syzbot

KASAN: slab-use-after-free Read in ocfs2_reserve_suballoc_bits

Status: upstream: reported C repro on 2024/10/17 21:21
Subsystems: ocfs2
Reported-by: syzbot+af14efe17dfa46173239@syzkaller.appspotmail.com
First crash: 451d, last: 26d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: slab-out-of-bounds Read in ocfs2_block_group_alloc (log)
Repro: C syz .config
Discussions (2)
Title | Replies (including bot) | Last reply
[PATCH] ocfs2: Add check for total number of chains in chain list | 3 (3) | 2025/12/24 06:38
[syzbot] [ocfs2?] KASAN: slab-use-after-free Read in ocfs2_reserve_suballoc_bits | 1 (3) | 2025/12/20 09:17
Last patch testing requests (11)
Created | Duration | User | Patch | Repo | Result
2025/12/27 14:25 | 20m | retest repro | | upstream | OK log
2025/12/27 14:25 | 22m | retest repro | | upstream | OK log
2025/12/27 14:25 | 22m | retest repro | | upstream | OK log
2025/12/27 14:25 | 22m | retest repro | | upstream | OK log
2025/12/20 08:45 | 27m | activprithvi@gmail.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 36c254515dc6592c44db77b84908358979dd6b50 | OK log
2025/12/13 08:03 | 27m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report log
2025/12/13 08:03 | 29m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report log
2025/11/14 16:13 | 14m | retest repro | | upstream | report log
2025/08/17 08:04 | 18m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report log
2025/08/03 07:07 | 17m | retest repro | | upstream | report log
2025/07/11 00:41 | 13m | retest repro | | upstream | report log

Sample crash report:
=======================================================
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
==================================================================
BUG: KASAN: slab-use-after-free in ocfs2_find_smallest_chain fs/ocfs2/suballoc.c:413 [inline]
BUG: KASAN: slab-use-after-free in ocfs2_block_group_alloc_contig fs/ocfs2/suballoc.c:430 [inline]
BUG: KASAN: slab-use-after-free in ocfs2_block_group_alloc fs/ocfs2/suballoc.c:699 [inline]
BUG: KASAN: slab-use-after-free in ocfs2_reserve_suballoc_bits+0xca0/0x4254 fs/ocfs2/suballoc.c:832
Read of size 4 at addr ffff0000da706004 by task syz-executor256/6434

