syzbot


KASAN: slab-use-after-free Read in driver_remove_file

Status: upstream: reported on 2025/07/29 11:26
Subsystems: fs
Reported-by: syzbot+a56aa983ce6a1bf12485@syzkaller.appspotmail.com
First crash: 34d, last: 1d14h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [fs?] KASAN: slab-use-after-free Read in driver_remove_file 0 (1) 2025/07/29 11:26

Sample crash report:
==================================================================
BUG: KASAN: slab-use-after-free in sysfs_remove_file_ns+0x63/0x70 fs/sysfs/file.c:522
Read of size 8 at addr ffff888078db6c30 by task syz.4.1138/11153

CPU: 0 UID: 0 PID: 11153 Comm: syz.4.1138 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 sysfs_remove_file_ns+0x63/0x70 fs/sysfs/file.c:522
 sysfs_remove_file include/linux/sysfs.h:777 [inline]
 driver_remove_file drivers/base/driver.c:201 [inline]
 driver_remove_file+0x4a/0x60 drivers/base/driver.c:197
 remove_bind_files drivers/base/bus.c:605 [inline]
 bus_remove_driver+0x224/0x2c0 drivers/base/bus.c:743
 driver_unregister+0x76/0xb0 drivers/base/driver.c:277
 comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
 do_devconfig_ioctl+0x555/0x710 drivers/comedi/comedi_fops.c:848
 comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2173
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:598 [inline]
 __se_sys_ioctl fs/ioctl.c:584 [inline]
 __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:584
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8f4918ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8f4a07d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8f493b5fa0 RCX: 00007f8f4918ebe9
RDX: 0000000000000000 RSI: 0000000040946400 RDI: 0000000000000004
RBP: 00007f8f49211e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8f493b6038 R14: 00007f8f493b5fa0 R15: 00007ffdaa52b328
 </TASK>

Allocated by task 10666:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4365 [inline]
 __kmalloc_noprof+0x223/0x510 mm/slub.c:4377
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kmalloc_array_noprof include/linux/slab.h:948 [inline]
 __list_lru_init+0xe8/0x4c0 mm/list_lru.c:588
 alloc_super+0x904/0xbd0 fs/super.c:391
 sget_fc+0x116/0xc20 fs/super.c:761
 sget_dev fs/super.c:1406 [inline]
 get_tree_bdev_flags+0x1ba/0x620 fs/super.c:1678
 vfs_get_tree+0x8e/0x340 fs/super.c:1815
 do_new_mount fs/namespace.c:3808 [inline]
 path_mount+0x1513/0x2000 fs/namespace.c:4123
 do_mount fs/namespace.c:4136 [inline]
 __do_sys_mount fs/namespace.c:4347 [inline]
 __se_sys_mount fs/namespace.c:4324 [inline]
 __x64_sys_mount+0x28d/0x310 fs/namespace.c:4324
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5861:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free mm/slub.c:4680 [inline]
 kfree+0x2b4/0x4d0 mm/slub.c:4879
 list_lru_destroy mm/list_lru.c:611 [inline]
 list_lru_destroy+0x152/0x700 mm/list_lru.c:602
 deactivate_locked_super+0xe1/0x1a0 fs/super.c:484
 deactivate_super fs/super.c:507 [inline]
 deactivate_super+0xde/0x100 fs/super.c:503
 cleanup_mnt+0x225/0x450 fs/namespace.c:1375
 task_work_run+0x150/0x240 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888078db6c00
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 48 bytes inside of
 freed 256-byte region [ffff888078db6c00, ffff888078db6d00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888078db7400 pfn:0x78db6
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000240 ffff88801b841b40 ffffea0001d79590 ffffea0000bed310
raw: ffff888078db7400 000000000010000b 00000000f5000000 0000000000000000
head: 00fff00000000240 ffff88801b841b40 ffffea0001d79590 ffffea0000bed310
head: ffff888078db7400 000000000010000b 00000000f5000000 0000000000000000
head: 00fff00000000001 ffffea0001e36d81 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5861, tgid 5861 (syz-executor), ts 91940896784, free_ts 91913182591
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2487 [inline]
 allocate_slab mm/slub.c:2655 [inline]
 new_slab+0x247/0x330 mm/slub.c:2709
 ___slab_alloc+0xcf2/0x1740 mm/slub.c:3891
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3981
 __slab_alloc_node mm/slub.c:4056 [inline]
 slab_alloc_node mm/slub.c:4217 [inline]
 __do_kmalloc_node mm/slub.c:4364 [inline]
 __kmalloc_noprof+0x2f2/0x510 mm/slub.c:4377
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 fib_create_info+0x53f/0x46b0 net/ipv4/fib_semantics.c:1402
 fib_table_insert+0x177/0x1c40 net/ipv4/fib_trie.c:1212
 fib_magic+0x4d4/0x5c0 net/ipv4/fib_frontend.c:1133
 fib_add_ifaddr+0x4d2/0x580 net/ipv4/fib_frontend.c:1177
 fib_netdev_event+0x38a/0x710 net/ipv4/fib_frontend.c:1515
 notifier_call_chain+0xbc/0x410 kernel/notifier.c:85
 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2229
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 __dev_notify_flags+0x12c/0x2e0 net/core/dev.c:9576
page last free pid 23 tgid 23 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0x79c/0x1530 kernel/rcu/tree.c:2861
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
 run_ksoftirqd kernel/softirq.c:968 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960
 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888078db6b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888078db6b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888078db6c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888078db6c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888078db6d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in kernfs_root+0x290/0x2a0 fs/kernfs/kernfs-internal.h:76
Read of size 8 at addr ffffffff9ae6f9d0 by task syz.4.1138/11153

