Re: [syzbot] [lsm?] KASAN: slab-use-after-free Read in security_inode_follow_link

Next message: Pratik Vishwakarma: "[PATCH] x86/CPU/AMD: Add family 0x1a models 0xd0 through 0xef"
Previous message: Rosen Penev: "[PATCH] tty: serial: mpc52xx_uart: add bounds check for psc_num array index"
In reply to: syzbot: "Forwarded: [PATCH] bpf: defer bpffs symlink inode freeing until RCU grace period"
Next in thread: syzbot: "Re: [syzbot] [lsm?] KASAN: slab-use-after-free Read in security_inode_follow_link"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hillf Danton

Date: Sat May 30 2026 - 02:14:48 EST

> Date: Fri, 29 May 2026 13:01:28 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: eb3f4b7426cf Merge tag 'nfsd-7.1-2' of git://git.kernel.or..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17dae52e580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=8118209836970b54
> dashboard link: https://syzkaller.appspot.com/bug?extid=0962e3a1af6d5e26a52c
> compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14427ed2580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=109e452e580000

#syz test

--- x/fs/namei.c
+++ y/fs/namei.c
@@ -5561,7 +5561,6 @@ retry_deleg:
goto exit_drop_write;
}
inode = dentry->d_inode;
- ihold(inode);
error = security_path_unlink(&path, dentry);
if (error)
goto exit_end_dirop;
@@ -5569,7 +5568,6 @@ retry_deleg:
dentry, &delegated_inode);
exit_end_dirop:
end_dirop(dentry);
- iput(inode); /* truncate the inode here */
if (is_delegated(&delegated_inode)) {
error = break_deleg_wait(&delegated_inode);
if (!error)
--