CPU: 1 UID: 0 PID: 6434 Comm: syz-executor256 Not tainted 6.14.0-rc2-syzkaller-ga64dcfb451e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:489
 kasan_report+0xd8/0x138 mm/kasan/report.c:602
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 ocfs2_find_smallest_chain fs/ocfs2/suballoc.c:413 [inline]
 ocfs2_block_group_alloc_contig fs/ocfs2/suballoc.c:430 [inline]
 ocfs2_block_group_alloc fs/ocfs2/suballoc.c:699 [inline]
 ocfs2_reserve_suballoc_bits+0xca0/0x4254 fs/ocfs2/suballoc.c:832
 ocfs2_reserve_new_metadata_blocks+0x384/0x848 fs/ocfs2/suballoc.c:982
 ocfs2_mknod+0xdc8/0x2438 fs/ocfs2/namei.c:347
 ocfs2_create+0x194/0x4d4 fs/ocfs2/namei.c:673
 lookup_open fs/namei.c:3651 [inline]
 open_last_lookups fs/namei.c:3750 [inline]
 path_openat+0x13ec/0x2b1c fs/namei.c:3986
 do_filp_open+0x1e8/0x404 fs/namei.c:4016
 do_sys_openat2+0x124/0x1b8 fs/open.c:1428
 do_sys_open fs/open.c:1443 [inline]
 __do_sys_openat fs/open.c:1459 [inline]
 __se_sys_openat fs/open.c:1454 [inline]
 __arm64_sys_openat+0x1f0/0x240 fs/open.c:1454
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 6417:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4115 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 kmem_cache_alloc_noprof+0x254/0x410 mm/slub.c:4171
 vm_area_dup+0x30/0x274 kernel/fork.c:487
 dup_mmap kernel/fork.c:694 [inline]
 dup_mm kernel/fork.c:1700 [inline]
 copy_mm+0xb04/0x1cc0 kernel/fork.c:1752
 copy_process+0x152c/0x322c kernel/fork.c:2403
 kernel_clone+0x1d8/0x82c kernel/fork.c:2815
 __do_sys_clone kernel/fork.c:2958 [inline]
 __se_sys_clone kernel/fork.c:2926 [inline]
 __arm64_sys_clone+0x1f8/0x24c kernel/fork.c:2926
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 6418:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4609 [inline]
 kmem_cache_free+0x198/0x554 mm/slub.c:4711
 __vm_area_free+0xfc/0x148 kernel/fork.c:515
 remove_vma+0x124/0x154 mm/vma.c:417
 exit_mmap+0x598/0xda0 mm/mmap.c:1308
 __mmput+0xec/0x3dc kernel/fork.c:1356
 mmput+0x70/0xac kernel/fork.c:1378
 exec_mmap+0x56c/0x68c fs/exec.c:1011
 begin_new_exec+0x698/0x1228 fs/exec.c:1267
 load_elf_binary+0x6f8/0x1f24 fs/binfmt_elf.c:1002
 search_binary_handler fs/exec.c:1775 [inline]
 exec_binprm fs/exec.c:1807 [inline]
 bprm_execve+0x7ec/0x11fc fs/exec.c:1859
 do_execveat_common+0x6f0/0x880 fs/exec.c:1966
 do_execve fs/exec.c:2040 [inline]
 __do_sys_execve fs/exec.c:2116 [inline]
 __se_sys_execve fs/exec.c:2111 [inline]
 __arm64_sys_execve+0x98/0xb0 fs/exec.c:2111
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the object at ffff0000da706000
 which belongs to the cache vm_area_struct of size 184
The buggy address is located 4 bytes inside of
 freed 184-byte region [ffff0000da706000, ffff0000da7060b8)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a706
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000000 ffff0000c18a8b40 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000da705f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000da705f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000da706000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff0000da706080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa
 ffff0000da706100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (41):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/02/17 11:47 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a64dcfb451e2 40a34ec9 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in ocfs2_reserve_suballoc_bits
2025/09/28 06:33 upstream 51a24b7deaae 001c9061 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in ocfs2_reserve_suballoc_bits
2025/06/09 16:38 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci d7fa1af5b33e 4826c28e .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2024/10/13 21:17 upstream 36c254515dc6 084d8178 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: slab-use-after-free Read in ocfs2_reserve_suballoc_bits
2025/10/31 16:07 upstream d127176862a9 2c50b6a9 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in ocfs2_reserve_suballoc_bits
2025/04/12 11:59 upstream e618ee89561b 0bd6db41 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in ocfs2_reserve_suballoc_bits
2025/03/21 06:07 upstream 5fc319360819 62330552 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in ocfs2_reserve_suballoc_bits
2025/02/06 05:03 upstream 92514ef226f5 577d049b .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in ocfs2_reserve_suballoc_bits
2025/10/27 07:23 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b98c94eed4a9 c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in ocfs2_reserve_suballoc_bits
2025/06/09 18:40 upstream 19272b37aa4f 4826c28e .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci2-upstream-fs KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/03/24 23:59 upstream 38fec10eb60d 875573af .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in ocfs2_reserve_suballoc_bits
2025/03/24 23:59 upstream 38fec10eb60d 875573af .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in ocfs2_reserve_suballoc_bits
2025/02/18 09:13 upstream 2408a807bfc3 429ea007 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci2-upstream-fs KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2024/10/30 06:56 upstream c1e939a21eb1 66aeb999 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/11/29 01:42 upstream e538109ac71d d1b870e1 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in ocfs2_reserve_suballoc_bits
2025/11/26 15:35 upstream 30f09200cc4a c116feb4 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/10/15 06:22 upstream 9b332cece987 b6605ba8 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in ocfs2_reserve_suballoc_bits
2025/10/08 16:08 upstream 0d97f2067c16 7e2882b3 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in ocfs2_reserve_suballoc_bits
2025/10/06 11:10 upstream fd94619c4336 91305dbe .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/10/03 18:26 upstream e406d57be7bd 49379ee0 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/10/01 11:59 upstream 50c19e20ed2e 3af39644 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/09/28 06:00 upstream 51a24b7deaae 001c9061 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/09/15 22:25 upstream f83ec76bf285 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/09/03 07:21 upstream e6b9dce0aeeb 96a211bc .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/09/03 03:23 upstream e6b9dce0aeeb 96a211bc .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/08/20 18:25 upstream b19a97d57c15 bd178e57 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/06/12 15:17 upstream 2c4a1f3fe03e 98683f8f .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/03/24 05:32 upstream 586de92313fc 875573af .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in ocfs2_reserve_suballoc_bits
2025/01/03 04:57 upstream 0bc21e701a6f d3ccff63 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in ocfs2_reserve_suballoc_bits
2025/10/27 07:23 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b98c94eed4a9 c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/10/23 02:50 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 143937ca51cc c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/09/09 08:25 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c199ef1fa61a d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/08/18 02:10 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8f5ae30d69d7 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/07/19 14:49 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci aaef6f251176 7117feec .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/06/09 15:40 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci d7fa1af5b33e 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/04/30 13:48 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci e0f4c8dd9d2d 85a5a23f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in ocfs2_reserve_suballoc_bits
2025/03/10 10:18 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 77c95b8c7a16 163f510d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2025/02/17 10:34 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a64dcfb451e2 40a34ec9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2024/11/30 10:57 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 7b1d1d4cfac0 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2024/11/26 20:05 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 7b1d1d4cfac0 11dbc254 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits
2024/11/23 01:13 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 7b1d1d4cfac0 68da6d95 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ocfs2_reserve_suballoc_bits