syzbot


KASAN: use-after-free Read in __ocfs2_flush_truncate_log

Status: upstream: reported C repro on 2024/09/28 20:44
Subsystems: ocfs2
Reported-by: syzbot+4d55dad3a9e8e9f7d2b5@syzkaller.appspotmail.com
First crash: 461d, last: 19d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: use-after-free Read in __ocfs2_flush_truncate_log (log)
Repro: syz .config
Fix bisection: the issue occurs on the latest tested release (bisect log)
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [ocfs2?] KASAN: use-after-free Read in __ocfs2_flush_truncate_log 1 (20) 2025/10/29 06:27
Similar bugs (1)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: use-after-free Read in __ocfs2_flush_truncate_log origin:lts-only 19 C error 3 102d 218d 0/3 upstream: reported C repro on 2025/05/25 11:09
Last patch testing requests (27)
Created Duration User Patch Repo Result
2025/12/25 06:03 19m retest repro upstream OK log
2025/12/25 02:43 19m retest repro upstream OK log
2025/12/25 02:43 19m retest repro upstream OK log
2025/12/25 02:43 19m retest repro upstream OK log
2025/12/25 02:43 23m retest repro upstream OK log
2025/12/25 02:43 19m retest repro upstream OK log
2025/12/24 13:37 35m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2025/12/24 13:37 30m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2025/12/24 11:39 21m retest repro upstream OK log
2025/12/24 11:39 21m retest repro upstream OK log
2025/10/29 06:27 1h55m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.12.y OK log
2025/10/29 06:25 1h08m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.1.y OK log
2025/10/29 06:21 1h00m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y report log
2025/10/28 18:22 24m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.12.y OK log
2025/10/28 18:20 33m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.1.y error
2025/10/28 18:19 5m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y error
2025/10/28 10:41 0m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux-6.12.y error
2025/10/28 10:41 0m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux-6.1.y error
2025/10/28 10:40 0m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux-5.10.y error
2025/10/24 07:15 32m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.12.y OK log
2025/10/24 07:15 45m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.1.y OK log
2025/10/24 07:11 28m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y report log
2025/10/22 12:13 23m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 552c50713f273b494ac6c77052032a49bc9255e2 OK log
2025/10/22 10:28 21m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 552c50713f273b494ac6c77052032a49bc9255e2 OK log
2025/10/20 10:23 21m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 211ddde0823f1442e4ad052a2f30f050145ccada OK log
2025/10/20 10:20 23m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 211ddde0823f1442e4ad052a2f30f050145ccada OK log
2024/09/29 04:48 19m lizhi.xu@windriver.com patch upstream OK log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ocfs2_replay_truncate_records fs/ocfs2/alloc.c:5959 [inline]
BUG: KASAN: use-after-free in __ocfs2_flush_truncate_log+0x824/0x1240 fs/ocfs2/alloc.c:6054
Read of size 4 at addr ffff88804a142ac0 by task syz-executor176/5299

CPU: 0 UID: 0 PID: 5299 Comm: syz-executor176 Not tainted 6.13.0-rc3-syzkaller-00209-g499551201b5f #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 ocfs2_replay_truncate_records fs/ocfs2/alloc.c:5959 [inline]
 __ocfs2_flush_truncate_log+0x824/0x1240 fs/ocfs2/alloc.c:6054
 ocfs2_flush_truncate_log+0x4f/0x70 fs/ocfs2/alloc.c:6076
 ocfs2_sync_fs+0x125/0x390 fs/ocfs2/super.c:402
 sync_filesystem+0x1c8/0x230 fs/sync.c:66
 generic_shutdown_super+0x72/0x2d0 fs/super.c:621
 kill_block_super+0x44/0x90 fs/super.c:1710
 deactivate_locked_super+0xc4/0x130 fs/super.c:473
 cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
 task_work_run+0x24f/0x310 kernel/task_work.c:239
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x13f/0x340 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcc3027d9a7
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffe09a23458 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fcc3027d9a7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe09a23510
RBP: 00007ffe09a23510 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000202 R12: 00007ffe09a24580
R13: 000055559072a7c0 R14: 431bde82d7b634db R15: 00007ffe09a245a0
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4a142
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea00012850c8 ffffea000115ce08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff88804a142980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804a142a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88804a142a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff88804a142b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804a142b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
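Reading the report above by hand takes a few lookups: the shadow bytes (ff) around the faulting address are the generic-KASAN marker for a freed page, which agrees with the page dump (refcount:0, page_owner never set, bug class "use-after-free" rather than "slab-use-after-free"), and ORIG_RAX 0xa6 is umount2 on x86_64, which agrees with the trace (cleanup_mnt running from task_work on the way back to user mode, i.e. the unmount had already returned to the caller when the flush hit freed memory). The script below does those lookups. It is an added example for this page, not syzbot or kernel code: SAMPLE is a trimmed copy of the report above, the shadow byte table is the generic-KASAN encoding from mm/kasan/kasan.h, and the syscall-number and umount2 flag tables assume x86_64 and the <sys/mount.h> values.

```python
"""KASAN report triage helper.  Added example for this page, not syzbot or kernel
code.  SAMPLE is a trimmed copy of the crash report above; the syscall and flag
tables assume x86_64 (the report's RIP: 0033 / entry_SYSCALL_64 frames)."""
import re

# Generic-KASAN shadow byte values (mm/kasan/kasan.h). One shadow byte covers
# 8 bytes of memory; 1..7 means only that many leading bytes are valid.
SHADOW = {0x00: "accessible", 0xF1: "stack left redzone", 0xF2: "stack mid redzone",
          0xF3: "stack right redzone", 0xF9: "global redzone",
          0xFB: "freed slab object", 0xFC: "slab redzone",
          0xFE: "page redzone", 0xFF: "freed page"}
SYSCALLS_X86_64 = {165: "mount", 166: "umount2"}   # only the two this path needs
UMOUNT_FLAGS = {1: "MNT_FORCE", 2: "MNT_DETACH", 4: "MNT_EXPIRE", 8: "UMOUNT_NOFOLLOW"}
NOISE = ("__dump_stack", "dump_stack_lvl", "print_address_description",
         "print_report", "kasan_report")            # report machinery, not the bug
FRAME = re.compile(r"^ ([A-Za-z_][\w.]*)(\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: (\S+))?( \[inline\])?$")
SHADOW_LINE = re.compile(r"^>?[ \t]*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", re.M)

def shadow_meaning(b):
    return f"partial ({b}/8 bytes valid)" if 1 <= b <= 7 else SHADOW.get(b, f"unknown 0x{b:02x}")

def parse_kasan_report(text):
    r = {}
    # First BUG line is the innermost (inlined) site, the last one the real frame.
    bugs = re.findall(r"^BUG: KASAN: ([\w-]+) in (\S+) (\S+?)(?: \[inline\])?$", text, re.M)
    r["bug"], r["inner_site"], r["frame"] = bugs[0][0], bugs[0][1:], bugs[-1][1]
    m = re.search(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$", text, re.M)
    r["access"], r["size"], addr = m[1], int(m[2]), int(m[3], 16)
    r["addr"], r["task"], r["pid"] = addr, m[4], int(m[5])
    r["kernel"] = re.search(r"Not tainted (\S+)", text)[1]
    # Call trace between <TASK> and </TASK>, innermost first, minus KASAN's own frames.
    body = text.split("<TASK>", 1)[1].split("</TASK>", 1)[0]
    frames = [FRAME.match(line) for line in body.splitlines()]
    r["trace"] = [(f[1], f[3], bool(f[4])) for f in frames if f and f[1] not in NOISE]
    # The register dump is the state at syscall exit: ORIG_RAX is the syscall that
    # just returned (cleanup_mnt ran from task_work on the way back to user mode).
    m = re.search(r"ORIG_RAX: ([0-9a-f]{16})", text)
    nr = int(m[1], 16) if m else None
    r["syscall"] = SYSCALLS_X86_64.get(nr, f"nr {nr}")
    if r["syscall"] == "umount2":                     # RSI holds the flags argument
        rsi = int(re.search(r"RSI: ([0-9a-f]{16})", text)[1], 16)
        r["umount_flags"] = [n for bit, n in UMOUNT_FLAGS.items() if rsi & bit]
    # Shadow byte for addr: each "Memory state" line covers 16 shadow bytes = 128 bytes.
    for base, cells in SHADOW_LINE.findall(text):
        base = int(base, 16)
        if base <= addr < base + 128:
            r["shadow"] = int(cells.split()[(addr - base) >> 3], 16)
            r["shadow_meaning"] = shadow_meaning(r["shadow"])
    return r

def summarize(r):
    site, loc = r["inner_site"]
    return (f"{r['bug']}: {r['access']} of {r['size']} bytes at 0x{r['addr']:x} in {site} ({loc}); "
            f"shadow 0x{r['shadow']:02x} = {r['shadow_meaning']}; returning from {r['syscall']}")

# Trimmed copy of the report on this page (constructed test input for the parser).
SAMPLE = """\
BUG: KASAN: use-after-free in ocfs2_replay_truncate_records fs/ocfs2/alloc.c:5959 [inline]
BUG: KASAN: use-after-free in __ocfs2_flush_truncate_log+0x824/0x1240 fs/ocfs2/alloc.c:6054
Read of size 4 at addr ffff88804a142ac0 by task syz-executor176/5299

CPU: 0 UID: 0 PID: 5299 Comm: syz-executor176 Not tainted 6.13.0-rc3-syzkaller-00209-g499551201b5f #0
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 ocfs2_replay_truncate_records fs/ocfs2/alloc.c:5959 [inline]
 __ocfs2_flush_truncate_log+0x824/0x1240 fs/ocfs2/alloc.c:6054
 ocfs2_flush_truncate_log+0x4f/0x70 fs/ocfs2/alloc.c:6076
 ocfs2_sync_fs+0x125/0x390 fs/ocfs2/super.c:402
 sync_filesystem+0x1c8/0x230 fs/sync.c:66
 generic_shutdown_super+0x72/0x2d0 fs/super.c:621
 kill_block_super+0x44/0x90 fs/super.c:1710
 deactivate_locked_super+0xc4/0x130 fs/super.c:473
 cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
 task_work_run+0x24f/0x310 kernel/task_work.c:239
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RSP: 002b:00007ffe09a23458 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe09a23510
 </TASK>

Memory state around the buggy address:
 ffff88804a142a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88804a142a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff88804a142b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE)))
```

Run as a script it prints one summary line for the embedded report. The shadow lookup is the check worth keeping: a freed-page marker (ff) under a read in ocfs2_replay_truncate_records means the truncate-log buffer the flush walks was already returned to the page allocator, which is the same fact the "page: refcount:0" dump states, just decoded without consulting the KASAN legend.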

Crashes (41):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/12/22 00:41 upstream 499551201b5f d7f584ee .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/02/12 19:17 upstream 09fbf3d50205 b27c2402 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in __ocfs2_flush_truncate_log
2025/10/27 11:22 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b98c94eed4a9 c0460fcd .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in __ocfs2_flush_truncate_log
2024/12/24 10:40 upstream f07044dd0df0 444551c4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2024/12/10 14:42 upstream 7cb1b4663150 cfc402b4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2024/10/08 03:11 upstream 87d6aab2389e d7906eff .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/05/30 17:47 upstream f66bc387efbe 3d2f584d .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci-snapshot-upstream-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2024/10/07 09:18 upstream 2a130b7e1fcd d7906eff .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2024/09/24 20:38 upstream abf2050f51fd 5643e0e9 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/10/01 09:33 linux-next 3b9b1f8df454 65a0eece .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/10/01 08:15 linux-next 3b9b1f8df454 65a0eece .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/10/01 07:54 linux-next 3b9b1f8df454 65a0eece .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/10/01 07:54 linux-next 3b9b1f8df454 65a0eece .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/10/01 07:53 linux-next 3b9b1f8df454 65a0eece .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/06/30 07:20 linux-next 2aeda9592360 fc9d8ee5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/12/10 11:36 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 05c93f3395ed d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/11/27 07:17 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b5fb0949b675 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/10/29 20:19 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b98c94eed4a9 fd2207e7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/10/20 10:39 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bf45a62baffc 1c8c8cd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/10/20 00:47 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bf45a62baffc 1c8c8cd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/09/26 07:57 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 35aa5763e111 0abd0691 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/09/14 11:30 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8736259279a3 e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/09/12 17:30 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8736259279a3 e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/09/08 14:27 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b320789d6883 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/08/29 23:22 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8f5ae30d69d7 3e1beec6 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/06/16 02:59 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 39dfc971e42d 5f4b362d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/05/10 02:10 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c32f8dc5aaf9 bb813bcc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in __ocfs2_flush_truncate_log
2025/05/30 18:19 upstream f66bc387efbe 3d2f584d .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci2-upstream-fs KASAN: slab-use-after-free Read in __ocfs2_flush_truncate_log
2024/12/26 20:37 upstream 9b2ffa6148b1 d3ccff63 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: slab-out-of-bounds Read in __ocfs2_flush_truncate_log
2024/10/08 02:43 upstream 87d6aab2389e d7906eff .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: slab-out-of-bounds Read in __ocfs2_flush_truncate_log
2024/10/04 04:24 upstream 7ec462100ef9 d7906eff .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: slab-use-after-free Read in __ocfs2_flush_truncate_log
2024/10/01 04:58 upstream e32cde8d2bd7 bbd4e0a4 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: slab-use-after-free Read in __ocfs2_flush_truncate_log
2025/10/30 10:40 upstream e53642b87a4f fd2207e7 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in __ocfs2_flush_truncate_log
2025/09/14 06:18 upstream 5cd64d4f9268 e2beed91 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in __ocfs2_flush_truncate_log
2025/05/30 17:01 upstream f66bc387efbe 3d2f584d .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in __ocfs2_flush_truncate_log
2025/01/19 17:42 upstream fda5e3f28400 f2cb035c .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in __ocfs2_flush_truncate_log
2024/12/13 04:57 upstream 150b567e0d57 3547e30f .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in __ocfs2_flush_truncate_log
2024/10/10 03:58 upstream b983b271662b 0278d004 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in __ocfs2_flush_truncate_log
2024/11/30 22:54 linux-next f486c8aa16b8 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-out-of-bounds Read in __ocfs2_flush_truncate_log
2025/02/19 14:00 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci e6747d19291c 9a14138f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in __ocfs2_flush_truncate_log
2024/10/22 04:00 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 86cada34bc3a a93682b3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in __ocfs2_flush_truncate_log