[v6.1] KASAN: use-after-free Read in trylock_super
0 views
Skip to first unread message
syzbot
Feb 5, 2026, 1:22:33 AM (9 days ago) Feb 5
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: cd9b81672742 Linux 6.1.161
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1527a402580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f0605c5af04d7603
dashboard link: https://syzkaller.appspot.com/bug?extid=d952595bb165a72b9ca3
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7c7d6fd2ef9f/disk-cd9b8167.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/544b7fd5d4e0/vmlinux-cd9b8167.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3454f19d3753/bzImage-cd9b8167.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d95259...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __down_read_trylock kernel/locking/rwsem.c:1292 [inline]
BUG: KASAN: use-after-free in down_read_trylock+0xaf/0x3b0 kernel/locking/rwsem.c:1559
Read of size 8 at addr ffff88804c72e0d8 by task kworker/u4:22/7302
CPU: 0 PID: 7302 Comm: kworker/u4:22 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: writeback wb_workfn (flush-7:7)
Call Trace:
<TASK>
dump_stack_lvl+0x188/0x24e lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0xa8/0x210 mm/kasan/report.c:420
kasan_report+0x10b/0x140 mm/kasan/report.c:524
__down_read_trylock kernel/locking/rwsem.c:1292 [inline]
down_read_trylock+0xaf/0x3b0 kernel/locking/rwsem.c:1559
trylock_super+0x1c/0xf0 fs/super.c:415
__writeback_inodes_wb+0x114/0x3f0 fs/fs-writeback.c:1975
wb_writeback+0x494/0xd50 fs/fs-writeback.c:2089
wb_check_old_data_flush fs/fs-writeback.c:2189 [inline]
wb_do_writeback fs/fs-writeback.c:2242 [inline]
wb_workfn+0xb68/0xee0 fs/fs-writeback.c:2270
process_one_work+0x8a2/0x1160 kernel/workqueue.c:2292
worker_thread+0xaa2/0x1270 kernel/workqueue.c:2439
kthread+0x29d/0x330 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
Allocated by task 7298:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0x8e/0xa0 mm/kasan/common.c:384
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:936 [inline]
__kmalloc_node_track_caller+0xae/0x230 mm/slab_common.c:956
kmalloc_reserve net/core/skbuff.c:446 [inline]
__alloc_skb+0x22a/0x7e0 net/core/skbuff.c:515
alloc_skb include/linux/skbuff.h:1271 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x28f/0xaf0 drivers/net/netdevsim/dev.c:851
process_one_work+0x8a2/0x1160 kernel/workqueue.c:2292
worker_thread+0xaa2/0x1270 kernel/workqueue.c:2439
kthread+0x29d/0x330 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Freed by task 7298:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_free_info+0x2d/0x50 mm/kasan/generic.c:516
____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:237
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1729 [inline]
slab_free_freelist_hook+0x131/0x1a0 mm/slub.c:1755
slab_free mm/slub.c:3687 [inline]
__kmem_cache_free+0xb6/0x1f0 mm/slub.c:3700
skb_free_head net/core/skbuff.c:762 [inline]
skb_release_data+0x5db/0x7c0 net/core/skbuff.c:791
skb_release_all net/core/skbuff.c:856 [inline]
__kfree_skb net/core/skbuff.c:870 [inline]
consume_skb+0xa2/0x100 net/core/skbuff.c:1035
nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline]
nsim_dev_trap_report_work+0x76b/0xaf0 drivers/net/netdevsim/dev.c:851
process_one_work+0x8a2/0x1160 kernel/workqueue.c:2292
worker_thread+0xaa2/0x1270 kernel/workqueue.c:2439
kthread+0x29d/0x330 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Last potentially related work creation:
kasan_save_stack+0x3a/0x60 mm/kasan/common.c:46
