* [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
@ 2025-06-18 12:56 syzbot
2025-06-19 9:52 ` Jan Kara
0 siblings, 1 reply; 15+ messages in thread
From: syzbot @ 2025-06-18 12:56 UTC (permalink / raw)
To: akpm, david, jack, jgg, jhubbard, linux-kernel, linux-mm, peterx,
ryan.roberts, syzkaller-bugs, will
Hello,
syzbot found the following issue on:
HEAD commit: bc6e0ba6c9ba Add linux-next specific files for 20250613
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=108c710c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2f7a2e4d17ed458f
dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=148c710c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=179025d4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2430bb0465cc/disk-bc6e0ba6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/436a39deef0a/vmlinux-bc6e0ba6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e314ca5b1eb3/bzImage-bc6e0ba6.xz
The issue was bisected to:
commit 3b61a3f08949297815b2c77ae2696f54cd339419
Author: Ryan Roberts <ryan.roberts@arm.com>
Date: Mon Jun 9 09:27:27 2025 +0000
mm/filemap: allow arch to request folio size for exec memory
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11b0a5d4580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=13b0a5d4580000
console output: https://syzkaller.appspot.com/x/log.txt?x=15b0a5d4580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8e4be574cb8c40140a2a@syzkaller.appspotmail.com
Fixes: 3b61a3f08949 ("mm/filemap: allow arch to request folio size for exec memory")
==================================================================
BUG: KASAN: slab-use-after-free in do_sync_mmap_readahead+0x4bf/0x830 mm/filemap.c:3282
Read of size 8 at addr ffff88806bda3410 by task syz-executor164/6247
CPU: 0 UID: 0 PID: 6247 Comm: syz-executor164 Not tainted 6.16.0-rc1-next-20250613-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
do_sync_mmap_readahead+0x4bf/0x830 mm/filemap.c:3282
filemap_fault+0x62c/0x1200 mm/filemap.c:3444
__do_fault+0x135/0x390 mm/memory.c:5187
do_read_fault mm/memory.c:5608 [inline]
do_fault mm/memory.c:5742 [inline]
do_pte_missing mm/memory.c:4269 [inline]
handle_pte_fault mm/memory.c:6087 [inline]
__handle_mm_fault+0x37ed/0x5620 mm/memory.c:6230
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6399
faultin_page mm/gup.c:1186 [inline]
__get_user_pages+0x1aef/0x30b0 mm/gup.c:1488
populate_vma_page_range+0x29f/0x3a0 mm/gup.c:1922
__mm_populate+0x24c/0x380 mm/gup.c:2025
mm_populate include/linux/mm.h:3354 [inline]
vm_mmap_pgoff+0x3f0/0x4c0 mm/util.c:584
ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f580d0c3919
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f580d07c208 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f580d14d348 RCX: 00007f580d0c3919
RDX: 0000000001000006 RSI: 0000000000b36000 RDI: 0000200000000000
RBP: 00007f580d14d340 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000028011 R11: 0000000000000246 R12: 00007f580d11a270
R13: 00002000000001d8 R14: 00002000000005c0 R15: 00002000000001c0
</TASK>
Allocated by task 6247:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4204
vm_area_alloc+0x24/0x140 mm/vma_init.c:31
__mmap_new_vma mm/vma.c:2452 [inline]
__mmap_region mm/vma.c:2662 [inline]
mmap_region+0xe0d/0x2080 mm/vma.c:2732
do_mmap+0xc45/0x10d0 mm/mmap.c:561
vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6249:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free_after_rcu_debug+0x129/0x2a0 mm/slub.c:4693
rcu_do_batch kernel/rcu/tree.c:2582 [inline]
rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2838
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4643 [inline]
kmem_cache_free+0x2f6/0x400 mm/slub.c:4745
remove_vma mm/vma.c:465 [inline]
vms_complete_munmap_vmas+0x626/0x8a0 mm/vma.c:1288
__mmap_complete mm/vma.c:2518 [inline]
__mmap_region mm/vma.c:2670 [inline]
mmap_region+0x1221/0x2080 mm/vma.c:2732
do_mmap+0xc45/0x10d0 mm/mmap.c:561
vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88806bda33c0
which belongs to the cache vm_area_struct of size 256
The buggy address is located 80 bytes inside of
freed 256-byte region [ffff88806bda33c0, ffff88806bda34c0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6bda3
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88814040ab40 ffffea0001b656c0 0000000000000003
raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5532, tgid 5532 (rm), ts 56329480650, free_ts 52472185128
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2619
new_slab mm/slub.c:2673 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
__slab_alloc mm/slub.c:3949 [inline]
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4204
vm_area_dup+0x2b/0x680 mm/vma_init.c:122
__split_vma+0x1a9/0xa00 mm/vma.c:512
vms_gather_munmap_vmas+0x2de/0x12b0 mm/vma.c:1354
__mmap_prepare mm/vma.c:2351 [inline]
__mmap_region mm/vma.c:2641 [inline]
mmap_region+0x71a/0x2080 mm/vma.c:2732
do_mmap+0xc45/0x10d0 mm/mmap.c:561
vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5212 tgid 5212 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
__slab_free+0x326/0x400 mm/slub.c:4554
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
__kmalloc_noprof+0x224/0x4f0 mm/slub.c:4340
kmalloc_noprof include/linux/slab.h:909 [inline]
tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x213/0x4b0 security/tomoyo/file.c:822
security_inode_getattr+0x12f/0x330 security/security.c:2377
vfs_getattr fs/stat.c:259 [inline]
vfs_statx_path fs/stat.c:299 [inline]
vfs_statx+0x18e/0x550 fs/stat.c:356
vfs_fstatat+0x118/0x170 fs/stat.c:375
__do_sys_newfstatat fs/stat.c:542 [inline]
__se_sys_newfstatat fs/stat.c:536 [inline]
__x64_sys_newfstatat+0x116/0x190 fs/stat.c:536
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88806bda3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88806bda3380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff88806bda3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88806bda3480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff88806bda3500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
[not found] <20250619082423.1156-1-hdanton@sina.com>
@ 2025-06-19 9:27 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-06-19 9:27 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
[ T1] NET: Registered PF_CAIF protocol family
[ 24.858546][ T1] NET: Registered PF_IEEE802154 protocol family
[ 24.865885][ T1] Key type dns_resolver registered
[ 24.871090][ T1] Key type ceph registered
[ 24.876288][ T1] libceph: loaded (mon/osd proto 15/24)
[ 24.884263][ T1] batman_adv: B.A.T.M.A.N. advanced 2025.2 (compatibility version 15) loaded
[ 24.894245][ T1] openvswitch: Open vSwitch switching datapath
[ 24.903135][ T1] NET: Registered PF_VSOCK protocol family
[ 24.909310][ T1] mpls_gso: MPLS GSO support
[ 24.940272][ T1] IPI shorthand broadcast: enabled
[ 26.791823][ T1] sched_clock: Marking stable (26730019966, 52777718)->(26793217984, -10420300)
[ 26.807012][ T1] registered taskstats version 1
[ 26.827752][ T1] Loading compiled-in X.509 certificates
[ 26.863200][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: b0b377692fc411d7236ea8f3768d6795102ecba9'
[ 27.236170][ T1] zswap: loaded using pool 842/zsmalloc
[ 27.245377][ T1] Demotion targets for Node 0: null
[ 27.250727][ T1] Demotion targets for Node 1: null
[ 27.256079][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 30.066600][ T1] Key type .fscrypt registered
[ 30.071493][ T1] Key type fscrypt-provisioning registered
[ 30.086084][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 30.117948][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 30.126712][ T1] Key type big_key registered
[ 30.131565][ T1] Key type encrypted registered
[ 30.136642][ T1] AppArmor: AppArmor sha256 policy hashing enabled
[ 30.143441][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 30.149878][ T1] Loading compiled-in module X.509 certificates
[ 30.182451][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: b0b377692fc411d7236ea8f3768d6795102ecba9'
[ 30.193491][ T1] ima: Allocated hash algorithm: sha256
[ 30.199640][ T1] ima: No architecture policies found
[ 30.205622][ T1] evm: Initialising EVM extended attributes:
[ 30.211605][ T1] evm: security.selinux (disabled)
[ 30.216747][ T1] evm: security.SMACK64 (disabled)
[ 30.222132][ T1] evm: security.SMACK64EXEC (disabled)
[ 30.227790][ T1] evm: security.SMACK64TRANSMUTE (disabled)
[ 30.233738][ T1] evm: security.SMACK64MMAP (disabled)
[ 30.239331][ T1] evm: security.apparmor
[ 30.243617][ T1] evm: security.ima
[ 30.247628][ T1] evm: security.capability
[ 30.252479][ T1] evm: HMAC attrs: 0x1
[ 30.259868][ T1] PM: Magic number: 13:101:273
[ 30.265655][ T1] usb usb13: hash matches
[ 30.270343][ T1] usb usb1-port1: hash matches
[ 30.275292][ T1] tty ttyy1: hash matches
[ 30.279826][ T1] tty tty10: hash matches
[ 30.284210][ T1] net lo: hash matches
[ 30.288574][ T1] netconsole: network logging started
[ 30.294945][ T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[ 30.308726][ T1] rdma_rxe: loaded
[ 30.313912][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 30.325214][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 30.334078][ T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[ 30.343538][ T1] clk: Disabling unused clocks
[ 30.345985][ T9] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 30.348482][ T1] ALSA device list:
[ 30.358089][ T9] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 30.364326][ T1] #0: Dummy 1
[ 30.374437][ T1] #1: Loopback 1
[ 30.378185][ T1] #2: Virtual MIDI Card 1
[ 30.386515][ T1] md: Waiting for all devices to be available before autodetect
[ 30.394317][ T1] md: If you don't use raid, use raid=noautodetect
[ 30.400836][ T1] md: Autodetecting RAID arrays.
[ 30.405881][ T1] md: autorun ...
[ 30.409516][ T1] md: ... autorun DONE.
[ 30.575909][ T1] EXT4-fs (sda1): orphan cleanup on readonly fs
[ 30.585025][ T1] EXT4-fs (sda1): mounted filesystem 4f91c6db-4997-4bb4-91b8-7e83a20c1bf1 ro with ordered data mode. Quota mode: none.
[ 30.597892][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 30.624198][ T1] devtmpfs: mounted
[ 30.704264][ T1] Freeing unused kernel image (initmem) memory: 26212K
[ 30.715021][ T1] Write protecting the kernel read-only data: 210944k
[ 30.733240][ T1] Freeing unused kernel image (text/rodata gap) memory: 1172K
[ 30.745123][ T1] Freeing unused kernel image (rodata/data gap) memory: 508K
[ 30.875501][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 30.883698][ T1] x86/mm: Checking user space page tables
[ 30.994480][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 31.007496][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 31.017701][ T1] Run /sbin/init as init process
[ 31.590358][ T5171] mount (5171) used greatest stack depth: 24104 bytes left
[ 31.661528][ T5172] EXT4-fs (sda1): re-mounted 4f91c6db-4997-4bb4-91b8-7e83a20c1bf1 r/w.
