syzbot

 sign-in | mailing list | source | docs
🐞 Open [825]
🐞 Fixed [84]
🐞 Invalid [1075]
Missing Backports [127]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in sysv_new_block

Status: upstream: reported C repro on 2024/10/20 05:31
Bug presence: origin:upstream
Labels: missing-backport
[Documentation on labels]
Reported-by: syzbot+bc2a78caad1e0b7874c4@syzkaller.appspotmail.com
First crash: 376d, last: 20d
Bug presence (3)
Date Name Commit Repro Result
2025/05/14 linux-5.15.y (ToT) 3b8db0e4f263 C [report] KASAN: use-after-free Read in sysv_new_inode
2024/10/20 upstream (ToT) 715ca9dd687f C [report] KASAN: slab-out-of-bounds Read in sysv_new_inode
2025/05/14 upstream (ToT) 9f35e33144ae C Didn't crash
Similar bugs (4)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in sysv_new_block sysv 19 C error 4 1036d 1066d 0/1 upstream: reported C repro on 2022/11/30 03:11
upstream KASAN: use-after-free Read in sysv_new_block fs 19 C error done 1105 219d 1064d 0/29 auto-obsoleted due to no activity on 2025/06/23 14:42
linux-6.1 KASAN: use-after-free Read in sysv_new_block origin:upstream missing-backport 19 C inconclusive 94 52d 367d 0/3 upstream: reported C repro on 2024/10/28 12:55
linux-4.14 KASAN: use-after-free Read in sysv_new_block 19 C 1 974d 1058d 0/1 upstream: reported C repro on 2022/12/08 01:50
Last patch testing requests (7)
Created Duration User Patch Repo Result
2025/10/05 22:34 12m retest repro linux-5.15.y report log
2025/09/19 19:00 15m retest repro linux-5.15.y report log
2025/07/27 09:53 9m retest repro linux-5.15.y report log
2025/06/28 07:11 12m retest repro linux-5.15.y report log
2025/04/10 23:14 12m retest repro linux-5.15.y report log
2025/04/10 23:14 10m retest repro linux-5.15.y report log
2025/04/10 23:14 10m retest repro linux-5.15.y report log
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2025/10/10 13:10 1h23m bisect fix linux-5.15.y OK (0) job log log
2025/07/28 20:37 1h33m bisect fix linux-5.15.y OK (0) job log log
2025/06/13 07:52 2h59m bisect fix linux-5.15.y OK (0) job log log

Sample crash report:
loop0: rw=0, want=6491538, limit=128
Buffer I/O error on dev loop0, logical block 3245768, async page read
unable to read i-node block
==================================================================
BUG: KASAN: use-after-free in sysv_new_block+0x788/0x960 fs/sysv/balloc.c:113
Read of size 4 at addr ffff888067d410c8 by task syz-executor212/4171

CPU: 0 PID: 4171 Comm: syz-executor212 Not tainted 5.15.177-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 print_address_description+0x63/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
 sysv_new_block+0x788/0x960 fs/sysv/balloc.c:113
 alloc_branch fs/sysv/itree.c:134 [inline]
 get_block+0x2e7/0x1790 fs/sysv/itree.c:253
 __block_write_begin_int+0x60b/0x1650 fs/buffer.c:2012
 __block_write_begin fs/buffer.c:2062 [inline]
 block_write_begin+0x4f/0xc0 fs/buffer.c:2122
 sysv_write_begin+0x36/0x70 fs/sysv/itree.c:487
 __page_symlink+0x15b/0x2a0 fs/namei.c:5177
 sysv_symlink+0xcb/0x180 fs/sysv/namei.c:86
 vfs_symlink+0x247/0x3d0 fs/namei.c:4429
 do_symlinkat+0x1fd/0x600 fs/namei.c:4458
 __do_sys_symlink fs/namei.c:4480 [inline]
 __se_sys_symlink fs/namei.c:4478 [inline]
 __x64_sys_symlink+0x7a/0x90 fs/namei.c:4478
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f6604317189
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc40bcd578 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007f660435b640 RCX: 00007f6604317189
RDX: 0000000000000000 RSI: 000000002000acc0 RDI: 000000002000ad80
RBP: 00007f660435b204 R08: 0000000000009e80 R09: 0000000000000000
R10: 00007ffc40bcd440 R11: 0000000000000246 R12: 00007f660435b185
R13: 00007f660435b07d R14: 0000000000000003 R15: 00007f66043976a0
 </TASK>