__kasan_record_aux_stack+0xb2/0xc0 mm/kasan/generic.c:486
insert_work+0x54/0x3c0 kernel/workqueue.c:1361
__queue_work+0xba3/0xfb0 kernel/workqueue.c:1520
queue_work_on+0x124/0x1f0 kernel/workqueue.c:1548
rcu_do_batch kernel/rcu/tree.c:2297 [inline]
rcu_core+0xa99/0x1740 kernel/rcu/tree.c:2557
handle_softirqs+0x2a1/0x930 kernel/softirq.c:596
__do_softirq kernel/softirq.c:630 [inline]
invoke_softirq kernel/softirq.c:470 [inline]
__irq_exit_rcu+0x13b/0x230 kernel/softirq.c:679
irq_exit_rcu+0x5/0x20 kernel/softirq.c:691
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1118
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691
Second to last potentially related work creation:
kasan_save_stack+0x3a/0x60 mm/kasan/common.c:46
__kasan_record_aux_stack+0xb2/0xc0 mm/kasan/generic.c:486
call_rcu+0x14f/0x990 kernel/rcu/tree.c:2849
put_super fs/super.c:311 [inline]
deactivate_locked_super+0xc7/0xf0 fs/super.c:343
cleanup_mnt+0x42c/0x4b0 fs/namespace.c:1191
task_work_run+0x1d0/0x260 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:303
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff88804c72e000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 216 bytes inside of
4096-byte region [ffff88804c72e000, ffff88804c72f000)
The buggy address belongs to the physical page:
page:ffffea000131ca00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4c728
head:ffffea000131ca00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888017442140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4401, tgid 4401 (udevd), ts 170983221815, free_ts 167959676793
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
prep_new_page mm/page_alloc.c:2539 [inline]
get_page_from_freelist+0x1a1e/0x1ab0 mm/page_alloc.c:4328
__alloc_pages+0x1ec/0x4f0 mm/page_alloc.c:5614
alloc_slab_page+0x5d/0x160 mm/slub.c:1799
allocate_slab mm/slub.c:1944 [inline]
new_slab+0x87/0x2c0 mm/slub.c:1997
___slab_alloc+0xbc6/0x1240 mm/slub.c:3154
__slab_alloc mm/slub.c:3240 [inline]
slab_alloc_node mm/slub.c:3325 [inline]
__kmem_cache_alloc_node+0x1a0/0x260 mm/slub.c:3398
__do_kmalloc_node mm/slab_common.c:935 [inline]
__kmalloc+0xa0/0x240 mm/slab_common.c:949
kmalloc include/linux/slab.h:568 [inline]
tomoyo_realpath_from_path+0xdf/0x5d0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_check_open_permission+0x212/0x440 security/tomoyo/file.c:771
security_file_open+0x5e/0xa0 security/security.c:1681
do_dentry_open+0x305/0x10d0 fs/open.c:869
do_open fs/namei.c:3634 [inline]
path_openat+0x2635/0x2ee0 fs/namei.c:3791
do_filp_open+0x1f1/0x430 fs/namei.c:3818
do_sys_openat2+0x150/0x4b0 fs/open.c:1320
do_sys_open fs/open.c:1336 [inline]
__do_sys_openat fs/open.c:1352 [inline]
__se_sys_openat fs/open.c:1347 [inline]
__x64_sys_openat+0x135/0x160 fs/open.c:1347
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1459 [inline]
free_pcp_prepare mm/page_alloc.c:1509 [inline]
free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479
free_pg_vec net/packet/af_packet.c:4374 [inline]
packet_set_ring+0x1931/0x2410 net/packet/af_packet.c:4593
packet_release+0x760/0xc00 net/packet/af_packet.c:3201
__sock_release net/socket.c:654 [inline]
sock_close+0xd5/0x240 net/socket.c:1399
__fput+0x22c/0x920 fs/file_table.c:320
task_work_run+0x1d0/0x260 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:303
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Memory state around the buggy address:
ffff88804c72df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88804c72e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804c72e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88804c72e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88804c72e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: cd9b81672742 Linux 6.1.161