mount: mounting devtmpfs on /dev failed: Device or resource busy
mount: mounting smackfs on /sys/fs/smackfs failed: No such file or directory
mount: mounting selinuxfs on /sys/fs/selinux failed: No such file or directory
[ 31.817727][ T5177] modprobe (5177) used greatest stack depth: 23416 bytes left
[ 31.830101][ T5176] mount (5176) used greatest stack depth: 21736 bytes left
Starting syslogd: OK
Starting acpid: [ 32.410716][ T5191] acpid (5191) used greatest stack depth: 21096 bytes left
OK
Starting klogd: OK
Running sysctl: OK
Populating /dev using udev: [ 33.188666][ T5206] udevd[5206]: starting version 3.2.14
[ 33.492691][ T5207] udevd[5207]: starting eudev-3.2.14
[ 33.501115][ T5206] udevd (5206) used greatest stack depth: 20056 bytes left
[ 33.915611][ T5207] ------------[ cut here ]------------
[ 33.921482][ T5207] WARNING: ./include/linux/rwsem.h:203 at remove_vma+0x21e/0x290, CPU#1: udevd/5207
[ 33.931072][ T5207] Modules linked in:
[ 33.935154][ T5207] CPU: 1 UID: 0 PID: 5207 Comm: udevd Not tainted 6.16.0-rc2-next-20250618-syzkaller-03311-g6e5ab6fee68d-dirty #0 PREEMPT(full)
[ 33.948955][ T5207] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 33.959417][ T5207] RIP: 0010:remove_vma+0x21e/0x290
[ 33.964649][ T5207] Code: 2e ab ff 4c 89 f7 e8 81 b4 0b 00 eb 05 e8 8a 2e ab ff 48 89 df 5b 41 5c 41 5d 41 5e 41 5f 5d e9 98 e5 f4 ff e8 73 2e ab ff 90 <0f> 0b 90 e9 83 fe ff ff 48 c7 c1 30 9e a1 8f 80 e1 07 80 c1 03 38
[ 33.984690][ T5207] RSP: 0018:ffffc90002fa7a28 EFLAGS: 00010293
[ 33.990797][ T5207] RAX: ffffffff821528cd RBX: ffff88802ec31b40 RCX: ffff8880618b3c00
[ 33.998843][ T5207] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 34.006900][ T5207] RBP: 0000000000000000 R08: ffff8880618b3c00 R09: 0000000000000002
[ 34.014952][ T5207] R10: 0000000000000003 R11: 0000000000000000 R12: dffffc0000000000
[ 34.022997][ T5207] R13: 1ffff1100c116063 R14: ffff88802ec31b50 R15: ffffc90002fa7c50
[ 34.031175][ T5207] FS: 00007f5f52b67880(0000) GS:ffff888125d3d000(0000) knlGS:0000000000000000
[ 34.040218][ T5207] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 34.046903][ T5207] CR2: 00007f5f52b8bd00 CR3: 0000000060c72000 CR4: 00000000003526f0
[ 34.054963][ T5207] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 34.063269][ T5207] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 34.071278][ T5207] Call Trace:
[ 34.074654][ T5207] <TASK>
[ 34.077614][ T5207] vms_complete_munmap_vmas+0x54c/0x7c0
[ 34.083363][ T5207] do_vmi_align_munmap+0x358/0x420
[ 34.088517][ T5207] ? __pfx_filemap_map_pages+0x10/0x10
[ 34.094109][ T5207] ? __pfx_do_vmi_align_munmap+0x10/0x10
[ 34.099837][ T5207] do_vmi_munmap+0x253/0x2e0
[ 34.104743][ T5207] __vm_munmap+0x23b/0x3d0
[ 34.109213][ T5207] ? __pfx___vm_munmap+0x10/0x10
[ 34.114279][ T5207] __x64_sys_munmap+0x60/0x70
[ 34.119000][ T5207] do_syscall_64+0xfa/0x3b0
[ 34.123691][ T5207] ? lockdep_hardirqs_on+0x9c/0x150
[ 34.128925][ T5207] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 34.135178][ T5207] ? clear_bhb_loop+0x60/0xb0
[ 34.139894][ T5207] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 34.145879][ T5207] RIP: 0033:0x7f5f5251e097
[ 34.150327][ T5207] Code: 73 01 c3 48 8b 0d 61 2d 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 31 2d 0d 00 f7 d8 64 89 01 48
[ 34.170167][ T5207] RSP: 002b:00007ffde341e0a8 EFLAGS: 00000206 ORIG_RAX: 000000000000000b
[ 34.178753][ T5207] RAX: ffffffffffffffda RBX: 00005648cc15fbf0 RCX: 00007f5f5251e097
[ 34.187010][ T5207] RDX: 0000000000000000 RSI: 00000000009480e8 RDI: 00007f5f51a00000
[ 34.195088][ T5207] RBP: 00005648cc15f910 R08: 00005648cc161670 R09: 0000000000000006
[ 34.203334][ T5207] R10: 3fffffffffffffff R11: 0000000000000206 R12: 000056488f485588
[ 34.211336][ T5207] R13: 000056488f486100 R14: 0000000000000001 R15: 0000000000000000
[ 34.219830][ T5207] </TASK>
[ 34.222964][ T5207] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 34.230367][ T5207] CPU: 1 UID: 0 PID: 5207 Comm: udevd Not tainted 6.16.0-rc2-next-20250618-syzkaller-03311-g6e5ab6fee68d-dirty #0 PREEMPT(full)
[ 34.243855][ T5207] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 34.254037][ T5207] Call Trace:
[ 34.257344][ T5207] <TASK>
[ 34.260296][ T5207] dump_stack_lvl+0x99/0x250
[ 34.264939][ T5207] ? __asan_memcpy+0x40/0x70
[ 34.269568][ T5207] ? __pfx_dump_stack_lvl+0x10/0x10
[ 34.274902][ T5207] ? __pfx__printk+0x10/0x10
[ 34.279553][ T5207] panic+0x2db/0x790
[ 34.283606][ T5207] ? __pfx_panic+0x10/0x10
[ 34.288088][ T5207] __warn+0x334/0x4c0
[ 34.292128][ T5207] ? remove_vma+0x21e/0x290
[ 34.296682][ T5207] ? remove_vma+0x21e/0x290
[ 34.301229][ T5207] report_bug+0x2be/0x4f0
[ 34.305594][ T5207] ? remove_vma+0x21e/0x290
[ 34.310140][ T5207] ? remove_vma+0x21e/0x290
[ 34.314684][ T5207] ? remove_vma+0x220/0x290
[ 34.319221][ T5207] handle_bug+0x84/0x160
[ 34.323513][ T5207] exc_invalid_op+0x1a/0x50
[ 34.328064][ T5207] asm_exc_invalid_op+0x1a/0x20
[ 34.332947][ T5207] RIP: 0010:remove_vma+0x21e/0x290
[ 34.338093][ T5207] Code: 2e ab ff 4c 89 f7 e8 81 b4 0b 00 eb 05 e8 8a 2e ab ff 48 89 df 5b 41 5c 41 5d 41 5e 41 5f 5d e9 98 e5 f4 ff e8 73 2e ab ff 90 <0f> 0b 90 e9 83 fe ff ff 48 c7 c1 30 9e a1 8f 80 e1 07 80 c1 03 38
[ 34.358023][ T5207] RSP: 0018:ffffc90002fa7a28 EFLAGS: 00010293
[ 34.364200][ T5207] RAX: ffffffff821528cd RBX: ffff88802ec31b40 RCX: ffff8880618b3c00
[ 34.372181][ T5207] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 34.380153][ T5207] RBP: 0000000000000000 R08: ffff8880618b3c00 R09: 0000000000000002
[ 34.388132][ T5207] R10: 0000000000000003 R11: 0000000000000000 R12: dffffc0000000000
[ 34.396124][ T5207] R13: 1ffff1100c116063 R14: ffff88802ec31b50 R15: ffffc90002fa7c50
[ 34.404130][ T5207] ? remove_vma+0x21d/0x290
[ 34.408657][ T5207] ? remove_vma+0x21d/0x290
[ 34.413179][ T5207] vms_complete_munmap_vmas+0x54c/0x7c0
[ 34.418772][ T5207] do_vmi_align_munmap+0x358/0x420
[ 34.423913][ T5207] ? __pfx_filemap_map_pages+0x10/0x10
[ 34.429479][ T5207] ? __pfx_do_vmi_align_munmap+0x10/0x10
[ 34.435182][ T5207] do_vmi_munmap+0x253/0x2e0
[ 34.439810][ T5207] __vm_munmap+0x23b/0x3d0
[ 34.444593][ T5207] ? __pfx___vm_munmap+0x10/0x10
[ 34.449596][ T5207] __x64_sys_munmap+0x60/0x70
[ 34.454304][ T5207] do_syscall_64+0xfa/0x3b0
[ 34.458917][ T5207] ? lockdep_hardirqs_on+0x9c/0x150
[ 34.464131][ T5207] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 34.470645][ T5207] ? clear_bhb_loop+0x60/0xb0
[ 34.475341][ T5207] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 34.481330][ T5207] RIP: 0033:0x7f5f5251e097
[ 34.485760][ T5207] Code: 73 01 c3 48 8b 0d 61 2d 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 31 2d 0d 00 f7 d8 64 89 01 48
[ 34.505485][ T5207] RSP: 002b:00007ffde341e0a8 EFLAGS: 00000206 ORIG_RAX: 000000000000000b
[ 34.513924][ T5207] RAX: ffffffffffffffda RBX: 00005648cc15fbf0 RCX: 00007f5f5251e097
[ 34.521924][ T5207] RDX: 0000000000000000 RSI: 00000000009480e8 RDI: 00007f5f51a00000
[ 34.530022][ T5207] RBP: 00005648cc15f910 R08: 00005648cc161670 R09: 0000000000000006
[ 34.538134][ T5207] R10: 3fffffffffffffff R11: 0000000000000206 R12: 000056488f485588
[ 34.546199][ T5207] R13: 000056488f486100 R14: 0000000000000001 R15: 0000000000000000
[ 34.554295][ T5207] </TASK>
[ 34.557640][ T5207] Kernel Offset: disabled
[ 34.561960][ T5207] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.7.linux-amd64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.7.linux-amd64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.7'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4033099088=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 0e8da31f2d4
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=0e8da31f2d4312fc3ad5c1e2e221075831885e0e -X github.com/google/syzkaller/prog.gitRevisionDate=20250613-131303" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"0e8da31f2d4312fc3ad5c1e2e221075831885e0e\"
/usr/bin/ld: /tmp/ccK7dhHx.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1726fe82580000
Tested on:
commit: 6e5ab6fe Add linux-next specific files for 20250618
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=70c73b370b132354
dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=120afe82580000
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
2025-06-18 12:56 syzbot
@ 2025-06-19 9:52 ` Jan Kara
2025-06-19 10:57 ` Ryan Roberts
2025-06-21 1:20 ` Hillf Danton
0 siblings, 2 replies; 15+ messages in thread
From: Jan Kara @ 2025-06-19 9:52 UTC (permalink / raw)
To: ryan.roberts
Cc: akpm, david, jack, jgg, jhubbard, linux-kernel, linux-mm, peterx,
syzkaller-bugs, will
Hi,
On Wed 18-06-25 05:56:30, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: bc6e0ba6c9ba Add linux-next specific files for 20250613
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=108c710c580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2f7a2e4d17ed458f
> dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
> compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=148c710c580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=179025d4580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2430bb0465cc/disk-bc6e0ba6.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/436a39deef0a/vmlinux-bc6e0ba6.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/e314ca5b1eb3/bzImage-bc6e0ba6.xz
>
> The issue was bisected to:
>
> commit 3b61a3f08949297815b2c77ae2696f54cd339419
> Author: Ryan Roberts <ryan.roberts@arm.com>
> Date: Mon Jun 9 09:27:27 2025 +0000
>
> mm/filemap: allow arch to request folio size for exec memory
Indeed. The crash is in:
fpin = maybe_unlock_mmap_for_io(vmf, fpin);
if (vm_flags & VM_EXEC) {
/*
* Allow arch to request a preferred minimum folio order for
* executable memory. This can often be beneficial to
* performance if (e.g.) arm64 can contpte-map the folio.
* Executable memory rarely benefits from readahead, due to its
* random access nature, so set async_size to 0.
*
* Limit to the boundaries of the VMA to avoid reading in any
* pad that might exist between sections, which would be a waste
* of memory.
*/
struct vm_area_struct *vma = vmf->vma;
unsigned long start = vma->vm_pgoff;
^^^^ here
which is not surprising because we've unlocked mmap_sem (or vma lock) just
above this if and thus vma could have been released before we got here. The
easiest fix is to move maybe_unlock_mmap_for_io() below this if. There's
nothing in there that would be problematic with the locks still held.
