From: syzbot <syzbot+6cc93ec9a4035badb85f@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, baolin.wang@linux.alibaba.com,
hughd@google.com, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [mm?] KASAN: use-after-free Read in copy_folio_from_iter_atomic (2)
Date: Mon, 30 Mar 2026 02:56:26 -0700 [thread overview]
Message-ID: <69ca48ca.050a0220.183828.001a.GAE@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 24d479d26b25 Linux 6.19-rc6
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15454e3a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c33bf4a3a0c7a4f1
dashboard link: https://syzkaller.appspot.com/bug?extid=6cc93ec9a4035badb85f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f0555f920605/disk-24d479d2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ae277d28fcd2/vmlinux-24d479d2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b4f8db4a51a6/bzImage-24d479d2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6cc93ec9a4035badb85f@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in memcpy_from_iter lib/iov_iter.c:85 [inline]
BUG: KASAN: use-after-free in iterate_bvec include/linux/iov_iter.h:123 [inline]
BUG: KASAN: use-after-free in iterate_and_advance2 include/linux/iov_iter.h:306 [inline]
BUG: KASAN: use-after-free in iterate_and_advance include/linux/iov_iter.h:330 [inline]
BUG: KASAN: use-after-free in __copy_from_iter lib/iov_iter.c:261 [inline]
BUG: KASAN: use-after-free in copy_folio_from_iter_atomic+0xa6c/0x1950 lib/iov_iter.c:491
Read of size 4096 at addr ffff88803177d000 by task kworker/u8:9/1219
CPU: 0 UID: 0 PID: 1219 Comm: kworker/u8:9 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: loop1 loop_workfn
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
memcpy_from_iter lib/iov_iter.c:85 [inline]
iterate_bvec include/linux/iov_iter.h:123 [inline]
iterate_and_advance2 include/linux/iov_iter.h:306 [inline]
iterate_and_advance include/linux/iov_iter.h:330 [inline]
__copy_from_iter lib/iov_iter.c:261 [inline]
copy_folio_from_iter_atomic+0xa6c/0x1950 lib/iov_iter.c:491
generic_perform_write+0x5b1/0x8b0 mm/filemap.c:4332
shmem_file_write_iter+0xfb/0x120 mm/shmem.c:3490
lo_rw_aio+0xc80/0xf00 include/linux/percpu-rwsem.h:-1
do_req_filebacked drivers/block/loop.c:434 [inline]
loop_handle_cmd drivers/block/loop.c:1947 [inline]
loop_process_work+0x637/0x11b0 drivers/block/loop.c:1982
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
worker_thread+0x89f/0xd90 kernel/workqueue.c:3421
kthread+0x726/0x8b0 kernel/kthread.c:463
ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803177d000 pfn:0x3177d
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 ffffea00016beb08 ffffea00009e42c8 0000000000000000
raw: ffff88803177d000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xdc0(GFP_KERNEL|__GFP_ZERO), pid 6876, tgid 6875 (syz.1.137), ts 163020649815, free_ts 163886382057
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3945
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5240
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
alloc_frozen_pages_noprof mm/mempolicy.c:2557 [inline]
alloc_pages_noprof+0xce/0x1e0 mm/mempolicy.c:2577
lbmLogInit fs/jfs/jfs_logmgr.c:1815 [inline]
lmLogInit+0x357/0x1a00 fs/jfs/jfs_logmgr.c:1269
open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1069
jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257
jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1691
vfs_get_tree+0x92/0x2a0 fs/super.c:1751
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount+0x329/0xa50 fs/namespace.c:3712
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount+0x31d/0x420 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5804 tgid 5804 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1433 [inline]
__free_frozen_pages+0xfc1/0x1130 mm/page_alloc.c:2973
lbmLogShutdown fs/jfs/jfs_logmgr.c:1863 [inline]
lmLogShutdown+0x44e/0x850 fs/jfs/jfs_logmgr.c:1683
lmLogClose+0x28a/0x520 fs/jfs/jfs_logmgr.c:1459
jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114
jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x135/0x2c0 fs/super.c:643
kill_block_super+0x44/0x90 fs/super.c:1722
deactivate_locked_super+0xbc/0x130 fs/super.c:474
cleanup_mnt+0x437/0x4d0 fs/namespace.c:1318
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x2b7/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88803177cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88803177cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88803177d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88803177d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88803177d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2026-03-30 9:56 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-30 9:56 syzbot [this message]
2026-04-16 10:23 ` [syzbot] [mm?] KASAN: use-after-free Read in copy_folio_from_iter_atomic (2) syzbot
2026-04-17 20:43 ` Forwarded: " syzbot
2026-04-20 4:08 ` syzbot
2026-04-20 4:11 ` syzbot
2026-04-23 13:26 ` Forwarded: [PATCH 1/1] jfs: try syzbot fix syzbot
2026-04-24 21:16 ` Forwarded: Re: [syzbot] [mm?] KASAN: use-after-free Read in copy_folio_from_iter_atomic (2) syzbot
2026-04-25 11:24 ` Forwarded: [PATCH] jfs: fix use-after-free on log shutdown syzbot
[not found] <CAAMO5pgGENy_VO0b3uSEPpns6L_AZesZHW3fWv9=muqUFtKvyQ@mail.gmail.com>
2026-04-17 21:19 ` [syzbot] [mm?] KASAN: use-after-free Read in copy_folio_from_iter_atomic (2) syzbot
[not found] <CAAMO5pjxksZntoLX-6fCrsGFVE6Z+-goCM6xJ0pby-S5XKph+g@mail.gmail.com>
2026-04-20 4:18 ` syzbot
[not found] <CAAMO5ph3W9SPGJEqB4A7ObR0G=2LdGNXLev1Y6rMRQDmN2e51Q@mail.gmail.com>
2026-04-20 4:18 ` syzbot
[not found] <20260423132557.28264-2-jakovnovak30@gmail.com>
2026-04-23 13:57 ` syzbot
[not found] <20260424211614.47023-1-mashiro.chen@mailbox.org>
2026-04-24 21:23 ` syzbot
[not found] <20260425112428.81709-1-mashiro.chen@mailbox.org>
2026-04-25 12:02 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69ca48ca.050a0220.183828.001a.GAE@google.com \
--to=syzbot+6cc93ec9a4035badb85f@syzkaller.appspotmail.com \
--cc=akpm@linux-foundation.org \
--cc=baolin.wang@linux.alibaba.com \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.