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1527a402580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f0605c5af04d7603
dashboard link: https://syzkaller.appspot.com/bug?extid=d952595bb165a72b9ca3
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7c7d6fd2ef9f/disk-cd9b8167.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/544b7fd5d4e0/vmlinux-cd9b8167.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3454f19d3753/bzImage-cd9b8167.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d95259...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __down_read_trylock kernel/locking/rwsem.c:1292 [inline]
BUG: KASAN: use-after-free in down_read_trylock+0xaf/0x3b0 kernel/locking/rwsem.c:1559
Read of size 8 at addr ffff88804c72e0d8 by task kworker/u4:22/7302
CPU: 0 PID: 7302 Comm: kworker/u4:22 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: writeback wb_workfn (flush-7:7)
Call Trace:
<TASK>
dump_stack_lvl+0x188/0x24e lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0xa8/0x210 mm/kasan/report.c:420
kasan_report+0x10b/0x140 mm/kasan/report.c:524
__down_read_trylock kernel/locking/rwsem.c:1292 [inline]
down_read_trylock+0xaf/0x3b0 kernel/locking/rwsem.c:1559
trylock_super+0x1c/0xf0 fs/super.c:415
__writeback_inodes_wb+0x114/0x3f0 fs/fs-writeback.c:1975
wb_writeback+0x494/0xd50 fs/fs-writeback.c:2089
wb_check_old_data_flush fs/fs-writeback.c:2189 [inline]
wb_do_writeback fs/fs-writeback.c:2242 [inline]
wb_workfn+0xb68/0xee0 fs/fs-writeback.c:2270
process_one_work+0x8a2/0x1160 kernel/workqueue.c:2292
worker_thread+0xaa2/0x1270 kernel/workqueue.c:2439
kthread+0x29d/0x330 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
Allocated by task 7298:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0x8e/0xa0 mm/kasan/common.c:384
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:936 [inline]
__kmalloc_node_track_caller+0xae/0x230 mm/slab_common.c:956
kmalloc_reserve net/core/skbuff.c:446 [inline]
__alloc_skb+0x22a/0x7e0 net/core/skbuff.c:515
alloc_skb include/linux/skbuff.h:1271 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x28f/0xaf0 drivers/net/netdevsim/dev.c:851
process_one_work+0x8a2/0x1160 kernel/workqueue.c:2292
worker_thread+0xaa2/0x1270 kernel/workqueue.c:2439
kthread+0x29d/0x330 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Freed by task 7298:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_free_info+0x2d/0x50 mm/kasan/generic.c:516
____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:237
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1729 [inline]
slab_free_freelist_hook+0x131/0x1a0 mm/slub.c:1755
slab_free mm/slub.c:3687 [inline]
__kmem_cache_free+0xb6/0x1f0 mm/slub.c:3700
skb_free_head net/core/skbuff.c:762 [inline]
skb_release_data+0x5db/0x7c0 net/core/skbuff.c:791
skb_release_all net/core/skbuff.c:856 [inline]
__kfree_skb net/core/skbuff.c:870 [inline]
consume_skb+0xa2/0x100 net/core/skbuff.c:1035
nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline]
nsim_dev_trap_report_work+0x76b/0xaf0 drivers/net/netdevsim/dev.c:851
process_one_work+0x8a2/0x1160 kernel/workqueue.c:2292
worker_thread+0xaa2/0x1270 kernel/workqueue.c:2439
kthread+0x29d/0x330 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Last potentially related work creation:
kasan_save_stack+0x3a/0x60 mm/kasan/common.c:46
__kasan_record_aux_stack+0xb2/0xc0 mm/kasan/generic.c:486
insert_work+0x54/0x3c0 kernel/workqueue.c:1361
