syzbot

 sign-in | mailing list | source | docs
🐞 Open [115]
🐞 Fixed [1]
🐞 Invalid [163]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in ext4_find_extent (2)

Status: upstream: reported C repro on 2025/05/31 08:45
Bug presence: origin:lts
[Documentation on labels]
Reported-by: syzbot+869401e856e234844286@syzkaller.appspotmail.com
First crash: 7d07h, last: 7d07h
Bug presence (2)
Date Name Commit Repro Result
2025/06/01 lts (merge base) 02b72ccb5f9d C [report] KASAN: use-after-free Read in ext4_find_extent
2025/06/01 upstream (ToT) cd2e103d57e5 C Didn't crash
Similar bugs (11)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: use-after-free Read in ext4_find_extent C 2 15d 113d 0/2 upstream: reported C repro on 2025/02/13 21:05
android-5-10 KASAN: use-after-free Read in ext4_find_extent ext4 C error inconclusive 36 3d02h 894d 0/2 upstream: reported C repro on 2022/12/26 07:59
android-6-1 KASAN: use-after-free Read in ext4_find_extent missing-backport C error done 3 223d 720d 0/2 auto-obsoleted due to no activity on 2025/02/04 04:57
linux-5.15 KASAN: use-after-free Read in ext4_find_extent origin:lts-only C inconclusive 7 13d 689d 0/3 upstream: reported C repro on 2023/07/19 14:49
upstream KASAN: use-after-free Read in ext4_find_extent ext4 2 1326d 1387d 0/28 auto-closed as invalid on 2022/02/17 05:19
linux-6.1 KASAN: use-after-free Read in ext4_find_extent origin:upstream missing-backport C done 1 404d 627d 0/3 upstream: reported C repro on 2023/09/19 00:11
android-5-15 KASAN: use-after-free Read in ext4_find_extent ext4 origin:lts C error 13 6d10h 894d 0/2 upstream: reported C repro on 2022/12/26 07:59
upstream KASAN: use-after-free Read in ext4_find_extent (2) ext4 C error 2 764d 889d 22/28 fixed on 2023/06/08 14:41
upstream KASAN: use-after-free Read in ext4_find_extent (4) ext4 C done 48 11h55m 158d 0/28 upstream: reported C repro on 2024/12/30 20:06
upstream KASAN: use-after-free Read in ext4_find_extent (3) prio:low ext4 C error done 31 529d 710d 25/28 fixed on 2024/01/30 23:26
android-54 KASAN: slab-out-of-bounds Read in ext4_find_extent ext4 C 1 708d 894d 0/2 auto-obsoleted due to no activity on 2023/10/08 03:20

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:953
Read of size 4 at addr ffff88811744d018 by task kworker/u4:3/296

CPU: 0 PID: 296 Comm: kworker/u4:3 Not tainted 6.1.138-syzkaller-00046-gdb710ea87c32 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
 <TASK>
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0xee/0x150 lib/dump_stack.c:106
 print_address_description+0x71/0x210 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:427
 kasan_report+0x122/0x150 mm/kasan/report.c:531
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
 ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
 ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:953
 ext4_ext_map_blocks+0x1dc/0x6060 fs/ext4/extents.c:4165
 ext4_map_blocks+0x9cb/0x1b60 fs/ext4/inode.c:679
 mpage_map_one_extent fs/ext4/inode.c:2435 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2488 [inline]
 ext4_writepages+0x1260/0x3020 fs/ext4/inode.c:2856
 do_writepages+0x3a9/0x5e0 mm/page-writeback.c:2494
 __writeback_single_inode+0xc6/0xad0 fs/fs-writeback.c:1612
 writeback_sb_inodes+0x9b8/0x1550 fs/fs-writeback.c:1903
 wb_writeback+0x3f1/0x980 fs/fs-writeback.c:2079
 wb_do_writeback fs/fs-writeback.c:2226 [inline]
 wb_workfn+0x350/0xda0 fs/fs-writeback.c:2266
 process_one_work+0x71f/0xc40 kernel/workqueue.c:2299
 worker_thread+0xa29/0x11f0 kernel/workqueue.c:2446
 kthread+0x281/0x320 kernel/kthread.c:386
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

The buggy address belongs to the physical page:
page:ffffea00045d1340 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11744d
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea00045d1348 ffffea00045d1348 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff88811744cf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811744cf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88811744d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff88811744d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811744d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_ext_split:1080: inode #15: comm kworker/u4:3: p_ext > EXT_MAX_EXTENT!
EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 1

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/05/31 08:37 android14-6.1 db710ea87c32 3d2f584d .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/05/31 08:03 android14-6.1 db710ea87c32 3d2f584d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
* Struck through repros no longer work on HEAD.