[BUG] KASAN: slab-use-after-free in mutex_can_spin_on_owner via adf_dev_up


Wangz...@outlook.com

Jan 8, 2026, 5:42:21 AM
to Giovanni Cabiddu, Herbert Xu, syzk...@googlegroups.com
Hello Linux kernel maintainers,

This is a KASAN: slab-use-after-free found by syzkaller.

1. Description
The crash occurs during an ioctl call to the Intel QAT driver. KASAN detected a use-after-free read at owner_on_cpu within the mutex optimistic spinning code. The issue is triggered in adf_dev_up.

2. Environment
Kernel Branch: mainline (torvalds/linux.git)
Kernel Revision: v6.18 (commit 7d0a66e47ff3)
Kernel Config: https://gist.github.com/manual0/b8f4c12ea784620b3db92dbe56afedbb#file-gistfile1-txt
Compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0

3. Reproducer
C Reproducer: Not available
Syzkaller Reproducer: Not available

4. Syzkaller Report
QAT: failed to copy from user cfg_data.
c6xxvf 0000:00:05.0: Starting acceleration device qat_dev0.
==================================================================
BUG: KASAN: slab-use-after-free in owner_on_cpu home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/sched.h:2282 [inline]
BUG: KASAN: slab-use-after-free in mutex_can_spin_on_owner home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:397 [inline]
BUG: KASAN: slab-use-after-free in mutex_optimistic_spin home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:440 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock_common home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:602 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xd0a/0x1160 home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:760
Read of size 4 at addr ffff888104e04fb4 by task syz.2.266/2820

CPU: 3 UID: 0 PID: 2820 Comm: syz.2.266 Tainted: G D 6.18.0 #3 PREEMPT(voluntary)
Tainted: [D]=DIE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
__dump_stack home/wmy/Fuzzer/third_tool/linux-6.18/lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xdb/0x140 home/wmy/Fuzzer/third_tool/linux-6.18/lib/dump_stack.c:120
print_address_description home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/report.c:378 [inline]
print_report+0xcb/0x610 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/report.c:482
kasan_report+0xca/0x100 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/report.c:595
owner_on_cpu home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/sched.h:2282 [inline]
mutex_can_spin_on_owner home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:397 [inline]
mutex_optimistic_spin home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:440 [inline]
__mutex_lock_common home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:602 [inline]
__mutex_lock+0xd0a/0x1160 home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:760
adf_dev_up+0x44/0x14c0 home/wmy/Fuzzer/third_tool/linux-6.18/drivers/crypto/intel/qat/qat_common/adf_init.c:473 [intel_qat]
adf_ctl_ioctl+0x1d6/0x1080 [intel_qat]
vfs_ioctl home/wmy/Fuzzer/third_tool/linux-6.18/fs/ioctl.c:51 [inline]
__do_sys_ioctl home/wmy/Fuzzer/third_tool/linux-6.18/fs/ioctl.c:597 [inline]
__se_sys_ioctl home/wmy/Fuzzer/third_tool/linux-6.18/fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x194/0x210 home/wmy/Fuzzer/third_tool/linux-6.18/fs/ioctl.c:583
do_syscall_x64 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc6/0x390 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7eff0917059d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007eff07baef98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007eff093e5fa0 RCX: 00007eff0917059d
RDX: 00002000000002c0 RSI: 0000000040096102 RDI: 0000000000000008
RBP: 00007eff0920e078 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007eff093e6038 R14: 00007eff093e5fa0 R15: 00007eff07b8f000
</TASK>

Allocated by task 150:
kasan_save_stack+0x24/0x50 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:56
kasan_save_track+0x14/0x30 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:77
unpoison_slab_object home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:342 [inline]
__kasan_slab_alloc+0x59/0x70 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:368
kasan_slab_alloc home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/kasan.h:252 [inline]
slab_post_alloc_hook home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:4978 [inline]
slab_alloc_node home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:5288 [inline]
kmem_cache_alloc_noprof+0x20a/0x6d0 home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:5295
getname_flags.part.0+0x50/0x560 home/wmy/Fuzzer/third_tool/linux-6.18/fs/namei.c:146
getname_flags+0x9a/0xe0 home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/audit.h:345
getname home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/fs.h:2924 [inline]
do_sys_openat2+0xa4/0x1c0 home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1431
do_sys_open home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1452 [inline]
__do_sys_openat home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1468 [inline]
__se_sys_openat home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1463 [inline]
__x64_sys_openat+0x144/0x200 home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1463
do_syscall_x64 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc6/0x390 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 150:
kasan_save_stack+0x24/0x50 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:56
kasan_save_track+0x14/0x30 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:77
__kasan_save_free_info+0x3b/0x60 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/generic.c:587
kasan_save_free_info home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/kasan.h:406 [inline]
poison_slab_object home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x43/0x70 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:284
kasan_slab_free home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/kasan.h:234 [inline]
slab_free_hook home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:2543 [inline]
slab_free home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:6642 [inline]
kmem_cache_free+0x2ad/0x620 home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:6752
putname.part.0+0x120/0x160 home/wmy/Fuzzer/third_tool/linux-6.18/fs/namei.c:297
putname+0x41/0x50 home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/err.h:84
do_sys_openat2+0x141/0x1c0 home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1445
do_sys_open home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1452 [inline]
__do_sys_openat home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1468 [inline]
__se_sys_openat home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1463 [inline]
__x64_sys_openat+0x144/0x200 home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1463
do_syscall_x64 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc6/0x390 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888104e04400
which belongs to the cache names_cache of size 4096
The buggy address is located 2996 bytes inside of
freed 4096-byte region [ffff888104e04400, ffff888104e05400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104e00
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100a3fb80 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000070007 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888100a3fb80 dead000000000122 0000000000000000
head: 0000000000000000 0000000000070007 00000000f5000000 0000000000000000
head: 0200000000000003 ffffea0004138001 00000000ffffffff 00000000ffffffff
head: ffff888104e01c40 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888104e04e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888104e04f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888104e04f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888104e05000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888104e05080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Best regards,
Zhi Wang
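A small triage helper, added here as an editor's example and not part of the report above, syzkaller or the kernel: it parses the fields a KASAN slab-use-after-free report carries (sample lines quoted from the report above, stack traces omitted), cross-checks that the faulting address really sits at the stated offset inside the freed region, and flags the `D` taint that shows an earlier oops preceded this crash. The regexes assume the report layout shown on this page.

```python
import re

# Sample input: lines quoted from the KASAN report in the post above
# (a trimmed subset; the stack traces are omitted).
REPORT = """\
BUG: KASAN: slab-use-after-free in owner_on_cpu include/linux/sched.h:2282 [inline]
Read of size 4 at addr ffff888104e04fb4 by task syz.2.266/2820
CPU: 3 UID: 0 PID: 2820 Comm: syz.2.266 Tainted: G D 6.18.0 #3 PREEMPT(voluntary)
The buggy address belongs to the object at ffff888104e04400
which belongs to the cache names_cache of size 4096
The buggy address is located 2996 bytes inside of
freed 4096-byte region [ffff888104e04400, ffff888104e05400)
"""

# One regex per report line we care about; group names become dict keys.
PATTERNS = (
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<site>\w+)",
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)",
    r"Tainted: (?P<flags>[A-Z ]+?) \d",
    r"belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)",
    r"located (?P<offset>\d+) bytes inside of",
    r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)",
)
CONVERT = {"addr": 16, "start": 16, "end": 16, "size": 10, "objsize": 10, "offset": 10}

def parse_kasan_report(text):
    """Pull the triage fields out of a KASAN slab-use-after-free report."""
    info = {}
    for pat in PATTERNS:
        m = re.search(pat, text)
        if m is None:
            continue  # tolerate truncated reports; the checker handles missing keys
        for key, val in m.groupdict().items():
            info[key] = int(val, CONVERT[key]) if key in CONVERT else val
    # 'D' in the taint flags means an earlier oops: this may be a follow-on crash.
    info["prior_oops"] = "D" in info.get("flags", "").split()
    return info

def access_is_consistent(info):
    """Cross-check the report against itself: the faulting access must lie
    inside the freed region and match the stated byte offset."""
    needed = ("addr", "size", "start", "end", "offset")
    if any(k not in info for k in needed):
        return False
    in_region = info["start"] <= info["addr"] < info["end"]
    fits = info["addr"] + info["size"] <= info["end"]
    return in_region and fits and info["addr"] - info["start"] == info["offset"]
```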