unsigned long end = start + ((vma->vm_end - vma->vm_start) >> PAGE_SHIFT);
unsigned long ra_end;
ra->order = exec_folio_order();
ra->start = round_down(vmf->pgoff, 1UL << ra->order);
ra->start = max(ra->start, start);
ra_end = round_up(ra->start + ra->ra_pages, 1UL << ra->order);
ra_end = min(ra_end, end);
ra->size = ra_end - ra->start;
ra->async_size = 0;
} else {
Honza
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11b0a5d4580000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=13b0a5d4580000
> console output: https://syzkaller.appspot.com/x/log.txt?x=15b0a5d4580000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8e4be574cb8c40140a2a@syzkaller.appspotmail.com
> Fixes: 3b61a3f08949 ("mm/filemap: allow arch to request folio size for exec memory")
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in do_sync_mmap_readahead+0x4bf/0x830 mm/filemap.c:3282
> Read of size 8 at addr ffff88806bda3410 by task syz-executor164/6247
>
> CPU: 0 UID: 0 PID: 6247 Comm: syz-executor164 Not tainted 6.16.0-rc1-next-20250613-syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> Call Trace:
> <TASK>
> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:408 [inline]
> print_report+0xd2/0x2b0 mm/kasan/report.c:521
> kasan_report+0x118/0x150 mm/kasan/report.c:634
> do_sync_mmap_readahead+0x4bf/0x830 mm/filemap.c:3282
> filemap_fault+0x62c/0x1200 mm/filemap.c:3444
> __do_fault+0x135/0x390 mm/memory.c:5187
> do_read_fault mm/memory.c:5608 [inline]
> do_fault mm/memory.c:5742 [inline]
> do_pte_missing mm/memory.c:4269 [inline]
> handle_pte_fault mm/memory.c:6087 [inline]
> __handle_mm_fault+0x37ed/0x5620 mm/memory.c:6230
> handle_mm_fault+0x40a/0x8e0 mm/memory.c:6399
> faultin_page mm/gup.c:1186 [inline]
> __get_user_pages+0x1aef/0x30b0 mm/gup.c:1488
> populate_vma_page_range+0x29f/0x3a0 mm/gup.c:1922
> __mm_populate+0x24c/0x380 mm/gup.c:2025
> mm_populate include/linux/mm.h:3354 [inline]
> vm_mmap_pgoff+0x3f0/0x4c0 mm/util.c:584
> ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f580d0c3919
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f580d07c208 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
> RAX: ffffffffffffffda RBX: 00007f580d14d348 RCX: 00007f580d0c3919
> RDX: 0000000001000006 RSI: 0000000000b36000 RDI: 0000200000000000
> RBP: 00007f580d14d340 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000000028011 R11: 0000000000000246 R12: 00007f580d11a270
> R13: 00002000000001d8 R14: 00002000000005c0 R15: 00002000000001c0
> </TASK>
>
> Allocated by task 6247:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> unpoison_slab_object mm/kasan/common.c:319 [inline]
> __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
> kasan_slab_alloc include/linux/kasan.h:250 [inline]
> slab_post_alloc_hook mm/slub.c:4148 [inline]
> slab_alloc_node mm/slub.c:4197 [inline]
> kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4204
> vm_area_alloc+0x24/0x140 mm/vma_init.c:31
> __mmap_new_vma mm/vma.c:2452 [inline]
> __mmap_region mm/vma.c:2662 [inline]
> mmap_region+0xe0d/0x2080 mm/vma.c:2732
> do_mmap+0xc45/0x10d0 mm/mmap.c:561
> vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
> ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Freed by task 6249:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
> poison_slab_object mm/kasan/common.c:247 [inline]
> __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
> kasan_slab_free include/linux/kasan.h:233 [inline]
> slab_free_hook mm/slub.c:2381 [inline]
> slab_free_after_rcu_debug+0x129/0x2a0 mm/slub.c:4693
> rcu_do_batch kernel/rcu/tree.c:2582 [inline]
> rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2838
> handle_softirqs+0x283/0x870 kernel/softirq.c:579
> __do_softirq kernel/softirq.c:613 [inline]
> invoke_softirq kernel/softirq.c:453 [inline]
> __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
> irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
> instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
> sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
>
> Last potentially related work creation:
> kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
> kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
> slab_free_hook mm/slub.c:2342 [inline]
> slab_free mm/slub.c:4643 [inline]
> kmem_cache_free+0x2f6/0x400 mm/slub.c:4745
> remove_vma mm/vma.c:465 [inline]
> vms_complete_munmap_vmas+0x626/0x8a0 mm/vma.c:1288
> __mmap_complete mm/vma.c:2518 [inline]
> __mmap_region mm/vma.c:2670 [inline]
> mmap_region+0x1221/0x2080 mm/vma.c:2732
> do_mmap+0xc45/0x10d0 mm/mmap.c:561
> vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> The buggy address belongs to the object at ffff88806bda33c0
> which belongs to the cache vm_area_struct of size 256
> The buggy address is located 80 bytes inside of
> freed 256-byte region [ffff88806bda33c0, ffff88806bda34c0)
>
> The buggy address belongs to the physical page:
> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6bda3
> ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
> page_type: f5(slab)
> raw: 00fff00000000000 ffff88814040ab40 ffffea0001b656c0 0000000000000003
> raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5532, tgid 5532 (rm), ts 56329480650, free_ts 52472185128
> set_page_owner include/linux/page_owner.h:32 [inline]
> post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
> prep_new_page mm/page_alloc.c:1712 [inline]
> get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
> __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
> alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
> alloc_slab_page mm/slub.c:2451 [inline]
> allocate_slab+0x8a/0x3b0 mm/slub.c:2619
> new_slab mm/slub.c:2673 [inline]
> ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
> __slab_alloc mm/slub.c:3949 [inline]
> __slab_alloc_node mm/slub.c:4024 [inline]
> slab_alloc_node mm/slub.c:4185 [inline]
> kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4204
> vm_area_dup+0x2b/0x680 mm/vma_init.c:122
> __split_vma+0x1a9/0xa00 mm/vma.c:512
> vms_gather_munmap_vmas+0x2de/0x12b0 mm/vma.c:1354
> __mmap_prepare mm/vma.c:2351 [inline]
> __mmap_region mm/vma.c:2641 [inline]
> mmap_region+0x71a/0x2080 mm/vma.c:2732
> do_mmap+0xc45/0x10d0 mm/mmap.c:561
> vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
> ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> page last free pid 5212 tgid 5212 stack trace:
> reset_page_owner include/linux/page_owner.h:25 [inline]
> free_pages_prepare mm/page_alloc.c:1248 [inline]
> __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
> __slab_free+0x326/0x400 mm/slub.c:4554
> qlink_free mm/kasan/quarantine.c:163 [inline]
> qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
> kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
> __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
> kasan_slab_alloc include/linux/kasan.h:250 [inline]
> slab_post_alloc_hook mm/slub.c:4148 [inline]
> slab_alloc_node mm/slub.c:4197 [inline]
> __do_kmalloc_node mm/slub.c:4327 [inline]
> __kmalloc_noprof+0x224/0x4f0 mm/slub.c:4340
> kmalloc_noprof include/linux/slab.h:909 [inline]
> tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251
> tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
> tomoyo_path_perm+0x213/0x4b0 security/tomoyo/file.c:822
> security_inode_getattr+0x12f/0x330 security/security.c:2377
> vfs_getattr fs/stat.c:259 [inline]
> vfs_statx_path fs/stat.c:299 [inline]
> vfs_statx+0x18e/0x550 fs/stat.c:356
> vfs_fstatat+0x118/0x170 fs/stat.c:375
> __do_sys_newfstatat fs/stat.c:542 [inline]
> __se_sys_newfstatat fs/stat.c:536 [inline]
> __x64_sys_newfstatat+0x116/0x190 fs/stat.c:536
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Memory state around the buggy address:
> ffff88806bda3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88806bda3380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
> >ffff88806bda3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff88806bda3480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff88806bda3500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
2025-06-19 9:52 ` Jan Kara
@ 2025-06-19 10:57 ` Ryan Roberts
2025-06-19 12:21 ` Will Deacon
2025-06-21 1:20 ` Hillf Danton
1 sibling, 1 reply; 15+ messages in thread
From: Ryan Roberts @ 2025-06-19 10:57 UTC (permalink / raw)
To: Jan Kara
Cc: akpm, david, jgg, jhubbard, linux-kernel, linux-mm, peterx,
syzkaller-bugs, will
On 19/06/2025 10:52, Jan Kara wrote:
> Hi,
>
> On Wed 18-06-25 05:56:30, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: bc6e0ba6c9ba Add linux-next specific files for 20250613
>> git tree: linux-next
>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=108c710c580000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=2f7a2e4d17ed458f
>> dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
>> compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=148c710c580000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=179025d4580000
>>
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/2430bb0465cc/disk-bc6e0ba6.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/436a39deef0a/vmlinux-bc6e0ba6.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/e314ca5b1eb3/bzImage-bc6e0ba6.xz
>>
>> The issue was bisected to:
>>
>> commit 3b61a3f08949297815b2c77ae2696f54cd339419
>> Author: Ryan Roberts <ryan.roberts@arm.com>
>> Date: Mon Jun 9 09:27:27 2025 +0000
>>
>> mm/filemap: allow arch to request folio size for exec memory
>
> Indeed. The crash is in:
>
> fpin = maybe_unlock_mmap_for_io(vmf, fpin);
> if (vm_flags & VM_EXEC) {
> /*
> * Allow arch to request a preferred minimum folio order for
> * executable memory. This can often be beneficial to
> * performance if (e.g.) arm64 can contpte-map the folio.
> * Executable memory rarely benefits from readahead, due to its
> * random access nature, so set async_size to 0.
> *
> * Limit to the boundaries of the VMA to avoid reading in any
> * pad that might exist between sections, which would be a waste
> * of memory.
> */
> struct vm_area_struct *vma = vmf->vma;
> unsigned long start = vma->vm_pgoff;
> ^^^^ here
> which is not surprising because we've unlocked mmap_sem (or vma lock) just
> above this if and thus vma could have been released before we got here. The
> easiest fix is to move maybe_unlock_mmap_for_io() below this if. There's
> nothing in there that would be problematic with the locks still held.
Thanks for the quick analysis, Jan! Ouch...
This is still in mm-unstable I believe, so I'll send a fix-up patch to Andrew to
move the unlock as you suggest.
By the way, I don't think I was included on the original report; Is there a way
I can sign up to be included on patched I authored in future?
Thanks,
Ryan
>
> unsigned long end = start + ((vma->vm_end - vma->vm_start) >> PAGE_SHIFT);
> unsigned long ra_end;
>
> ra->order = exec_folio_order();
> ra->start = round_down(vmf->pgoff, 1UL << ra->order);
> ra->start = max(ra->start, start);
> ra_end = round_up(ra->start + ra->ra_pages, 1UL << ra->order);
> ra_end = min(ra_end, end);
> ra->size = ra_end - ra->start;
> ra->async_size = 0;
> } else {
>
> Honza
>
>>
>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11b0a5d4580000
>> final oops: https://syzkaller.appspot.com/x/report.txt?x=13b0a5d4580000
>> console output: https://syzkaller.appspot.com/x/log.txt?x=15b0a5d4580000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+8e4be574cb8c40140a2a@syzkaller.appspotmail.com
>> Fixes: 3b61a3f08949 ("mm/filemap: allow arch to request folio size for exec memory")
>>
>> ==================================================================
>> BUG: KASAN: slab-use-after-free in do_sync_mmap_readahead+0x4bf/0x830 mm/filemap.c:3282
>> Read of size 8 at addr ffff88806bda3410 by task syz-executor164/6247
>>
>> CPU: 0 UID: 0 PID: 6247 Comm: syz-executor164 Not tainted 6.16.0-rc1-next-20250613-syzkaller #0 PREEMPT(full)
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
>> Call Trace:
>> <TASK>
>> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
>> print_address_description mm/kasan/report.c:408 [inline]
>> print_report+0xd2/0x2b0 mm/kasan/report.c:521
>> kasan_report+0x118/0x150 mm/kasan/report.c:634
>> do_sync_mmap_readahead+0x4bf/0x830 mm/filemap.c:3282
>> filemap_fault+0x62c/0x1200 mm/filemap.c:3444
>> __do_fault+0x135/0x390 mm/memory.c:5187
>> do_read_fault mm/memory.c:5608 [inline]
>> do_fault mm/memory.c:5742 [inline]
>> do_pte_missing mm/memory.c:4269 [inline]
>> handle_pte_fault mm/memory.c:6087 [inline]
>> __handle_mm_fault+0x37ed/0x5620 mm/memory.c:6230
>> handle_mm_fault+0x40a/0x8e0 mm/memory.c:6399
>> faultin_page mm/gup.c:1186 [inline]
>> __get_user_pages+0x1aef/0x30b0 mm/gup.c:1488
>> populate_vma_page_range+0x29f/0x3a0 mm/gup.c:1922
>> __mm_populate+0x24c/0x380 mm/gup.c:2025
>> mm_populate include/linux/mm.h:3354 [inline]
>> vm_mmap_pgoff+0x3f0/0x4c0 mm/util.c:584
>> ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
>> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> RIP: 0033:0x7f580d0c3919
>> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
>> RSP: 002b:00007f580d07c208 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
>> RAX: ffffffffffffffda RBX: 00007f580d14d348 RCX: 00007f580d0c3919
>> RDX: 0000000001000006 RSI: 0000000000b36000 RDI: 0000200000000000
>> RBP: 00007f580d14d340 R08: 0000000000000005 R09: 0000000000000000
>> R10: 0000000000028011 R11: 0000000000000246 R12: 00007f580d11a270
>> R13: 00002000000001d8 R14: 00002000000005c0 R15: 00002000000001c0
>> </TASK>
>>
>> Allocated by task 6247:
>> kasan_save_stack mm/kasan/common.c:47 [inline]
>> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
>> unpoison_slab_object mm/kasan/common.c:319 [inline]
>> __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
>> kasan_slab_alloc include/linux/kasan.h:250 [inline]
>> slab_post_alloc_hook mm/slub.c:4148 [inline]
>> slab_alloc_node mm/slub.c:4197 [inline]
>> kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4204
>> vm_area_alloc+0x24/0x140 mm/vma_init.c:31
>> __mmap_new_vma mm/vma.c:2452 [inline]
>> __mmap_region mm/vma.c:2662 [inline]
>> mmap_region+0xe0d/0x2080 mm/vma.c:2732
>> do_mmap+0xc45/0x10d0 mm/mmap.c:561
>> vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
>> ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
>> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> Freed by task 6249:
>> kasan_save_stack mm/kasan/common.c:47 [inline]
>> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
>> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
>> poison_slab_object mm/kasan/common.c:247 [inline]
>> __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
>> kasan_slab_free include/linux/kasan.h:233 [inline]
>> slab_free_hook mm/slub.c:2381 [inline]
>> slab_free_after_rcu_debug+0x129/0x2a0 mm/slub.c:4693
>> rcu_do_batch kernel/rcu/tree.c:2582 [inline]
>> rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2838
>> handle_softirqs+0x283/0x870 kernel/softirq.c:579
>> __do_softirq kernel/softirq.c:613 [inline]
>> invoke_softirq kernel/softirq.c:453 [inline]
>> __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
>> irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
>> instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
>> sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
>> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
>>
>> Last potentially related work creation:
>> kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
>> kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
>> slab_free_hook mm/slub.c:2342 [inline]
>> slab_free mm/slub.c:4643 [inline]
>> kmem_cache_free+0x2f6/0x400 mm/slub.c:4745
>> remove_vma mm/vma.c:465 [inline]
>> vms_complete_munmap_vmas+0x626/0x8a0 mm/vma.c:1288
>> __mmap_complete mm/vma.c:2518 [inline]
>> __mmap_region mm/vma.c:2670 [inline]
>> mmap_region+0x1221/0x2080 mm/vma.c:2732
>> do_mmap+0xc45/0x10d0 mm/mmap.c:561
>> vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
>> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> The buggy address belongs to the object at ffff88806bda33c0
>> which belongs to the cache vm_area_struct of size 256
>> The buggy address is located 80 bytes inside of
>> freed 256-byte region [ffff88806bda33c0, ffff88806bda34c0)
>>
>> The buggy address belongs to the physical page:
>> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6bda3
>> ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
>> page_type: f5(slab)
>> raw: 00fff00000000000 ffff88814040ab40 ffffea0001b656c0 0000000000000003
>> raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
>> page dumped because: kasan: bad access detected
>> page_owner tracks the page as allocated
>> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5532, tgid 5532 (rm), ts 56329480650, free_ts 52472185128
>> set_page_owner include/linux/page_owner.h:32 [inline]
>> post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
>> prep_new_page mm/page_alloc.c:1712 [inline]
>> get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
>> __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
>> alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
>> alloc_slab_page mm/slub.c:2451 [inline]
>> allocate_slab+0x8a/0x3b0 mm/slub.c:2619
>> new_slab mm/slub.c:2673 [inline]
>> ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
>> __slab_alloc mm/slub.c:3949 [inline]
>> __slab_alloc_node mm/slub.c:4024 [inline]
>> slab_alloc_node mm/slub.c:4185 [inline]
>> kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4204
>> vm_area_dup+0x2b/0x680 mm/vma_init.c:122
>> __split_vma+0x1a9/0xa00 mm/vma.c:512
>> vms_gather_munmap_vmas+0x2de/0x12b0 mm/vma.c:1354
>> __mmap_prepare mm/vma.c:2351 [inline]
>> __mmap_region mm/vma.c:2641 [inline]
>> mmap_region+0x71a/0x2080 mm/vma.c:2732
>> do_mmap+0xc45/0x10d0 mm/mmap.c:561
>> vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
>> ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
>> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> page last free pid 5212 tgid 5212 stack trace:
>> reset_page_owner include/linux/page_owner.h:25 [inline]
>> free_pages_prepare mm/page_alloc.c:1248 [inline]
>> __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
>> __slab_free+0x326/0x400 mm/slub.c:4554
>> qlink_free mm/kasan/quarantine.c:163 [inline]
>> qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
>> kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
>> __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
>> kasan_slab_alloc include/linux/kasan.h:250 [inline]
>> slab_post_alloc_hook mm/slub.c:4148 [inline]
>> slab_alloc_node mm/slub.c:4197 [inline]
>> __do_kmalloc_node mm/slub.c:4327 [inline]
>> __kmalloc_noprof+0x224/0x4f0 mm/slub.c:4340
>> kmalloc_noprof include/linux/slab.h:909 [inline]
>> tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251
>> tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
>> tomoyo_path_perm+0x213/0x4b0 security/tomoyo/file.c:822
>> security_inode_getattr+0x12f/0x330 security/security.c:2377
>> vfs_getattr fs/stat.c:259 [inline]
>> vfs_statx_path fs/stat.c:299 [inline]
>> vfs_statx+0x18e/0x550 fs/stat.c:356
>> vfs_fstatat+0x118/0x170 fs/stat.c:375
>> __do_sys_newfstatat fs/stat.c:542 [inline]
>> __se_sys_newfstatat fs/stat.c:536 [inline]
>> __x64_sys_newfstatat+0x116/0x190 fs/stat.c:536
>> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> Memory state around the buggy address:
>> ffff88806bda3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff88806bda3380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>>> ffff88806bda3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ^
>> ffff88806bda3480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>> ffff88806bda3500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>>
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>>
>> If the report is already addressed, let syzbot know by replying with:
>> #syz fix: exact-commit-title
>>
>> If you want syzbot to run the reproducer, reply with:
>> #syz test: git://repo/address.git branch-or-commit-hash
>> If you attach or paste a git patch, syzbot will apply it before testing.
>>
>> If you want to overwrite report's subsystems, reply with:
>> #syz set subsystems: new-subsystem
>> (See the list of subsystem names on the web dashboard)
>>
>> If the report is a duplicate of another one, reply with:
>> #syz dup: exact-subject-of-another-report
>>
>> If you want to undo deduplication, reply with:
>> #syz undup
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
[not found] <20250619105754.1184-1-hdanton@sina.com>
@ 2025-06-19 12:20 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-06-19 12:20 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
8.060206][ T1] tipc: Started in single node mode
[ 18.066277][ T1] NET: Registered PF_SMC protocol family
[ 18.072296][ T1] 9pnet: Installing 9P2000 support
[ 18.078212][ T1] NET: Registered PF_CAIF protocol family
[ 18.088922][ T1] NET: Registered PF_IEEE802154 protocol family
[ 18.096048][ T1] Key type dns_resolver registered
[ 18.101198][ T1] Key type ceph registered
[ 18.106486][ T1] libceph: loaded (mon/osd proto 15/24)
[ 18.114157][ T1] batman_adv: B.A.T.M.A.N. advanced 2025.2 (compatibility version 15) loaded
[ 18.123195][ T1] openvswitch: Open vSwitch switching datapath
[ 18.131604][ T1] NET: Registered PF_VSOCK protocol family
[ 18.137780][ T1] mpls_gso: MPLS GSO support
[ 18.164145][ T1] IPI shorthand broadcast: enabled
[ 19.716421][ T1] sched_clock: Marking stable (19680020590, 33543153)->(19712331250, 1232493)
[ 19.728186][ T1] registered taskstats version 1
[ 19.753013][ T1] Loading compiled-in X.509 certificates
[ 19.781618][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 296561ebce14783e289c94f2cfb024577813ccec'
[ 20.094263][ T1] zswap: loaded using pool 842/zsmalloc
[ 20.103313][ T1] Demotion targets for Node 0: null
[ 20.108630][ T1] Demotion targets for Node 1: null
[ 20.113924][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 22.585672][ T1] Key type .fscrypt registered
[ 22.590444][ T1] Key type fscrypt-provisioning registered
[ 22.603902][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 22.631354][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 22.639931][ T1] Key type big_key registered
[ 22.644686][ T1] Key type encrypted registered
[ 22.649515][ T1] AppArmor: AppArmor sha256 policy hashing enabled
[ 22.656219][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 22.662702][ T1] Loading compiled-in module X.509 certificates
[ 22.688107][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 296561ebce14783e289c94f2cfb024577813ccec'
[ 22.698982][ T1] ima: Allocated hash algorithm: sha256
[ 22.704992][ T1] ima: No architecture policies found
[ 22.710910][ T1] evm: Initialising EVM extended attributes:
[ 22.716913][ T1] evm: security.selinux (disabled)
[ 22.722101][ T1] evm: security.SMACK64 (disabled)
[ 22.727229][ T1] evm: security.SMACK64EXEC (disabled)
[ 22.732666][ T1] evm: security.SMACK64TRANSMUTE (disabled)
[ 22.738556][ T1] evm: security.SMACK64MMAP (disabled)
[ 22.744015][ T1] evm: security.apparmor
[ 22.748242][ T1] evm: security.ima
[ 22.752019][ T1] evm: security.capability
[ 22.756425][ T1] evm: HMAC attrs: 0x1
[ 22.762722][ T1] PM: Magic number: 13:316:178
[ 22.767792][ T1] video4linux video66: hash matches
[ 22.773689][ T1] tty ttyr4: hash matches
[ 22.778110][ T1] acpi device:0e: hash matches
[ 22.782870][ T1] platform: hash matches
[ 22.787384][ T1] netconsole: network logging started
[ 22.793382][ T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[ 22.805238][ T1] rdma_rxe: loaded
[ 22.809949][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 22.821056][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 22.829173][ T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[ 22.839864][ T1] clk: Disabling unused clocks
[ 22.845005][ T1] ALSA device list:
[ 22.847438][ T43] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 22.848817][ T1] #0: Dummy 1
[ 22.848828][ T1] #1: Loopback 1
[ 22.858367][ T43] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 22.861771][ T1] #2: Virtual MIDI Card 1
[ 22.882507][ T1] md: Waiting for all devices to be available before autodetect
[ 22.890180][ T1] md: If you don't use raid, use raid=noautodetect
[ 22.896709][ T1] md: Autodetecting RAID arrays.
[ 22.901709][ T1] md: autorun ...
[ 22.905358][ T1] md: ... autorun DONE.
[ 23.036082][ T1] EXT4-fs (sda1): orphan cleanup on readonly fs
[ 23.044467][ T1] EXT4-fs (sda1): mounted filesystem 4f91c6db-4997-4bb4-91b8-7e83a20c1bf1 ro with ordered data mode. Quota mode: none.
[ 23.057100][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 23.089367][ T1] devtmpfs: mounted
[ 23.166388][ T1] Freeing unused kernel image (initmem) memory: 26276K
[ 23.179409][ T1] Write protecting the kernel read-only data: 210944k
[ 23.198386][ T1] Freeing unused kernel image (text/rodata gap) memory: 948K
[ 23.209141][ T1] Freeing unused kernel image (rodata/data gap) memory: 492K
[ 23.312697][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 23.320966][ T1] x86/mm: Checking user space page tables
[ 23.408798][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 23.421580][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 23.431499][ T1] Run /sbin/init as init process
[ 23.909158][ T5168] mount (5168) used greatest stack depth: 24104 bytes left
[ 23.976839][ T5169] EXT4-fs (sda1): re-mounted 4f91c6db-4997-4bb4-91b8-7e83a20c1bf1 r/w.
mount: mounting devtmpfs on /dev failed: Device or resource busy
mount: mounting smackfs on /sys/fs/smackfs failed: No such file or directory
mount: mounting selinuxfs on /sys/fs/selinux failed: No such file or directory
[ 24.177307][ T5173] mount (5173) used greatest stack depth: 21736 bytes left
Starting syslogd: OK
Starting acpid: OK
Starting klogd: OK
Running sysctl: OK
Populating /dev using udev: [ 25.289404][ T5203] udevd[5203]: starting version 3.2.14
[ 25.593118][ T5204] udevd[5204]: starting eudev-3.2.14
[ 25.599909][ T5203] udevd (5203) used greatest stack depth: 20200 bytes left
[ 25.951253][ T5204] ------------[ cut here ]------------
[ 25.957028][ T5204] WARNING: ./include/linux/rwsem.h:203 at vms_complete_munmap_vmas+0x725/0x9f0, CPU#0: udevd/5204
[ 25.967794][ T5204] Modules linked in:
[ 25.971808][ T5204] CPU: 0 UID: 0 PID: 5204 Comm: udevd Not tainted 6.16.0-rc2-next-20250619-syzkaller-03877-g2c923c845768-dirty #0 PREEMPT(full)
[ 25.985130][ T5204] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 25.995263][ T5204] RIP: 0010:vms_complete_munmap_vmas+0x725/0x9f0
[ 26.001611][ T5204] Code: ff 48 8b 7c 24 30 48 c7 c6 ff ff ff ff e8 c3 c9 4f 09 48 85 c0 74 7c 49 89 c5 e8 96 ba aa ff e9 f8 fd ff ff e8 8c ba aa ff 90 <0f> 0b 90 e9 55 fe ff ff 48 c7 c1 30 bd a1 8f 80 e1 07 80 c1 03 38
[ 26.021362][ T5204] RSP: 0018:ffffc9000394fa58 EFLAGS: 00010293
[ 26.027502][ T5204] RAX: ffffffff8215ae04 RBX: ffff8880257fc010 RCX: ffff88807eb5da00
[ 26.035552][ T5204] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 26.043540][ T5204] RBP: 0000000000000000 R08: ffff88807eb5da00 R09: 0000000000000002
[ 26.051593][ T5204] R10: 0000000000000003 R11: 0000000000000000 R12: dffffc0000000000
[ 26.059856][ T5204] R13: ffff8880257fc000 R14: ffffc9000394fc50 R15: 1ffffffff1f437a6
[ 26.067859][ T5204] FS: 00007f55163fc880(0000) GS:ffff888125c28000(0000) knlGS:0000000000000000
[ 26.076810][ T5204] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 26.083393][ T5204] CR2: 00007f5516482d00 CR3: 00000000327c6000 CR4: 00000000003526f0
[ 26.091446][ T5204] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 26.099463][ T5204] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 26.107481][ T5204] Call Trace:
[ 26.110771][ T5204] <TASK>
[ 26.113748][ T5204] do_vmi_align_munmap+0x358/0x420
[ 26.118969][ T5204] ? __pfx_filemap_map_pages+0x10/0x10
[ 26.124484][ T5204] ? __pfx_do_vmi_align_munmap+0x10/0x10
[ 26.130163][ T5204] do_vmi_munmap+0x253/0x2e0
[ 26.134804][ T5204] __vm_munmap+0x23b/0x3d0
[ 26.139239][ T5204] ? __pfx___vm_munmap+0x10/0x10
[ 26.144251][ T5204] __x64_sys_munmap+0x60/0x70
[ 26.148947][ T5204] do_syscall_64+0xfa/0x3b0
[ 26.153473][ T5204] ? lockdep_hardirqs_on+0x9c/0x150
[ 26.158726][ T5204] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 26.164829][ T5204] ? clear_bhb_loop+0x60/0xb0
[ 26.169517][ T5204] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 26.175448][ T5204] RIP: 0033:0x7f5515d1e097
[ 26.179885][ T5204] Code: 73 01 c3 48 8b 0d 61 2d 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 31 2d 0d 00 f7 d8 64 89 01 48
[ 26.199536][ T5204] RSP: 002b:00007ffe3dfc7708 EFLAGS: 00000206 ORIG_RAX: 000000000000000b
[ 26.208009][ T5204] RAX: ffffffffffffffda RBX: 000055e9c90a2bf0 RCX: 00007f5515d1e097
[ 26.216011][ T5204] RDX: 0000000000000000 RSI: 00000000009480e8 RDI: 00007f5515200000
[ 26.224020][ T5204] RBP: 000055e9c90a2910 R08: 000055e9c90a4670 R09: 0000000000000006
[ 26.232131][ T5204] R10: 3fffffffffffffff R11: 0000000000000206 R12: 000055e9b3063588
[ 26.240149][ T5204] R13: 000055e9b3064100 R14: 0000000000000001 R15: 0000000000000000
[ 26.248180][ T5204] </TASK>
[ 26.251207][ T5204] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 26.258491][ T5204] CPU: 0 UID: 0 PID: 5204 Comm: udevd Not tainted 6.16.0-rc2-next-20250619-syzkaller-03877-g2c923c845768-dirty #0 PREEMPT(full)
[ 26.271771][ T5204] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 26.281834][ T5204] Call Trace:
[ 26.285130][ T5204] <TASK>
[ 26.288070][ T5204] dump_stack_lvl+0x99/0x250
[ 26.292702][ T5204] ? __asan_memcpy+0x40/0x70
[ 26.297308][ T5204] ? __pfx_dump_stack_lvl+0x10/0x10
[ 26.302522][ T5204] ? __pfx__printk+0x10/0x10
[ 26.307141][ T5204] panic+0x2db/0x790
[ 26.311054][ T5204] ? __pfx_panic+0x10/0x10
[ 26.315504][ T5204] __warn+0x334/0x4c0
[ 26.319495][ T5204] ? vms_complete_munmap_vmas+0x725/0x9f0
[ 26.325227][ T5204] ? vms_complete_munmap_vmas+0x725/0x9f0
[ 26.330953][ T5204] report_bug+0x2be/0x4f0
[ 26.335295][ T5204] ? vms_complete_munmap_vmas+0x725/0x9f0