CPU: 1 UID: 0 PID: 11153 Comm: syz.4.1138 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 kernfs_root+0x290/0x2a0 fs/kernfs/kernfs-internal.h:76
 kernfs_remove_by_name_ns+0x2e/0x110 fs/kernfs/dir.c:1711
 sysfs_remove_file include/linux/sysfs.h:777 [inline]
 driver_remove_file drivers/base/driver.c:201 [inline]
 driver_remove_file+0x4a/0x60 drivers/base/driver.c:197
 remove_bind_files drivers/base/bus.c:605 [inline]
 bus_remove_driver+0x224/0x2c0 drivers/base/bus.c:743
 driver_unregister+0x76/0xb0 drivers/base/driver.c:277
 comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
 do_devconfig_ioctl+0x555/0x710 drivers/comedi/comedi_fops.c:848
 comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2173
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:598 [inline]
 __se_sys_ioctl fs/ioctl.c:584 [inline]
 __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:584
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8f4918ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8f4a07d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8f493b5fa0 RCX: 00007f8f4918ebe9
RDX: 0000000000000000 RSI: 0000000040946400 RDI: 0000000000000004
RBP: 00007f8f49211e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8f493b6038 R14: 00007f8f493b5fa0 R15: 00007ffdaa52b328
 </TASK>

The buggy address belongs to the variable:
 __key.1+0x30/0x40

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ae6f
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea00006b9bc8 ffffea00006b9bc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff9ae6f880: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
 ffffffff9ae6f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
>ffffffff9ae6f980: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9
                                                 ^
 ffffffff9ae6fa00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff9ae6fa80: 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
==================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in kernfs_root+0x29a/0x2a0 fs/kernfs/kernfs-internal.h:79
Read of size 8 at addr ffffffff9ae6fa18 by task syz.4.1138/11153

CPU: 1 UID: 0 PID: 11153 Comm: syz.4.1138 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 kernfs_root+0x29a/0x2a0 fs/kernfs/kernfs-internal.h:79
 kernfs_remove_by_name_ns+0x2e/0x110 fs/kernfs/dir.c:1711
 sysfs_remove_file include/linux/sysfs.h:777 [inline]
 driver_remove_file drivers/base/driver.c:201 [inline]
 driver_remove_file+0x4a/0x60 drivers/base/driver.c:197
 remove_bind_files drivers/base/bus.c:605 [inline]
 bus_remove_driver+0x224/0x2c0 drivers/base/bus.c:743
 driver_unregister+0x76/0xb0 drivers/base/driver.c:277
 comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
 do_devconfig_ioctl+0x555/0x710 drivers/comedi/comedi_fops.c:848
 comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2173
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:598 [inline]
 __se_sys_ioctl fs/ioctl.c:584 [inline]
 __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:584
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8f4918ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8f4a07d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8f493b5fa0 RCX: 00007f8f4918ebe9
RDX: 0000000000000000 RSI: 0000000040946400 RDI: 0000000000000004
RBP: 00007f8f49211e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8f493b6038 R14: 00007f8f493b5fa0 R15: 00007ffdaa52b328
 </TASK>

The buggy address belongs to the variable:
 shadow_nodes_key+0x38/0x40

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ae6f
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea00006b9bc8 ffffea00006b9bc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff9ae6f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
 ffffffff9ae6f980: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9
>ffffffff9ae6fa00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
                            ^
 ffffffff9ae6fa80: 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
 ffffffff9ae6fb00: 00 00 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
==================================================================
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: null-ptr-deref in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
BUG: KASAN: null-ptr-deref in rwsem_write_trylock kernel/locking/rwsem.c:268 [inline]
BUG: KASAN: null-ptr-deref in __down_write_common kernel/locking/rwsem.c:1316 [inline]
BUG: KASAN: null-ptr-deref in __down_write kernel/locking/rwsem.c:1326 [inline]
BUG: KASAN: null-ptr-deref in down_write+0xb2/0x200 kernel/locking/rwsem.c:1591
Write of size 8 at addr 0000000000000118 by task syz.4.1138/11153

