syzbot


KASAN: use-after-free Read in unaccount_page_cache_page (3)

Status: premoderation: reported on 2024/12/31 14:15
Reported-by: syzbot+29b5af9192239d0a42cc@syzkaller.appspotmail.com
First crash: 533d, last: 1d10h
Similar bugs (7)
| Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| android-5-15 | KASAN: use-after-free Read in unaccount_page_cache_page | 19 | | | | 118 | 834d | 1309d | 0/2 | auto-obsoleted due to no activity on 2024/05/01 01:14 |
| android-5-10 | KASAN: use-after-free Read in unaccount_page_cache_page | 19 | | | | 150 | 787d | 1316d | 0/2 | auto-obsoleted due to no activity on 2024/06/10 16:28 |
| android-54 | KASAN: slab-out-of-bounds Read in unaccount_page_cache_page | 19 | | | | 2 | 868d | 950d | 0/2 | auto-obsoleted due to no activity on 2024/04/30 10:15 |
| android-5-10 | KASAN: use-after-free Read in unaccount_page_cache_page (2) | 19 | | | | 1 | 673d | 673d | 0/2 | auto-obsoleted due to no activity on 2024/11/11 21:33 |
| android-5-15 | KASAN: use-after-free Read in unaccount_page_cache_page (2) | 19 | | | | 193 | 1d22h | 664d | 0/2 | premoderation: reported on 2024/08/23 02:36 |
| android-54 | KASAN: use-after-free Read in unaccount_page_cache_page | 19 | | | | 143 | 1100d | 1313d | 0/2 | auto-obsoleted due to no activity on 2023/08/23 09:09 |
| android-54 | KASAN: use-after-free Read in unaccount_page_cache_page (2) | 19 | | | | 5 | 392d | 417d | 0/2 | auto-obsoleted due to no activity on 2025/08/20 03:09 |

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
BUG: KASAN: use-after-free in cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
BUG: KASAN: use-after-free in unaccount_page_cache_page+0x9dc/0xac0 mm/filemap.c:175
Read of size 4 at addr ffff888118d9a470 by task syz.2.1984/7419

CPU: 1 PID: 7419 Comm: syz.2.1984 Tainted: G        W         syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x100/0x140 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 cleancache_fs_enabled_mapping include/linux/cleancache.h:56 [inline]
 cleancache_invalidate_page include/linux/cleancache.h:110 [inline]
 unaccount_page_cache_page+0x9dc/0xac0 mm/filemap.c:175
 __delete_from_page_cache+0xc3/0x470 mm/filemap.c:243
 __remove_mapping+0x581/0x6b0 mm/vmscan.c:985
 shrink_page_list+0x21ee/0x4160 mm/vmscan.c:1498
 shrink_inactive_list+0x90c/0xef0 mm/vmscan.c:2075
 shrink_list mm/vmscan.c:2294 [inline]
 shrink_lruvec+0x2806/0x2d70 mm/vmscan.c:5473
 shrink_node_memcgs mm/vmscan.c:5660 [inline]
 shrink_node+0xee0/0x2690 mm/vmscan.c:5690
 shrink_zones mm/vmscan.c:5896 [inline]
 do_try_to_free_pages+0x602/0x1590 mm/vmscan.c:5954
 try_to_free_mem_cgroup_pages+0x261/0x610 mm/vmscan.c:6272
 try_charge+0x426/0x1580 mm/memcontrol.c:2745
 __mem_cgroup_charge+0x148/0x6d0 mm/memcontrol.c:6871
 mem_cgroup_charge include/linux/memcontrol.h:458 [inline]
 shmem_add_to_page_cache+0x569/0xe10 mm/shmem.c:699
 shmem_getpage_gfp+0x907/0x20f0 mm/shmem.c:1952
 shmem_getpage mm/shmem.c:161 [inline]
 shmem_file_read_iter+0x286/0x870 mm/shmem.c:2574
 call_read_iter include/linux/fs.h:2060 [inline]
 generic_file_splice_read+0x3ea/0x5f0 fs/splice.c:311
 do_splice_to fs/splice.c:791 [inline]
 splice_direct_to_actor+0x40a/0xb20 fs/splice.c:870
 do_splice_direct+0x1c2/0x2d0 fs/splice.c:979
 do_sendfile+0x8df/0x1040 fs/read_write.c:1257
 __do_sys_sendfile64 fs/read_write.c:1318 [inline]
 __se_sys_sendfile64 fs/read_write.c:1304 [inline]
 __x64_sys_sendfile64+0x199/0x1f0 fs/read_write.c:1304
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f54955eae59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5494045028 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f5495863fa0 RCX: 00007f54955eae59
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000004
RBP: 00007f5495680d6f R08: 0000000000000000 R09: 0000000000000000
R10: 000000007e78a6f1 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5495864038 R14: 00007f5495863fa0 R15: 00007fffb7169708

