[BUG] KASAN: slab-use-after-free Write in __schedule

From: Huang Forrest

Date: Fri May 15 2026 - 11:59:24 EST

Hello,

I found the following issue with syzkaller on:

HEAD commit:    7aaa8047eafd (HEAD -> master, tag: v7.0-rc6, origin/master, origin/HEAD) Linux 7.0-rc6.
git tree:       https://github.com/torvalds/linux.git master
console output: https://gist.githubusercontent.com/Forest-kernel/56b58d242f61b58d42365ae9e0248108/raw/96ea65abd6b8dc53a269b74323e2f977229bde03/gistfile1.txt
kernel config:  https://gist.githubusercontent.com/Forest-kernel/354e7c56522ab60f29c8b96e7429e2e3/raw/97bb1e7d6f9406da5bd07e999c3634f250a5db0c/config.txt
dashboard link: N/A for local dashboard
compiler:       gcc (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0
userspace arch: x86_64


I don't have any reproducer for this issue yet.

Suspected root cause:

I suspect this is mainly a lifetime / teardown ordering issue between process exit and the scheduler’s mm_cid path, with io_uring exit making the race easier to hit.

The faulting task is in schedule_timeout ->wait_for_common, waiting on io_wq_put_and_exit / io_uring_clean_tctx as part of do_exit. The freed object was released earlier via exit_mmap → tear_down_vmas, then kfree through RCU (timer softirq), while another path was still tearing down the same mm around exit_group / mmput.

The root cause may be that VMA/mm teardown (including RCU-deferred free) and mm_cid tear-down in context_switch are not properly synchronized—so when io_uring waits for workers during exit and the task schedules, mm_cid still touches memory that tear_down_vmas has already freed.


The following full report also in https://gist.githubusercontent.com/Forest-kernel/9b9a1f117dfcd5459ba7d0dfa8868c90/raw/a75ad4d79d4458245a9cf259a934345faac9d7ec/report

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_write include/linux/instrumented.h:97 [inline]
BUG: KASAN: slab-use-after-free in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
BUG: KASAN: slab-use-after-free in mm_drop_cid kernel/sched/sched.h:3812 [inline]
BUG: KASAN: slab-use-after-free in mm_cid_schedout kernel/sched/sched.h:3995 [inline]
BUG: KASAN: slab-use-after-free in mm_cid_switch_to kernel/sched/sched.h:4002 [inline]
BUG: KASAN: slab-use-after-free in context_switch kernel/sched/core.c:5287 [inline]
BUG: KASAN: slab-use-after-free in __schedule+0x22fa/0x3ee0 kernel/sched/core.c:6911
Write of size 8 at addr ffff88811bb6cf10 by task syz.6.886/14441

CPU: 4 UID: 0 PID: 14441 Comm: syz.6.886 Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xce/0x610 mm/kasan/report.c:482
 kasan_report+0xce/0x100 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:194 [inline]
 kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200
 instrument_atomic_write include/linux/instrumented.h:97 [inline]
 clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
 mm_drop_cid kernel/sched/sched.h:3812 [inline]
 mm_cid_schedout kernel/sched/sched.h:3995 [inline]
 mm_cid_switch_to kernel/sched/sched.h:4002 [inline]
 context_switch kernel/sched/core.c:5287 [inline]
 __schedule+0x22fa/0x3ee0 kernel/sched/core.c:6911
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x79/0x2e0 kernel/sched/core.c:7008
 schedule_timeout+0x217/0x250 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:100 [inline]
 __wait_for_common+0x2ab/0x3e0 kernel/sched/completion.c:121
 io_wq_exit_workers io_uring/io-wq.c:1367 [inline]
 io_wq_put_and_exit+0x24d/0x720 io_uring/io-wq.c:1398
 io_uring_clean_tctx+0xfa/0x170 io_uring/tctx.c:222
 io_uring_cancel_generic+0x65d/0x8c0 io_uring/cancel.c:650
 io_uring_files_cancel include/linux/io_uring.h:20 [inline]
 do_exit+0x34c/0x28e0 kernel/exit.c:916
 do_group_exit+0xc7/0x280 kernel/exit.c:1118
 get_signal+0x20d2/0x2150 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x7a0 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x6b/0x4c0 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x46d/0x580 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0125a4777d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0124486fa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000142
RAX: fffffffffffffff8 RBX: 00007f0125cd5fa0 RCX: 00007f0125a4777d
RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000005
RBP: 00007f0125ae4d74 R08: 0000000000001100 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0125cd6038 R14: 00007f0125cd5fa0 R15: 00007f0124467000
 </TASK>

