Hello,
syzbot found the following issue on:
HEAD commit: 92e3f6ef4ffb Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=171df4e6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4a42e870a0b0ae0
dashboard link: https://syzkaller.appspot.com/bug?extid=9cffbbb502957f124c89
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
userspace arch: arm64
CC: [amir...@gmail.com ja...@suse.cz linux-...@vger.kernel.org linux-...@vger.kernel.org rep...@google.com]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/75ce25b4a6ef/disk-92e3f6ef.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/14bda28d7d38/vmlinux-92e3f6ef.xz
kernel image: https://storage.googleapis.com/syzbot-assets/247283a18992/Image-92e3f6ef.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9cffbb...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in copy_range_info_to_user fs/notify/fanotify/fanotify_user.c:682 [inline]
BUG: KASAN: vmalloc-out-of-bounds in copy_info_records_to_user fs/notify/fanotify/fanotify_user.c:813 [inline]
BUG: KASAN: vmalloc-out-of-bounds in copy_event_to_user fs/notify/fanotify/fanotify_user.c:944 [inline]
BUG: KASAN: vmalloc-out-of-bounds in fanotify_read+0x13d8/0x23a4 fs/notify/fanotify/fanotify_user.c:1032
Read of size 8 at addr ffff800092bb7b08 by task syz.6.1374/10180
CPU: 0 UID: 0 PID: 10180 Comm: syz.6.1374 Tainted: G L syzkaller #0 PREEMPT
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xb0/0x238 mm/kasan/report.c:378
print_report+0x68/0x84 mm/kasan/report.c:482
kasan_report+0x8c/0xc4 mm/kasan/report.c:595
__asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
copy_range_info_to_user fs/notify/fanotify/fanotify_user.c:682 [inline]
copy_info_records_to_user fs/notify/fanotify/fanotify_user.c:813 [inline]
copy_event_to_user fs/notify/fanotify/fanotify_user.c:944 [inline]
fanotify_read+0x13d8/0x23a4 fs/notify/fanotify/fanotify_user.c:1032
do_loop_readv_writev+0x24c/0x3dc fs/read_write.c:-1
vfs_readv+0x258/0x520 fs/read_write.c:1022
do_readv+0x134/0x2a8 fs/read_write.c:1082
__do_sys_readv fs/read_write.c:1167 [inline]
__se_sys_readv fs/read_write.c:1164 [inline]
__arm64_sys_readv+0x80/0x94 fs/read_write.c:1164
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
The buggy address belongs to a vmalloc virtual mapping
Memory state around the buggy address:
ffff800092bb7a00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffff800092bb7a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffff800092bb7b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffff800092bb7b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffff800092bb7c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
Unable to handle kernel paging request at virtual address ffff800092bb7b08
KASAN: probably user-memory-access in range [0x0000000495dbd840-0x0000000495dbd847]
Mem abort info:
ESR = 0x0000000096000007
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x07: level 3 translation fault
Data abort info:
ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000021b33c000
[ffff800092bb7b08] pgd=0000000000000000, p4d=10000002215ef003, pud=10000002215f0003, pmd=10000001051dd403, pte=0000000000000000
Internal error: Oops: 0000000096000007 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 10180 Comm: syz.6.1374 Tainted: G B L syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE, [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : copy_range_info_to_user fs/notify/fanotify/fanotify_user.c:682 [inline]
pc : copy_info_records_to_user fs/notify/fanotify/fanotify_user.c:813 [inline]
pc : copy_event_to_user fs/notify/fanotify/fanotify_user.c:944 [inline]
pc : fanotify_read+0x13d8/0x23a4 fs/notify/fanotify/fanotify_user.c:1032
lr : copy_range_info_to_user fs/notify/fanotify/fanotify_user.c:682 [inline]
lr : copy_info_records_to_user fs/notify/fanotify/fanotify_user.c:813 [inline]
lr : copy_event_to_user fs/notify/fanotify/fanotify_user.c:944 [inline]
lr : fanotify_read+0x13d8/0x23a4 fs/notify/fanotify/fanotify_user.c:1032
sp : ffff800092ca7740
x29: ffff800092ca79b0 x28: ffff0000d47fc8f0 x27: 0000000000000000
x26: ffff800092bb7b08 x25: dfff800000000000 x24: 1fffe00019037740
x23: ffff0000c81bba00 x22: ffff0000d50f9000 x21: 0000000020000300
x20: 00000000000000cb x19: 0000000020000300 x18: 1fffe00035beb820
x17: 0000000000000003 x16: ffff800088a0b000 x15: ffff800088abda60
x14: ffff0001adf5c10c x13: 0000000000000001 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000080000 x9 : 0000000000000000
x8 : ffff0000c81bba00 x7 : 0000000000000000 x6 : ffff80008048076c
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000802f40a4
x2 : 0000000000000000 x1 : ffff0000c81bba00 x0 : 0000000000000001
Call trace:
copy_range_info_to_user fs/notify/fanotify/fanotify_user.c:682 [inline] (P)
copy_info_records_to_user fs/notify/fanotify/fanotify_user.c:813 [inline] (P)
copy_event_to_user fs/notify/fanotify/fanotify_user.c:944 [inline] (P)
fanotify_read+0x13d8/0x23a4 fs/notify/fanotify/fanotify_user.c:1032 (P)
do_loop_readv_writev+0x24c/0x3dc fs/read_write.c:-1
vfs_readv+0x258/0x520 fs/read_write.c:1022
do_readv+0x134/0x2a8 fs/read_write.c:1082
__do_sys_readv fs/read_write.c:1167 [inline]
__se_sys_readv fs/read_write.c:1164 [inline]
__arm64_sys_readv+0x80/0x94 fs/read_write.c:1164
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
Code: 38796908 34000068 aa1a03e0 97f75966 (f9400348)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 38796908 ldrb w8, [x8, x25]
4: 34000068 cbz w8, 0x10
8: aa1a03e0 mov x0, x26
c: 97f75966 bl 0xffffffffffdd65a4
* 10: f9400348 ldr x8, [x26] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup