From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
To: Suren Baghdasaryan <surenb@google.com>
Cc: syzbot <syzbot+54245a237762e7cbecf0@syzkaller.appspotmail.com>,
akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, lorenzo.stoakes@oracle.com,
shakeel.butt@linux.dev, syzkaller-bugs@googlegroups.com,
vbabka@suse.cz
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in mas_walk
Date: Thu, 12 Feb 2026 21:52:59 -0500
Message-ID: <6pj7qr6p2wcg5pbigqzbxikpyxw32zqaysepdzhggbvrd3rf3o@5nu3sf6wz6uf>
In-Reply-To: <CAJuCfpFkHnmX_40RdjnWmicB46Miry6Bc6Lht2rfno0jopraUQ@mail.gmail.com>
* Suren Baghdasaryan <surenb@google.com> [260212 16:31]:
> On Thu, Feb 12, 2026 at 12:56 PM Liam R. Howlett
> <Liam.Howlett@oracle.com> wrote:
> >
> > * syzbot <syzbot+54245a237762e7cbecf0@syzkaller.appspotmail.com> [260212 14:22]:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 192c0159402e Merge tag 'powerpc-7.0-1' of git://git.kernel..
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=1304cc02580000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=aaa1d655bee4457b
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=54245a237762e7cbecf0
> > > compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d40ffa580000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1704cc02580000
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/a42150718371/disk-192c0159.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/4cda72c184d0/vmlinux-192c0159.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/404b09fd74ca/bzImage-192c0159.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+54245a237762e7cbecf0@syzkaller.appspotmail.com
> >
> > This looks like the mm is not reference counted correctly.
> >
> > The maple tree has been destroyed via exit_mmap() while
> > do_user_addr_fault() is executing.
> >
> > >
> > > ==================================================================
> > > BUG: KASAN: slab-use-after-free in ma_dead_node lib/maple_tree.c:572 [inline]
> > > BUG: KASAN: slab-use-after-free in mte_dead_node lib/maple_tree.c:587 [inline]
> > > BUG: KASAN: slab-use-after-free in mas_start lib/maple_tree.c:1207 [inline]
> >
> > This shows it is the root node that is incorrect (which is stored in the
> > mm_struct directly).
> >
> > > BUG: KASAN: slab-use-after-free in mas_state_walk lib/maple_tree.c:3291 [inline]
> > > BUG: KASAN: slab-use-after-free in mas_walk+0x8cf/0x9b0 lib/maple_tree.c:4599
> > > Read of size 8 at addr ffff888078907400 by task syz.0.18/6008
> > >
> > > CPU: 0 UID: 0 PID: 6008 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> > > Call Trace:
> > > <TASK>
> > > __dump_stack lib/dump_stack.c:94 [inline]
> > > dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
> > > print_address_description mm/kasan/report.c:378 [inline]
> > > print_report+0x156/0x4c9 mm/kasan/report.c:482
> > > kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
> > > ma_dead_node lib/maple_tree.c:572 [inline]
> > > mte_dead_node lib/maple_tree.c:587 [inline]
> > > mas_start lib/maple_tree.c:1207 [inline]
> > > mas_state_walk lib/maple_tree.c:3291 [inline]
> > > mas_walk+0x8cf/0x9b0 lib/maple_tree.c:4599
> > > lock_vma_under_rcu+0x101/0x5a0 mm/mmap_lock.c:253
> > > do_user_addr_fault+0x41f/0x12f0 arch/x86/mm/fault.c:1325
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > > handle_page_fault arch/x86/mm/fault.c:1474 [inline]
> > > exc_page_fault+0x6f/0xd0 arch/x86/mm/fault.c:1527
> > > asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
> > > RIP: 0033:0x342000
> > > Code: Unable to access opcode bytes at 0x341fd6.
> > > RSP: 002b:000000000000000e EFLAGS: 00010246
> > > RAX: 0000000000000000 RBX: 00007ff2e4816090 RCX: 00007ff2e459bf79
> > > RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0002000020003b4a
> > > RBP: 00007ff2e46327e0 R08: 0000000000000103 R09: 0000000000000000
> > > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> > > R13: 00007ff2e4816128 R14: 00007ff2e4816090 R15: 00007ffc4f622688
> > > </TASK>
> > >
> > > Allocated by task 5934:
> > > kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
> > > kasan_save_track+0x14/0x30 mm/kasan/common.c:78
> > > unpoison_slab_object mm/kasan/common.c:340 [inline]
> > > __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:366
> > > kasan_slab_alloc include/linux/kasan.h:253 [inline]
> > > slab_post_alloc_hook mm/slub.c:4953 [inline]
> > > slab_alloc_node mm/slub.c:5263 [inline]
> > > kmem_cache_alloc_noprof+0x2ad/0x780 mm/slub.c:5270
> > > mt_alloc_one lib/maple_tree.c:174 [inline]
> > > mas_dup_build lib/maple_tree.c:6299 [inline]
> > > __mt_dup+0x5a8/0xc20 lib/maple_tree.c:6382
> > > dup_mmap+0x36d/0x1e20 mm/mmap.c:1744
> > > dup_mm kernel/fork.c:1530 [inline]
> > > copy_mm kernel/fork.c:1582 [inline]
> > > copy_process+0x7371/0x79b0 kernel/fork.c:2223
> > > kernel_clone+0xfc/0x930 kernel/fork.c:2654
> > > __do_sys_clone+0xd9/0x120 kernel/fork.c:2795
> > > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > > do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
> > > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > >
> > > Freed by task 6003:
> > > kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
> > > kasan_save_track+0x14/0x30 mm/kasan/common.c:78
> > > kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584
> > > poison_slab_object mm/kasan/common.c:253 [inline]
> > > __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285
> > > kasan_slab_free include/linux/kasan.h:235 [inline]
> > > slab_free_hook mm/slub.c:2540 [inline]
> > > slab_free mm/slub.c:6674 [inline]
> > > kfree+0x1c7/0x690 mm/slub.c:6886
> > > mt_destroy_walk+0xc0a/0xfa0 lib/maple_tree.c:5028
> > > mte_destroy_walk lib/maple_tree.c:5049 [inline]
> > > mte_destroy_walk lib/maple_tree.c:5040 [inline]
> > > __mt_destroy+0x2d7/0x390 lib/maple_tree.c:6446
> >
> > __mt_destroy() is called with rcu disabled because the last mm_struct
> > user should be gone.
> >
> > exit_mmap() is only called when there are no mm users left, and then the
> > mm is write locked before removing the rcu protection on the tree.
> >
> > It appears that somehow the fault has the mm without holding a reference
> > to it.
>
> I tried reproducing on my qemu with the same head commit, config and
> using C reproducer and it did not reproduce. I think the only
> difference I have is the GCC version I used. Mine is gcc (Debian
> 15.2.0-3) 15.2.0.
>
I get futex issues before I see this issue - but it could be related.
I was planning to add some debug tomorrow to see if I could figure it
out.
> >
> >
> > > exit_mmap+0x5d3/0xae0 mm/mmap.c:1312
> > > __mmput+0x12a/0x410 kernel/fork.c:1174
> > > mmput+0x67/0x80 kernel/fork.c:1197
> > > exit_mm kernel/exit.c:581 [inline]
> > > do_exit+0x78a/0x2a30 kernel/exit.c:959
> > > do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
> > > __do_sys_exit_group kernel/exit.c:1123 [inline]
> > > __se_sys_exit_group kernel/exit.c:1121 [inline]
> > > __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1121
> > > x64_sys_call+0x102c/0x1530 arch/x86/include/generated/asm/syscalls_64.h:232
> > > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > > do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
> > > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > >
> >
> >
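A userspace model of the reference-count rule the diagnosis above rests on (an added illustration, not kernel code and not part of this thread): the fault path must take a user reference, in the style of the kernel's mmget_not_zero(), before walking the tree, because the last mmput() runs exit_mmap() and destroys it. The struct and function names in the block are invented for the model.

```c
/* Userspace model (added illustration, not kernel code): exit_mmap() runs only
 * once no mm users remain, so a fault-path walker must hold a user reference
 * before touching the tree. All names below are invented for the model. */
#include <stdatomic.h>
#include <stdbool.h>

struct mm_model {
    atomic_int users;   /* stands in for mm->mm_users */
    bool tree_alive;    /* stands in for a valid maple tree root */
};
/* mmput() analogue: drop a user; the last one runs the exit_mmap() analogue,
 * which assumes no users are left and destroys the tree. */
static void mm_model_put(struct mm_model *mm) {
    if (atomic_fetch_sub(&mm->users, 1) == 1)
        mm->tree_alive = false;
}
/* mmget_not_zero() analogue: take a reference only if one still exists, so a
 * lookup can never end up "holding" an mm whose teardown has begun. */
static bool mm_model_get_not_zero(struct mm_model *mm) {
    int old = atomic_load(&mm->users);
    while (old != 0)
        if (atomic_compare_exchange_weak(&mm->users, &old, old + 1))
            return true;
    return false;
}
/* Fault-path analogue: walk the tree only while holding a reference.
 * Returns 1 if the walk saw a live tree, 0 if the mm was already gone. */
static int fault_walk_safe(struct mm_model *mm) {
    if (!mm_model_get_not_zero(mm))
        return 0;                 /* mm dead: fail or retry the fault */
    int ok = mm->tree_alive;      /* tree guaranteed intact while held */
    mm_model_put(mm);
    return ok;
}
/* Last user exits before the fault path looks up the mm: the lookup refuses
 * instead of walking a destroyed tree (returns 0). */
static int scenario_exit_then_fault(void) {
    struct mm_model mm = { .users = 1, .tree_alive = true };
    mm_model_put(&mm);
    return fault_walk_safe(&mm);
}
/* Fault path takes its reference first: the exiter's put leaves the tree
 * intact until the walker drops its reference (returns 1). */
static int scenario_fault_holds_ref(void) {
    struct mm_model mm = { .users = 1, .tree_alive = true };
    if (!mm_model_get_not_zero(&mm)) return 0;
    mm_model_put(&mm);                    /* exiting task's mmput() */
    int alive = mm.tree_alive;            /* still true: walker holds a ref */
    mm_model_put(&mm);                    /* walker done: now destroyed */
    return alive && !mm.tree_alive;
}
```

The second scenario is the intended ordering; the first is the ordering the KASAN report implies, where a walker without a reference would instead read the freed root node.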