[syzbot] [fs?] KASAN: slab-use-after-free Read in reverse_path_check_proc


syzbot

May 22, 2026, 3:48:29 PM (13 days ago)
to bra...@kernel.org, ja...@suse.cz, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot found the following issue on:

HEAD commit: 80dd246accce Add linux-next specific files for 20260518
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=113cba73980000
kernel config: https://syzkaller.appspot.com/x/.config?x=2a0b5969e136a632
dashboard link: https://syzkaller.appspot.com/bug?extid=e70e1b6cba8714543f7c
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14dc9fba580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10bffcc8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5e187606d6dc/disk-80dd246a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/96a72e613393/vmlinux-80dd246a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c2905548782c/bzImage-80dd246a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e70e1b...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in reverse_path_check_proc+0x5b/0x240 fs/eventpoll.c:1663
Read of size 8 at addr ffff88803777f7e0 by task syz.3.20/6001


CPU: 0 UID: 0 PID: 6001 Comm: syz.3.20 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
reverse_path_check_proc+0x5b/0x240 fs/eventpoll.c:1663
reverse_path_check fs/eventpoll.c:1692 [inline]
ep_insert+0xc6c/0x1820 fs/eventpoll.c:1881
do_epoll_ctl_file+0x8bb/0xed0 fs/eventpoll.c:2651
do_epoll_ctl fs/eventpoll.c:2698 [inline]
__do_sys_epoll_ctl fs/eventpoll.c:2715 [inline]
__se_sys_epoll_ctl+0x14e/0x210 fs/eventpoll.c:2706
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f96281fce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f962783d028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: ffffffffffffffda RBX: 00007f9628476090 RCX: 00007f96281fce59
RDX: 0000000000000003 RSI: 0000000000000001 RDI: 0000000000000006
RBP: 00007f9628292d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000200000000600 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9628476128 R14: 00007f9628476090 R15: 00007ffcab0f8478
</TASK>

Allocated by task 5997:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4583 [inline]
slab_alloc_node mm/slub.c:4912 [inline]
kmem_cache_alloc_noprof+0x33b/0x680 mm/slub.c:4919
ep_attach_file fs/eventpoll.c:1751 [inline]
ep_register_epitem fs/eventpoll.c:1833 [inline]
ep_insert+0x512/0x1820 fs/eventpoll.c:1876
do_epoll_ctl_file+0x8bb/0xed0 fs/eventpoll.c:2651
do_epoll_ctl fs/eventpoll.c:2698 [inline]
__do_sys_epoll_ctl fs/eventpoll.c:2715 [inline]
__se_sys_epoll_ctl+0x14e/0x210 fs/eventpoll.c:2706
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5997:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2700 [inline]
slab_free mm/slub.c:6284 [inline]
kmem_cache_free+0x187/0x6c0 mm/slub.c:6411
eventpoll_release_file+0xc2/0x240 fs/eventpoll.c:1386
eventpoll_release include/linux/eventpoll.h:61 [inline]
__fput+0x83c/0xa70 fs/file_table.c:501
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xf3/0x4d0 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88803777f7e0
which belongs to the cache ep_head of size 16
The buggy address is located 0 bytes inside of
freed 16-byte region [ffff88803777f7e0, ffff88803777f7f0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803777f280 pfn:0x3777f
memcg:ffff88802b46c801
flags: 0x80000000000200(workingset|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000200 ffff888140ae73c0 ffffea0000e3c510 ffffea0000d70e90
raw: ffff88803777f280 0000000800800024 00000000f5000000 ffff88802b46c801
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4987, tgid 4987 (udevd), ts 71313648267, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f9/0x250 mm/page_alloc.c:1873
prep_new_page mm/page_alloc.c:1881 [inline]
get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3954
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5297
alloc_slab_page mm/slub.c:3289 [inline]
allocate_slab+0x74/0x5e0 mm/slub.c:3404
new_slab mm/slub.c:3447 [inline]
refill_objects+0x33c/0x3d0 mm/slub.c:7226
refill_sheaf mm/slub.c:2827 [inline]
__pcs_replace_empty_main+0x373/0x720 mm/slub.c:4665
alloc_from_pcs mm/slub.c:4763 [inline]
slab_alloc_node mm/slub.c:4897 [inline]
kmem_cache_alloc_noprof+0x433/0x680 mm/slub.c:4919
ep_attach_file fs/eventpoll.c:1751 [inline]
ep_register_epitem fs/eventpoll.c:1833 [inline]
ep_insert+0x512/0x1820 fs/eventpoll.c:1876
do_epoll_ctl_file+0x8bb/0xed0 fs/eventpoll.c:2651
do_epoll_ctl fs/eventpoll.c:2698 [inline]
__do_sys_epoll_ctl fs/eventpoll.c:2715 [inline]
__se_sys_epoll_ctl+0x14e/0x210 fs/eventpoll.c:2706
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page_owner free stack trace missing

Memory state around the buggy address:
ffff88803777f680: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
ffff88803777f700: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
>ffff88803777f780: 00 00 fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
^
ffff88803777f800: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
ffff88803777f880: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Hillf Danton

May 22, 2026, 5:22:57 PM (13 days ago)
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Fri, 22 May 2026 12:48:27 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 80dd246accce Add linux-next specific files for 20260518
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=113cba73980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2a0b5969e136a632
> dashboard link: https://syzkaller.appspot.com/bug?extid=e70e1b6cba8714543f7c
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14dc9fba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10bffcc8580000

#syz test

--- x/fs/eventpoll.c
+++ y/fs/eventpoll.c
@@ -456,14 +456,21 @@ static struct kmem_cache *pwq_cache __ro
struct epitems_head {
struct hlist_head epitems;
struct epitems_head *next;
+ struct rcu_head rcu;
};

static struct kmem_cache *ephead_cache __ro_after_init;

+static void __free_ephead(struct rcu_head *r)
+{
+ struct epitems_head *head = container_of(r, struct epitems_head, rcu);
+ kmem_cache_free(ephead_cache, head);
+}
+
static inline void free_ephead(struct epitems_head *head)
{
if (head)
- kmem_cache_free(ephead_cache, head);
+ call_rcu(&head->rcu, __free_ephead);
}

static void list_file(struct file *file, struct ep_ctl_ctx *ctx)
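Review bot: deferring the free with call_rcu() changes when the ep_head object is released but not why ep_remove_file() concludes the head is off tfile_check_list while a walker may still be on it, so whether the deferral covers every reader depends on the whole walk sitting inside an RCU read-side section, which this hunk does not establish; syzbot's run of this patch (the "lost connection to test machine" result below) shows the reproducer still takes the machine down. Two smaller points: struct rcu_head is two pointers, so the 16-byte ep_head objects KASAN reports grow to 32 bytes, and free_ephead() now returns with the object still in flight, which a one-line comment on the function should say for the benefit of callers that reuse or re-list a head.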
--

syzbot

May 22, 2026, 7:31:04 PM (13 days ago)
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
lost connection to test machine



Tested on:

commit: c1ecb239 Add linux-next specific files for 20260522
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13a6cac8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=77a9211ff284de54
dashboard link: https://syzkaller.appspot.com/bug?extid=e70e1b6cba8714543f7c
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15adfa73980000

Zhan Wei

May 28, 2026, 11:40:34 AM (7 days ago)
to syzbot+e70e1b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test

Commit e09c77d94003 ("eventpoll: hoist CTL_ADD scratch state into
struct ep_ctl_ctx") moved tfile_check_list from a file-scope global
to the stack-allocated struct ep_ctl_ctx, replacing the EP_UNACTIVE_PTR
sentinel with NULL because "NULL is the obvious 'empty'
value and the zero-init handle it for free", and described the
change as "No functional change". But it is not.

epitems_head->next is overloaded:

1: as a linked-list next pointer for heads on ctx->tfile_check_list,
2: as a membership flag: ep_remove_file() uses
!smp_load_acquire(&v->next) to mean "this head is not on any
pending ctx->tfile_check_list and is safe to free".

Before e09c77d94003, the EP_UNACTIVE_PTR sentinel kept the two roles
disjoint: a head on tfile_check_list always has a non-NULL next
(another head, or the sentinel), so v->next == NULL was equivalent
to "never listed". With the sentinel gone the list is NULL-terminated
and the tail head's ->next is NULL as well. ep_remove_file()'s gate
can no longer tell "never listed" from "listed at the tail", and
misfires on the tail.

The reader holds epnested_mutex + rcu_read_lock; the freer holds
ep->mtx + file->f_lock. There is no shared mutex between them; the
sentinel was the invariant the gate relied on to skip the read side.

The syzbot reproducer hit this within seconds on a multi-CPU VM.

Restore the sentinel: initialize ctx.tfile_check_list to
EP_UNACTIVE_PTR in do_epoll_ctl_file(), and walk it with
"!= EP_UNACTIVE_PTR" termination in reverse_path_check() and
clear_tfile_check_list(). The gate in ep_remove_file() regains its
"never listed" exclusivity and stops misfiring on the tail.
ep_remove_file() itself does not change.

This restores the invariant the file-scope tfile_check_list relied
on before e09c77d94003, preserving the ctx packaging that commit
introduced.

Reported-by: syzbot+e70e1b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e70e1b6cba8714543f7c
Fixes: e09c77d94003 ("eventpoll: hoist CTL_ADD scratch state into struct ep_ctl_ctx")
Suggested-by: Christian Brauner <bra...@kernel.org>
Link: https://lore.kernel.org/all/20260528-rotwild-summt...@brauner.io/

Signed-off-by: Zhan Wei <zhanw...@gmail.com>
---
fs/eventpoll.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index a569e98d4a99..4973a5a5a3e1 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1685,7 +1685,7 @@ static int reverse_path_check(struct ep_ctl_ctx *ctx)
{
struct epitems_head *p;

- for (p = ctx->tfile_check_list; p; p = p->next) {
+ for (p = ctx->tfile_check_list; p != EP_UNACTIVE_PTR; p = p->next) {
int error;
path_count_init(ctx);
rcu_read_lock();
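Review bot: the comment on the tfile_check_list field of struct ep_ctl_ctx is not touched by this patch and still describes NULL as the empty value (the v2 posting further down shows that text as "NULL means empty"); now that this loop terminates only on EP_UNACTIVE_PTR, the stale comment invites exactly the zero-initialisation the patch has to undo in do_epoll_ctl_file(), so it should change in the same patch.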
@@ -2438,7 +2438,7 @@ static int ep_loop_check(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
static void clear_tfile_check_list(struct ep_ctl_ctx *ctx)
{
rcu_read_lock();
- while (ctx->tfile_check_list) {
+ while (ctx->tfile_check_list != EP_UNACTIVE_PTR) {
struct epitems_head *head = ctx->tfile_check_list;
ctx->tfile_check_list = head->next;
unlist_file(head);
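Review bot: after `ctx->tfile_check_list = head->next;` the popped head's own ->next still points at the next head or at EP_UNACTIVE_PTR, and the gate described in the commit message treats any non-NULL ->next as "still listed"; the hunk therefore depends on unlist_file(), which is not in the diff, resetting ->next to NULL. Worth confirming that it does, and that the store is a release to pair with the smp_load_acquire() on the freer side, otherwise the gate would never see a once-listed head as unlisted again.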
@@ -2601,7 +2601,9 @@ int do_epoll_ctl_file(struct file *f, int op, struct epoll_key *tf,
int full_check;
struct eventpoll *ep;
struct epitem *epi;
- struct ep_ctl_ctx ctx = { };
+ struct ep_ctl_ctx ctx = {
+ .tfile_check_list = EP_UNACTIVE_PTR,
+ };

/* The target file descriptor must support poll */
if (!file_can_poll(tf->file))
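Review bot: with both walks now stopping only on EP_UNACTIVE_PTR, a struct ep_ctl_ctx that is still zero-initialised would be walked straight into a NULL dereference in reverse_path_check() and clear_tfile_check_list(). This initialiser is the only one in the diff; if do_epoll_ctl_file() is not the sole place a ctx is built, either give the other sites the same initialiser or make the loops also stop on NULL as a defensive bound.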
--
2.43.0


syzbot

May 28, 2026, 12:19:04 PM (7 days ago)
to linux-...@vger.kernel.org, syzkall...@googlegroups.com, zhanw...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
lost connection to test machine



Tested on:

commit: e7d700e1 Add linux-next specific files for 20260527
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=178429ec580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c4840d777495ef2
dashboard link: https://syzkaller.appspot.com/bug?extid=e70e1b6cba8714543f7c
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=12ac46f2580000

Zhan Wei

May 28, 2026, 12:59:29 PM (7 days ago)
to syzbot+e70e1b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com


Zhan Wei

May 29, 2026, 9:24:40 AM (6 days ago)
to syzbot+e70e1b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com

syzbot

May 29, 2026, 9:51:03 AM (6 days ago)
to linux-...@vger.kernel.org, syzkall...@googlegroups.com, zhanw...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
lost connection to test machine



Tested on:

commit: f7af91ad Add linux-next specific files for 20260528
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=160117a6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=938b3c3730e59c71
dashboard link: https://syzkaller.appspot.com/bug?extid=e70e1b6cba8714543f7c
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1044cd5e580000

Zhan Wei

May 29, 2026, 10:25:52 AM (6 days ago)
to Christian Brauner, Alexander Viro, Jan Kara, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+e70e1b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Zhan Wei
Commit e09c77d94003 ("eventpoll: hoist CTL_ADD scratch state into
struct ep_ctl_ctx") moved tfile_check_list from a file-scope global into
the stack-allocated struct ep_ctl_ctx, and in doing so replaced the
EP_UNACTIVE_PTR sentinel with NULL on the grounds that "NULL is the
obvious 'empty' value and zero-init handles it for free", describing the
change as "No functional change". It is not.

epitems_head->next is overloaded with two roles:

1. the "next" pointer that threads a head onto ctx->tfile_check_list;
2. a membership flag: ep_remove_file() uses
!smp_load_acquire(&v->next) to mean "this head is not on any
pending ctx->tfile_check_list and is therefore safe to free".

Before that change the EP_UNACTIVE_PTR sentinel kept the two roles
disjoint: a head on the list always had a non-NULL ->next (another head,
or the sentinel at the tail), so ->next == NULL was equivalent to "never
listed". With the sentinel gone the list is NULL-terminated, so the tail
head's ->next is NULL as well. ep_remove_file()'s gate can no longer
distinguish "never listed" from "listed at the tail", and misfires on
the tail head.

The reader (reverse_path_check_proc) holds epnested_mutex +
rcu_read_lock; the freer (ep_remove_file) holds ep->mtx + file->f_lock.
The two sides share no mutex -- the sentinel was the invariant the gate
relied on to know it could skip the read side. With it gone,
ep_remove_file() frees the tail head while reverse_path_check_proc() is
still walking it, producing the slab-use-after-free read. The syzbot
reproducer hits this within seconds on a multi-CPU VM.

Restore the sentinel: initialize ctx.tfile_check_list to EP_UNACTIVE_PTR
in do_epoll_ctl_file(), and terminate the walk on "!= EP_UNACTIVE_PTR"
in reverse_path_check() and clear_tfile_check_list(). The tail head's
->next becomes the sentinel again rather than NULL, so
ep_remove_file()'s gate regains its exclusivity and stops misfiring on
the tail. ep_remove_file() itself is unchanged.

This restores the invariant the file-scope tfile_check_list relied on
before that change while preserving the ctx packaging it introduced.

Reported-by: syzbot+e70e1b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e70e1b6cba8714543f7c
Fixes: e09c77d94003 ("eventpoll: hoist CTL_ADD scratch state into struct ep_ctl_ctx")
Suggested-by: Christian Brauner <bra...@kernel.org>
Link: https://lore.kernel.org/all/20260528-rotwild-summt...@brauner.io/
Signed-off-by: Zhan Wei <zhanw...@gmail.com>
---
fs/eventpoll.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index a569e98d4a99..abef3bc48cc4 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -429,7 +429,11 @@ struct ep_ctl_ctx {
/*
* Singly-linked list of epitems_head objects collected during
* ep_loop_check_proc(), then walked by reverse_path_check().
- * NULL means empty.
+ * Terminated by EP_UNACTIVE_PTR, not NULL: epitems_head->next
+ * doubles as a membership flag (a NULL ->next means "not on this
+ * list", see ep_remove_file()), so the list uses a non-NULL
+ * sentinel to keep the tail head distinguishable from an unlisted
+ * one.
*/
struct epitems_head *tfile_check_list;

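Review bot: the new comment explains why the sentinel exists but not where it is installed; since the walks in reverse_path_check() and clear_tfile_check_list() now stop only on EP_UNACTIVE_PTR, naming do_epoll_ctl_file() as the place that sets `.tfile_check_list = EP_UNACTIVE_PTR`, and saying outright that a zero-initialised ctx is no longer valid, would keep the next reader from reintroducing `struct ep_ctl_ctx ctx = { };`.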
@@ -1685,7 +1689,7 @@ static int reverse_path_check(struct ep_ctl_ctx *ctx)
{
struct epitems_head *p;

- for (p = ctx->tfile_check_list; p; p = p->next) {
+ for (p = ctx->tfile_check_list; p != EP_UNACTIVE_PTR; p = p->next) {
int error;
path_count_init(ctx);
rcu_read_lock();
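Review bot: p->next is read in the loop increment with no NULL check, so correctness rests on list_file(), which is not in the diff, storing a non-NULL ->next into a head before that head becomes reachable from ctx->tfile_check_list, and on that store pairing with the smp_load_acquire() in ep_remove_file() that the commit message cites. If list_file() uses a plain store, an smp_store_release() there belongs in the same fix.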
@@ -2438,7 +2442,7 @@ static int ep_loop_check(struct ep_ctl_ctx *ctx, struct eventpoll *ep,
static void clear_tfile_check_list(struct ep_ctl_ctx *ctx)
{
rcu_read_lock();
- while (ctx->tfile_check_list) {
+ while (ctx->tfile_check_list != EP_UNACTIVE_PTR) {
struct epitems_head *head = ctx->tfile_check_list;
ctx->tfile_check_list = head->next;
unlist_file(head);
@@ -2601,7 +2605,9 @@ int do_epoll_ctl_file(struct file *f, int op, struct epoll_key *tf,
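To make the invariant described in the two commit messages above concrete, here is an added userland model; it is not kernel code and not part of either patch. A head's ->next serves as both list link and membership flag, and the only difference between the three scenario functions is whether the list ends in NULL or in a non-NULL sentinel standing in for EP_UNACTIVE_PTR. The struct, the function names and the sentinel value are the model's own assumptions; ep_remove_file()'s gate is reduced to a NULL test on ->next, as the thread describes it.

```c
/*
 * Added illustration, not kernel code: a userland model of why a
 * NULL-terminated tfile_check_list defeats ep_remove_file()'s
 * "->next == NULL means unlisted" gate, and why a non-NULL sentinel
 * restores it. All names below belong to the model, not to eventpoll.
 */
#include <stddef.h>
#include <stdio.h>

struct head {
	struct head *next;	/* list link, and "am I on a list?" flag */
};

/* Assumed stand-in for EP_UNACTIVE_PTR: non-NULL, never a real address. */
#define UNACTIVE_PTR ((struct head *)-1L)

/* Push the first n_listed heads onto a list terminated by term. */
static struct head *build_list(struct head *heads, size_t n_listed,
			       struct head *term)
{
	struct head *list = term;

	for (size_t i = 0; i < n_listed; i++) {
		heads[i].next = list;	/* first pushed head becomes the tail */
		list = &heads[i];
	}
	return list;
}

/* The freer's gate: ->next == NULL is taken to mean "safe to free". */
static int gate_says_unlisted(const struct head *h)
{
	return h->next == NULL;
}

/* Ground truth: is h reachable from list before the terminator? */
static int actually_listed(const struct head *list, const struct head *h,
			   const struct head *term)
{
	for (const struct head *p = list; p != term; p = p->next)
		if (p == h)
			return 1;
	return 0;
}

/*
 * Count heads where the gate disagrees with the ground truth. A misfire
 * on a listed head is the "freed while the walker still reads it" case.
 */
static int count_misfires(const struct head *list, const struct head *heads,
			  size_t n, const struct head *term)
{
	int misfires = 0;

	for (size_t i = 0; i < n; i++) {
		int listed = actually_listed(list, &heads[i], term);
		if (gate_says_unlisted(&heads[i]) == listed)
			misfires++;
	}
	return misfires;
}

/* Pop every head and mark it unlisted again, as a clear step must. */
static void clear_list(struct head **list, struct head *term)
{
	while (*list != term) {
		struct head *h = *list;
		*list = h->next;
		h->next = NULL;
	}
}

/* Each scenario lists three of four heads; heads[3] is never listed. */
int misfires_null_terminated(void)
{
	struct head heads[4] = { 0 };
	struct head *list = build_list(heads, 3, NULL);
	return count_misfires(list, heads, 4, NULL);	/* 1: the tail head */
}

int misfires_sentinel_terminated(void)
{
	struct head heads[4] = { 0 };
	struct head *list = build_list(heads, 3, UNACTIVE_PTR);
	return count_misfires(list, heads, 4, UNACTIVE_PTR);	/* 0 */
}

int misfires_after_clear(void)
{
	struct head heads[4] = { 0 };
	struct head *list = build_list(heads, 3, UNACTIVE_PTR);
	clear_list(&list, UNACTIVE_PTR);
	return count_misfires(list, heads, 4, UNACTIVE_PTR);	/* 0 */
}

int main(void)
{
	printf("misfires: NULL-terminated %d, sentinel %d, after clear %d\n",
	       misfires_null_terminated(), misfires_sentinel_terminated(),
	       misfires_after_clear());
	return 0;
}
```

Build with any C99 compiler. The NULL-terminated scenario reports one misfire: the tail head, whose ->next is NULL while it is still on the list, which is the head ep_remove_file() freed out from under reverse_path_check_proc() in the KASAN report. The sentinel scenario reports none, and the cleared list reports none only because the pop step resets ->next to NULL, which is the property the real clear path has to preserve for the gate to keep working after a head leaves the list.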

Christian Brauner

7:54 AM (12 hours ago)
to Zhan Wei, Christian Brauner, Alexander Viro, Jan Kara, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+e70e1b...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Fri, 29 May 2026 22:25:33 +0800, Zhan Wei wrote:
> Commit e09c77d94003 ("eventpoll: hoist CTL_ADD scratch state into
> struct ep_ctl_ctx") moved tfile_check_list from a file-scope global into
> the stack-allocated struct ep_ctl_ctx, and in doing so replaced the
> EP_UNACTIVE_PTR sentinel with NULL on the grounds that "NULL is the
> obvious 'empty' value and zero-init handles it for free", describing the
> change as "No functional change". It is not.
>
> [...]

Applied to the vfs-7.2.eventpoll branch of the vfs/vfs.git tree.
Patches in the vfs-7.2.eventpoll branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs-7.2.eventpoll

[1/1] eventpoll: restore EP_UNACTIVE_PTR sentinel for ctx->tfile_check_list
https://git.kernel.org/vfs/vfs/c/a1e9718b406b