syzbot |
sign-in | mailing list | source | docs |
| ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error |
|---|---|---|---|---|---|---|---|---|---|
| 6bb0a4d8-8089-4a88-aa58-d098636af10c | repro | ❓ | KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache (2) | 2026/03/06 20:43 | 2026/03/06 20:43 | 2026/03/06 20:51 | 31e9c887f7dc24e04b3ca70d0d54fc34141844b0 |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [fs?] KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache (2) | 0 (1) | 2026/01/21 08:28 |
================================================================== BUG: KASAN: slab-use-after-free in proc_invalidate_siblings_dcache+0x6a0/0x6b0 fs/proc/inode.c:114 Read of size 8 at addr ffffaf801c58ab18 by task sshd/3177 CPU: 1 UID: 0 PID: 3177 Comm: sshd Not tainted syzkaller #0 PREEMPT Hardware name: riscv-virtio,qemu (DT) Call Trace: [<ffffffff8007afc2>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:149 [<ffffffff800032f8>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:155 [<ffffffff80060e34>] __dump_stack lib/dump_stack.c:94 [inline] [<ffffffff80060e34>] dump_stack_lvl+0x114/0x1ac lib/dump_stack.c:120 [<ffffffff8000dd02>] print_address_description mm/kasan/report.c:378 [inline] [<ffffffff8000dd02>] print_report+0x296/0x5bc mm/kasan/report.c:482 [<ffffffff80b4ff44>] kasan_report+0xf0/0x220 mm/kasan/report.c:595 [<ffffffff80b51e46>] __asan_report_load8_noabort+0x12/0x1c mm/kasan/report_generic.c:381 [<ffffffff80eaa394>] proc_invalidate_siblings_dcache+0x6a0/0x6b0 fs/proc/inode.c:114 [<ffffffff80ebf564>] proc_flush_pid+0x20/0x2c fs/proc/base.c:3478 [<ffffffff80156036>] release_task+0xbca/0x18e8 kernel/exit.c:291 [<ffffffff8015840e>] wait_task_zombie kernel/exit.c:1274 [inline] [<ffffffff8015840e>] wait_consider_task+0x16ba/0x36ec kernel/exit.c:1501 [<ffffffff8015dcbe>] do_wait_thread kernel/exit.c:1564 [inline] [<ffffffff8015dcbe>] __do_wait+0x1fa/0x7d8 kernel/exit.c:1682 [<ffffffff8015e4a4>] do_wait+0x208/0x6b0 kernel/exit.c:1716 [<ffffffff8015fd66>] kernel_wait4+0x18a/0x5c8 kernel/exit.c:1875 [<ffffffff801602f6>] __do_sys_wait4+0x152/0x160 kernel/exit.c:1903 [<ffffffff8016066e>] __se_sys_wait4 kernel/exit.c:1899 [inline] [<ffffffff8016066e>] __riscv_sys_wait4+0x8a/0xd8 kernel/exit.c:1899 [<ffffffff80078192>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112 [<ffffffff86391c0a>] do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344 [<ffffffff863bb61e>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232 Allocated by task 3177: stack_trace_save+0xa0/0xd4 kernel/stacktrace.c:122 kasan_save_stack+0x3e/0x68 mm/kasan/common.c:57 kasan_save_track+0x16/0x28 mm/kasan/common.c:78 kasan_save_alloc_info+0x30/0x40 mm/kasan/generic.c:570 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x7c/0x84 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4953 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x1f6/0x830 mm/slub.c:5270 alloc_pid+0xb8/0x1230 kernel/pid.c:183 copy_process+0x40e0/0x7330 kernel/fork.c:2237 kernel_clone+0x120/0xe0c kernel/fork.c:2651 __do_sys_clone+0xfe/0x140 kernel/fork.c:2792 __se_sys_clone kernel/fork.c:2760 [inline] __riscv_sys_clone+0xa0/0x110 kernel/fork.c:2760 syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112 do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344 handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232 Freed by task 1: stack_trace_save+0xa0/0xd4 kernel/stacktrace.c:122 kasan_save_stack+0x3e/0x68 mm/kasan/common.c:57 kasan_save_track+0x16/0x28 mm/kasan/common.c:78 kasan_save_free_info+0x40/0x5c mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5e/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free mm/slub.c:6674 [inline] kmem_cache_free+0x208/0x8d0 mm/slub.c:6785 put_pid.part.0+0xf8/0x138 kernel/pid.c:100 put_pid+0x24/0x38 kernel/pid.c:94 proc_free_inode+0x4a/0xbc fs/proc/inode.c:76 i_callback+0x42/0x90 fs/inode.c:325 rcu_do_batch kernel/rcu/tree.c:2605 [inline] rcu_core+0x950/0x1ce0 kernel/rcu/tree.c:2857 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2874 