Allocated by task 14190 on cpu 1 at 62.890762s:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:57
 kasan_save_track+0x17/0x60 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:415
 kmalloc_noprof include/linux/slab.h:950 [inline]
 slab_free_hook mm/slub.c:2637 [inline]
 slab_free mm/slub.c:6165 [inline]
 kmem_cache_free+0x245/0x3d0 mm/slub.c:6295
 tear_down_vmas+0x182/0x3a0 mm/mmap.c:1264
 exit_mmap+0x37f/0x800 mm/mmap.c:1322
 __mmput kernel/fork.c:1175 [inline]
 mmput+0x6c/0x320 kernel/fork.c:1198
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x7c1/0x28e0 kernel/exit.c:964
 do_group_exit+0xc7/0x280 kernel/exit.c:1118
 __do_sys_exit_group kernel/exit.c:1129 [inline]
 __se_sys_exit_group kernel/exit.c:1127 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1127
 x64_sys_call+0x16cd/0x1760 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfc/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 144 on cpu 1 at 62.899562s:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:57
 kasan_save_track+0x17/0x60 mm/kasan/common.c:78
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x43/0x70 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x137/0x3b0 mm/slub.c:6483
 slab_free_after_rcu_debug+0x5d/0x1f0 mm/slub.c:6217
 rcu_do_batch kernel/rcu/tree.c:2617 [inline]
 rcu_core+0x521/0x1820 kernel/rcu/tree.c:2869
 handle_softirqs+0x1b8/0x640 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xab/0xe0 kernel/softirq.c:723
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0x6c/0x80 arch/x86/kernel/apic/apic.c:1056
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697

Last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:57
 kasan_record_aux_stack+0x8c/0xa0 mm/kasan/generic.c:556
 __call_rcu_common.constprop.0+0x71/0x9f0 kernel/rcu/tree.c:3131
 tear_down_vmas+0x182/0x3a0 mm/mmap.c:1264
 exit_mmap+0x37f/0x800 mm/mmap.c:1322
 __mmput kernel/fork.c:1175 [inline]
 mmput+0x6c/0x320 kernel/fork.c:1198
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x7c1/0x28e0 kernel/exit.c:964
 do_group_exit+0xc7/0x280 kernel/exit.c:1118
 __do_sys_exit_group kernel/exit.c:1129 [inline]
 __se_sys_exit_group kernel/exit.c:1127 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1127
 x64_sys_call+0x16cd/0x1760 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfc/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88811bb6cf00
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 16 bytes inside of
 freed 32-byte region [ffff88811bb6cf00, ffff88811bb6cf20)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11bb6c
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff888100042780 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000400040 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88811bb6ce00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
 ffff88811bb6ce80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
>ffff88811bb6cf00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
                         ^
 ffff88811bb6cf80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
 ffff88811bb6d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
netlink: 'syz.8.887': attribute type 32 has an invalid length.
FAT-fs (loop0): error, fat_free_clusters: deleting FAT entry beyond EOF
FAT-fs (loop0): Filesystem has been set read-only
FAT-fs (loop0): error, fat_get_cluster: invalid start cluster (i_pos 0, start 00006c6c)
FAT-fs (loop0): error, fat_get_cluster: invalid start cluster (i_pos 0, start 00006c6c)

Thanks,
Forrest021