syzbot

 sign-in | mailing list | source | docs
🐞 Open [126]
🐞 Fixed [2]
🐞 Invalid [225]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in ext4_find_extent (2)

Status: upstream: reported C repro on 2025/05/31 08:45
Bug presence: origin:lts
[Documentation on labels]
Reported-by: syzbot+869401e856e234844286@syzkaller.appspotmail.com
First crash: 272d, last: 17h29m
Bug presence (2)
Date Name Commit Repro Result
2025/06/01 lts (merge base) 02b72ccb5f9d C [report] KASAN: use-after-free Read in ext4_find_extent
2025/06/01 upstream (ToT) cd2e103d57e5 C Didn't crash
Similar bugs (12)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: use-after-free Read in ext4_find_extent 19 C 2 280d 378d 0/2 upstream: reported C repro on 2025/02/13 21:05
android-5-10 KASAN: use-after-free Read in ext4_find_extent ext4 19 C error inconclusive 97 1h29m 1159d 0/2 upstream: reported C repro on 2022/12/26 07:59
android-6-1 KASAN: use-after-free Read in ext4_find_extent missing-backport 19 C error done 3 488d 985d 0/2 auto-obsoleted due to no activity on 2025/02/04 04:57
linux-5.15 KASAN: use-after-free Read in ext4_find_extent origin:lts-only 19 C inconclusive 7 18d 953d 0/3 upstream: reported C repro on 2023/07/19 14:49
linux-6.6 KASAN: use-after-free Read in ext4_find_extent origin:upstream 19 C error 8 62d 63d 0/2 upstream: reported C repro on 2025/12/25 19:30
upstream KASAN: use-after-free Read in ext4_find_extent ext4 19 2 1591d 1652d 0/29 auto-closed as invalid on 2022/02/17 05:19
linux-6.1 KASAN: use-after-free Read in ext4_find_extent origin:upstream missing-backport 19 C done 64 6d10h 892d 0/3 upstream: reported C repro on 2023/09/19 00:11
android-5-15 KASAN: use-after-free Read in ext4_find_extent ext4 origin:lts 19 C error 117 3d13h 1159d 0/2 upstream: reported C repro on 2022/12/26 07:59
upstream KASAN: use-after-free Read in ext4_find_extent (2) ext4 19 C error 2 1029d 1154d 22/29 fixed on 2023/06/08 14:41
upstream KASAN: use-after-free Read in ext4_find_extent (4) ext4 19 C done 268 4h58m 423d 0/29 upstream: reported C repro on 2024/12/30 20:06
upstream KASAN: use-after-free Read in ext4_find_extent (3) prio:low ext4 19 C error done 31 794d 975d 25/29 fixed on 2024/01/30 23:26
android-54 KASAN: slab-out-of-bounds Read in ext4_find_extent ext4 17 C 1 973d 1159d 0/2 auto-obsoleted due to no activity on 2023/10/08 03:20
Last patch testing requests (9)
Created Duration User Patch Repo Result
2026/02/01 04:45 6m retest repro android14-6.1 report log
2026/02/01 04:45 30m retest repro android14-6.1 report log
2026/02/01 04:45 40m retest repro android14-6.1 report log
2026/02/01 04:45 19m retest repro android14-6.1 report log
2026/02/01 04:45 7m retest repro android14-6.1 report log
2026/01/15 01:26 15m retest repro android14-6.1 report log
2026/01/15 01:26 19m retest repro android14-6.1 report log
2025/12/16 08:24 6m retest repro android14-6.1 report log
2025/12/16 08:24 1h15m retest repro android14-6.1 report log
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2025/07/31 06:27 1h21m bisect fix android14-6.1 OK (0) job log log
2025/06/30 20:17 1h08m bisect fix android14-6.1 OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:953
Read of size 4 at addr ffff88812fd13018 by task kworker/u4:2/43

