syzbot


KASAN: slab-use-after-free Read in fuse_copy_do

Status: moderation: reported on 2026/07/01 06:07
Subsystems: fuse
Reported-by: syzbot+5373c08d744f8fe8f41f@syzkaller.appspotmail.com
First crash: 6d18h, last: 6d18h
✨ AI Jobs (5)
ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision (the job's error, truncated to its first 200 bytes, follows on the next line; the Correct column is empty for every job)
b8db1876-fa9e-4057-8f6c-2dd1db484b40 | moderation | 💥 | | KASAN: slab-use-after-free Read in fuse_copy_do | 2026/07/04 00:00 | 2026/07/04 00:00 | 2026/07/04 00:02 | 93f579545ae410f5bccfa141d2e7bf03178f036c
    error: failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=arm64" "CROSS_COMPILE=aarch64-linux-gnu-" "CC=ccache clang" "LD=ld.lld" "O=/app/work...
39ba396f-56a6-49fd-adf3-127bbcdefd0d | assessment-security | 💥 | | KASAN: slab-use-after-free Read in fuse_copy_do | 2026/07/03 00:01 | 2026/07/03 00:01 | 2026/07/03 00:19 | 93f579545ae410f5bccfa141d2e7bf03178f036c
    error: failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=arm64" "CROSS_COMPILE=aarch64-linux-gnu-" "CC=ccache clang" "LD=ld.lld" "O=/app/work...
243aa5c2-7d41-4850-b827-9f6c9b58c1b0 | moderation | 💥 | | KASAN: slab-use-after-free Read in fuse_copy_do | 2026/07/02 00:01 | 2026/07/02 00:01 | 2026/07/02 00:23 | 93f579545ae410f5bccfa141d2e7bf03178f036c
    error: failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=arm64" "CROSS_COMPILE=aarch64-linux-gnu-" "CC=ccache clang" "LD=ld.lld" "O=/app/work...
0e1c3aa4-ebc1-4cb3-9d81-8fec5efdf0dd | assessment-security | 💥 | | KASAN: slab-use-after-free Read in fuse_copy_do | 2026/06/30 00:01 | 2026/06/30 00:01 | 2026/06/30 00:01 | fff8d0a0e302881e84edbe2230016e3bec252ec6
    error: failed to run ["git" "-c" "core.hooksPath=/dev/null" "fetch" "--force" "--tags" "433dfd5a8a5d80bbf0669b14e9ed908911a52dd6" "92e3f6ef4ffb1f65e7774f4611c27fb764b3bc14"]: exit status 128
    error: insuffici...
afa13ef7-4fa8-47a1-8892-1ea41bcbfa54 | assessment-security | 💥 | | KASAN: slab-use-after-free Read in fuse_copy_do | 2026/06/29 00:00 | 2026/06/29 00:00 | 2026/06/29 00:00 | fb92f11c4789d9647a75c09c983dbee5c8488ccf
    error: failed to run ["git" "-c" "core.hooksPath=/dev/null" "checkout" "92e3f6ef4ffb1f65e7774f4611c27fb764b3bc14"]: exit status 128
    error: Could not read 23997b17256ca0184953e2c4954dccb29b175f37
Similar bugs (4)
Kernel | Title (subsystem) | Rank | Repro | Bisect (cause/fix, as shown on the page) | Count | Last | Reported | Patched | Status
upstream | KASAN: null-ptr-deref Read in fuse_copy_do (fuse) | 12 | C | done | 10 | 543d | 583d | 28/29 | fixed on 2025/05/06 15:33
linux-4.14 | KASAN: use-after-free Read in fuse_copy_do | 19 | C | | 1 | 1222d | 1326d | 0/1 | upstream: reported C repro on 2022/11/15 20:38
linux-4.19 | KASAN: use-after-free Read in fuse_copy_do | 19 | C | error | 1 | 1326d | 1326d | 0/1 | upstream: reported C repro on 2022/11/15 07:48
upstream | KASAN: use-after-free Write in fuse_copy_do (fuse) | 22 | C | | 15 | 121d | 122d | 0/29 | auto-obsoleted due to no activity on 2026/05/13 11:17

Sample crash report:
==================================================================
BUG: KASAN: slab-use-after-free in fuse_copy_do+0x1a0/0x38c fs/fuse/dev.c:-1
Read of size 64 at addr ffff0000cbe00888 by task syz.7.1148/9889

CPU: 1 UID: 0 PID: 9889 Comm: syz.7.1148 Tainted: G             L      syzkaller #0 PREEMPT 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xb0/0x238 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:482
 kasan_report+0x8c/0xc4 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x17c/0x1ac mm/kasan/generic.c:200
 __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
 fuse_copy_do+0x1a0/0x38c fs/fuse/dev.c:-1
 fuse_copy_one+0xc4/0x130 fs/fuse/dev.c:1215
 fuse_copy_args+0x2a8/0x398 fs/fuse/dev.c:1233
 fuse_dev_do_read+0xac8/0xfe8 fs/fuse/dev.c:1507
 fuse_dev_read+0x140/0x1c8 fs/fuse/dev.c:1586
 new_sync_read fs/read_write.c:493 [inline]
 vfs_read+0x498/0x8c8 fs/read_write.c:574
 ksys_read+0x12c/0x228 fs/read_write.c:717
 __do_sys_read fs/read_write.c:726 [inline]
 __se_sys_read fs/read_write.c:724 [inline]
 __arm64_sys_read+0x7c/0x90 fs/read_write.c:724
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594

Allocated by task 9885:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:78
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:570
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x2d4/0x624 mm/slub.c:5420
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 fuse_new_init fs/fuse/inode.c:1519 [inline]
 fuse_send_init+0x64/0x630 fs/fuse/inode.c:1579
 fuse_fill_super+0x100/0x124 fs/fuse/inode.c:1990
 vfs_get_super+0xb8/0x148 fs/super.c:1327
 get_tree_nodev+0x2c/0x3c fs/super.c:1346
 fuse_get_tree+0x240/0x324 fs/fuse/inode.c:2055
 vfs_get_tree+0x90/0x28c fs/super.c:1754
 fc_mount+0x24/0xac fs/namespace.c:1193
 do_new_mount_fc fs/namespace.c:3758 [inline]
 do_new_mount+0x2a4/0x538 fs/namespace.c:3834
 path_mount+0x5f0/0xa88 fs/namespace.c:4154
 do_mount+0xe8/0x148 fs/namespace.c:4167
 __do_sys_mount fs/namespace.c:4383 [inline]
 __se_sys_mount fs/namespace.c:4360 [inline]
 __arm64_sys_mount+0x334/0x380 fs/namespace.c:4360
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594

Freed by task 9885:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:78
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x74/0xa4 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2689 [inline]
 slab_free mm/slub.c:6251 [inline]
 kfree+0x188/0x690 mm/slub.c:6566
 process_init_reply+0xdc/0x1b30 fs/fuse/inode.c:1503
 fuse_send_init+0x378/0x630 fs/fuse/inode.c:1594
 fuse_fill_super+0x100/0x124 fs/fuse/inode.c:1990
 vfs_get_super+0xb8/0x148 fs/super.c:1327
 get_tree_nodev+0x2c/0x3c fs/super.c:1346
 fuse_get_tree+0x240/0x324 fs/fuse/inode.c:2055
 vfs_get_tree+0x90/0x28c fs/super.c:1754
 fc_mount+0x24/0xac fs/namespace.c:1193
 do_new_mount_fc fs/namespace.c:3758 [inline]
 do_new_mount+0x2a4/0x538 fs/namespace.c:3834
 path_mount+0x5f0/0xa88 fs/namespace.c:4154
 do_mount+0xe8/0x148 fs/namespace.c:4167
 __do_sys_mount fs/namespace.c:4383 [inline]
 __se_sys_mount fs/namespace.c:4360 [inline]
 __arm64_sys_mount+0x334/0x380 fs/namespace.c:4360
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594

The buggy address belongs to the object at ffff0000cbe00800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 136 bytes inside of
 freed 512-byte region [ffff0000cbe00800, ffff0000cbe00a00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10be00
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0001c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0001c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 05ffc00000000002 fffffdffc32f8001 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000cbe00780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000cbe00800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000cbe00880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff0000cbe00900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000cbe00980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
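What the report above establishes before any source reading: the 512-byte object (cache kmalloc-512) is the FUSE_INIT argument buffer zero-allocated in fuse_new_init (inlined into fuse_send_init, inode.c:1519) by task 9885 during mount. The same task frees it through process_init_reply called directly from fuse_send_init (inode.c:1594), that is, fuse_send_init's own path for a request that did not complete normally rather than the reply-driven completion. Meanwhile task 9889, inside read() on the FUSE device, is still copying 64 bytes at offset 136 of that buffer out to its user buffer via fuse_dev_do_read, fuse_copy_args and fuse_copy_do. The request arguments therefore outlived the object that backed them, and a second task observed freed memory. The `:-1` line numbers mean the symbolizer could not map that address to a source line.

The script below is an added triage helper, not syzbot or kernel code. It reduces a KASAN report to the facts a practitioner checks first: bug class, access size and offset within the slab object, whether the access stays inside the freed object, the first non-instrumentation frames of the allocation, free and access stacks, and which task performed each, then flags the alloc-and-free-by-one-task, access-by-another pattern seen here. The embedded input is the report above, trimmed to the frames the script needs; the noise-path list is an assumption chosen for this arm64 report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added triage helper, not syzbot or kernel code: reduces a KASAN report to
# who allocated, freed and touched the object, from where, and at what offset.

# Sanitizer, allocator and stack-dump frames are noise; the first frame outside them owns the event.
NOISE_PATHS = ("mm/kasan/", "mm/slub.c", "include/linux/kasan.h",
               "include/linux/slab.h", "lib/dump_stack.c", "arch/arm64/kernel/stacktrace.c")

FRAME_RE = re.compile(r"^\s+([\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+?):(-?\d+)")
BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in ([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ (\S+)")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
TASK_RE = re.compile(r"^(Allocated|Freed) by task (\d+):")
OBJECT_RE = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")

# Copied from the syzbot report above, trimmed to the frames this script needs.
REPORT = """\
BUG: KASAN: slab-use-after-free in fuse_copy_do+0x1a0/0x38c fs/fuse/dev.c:-1
Read of size 64 at addr ffff0000cbe00888 by task syz.7.1148/9889

Call trace:
 __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
 fuse_copy_do+0x1a0/0x38c fs/fuse/dev.c:-1
 fuse_dev_do_read+0xac8/0xfe8 fs/fuse/dev.c:1507

Allocated by task 9885:
 __kmalloc_cache_noprof+0x2d4/0x624 mm/slub.c:5420
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 fuse_new_init fs/fuse/inode.c:1519 [inline]
 fuse_send_init+0x64/0x630 fs/fuse/inode.c:1579

Freed by task 9885:
 kfree+0x188/0x690 mm/slub.c:6566
 process_init_reply+0xdc/0x1b30 fs/fuse/inode.c:1503
 fuse_send_init+0x378/0x630 fs/fuse/inode.c:1594

The buggy address belongs to the object at ffff0000cbe00800
 which belongs to the cache kmalloc-512 of size 512
"""


@dataclass
class Event:
    task: Optional[int]
    frames: List[Tuple[str, str, int]]  # (function, file, line)

    def owners(self, n: int = 3) -> List[str]:
        """First n frames outside the instrumentation and allocator paths."""
        return [f"{fn} {path}:{line}" for fn, path, line in self.frames
                if not path.startswith(NOISE_PATHS)][:n]


def _frames(lines: List[str], start: int) -> List[Tuple[str, str, int]]:
    out = []
    for ln in lines[start:]:
        if not ln.strip():          # a blank line ends each stack
            break
        if m := FRAME_RE.match(ln):
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out


def parse_kasan_report(text: str) -> dict:
    lines = text.splitlines()
    info: dict = {"events": {}}
    for i, ln in enumerate(lines):
        if m := BUG_RE.match(ln):
            info["bug"], info["where"], info["site"] = m.groups()
        elif m := ACCESS_RE.match(ln):
            info["access"] = {"kind": m.group(1), "size": int(m.group(2)),
                              "addr": int(m.group(3), 16), "comm": m.group(4),
                              "task": int(m.group(5))}
        elif ln.lower().startswith("call trace:"):   # the faulting access
            info["events"]["access"] = Event(info["access"]["task"], _frames(lines, i + 1))
        elif m := TASK_RE.match(ln):
            key = "alloc" if m.group(1) == "Allocated" else "free"
            info["events"][key] = Event(int(m.group(2)), _frames(lines, i + 1))
        elif m := OBJECT_RE.search(ln):
            info["object"] = int(m.group(1), 16)
        elif m := CACHE_RE.search(ln):
            info["cache"], info["obj_size"] = m.group(1), int(m.group(2))
    acc = info["access"]
    info["offset"] = acc["addr"] - info["object"]
    # True when the whole access lies inside the freed object (pure UAF, no OOB)
    info["in_bounds"] = 0 <= info["offset"] and info["offset"] + acc["size"] <= info["obj_size"]
    return info


def summarize(info: dict) -> str:
    ev, acc = info["events"], info["access"]
    out = [f"{info['bug']}: {acc['kind']} of {acc['size']} bytes in {info['where']} ({info['site']})",
           f"object: {info['cache']} ({info['obj_size']} bytes), access at offset {info['offset']}"]
    for name in ("alloc", "free", "access"):
        out.append(f"{name} by task {ev[name].task}: " + " <- ".join(ev[name].owners()))
    if ev["alloc"].task == ev["free"].task != ev["access"].task:
        out.append("pattern: cross-task lifetime race, the owning task freed the object "
                   "while another task still referenced it")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(parse_kasan_report(REPORT)))
```

Run it as a script to print the summary, or call parse_kasan_report on the full text of any syzbot report to get the same fields. The owner filter is a plain path-prefix list, so x86 reports need their arch stack-dump path added to NOISE_PATHS before the first non-noise frame is meaningful.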

Crashes (1):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2026/06/27 06:02 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 92e3f6ef4ffb | fb92f11c | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in fuse_copy_do