ci2 starts bisection 2025-09-16 19:13:57.181601984 +0000 UTC m=+431949.056417121
bisecting fixing commit since 59e9a72288571b476bbe39902c89aed0423905bf
building syzkaller on 26d77996cd6057592f0d7212c9017e8b62be66e8
ensuring issue is reproducible on original commit 59e9a72288571b476bbe39902c89aed0423905bf
testing commit 59e9a72288571b476bbe39902c89aed0423905bf gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9544c6a2d516731e894355c7857b8490d428a1622838bd5b70a5489031482d65
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_dirtied
representative crash: KASAN: use-after-free Read in f2fs_inode_dirtied, types: [KASAN-USE-AFTER-FREE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 59e9a72288571b476bbe39902c89aed0423905bf gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f6cc4a8bfd71aba90e9c6dd1f2f1b25487c71e40bfa592a22aeff288a1150085
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
the bug reproduces without the instrumentation
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
kconfig minimization: base=4788 full=6022 leaves diff=244
split chunks (needed=false): <244>
split chunk #0 of len 244 into 5 parts
testing without sub-chunk 1/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 59e9a72288571b476bbe39902c89aed0423905bf gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 27abf6734c3d91d78c66a80dc425455fc4b15eb39e6dde7e845c3085d0ddc622
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed
testing commit 59e9a72288571b476bbe39902c89aed0423905bf gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2ac6b32d7ecdac7cac5fbd22327f68c0ab0cd592aae1d9ef88d2eec41933f2de
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 59e9a72288571b476bbe39902c89aed0423905bf gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 956e1dc31afc2b4a602a78e320e89cca067c5adcfa8a3ea95f71bfa8cd84a6b8
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 59e9a72288571b476bbe39902c89aed0423905bf gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 83a7802d63bc2a59e9487b8779e14de84991b2dd42fc8feb591f716f343a1382
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 59e9a72288571b476bbe39902c89aed0423905bf gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building
59e9a72288571b476bbe39902c89aed0423905bf: net/socket.c:1128: undefined reference to `wext_handle_ioctl'
net/socket.c:3397: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS ZEROPLUS_FF]
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing current HEAD 911f602c2237b4e5cad1e1f53bfcf6190a37a764
testing commit 911f602c2237b4e5cad1e1f53bfcf6190a37a764 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4a005038bef87a87cfc96bbfaee3bcee6214096fc5217b3c049836dcede7776e
run #0: ignore: lost connection to test machine
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect start 911f602c2237b4e5cad1e1f53bfcf6190a37a764 59e9a72288571b476bbe39902c89aed0423905bf
Bisecting: 619 revisions left to test after this (roughly 9 steps)
[2083e7d4fb47e3dc6047ac00b1f03fb125e2b3e2] net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class
determine whether the revision contains the guilty commit
checking the merge base 01e7e36b8606e5d4fddf795938010f7bfa3aa277
no existing result, test the revision
testing commit 01e7e36b8606e5d4fddf795938010f7bfa3aa277 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3bce9edcae64996738b56aa636835b0f300a70d333c0a1c07882de66a7e29ee2
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
testing commit 2083e7d4fb47e3dc6047ac00b1f03fb125e2b3e2 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 14b32a6af368eaf63bd1aa813a6a80916e801fbb0827232ba1292238bd81c5ba
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 2083e7d4fb47e3dc6047ac00b1f03fb125e2b3e2
Bisecting: 309 revisions left to test after this (roughly 8 steps)
[01fa91dd315fc3d90581367d18fb52616b65f197] hwmon: (gsc-hwmon) fix fan pwm setpoint show functions
determine whether the revision contains the guilty commit
revision 01e7e36b8606e5d4fddf795938010f7bfa3aa277 crashed and is reachable
testing commit 01fa91dd315fc3d90581367d18fb52616b65f197 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 53ecaa8cfacb13b848fef388afb9518bf3f1c3863d084a81b1dda81b4a382daf
all runs: OK
false negative chance: 0.000
# git bisect bad 01fa91dd315fc3d90581367d18fb52616b65f197
Bisecting: 154 revisions left to test after this (roughly 7 steps)
[810cd546a29bfac90ed1328ea01d693d4bd11cb1] drbd: add missing kref_get in handle_write_conflicts
determine whether the revision contains the guilty commit
revision 01e7e36b8606e5d4fddf795938010f7bfa3aa277 crashed and is reachable
testing commit 810cd546a29bfac90ed1328ea01d693d4bd11cb1 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c248e37ec713454a6f78fdf567fad1bcc09ae3845a7e9c0359389c925b173787
all runs: OK
false negative chance: 0.000
# git bisect bad 810cd546a29bfac90ed1328ea01d693d4bd11cb1
Bisecting: 77 revisions left to test after this (roughly 6 steps)
[25bfa98cc1a71385ece9716e01a127865b111e72] dmaengine: mv_xor: Fix missing check after DMA map and missing unmap
determine whether the revision contains the guilty commit
revision 2083e7d4fb47e3dc6047ac00b1f03fb125e2b3e2 crashed and is reachable
testing commit 25bfa98cc1a71385ece9716e01a127865b111e72 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0a71565fa52af180535b4cefaddd5ea5686d6adf8188c17c135c420c981f5862
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 25bfa98cc1a71385ece9716e01a127865b111e72
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[3f638e0b28bde7c3354a0df938ab3a96739455d1] ipv6: reject malicious packets in ipv6_gso_segment()
determine whether the revision contains the guilty commit
revision 25bfa98cc1a71385ece9716e01a127865b111e72 crashed and is reachable
testing commit 3f638e0b28bde7c3354a0df938ab3a96739455d1 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a185d995481f550aa5da87c05fad6ef5a0ef8e92bbfbbe699d30352a7e85df2d
all runs: OK
false negative chance: 0.000
# git bisect bad 3f638e0b28bde7c3354a0df938ab3a96739455d1
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[9535e440fe5bc6c5ac7cfb407e53bf788b8bf8d4] f2fs: fix to avoid panic in f2fs_evict_inode
determine whether the revision contains the guilty commit
revision
25bfa98cc1a71385ece9716e01a127865b111e72 crashed and is reachable
testing commit 9535e440fe5bc6c5ac7cfb407e53bf788b8bf8d4 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0e7bf52c9a398671125d43444bf11353138fd052377824d9fff7dd2a1cf5f5a6
all runs: OK
false negative chance: 0.000
# git bisect bad 9535e440fe5bc6c5ac7cfb407e53bf788b8bf8d4
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[77d2993d8b3d8562e1505b5066dedc8cb00fa1ae] bpf: Check flow_dissector ctx accesses are aligned
determine whether the revision contains the guilty commit
revision 01e7e36b8606e5d4fddf795938010f7bfa3aa277 crashed and is reachable
testing commit 77d2993d8b3d8562e1505b5066dedc8cb00fa1ae gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a6744cb7c744a17011338c760eafced6e311a8c7cbfd017923eed23594ff8700
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 77d2993d8b3d8562e1505b5066dedc8cb00fa1ae
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[d705fc98d374037e27912d292aaf9b3222e674ac] rtc: pcf85063: fix incorrect maximum clock rate handling
determine whether the revision contains the guilty commit
revision 25bfa98cc1a71385ece9716e01a127865b111e72 crashed and is reachable
testing commit d705fc98d374037e27912d292aaf9b3222e674ac gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fa95c39a2420ac45d8157a1b3ee83e9a85819f57da369eaaca76056d64d3e9f6
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good d705fc98d374037e27912d292aaf9b3222e674ac
Bisecting: 2 revisions left to test after this (roughly 1 step)
[807997ed63d3635fdda6391ba8dae2dfe935bf7c] rtc: rv3028: fix incorrect maximum clock rate handling
determine whether the revision contains the guilty commit
revision 01e7e36b8606e5d4fddf795938010f7bfa3aa277 crashed and is reachable
testing commit 807997ed63d3635fdda6391ba8dae2dfe935bf7c gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 51b497fb9d9c281acf79cfef0d811f65294828229e8078d0f74f52ef7a6bb72c
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 807997ed63d3635fdda6391ba8dae2dfe935bf7c
Bisecting: 0 revisions left to test after this (roughly 1 step)
[4dcd830c420f2190ae32f03626039fde7b57b2ad] f2fs: fix to avoid UAF in f2fs_sync_inode_meta()
determine whether the revision contains the guilty commit
revision 807997ed63d3635fdda6391ba8dae2dfe935bf7c crashed and is reachable
testing commit 4dcd830c420f2190ae32f03626039fde7b57b2ad gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 015601578fc50f6a3b8886a642ec5e41ae25731c129601b9c1de3e17689ce112
all runs: OK
false negative chance: 0.000
# git bisect bad 4dcd830c420f2190ae32f03626039fde7b57b2ad
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6707f566f03814934cec3192742bcb5050a3b581] f2fs: doc: fix wrong quota mount option description
determine whether the revision contains the guilty commit
revision 25bfa98cc1a71385ece9716e01a127865b111e72 crashed and is reachable
testing commit 6707f566f03814934cec3192742bcb5050a3b581 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5c6f8967fefcd36bc0e14ca1b2bd7f73e129240054299d2e76d9c8d98b9a3256
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 6707f566f03814934cec3192742bcb5050a3b581
4dcd830c420f2190ae32f03626039fde7b57b2ad is the first bad commit
commit 4dcd830c420f2190ae32f03626039fde7b57b2ad
Author: Chao Yu
Date:   Tue Jul 8 17:53:39 2025 +0800

    f2fs: fix to avoid UAF in f2fs_sync_inode_meta()

    [ Upstream commit 7c30d79930132466f5be7d0b57add14d1a016bda ]

    syzbot reported a UAF issue as below: [1] [2]

    [1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000

    ==================================================================
    BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
    Read of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8

    CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
    Workqueue: writeback wb_workfn (flush-7:0)
    Call Trace:
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
     print_address_description mm/kasan/report.c:316 [inline]
     print_report+0x158/0x4e0 mm/kasan/report.c:427
     kasan_report+0x13c/0x170 mm/kasan/report.c:531
     __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
     __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
     __list_del_entry include/linux/list.h:134 [inline]
     list_del_init include/linux/list.h:206 [inline]
     f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553
     f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588
     f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706
     f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734
     write_inode fs/fs-writeback.c:1460 [inline]
     __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677
     writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903
     __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974
     wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081
     wb_check_background_flush fs/fs-writeback.c:2151 [inline]
     wb_do_writeback fs/fs-writeback.c:2239 [inline]
     wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266
     process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299
     worker_thread+0xa60/0x1260 kernel/workqueue.c:2446
     kthread+0x26d/0x300 kernel/kthread.c:386
     ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

    Allocated by task 298:
     kasan_save_stack mm/kasan/common.c:45 [inline]
     kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
     kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
     __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333
     kasan_slab_alloc include/linux/kasan.h:202 [inline]
     slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768
     slab_alloc_node mm/slub.c:3421 [inline]
     slab_alloc mm/slub.c:3431 [inline]
     __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
     kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454
     alloc_inode_sb include/linux/fs.h:3255 [inline]
     f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437
     alloc_inode fs/inode.c:261 [inline]
     iget_locked+0x18c/0x7e0 fs/inode.c:1373
     f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486
     f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484
     __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689
     lookup_slow+0x5a/0x80 fs/namei.c:1706
     walk_component+0x2e7/0x410 fs/namei.c:1997
     lookup_last fs/namei.c:2454 [inline]
     path_lookupat+0x16d/0x450 fs/namei.c:2478
     filename_lookup+0x251/0x600 fs/namei.c:2507
     vfs_statx+0x107/0x4b0 fs/stat.c:229
     vfs_fstatat fs/stat.c:267 [inline]
     vfs_lstat include/linux/fs.h:3434 [inline]
     __do_sys_newlstat fs/stat.c:423 [inline]
     __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417
     __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417
     x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
     entry_SYSCALL_64_after_hwframe+0x68/0xd2

    Freed by task 0:
     kasan_save_stack mm/kasan/common.c:45 [inline]
     kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
     kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
     ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241
     __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
     kasan_slab_free include/linux/kasan.h:178 [inline]
     slab_free_hook mm/slub.c:1745 [inline]
     slab_free_freelist_hook mm/slub.c:1771 [inline]
     slab_free mm/slub.c:3686 [inline]
     kmem_cache_free+0x291/0x560 mm/slub.c:3711
     f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1584
     i_callback+0x4b/0x70 fs/inode.c:250
     rcu_do_batch+0x552/0xbe0 kernel/rcu/tree.c:2297
     rcu_core+0x502/0xf40 kernel/rcu/tree.c:2557
     rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574
     handle_softirqs+0x1db/0x650 kernel/softirq.c:624
     __do_softirq kernel/softirq.c:662 [inline]
     invoke_softirq kernel/softirq.c:479 [inline]
     __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:711
     irq_exit_rcu+0x9/0x10 kernel/softirq.c:723
     instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
     sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
     asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691

    Last potentially related work creation:
     kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
     __kasan_record_aux_stack+0xb4/0xc0 mm/kasan/generic.c:486
     kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
     __call_rcu_common kernel/rcu/tree.c:2807 [inline]
     call_rcu+0xdc/0x10f0 kernel/rcu/tree.c:2926
     destroy_inode fs/inode.c:316 [inline]
     evict+0x87d/0x930 fs/inode.c:720
     iput_final fs/inode.c:1834 [inline]
     iput+0x616/0x690 fs/inode.c:1860
     do_unlinkat+0x4e1/0x920 fs/namei.c:4396
     __do_sys_unlink fs/namei.c:4437 [inline]
     __se_sys_unlink fs/namei.c:4435 [inline]
     __x64_sys_unlink+0x49/0x50 fs/namei.c:4435
     x64_sys_call+0x289/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
     entry_SYSCALL_64_after_hwframe+0x68/0xd2

    The buggy address belongs to the object at ffff888100567a10
     which belongs to the cache f2fs_inode_cache of size 1360
    The buggy address is located 952 bytes inside of
     1360-byte region [ffff888100567a10, ffff888100567f60)

    The buggy address belongs to the physical page:
    page:ffffea0004015800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100560
    head:ffffea0004015800 order:3 compound_mapcount:0 compound_pincount:0
    flags: 0x4000000000010200(slab|head|zone=1)
    raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881002c4d80
    raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    page_owner tracks the page as allocated
    page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 298, tgid 298 (syz-executor330), ts 26489303743, free_ts 0
     set_page_owner include/linux/page_owner.h:33 [inline]
     post_alloc_hook+0x213/0x220 mm/page_alloc.c:2637
     prep_new_page+0x1b/0x110 mm/page_alloc.c:2644
     get_page_from_freelist+0x3a98/0x3b10 mm/page_alloc.c:4539
     __alloc_pages+0x234/0x610 mm/page_alloc.c:5837
     alloc_slab_page+0x6c/0xf0 include/linux/gfp.h:-1
     allocate_slab mm/slub.c:1962 [inline]
     new_slab+0x90/0x3e0 mm/slub.c:2015
     ___slab_alloc+0x6f9/0xb80 mm/slub.c:3203
     __slab_alloc+0x5d/0xa0 mm/slub.c:3302
     slab_alloc_node mm/slub.c:3387 [inline]
     slab_alloc mm/slub.c:3431 [inline]
     __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
     kmem_cache_alloc_lru+0x149/0x270 mm/slub.c:3454
     alloc_inode_sb include/linux/fs.h:3255 [inline]
     f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437
     alloc_inode fs/inode.c:261 [inline]
     iget_locked+0x18c/0x7e0 fs/inode.c:1373
     f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486
     f2fs_fill_super+0x5360/0x6dc0 fs/f2fs/super.c:4488
     mount_bdev+0x282/0x3b0 fs/super.c:1445
     f2fs_mount+0x34/0x40 fs/f2fs/super.c:4743
     legacy_get_tree+0xf1/0x190 fs/fs_context.c:632
    page_owner free stack trace missing

    Memory state around the buggy address:
     ffff888100567c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff888100567d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff888100567d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                  ^
     ffff888100567e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff888100567e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================

    [2] https://syzkaller.appspot.com/text?tag=CrashLog&x=13654c60580000

    [ 24.675720][ T28] audit: type=1400 audit(1745327318.732:72): avc: denied { write } for pid=298 comm="syz-executor399" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
    [ 24.705426][ T296] ------------[ cut here ]------------
    [ 24.706608][ T28] audit: type=1400 audit(1745327318.732:73): avc: denied { remove_name } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
    [ 24.711550][ T296] WARNING: CPU: 0 PID: 296 at fs/f2fs/inode.c:847 f2fs_evict_inode+0x1262/0x1540
    [ 24.734141][ T28] audit: type=1400 audit(1745327318.732:74): avc: denied { rename } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
    [ 24.742969][ T296] Modules linked in:
    [ 24.765201][ T28] audit: type=1400 audit(1745327318.732:75): avc: denied { add_name } for pid=298 comm="syz-executor399" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
    [ 24.768847][ T296] CPU: 0 PID: 296 Comm: syz-executor399 Not tainted 6.1.129-syzkaller-00017-g642656a36791 #0
    [ 24.799506][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
    [ 24.809401][ T296] RIP: 0010:f2fs_evict_inode+0x1262/0x1540
    [ 24.815018][ T296] Code: 34 70 4a ff eb 0d e8 2d 70 4a ff 4d 89 e5 4c 8b 64 24 18 48 8b 5c 24 28 4c 89 e7 e8 78 38 03 00 e9 84 fc ff ff e8 0e 70 4a ff <0f> 0b 4c 89 f7 be 08 00 00 00 e8 7f 21 92 ff f0 41 80 0e 04 e9 61
    [ 24.834584][ T296] RSP: 0018:ffffc90000db7a40 EFLAGS: 00010293
    [ 24.840465][ T296] RAX: ffffffff822aca42 RBX: 0000000000000002 RCX: ffff888110948000
    [ 24.848291][ T296] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
    [ 24.856064][ T296] RBP: ffffc90000db7bb0 R08: ffffffff822ac6a8 R09: ffffed10200b005d
    [ 24.864073][ T296] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888100580000
    [ 24.871812][ T296] R13: dffffc0000000000 R14: ffff88810fef4078 R15: 1ffff920001b6f5c

    The root cause is w/ a fuzzed image, f2fs may miss clearing the FI_DIRTY_INODE
    flag for the target inode; after f2fs_evict_inode(), the inode is still linked
    in the sbi->inode_list[DIRTY_META] global list, and once it triggers a
    checkpoint, f2fs_sync_inode_meta() may access the released inode.

    In f2fs_evict_inode(), let's always call f2fs_inode_synced() to clear the
    FI_DIRTY_INODE flag and drop the inode from the global dirty list to avoid
    this UAF issue.

    Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing")
    Closes: https://syzkaller.appspot.com/bug?extid=849174b2efaf0d8be6ba
    Signed-off-by: Chao Yu
    Signed-off-by: Jaegeuk Kim
    Signed-off-by: Sasha Levin

 fs/f2fs/inode.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

accumulated error probability: 0.00
culprit signature: 015601578fc50f6a3b8886a642ec5e41ae25731c129601b9c1de3e17689ce112
parent signature: 5c6f8967fefcd36bc0e14ca1b2bd7f73e129240054299d2e76d9c8d98b9a3256
revisions tested: 19, total time: 4h4m4.745144893s (build: 1h27m38.381108161s, test: 2h33m21.01567987s)
first good commit: 4dcd830c420f2190ae32f03626039fde7b57b2ad f2fs: fix to avoid UAF in f2fs_sync_inode_meta()
recipients (to): ["chao@kernel.org" "jaegeuk@kernel.org" "sashal@kernel.org"]
recipients (cc): []
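The lifecycle bug the commit message describes, reduced to a user-space model. This is an added illustration written for this page, not f2fs code: the flag, list and function names echo the report (FI_DIRTY_INODE, sbi->inode_list[DIRTY_META], f2fs_inode_dirtied/f2fs_inode_synced), but the structures, the `corrupt` field and the early-exit path in the buggy evict are assumptions standing in for whatever a fuzzed image triggers in the real f2fs_evict_inode(). Freeing is modelled by a poison flag rather than free(), so the program stays well-defined; the checkpoint walker counts the entries KASAN would report as use-after-free reads. The "before" and "after" evict routines sit side by side so the effect of the fix (unlink unconditionally before the object goes away) can be checked directly.

```c
/* Model of an object freed while still linked in a global list, and the fix.
 * Added example; the f2fs names are borrowed, the structures are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Intrusive doubly-linked list in the style of <linux/list.h>. */
struct list_head {
	struct list_head *next, *prev;
};

static void INIT_LIST_HEAD(struct list_head *h)
{
	h->next = h;
	h->prev = h;
}

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev;
	n->next = head;
	head->prev->next = n;
	head->prev = n;
}

static void list_del_init(struct list_head *n)
{
	n->prev->next = n->next;
	n->next->prev = n->prev;
	INIT_LIST_HEAD(n);
}

#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

#define FI_DIRTY_INODE 0x1u	/* inode is on the global dirty list */

struct inode {
	unsigned int ino;
	unsigned int flags;		/* FI_* bits */
	struct list_head gdirty_list;	/* link into sbi->dirty_meta */
	bool corrupt;			/* assumption: bad on-disk inode */
	bool freed;			/* stands in for the slab object being freed */
};

struct sbi {
	struct list_head dirty_meta;	/* sbi->inode_list[DIRTY_META] */
};

/* f2fs_inode_dirtied(): set the flag and link into the global list once. */
static void inode_dirtied(struct sbi *sbi, struct inode *in)
{
	if (in->flags & FI_DIRTY_INODE)
		return;
	in->flags |= FI_DIRTY_INODE;
	list_add_tail(&in->gdirty_list, &sbi->dirty_meta);
}

/* f2fs_inode_synced(): clear the flag and drop the global-list link. */
static void inode_synced(struct inode *in)
{
	if (!(in->flags & FI_DIRTY_INODE))
		return;
	in->flags &= ~FI_DIRTY_INODE;
	list_del_init(&in->gdirty_list);
}

/* "Before": on a corrupted inode the teardown bails out before the step
 * that would unlink it (assumed path), so it is freed while still linked. */
static void evict_inode_buggy(struct inode *in)
{
	if (!in->corrupt)
		inode_synced(in);
	in->freed = true;	/* f2fs_free_inode() via RCU in the kernel */
}

/* "After": clear the flag and drop the link on every evict path. */
static void evict_inode_fixed(struct inode *in)
{
	inode_synced(in);
	in->freed = true;
}

/* f2fs_sync_inode_meta() at checkpoint walks the global dirty list.
 * Returns how many entries point at an already-freed inode. */
static int checkpoint_dangling(struct sbi *sbi)
{
	int dangling = 0;
	struct list_head *p;

	for (p = sbi->dirty_meta.next; p != &sbi->dirty_meta; p = p->next) {
		struct inode *in = list_entry(p, struct inode, gdirty_list);
		if (in->freed)
			dangling++;
	}
	return dangling;
}

/* Sequence from the report with a constructed image: lookup dirties inode 4
 * (the fuzzed one) and a sibling, unlink evicts inode 4, checkpoint runs. */
static int run_scenario(void (*evict)(struct inode *))
{
	struct sbi sbi;
	struct inode file0 = { .ino = 4, .corrupt = true };
	struct inode other = { .ino = 5, .corrupt = false };

	INIT_LIST_HEAD(&sbi.dirty_meta);
	INIT_LIST_HEAD(&file0.gdirty_list);
	INIT_LIST_HEAD(&other.gdirty_list);
	inode_dirtied(&sbi, &file0);
	inode_dirtied(&sbi, &other);
	evict(&file0);			/* iput_final -> evict, per "Freed by" */
	return checkpoint_dangling(&sbi);
}

int main(void)
{
	printf("buggy evict: %d dangling entries at checkpoint\n",
	       run_scenario(evict_inode_buggy));
	printf("fixed evict: %d dangling entries at checkpoint\n",
	       run_scenario(evict_inode_fixed));
	return 0;
}
```

Build with `cc -Wall -o dirty_list dirty_list.c`; the buggy variant leaves one dangling entry for the walker to read, the fixed one none. The point of the fix is the ordering invariant this models: any object reachable from a global list must be unlinked before its memory is released, on every exit path, not only on the one the normal teardown takes.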