CPU: 1 PID: 43 Comm: kworker/u4:2 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: writeback wb_workfn (flush-7:2)
Call Trace:
 <TASK>
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 print_address_description+0x71/0x200 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:420
 kasan_report+0x122/0x150 mm/kasan/report.c:524
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
 ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
 ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:953
 ext4_ext_map_blocks+0x207/0x61d0 fs/ext4/extents.c:4166
 ext4_map_blocks+0x9d8/0x1b70 fs/ext4/inode.c:679
 mpage_map_one_extent fs/ext4/inode.c:2435 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2488 [inline]
 ext4_writepages+0x1409/0x30e0 fs/ext4/inode.c:2856
 do_writepages+0x3a4/0x5f0 mm/page-writeback.c:2494
 __writeback_single_inode+0xc6/0xad0 fs/fs-writeback.c:1622
 writeback_sb_inodes+0xa10/0x15d0 fs/fs-writeback.c:1913
 wb_writeback+0x40b/0x9d0 fs/fs-writeback.c:2089
 wb_do_writeback fs/fs-writeback.c:2236 [inline]
 wb_workfn+0x378/0xeb0 fs/fs-writeback.c:2276
 process_one_work+0x71f/0xc40 kernel/workqueue.c:2302
 worker_thread+0xa29/0x11e0 kernel/workqueue.c:2449
 kthread+0x281/0x320 kernel/kthread.c:386
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0004bf44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12fd13
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0004bf44c8 ffffea0004bf44c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff88812fd12f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812fd12f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88812fd13000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^

Crashes (29):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/02/26 16:51 android14-6.1 6bfa51973214 ffa54287 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2026/02/23 16:46 android14-6.1 34c1a8e17200 6beca497 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2026/02/16 11:10 android14-6.1 edbe3e111301 1e62d198 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2026/02/15 18:42 android14-6.1 edbe3e111301 1e62d198 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2026/02/05 08:55 android14-6.1 775f23d50ca8 ea10c935 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2026/01/17 19:05 android14-6.1 f8a5ad1fcf13 20d37d28 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/10/24 04:04 android14-6.1 22c0b7236c43 c0460fcd .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/10/24 03:23 android14-6.1 22c0b7236c43 c0460fcd .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/10/24 02:37 android14-6.1 22c0b7236c43 c0460fcd .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/09/29 02:17 android14-6.1 5303560ee8cf 001c9061 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/09/03 14:52 android14-6.1 79ccb6ecf51e 96a211bc .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/08/03 17:31 android14-6.1 3b4ff5af8d36 7368264b .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/05/31 08:37 android14-6.1 db710ea87c32 3d2f584d .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/11/22 21:09 android14-6.1 eba111621724 4fb8ef37 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2026/02/20 15:56 android14-6.1 edbe3e111301 17d780d6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2026/02/12 06:48 android14-6.1 edbe3e111301 76a109e2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2026/02/12 06:48 android14-6.1 edbe3e111301 76a109e2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/12/30 18:59 android14-6.1 5e6db7045704 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/12/30 18:59 android14-6.1 5e6db7045704 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/12/30 18:58 android14-6.1 5e6db7045704 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/12/30 18:57 android14-6.1 5e6db7045704 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/12/01 12:36 android14-6.1 a92da54b7708 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/11/30 15:55 android14-6.1 a92da54b7708 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/09/14 09:34 android14-6.1 0429b7af308c e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/08/28 01:48 android14-6.1 47b374a18638 e12e5ba4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/08/28 01:48 android14-6.1 47b374a18638 e12e5ba4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/08/28 01:46 android14-6.1 47b374a18638 e12e5ba4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/08/28 01:46 android14-6.1 47b374a18638 e12e5ba4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
2025/05/31 08:03 android14-6.1 db710ea87c32 3d2f584d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 KASAN: use-after-free Read in ext4_find_extent
* Struck through repros no longer work on HEAD.