The buggy address belongs to the page:
page:ffffea0004636680 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x118d9a
flags: 0x4000000000000000()
raw: 4000000000000000 ffffea0004823f48 ffffea000467a7c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 7306, ts 267558493401, free_ts 267592715101
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x176/0x190 mm/page_alloc.c:2462
 get_page_from_freelist+0x225f/0x23f0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x29a/0x640 mm/page_alloc.c:5384
 __vmalloc_area_node mm/vmalloc.c:-1 [inline]
 __vmalloc_node_range+0x388/0x7a0 mm/vmalloc.c:2629
 vmalloc_user+0x73/0x80 mm/vmalloc.c:2758
 kcov_mmap+0x2b/0x130 kernel/kcov.c:465
 call_mmap include/linux/fs.h:2071 [inline]
 mmap_file+0x60/0xb0 mm/util.c:1085
 __mmap_region mm/mmap.c:1884 [inline]
 mmap_region+0x11fd/0x19c0 mm/mmap.c:3075
 do_mmap+0x85f/0xf50 mm/mmap.c:1661
 vm_mmap_pgoff+0x1f4/0x350 mm/util.c:543
 ksys_mmap_pgoff+0x16f/0x1e0 mm/mmap.c:1712
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __x64_sys_mmap+0xfa/0x110 arch/x86/kernel/sys_x86_64.c:86
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 free_pcp_prepare mm/page_alloc.c:1421 [inline]
 free_unref_page_prepare+0x2b7/0x2d0 mm/page_alloc.c:3336
 free_unref_page mm/page_alloc.c:3391 [inline]
 free_the_page mm/page_alloc.c:5443 [inline]
 __free_pages+0x146/0x390 mm/page_alloc.c:5454
 __vunmap+0x801/0x980 mm/vmalloc.c:2307
 __vfree mm/vmalloc.c:2356 [inline]
 vfree+0x61/0x90 mm/vmalloc.c:2387
 kcov_mmap+0x8f/0x130 kernel/kcov.c:489
 call_mmap include/linux/fs.h:2071 [inline]
 mmap_file+0x60/0xb0 mm/util.c:1085
 __mmap_region mm/mmap.c:1884 [inline]
 mmap_region+0x11fd/0x19c0 mm/mmap.c:3075
 do_mmap+0x85f/0xf50 mm/mmap.c:1661
 vm_mmap_pgoff+0x1f4/0x350 mm/util.c:543
 ksys_mmap_pgoff+0x16f/0x1e0 mm/mmap.c:1712
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __x64_sys_mmap+0xfa/0x110 arch/x86/kernel/sys_x86_64.c:86
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Memory state around the buggy address:
 ffff888118d9a300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888118d9a380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888118d9a400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff888118d9a480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888118d9a500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (137):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/06/16 22:08 android13-5.10-lts a36936eeef1e a3998659 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/06/16 18:34 android13-5.10-lts a36936eeef1e a3998659 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/06/15 14:05 android13-5.10-lts a36936eeef1e 50bb0618 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/06/14 09:01 android13-5.10-lts d11359bcf2ac 1d2f3589 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/06/11 06:08 android13-5.10-lts d11359bcf2ac b754d2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/06/10 16:53 android13-5.10-lts d11359bcf2ac f79bac11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/06/07 12:52 android13-5.10-lts 4a079a5d30eb cc095639 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/06/05 23:28 android13-5.10-lts 4a079a5d30eb cc095639 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/06/02 16:10 android13-5.10-lts 4a079a5d30eb 62fe1528 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/06/02 07:19 android13-5.10-lts 4a079a5d30eb 1095583b .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/06/02 03:11 android13-5.10-lts 4a079a5d30eb 1095583b .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/05/26 18:22 android13-5.10-lts f5a34916f66d a3e47276 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/05/25 03:51 android13-5.10-lts f5a34916f66d c69befb3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/05/24 09:59 android13-5.10-lts f5a34916f66d c69befb3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/05/22 10:58 android13-5.10-lts f5a34916f66d 70ae9b03 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/05/19 21:31 android13-5.10-lts f5a34916f66d 223544dc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/05/11 16:37 android13-5.10-lts 03e51c8e07e0 845acb1c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/05/09 13:59 android13-5.10-lts 5feb5545d40a 29233ece .