[ 26.341005][ T5204] ? vms_complete_munmap_vmas+0x725/0x9f0
[ 26.346711][ T5204] ? vms_complete_munmap_vmas+0x727/0x9f0
[ 26.352423][ T5204] handle_bug+0x84/0x160
[ 26.356655][ T5204] exc_invalid_op+0x1a/0x50
[ 26.361143][ T5204] asm_exc_invalid_op+0x1a/0x20
[ 26.365974][ T5204] RIP: 0010:vms_complete_munmap_vmas+0x725/0x9f0
[ 26.372295][ T5204] Code: ff 48 8b 7c 24 30 48 c7 c6 ff ff ff ff e8 c3 c9 4f 09 48 85 c0 74 7c 49 89 c5 e8 96 ba aa ff e9 f8 fd ff ff e8 8c ba aa ff 90 <0f> 0b 90 e9 55 fe ff ff 48 c7 c1 30 bd a1 8f 80 e1 07 80 c1 03 38
[ 26.391882][ T5204] RSP: 0018:ffffc9000394fa58 EFLAGS: 00010293
[ 26.397939][ T5204] RAX: ffffffff8215ae04 RBX: ffff8880257fc010 RCX: ffff88807eb5da00
[ 26.405896][ T5204] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 26.413940][ T5204] RBP: 0000000000000000 R08: ffff88807eb5da00 R09: 0000000000000002
[ 26.421915][ T5204] R10: 0000000000000003 R11: 0000000000000000 R12: dffffc0000000000
[ 26.429895][ T5204] R13: ffff8880257fc000 R14: ffffc9000394fc50 R15: 1ffffffff1f437a6
[ 26.437863][ T5204] ? vms_complete_munmap_vmas+0x724/0x9f0
[ 26.443590][ T5204] ? vms_complete_munmap_vmas+0x724/0x9f0
[ 26.449326][ T5204] do_vmi_align_munmap+0x358/0x420
[ 26.454423][ T5204] ? __pfx_filemap_map_pages+0x10/0x10
[ 26.459875][ T5204] ? __pfx_do_vmi_align_munmap+0x10/0x10
[ 26.465511][ T5204] do_vmi_munmap+0x253/0x2e0
[ 26.470128][ T5204] __vm_munmap+0x23b/0x3d0
[ 26.474530][ T5204] ? __pfx___vm_munmap+0x10/0x10
[ 26.479472][ T5204] __x64_sys_munmap+0x60/0x70
[ 26.484136][ T5204] do_syscall_64+0xfa/0x3b0
[ 26.488624][ T5204] ? lockdep_hardirqs_on+0x9c/0x150
[ 26.493810][ T5204] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 26.499855][ T5204] ? clear_bhb_loop+0x60/0xb0
[ 26.504527][ T5204] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 26.510417][ T5204] RIP: 0033:0x7f5515d1e097
[ 26.514823][ T5204] Code: 73 01 c3 48 8b 0d 61 2d 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 31 2d 0d 00 f7 d8 64 89 01 48
[ 26.534422][ T5204] RSP: 002b:00007ffe3dfc7708 EFLAGS: 00000206 ORIG_RAX: 000000000000000b
[ 26.542831][ T5204] RAX: ffffffffffffffda RBX: 000055e9c90a2bf0 RCX: 00007f5515d1e097
[ 26.550793][ T5204] RDX: 0000000000000000 RSI: 00000000009480e8 RDI: 00007f5515200000
[ 26.558745][ T5204] RBP: 000055e9c90a2910 R08: 000055e9c90a4670 R09: 0000000000000006
[ 26.566697][ T5204] R10: 3fffffffffffffff R11: 0000000000000206 R12: 000055e9b3063588
[ 26.574660][ T5204] R13: 000055e9b3064100 R14: 0000000000000001 R15: 0000000000000000
[ 26.582623][ T5204] </TASK>
[ 26.585847][ T5204] Kernel Offset: disabled
[ 26.590156][ T5204] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.7.linux-amd64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.7.linux-amd64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.7'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3755319018=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 0e8da31f2d4
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=0e8da31f2d4312fc3ad5c1e2e221075831885e0e -X github.com/google/syzkaller/prog.gitRevisionDate=20250613-131303" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"0e8da31f2d4312fc3ad5c1e2e221075831885e0e\"
/usr/bin/ld: /tmp/cc5ohoFQ.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=129d850c580000
Tested on:
commit: 2c923c84 Add linux-next specific files for 20250619
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=58afc4b78b52b7e3
dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=1707b5d4580000
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
2025-06-19 10:57 ` Ryan Roberts
@ 2025-06-19 12:21 ` Will Deacon
2025-06-19 12:29 ` Ryan Roberts
0 siblings, 1 reply; 15+ messages in thread
From: Will Deacon @ 2025-06-19 12:21 UTC (permalink / raw)
To: Ryan Roberts
Cc: Jan Kara, akpm, david, jgg, jhubbard, linux-kernel, linux-mm,
peterx, syzkaller-bugs
On Thu, Jun 19, 2025 at 11:57:05AM +0100, Ryan Roberts wrote:
> On 19/06/2025 10:52, Jan Kara wrote:
> > Hi,
> >
> > On Wed 18-06-25 05:56:30, syzbot wrote:
> >> Hello,
> >>
> >> syzbot found the following issue on:
> >>
> >> HEAD commit: bc6e0ba6c9ba Add linux-next specific files for 20250613
> >> git tree: linux-next
> >> console+strace: https://syzkaller.appspot.com/x/log.txt?x=108c710c580000
> >> kernel config: https://syzkaller.appspot.com/x/.config?x=2f7a2e4d17ed458f
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
> >> compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=148c710c580000
> >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=179025d4580000
> >>
> >> Downloadable assets:
> >> disk image: https://storage.googleapis.com/syzbot-assets/2430bb0465cc/disk-bc6e0ba6.raw.xz
> >> vmlinux: https://storage.googleapis.com/syzbot-assets/436a39deef0a/vmlinux-bc6e0ba6.xz
> >> kernel image: https://storage.googleapis.com/syzbot-assets/e314ca5b1eb3/bzImage-bc6e0ba6.xz
> >>
> >> The issue was bisected to:
> >>
> >> commit 3b61a3f08949297815b2c77ae2696f54cd339419
> >> Author: Ryan Roberts <ryan.roberts@arm.com>
> >> Date: Mon Jun 9 09:27:27 2025 +0000
> >>
> >> mm/filemap: allow arch to request folio size for exec memory
> >
> > Indeed. The crash is in:
> >
> > fpin = maybe_unlock_mmap_for_io(vmf, fpin);
> > if (vm_flags & VM_EXEC) {
> > /*
> > * Allow arch to request a preferred minimum folio order for
> > * executable memory. This can often be beneficial to
> > * performance if (e.g.) arm64 can contpte-map the folio.
> > * Executable memory rarely benefits from readahead, due to its
> > * random access nature, so set async_size to 0.
> > *
> > * Limit to the boundaries of the VMA to avoid reading in any
> > * pad that might exist between sections, which would be a waste
> > * of memory.
> > */
> > struct vm_area_struct *vma = vmf->vma;
> > unsigned long start = vma->vm_pgoff;
> > ^^^^ here
> > which is not surprising because we've unlocked mmap_sem (or vma lock) just
> > above this if and thus vma could have been released before we got here. The
> > easiest fix is to move maybe_unlock_mmap_for_io() below this if. There's
> > nothing in there that would be problematic with the locks still held.
>
> Thanks for the quick analysis, Jan! Ouch...
>
> This is still in mm-unstable I believe, so I'll send a fix-up patch to Andrew to
> move the unlock as you suggest.
>
> By the way, I don't think I was included on the original report; Is there a way
> I can sign up to be included on patched I authored in future?
Your address looks like it's on To:
https://lore.kernel.org/r/6852b77e.a70a0220.79d0a.0214.GAE@google.com
but maybe you redirect syzbot reports to the SP^H^HIMPORTANT folder?
Will
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
2025-06-19 12:21 ` Will Deacon
@ 2025-06-19 12:29 ` Ryan Roberts
0 siblings, 0 replies; 15+ messages in thread
From: Ryan Roberts @ 2025-06-19 12:29 UTC (permalink / raw)
To: Will Deacon
Cc: Jan Kara, akpm, david, jgg, jhubbard, linux-kernel, linux-mm,
peterx, syzkaller-bugs
On 19/06/2025 13:21, Will Deacon wrote:
> On Thu, Jun 19, 2025 at 11:57:05AM +0100, Ryan Roberts wrote:
>> On 19/06/2025 10:52, Jan Kara wrote:
>>> Hi,
>>>
>>> On Wed 18-06-25 05:56:30, syzbot wrote:
>>>> Hello,
>>>>
>>>> syzbot found the following issue on:
>>>>
>>>> HEAD commit: bc6e0ba6c9ba Add linux-next specific files for 20250613
>>>> git tree: linux-next
>>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=108c710c580000
>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=2f7a2e4d17ed458f
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
>>>> compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=148c710c580000
>>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=179025d4580000
>>>>
>>>> Downloadable assets:
>>>> disk image: https://storage.googleapis.com/syzbot-assets/2430bb0465cc/disk-bc6e0ba6.raw.xz
>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/436a39deef0a/vmlinux-bc6e0ba6.xz
>>>> kernel image: https://storage.googleapis.com/syzbot-assets/e314ca5b1eb3/bzImage-bc6e0ba6.xz
>>>>
>>>> The issue was bisected to:
>>>>
>>>> commit 3b61a3f08949297815b2c77ae2696f54cd339419
>>>> Author: Ryan Roberts <ryan.roberts@arm.com>
>>>> Date: Mon Jun 9 09:27:27 2025 +0000
>>>>
>>>> mm/filemap: allow arch to request folio size for exec memory
>>>
>>> Indeed. The crash is in:
>>>
>>> fpin = maybe_unlock_mmap_for_io(vmf, fpin);
>>> if (vm_flags & VM_EXEC) {
>>> /*
>>> * Allow arch to request a preferred minimum folio order for
>>> * executable memory. This can often be beneficial to
>>> * performance if (e.g.) arm64 can contpte-map the folio.
>>> * Executable memory rarely benefits from readahead, due to its
>>> * random access nature, so set async_size to 0.
>>> *
>>> * Limit to the boundaries of the VMA to avoid reading in any
>>> * pad that might exist between sections, which would be a waste
>>> * of memory.
>>> */
>>> struct vm_area_struct *vma = vmf->vma;
>>> unsigned long start = vma->vm_pgoff;
>>> ^^^^ here
>>> which is not surprising because we've unlocked mmap_sem (or vma lock) just
>>> above this if and thus vma could have been released before we got here. The
>>> easiest fix is to move maybe_unlock_mmap_for_io() below this if. There's
>>> nothing in there that would be problematic with the locks still held.
>>
>> Thanks for the quick analysis, Jan! Ouch...
>>
>> This is still in mm-unstable I believe, so I'll send a fix-up patch to Andrew to
>> move the unlock as you suggest.
>>
>> By the way, I don't think I was included on the original report; Is there a way
>> I can sign up to be included on patched I authored in future?
>
> Your address looks like it's on To:
>
> https://lore.kernel.org/r/6852b77e.a70a0220.79d0a.0214.GAE@google.com
>
> but maybe you redirect syzbot reports to the SP^H^HIMPORTANT folder?
Hmm... Another email fail from me I guess. I don't have any rule that I'm aware
of and I don't see it in any of the folders that I do redirect to, nor in the
trash. Anyway, it's almost certainly my error. Thanks for pointing it out.
