syzbot

 sign-in | mailing list | source | docs
🐞 Open [832]
🐞 Fixed [87]
🐞 Invalid [1218]
Missing Backports [132]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: slab-out-of-bounds Read in lmWriteRecord

Status: upstream: reported C repro on 2026/01/15 07:37
Bug presence: origin:upstream
[Documentation on labels]
Reported-by: syzbot+22cb558f3492e9e8282d@syzkaller.appspotmail.com
First crash: 26d, last: 19d
Bug presence (1)
Date Name Commit Repro Result
2026/01/18 upstream (ToT) e84d960149e7 C [report] UBSAN: array-index-out-of-bounds in dtInsertEntry
Similar bugs (2)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: slab-out-of-bounds Read in lmWriteRecord 19 2 44d 73d 0/3 upstream: reported on 2025/11/28 11:20
linux-5.15 general protection fault in lmWriteRecord 2 1 389d 389d 0/3 auto-obsoleted due to no activity on 2025/04/26 22:02
Last patch testing requests (3)
Created Duration User Patch Repo Result
2026/02/04 12:27 11m retest repro linux-5.15.y error
2026/02/04 12:27 13m retest repro linux-5.15.y report log
2026/02/04 12:27 13m retest repro linux-5.15.y error

Sample crash report:
loop0: detected capacity change from 0 to 32768
UFO tlock:0xffffc90002b42288
==================================================================
BUG: KASAN: use-after-free in lmWriteRecord+0x4c8/0x1aa0 fs/jfs/jfs_logmgr.c:433
Read of size 32 at addr ffff888022682e00 by task syz.0.17/4321

CPU: 1 PID: 4321 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x27b/0x290 mm/kasan/generic.c:189
 memcpy+0x25/0x60 mm/kasan/shadow.c:65
 lmWriteRecord+0x4c8/0x1aa0 fs/jfs/jfs_logmgr.c:433
 lmLog+0x6f6/0xa30 fs/jfs/jfs_logmgr.c:314
 dtLog fs/jfs/jfs_txnmgr.c:1653 [inline]
 txLog fs/jfs/jfs_txnmgr.c:1401 [inline]
 txCommit+0x1c2b/0x51c0 fs/jfs/jfs_txnmgr.c:1265
 jfs_mkdir+0x875/0xa70 fs/jfs/namei.c:290
 vfs_mkdir+0x387/0x570 fs/namei.c:4073
 do_mkdirat+0x1d7/0x5a0 fs/namei.c:4098
 __do_sys_mkdirat fs/namei.c:4113 [inline]
 __se_sys_mkdirat fs/namei.c:4111 [inline]
 __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4111
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f5dc8ffbe97
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd245f9938 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007ffd245f99c0 RCX: 00007f5dc8ffbe97
RDX: 00000000000001ff RSI: 0000200000000000 RDI: 00000000ffffff9c
RBP: 00002000000002c0 R08: 0000200000000080 R09: 0000000000000000
R10: 00002000000002c0 R11: 0000000000000246 R12: 0000200000000000
R13: 00007ffd245f9980 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Allocated by task 4214:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x9c/0xd0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519
 slab_alloc_node mm/slub.c:3225 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 kmem_cache_alloc+0x100/0x290 mm/slub.c:3238
 kmem_cache_zalloc include/linux/slab.h:728 [inline]
 __kernfs_new_node+0xd6/0x680 fs/kernfs/dir.c:593
 kernfs_new_node+0x148/0x250 fs/kernfs/dir.c:669
 __kernfs_create_file+0x47/0x2e0 fs/kernfs/file.c:985
 sysfs_add_file_mode_ns+0x2d4/0x3a0 fs/sysfs/file.c:317
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x489/0xcf0 fs/sysfs/group.c:149
 internal_create_groups fs/sysfs/group.c:189 [inline]
 sysfs_create_groups+0x55/0x120 fs/sysfs/group.c:215
 device_add_groups drivers/base/core.c:2491 [inline]
 device_add_attrs+0x83/0x6a0 drivers/base/core.c:2639
 device_add+0x64b/0xfb0 drivers/base/core.c:3363
 netdev_register_kobject+0x176/0x310 net/core/net-sysfs.c:2014
 register_netdevice+0x1019/0x16b0 net/core/dev.c:10397
 __ip_tunnel_create+0x2bf/0x380 net/ipv4/ip_tunnel.c:267
 ip_tunnel_init_net+0x232/0x6b0 net/ipv4/ip_tunnel.c:1084
 ops_init+0x357/0x600 net/core/net_namespace.c:138
 setup_net+0x38d/0x9f0 net/core/net_namespace.c:333
 copy_net_ns+0x348/0x5b0 net/core/net_namespace.c:503
 create_new_namespaces+0x3d3/0x6f0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x116/0x160 kernel/nsproxy.c:226
 ksys_unshare+0x4bc/0x890 kernel/fork.c:3175
 __do_sys_unshare kernel/fork.c:3249 [inline]
 __se_sys_unshare kernel/fork.c:3247 [inline]
 __x64_sys_unshare+0x34/0x40 kernel/fork.c:3247
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 1234:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1710 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1736
 slab_free mm/slub.c:3504 [inline]
 kmem_cache_free+0x8f/0x210 mm/slub.c:3520
 kernfs_put+0x319/0x490 fs/kernfs/dir.c:547
 kernfs_remove_by_name_ns+0x99/0x100 fs/kernfs/dir.c:1567
 kernfs_remove_by_name include/linux/kernfs.h:598 [inline]
 remove_files fs/sysfs/group.c:28 [inline]
 sysfs_remove_group+0xf8/0x290 fs/sysfs/group.c:289
 sysfs_remove_groups+0x50/0xa0 fs/sysfs/group.c:313
 device_del+0x620/0xa70 drivers/base/core.c:3599
 unregister_netdevice_many+0x141e/0x18f0 net/core/dev.c:11161
 ip_tunnel_delete_nets+0x318/0x360 net/ipv4/ip_tunnel.c:1137
 ops_exit_list net/core/net_namespace.c:177 [inline]
 cleanup_net+0x77b/0xb80 net/core/net_namespace.c:635
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

