | f6e38ae624cf | bf6fe8fe | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/10/07 21:47 | linux-6.1.y | 882efbdd9d34 | 8ef35d49 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/10/07 21:47 | linux-6.1.y | 882efbdd9d34 | 8ef35d49 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/09/07 09:03 | linux-6.1.y | 28c695c365e1 | d291dd2d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/09/05 22:48 | linux-6.1.y | 28c695c365e1 | d291dd2d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/09/05 21:46 | linux-6.1.y | 28c695c365e1 | d291dd2d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/09/05 20:56 | linux-6.1.y | 28c695c365e1 | d291dd2d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/08/18 14:57 | linux-6.1.y | 0bc96de781b4 | 1804e95e | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/08/18 00:25 | linux-6.1.y | 0bc96de781b4 | 1804e95e | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/08/18 00:21 | linux-6.1.y | 0bc96de781b4 | 1804e95e | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/08/01 21:38 | linux-6.1.y | 3594f306da12 | 40127d41 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in gfs2_invalidate_folio | ||
| 2025/05/16 19:32 | linux-6.1.y | 02b72ccb5f9d | cfde8269 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in gfs2_invalidate_folio |