__queue_work+0xba3/0xfb0 kernel/workqueue.c:1520
queue_work_on+0x124/0x1f0 kernel/workqueue.c:1548
rcu_do_batch kernel/rcu/tree.c:2297 [inline]
rcu_core+0xa99/0x1740 kernel/rcu/tree.c:2557
handle_softirqs+0x2a1/0x930 kernel/softirq.c:596
__do_softirq kernel/softirq.c:630 [inline]
invoke_softirq kernel/softirq.c:470 [inline]
__irq_exit_rcu+0x13b/0x230 kernel/softirq.c:679
irq_exit_rcu+0x5/0x20 kernel/softirq.c:691
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1118
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691
Second to last potentially related work creation:
kasan_save_stack+0x3a/0x60 mm/kasan/common.c:46
__kasan_record_aux_stack+0xb2/0xc0 mm/kasan/generic.c:486
call_rcu+0x14f/0x990 kernel/rcu/tree.c:2849
put_super fs/super.c:311 [inline]
deactivate_locked_super+0xc7/0xf0 fs/super.c:343
cleanup_mnt+0x42c/0x4b0 fs/namespace.c:1191
task_work_run+0x1d0/0x260 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:303
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff88804c72e000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 216 bytes inside of
4096-byte region [ffff88804c72e000, ffff88804c72f000)
The buggy address belongs to the physical page:
page:ffffea000131ca00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4c728
head:ffffea000131ca00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888017442140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4401, tgid 4401 (udevd), ts 170983221815, free_ts 167959676793
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
prep_new_page mm/page_alloc.c:2539 [inline]
get_page_from_freelist+0x1a1e/0x1ab0 mm/page_alloc.c:4328
__alloc_pages+0x1ec/0x4f0 mm/page_alloc.c:5614
alloc_slab_page+0x5d/0x160 mm/slub.c:1799
allocate_slab mm/slub.c:1944 [inline]
new_slab+0x87/0x2c0 mm/slub.c:1997
___slab_alloc+0xbc6/0x1240 mm/slub.c:3154
__slab_alloc mm/slub.c:3240 [inline]
slab_alloc_node mm/slub.c:3325 [inline]
__kmem_cache_alloc_node+0x1a0/0x260 mm/slub.c:3398
__do_kmalloc_node mm/slab_common.c:935 [inline]
__kmalloc+0xa0/0x240 mm/slab_common.c:949
kmalloc include/linux/slab.h:568 [inline]
tomoyo_realpath_from_path+0xdf/0x5d0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_check_open_permission+0x212/0x440 security/tomoyo/file.c:771
security_file_open+0x5e/0xa0 security/security.c:1681
do_dentry_open+0x305/0x10d0 fs/open.c:869
do_open fs/namei.c:3634 [inline]
path_openat+0x2635/0x2ee0 fs/namei.c:3791
do_filp_open+0x1f1/0x430 fs/namei.c:3818
do_sys_openat2+0x150/0x4b0 fs/open.c:1320
do_sys_open fs/open.c:1336 [inline]
__do_sys_openat fs/open.c:1352 [inline]
__se_sys_openat fs/open.c:1347 [inline]
__x64_sys_openat+0x135/0x160 fs/open.c:1347
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1459 [inline]
free_pcp_prepare mm/page_alloc.c:1509 [inline]
free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479
free_pg_vec net/packet/af_packet.c:4374 [inline]
packet_set_ring+0x1931/0x2410 net/packet/af_packet.c:4593
packet_release+0x760/0xc00 net/packet/af_packet.c:3201
__sock_release net/socket.c:654 [inline]
sock_close+0xd5/0x240 net/socket.c:1399
__fput+0x22c/0x920 fs/file_table.c:320
task_work_run+0x1d0/0x260 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:303
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Memory state around the buggy address:
ffff88804c72df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88804c72e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804c72e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88804c72e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88804c72e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages