[v6.6] KASAN: use-after-free Read in leaf_paste_entries


syzbot

Jul 5, 2025, 6:19:32 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3f5b4c104b7d Linux 6.6.95
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14a22c8c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=747dbf84b0ecd30c
dashboard link: https://syzkaller.appspot.com/bug?extid=c6055b966bf89bcc104a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/421f6e2d0cd1/disk-3f5b4c10.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/90250695b20b/vmlinux-3f5b4c10.xz
kernel image: https://storage.googleapis.com/syzbot-assets/32250e77bce9/bzImage-3f5b4c10.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c6055b...@syzkaller.appspotmail.com

REISERFS (device loop1): Using tea hash to sort names
REISERFS (device loop1): Created .reiserfs_priv - reserved for xattr storage.
==================================================================
BUG: KASAN: use-after-free in leaf_paste_entries+0x580/0x1110 fs/reiserfs/lbalance.c:1362
Read of size 2 at addr ffff8880570ea008 by task syz.1.248/6649

CPU: 1 PID: 6649 Comm: syz.1.248 Not tainted 6.6.95-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xac/0x230 mm/kasan/report.c:475
kasan_report+0x117/0x150 mm/kasan/report.c:588
leaf_paste_entries+0x580/0x1110 fs/reiserfs/lbalance.c:1362
leaf_copy_dir_entries+0x699/0x990 fs/reiserfs/lbalance.c:119
leaf_copy_boundary_item+0xb90/0x2180 fs/reiserfs/lbalance.c:168
leaf_copy_items fs/reiserfs/lbalance.c:551 [inline]
leaf_move_items+0x8b5/0xe90 fs/reiserfs/lbalance.c:726
leaf_shift_left+0xbd/0x450 fs/reiserfs/lbalance.c:750
balance_leaf_when_delete_left fs/reiserfs/do_balan.c:194 [inline]
balance_leaf_when_delete fs/reiserfs/do_balan.c:272 [inline]
balance_leaf+0x1dc1/0x10da0 fs/reiserfs/do_balan.c:1393
do_balance+0x2fe/0x940 fs/reiserfs/do_balan.c:1888
reiserfs_delete_solid_item+0x8b5/0xec0 fs/reiserfs/stree.c:1460
remove_save_link+0x25a/0x3c0 fs/reiserfs/super.c:540
reiserfs_truncate_file+0x561/0x7c0 fs/reiserfs/inode.c:2318
reiserfs_setattr+0xc0c/0x11a0 fs/reiserfs/inode.c:3392
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
vfs_truncate+0x266/0x300 fs/open.c:112
do_sys_truncate+0xe0/0x1a0 fs/open.c:135
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fefc538e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fefc51ff038 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
RAX: ffffffffffffffda RBX: 00007fefc55b5fa0 RCX: 00007fefc538e929
RDX: 0000000000000000 RSI: 00000000003a6000 RDI: 0000200000000080
RBP: 00007fefc5410b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fefc55b5fa0 R15: 00007fffc2672618
</TASK>

The buggy address belongs to the physical page:
page:ffffea00015c3a80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x570ea
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea00016b10c8 ffff8880b8f42360 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x141cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_WRITE), pid 6649, tgid 6648 (syz.1.248), ts 116250338485, free_ts 116339215033
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
prep_new_page mm/page_alloc.c:1561 [inline]
get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
__alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
folio_alloc+0x1e/0x30 mm/mempolicy.c:2291
filemap_alloc_folio+0xdf/0x470 mm/filemap.c:1004
__filemap_get_folio+0x3ee/0xbc0 mm/filemap.c:1962
pagecache_get_page+0x2a/0x250 mm/folio-compat.c:99
reiserfs_write_begin+0x54/0x4c0 fs/reiserfs/inode.c:2755
generic_cont_expand_simple+0x13a/0x200 fs/buffer.c:2482
reiserfs_setattr+0x58f/0x11a0 fs/reiserfs/inode.c:3302
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
vfs_truncate+0x266/0x300 fs/open.c:112
do_sys_truncate+0xe0/0x1a0 fs/open.c:135
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1154 [inline]
free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336
free_unref_page_list+0xbe/0x860 mm/page_alloc.c:2475
release_pages+0x1fa0/0x2220 mm/swap.c:1022
__folio_batch_release+0x71/0xe0 mm/swap.c:1042
folio_batch_release include/linux/pagevec.h:83 [inline]
truncate_inode_pages_range+0x358/0xf00 mm/truncate.c:371
truncate_inode_pages mm/truncate.c:448 [inline]
truncate_pagecache mm/truncate.c:741 [inline]
truncate_setsize+0xbd/0xe0 mm/truncate.c:766
reiserfs_setattr+0xbff/0x11a0 fs/reiserfs/inode.c:3391
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
vfs_truncate+0x266/0x300 fs/open.c:112
do_sys_truncate+0xe0/0x1a0 fs/open.c:135
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2

Memory state around the buggy address:
ffff8880570e9f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880570e9f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880570ea000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880570ea080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880570ea100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Oct 13, 2025, 6:20:17 AM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.