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/05/02 15:46 android13-5.10-lts 7ae299a5827a a0d91488 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/05/01 22:47 android13-5.10-lts 7ae299a5827a 753c55b9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/05/01 17:34 android13-5.10-lts 7ae299a5827a 753c55b9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/04/29 06:23 android13-5.10-lts 7ae299a5827a 95008c03 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/04/28 14:09 android13-5.10-lts 7ae299a5827a ce741359 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/04/28 00:07 android13-5.10-lts d8c55bf860fd ce741359 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/04/26 16:39 android13-5.10-lts d8c55bf860fd 9c2d0995 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/04/17 00:28 android13-5.10-lts cc0ae2abdc73 de0a551d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/04/11 13:41 android13-5.10-lts cc0ae2abdc73 38c8e246 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/03/31 17:37 android13-5.10-lts cc0ae2abdc73 aeea1c72 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/03/24 08:02 android13-5.10-lts 9136079e403a baf8bf12 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/03/02 22:39 android13-5.10-lts dad37bbb13a8 b9dd6534 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/03/02 04:46 android13-5.10-lts dad37bbb13a8 43249bac .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/02/24 14:16 android13-5.10-lts e8b14e1cefe8 96b1aa46 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/02/19 16:15 android13-5.10-lts e8b14e1cefe8 746545b8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/02/16 20:53 android13-5.10-lts e8b14e1cefe8 5d52cba5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/02/16 08:28 android13-5.10-lts e8b14e1cefe8 1e62d198 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/02/12 11:56 android13-5.10-lts ee0977df88b5 76a109e2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/02/10 16:57 android13-5.10-lts 0be127d3b2ec 91d776d3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/02/03 18:18 android13-5.10-lts 186f761c519d 6df4c87a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/02/01 18:08 android13-5.10-lts 186f761c519d 6b8752f2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/01/19 09:47 android13-5.10-lts e253c52bbdfc a9fc5226 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/01/19 03:44 android13-5.10-lts e253c52bbdfc 20d37d28 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/01/18 11:04 android13-5.10-lts e253c52bbdfc 20d37d28 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/01/18 07:50 android13-5.10-lts e253c52bbdfc 20d37d28 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/01/09 00:17 android13-5.10-lts e253c52bbdfc d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/01/01 20:41 android13-5.10-lts e253c52bbdfc d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page
2026/05/27 00:34 android13-5.10-lts f5a34916f66d 2b01f00e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: slab-out-of-bounds Read in unaccount_page_cache_page
2026/05/22 18:34 android13-5.10-lts f5a34916f66d 5f091fcc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: slab-out-of-bounds Read in unaccount_page_cache_page
2026/05/10 00:16 android13-5.10-lts 5feb5545d40a 29233ece .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: slab-out-of-bounds Read in unaccount_page_cache_page
2026/03/28 17:38 android13-5.10-lts cc0ae2abdc73 b5ceaad2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: slab-out-of-bounds Read in unaccount_page_cache_page
2026/01/16 12:16 android13-5.10-lts e253c52bbdfc d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 general protection fault in unaccount_page_cache_page
2025/12/09 16:39 android13-5.10-lts 9286af17ed5f d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: slab-out-of-bounds Read in unaccount_page_cache_page
* Struck through repros no longer work on HEAD.