handle_softirqs+0x442/0x1198 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0x2de/0x534 kernel/softirq.c:723 irq_exit_rcu+0x10/0xf4 kernel/softirq.c:739 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:446 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:396 Last potentially related work creation: stack_trace_save+0xa0/0xd4 kernel/stacktrace.c:122 kasan_save_stack+0x3e/0x68 mm/kasan/common.c:57 kasan_record_aux_stack+0xfc/0x170 mm/kasan/generic.c:556 __call_rcu_common.constprop.0+0x9a/0x99c kernel/rcu/tree.c:3119 call_rcu+0xc/0x14 kernel/rcu/tree.c:3239 free_pid+0x254/0x330 kernel/pid.c:147 free_pids+0x4c/0x90 kernel/pid.c:159 release_task+0xbe2/0x18e8 kernel/exit.c:295 wait_task_zombie kernel/exit.c:1274 [inline] wait_consider_task+0x16ba/0x36ec kernel/exit.c:1501 do_wait_thread kernel/exit.c:1564 [inline] __do_wait+0x1fa/0x7d8 kernel/exit.c:1682 do_wait+0x208/0x6b0 kernel/exit.c:1716 kernel_wait4+0x18a/0x5c8 kernel/exit.c:1875 __do_sys_wait4+0x152/0x160 kernel/exit.c:1903 __se_sys_wait4 kernel/exit.c:1899 [inline] __riscv_sys_wait4+0x8a/0xd8 kernel/exit.c:1899 syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112 do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344 handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232 The buggy address belongs to the object at ffffaf801c58aa80 which belongs to the cache pid of size 272 The buggy address is located 152 bytes inside of freed 272-byte region [ffffaf801c58aa80, ffffaf801c58ab90) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c58a head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xffe000000000040(head|node=0|zone=0|lastcpupid=0x7ff) page_type: f5(slab) raw: 0ffe000000000040 ffffaf8011e93780 dead000000000100 dead000000000122 raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 head: 0ffe000000000040 ffffaf8011e93780 dead000000000100 dead000000000122 head: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 head: 0ffe000000000001 ffff8d8000716281 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 12, tgid 12 (kworker/u8:0), ts 89386775300, free_ts 0 __set_page_owner+0x92/0x4b0 mm/page_owner.c:341 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xe6/0x1d8 mm/page_alloc.c:1884 prep_new_page mm/page_alloc.c:1892 [inline] get_page_from_freelist+0xfbc/0x3ab8 mm/page_alloc.c:3945 __alloc_frozen_pages_noprof+0x216/0x20c8 mm/page_alloc.c:5240 alloc_pages_mpol+0x1f0/0x598 mm/mempolicy.c:2486 alloc_frozen_pages_noprof+0x154/0x2c8 mm/mempolicy.c:2557 alloc_slab_page mm/slub.c:3075 [inline] allocate_slab mm/slub.c:3248 [inline] new_slab+0x35a/0x418 mm/slub.c:3302 ___slab_alloc+0xc80/0x17f0 mm/slub.c:4656 __slab_alloc.isra.0+0x6c/0x110 mm/slub.c:4779 __slab_alloc_node mm/slub.c:4855 [inline] slab_alloc_node mm/slub.c:5251 [inline] kmem_cache_alloc_noprof+0x438/0x830 mm/slub.c:5270 alloc_pid+0xb8/0x1230 kernel/pid.c:183 copy_process+0x40e0/0x7330 kernel/fork.c:2237 kernel_clone+0x120/0xe0c kernel/fork.c:2651 user_mode_thread+0xd2/0x110 kernel/fork.c:2727 call_usermodehelper_exec_work kernel/umh.c:171 [inline] call_usermodehelper_exec_work+0xca/0x198 kernel/umh.c:157 process_one_work+0x930/0x1e14 kernel/workqueue.c:3257 page_owner free stack trace missing Memory state around the buggy address: ffffaf801c58aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffaf801c58aa80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffffaf801c58ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffffaf801c58ab80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffaf801c58ac00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/02/16 05:44 | git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next | 18be4ca5cb4e | 1e62d198 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-riscv64 | KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache | |||
| 2026/01/17 03:35 | git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next | 8f0b4cce4481 | 56f88057 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-riscv64 | KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache |