KASAN: slab-use-after-free Read in proc_invalidate_siblings

ID	Workflow	Result	Correct	Bug	Created	Started	Finished	Revision	Error
a1886148-0b63-45a5-9ad6-63fd95b070bf	assessment-security	DenialOfService: ✅ Exploitable: ✅ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ❌ RemoteTrigger: ❌ Unprivileged: ✅ UserNamespace: ✅ VMGuestTrigger: ✅ VMHostTrigger: ❌	❓	KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache (2)	2026/05/31 05:52	2026/05/31 05:52	2026/05/31 06:43	6b4a844333e83556da95d61d7f207e7ef5cd4bc6
4792bef1-6cb5-40ff-a508-95dc1e371697	assessment-security		💥	KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache (2)	2026/05/14 14:18	2026/05/14 14:18	2026/05/14 14:19	6ccb967e465e832a7bfd7a116ad00d52a0923a5d	failed to run ["git" "pull" "origin" "HEAD" "--depth=1" "--allow-unrelated-histories"]: exit status 128 From /app/workdir/repo/linux * branch HEAD -> FETCH_HEAD Updating files: ... truncated to first 200 bytes; open job for full error
6bb0a4d8-8089-4a88-aa58-d098636af10c	repro		❓	KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache (2)	2026/03/06 20:43	2026/03/06 20:43	2026/03/06 20:51	31e9c887f7dc24e04b3ca70d0d54fc34141844b0

Title	Replies (including bot)	Last reply
[syzbot] [fs?] KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache (2)	0 (1)	2026/01/21 08:28

Title

Replies (including bot)

Last reply

[syzbot] [fs?] KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache (2)

0 (1)

2026/01/21 08:28

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache fs	19				1	281d	276d	0/29	auto-obsoleted due to no activity on 2025/12/23 02:53
upstream	general protection fault in proc_invalidate_siblings_dcache fs	2				1	1777d	1773d	0/29	auto-closed as invalid on 2021/11/08 05:37

Rank 🛈

upstream

KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache fs

281d

276d

0/29

auto-obsoleted due to no activity on 2025/12/23 02:53

upstream

general protection fault in proc_invalidate_siblings_dcache fs

1777d

1773d

0/29

auto-closed as invalid on 2021/11/08 05:37

batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: ipvlan2 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: batadv0: Interface activated: ipvlan3 ================================================================== BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166 Read of size 1 at addr ffff8880621d8e90 by task syz.1.718/8477 CPU: 0 UID: 0 PID: 8477 Comm: syz.1.718 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)} Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574 kasan_check_byte include/linux/kasan.h:402 [inline] lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5842 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline] _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166 rt_mutex_slowunlock+0xbf/0x8b0 kernel/locking/rtmutex.c:1426 proc_invalidate_siblings_dcache+0x3db/0x6c0 fs/proc/inode.c:143 release_task+0x1207/0x16f0 kernel/exit.c:291 exit_notify kernel/exit.c:777 [inline] do_exit+0x1674/0x22c0 kernel/exit.c:988 do_group_exit+0x21b/0x2d0 kernel/exit.c:1119 get_signal+0x1284/0x1330 kernel/signal.c:3038 arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline] exit_to_user_mode_loop+0xa9/0x680 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline] do_syscall_64+0x353/0x580 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7facd8e0ce59 Code: Unable to access opcode bytes at 0x7facd8e0ce2f. RSP: 002b:00007facd70240e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007facd9086188 RCX: 00007facd8e0ce59 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007facd9086188 RBP: 00007facd9086180 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007facd9086218 R14: 00007ffd573e0480 R15: 00007ffd573e0568 </TASK> Allocated by task 8477: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] kmem_cache_alloc_lru_noprof+0x33c/0x680 mm/slub.c:4918 __d_alloc+0x37/0x6f0 fs/dcache.c:1807 d_alloc_parallel+0xe6/0x1610 fs/dcache.c:2671 __lookup_slow+0x152/0x440 fs/namei.c:1900 lookup_slow+0x53/0x70 fs/namei.c:1932 walk_component fs/namei.c:2278 [inline] link_path_walk+0x1273/0x18d0 fs/namei.c:2649 path_openat+0x2d5/0x38a0 fs/namei.c:4854 do_file_open+0x23e/0x4a0 fs/namei.c:4887 do_sys_openat2+0x113/0x200 fs/open.c:1364 do_sys_open fs/open.c:1370 [inline] __do_sys_openat fs/open.c:1386 [inline] __se_sys_openat fs/open.c:1381 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1381 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 28: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2689 [inline] slab_free mm/slub.c:6251 [inline] kmem_cache_free+0x187/0x6c0 mm/slub.c:6378 rcu_do_batch kernel/rcu/tree.c:2617 [inline] rcu_core kernel/rcu/tree.c:2869 [inline] rcu_cpu_kthread+0x99e/0x1470 kernel/rcu/tree.c:2957 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Last potentially related work creation: kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556 __call_rcu_common kernel/rcu/tree.c:3131 [inline] call_rcu+0xee/0x890 kernel/rcu/tree.c:3251 __dentry_kill+0x4a9/0x690 fs/dcache.c:737 shrink_kill+0xa9/0x2c0 fs/dcache.c:1195 shrink_dentry_list+0x2e3/0x5e0 fs/dcache.c:1222 shrink_dcache_tree+0xe9/0x5d0 fs/dcache.c:-1 shrink_dcache_parent fs/dcache.c:1693 [inline] d_invalidate+0xde/0x210 fs/dcache.c:1775 proc_invalidate_siblings_dcache+0x3d3/0x6c0 fs/proc/inode.c:142 release_task+0x1207/0x16f0 kernel/exit.c:291 wait_task_zombie kernel/exit.c:1281 [inline] wait_consider_task+0x1966/0x2e30 kernel/exit.c:1508 do_wait_thread kernel/exit.c:1571 [inline] __do_wait+0x155/0x740 kernel/exit.c:1689 do_wait+0x1e7/0x510 kernel/exit.c:1723 kernel_wait4+0x232/0x2b0 kernel/exit.c:1882 __do_sys_wait4 kernel/exit.c:1910 [inline] __se_sys_wait4 kernel/exit.c:1906 [inline] __x64_sys_wait4+0x166/0x240 kernel/exit.c:1906 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff8880621d8dc0 which belongs to the cache dentry of size 376 The buggy address is located 208 bytes inside of freed 376-byte region [ffff8880621d8dc0, ffff8880621d8f38) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880621d8898 pfn:0x621d8 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff8880621d9ef1 flags: 0x80000000000240(workingset|head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000240 ffff88801b6e13c0 ffffea00017f6990 ffffea0000f5d110 raw: ffff8880621d8898 0000000800120010 00000000f5000000 ffff8880621d9ef1 head: 0080000000000240 ffff88801b6e13c0 ffffea00017f6990 ffffea0000f5d110 head: ffff8880621d8898 0000000800120010 00000000f5000000 ffff8880621d9ef1 head: 0080000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5610, tgid 5610 (syz-executor), ts 140470420342, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x28b2/0x2930 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 alloc_slab_page mm/slub.c:3278 [inline] allocate_slab+0x77/0x660 mm/slub.c:3467 new_slab mm/slub.c:3525 [inline] refill_objects+0x33c/0x3d0 mm/slub.c:7272 refill_sheaf mm/slub.c:2816 [inline] __pcs_replace_empty_main+0x373/0x720 mm/slub.c:4652 alloc_from_pcs mm/slub.c:4750 [inline] slab_alloc_node mm/slub.c:4884 [inline] kmem_cache_alloc_lru_noprof+0x433/0x680 mm/slub.c:4918 __d_alloc+0x37/0x6f0 fs/dcache.c:1807 d_alloc+0x4b/0x190 fs/dcache.c:1886 lookup_one_qstr_excl+0xd8/0x360 fs/namei.c:1801 __start_dirop fs/namei.c:2916 [inline] start_dirop fs/namei.c:2938 [inline] filename_create+0x20e/0x370 fs/namei.c:4950 filename_mkdirat+0xd2/0x520 fs/namei.c:5297 __do_sys_mkdirat fs/namei.c:5325 [inline] __se_sys_mkdirat+0x35/0x150 fs/namei.c:5322 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page_owner free stack trace missing Memory state around the buggy address: ffff8880621d8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff8880621d8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880621d8e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880621d8f00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa ffff8880621d8f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Crashes (4):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info	Assets (help?)	Manager	Title
2026/06/10 19:17	upstream	acb7500801e9	f79bac11	.config	console log	report	info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-smack-root	KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache
2026/05/17 06:28	upstream	6916d5703ddf	de5aae85	.config	console log	report	info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-smack-root	KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache
2026/02/16 05:44	git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next	18be4ca5cb4e	1e62d198	.config	console log	report		[disk image (non-bootable)] [vmlinux] [kernel image]	ci-qemu2-riscv64	KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache
2026/01/17 03:35	git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next	8f0b4cce4481	56f88057	.config	console log	report		[disk image (non-bootable)] [vmlinux] [kernel image]	ci-qemu2-riscv64	KASAN: slab-use-after-free Read in proc_invalidate_siblings_dcache

Crashes (4):

Assets (help?)