>
> Will
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
[not found] <20250619133753.1203-1-hdanton@sina.com>
@ 2025-06-19 13:39 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-06-19 13:39 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master: failed to run ["git" "fetch" "--force" "6e274abda436d30078c0e5fb9703cc1905bba23f" "master"]: exit status 128
fatal: unable to connect to git.kernel.org:
git.kernel.org[0: 172.105.4.254]: errno=Connection refused
git.kernel.org[1: 2600:3c04:e001:324:0:1991:8:25]: errno=Network is unreachable
Tested on:
commit: [unknown
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=2f7a2e4d17ed458f
dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=127dfe82580000
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
[not found] <20250620030111.1259-1-hdanton@sina.com>
@ 2025-06-20 3:35 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-06-20 3:35 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in do_sync_mmap_readahead
==================================================================
BUG: KASAN: slab-use-after-free in do_sync_mmap_readahead+0x4bf/0x830 mm/filemap.c:3282
Read of size 8 at addr ffff88805ddc6a50 by task syz.1.161/7593
CPU: 1 UID: 0 PID: 7593 Comm: syz.1.161 Not tainted 6.16.0-rc2-next-20250619-syzkaller-03877-g2c923c845768-dirty #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
do_sync_mmap_readahead+0x4bf/0x830 mm/filemap.c:3282
filemap_fault+0x62c/0x1200 mm/filemap.c:3444
__do_fault+0x135/0x390 mm/memory.c:5187
do_read_fault mm/memory.c:5608 [inline]
do_fault mm/memory.c:5742 [inline]
do_pte_missing mm/memory.c:4269 [inline]
handle_pte_fault mm/memory.c:6087 [inline]
__handle_mm_fault+0x37ed/0x5620 mm/memory.c:6230
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6399
faultin_page mm/gup.c:1186 [inline]
__get_user_pages+0x1aef/0x30b0 mm/gup.c:1488
populate_vma_page_range+0x29f/0x3a0 mm/gup.c:1922
__mm_populate+0x24c/0x380 mm/gup.c:2025
mm_populate include/linux/mm.h:3372 [inline]
vm_mmap_pgoff+0x3f0/0x4c0 mm/util.c:584
ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc98df8e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc98edd4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007fc98e1b5fa0 RCX: 00007fc98df8e929
RDX: 0000000001000006 RSI: 0000000000b36000 RDI: 0000200000000000
RBP: 00007fc98e010b39 R08: 0000000000000006 R09: 0000000000000000
R10: 0000000000028011 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc98e1b5fa0 R15: 00007fffd4637e18
</TASK>
Allocated by task 7593:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4179 [inline]
slab_alloc_node mm/slub.c:4228 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4235
vm_area_alloc+0x24/0x140 mm/vma_init.c:31
__mmap_new_vma mm/vma.c:2469 [inline]
__mmap_region mm/vma.c:2679 [inline]
mmap_region+0xe0d/0x2080 mm/vma.c:2749
do_mmap+0xc45/0x10d0 mm/mmap.c:561
vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 15:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2416 [inline]
slab_free_after_rcu_debug+0x129/0x2a0 mm/slub.c:4729
rcu_do_batch kernel/rcu/tree.c:2582 [inline]
rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2838
handle_softirqs+0x286/0x870 kernel/softirq.c:579
run_ksoftirqd+0x9b/0x100 kernel/softirq.c:968
smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
slab_free_hook mm/slub.c:2377 [inline]
slab_free mm/slub.c:4679 [inline]
kmem_cache_free+0x2f6/0x400 mm/slub.c:4781
remove_vma mm/vma.c:449 [inline]
vms_complete_munmap_vmas+0x6a6/0xab0 mm/vma.c:1275
__mmap_complete mm/vma.c:2535 [inline]
__mmap_region mm/vma.c:2687 [inline]
mmap_region+0x1221/0x2080 mm/vma.c:2749
do_mmap+0xc45/0x10d0 mm/mmap.c:561
vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88805ddc6a00
which belongs to the cache vm_area_struct of size 256
The buggy address is located 80 bytes inside of
freed 256-byte region [ffff88805ddc6a00, ffff88805ddc6b00)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ddc6
memcg:ffff88802850ff01
anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801bad4b40 ffffea00009f9e40 0000000000000005
raw: 0000000000000000 00000000000c000c 00000000f5000000 ffff88802850ff01
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 7260, tgid 7260 (cmp), ts 149257300647, free_ts 149219699845
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2486 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2654
new_slab mm/slub.c:2708 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3890
__slab_alloc mm/slub.c:3980 [inline]
__slab_alloc_node mm/slub.c:4055 [inline]
slab_alloc_node mm/slub.c:4216 [inline]
kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4235
vm_area_dup+0x2b/0x680 mm/vma_init.c:122
__split_vma+0x1a9/0xa00 mm/vma.c:496
vms_gather_munmap_vmas+0x2de/0x12b0 mm/vma.c:1342
__mmap_prepare mm/vma.c:2368 [inline]
__mmap_region mm/vma.c:2658 [inline]
mmap_region+0x71a/0x2080 mm/vma.c:2749
do_mmap+0xc45/0x10d0 mm/mmap.c:561
vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 3479 tgid 3479 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
pagetable_free include/linux/mm.h:2903 [inline]
pagetable_dtor_free include/linux/mm.h:3001 [inline]
__tlb_remove_table+0x2d2/0x3b0 include/asm-generic/tlb.h:220
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:290
rcu_do_batch kernel/rcu/tree.c:2582 [inline]
rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2838
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Memory state around the buggy address:
ffff88805ddc6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805ddc6980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88805ddc6a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805ddc6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805ddc6b00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================
Tested on:
commit: 2c923c84 Add linux-next specific files for 20250619
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10f2f5d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=58afc4b78b52b7e3
dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=17c2f5d4580000
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
[not found] <20250620055500.1295-1-hdanton@sina.com>
@ 2025-06-20 6:57 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-06-20 6:57 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
596589][ T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 27.603669][ T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 27.612030][ T1] NET: Registered PF_PHONET protocol family
[ 27.619226][ T1] 8021q: 802.1Q VLAN Support v1.8
[ 27.624904][ T1] sctp: Hash tables configured (bind 32/56)
[ 27.633622][ T1] NET: Registered PF_RDS protocol family
[ 27.640981][ T1] Registered RDS/infiniband transport
[ 27.647953][ T1] Registered RDS/tcp transport
[ 27.653173][ T1] tipc: Activated (version 2.0.0)
[ 27.659306][ T1] NET: Registered PF_TIPC protocol family
[ 27.667111][ T1] tipc: Started in single node mode
[ 27.673627][ T1] NET: Registered PF_SMC protocol family
[ 27.679893][ T1] 9pnet: Installing 9P2000 support
[ 27.686223][ T1] NET: Registered PF_CAIF protocol family
[ 27.698111][ T1] NET: Registered PF_IEEE802154 protocol family
[ 27.705116][ T1] Key type dns_resolver registered
[ 27.710323][ T1] Key type ceph registered
[ 27.715773][ T1] libceph: loaded (mon/osd proto 15/24)
[ 27.724864][ T1] batman_adv: B.A.T.M.A.N. advanced 2025.2 (compatibility version 15) loaded
[ 27.735532][ T1] openvswitch: Open vSwitch switching datapath
[ 27.745784][ T1] NET: Registered PF_VSOCK protocol family
[ 27.752455][ T1] mpls_gso: MPLS GSO support
[ 27.791829][ T1] IPI shorthand broadcast: enabled
[ 28.853017][ T4368] kworker/u8:5 (4368) used greatest stack depth: 25544 bytes left
[ 29.545777][ T1] sched_clock: Marking stable (29480023419, 60586956)->(29548520009, -7909634)
[ 29.559295][ T1] registered taskstats version 1
[ 29.587631][ T1] Loading compiled-in X.509 certificates
[ 29.629727][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 9544ed9c381b9ee60e03c33019a0775f61856505'
[ 30.041269][ T1] zswap: loaded using pool 842/zsmalloc
[ 30.050869][ T1] Demotion targets for Node 0: null
[ 30.056261][ T1] Demotion targets for Node 1: null
[ 30.061859][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 33.228886][ T1] Key type .fscrypt registered
[ 33.233756][ T1] Key type fscrypt-provisioning registered
[ 33.249155][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 33.284299][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 33.293561][ T1] Key type big_key registered
[ 33.298857][ T1] Key type encrypted registered
[ 33.304175][ T1] AppArmor: AppArmor sha256 policy hashing enabled
[ 33.311287][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 33.317886][ T1] Loading compiled-in module X.509 certificates
[ 33.356852][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 9544ed9c381b9ee60e03c33019a0775f61856505'
[ 33.367969][ T1] ima: Allocated hash algorithm: sha256
[ 33.373914][ T1] ima: No architecture policies found
[ 33.379932][ T1] evm: Initialising EVM extended attributes:
[ 33.385960][ T1] evm: security.selinux (disabled)
[ 33.391455][ T1] evm: security.SMACK64 (disabled)
[ 33.396585][ T1] evm: security.SMACK64EXEC (disabled)
[ 33.402069][ T1] evm: security.SMACK64TRANSMUTE (disabled)
[ 33.408143][ T1] evm: security.SMACK64MMAP (disabled)
[ 33.413994][ T1] evm: security.apparmor
[ 33.418456][ T1] evm: security.ima
[ 33.422434][ T1] evm: security.capability
[ 33.427069][ T1] evm: HMAC attrs: 0x1
[ 33.434168][ T1] PM: Magic number: 13:923:822
[ 33.439967][ T1] video4linux v4l-touch0: hash matches
[ 33.446106][ T1] block loop10: hash matches
[ 33.451222][ T1] tty ptyt2: hash matches
[ 33.455932][ T1] netconsole: network logging started
[ 33.462668][ T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[ 33.475283][ T1] rdma_rxe: loaded
[ 33.480368][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 33.492268][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 33.501017][ T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[ 33.510851][ T9] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 33.511215][ T1] clk: Disabling unused clocks
[ 33.524683][ T9] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 33.526178][ T1] ALSA device list:
[ 33.538940][ T1] #0: Dummy 1
[ 33.542650][ T1] #1: Loopback 1
[ 33.546384][ T1] #2: Virtual MIDI Card 1
[ 33.555198][ T1] md: Waiting for all devices to be available before autodetect
[ 33.562972][ T1] md: If you don't use raid, use raid=noautodetect
[ 33.569582][ T1] md: Autodetecting RAID arrays.
[ 33.574788][ T1] md: autorun ...
[ 33.578693][ T1] md: ... autorun DONE.
[ 33.739773][ T1] EXT4-fs (sda1): orphan cleanup on readonly fs
[ 33.749322][ T1] EXT4-fs (sda1): mounted filesystem 4f91c6db-4997-4bb4-91b8-7e83a20c1bf1 ro with ordered data mode. Quota mode: none.
[ 33.762960][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 33.773900][ T1] devtmpfs: mounted
[ 33.875119][ T1] Freeing unused kernel image (initmem) memory: 26276K
[ 33.889782][ T1] Write protecting the kernel read-only data: 210944k
[ 33.913533][ T1] Freeing unused kernel image (text/rodata gap) memory: 948K
[ 33.925400][ T1] Freeing unused kernel image (rodata/data gap) memory: 492K
[ 34.137917][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 34.146494][ T1] x86/mm: Checking user space page tables
[ 34.329365][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 34.343651][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 34.353892][ T1] Run /sbin/init as init process
[ 34.394256][ T1]
[ 34.396622][ T1] =====================================
[ 34.402211][ T1] WARNING: bad unlock balance detected!
[ 34.407859][ T1] 6.16.0-rc2-next-20250619-syzkaller-03877-g2c923c845768-dirty #0 Not tainted
[ 34.416889][ T1] -------------------------------------
[ 34.422537][ T1] swapper/0/1 is trying to release lock (vm_lock) at:
[ 34.429320][ T1] [<ffffffff82090441>] get_user_pages_remote+0x2f1/0xad0
[ 34.436517][ T1] but there are no more locks to release!
