syzbot

KASAN: use-after-free Read in jfs_lazycommit

Status: upstream: reported C repro on 2023/05/07 23:35
Bug presence: origin:upstream
Labels: missing-backport
Reported-by: syzbot+46e6acbe2a7c2c6facf8@syzkaller.appspotmail.com
First crash: 845d, last: 2d12h
Fix bisection: the issue occurs on the latest tested release (bisect log)
Crash: KASAN: use-after-free Read in jfs_lazycommit (log)
Repro: C syz .config
  
Bug presence (3)
Date Name Commit Repro Result
2025/04/24 linux-6.1.y (ToT) 420102835862 C [report] KASAN: use-after-free Read in jfs_lazycommit
2023/10/11 upstream (ToT) 1c8b86a3799f C [report] KASAN: slab-use-after-free Read in jfs_lazycommit
2025/04/24 upstream (ToT) a79be02bba5c C Didn't crash
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in jfs_lazycommit jfs 19 C error 1876 2h33m 1063d 0/29 upstream: reported C repro on 2022/10/01 13:43
linux-4.19 KASAN: use-after-free Read in jfs_lazycommit jfs 19 C error 5 934d 1051d 0/1 upstream: reported C repro on 2022/10/13 08:33
linux-5.15 KASAN: use-after-free Read in jfs_lazycommit origin:upstream 19 C error 181 2h29m 846d 0/3 upstream: reported C repro on 2023/05/06 12:04
linux-4.14 KASAN: use-after-free Read in jfs_lazycommit jfs 19 C 6 911d 1053d 0/1 upstream: reported C repro on 2022/10/11 20:09
linux-6.6 KASAN: slab-use-after-free Read in jfs_lazycommit origin:upstream 19 C 19 10d 73d 0/2 upstream: reported C repro on 2025/06/18 00:01
Fix bisection attempts (8)
Created Duration User Patch Repo Result
2025/06/04 02:22 2h42m fix candidate upstream OK (0) job log
2024/06/06 06:18 2h21m bisect fix linux-6.1.y OK (0) job log log
2024/02/25 16:27 2h06m bisect fix linux-6.1.y OK (0) job log log
2024/01/18 03:50 2h03m bisect fix linux-6.1.y OK (0) job log log
2023/12/14 16:53 1h43m bisect fix linux-6.1.y OK (0) job log log
2023/11/14 00:03 2h05m bisect fix linux-6.1.y OK (0) job log log
2023/10/11 12:57 2h06m bisect fix linux-6.1.y OK (0) job log log
2023/08/31 19:19 1h59m bisect fix linux-6.1.y OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in jfs_lazycommit+0x74f/0xa50 fs/jfs/jfs_txnmgr.c:2735
Read of size 4 at addr ffff88801866e094 by task jfsCommit/107

CPU: 0 PID: 107 Comm: jfsCommit Not tainted 6.1.141-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0xa8/0x220 mm/kasan/report.c:427
 kasan_report+0x10b/0x140 mm/kasan/report.c:531
 jfs_lazycommit+0x74f/0xa50 fs/jfs/jfs_txnmgr.c:2735
 kthread+0x29d/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 4281:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8e/0xa0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 jfs_fill_super+0xd2/0xac0 fs/jfs/super.c:495
 mount_bdev+0x287/0x3c0 fs/super.c:1443
 legacy_get_tree+0xe6/0x180 fs/fs_context.c:632
 vfs_get_tree+0x88/0x270 fs/super.c:1573
 do_new_mount+0x24a/0xa40 fs/namespace.c:3054
 do_mount fs/namespace.c:3397 [inline]
 __do_sys_mount fs/namespace.c:3605 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3582
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 4272:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x2d/0x50 mm/kasan/generic.c:516
 ____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook+0x131/0x1a0 mm/slub.c:1750
 slab_free mm/slub.c:3661 [inline]
 __kmem_cache_free+0xb6/0x1f0 mm/slub.c:3674
 generic_shutdown_super+0x130/0x340 fs/super.c:501
 kill_block_super+0x7c/0xe0 fs/super.c:1470
 deactivate_locked_super+0x93/0xf0 fs/super.c:332
 cleanup_mnt+0x463/0x4f0 fs/namespace.c:1182
 task_work_run+0x1ca/0x250 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff88801866e000
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 148 bytes inside of
 256-byte region [ffff88801866e000, ffff88801866e100)