The buggy address belongs to the object at ffff888022682d98
 which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 104 bytes inside of
 168-byte region [ffff888022682d98, ffff888022682e40)
The buggy address belongs to the page:
page:ffffea000089a080 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22682
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8880169e9b40
raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 4214, ts 56496306825, free_ts 56360879643
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5487
 alloc_slab_page mm/slub.c:1780 [inline]
 allocate_slab mm/slub.c:1917 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1980
 ___slab_alloc+0x81e/0xdf0 mm/slub.c:3013
 __slab_alloc mm/slub.c:3100 [inline]
 slab_alloc_node mm/slub.c:3191 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 kmem_cache_alloc+0x195/0x290 mm/slub.c:3238
 kmem_cache_zalloc include/linux/slab.h:728 [inline]
 __kernfs_new_node+0xd6/0x680 fs/kernfs/dir.c:593
 kernfs_new_node+0x148/0x250 fs/kernfs/dir.c:669
 __kernfs_create_file+0x47/0x2e0 fs/kernfs/file.c:985
 sysfs_add_file_mode_ns+0x2d4/0x3a0 fs/sysfs/file.c:317
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x489/0xcf0 fs/sysfs/group.c:149
 internal_create_groups fs/sysfs/group.c:189 [inline]
 sysfs_create_groups+0x55/0x120 fs/sysfs/group.c:215
 create_dir lib/kobject.c:100 [inline]
 kobject_add_internal+0x7a5/0xd00 lib/kobject.c:263
 kobject_add_varg lib/kobject.c:398 [inline]
 kobject_init_and_add+0x122/0x190 lib/kobject.c:481
 netdev_queue_add_kobject net/core/net-sysfs.c:1666 [inline]
 netdev_queue_update_kobjects+0x19c/0x3e0 net/core/net-sysfs.c:1711
 register_queue_kobjects net/core/net-sysfs.c:1772 [inline]
 netdev_register_kobject+0x265/0x310 net/core/net-sysfs.c:2018
 register_netdevice+0x1019/0x16b0 net/core/dev.c:10397
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x94/0x280 mm/page_alloc.c:3396
 __vunmap+0x8ab/0xa40 mm/vmalloc.c:2628
 kcov_put kernel/kcov.c:417 [inline]
 kcov_close+0x27/0x50 kernel/kcov.c:519
 __fput+0x234/0x930 fs/file_table.c:311
 task_work_run+0x125/0x1a0 kernel/task_work.c:188
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0x61e/0x20a0 kernel/exit.c:883
 do_group_exit+0x12e/0x300 kernel/exit.c:997
 get_signal+0x6ca/0x12c0 kernel/signal.c:2900
 arch_do_signal_or_restart+0xc1/0x1300 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:154 [inline]
 exit_to_user_mode_loop+0x9e/0x130 kernel/entry/common.c:178
 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff888022682d00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
 ffff888022682d80: fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888022682e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff888022682e80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888022682f00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/01/15 09:49 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-5-15-kasan KASAN: use-after-free Read in lmWriteRecord
2026/01/15 09:03 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-5-15-kasan KASAN: use-after-free Read in lmWriteRecord
2026/01/15 08:22 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-5-15-kasan KASAN: use-after-free Read in lmWriteRecord
2026/01/15 07:37 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: slab-out-of-bounds Read in lmWriteRecord
2026/01/21 11:01 linux-5.15.y 9eec9a14ee10 6f1aa2f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in lmWriteRecord
* Struck through repros no longer work on HEAD.