CPU: 1 UID: 0 PID: 11153 Comm: syz.4.1138 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
 rwsem_write_trylock kernel/locking/rwsem.c:268 [inline]
 __down_write_common kernel/locking/rwsem.c:1316 [inline]
 __down_write kernel/locking/rwsem.c:1326 [inline]
 down_write+0xb2/0x200 kernel/locking/rwsem.c:1591
 kernfs_remove_by_name_ns+0x3d/0x110 fs/kernfs/dir.c:1712
 sysfs_remove_file include/linux/sysfs.h:777 [inline]
 driver_remove_file drivers/base/driver.c:201 [inline]
 driver_remove_file+0x4a/0x60 drivers/base/driver.c:197
 remove_bind_files drivers/base/bus.c:605 [inline]
 bus_remove_driver+0x224/0x2c0 drivers/base/bus.c:743
 driver_unregister+0x76/0xb0 drivers/base/driver.c:277
 comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
 do_devconfig_ioctl+0x555/0x710 drivers/comedi/comedi_fops.c:848
 comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2173
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:598 [inline]
 __se_sys_ioctl fs/ioctl.c:584 [inline]
 __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:584
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8f4918ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8f4a07d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8f493b5fa0 RCX: 00007f8f4918ebe9
RDX: 0000000000000000 RSI: 0000000040946400 RDI: 0000000000000004
RBP: 00007f8f49211e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8f493b6038 R14: 00007f8f493b5fa0 R15: 00007ffdaa52b328
 </TASK>
==================================================================

Crashes (67):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/08/20 00:53 upstream b19a97d57c15 79512909 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/17 21:53 upstream 8d561baae505 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/17 18:31 upstream 99bade344cfa 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/13 04:40 upstream 8742b2d8935f 22ec1469 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:07 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:07 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:06 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:06 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:06 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:04 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:04 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:03 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:03 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:03 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:01 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 19:01 upstream 0227b49b5027 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/07 12:13 upstream 6e64f4580381 04cffc22 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/06 22:30 upstream 479058002c32 4bd24a3e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/06 05:49 upstream 6bcdbd62bd56 904e669c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/04 05:29 upstream 3c4a063b1f8a 7368264b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/07/22 05:31 upstream 89be9a83ccf1 1555463b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/07/20 12:52 upstream f4a40a4282f4 7117feec .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/07/20 12:45 upstream f4a40a4282f4 7117feec .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in driver_remove_file
2025/08/21 17:48 upstream 32b7144f806e 3e79b825 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/08/19 16:05 upstream be48bcf004f9 523f460e .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/08/19 11:46 upstream be48bcf004f9 523f460e .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/08/17 03:28 upstream 90d970cade8e 1804e95e .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/08/14 03:52 upstream 91325f31afc1 22ec1469 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 20:03 upstream c30a13538d9f 32a0e5ed .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/08/09 20:00 upstream c30a13538d9f 32a0e5ed .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/07/27 22:07 upstream b711733e89a3 fb8f743d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/07/27 14:09 upstream ec2df4364666 fb8f743d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/07/27 01:08 upstream 302f88ff3584 fb8f743d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/07/26 05:34 upstream 5f33ebd2018c fb8f743d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/07/22 16:46 upstream 89be9a83ccf1 8e9d1dc1 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in driver_remove_file
2025/08/22 10:06 upstream 3957a5720157 bf27483f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/08/21 22:54 upstream 32b7144f806e 3e79b825 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/08/20 18:23 upstream b19a97d57c15 bd178e57 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/08/20 06:07 upstream b19a97d57c15 79512909 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/08/19 10:42 upstream be48bcf004f9 523f460e .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/08/19 08:20 upstream be48bcf004f9 6e8d317a .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/08/17 09:51 upstream 99bade344cfa 1804e95e .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/08/13 18:36 upstream 8742b2d8935f 22ec1469 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/07/29 06:03 upstream ced1b9e0392d c4a95487 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/07/29 06:03 upstream ced1b9e0392d c4a95487 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/07/29 03:22 upstream ced1b9e0392d c4a95487 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/07/26 23:48 upstream 302f88ff3584 fb8f743d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/07/26 23:43 upstream 302f88ff3584 fb8f743d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/07/25 05:38 upstream 94ce1ac2c9b4 fb8f743d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/07/24 18:30 upstream 25fae0b93d1d 65d60d73 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/07/21 03:17 upstream 990b11a523a8 7117feec .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in driver_remove_file
2025/08/17 22:24 upstream 8d561baae505 1804e95e .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: use-after-free Read in driver_remove_file
* Struck through repros no longer work on HEAD.