[v6.1] KASAN: use-after-free Write in __kernfs_remove


syzbot

Jun 29, 2026, 4:38:29 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: fdb6fcb41cc7 Linux 6.1.176
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10999391580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f312e19619d04f50
dashboard link: https://syzkaller.appspot.com/bug?extid=0efffa679f627b85147f
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/be13f594160c/disk-fdb6fcb4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/861f249f1e1c/vmlinux-fdb6fcb4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/59bb274672f8/Image-fdb6fcb4.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0efffa...@syzkaller.appspotmail.com

bond0 (unregistering): (slave team0): Releasing backup interface
bond0 (unregistering): Released all slaves
bond1 (unregistering): (slave geneve2): Releasing backup interface
bond1 (unregistering): Released all slaves
==================================================================
BUG: KASAN: use-after-free in __rb_erase_augmented include/linux/rbtree_augmented.h:218 [inline]
BUG: KASAN: use-after-free in rb_erase+0x7f4/0xbbc lib/rbtree.c:443
Write of size 8 at addr ffff000000000000 by task kworker/u4:4/1591

CPU: 0 PID: 1591 Comm: kworker/u4:4 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
Workqueue: netns cleanup_net
Call trace:
dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
print_address_description+0x88/0x218 mm/kasan/report.c:316
print_report+0x50/0x68 mm/kasan/report.c:420
kasan_report+0xa8/0xfc mm/kasan/report.c:524
__asan_report_store8_noabort+0x2c/0x38 mm/kasan/report_generic.c:356
__rb_erase_augmented include/linux/rbtree_augmented.h:218 [inline]
rb_erase+0x7f4/0xbbc lib/rbtree.c:443
kernfs_unlink_sibling fs/kernfs/dir.c:418 [inline]
__kernfs_remove+0x4bc/0x654 fs/kernfs/dir.c:1467
kernfs_remove_by_name_ns+0xe4/0x184 fs/kernfs/dir.c:1667
kernfs_remove_by_name include/linux/kernfs.h:622 [inline]
remove_files fs/sysfs/group.c:28 [inline]
sysfs_remove_group+0xf4/0x278 fs/sysfs/group.c:288
netdev_queue_update_kobjects+0x3b4/0x444 net/core/net-sysfs.c:1729
remove_queue_kobjects net/core/net-sysfs.c:1828 [inline]
netdev_unregister_kobject+0xf0/0x204 net/core/net-sysfs.c:1981
unregister_netdevice_many_notify+0x1300/0x1900 net/core/dev.c:11051
unregister_netdevice_many net/core/dev.c:11077 [inline]
default_device_exit_batch+0x9d4/0xa70 net/core/dev.c:11549
ops_exit_list net/core/net_namespace.c:177 [inline]
cleanup_net+0x650/0xa90 net/core/net_namespace.c:640
process_one_work+0x7e4/0x13bc kernel/workqueue.c:2292
worker_thread+0x8cc/0xfe8 kernel/workqueue.c:2439
kthread+0x254/0x2e0 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850

The buggy address belongs to the physical page:
page:00000000ceb0d921 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x40000
flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 01ffc00000000000 fffffc0000010008 ffff0001fea6db20 0000000000000000
raw: 0000000000000000 000000000000000a 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
Unable to handle kernel paging request at virtual address ffff5fffffffffe0
KASAN: maybe wild-memory-access in range [0xfffeffffffffff00-0xfffeffffffffff07]
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000020dcd1000
[ffff5fffffffffe0] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 1591 Comm: kworker/u4:4 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
Workqueue: netns cleanup_net
pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : __memcpy+0x24/0x240 arch/arm64/lib/memcpy.S:71
lr : kasan_metadata_fetch_row+0x20/0x2c mm/kasan/report_generic.c:156
sp : ffff800025a57470
x29: ffff800025a57470 x28: ffff0000cd630cb0 x27: 1fffe0001cc9ac0a
x26: ffff0000e64d6128 x25: dfff800000000000 x24: ffff0000cd630d20
x23: 1fffe0001cc9ac27 x22: fffeffffffffff00 x21: ffff000000000000
x20: ffff000000000000 x19: ffff000000000000 x18: 1fffe00033e7ff7e
x17: 0000000000000000 x16: ffff8000088f3a30 x15: 0000000000000000
x14: 0000000000000001 x13: 1ffff00004b4ae95 x12: 0000000000000000
x11: ff00800011a33250 x10: 0000000000000000 x9 : 64f659dc8615c100
x8 : dfff800000000000 x7 : 0000000000000000 x6 : 000000000000003a
x5 : ffff800025a57498 x4 : ffff5ffffffffff0 x3 : ffff800011a31b94
x2 : 0000000000000010 x1 : ffff5fffffffffe0 x0 : ffff800025a57488
Call trace:
__memcpy+0x24/0x240 arch/arm64/lib/memcpy.S:70
print_memory_metadata+0x60/0x310 mm/kasan/report.c:396
print_report+0x58/0x68 mm/kasan/report.c:421
kasan_report+0xa8/0xfc mm/kasan/report.c:524
__asan_report_store8_noabort+0x2c/0x38 mm/kasan/report_generic.c:356
__rb_erase_augmented include/linux/rbtree_augmented.h:218 [inline]
rb_erase+0x7f4/0xbbc lib/rbtree.c:443
kernfs_unlink_sibling fs/kernfs/dir.c:418 [inline]
__kernfs_remove+0x4bc/0x654 fs/kernfs/dir.c:1467
kernfs_remove_by_name_ns+0xe4/0x184 fs/kernfs/dir.c:1667
kernfs_remove_by_name include/linux/kernfs.h:622 [inline]
remove_files fs/sysfs/group.c:28 [inline]
sysfs_remove_group+0xf4/0x278 fs/sysfs/group.c:288
netdev_queue_update_kobjects+0x3b4/0x444 net/core/net-sysfs.c:1729
remove_queue_kobjects net/core/net-sysfs.c:1828 [inline]
netdev_unregister_kobject+0xf0/0x204 net/core/net-sysfs.c:1981
unregister_netdevice_many_notify+0x1300/0x1900 net/core/dev.c:11051
unregister_netdevice_many net/core/dev.c:11077 [inline]
default_device_exit_batch+0x9d4/0xa70 net/core/dev.c:11549
ops_exit_list net/core/net_namespace.c:177 [inline]
cleanup_net+0x650/0xa90 net/core/net_namespace.c:640
process_one_work+0x7e4/0x13bc kernel/workqueue.c:2292
worker_thread+0x8cc/0xfe8 kernel/workqueue.c:2439
kthread+0x254/0x2e0 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
Code: f100805f 540003c8 f100405f 540000c3 (a9401c26)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: f100805f cmp x2, #0x20
4: 540003c8 b.hi 0x7c // b.pmore
8: f100405f cmp x2, #0x10
c: 540000c3 b.cc 0x24 // b.lo, b.ul, b.last
* 10: a9401c26 ldp x6, x7, [x1] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup