From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
To: syzbot <syzbot+54245a237762e7cbecf0@syzkaller.appspotmail.com>
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, lorenzo.stoakes@oracle.com,
shakeel.butt@linux.dev, surenb@google.com,
syzkaller-bugs@googlegroups.com, vbabka@suse.cz
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in mas_walk
Date: Thu, 12 Feb 2026 15:55:38 -0500
Message-ID: <muuhcv22gzsr2a3g4lsu4zqsjkdbjqxn7bszh7r4nuqgq2oc5a@7jqpwr6v2vez>
In-Reply-To: <698e287a.a70a0220.2c38d7.009f.GAE@google.com>
* syzbot <syzbot+54245a237762e7cbecf0@syzkaller.appspotmail.com> [260212 14:22]:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 192c0159402e Merge tag 'powerpc-7.0-1' of git://git.kernel..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1304cc02580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=aaa1d655bee4457b
> dashboard link: https://syzkaller.appspot.com/bug?extid=54245a237762e7cbecf0
> compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d40ffa580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1704cc02580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/a42150718371/disk-192c0159.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/4cda72c184d0/vmlinux-192c0159.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/404b09fd74ca/bzImage-192c0159.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+54245a237762e7cbecf0@syzkaller.appspotmail.com
This looks like the mm is not reference counted correctly.
The maple tree has been destroyed via exit_mmap() while
do_user_addr_fault() is executing.
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in ma_dead_node lib/maple_tree.c:572 [inline]
> BUG: KASAN: slab-use-after-free in mte_dead_node lib/maple_tree.c:587 [inline]
> BUG: KASAN: slab-use-after-free in mas_start lib/maple_tree.c:1207 [inline]
This shows it is the root node that is incorrect (which is stored in the
mm_struct directly).
> BUG: KASAN: slab-use-after-free in mas_state_walk lib/maple_tree.c:3291 [inline]
> BUG: KASAN: slab-use-after-free in mas_walk+0x8cf/0x9b0 lib/maple_tree.c:4599
> Read of size 8 at addr ffff888078907400 by task syz.0.18/6008
>
> CPU: 0 UID: 0 PID: 6008 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0x156/0x4c9 mm/kasan/report.c:482
> kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
> ma_dead_node lib/maple_tree.c:572 [inline]
> mte_dead_node lib/maple_tree.c:587 [inline]
> mas_start lib/maple_tree.c:1207 [inline]
> mas_state_walk lib/maple_tree.c:3291 [inline]
> mas_walk+0x8cf/0x9b0 lib/maple_tree.c:4599
> lock_vma_under_rcu+0x101/0x5a0 mm/mmap_lock.c:253
> do_user_addr_fault+0x41f/0x12f0 arch/x86/mm/fault.c:1325
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> handle_page_fault arch/x86/mm/fault.c:1474 [inline]
> exc_page_fault+0x6f/0xd0 arch/x86/mm/fault.c:1527
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
> RIP: 0033:0x342000
> Code: Unable to access opcode bytes at 0x341fd6.
> RSP: 002b:000000000000000e EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00007ff2e4816090 RCX: 00007ff2e459bf79
> RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0002000020003b4a
> RBP: 00007ff2e46327e0 R08: 0000000000000103 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ff2e4816128 R14: 00007ff2e4816090 R15: 00007ffc4f622688
> </TASK>
>
> Allocated by task 5934:
> kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
> kasan_save_track+0x14/0x30 mm/kasan/common.c:78
> unpoison_slab_object mm/kasan/common.c:340 [inline]
> __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:366
> kasan_slab_alloc include/linux/kasan.h:253 [inline]
> slab_post_alloc_hook mm/slub.c:4953 [inline]
> slab_alloc_node mm/slub.c:5263 [inline]
> kmem_cache_alloc_noprof+0x2ad/0x780 mm/slub.c:5270
> mt_alloc_one lib/maple_tree.c:174 [inline]
> mas_dup_build lib/maple_tree.c:6299 [inline]
> __mt_dup+0x5a8/0xc20 lib/maple_tree.c:6382
> dup_mmap+0x36d/0x1e20 mm/mmap.c:1744
> dup_mm kernel/fork.c:1530 [inline]
> copy_mm kernel/fork.c:1582 [inline]
> copy_process+0x7371/0x79b0 kernel/fork.c:2223
> kernel_clone+0xfc/0x930 kernel/fork.c:2654
> __do_sys_clone+0xd9/0x120 kernel/fork.c:2795
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Freed by task 6003:
> kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
> kasan_save_track+0x14/0x30 mm/kasan/common.c:78
> kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584
> poison_slab_object mm/kasan/common.c:253 [inline]
> __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285
> kasan_slab_free include/linux/kasan.h:235 [inline]
> slab_free_hook mm/slub.c:2540 [inline]
> slab_free mm/slub.c:6674 [inline]
> kfree+0x1c7/0x690 mm/slub.c:6886
> mt_destroy_walk+0xc0a/0xfa0 lib/maple_tree.c:5028
> mte_destroy_walk lib/maple_tree.c:5049 [inline]
> mte_destroy_walk lib/maple_tree.c:5040 [inline]
> __mt_destroy+0x2d7/0x390 lib/maple_tree.c:6446
__mt_destroy() is called with rcu disabled because the last mm_struct
user should be gone.
exit_mmap() is only called when there are no mm users left, and then the
mm is write locked before removing the rcu protection on the tree.
It appears that somehow the fault has the mm without holding a reference
to it.
> exit_mmap+0x5d3/0xae0 mm/mmap.c:1312
> __mmput+0x12a/0x410 kernel/fork.c:1174
> mmput+0x67/0x80 kernel/fork.c:1197
> exit_mm kernel/exit.c:581 [inline]
> do_exit+0x78a/0x2a30 kernel/exit.c:959
> do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
> __do_sys_exit_group kernel/exit.c:1123 [inline]
> __se_sys_exit_group kernel/exit.c:1121 [inline]
> __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1121
> x64_sys_call+0x102c/0x1530 arch/x86/include/generated/asm/syscalls_64.h:232
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
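The lifetime rule the reply above relies on, as an added userspace model (example code written for this page; it is not kernel code and not anything posted in the thread): mm_users alone gates exit_mmap(), the tree is torn down synchronously once that count reaches zero, and a lockless walker that outlives its reference reads a node that is already gone. Every struct and function name here is a simplified stand-in for the kernel's mm_users, mmput(), exit_mmap(), __mt_destroy() and ma_dead_node(); the preempt hook is an assumption that makes the thread interleaving deterministic, and the users=1 scenario models the reply's suspicion of a missing reference, not a confirmed root cause.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <stdbool.h>

/* Model only (added example): simplified stand-ins for the kernel's mm_users,
 * mmput(), exit_mmap(), __mt_destroy() and ma_dead_node(). A maple-tree node
 * is dead once its parent pointer points at itself. */
struct ma_node {
    struct ma_node *parent;
    unsigned long start, end;        /* the one VMA this toy root covers */
};

struct mm {
    atomic_int mm_users;             /* the count that gates exit_mmap() */
    struct ma_node *_Atomic mt_root; /* root node, stored in the mm itself */
};

enum walk_result { WALK_FOUND, WALK_NO_VMA, WALK_DEAD_NODE };
static bool ma_dead_node(const struct ma_node *n) { return n->parent == n; }
/* The tree a forked child receives from dup_mmap()/__mt_dup(). */
static struct mm *mm_create(int users, unsigned long start, unsigned long end)
{
    struct mm *mm = calloc(1, sizeof *mm);
    struct ma_node *root = calloc(1, sizeof *root);
    root->start = start; root->end = end;
    atomic_init(&mm->mm_users, users);
    atomic_init(&mm->mt_root, root);
    return mm;
}

/* exit_mmap(): reached only from the final mmput(). The kernel write-locks the
 * mm, clears the root and frees the nodes at once (no RCU grace period) since
 * no user may remain. The model keeps the dead node's memory so the later
 * read stays observable instead of being undefined behaviour. */
static void exit_mmap(struct mm *mm)
{
    struct ma_node *root = atomic_exchange(&mm->mt_root, (struct ma_node *)NULL);
    root->parent = root;             /* mark dead; in the kernel kfree() follows */
}

static bool mmget_not_zero(struct mm *mm)
{
    int u = atomic_load(&mm->mm_users);
    while (u && !atomic_compare_exchange_weak(&mm->mm_users, &u, u + 1))
        ;
    return u != 0;
}

static void mmput(struct mm *mm)
{
    if (atomic_fetch_sub(&mm->mm_users, 1) == 1) exit_mmap(mm);
}

/* The lockless fault path (lock_vma_under_rcu() -> mas_walk()) takes no mmap
 * lock; only the faulting task's own mm reference keeps the tree alive.
 * 'preempt' stands in for the scheduler switching threads mid-walk. */
static enum walk_result fault_walk(struct mm *mm, unsigned long addr,
                                   void (*preempt)(struct mm *))
{
    struct ma_node *root = atomic_load(&mm->mt_root);   /* mas_root() */
    if (!root) return WALK_NO_VMA;
    if (preempt) preempt(mm);
    if (ma_dead_node(root)) return WALK_DEAD_NODE; /* the read KASAN flagged */
    return (addr >= root->start && addr < root->end) ? WALK_FOUND : WALK_NO_VMA;
}

/* A sibling thread in exit_group() drops its mm_users in exit_mm(). */
static void exiting_thread(struct mm *mm) { mmput(mm); }

/* Correct lifetime: the faulting thread holds its own reference (users=2),
 * so the exiter's mmput() cannot reach exit_mmap() underneath the walk. */
static enum walk_result scenario_refcounted(void)
{
    struct mm *mm = mm_create(2, 0x1000, 0x2000);
    enum walk_result r = fault_walk(mm, 0x1800, exiting_thread);
    mmput(mm);                       /* now the last user: tree torn down */
    return r;
}

/* What the reply suspects: the faulter has no reference of its own (users=1,
 * held by the exiter), so mmput() destroys the tree mid-walk. */
static enum walk_result scenario_unreferenced(void)
{
    struct mm *mm = mm_create(1, 0x1000, 0x2000);
    return fault_walk(mm, 0x1800, exiting_thread);
}

/* Code reaching an mm it does not own must pin it first and back off when
 * mm_users is already zero. */
static enum walk_result scenario_dead_mm(void)
{
    struct mm *mm = mm_create(1, 0x1000, 0x2000);
    mmput(mm);                       /* last user gone, tree destroyed */
    if (!mmget_not_zero(mm))
        return WALK_NO_VMA;          /* the mm is already dead */
    enum walk_result r = fault_walk(mm, 0x1800, NULL);
    mmput(mm);
    return r;
}
```

The three scenario functions return WALK_FOUND, WALK_DEAD_NODE and WALK_NO_VMA respectively; the middle one is the ordering behind the report, where ma_dead_node() is the first read of a node __mt_destroy() has already handed back to the slab, and the last one shows the mmget_not_zero() discipline that any path obtaining an mm from somewhere other than its own task must follow.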
Thread overview: 6+ messages
2026-02-12 19:22 syzbot
2026-02-12 20:55 ` Liam R. Howlett [this message]
2026-02-12 21:30 ` Suren Baghdasaryan
2026-02-13 2:52 ` Liam R. Howlett
2026-02-13 6:00 ` Suren Baghdasaryan
2026-02-13 17:53 ` Liam R. Howlett