From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
To: Suren Baghdasaryan <surenb@google.com>
Cc: syzbot <syzbot+54245a237762e7cbecf0@syzkaller.appspotmail.com>,
akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, lorenzo.stoakes@oracle.com,
shakeel.butt@linux.dev, syzkaller-bugs@googlegroups.com,
vbabka@suse.cz
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in mas_walk
Date: Fri, 13 Feb 2026 12:53:33 -0500
Message-ID: <tny76q4g6yvmc57feuphsrfnz65s7be3yrvj4x5xgjc7nxyhag@nsx7eu6ljudj>
In-Reply-To: <CAJuCfpEo-Lj1fetH5GtRX0q_jPP0c_VFgWgNBH3=pJ8Sza-8-Q@mail.gmail.com>
* Suren Baghdasaryan <surenb@google.com> [260213 01:00]:
> On Fri, Feb 13, 2026 at 2:53 AM Liam R. Howlett <Liam.Howlett@oracle.com> wrote:
> >
> > * Suren Baghdasaryan <surenb@google.com> [260212 16:31]:
> > > On Thu, Feb 12, 2026 at 12:56 PM Liam R. Howlett
> > > <Liam.Howlett@oracle.com> wrote:
> > > >
> > > > * syzbot <syzbot+54245a237762e7cbecf0@syzkaller.appspotmail.com> [260212 14:22]:
> > > > > Hello,
> > > > >
> > > > > syzbot found the following issue on:
> > > > >
> > > > > HEAD commit: 192c0159402e Merge tag 'powerpc-7.0-1' of git://git.kernel..
> > > > > git tree: upstream
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1304cc02580000
> > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=aaa1d655bee4457b
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=54245a237762e7cbecf0
> > > > > compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d40ffa580000
> > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1704cc02580000
> > > > >
> > > > > Downloadable assets:
> > > > > disk image: https://storage.googleapis.com/syzbot-assets/a42150718371/disk-192c0159.raw.xz
> > > > > vmlinux: https://storage.googleapis.com/syzbot-assets/4cda72c184d0/vmlinux-192c0159.xz
> > > > > kernel image: https://storage.googleapis.com/syzbot-assets/404b09fd74ca/bzImage-192c0159.xz
> > > > >
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+54245a237762e7cbecf0@syzkaller.appspotmail.com
> > > >
> > > > This looks like the mm is not reference counted correctly.
> > > >
> > > > The maple tree has been destroyed via exit_mmap() while
> > > > do_user_addr_fault() is executing.
> > > >
> > > > >
> > > > > ==================================================================
> > > > > BUG: KASAN: slab-use-after-free in ma_dead_node lib/maple_tree.c:572 [inline]
> > > > > BUG: KASAN: slab-use-after-free in mte_dead_node lib/maple_tree.c:587 [inline]
> > > > > BUG: KASAN: slab-use-after-free in mas_start lib/maple_tree.c:1207 [inline]
> > > >
> > > > This shows it is the root node that is incorrect (which is stored in the
> > > > mm_struct directly).
> > > >
> > > > > BUG: KASAN: slab-use-after-free in mas_state_walk lib/maple_tree.c:3291 [inline]
> > > > > BUG: KASAN: slab-use-after-free in mas_walk+0x8cf/0x9b0 lib/maple_tree.c:4599
> > > > > Read of size 8 at addr ffff888078907400 by task syz.0.18/6008
> > > > >
> > > > > CPU: 0 UID: 0 PID: 6008 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
> > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> > > > > Call Trace:
> > > > > <TASK>
> > > > > __dump_stack lib/dump_stack.c:94 [inline]
> > > > > dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
> > > > > print_address_description mm/kasan/report.c:378 [inline]
> > > > > print_report+0x156/0x4c9 mm/kasan/report.c:482
> > > > > kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
> > > > > ma_dead_node lib/maple_tree.c:572 [inline]
> > > > > mte_dead_node lib/maple_tree.c:587 [inline]
> > > > > mas_start lib/maple_tree.c:1207 [inline]
> > > > > mas_state_walk lib/maple_tree.c:3291 [inline]
> > > > > mas_walk+0x8cf/0x9b0 lib/maple_tree.c:4599
> > > > > lock_vma_under_rcu+0x101/0x5a0 mm/mmap_lock.c:253
> > > > > do_user_addr_fault+0x41f/0x12f0 arch/x86/mm/fault.c:1325
> > > >
> > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > >
> > > > > handle_page_fault arch/x86/mm/fault.c:1474 [inline]
> > > > > exc_page_fault+0x6f/0xd0 arch/x86/mm/fault.c:1527
> > > > > asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
> > > > > RIP: 0033:0x342000
> > > > > Code: Unable to access opcode bytes at 0x341fd6.
> > > > > RSP: 002b:000000000000000e EFLAGS: 00010246
> > > > > RAX: 0000000000000000 RBX: 00007ff2e4816090 RCX: 00007ff2e459bf79
> > > > > RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0002000020003b4a
> > > > > RBP: 00007ff2e46327e0 R08: 0000000000000103 R09: 0000000000000000
> > > > > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> > > > > R13: 00007ff2e4816128 R14: 00007ff2e4816090 R15: 00007ffc4f622688
> > > > > </TASK>
> > > > >
> > > > > Allocated by task 5934:
> > > > > kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
> > > > > kasan_save_track+0x14/0x30 mm/kasan/common.c:78
> > > > > unpoison_slab_object mm/kasan/common.c:340 [inline]
> > > > > __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:366
> > > > > kasan_slab_alloc include/linux/kasan.h:253 [inline]
> > > > > slab_post_alloc_hook mm/slub.c:4953 [inline]
> > > > > slab_alloc_node mm/slub.c:5263 [inline]
> > > > > kmem_cache_alloc_noprof+0x2ad/0x780 mm/slub.c:5270
> > > > > mt_alloc_one lib/maple_tree.c:174 [inline]
> > > > > mas_dup_build lib/maple_tree.c:6299 [inline]
> > > > > __mt_dup+0x5a8/0xc20 lib/maple_tree.c:6382
> > > > > dup_mmap+0x36d/0x1e20 mm/mmap.c:1744
> > > > > dup_mm kernel/fork.c:1530 [inline]
> > > > > copy_mm kernel/fork.c:1582 [inline]
> > > > > copy_process+0x7371/0x79b0 kernel/fork.c:2223
> > > > > kernel_clone+0xfc/0x930 kernel/fork.c:2654
> > > > > __do_sys_clone+0xd9/0x120 kernel/fork.c:2795
> > > > > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > > > > do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
> > > > > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > > > >
> > > > > Freed by task 6003:
> > > > > kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
> > > > > kasan_save_track+0x14/0x30 mm/kasan/common.c:78
> > > > > kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584
> > > > > poison_slab_object mm/kasan/common.c:253 [inline]
> > > > > __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285
> > > > > kasan_slab_free include/linux/kasan.h:235 [inline]
> > > > > slab_free_hook mm/slub.c:2540 [inline]
> > > > > slab_free mm/slub.c:6674 [inline]
> > > > > kfree+0x1c7/0x690 mm/slub.c:6886
> > > > > mt_destroy_walk+0xc0a/0xfa0 lib/maple_tree.c:5028
> > > > > mte_destroy_walk lib/maple_tree.c:5049 [inline]
> > > > > mte_destroy_walk lib/maple_tree.c:5040 [inline]
> > > > > __mt_destroy+0x2d7/0x390 lib/maple_tree.c:6446
> > > >
> > > > __mt_destroy() is called with rcu disabled because the last mm_struct
> > > > user should be gone.
> > > >
> > > > exit_mmap() is only called when there are no mm users left, and then the
> > > > mm is write locked before removing the rcu protection on the tree.
> > > >
> > > > It appears that somehow the fault has the mm without holding a reference
> > > > to it.
> > >
> > > I tried reproducing on my qemu with the same head commit, config and
> > > using C reproducer and it did not reproduce. I think the only
> > > difference I have is the GCC version I used. Mine is gcc (Debian
> > > 15.2.0-3) 15.2.0.
> > >
> >
> > I get futex issues before I see this issue - but it could be related.
> >
> > I was planning to add some debug tomorrow to see if I could figure it
> > out.
>
> Thanks Hillf!
> Makes sense. The reproducer does use PROCMAP_QUERY. The fix
> https://lore.kernel.org/all/20260212234050.03FC6C19421@smtp.kernel.org/
> did not reach Linus' tree yet.
Yes, thank you Hillf [1].
Happy to see it's already not a problem, and especially happy that I
don't need to dig deeper.
Cheers,
Liam
[1]. https://lore.kernel.org/all/20260213033815.3016-1-hdanton@sina.com/
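An added triage helper, not code from the thread or from the kernel tree: it pulls out the fields Liam reads off the KASAN report above (bug type, accessing task, and the first frame outside KASAN/allocator plumbing in the access, allocation and free stacks) and flags the case where the object was freed by a different task than the one that later touched it, which is the signature of the object-lifetime (mm refcount) problem he suspects. The sample input is a constructed abridgement of the report quoted in this thread.

```python
import re

# Constructed sample: an abridged copy of the syzbot KASAN report quoted above,
# keeping only the lines the parser needs (real reports carry many more frames).
SAMPLE = """\
BUG: KASAN: slab-use-after-free in ma_dead_node lib/maple_tree.c:572 [inline]
Read of size 8 at addr ffff888078907400 by task syz.0.18/6008
Call Trace:
 kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
 ma_dead_node lib/maple_tree.c:572 [inline]
 mas_walk+0x8cf/0x9b0 lib/maple_tree.c:4599
 lock_vma_under_rcu+0x101/0x5a0 mm/mmap_lock.c:253
 do_user_addr_fault+0x41f/0x12f0 arch/x86/mm/fault.c:1325
Allocated by task 5934:
 kmem_cache_alloc_noprof+0x2ad/0x780 mm/slub.c:5270
 __mt_dup+0x5a8/0xc20 lib/maple_tree.c:6382
 dup_mmap+0x36d/0x1e20 mm/mmap.c:1744
Freed by task 6003:
 kfree+0x1c7/0x690 mm/slub.c:6886
 mt_destroy_walk+0xc0a/0xfa0 lib/maple_tree.c:5028
 __mt_destroy+0x2d7/0x390 lib/maple_tree.c:6446
"""
FRAME = re.compile(r"^\s*([\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+:\d+)")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
OWNER = re.compile(r"^(Allocated|Freed) by task (\d+):")
# Frames that belong to KASAN or the allocator itself, not to the code under suspicion.
PLUMBING = ("kasan_", "__kasan", "dump_stack", "print_", "kfree", "kmem_cache_alloc", "slab_")

def parse_kasan(text):
    stacks = {"trace": [], "alloc": [], "free": []}
    info, cur = {}, None
    for line in text.splitlines():
        if line.startswith("BUG: KASAN:"):
            info.setdefault("bug", line.split("KASAN: ", 1)[1].split(" in ")[0])
        elif (m := ACCESS.match(line)):
            info.update(access=m[1], size=int(m[2]), addr=m[3], task=m[4], pid=int(m[5]))
        elif line.startswith("Call Trace:"):
            cur = "trace"
        elif (m := OWNER.match(line)):
            cur = "alloc" if m[1] == "Allocated" else "free"
            info[cur + "_pid"] = int(m[2])
        elif cur and (m := FRAME.match(line)):
            stacks[cur].append((m[1], m[2]))
    for key, frames in stacks.items():
        # First frame outside the plumbing: where the access, allocation or free really happened.
        info[key + "_frame"] = next((f for f in frames if not f[0].startswith(PLUMBING)), None)
        info[key] = [name for name, _ in frames]
    # Freed by a task other than the one that later touched it points at an object-lifetime
    # (refcounting) problem rather than a local bug; that is the pattern in this report.
    info["cross_task"] = info.get("free_pid") not in (None, info.get("pid"))
    return info
```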