The buggy address belongs to the page:
page:ffffea00019f5040 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x67d41
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00019f5088 ffffea00019f5008 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x8(__GFP_MOVABLE), pid 1, ts 13654342636, free_ts 14564151430
 split_map_pages+0x246/0x510 mm/compaction.c:99
 isolate_freepages_range+0x47c/0x4e0 mm/compaction.c:749
 alloc_contig_range+0xc2b/0xf90 mm/page_alloc.c:9258
 __alloc_contig_pages mm/page_alloc.c:9282 [inline]
 alloc_contig_pages+0x3ea/0x4e0 mm/page_alloc.c:9362
 debug_vm_pgtable_alloc_huge_page+0xb9/0x110 mm/debug_vm_pgtable.c:1085
 init_args+0xc62/0xf50 mm/debug_vm_pgtable.c:1207
 debug_vm_pgtable+0xaa/0x470 mm/debug_vm_pgtable.c:1245
 do_one_initcall+0x22b/0x7a0 init/main.c:1302
 do_initcall_level+0x157/0x210 init/main.c:1375
 do_initcalls+0x49/0x90 init/main.c:1391
 kernel_init_freeable+0x425/0x5c0 init/main.c:1615
 kernel_init+0x19/0x290 init/main.c:1506
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
 free_contig_range+0x95/0xf0 mm/page_alloc.c:9384
 destroy_args+0xfe/0x980 mm/debug_vm_pgtable.c:1018
 debug_vm_pgtable+0x40d/0x470 mm/debug_vm_pgtable.c:1331
 do_one_initcall+0x22b/0x7a0 init/main.c:1302
 do_initcall_level+0x157/0x210 init/main.c:1375
 do_initcalls+0x49/0x90 init/main.c:1391
 kernel_init_freeable+0x425/0x5c0 init/main.c:1615
 kernel_init+0x19/0x290 init/main.c:1506
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Memory state around the buggy address:
 ffff888067d40f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888067d41000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888067d41080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff888067d41100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888067d41180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (118):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/01/31 09:53 linux-5.15.y 003148680b79 4c6ac32f .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2024/10/20 05:57 linux-5.15.y 584a40a22cb9 cd6fc0a3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2024/10/20 06:07 linux-5.15.y 584a40a22cb9 cd6fc0a3 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/09/01 22:29 linux-5.15.y 01879f56bdde 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/06/13 16:39 linux-5.15.y 1c700860e8bc 98683f8f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/05/13 11:51 linux-5.15.y 3b8db0e4f263 f6671af7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/04/28 08:14 linux-5.15.y f7347f400572 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/23 23:16 linux-5.15.y 0c935c049b5c 875573af .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/23 03:43 linux-5.15.y 0c935c049b5c 4e8d3850 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/22 18:19 linux-5.15.y 0c935c049b5c c6512ef7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/21 20:53 linux-5.15.y 0c935c049b5c c6512ef7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/21 12:28 linux-5.15.y 0c935c049b5c 62330552 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/20 16:51 linux-5.15.y 0c935c049b5c 9209bc22 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/18 05:48 linux-5.15.y 0c935c049b5c ce3352cd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/16 11:08 linux-5.15.y 0c935c049b5c e2826670 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/15 23:24 linux-5.15.y 0c935c049b5c e2826670 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/10 21:42 linux-5.15.y c16c81c81336 16256247 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/09 08:52 linux-5.15.y c16c81c81336 163f510d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/09 01:06 linux-5.15.y c16c81c81336 163f510d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/07 06:06 linux-5.15.y c16c81c81336 831e3629 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/02 23:59 linux-5.15.y c16c81c81336 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/02 11:07 linux-5.15.y c16c81c81336 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/01 10:21 linux-5.15.y c16c81c81336 67cf5345 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/03/01 08:31 linux-5.15.y c16c81c81336 67cf5345 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/27 16:39 linux-5.15.y c16c81c81336 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/25 06:52 linux-5.15.y c16c81c81336 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/24 01:41 linux-5.15.y c16c81c81336 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/24 01:39 linux-5.15.y c16c81c81336 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/24 00:39 linux-5.15.y c16c81c81336 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/22 00:59 linux-5.15.y c16c81c81336 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/16 18:38 linux-5.15.y c16c81c81336 40a34ec9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/15 03:13 linux-5.15.y c16c81c81336 1022af74 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/10 18:56 linux-5.15.y c16c81c81336 43f51a00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/10 01:04 linux-5.15.y c16c81c81336 ef44b750 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/09 15:10 linux-5.15.y c16c81c81336 ef44b750 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/09 15:07 linux-5.15.y c16c81c81336 ef44b750 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/02/04 13:19 linux-5.15.y c16c81c81336 8f267cef .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/01/31 09:10 linux-5.15.y 003148680b79 4c6ac32f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2024/10/20 05:31 linux-5.15.y 584a40a22cb9 cd6fc0a3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in sysv_new_block
2025/08/03 23:35 linux-5.15.y c79648372d02 7368264b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in sysv_new_block
2025/04/20 04:31 linux-5.15.y f7347f400572 2a20f901 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in sysv_new_block
2025/03/27 13:27 linux-5.15.y 0c935c049b5c 20510e88 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in sysv_new_block
2025/03/19 08:06 linux-5.15.y 0c935c049b5c 8d0a2921 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in sysv_new_block
2025/03/19 03:42 linux-5.15.y 0c935c049b5c 8d0a2921 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in sysv_new_block
2025/03/18 15:23 linux-5.15.y 0c935c049b5c 22a6c2b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in sysv_new_block
2025/03/17 05:30 linux-5.15.y 0c935c049b5c e2826670 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in sysv_new_block
2025/03/16 19:57 linux-5.15.y 0c935c049b5c e2826670 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in sysv_new_block
2025/03/07 03:48 linux-5.15.y c16c81c81336 831e3629 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in sysv_new_block
2025/02/13 02:08 linux-5.15.y c16c81c81336 b27c2402 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in sysv_new_block
2024/11/25 20:30 linux-5.15.y 0a51d2d4527b 11dbc254 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in sysv_new_block
* Struck through repros no longer work on HEAD.