[ 34.442250][ T1]
[ 34.442250][ T1] other info that might help us debug this:
[ 34.450415][ T1] 1 lock held by swapper/0/1:
[ 34.455282][ T1] #0: ffff88801a471760 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock_maybe_expand+0xbc/0x3c0
[ 34.466037][ T1]
[ 34.466037][ T1] stack backtrace:
[ 34.471986][ T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc2-next-20250619-syzkaller-03877-g2c923c845768-dirty #0 PREEMPT(full)
[ 34.472011][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 34.472029][ T1] Call Trace:
[ 34.472039][ T1] <TASK>
[ 34.472048][ T1] dump_stack_lvl+0x189/0x250
[ 34.472081][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 34.472108][ T1] ? __pfx__printk+0x10/0x10
[ 34.472127][ T1] ? print_lock_name+0xde/0x100
[ 34.472146][ T1] ? get_user_pages_remote+0x2f1/0xad0
[ 34.472170][ T1] print_unlock_imbalance_bug+0xdc/0xf0
[ 34.472199][ T1] lock_release+0x269/0x3e0
[ 34.472222][ T1] ? get_user_pages_remote+0x2f1/0xad0
[ 34.472247][ T1] __get_user_pages+0x2dc7/0x3020
[ 34.472285][ T1] ? __pfx___get_user_pages+0x10/0x10
[ 34.472312][ T1] get_user_pages_remote+0x2f1/0xad0
[ 34.472339][ T1] ? __pfx_get_user_pages_remote+0x10/0x10
[ 34.472362][ T1] ? down_read+0x1ad/0x2e0
[ 34.472386][ T1] ? mmap_read_lock_maybe_expand+0xc6/0x3c0
[ 34.472405][ T1] get_arg_page+0x104/0x330
[ 34.472429][ T1] ? __pfx_get_arg_page+0x10/0x10
[ 34.472452][ T1] ? __pfx___might_resched+0x10/0x10
[ 34.472478][ T1] ? create_init_stack_vma+0x523/0x680
[ 34.472506][ T1] copy_string_kernel+0x191/0x2a0
[ 34.472531][ T1] kernel_execve+0x5a2/0x9f0
[ 34.472559][ T1] ? __pfx_kernel_init+0x10/0x10
[ 34.472580][ T1] try_to_run_init_process+0x13/0x60
[ 34.472604][ T1] ? __pfx_kernel_init+0x10/0x10
[ 34.472630][ T1] kernel_init+0xad/0x1d0
[ 34.472649][ T1] ? __pfx_kernel_init+0x10/0x10
[ 34.472668][ T1] ret_from_fork+0x3fc/0x770
[ 34.472694][ T1] ? __pfx_ret_from_fork+0x10/0x10
[ 34.472720][ T1] ? __switch_to_asm+0x39/0x70
[ 34.472736][ T1] ? __switch_to_asm+0x33/0x70
[ 34.472752][ T1] ? __pfx_kernel_init+0x10/0x10
[ 34.472773][ T1] ret_from_fork_asm+0x1a/0x30
[ 34.472797][ T1] </TASK>
[ 97.551206][ T9] cfg80211: failed to load regulatory.db
[ 202.580574][ C0] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
[ 202.588016][ C0] rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P1
[ 202.595200][ C0] rcu: (detected by 0, t=10502 jiffies, g=3113, q=77 ncpus=2)
[ 202.603497][ C0] task:swapper/0 state:R running task stack:18840 pid:1 tgid:1 ppid:0 task_flags:0x0140 flags:0x00004002
[ 202.617438][ C0] Call Trace:
[ 202.621217][ C0] <IRQ>
[ 202.624138][ C0] sched_show_task+0x49d/0x630
[ 202.628927][ C0] ? __pfx_sched_show_task+0x10/0x10
[ 202.634220][ C0] ? rcu_dump_cpu_stacks+0x79/0x4e0
[ 202.639427][ C0] ? wq_watchdog_touch+0xef/0x180
[ 202.644461][ C0] print_other_cpu_stall+0xfa6/0x1370
[ 202.649853][ C0] ? __pfx_print_other_cpu_stall+0x10/0x10
[ 202.655786][ C0] ? rcu_is_watching+0x15/0xb0
[ 202.660753][ C0] ? rcu_is_watching+0x15/0xb0
[ 202.665646][ C0] rcu_sched_clock_irq+0x9d1/0x1090
[ 202.670878][ C0] ? __pfx_rcu_sched_clock_irq+0x10/0x10
[ 202.676623][ C0] update_process_times+0x23c/0x2f0
[ 202.681946][ C0] tick_nohz_handler+0x39a/0x520
[ 202.686907][ C0] ? __pfx_tick_nohz_handler+0x10/0x10
[ 202.692408][ C0] __hrtimer_run_queues+0x4e0/0xc60
[ 202.697758][ C0] ? __pfx___hrtimer_run_queues+0x10/0x10
[ 202.703594][ C0] ? read_tsc+0x9/0x20
[ 202.707700][ C0] hrtimer_interrupt+0x45b/0xaa0
[ 202.712854][ C0] __sysvec_apic_timer_interrupt+0x10b/0x410
[ 202.719067][ C0] sysvec_apic_timer_interrupt+0xa1/0xc0
[ 202.724828][ C0] </IRQ>
[ 202.727779][ C0] <TASK>
[ 202.730737][ C0] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 202.737352][ C0] RIP: 0010:mtree_range_walk+0x6b7/0x840
[ 202.743593][ C0] Code: 9f 52 bf f6 e9 47 fb ff ff e8 a5 2a 5b f6 89 d8 e9 09 fb ff ff e8 99 2a 5b f6 48 8b 54 24 08 48 8d 7a 3f 48 89 f8 48 c1 e8 03 <0f> b6 04 28 84 c0 0f 85 19 01 00 00 8b 44 24 04 88 42 3f 4c 8d 72
[ 202.764005][ C0] RSP: 0000:ffffc90000067760 EFLAGS: 00000a07
[ 202.770192][ C0] RAX: 1ffff9200000cf21 RBX: 0000000000000001 RCX: ffff8881404c8000
[ 202.778278][ C0] RDX: ffffc900000678d0 RSI: ffff88801a471500 RDI: ffffc9000006790f
[ 202.787151][ C0] RBP: dffffc0000000000 R08: ffff8881404c8000 R09: 0000000000000004
[ 202.795319][ C0] R10: 0000000000000003 R11: 0000000000000000 R12: 00007fffffffe000
[ 202.803574][ C0] R13: 00007fffffffefff R14: ffff88801a471500 R15: ffff88802dc03e00
[ 202.811580][ C0] mas_walk+0xc6/0x2e0
[ 202.815671][ C0] ? lock_vma_under_rcu+0x3c8/0x710
[ 202.821095][ C0] lock_vma_under_rcu+0x1be/0x710
[ 202.826211][ C0] ? lock_vma_under_rcu+0xf8/0x710
[ 202.831323][ C0] ? __pfx_lock_vma_under_rcu+0x10/0x10
[ 202.836979][ C0] __get_user_pages+0x404/0x3020
[ 202.841960][ C0] ? __pfx___get_user_pages+0x10/0x10
[ 202.847542][ C0] ? mmap_read_lock_maybe_expand+0xbc/0x3c0
[ 202.853459][ C0] ? rcu_is_watching+0x15/0xb0
[ 202.858511][ C0] ? is_valid_gup_args+0x11f/0x200
[ 202.863664][ C0] get_user_pages_remote+0x2f1/0xad0
[ 202.868997][ C0] ? __pfx_get_user_pages_remote+0x10/0x10
[ 202.874986][ C0] ? down_read+0x1ad/0x2e0
[ 202.879586][ C0] ? mmap_read_lock_maybe_expand+0xc6/0x3c0
[ 202.885490][ C0] get_arg_page+0x104/0x330
[ 202.890016][ C0] ? __pfx_get_arg_page+0x10/0x10
[ 202.895261][ C0] ? __pfx___might_resched+0x10/0x10
[ 202.900673][ C0] copy_string_kernel+0x191/0x2a0
[ 202.905734][ C0] kernel_execve+0x673/0x9f0
[ 202.910444][ C0] ? __pfx_kernel_init+0x10/0x10
[ 202.915485][ C0] try_to_run_init_process+0x13/0x60
[ 202.921105][ C0] ? __pfx_kernel_init+0x10/0x10
[ 202.926068][ C0] kernel_init+0xad/0x1d0
[ 202.930515][ C0] ? __pfx_kernel_init+0x10/0x10
[ 202.935512][ C0] ret_from_fork+0x3fc/0x770
[ 202.940312][ C0] ? __pfx_ret_from_fork+0x10/0x10
[ 202.945721][ C0] ? __switch_to_asm+0x39/0x70
[ 202.950593][ C0] ? __switch_to_asm+0x33/0x70
[ 202.955365][ C0] ? __pfx_kernel_init+0x10/0x10
[ 202.960497][ C0] ret_from_fork_asm+0x1a/0x30
[ 202.965371][ C0] </TASK>
[ 328.590772][ T36] kworker/u8:2 (36) used greatest stack depth: 23608 bytes left
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.7.linux-amd64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.7.linux-amd64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.7'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2886964739=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 0e8da31f2d4
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=0e8da31f2d4312fc3ad5c1e2e221075831885e0e -X github.com/google/syzkaller/prog.gitRevisionDate=20250613-131303" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"0e8da31f2d4312fc3ad5c1e2e221075831885e0e\"
/usr/bin/ld: /tmp/cci5PNSq.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=158b9d0c580000
Tested on:
commit: 2c923c84 Add linux-next specific files for 20250619
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=58afc4b78b52b7e3
dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=14979370580000
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
[not found] <20250620094529.1318-1-hdanton@sina.com>
@ 2025-06-20 10:20 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-06-20 10:20 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in do_sync_mmap_readahead
==================================================================
BUG: KASAN: slab-use-after-free in do_sync_mmap_readahead+0x4bf/0x830 mm/filemap.c:3282
Read of size 8 at addr ffff888028ba3410 by task syz.3.92/7189
CPU: 1 UID: 0 PID: 7189 Comm: syz.3.92 Not tainted 6.16.0-rc2-next-20250619-syzkaller-03877-g2c923c845768-dirty #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
do_sync_mmap_readahead+0x4bf/0x830 mm/filemap.c:3282
filemap_fault+0x62c/0x1200 mm/filemap.c:3444
__do_fault+0x138/0x390 mm/memory.c:5187
do_read_fault mm/memory.c:5608 [inline]
do_fault mm/memory.c:5742 [inline]
do_pte_missing mm/memory.c:4269 [inline]
handle_pte_fault mm/memory.c:6087 [inline]
__handle_mm_fault+0x37ed/0x5620 mm/memory.c:6230
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6399
faultin_page mm/gup.c:1186 [inline]
__get_user_pages+0x1b0c/0x3210 mm/gup.c:1491
populate_vma_page_range+0x29f/0x3a0 mm/gup.c:1931
__mm_populate+0x24c/0x380 mm/gup.c:2034
mm_populate include/linux/mm.h:3372 [inline]
vm_mmap_pgoff+0x3f0/0x4c0 mm/util.c:584
ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdcf798e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdcf87cc038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007fdcf7bb5fa0 RCX: 00007fdcf798e929
RDX: 0000000001000006 RSI: 0000000000b36000 RDI: 0000200000000000
RBP: 00007fdcf7a10b39 R08: 0000000000000006 R09: 0000000000000000
R10: 0000000000028011 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fdcf7bb5fa0 R15: 00007fff64f68fd8
</TASK>
Allocated by task 7189:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4179 [inline]
slab_alloc_node mm/slub.c:4228 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4235
vm_area_alloc+0x24/0x140 mm/vma_init.c:31
__mmap_new_vma mm/vma.c:2469 [inline]
__mmap_region mm/vma.c:2679 [inline]
mmap_region+0xe0d/0x2080 mm/vma.c:2749
do_mmap+0xc45/0x10d0 mm/mmap.c:561
vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:607
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 7194:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2416 [inline]
slab_free_after_rcu_debug+0x129/0x2a0 mm/slub.c:4729
rcu_do_batch kernel/rcu/tree.c:2582 [inline]
rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2838
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
slab_free_hook mm/slub.c:2377 [inline]
slab_free mm/slub.c:4679 [inline]
kmem_cache_free+0x2f6/0x400 mm/slub.c:4781
remove_vma mm/vma.c:449 [inline]
vms_complete_munmap_vmas+0x6a6/0xab0 mm/vma.c:1275
__mmap_complete mm/vma.c:2535 [inline]
__mmap_region mm/vma.c:2687 [inline]
mmap_region+0x1221/0x2080 mm/vma.c:2749
do_mmap+0xc45/0x10d0 mm/mmap.c:561
vm_mmap_pgoff+0x31b/0x4c0 mm/util.c:579
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888028ba33c0
which belongs to the cache vm_area_struct of size 256
The buggy address is located 80 bytes inside of
freed 256-byte region [ffff888028ba33c0, ffff888028ba34c0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28ba3
memcg:ffff888079f4d581
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88814047eb40 dead000000000122 0000000000000000
raw: 0000000000000000 00000000000c000c 00000000f5000000 ffff888079f4d581
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 7181, tgid 7181 (syz.2.91), ts 155840311602, free_ts 155832927152
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2486 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2654
new_slab mm/slub.c:2708 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3890
__slab_alloc mm/slub.c:3980 [inline]
__slab_alloc_node mm/slub.c:4055 [inline]
slab_alloc_node mm/slub.c:4216 [inline]
kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4235
vm_area_dup+0x2b/0x680 mm/vma_init.c:122
__split_vma+0x1a9/0xa00 mm/vma.c:496
split_vma mm/vma.c:579 [inline]
vma_modify+0x23e/0x460 mm/vma.c:1606
vma_modify_flags+0x1e8/0x230 mm/vma.c:1632
mprotect_fixup+0x400/0x9b0 mm/mprotect.c:658
do_mprotect_pkey+0x8cd/0xce0 mm/mprotect.c:832
__do_sys_mprotect mm/mprotect.c:853 [inline]
__se_sys_mprotect mm/mprotect.c:850 [inline]
__x64_sys_mprotect+0x80/0x90 mm/mprotect.c:850
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 49 tgid 49 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
rcu_do_batch kernel/rcu/tree.c:2582 [inline]
rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2838
handle_softirqs+0x286/0x870 kernel/softirq.c:579
do_softirq+0xec/0x180 kernel/softirq.c:480
__local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:910 [inline]
__dev_queue_xmit+0x1cd7/0x3a70 net/core/dev.c:4738
dev_queue_xmit include/linux/netdevice.h:3355 [inline]
batadv_send_skb_packet+0x44f/0x6d0 net/batman-adv/send.c:108
batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline]
batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]
batadv_iv_send_outstanding_bat_ogm_packet+0x62f/0x7e0 net/batman-adv/bat_iv_ogm.c:1708
process_one_work kernel/workqueue.c:3239 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3322
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3403
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff888028ba3300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888028ba3380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888028ba3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888028ba3480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888028ba3500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 2c923c84 Add linux-next specific files for 20250619
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=146c5370580000
kernel config: https://syzkaller.appspot.com/x/.config?x=58afc4b78b52b7e3
dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=1493f5d4580000
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
[not found] <20250620114122.1338-1-hdanton@sina.com>
@ 2025-06-20 13:09 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-06-20 13:09 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+8e4be574cb8c40140a2a@syzkaller.appspotmail.com
Tested-by: syzbot+8e4be574cb8c40140a2a@syzkaller.appspotmail.com
Tested on:
commit: 5d4809e2 Add linux-next specific files for 20250620
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13495d0c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=58afc4b78b52b7e3
dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=11fe8182580000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
2025-06-19 9:52 ` Jan Kara
2025-06-19 10:57 ` Ryan Roberts
@ 2025-06-21 1:20 ` Hillf Danton
2025-06-23 12:51 ` Ryan Roberts
1 sibling, 1 reply; 15+ messages in thread
From: Hillf Danton @ 2025-06-21 1:20 UTC (permalink / raw)
To: Jan Kara
Cc: ryan.roberts, david, jhubbard, linux-kernel, linux-mm,
syzkaller-bugs
On Thu, 19 Jun 2025 11:52:43 +0200 Jan Kara wrote
> On Wed 18-06-25 05:56:30, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: bc6e0ba6c9ba Add linux-next specific files for 20250613
> > git tree: linux-next
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=108c710c580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=2f7a2e4d17ed458f
> > dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
> > compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=148c710c580000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=179025d4580000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/2430bb0465cc/disk-bc6e0ba6.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/436a39deef0a/vmlinux-bc6e0ba6.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/e314ca5b1eb3/bzImage-bc6e0ba6.xz
> >
> > The issue was bisected to:
> >
> > commit 3b61a3f08949297815b2c77ae2696f54cd339419
> > Author: Ryan Roberts <ryan.roberts@arm.com>
> > Date: Mon Jun 9 09:27:27 2025 +0000
> >
> > mm/filemap: allow arch to request folio size for exec memory
>
> Indeed. The crash is in:
>
> fpin = maybe_unlock_mmap_for_io(vmf, fpin);
> if (vm_flags & VM_EXEC) {
> /*
> * Allow arch to request a preferred minimum folio order for
> * executable memory. This can often be beneficial to
> * performance if (e.g.) arm64 can contpte-map the folio.
