syzbot

KASAN: use-after-free Read in do_page_fault

Status: upstream: reported C repro on 2024/04/25 07:38
Reported-by: syzbot+07fb765afb817a7def53@syzkaller.appspotmail.com
First crash: 409d, last: 12d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: global-out-of-bounds Read in do_page_fault riscv 1 1008d 1004d 0/28 auto-obsoleted due to no activity on 2022/11/28 23:54
upstream KASAN: stack-out-of-bounds Read in do_page_fault net 1 871d 867d 0/28 auto-obsoleted due to no activity on 2023/04/15 09:50
Last patch testing requests (10)
Created Duration User Patch Repo Result
2025/05/19 18:14 14m retest repro android12-5.4 error
2025/05/19 18:14 15m retest repro android12-5.4 error
2025/05/19 18:14 19m retest repro android12-5.4 error
2025/05/19 18:14 20m retest repro android12-5.4 error
2025/04/01 06:14 15m retest repro android12-5.4 report log
2025/04/01 06:14 1h04m retest repro android12-5.4 report log
2025/01/04 01:07 2m retest repro android12-5.4 error
2024/10/19 17:26 8m retest repro android12-5.4 report log
2024/08/10 09:48 8m retest repro android12-5.4 report log
2024/06/01 09:05 6m retest repro android12-5.4 report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in user_mode arch/x86/include/asm/ptrace.h:131 [inline]
BUG: KASAN: use-after-free in trace_page_fault_entries arch/x86/mm/fault.c:1516 [inline]
BUG: KASAN: use-after-free in do_page_fault+0x6d/0x320 arch/x86/mm/fault.c:1528
Read of size 8 at addr ffff8881ecc2ff60 by task syz-executor174/434

CPU: 0 PID: 434 Comm: syz-executor174 Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:

The buggy address belongs to the page:
page:ffffea0007b30bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 ffffea0007b34808 ffffea0007b30b88 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x35e/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894
 alloc_slab_page+0x3c/0x3b0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x93/0x420 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x29e/0x420 mm/slub.c:2667
 __slab_alloc+0x63/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x12c/0x270 mm/slub.c:2842
 getname_flags+0xb9/0x500 fs/namei.c:141
 user_path_at_empty+0x2f/0x50 fs/namei.c:2703
 user_path_at include/linux/namei.h:49 [inline]
 vfs_statx+0x116/0x200 fs/stat.c:187
 vfs_fstatat include/linux/fs.h:3389 [inline]
 __do_sys_newfstatat fs/stat.c:367 [inline]
 __se_sys_newfstatat+0xcc/0x350 fs/stat.c:361
 __x64_sys_newfstatat+0x9b/0xb0 fs/stat.c:361
 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7e4/0x910 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4956 [inline]
 __free_pages+0x8c/0x110 mm/page_alloc.c:4962
 __free_slab+0x218/0x2d0 mm/slub.c:1774
 free_slab mm/slub.c:1789 [inline]
 discard_slab mm/slub.c:1795 [inline]
 unfreeze_partials+0x165/0x1a0 mm/slub.c:2288
 put_cpu_partial+0xc1/0x180 mm/slub.c:2324
 __slab_free+0x2be/0x380 mm/slub.c:2971
 do_slab_free mm/slub.c:3068 [inline]
 ___cache_free+0xbb/0xd0 mm/slub.c:3087
 qlink_free+0x23/0x30 mm/kasan/quarantine.c:148
 qlist_free_all+0x5f/0xb0 mm/kasan/quarantine.c:167
 quarantine_reduce+0x1a8/0x200 mm/kasan/quarantine.c:260
 __kasan_kmalloc+0x42/0x200 mm/kasan/common.c:507
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:537
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 __kmalloc+0x106/0x2f0 mm/slub.c:3909
 kmalloc_array include/linux/slab.h:618 [inline]
 realloc_stack_state kernel/bpf/verifier.c:595 [inline]
 realloc_func_state+0x305/0x5b0 kernel/bpf/verifier.c:611
 check_stack_write+0xda/0x1b10 kernel/bpf/verifier.c:1926
 check_mem_access+0x9b4/0x1c30 kernel/bpf/verifier.c:2920