The buggy address belongs to the physical page:
page:ffffea0000619b80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1866e
head:ffffea0000619b80 order:1 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000619d00 dead000000000004 ffff888017441b40
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2880463538, free_ts 0
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328
 __alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5614
 alloc_page_interleave+0x24/0x1e0 mm/mempolicy.c:2115
 alloc_slab_page+0x5d/0x160 mm/slub.c:1794
 allocate_slab mm/slub.c:1939 [inline]
 new_slab+0x87/0x2c0 mm/slub.c:1992
 ___slab_alloc+0xbc6/0x1220 mm/slub.c:3180
 __slab_alloc mm/slub.c:3279 [inline]
 slab_alloc_node mm/slub.c:3364 [inline]
 __kmem_cache_alloc_node+0x1a0/0x260 mm/slub.c:3437
 __do_kmalloc_node mm/slab_common.c:935 [inline]
 __kmalloc_node_track_caller+0x9e/0x230 mm/slab_common.c:956
 __do_krealloc mm/slab_common.c:1336 [inline]
 krealloc+0x6a/0x100 mm/slab_common.c:1369
 add_sysfs_param+0xe8/0x930 kernel/params.c:651
 kernel_add_sysfs_param+0xaf/0x11b kernel/params.c:812
 param_sysfs_builtin+0x1f6/0x27c kernel/params.c:851
 param_sysfs_init+0x66/0x6a kernel/params.c:972
 do_one_initcall+0x214/0x7a0 init/main.c:1298
 do_initcall_level+0x137/0x1e4 init/main.c:1371
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88801866df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801866e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801866e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88801866e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801866e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (141):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/06/09 03:26 linux-6.1.y 58485ff1a74f 4826c28e .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2023/06/07 04:29 linux-6.1.y 76ba310227d2 a4ae4f42 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2023/05/07 23:35 linux-6.1.y ca48fc16c493 90c93c40 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in jfs_lazycommit
2025/04/05 00:03 linux-6.1.y 8e60a714ba3b 1c4febdb .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro #1 (corrupt fs)] [mounted in repro #2] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in jfs_lazycommit
2025/08/27 18:11 linux-6.1.y 0bc96de781b4 e12e5ba4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/27 10:27 linux-6.1.y 0bc96de781b4 e12e5ba4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/24 08:40 linux-6.1.y 0bc96de781b4 bf27483f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/24 00:22 linux-6.1.y 0bc96de781b4 bf27483f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/21 17:40 linux-6.1.y 0bc96de781b4 3e79b825 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/19 19:43 linux-6.1.y 0bc96de781b4 254a27c1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/15 06:17 linux-6.1.y 3594f306da12 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/14 20:49 linux-6.1.y 3594f306da12 5d8c2ac2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/14 16:58 linux-6.1.y 3594f306da12 5d8c2ac2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/13 07:28 linux-6.1.y 3594f306da12 22ec1469 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/12 09:44 linux-6.1.y 3594f306da12 c06e8995 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/11 17:35 linux-6.1.y 3594f306da12 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/11 16:04 linux-6.1.y 3594f306da12 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/11 08:56 linux-6.1.y 3594f306da12 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/11 08:29 linux-6.1.y 3594f306da12 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/11 07:28 linux-6.1.y 3594f306da12 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/09 21:42 linux-6.1.y 3594f306da12 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/07 14:07 linux-6.1.y 3594f306da12 04cffc22 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/01 21:40 linux-6.1.y 3594f306da12 40127d41 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/07/24 09:30 linux-6.1.y 3594f306da12 0c1d6ded .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/07/23 15:29 linux-6.1.y 3369c6df2fae e1dd4f22 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/07/23 15:25 linux-6.1.y 3369c6df2fae e1dd4f22 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/07/23 13:57 linux-6.1.y 3369c6df2fae e1dd4f22 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/07/22 16:59 linux-6.1.y 3369c6df2fae 8e9d1dc1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/07/09 07:37 linux-6.1.y 04d1ccaa9c28 4d9fdfa4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/06/28 12:54 linux-6.1.y 7e69c33e4858 fc9d8ee5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/06/23 16:00 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/06/09 01:30 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/06/04 00:57 linux-6.1.y da3c5173c55f a30356b7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/06/03 09:25 linux-6.1.y da3c5173c55f a30356b7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/06/02 07:24 linux-6.1.y da3c5173c55f 3d2f584d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/05/30 05:16 linux-6.1.y da3c5173c55f 3d2f584d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/05/29 17:46 linux-6.1.y da3c5173c55f 3d2f584d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/05/23 17:14 linux-6.1.y da3c5173c55f f8cc0c83 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/05/22 14:53 linux-6.1.y da3c5173c55f 0919b50b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/05/22 04:53 linux-6.1.y 325285d9fc86 0919b50b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/05/19 07:09 linux-6.1.y 325285d9fc86 f41472b0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in jfs_lazycommit
2025/08/26 09:25 linux-6.1.y 0bc96de781b4 bf27483f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in jfs_lazycommit
2025/07/19 14:44 linux-6.1.y 3369c6df2fae 7117feec .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in jfs_lazycommit
2025/06/26 12:07 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in jfs_lazycommit
2025/05/29 11:19 linux-6.1.y da3c5173c55f 3d2f584d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in jfs_lazycommit
2025/05/28 07:14 linux-6.1.y da3c5173c55f 874a1386 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in jfs_lazycommit
2025/05/13 16:12 linux-6.1.y 02b72ccb5f9d 7344edeb .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in jfs_lazycommit
2025/08/17 10:26 linux-6.1.y 0bc96de781b4 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan general protection fault in jfs_lazycommit
2024/08/18 16:33 linux-6.1.y 117ac406ba90 dbc93b08 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 BUG: unable to handle kernel paging request in jfs_lazycommit