> * Executable memory rarely benefits from readahead, due to its
> * random access nature, so set async_size to 0.
> *
> * Limit to the boundaries of the VMA to avoid reading in any
> * pad that might exist between sections, which would be a waste
> * of memory.
> */
> struct vm_area_struct *vma = vmf->vma;
> unsigned long start = vma->vm_pgoff;
> ^^^^ here
> which is not surprising because we've unlocked mmap_sem (or vma lock) just
> above this if and thus vma could have been released before we got here. The
> easiest fix is to move maybe_unlock_mmap_for_io() below this if. There's
> nothing in there that would be problematic with the locks still held.
>
In the fault path (arch/arm64/mm/fault.c), vma is locked for read.
do_page_fault()
vma = lock_vma_under_rcu(mm, addr)
handle_mm_fault()
While in the mmap path [1], mm is locked for write but vma is removed without
locking vma for write.
vm_mmap_pgoff()
mmap_write_lock_killable(mm)
do_mmap()
mmap_regionC()
__mmap_region()
__mmap_complete()
vms_complete_munmap_vmas()
remove_vma()
Thus the correct fix looks like locking vma in both mmap and gup pathes [2].
[1] https://lore.kernel.org/lkml/685535d2.a00a0220.137b3.0045.GAE@google.com/
[2] https://lore.kernel.org/lkml/68555d6e.a00a0220.137b3.004c.GAE@google.com/
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
2025-06-21 1:20 ` Hillf Danton
@ 2025-06-23 12:51 ` Ryan Roberts
2025-06-24 0:30 ` Hillf Danton
0 siblings, 1 reply; 15+ messages in thread
From: Ryan Roberts @ 2025-06-23 12:51 UTC (permalink / raw)
To: Hillf Danton, Jan Kara
Cc: david, jhubbard, linux-kernel, linux-mm, syzkaller-bugs
On 21/06/2025 02:20, Hillf Danton wrote:
> On Thu, 19 Jun 2025 11:52:43 +0200 Jan Kara wrote
>> On Wed 18-06-25 05:56:30, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit: bc6e0ba6c9ba Add linux-next specific files for 20250613
>>> git tree: linux-next
>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=108c710c580000
>>> kernel config: https://syzkaller.appspot.com/x/.config?x=2f7a2e4d17ed458f
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
>>> compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=148c710c580000
>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=179025d4580000
>>>
>>> Downloadable assets:
>>> disk image: https://storage.googleapis.com/syzbot-assets/2430bb0465cc/disk-bc6e0ba6.raw.xz
>>> vmlinux: https://storage.googleapis.com/syzbot-assets/436a39deef0a/vmlinux-bc6e0ba6.xz
>>> kernel image: https://storage.googleapis.com/syzbot-assets/e314ca5b1eb3/bzImage-bc6e0ba6.xz
>>>
>>> The issue was bisected to:
>>>
>>> commit 3b61a3f08949297815b2c77ae2696f54cd339419
>>> Author: Ryan Roberts <ryan.roberts@arm.com>
>>> Date: Mon Jun 9 09:27:27 2025 +0000
>>>
>>> mm/filemap: allow arch to request folio size for exec memory
>>
>> Indeed. The crash is in:
>>
>> fpin = maybe_unlock_mmap_for_io(vmf, fpin);
>> if (vm_flags & VM_EXEC) {
>> /*
>> * Allow arch to request a preferred minimum folio order for
>> * executable memory. This can often be beneficial to
>> * performance if (e.g.) arm64 can contpte-map the folio.
>> * Executable memory rarely benefits from readahead, due to its
>> * random access nature, so set async_size to 0.
>> *
>> * Limit to the boundaries of the VMA to avoid reading in any
>> * pad that might exist between sections, which would be a waste
>> * of memory.
>> */
>> struct vm_area_struct *vma = vmf->vma;
>> unsigned long start = vma->vm_pgoff;
>> ^^^^ here
>> which is not surprising because we've unlocked mmap_sem (or vma lock) just
>> above this if and thus vma could have been released before we got here. The
>> easiest fix is to move maybe_unlock_mmap_for_io() below this if. There's
>> nothing in there that would be problematic with the locks still held.
>>
> In the fault path (arch/arm64/mm/fault.c), vma is locked for read.
>
> do_page_fault()
> vma = lock_vma_under_rcu(mm, addr)
> handle_mm_fault()
>
> While in the mmap path [1], mm is locked for write but vma is removed without
> locking vma for write.
>
> vm_mmap_pgoff()
> mmap_write_lock_killable(mm)
> do_mmap()
> mmap_regionC()
> __mmap_region()
> __mmap_complete()
> vms_complete_munmap_vmas()
> remove_vma()
>
> Thus the correct fix looks like locking vma in both mmap and gup pathes [2].
Hi Hillf,
do_sync_mmap_readahead() was already accessing the vma prior to my change, but
it was doing so before calling maybe_unlock_mmap_for_io(). I think that you are
saying that there exists a separate race whereby it's possible for a vma to be
removed even when the vma is locked?
In which case, I think we need both fixes? FWIW, Andrew has already updated
mm-unstable to include the fix to ensure we don't access the vma after calling
maybe_unlock_mmap_for_io().
Thanks,
Ryan
>
> [1] https://lore.kernel.org/lkml/685535d2.a00a0220.137b3.0045.GAE@google.com/
> [2] https://lore.kernel.org/lkml/68555d6e.a00a0220.137b3.004c.GAE@google.com/
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
2025-06-23 12:51 ` Ryan Roberts
@ 2025-06-24 0:30 ` Hillf Danton
0 siblings, 0 replies; 15+ messages in thread
From: Hillf Danton @ 2025-06-24 0:30 UTC (permalink / raw)
To: Ryan Roberts
Cc: david, jhubbard, linux-kernel, Jan Kara, linux-mm, syzkaller-bugs
On Mon, 23 Jun 2025 13:51:37 +0100 Ryan Roberts wrote:
> On 21/06/2025 02:20, Hillf Danton wrote:
> > On Thu, 19 Jun 2025 11:52:43 +0200 Jan Kara wrote
> >> On Wed 18-06-25 05:56:30, syzbot wrote:
> >>> Hello,
> >>>
> >>> syzbot found the following issue on:
> >>>
> >>> HEAD commit: bc6e0ba6c9ba Add linux-next specific files for 20250613
> >>> git tree: linux-next
> >>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=108c710c580000
> >>> kernel config: https://syzkaller.appspot.com/x/.config?x=2f7a2e4d17ed458f
> >>> dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
> >>> compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> >>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=148c710c580000
> >>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=179025d4580000
> >>>
> >>> Downloadable assets:
> >>> disk image: https://storage.googleapis.com/syzbot-assets/2430bb0465cc/disk-bc6e0ba6.raw.xz
> >>> vmlinux: https://storage.googleapis.com/syzbot-assets/436a39deef0a/vmlinux-bc6e0ba6.xz
> >>> kernel image: https://storage.googleapis.com/syzbot-assets/e314ca5b1eb3/bzImage-bc6e0ba6.xz
> >>>
> >>> The issue was bisected to:
> >>>
> >>> commit 3b61a3f08949297815b2c77ae2696f54cd339419
> >>> Author: Ryan Roberts <ryan.roberts@arm.com>
> >>> Date: Mon Jun 9 09:27:27 2025 +0000
> >>>
> >>> mm/filemap: allow arch to request folio size for exec memory
> >>
> >> Indeed. The crash is in:
> >>
> >> fpin = maybe_unlock_mmap_for_io(vmf, fpin);
> >> if (vm_flags & VM_EXEC) {
> >> /*
> >> * Allow arch to request a preferred minimum folio order for
> >> * executable memory. This can often be beneficial to
> >> * performance if (e.g.) arm64 can contpte-map the folio.
> >> * Executable memory rarely benefits from readahead, due to its
> >> * random access nature, so set async_size to 0.
> >> *
> >> * Limit to the boundaries of the VMA to avoid reading in any
> >> * pad that might exist between sections, which would be a waste
> >> * of memory.
> >> */
> >> struct vm_area_struct *vma = vmf->vma;
> >> unsigned long start = vma->vm_pgoff;
> >> ^^^^ here
> >> which is not surprising because we've unlocked mmap_sem (or vma lock) just
> >> above this if and thus vma could have been released before we got here. The
> >> easiest fix is to move maybe_unlock_mmap_for_io() below this if. There's
> >> nothing in there that would be problematic with the locks still held.
> >>
> > In the fault path (arch/arm64/mm/fault.c), vma is locked for read.
> >
> > do_page_fault()
> > vma = lock_vma_under_rcu(mm, addr)
> > handle_mm_fault()
> >
> > While in the mmap path [1], mm is locked for write but vma is removed without
> > locking vma for write.
> >
> > vm_mmap_pgoff()
> > mmap_write_lock_killable(mm)
> > do_mmap()
> > mmap_regionC()
> > __mmap_region()
> > __mmap_complete()
> > vms_complete_munmap_vmas()
> > remove_vma()
> >
> > Thus the correct fix looks like locking vma in both mmap and gup pathes [2].
>
> Hi Hillf,
>
> do_sync_mmap_readahead() was already accessing the vma prior to my change, but
> it was doing so before calling maybe_unlock_mmap_for_io(). I think that you are
> saying that there exists a separate race whereby it's possible for a vma to be
> removed even when the vma is locked?
>
The comment above faultin_page() [3] shows that mmap_lock plays its role.
/*
* mmap_lock must be held on entry. If @flags has FOLL_UNLOCKABLE but not
* FOLL_NOWAIT, the mmap_lock may be released. If it is, *@locked will be set
* to 0 and -EBUSY returned.
*/
> In which case, I think we need both fixes? FWIW, Andrew has already updated
We can revisit this once syzbot reports again.
> mm-unstable to include the fix to ensure we don't access the vma after calling
> maybe_unlock_mmap_for_io().
>
> Thanks,
> Ryan
>
> >
> > [1] https://lore.kernel.org/lkml/685535d2.a00a0220.137b3.0045.GAE@google.com/
> > [2] https://lore.kernel.org/lkml/68555d6e.a00a0220.137b3.004c.GAE@google.com/
[3] https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/mm/gup.c#n1143
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2025-06-24 0:30 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20250619133753.1203-1-hdanton@sina.com>
2025-06-19 13:39 ` [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead syzbot
[not found] <20250620114122.1338-1-hdanton@sina.com>
2025-06-20 13:09 ` syzbot
[not found] <20250620094529.1318-1-hdanton@sina.com>
2025-06-20 10:20 ` syzbot
[not found] <20250620055500.1295-1-hdanton@sina.com>
2025-06-20 6:57 ` syzbot
[not found] <20250620030111.1259-1-hdanton@sina.com>
2025-06-20 3:35 ` syzbot
[not found] <20250619105754.1184-1-hdanton@sina.com>
2025-06-19 12:20 ` syzbot
[not found] <20250619082423.1156-1-hdanton@sina.com>
2025-06-19 9:27 ` syzbot
2025-06-18 12:56 syzbot
2025-06-19 9:52 ` Jan Kara
2025-06-19 10:57 ` Ryan Roberts
2025-06-19 12:21 ` Will Deacon
2025-06-19 12:29 ` Ryan Roberts
2025-06-21 1:20 ` Hillf Danton
2025-06-23 12:51 ` Ryan Roberts
2025-06-24 0:30 ` Hillf Danton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).