Memory state around the buggy address:
 ffff8881ecc2fe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881ecc2fe80: ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00
>ffff8881ecc2ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff8881ecc2ff80: ff ff ff ff ff ff ff ff f1 f1 f1 f1 00 f2 f2 f2
 ffff8881ecc30000: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
PANIC: double fault, error_code: 0x0
CPU: 0 PID: 434 Comm: syz-executor174 Tainted: G    B             5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:perf_trace_x86_exceptions+0x18/0x360 arch/x86/include/asm/trace/exceptions.h:14
Code: 98 31 00 e9 9b fe ff ff e8 c5 22 f9 02 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec c0 00 00 00 <48> 89 4c 24 30 48 89 54 24 28 48 89 74 24 20 49 89 fd 65 48 8b 04
RSP: 0018:ffff8881ebbebf80 EFLAGS: 00010082
RAX: ffff8881ee267090 RBX: ffffe8ffffc152b8 RCX: 0000000000000000
RDX: ffff8881ebbec0d8 RSI: ffffe8ffffc152b8 RDI: ffffffff85cb57a0
RBP: ffff8881ebbec080 R08: dffffc0000000000 R09: fffffbfff0c576a6
R10: fffffbfff0c576a6 R11: 1ffffffff0c576a5 R12: ffff8881ee267090
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881ebbec0d8
FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8881ebbebf78 CR3: 00000001f5c2a000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
----------------
Code disassembly (best guess):
   0:	98                   	cwtl
   1:	31 00                	xor    %eax,(%rax)
   3:	e9 9b fe ff ff       	jmp    0xfffffea3
   8:	e8 c5 22 f9 02       	call   0x2f922d2
   d:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  12:	55                   	push   %rbp
  13:	48 89 e5             	mov    %rsp,%rbp
  16:	41 57                	push   %r15
  18:	41 56                	push   %r14
  1a:	41 55                	push   %r13
  1c:	41 54                	push   %r12
  1e:	53                   	push   %rbx
  1f:	48 83 e4 e0          	and    $0xffffffffffffffe0,%rsp
  23:	48 81 ec c0 00 00 00 	sub    $0xc0,%rsp
* 2a:	48 89 4c 24 30       	mov    %rcx,0x30(%rsp) <-- trapping instruction
  2f:	48 89 54 24 28       	mov    %rdx,0x28(%rsp)
  34:	48 89 74 24 20       	mov    %rsi,0x20(%rsp)
  39:	49 89 fd             	mov    %rdi,%r13
  3c:	65                   	gs
  3d:	48                   	rex.W
  3e:	8b                   	.byte 0x8b
  3f:	04                   	.byte 0x4

Crashes (31):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/05/04 04:45 android12-5.4 cd8e74fa0fa3 b0714e37 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/05/04 01:51 android12-5.4 cd8e74fa0fa3 b0714e37 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/05/04 03:20 android12-5.4 cd8e74fa0fa3 b0714e37 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Read in do_page_fault
2025/05/04 00:21 android12-5.4 cd8e74fa0fa3 b0714e37 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Read in do_page_fault
2025/02/08 07:26 android12-5.4 cb850525fc3e ef44b750 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Read in do_page_fault
2024/04/25 07:31 android12-5.4 2d5d8240a7cb 8bdc0f22 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Read in do_page_fault
2025/05/23 10:30 android12-5.4 cd8e74fa0fa3 fa44301a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/05/03 21:35 android12-5.4 cd8e74fa0fa3 b0714e37 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/05/01 15:02 android12-5.4 cd8e74fa0fa3 51b137cd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/04/27 15:47 android12-5.4 cd8e74fa0fa3 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/04/22 18:59 android12-5.4 986c38813dff 2a20f901 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/03/17 09:15 android12-5.4 6b07fcd94a6a 948c34e4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/03/14 12:30 android12-5.4 6b07fcd94a6a e2826670 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/03/12 21:33 android12-5.4 6b07fcd94a6a 1a5d9317 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/03/02 10:35 android12-5.4 6b07fcd94a6a c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/02/28 10:48 android12-5.4 6b07fcd94a6a 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/02/18 04:44 android12-5.4 39762b7a60e9 429ea007 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/02/13 06:56 android12-5.4 39762b7a60e9 b27c2402 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/02/08 06:44 android12-5.4 cb850525fc3e ef44b750 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2024/05/18 09:02 android12-5.4 51cf29fc2bfc c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2024/05/15 10:04 android12-5.4 51cf29fc2bfc 94b087b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2024/05/15 06:43 android12-5.4 51cf29fc2bfc fdb4c10c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2024/05/08 11:04 android12-5.4 51cf29fc2bfc 4cf3f9b3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2024/05/03 16:32 android12-5.4 51cf29fc2bfc dd26401e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2024/04/25 07:03 android12-5.4 2d5d8240a7cb 8bdc0f22 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2024/04/21 01:17 android12-5.4 2d5d8240a7cb af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Read in do_page_fault
2025/04/03 23:45 android12-5.4 41adfeb3d639 d7ae3a11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Read in do_page_fault
2025/03/11 05:42 android12-5.4 6b07fcd94a6a 16256247 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: stack-out-of-bounds Read in do_page_fault
2025/03/02 04:28 android12-5.4 6b07fcd94a6a c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: stack-out-of-bounds Read in do_page_fault
2024/05/12 07:30 android12-5.4 51cf29fc2bfc 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: stack-out-of-bounds Read in do_page_fault
2024/04/28 02:58 android12-5.4 2d5d8240a7cb 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: stack-out-of-bounds Read in do_page_fault