syzbot

KFENCE: use-after-free read in xfs_inode_item_push

Status: upstream: reported on 2025/10/05 22:43
Reported-by: syzbot+db229832d67fd565b8f9@syzkaller.appspotmail.com
First crash: 11d, last: 4d20h
Similar bugs (6):
Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KASAN: slab-use-after-free Read in xfs_inode_item_push [xfs] | 19 | C | error | - | 241 | 1d17h | 554d | 0/29 | upstream: reported C repro on 2024/04/10 12:45
linux-6.1 | KASAN: use-after-free Read in xfs_inode_item_push (2) | 19 | - | - | - | 1 | 406d | 406d | 0/3 | auto-obsoleted due to no activity on 2024/12/14 11:37
upstream | KASAN: use-after-free Read in xfs_inode_item_push [xfs] | 19 | - | - | - | 16 | 754d | 980d | 0/29 | auto-obsoleted due to no activity on 2024/01/02 00:00
linux-6.1 | KASAN: use-after-free Read in xfs_inode_item_push | 19 | - | - | - | 1 | 901d | 901d | 0/3 | auto-obsoleted due to no activity on 2023/08/23 09:03
linux-5.15 | KASAN: use-after-free Read in xfs_inode_item_push (2) [origin:lts-only] | 19 | C | inconclusive | - | 2 | 131d | 259d | 0/3 | upstream: reported C repro on 2025/01/31 01:44
linux-5.15 | KASAN: use-after-free Read in xfs_inode_item_push | 19 | - | - | - | 2 | 881d | 883d | 0/3 | auto-obsoleted due to no activity on 2023/08/28 08:02

Sample crash report:
==================================================================
BUG: KFENCE: use-after-free read in xfs_inode_item_push+0x28a/0x2e0 fs/xfs/xfs_inode_item.c:776

Use-after-free read at 0xffff88823bc1c030 (in kfence-#13):
 xfs_inode_item_push+0x28a/0x2e0 fs/xfs/xfs_inode_item.c:776
 xfsaild_push_item fs/xfs/xfs_trans_ail.c:414 [inline]
 xfsaild_push fs/xfs/xfs_trans_ail.c:486 [inline]
 xfsaild+0xc58/0x25b0 fs/xfs/xfs_trans_ail.c:671
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293

kfence-#13: 0xffff88823bc1c000-0xffff88823bc1c107, size=264, cache=xfs_ili

allocated by task 6181 on cpu 0 at 118.056553s:
 kmem_cache_zalloc include/linux/slab.h:711 [inline]
 xfs_inode_item_init+0x33/0xc0 fs/xfs/xfs_inode_item.c:871
 xfs_trans_ijoin+0xd8/0x120 fs/xfs/libxfs/xfs_trans_inode.c:36
 xfs_init_new_inode+0xb9e/0xec0 fs/xfs/xfs_inode.c:901
 xfs_qm_qino_alloc+0x473/0x950 fs/xfs/xfs_qm.c:790
 xfs_qm_init_quotainos+0x4d5/0x6c0 fs/xfs/xfs_qm.c:1584
 xfs_qm_init_quotainfo+0x125/0x10c0 fs/xfs/xfs_qm.c:643
 xfs_qm_mount_quotas+0xa0/0x600 fs/xfs/xfs_qm.c:1460
 xfs_mountfs+0x1641/0x1d20 fs/xfs/xfs_mount.c:962
 xfs_fs_fill_super+0x112f/0x13a0 fs/xfs/xfs_super.c:1738
 get_tree_bdev+0x3e4/0x510 fs/super.c:1591
 vfs_get_tree+0x8c/0x280 fs/super.c:1764
 do_new_mount+0x24b/0xa40 fs/namespace.c:3377
 do_mount fs/namespace.c:3717 [inline]
 __do_sys_mount fs/namespace.c:3926 [inline]
 __se_sys_mount+0x2da/0x3c0 fs/namespace.c:3903
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

