Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in d_alloc_parallel

Next message: Pankaj Gupta: "Re: [PATCH v6 04/12] nvdimm: virtio_pmem: stop allocating child flush bio"
Previous message: Yousef Alhouseen: "[PATCH] drm/amdgpu: reject mapping info for unmapped BOs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jann Horn

Date: Wed Jun 24 2026 - 13:22:05 EST

On Sat, Jun 20, 2026 at 1:56 AM syzbot
<syzbot+bcc49cd0a89969bb101a@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
> BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
> Read of size 1 at addr ffff8880273bb728 by task kworker/u8:2/1377
>
> CPU: 1 UID: 0 PID: 1377 Comm: kworker/u8:2 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
> Call Trace:
> <TASK>
> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
> print_address_description+0x55/0x1e0 mm/kasan/report.c:378
> print_report+0x58/0x70 mm/kasan/report.c:482
> kasan_report+0x117/0x150 mm/kasan/report.c:595
> __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
> kasan_check_byte include/linux/kasan.h:402 [inline]
> lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5844
> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
> _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
> rt_mutex_slowunlock+0xbf/0x8b0 kernel/locking/rtmutex.c:1430
> spin_unlock include/linux/spinlock_rt.h:109 [inline]
> d_alloc_parallel+0x103d/0x1630 fs/dcache.c:2826

This is another case where a spinlock is dropped on a dentry kept
alive by RCU in an RT kernel.

#syz dup: [syzbot] [fs?] KASAN: slab-use-after-free Read in shrink_dcache_tree