freed by task 5789 on cpu 1 at 118.649159s:
 xfs_inode_free_callback+0x14f/0x1c0 fs/xfs/xfs_icache.c:145
 rcu_do_batch kernel/rcu/tree.c:2194 [inline]
 rcu_core+0xcc4/0x1720 kernel/rcu/tree.c:2467
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 do_softirq+0xed/0x180 kernel/softirq.c:479
 __local_bh_enable_ip+0x178/0x1c0 kernel/softirq.c:406
 do_ip_getsockopt+0xb56/0x1800 net/ipv4/ip_sockglue.c:1601
 ip_getsockopt+0xbc/0x210 net/ipv4/ip_sockglue.c:1773
 do_sock_getsockopt+0x368/0x440 net/socket.c:2384
 __sys_getsockopt net/socket.c:2413 [inline]
 __do_sys_getsockopt net/socket.c:2423 [inline]
 __se_sys_getsockopt net/socket.c:2420 [inline]
 __x64_sys_getsockopt+0x1d6/0x280 net/socket.c:2420
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

CPU: 1 PID: 6189 Comm: xfsaild/loop0 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:xfs_inode_item_push+0x28a/0x2e0 fs/xfs/xfs_inode_item.c:776
Code: e8 db c5 f3 ff eb 0a e8 c4 8f 59 fe bd 02 00 00 00 48 b8 00 00 00 00 00 fc ff df 41 80 3c 06 00 74 08 48 89 df e8 56 e7 b0 fe <48> 8b 3b 48 83 c7 40 e8 5a 13 4c 07 89 e8 e9 60 fe ff ff 89 e9 80
RSP: 0018:ffffc900033e7c60 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88823bc1c030 RCX: ffff88805aab9e00
RDX: 0000000000000000 RSI: ffffffff8d1b51d0 RDI: 00000000fffffffb
RBP: 0000000000000002 R08: ffff88805aab9e00 R09: 0000000000000002
R10: 00000000fffffff5 R11: 0000000000000000 R12: ffff888078ee9898
R13: 1ffff1100f1dd31b R14: 1ffff11047783806 R15: ffff8880637e16c0
FS:  0000000000000000(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bc1c030 CR3: 0000000063810000 CR4: 00000000003506e0
Call Trace:
 <TASK>
 xfsaild_push_item fs/xfs/xfs_trans_ail.c:414 [inline]
 xfsaild_push fs/xfs/xfs_trans_ail.c:486 [inline]
 xfsaild+0xc58/0x25b0 fs/xfs/xfs_trans_ail.c:671
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>
==================================================================
----------------
Code disassembly (best guess):
   0:	e8 db c5 f3 ff       	call   0xfff3c5e0
   5:	eb 0a                	jmp    0x11
   7:	e8 c4 8f 59 fe       	call   0xfe598fd0
   c:	bd 02 00 00 00       	mov    $0x2,%ebp
  11:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  18:	fc ff df
  1b:	41 80 3c 06 00       	cmpb   $0x0,(%r14,%rax,1)
  20:	74 08                	je     0x2a
  22:	48 89 df             	mov    %rbx,%rdi
  25:	e8 56 e7 b0 fe       	call   0xfeb0e780
* 2a:	48 8b 3b             	mov    (%rbx),%rdi <-- trapping instruction
  2d:	48 83 c7 40          	add    $0x40,%rdi
  31:	e8 5a 13 4c 07       	call   0x74c1390
  36:	89 e8                	mov    %ebp,%eax
  38:	e9 60 fe ff ff       	jmp    0xfffffe9d
  3d:	89 e9                	mov    %ebp,%ecx
  3f:	80                   	.byte 0x80

Crashes (2):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2025/10/05 22:42 | linux-6.6.y | f34f16e5c632 | 49379ee0 | .config | console log | report | - | - | info | disk image, vmlinux, kernel image | ci2-linux-6-6-kasan | KFENCE: use-after-free read in xfs_inode_item_push
2025/10/12 14:09 | linux-6.6.y | 655054d2c3c1 | ff1712fe | .config | console log | report | - | - | info | disk image, vmlinux, kernel image | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in xfs_inode_item_push