| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2025/06/01 | lts (merge base) | 02b72ccb5f9d | C | [report] KASAN: use-after-free Read in ext4_find_extent |
| 2025/06/01 | upstream (ToT) | cd2e103d57e5 | C | Didn't crash |
syzbot |
sign-in | mailing list | source | docs |
| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2025/06/01 | lts (merge base) | 02b72ccb5f9d | C | [report] KASAN: use-after-free Read in ext4_find_extent |
| 2025/06/01 | upstream (ToT) | cd2e103d57e5 | C | Didn't crash |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2026/02/01 04:45 | 6m | retest repro | android14-6.1 | report log | |
| 2026/02/01 04:45 | 30m | retest repro | android14-6.1 | report log | |
| 2026/02/01 04:45 | 40m | retest repro | android14-6.1 | report log | |
| 2026/02/01 04:45 | 19m | retest repro | android14-6.1 | report log | |
| 2026/02/01 04:45 | 7m | retest repro | android14-6.1 | report log | |
| 2026/01/15 01:26 | 15m | retest repro | android14-6.1 | report log | |
| 2026/01/15 01:26 | 19m | retest repro | android14-6.1 | report log | |
| 2025/12/16 08:24 | 6m | retest repro | android14-6.1 | report log | |
| 2025/12/16 08:24 | 1h15m | retest repro | android14-6.1 | report log |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2025/07/31 06:27 | 1h21m | bisect fix | android14-6.1 | OK (0) job log log | |
| 2025/06/30 20:17 | 1h08m | bisect fix | android14-6.1 | OK (0) job log log |
================================================================== BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline] BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:953 Read of size 4 at addr ffff88812edefe18 by task kworker/u4:3/326 CPU: 1 PID: 326 Comm: kworker/u4:3 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: writeback wb_workfn (flush-7:2) Call Trace: <TASK> __dump_stack+0x21/0x24 lib/dump_stack.c:88 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106 print_address_description+0x71/0x200 mm/kasan/report.c:316 print_report+0x4a/0x60 mm/kasan/report.c:420 kasan_report+0x122/0x150 mm/kasan/report.c:524 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350 ext4_ext_binsearch fs/ext4/extents.c:837 [inline] ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:953 ext4_ext_map_blocks+0x207/0x61d0 fs/ext4/extents.c:4166 ext4_map_blocks+0x9d8/0x1b70 fs/ext4/inode.c:679 mpage_map_one_extent fs/ext4/inode.c:2435 [inline] mpage_map_and_submit_extent fs/ext4/inode.c:2488 [inline] ext4_writepages+0x1409/0x30e0 fs/ext4/inode.c:2856 do_writepages+0x3a4/0x5f0 mm/page-writeback.c:2494 __writeback_single_inode+0xc6/0xad0 fs/fs-writeback.c:1622 writeback_sb_inodes+0xa10/0x15d0 fs/fs-writeback.c:1913 wb_writeback+0x40b/0x9d0 fs/fs-writeback.c:2089 wb_do_writeback fs/fs-writeback.c:2236 [inline] wb_workfn+0x378/0xeb0 fs/fs-writeback.c:2276 process_one_work+0x71f/0xc40 kernel/workqueue.c:2302 worker_thread+0xa29/0x11e0 kernel/workqueue.c:2449 kthread+0x281/0x320 kernel/kthread.c:386 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> The buggy address belongs to the physical page: page:ffffea0004bb7bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12edef flags: 0x4000000000000000(zone=1) raw: 4000000000000000 ffffea0004bb5748 ffffea0004bb7b48 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 380, tgid 380 (syz-executor), ts 28979855549, free_ts 29045941344 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2643 prep_new_page+0x1c/0x110 mm/page_alloc.c:2650 get_page_from_freelist+0x2d12/0x2d80 mm/page_alloc.c:4554 __alloc_pages+0x1d9/0x480 mm/page_alloc.c:5868 __folio_alloc+0x12/0x40 mm/page_alloc.c:5900 __folio_alloc_node include/linux/gfp.h:245 [inline] folio_alloc include/linux/gfp.h:274 [inline] alloc_page_vma include/linux/gfp.h:283 [inline] wp_page_copy+0x2a3/0x15a0 mm/memory.c:3210 do_wp_page+0x9f2/0xfc0 mm/memory.c:-1 handle_pte_fault mm/memory.c:5189 [inline] __handle_mm_fault mm/memory.c:5313 [inline] handle_mm_fault+0x1124/0x26c0 mm/memory.c:5453 do_user_addr_fault+0x905/0x1050 arch/x86/mm/fault.c:1323 handle_page_fault arch/x86/mm/fault.c:1466 [inline] exc_page_fault+0x51/0xb0 arch/x86/mm/fault.c:1522 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1551 [inline] free_pcp_prepare mm/page_alloc.c:1625 [inline] free_unref_page_prepare+0x742/0x750 mm/page_alloc.c:3589 free_unref_page_list+0x117/0x8c0 mm/page_alloc.c:3740 release_pages+0xaf2/0xb50 mm/swap.c:1048 free_pages_and_swap_cache+0x86/0xa0 mm/swap_state.c:315 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline] tlb_flush_mmu_free mm/mmu_gather.c:254 [inline] tlb_flush_mmu mm/mmu_gather.c:261 [inline] tlb_finish_mmu+0x1aa/0x370 mm/mmu_gather.c:361 exit_mmap+0x412/0xc10 mm/mmap.c:3384 __mmput+0x93/0x360 kernel/fork.c:1309 mmput+0x4b/0x150 kernel/fork.c:1333 exit_mm kernel/exit.c:568 [inline] do_exit+0x994/0x2660 kernel/exit.c:873 do_group_exit+0x210/0x2d0 kernel/exit.c:1028 __do_sys_exit_group kernel/exit.c:1039 [inline] __se_sys_exit_group kernel/exit.c:1037 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1037 x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Memory state around the buggy address: ffff88812edefd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88812edefd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88812edefe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88812edefe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88812edeff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop2): ext4_map_blocks:745: inode #15: comm kworker/u4:3: lblock 0 mapped to illegal pblock 0 (length 1) EXT4-fs (loop2): Remounting filesystem read-only EXT4-fs error (device loop2): ext4_map_blocks:745: inode #15: block 71748523475265: comm kworker/u4:3: lblock 0 mapped to illegal pblock 71748523475265 (length 1) EXT4-fs (loop2): Remounting filesystem read-only EXT4-fs error (device loop2): ext4_map_blocks:745: inode #15: block 512: comm kworker/u4:3: lblock 0 mapped to illegal pblock 512 (length 1) EXT4-fs (loop2): Remounting filesystem read-only EXT4-fs error (device loop2): ext4_map_blocks:745: inode #15: block 118173431786593: comm kworker/u4:3: lblock 0 mapped to illegal pblock 118173431786593 (length 1) EXT4-fs (loop2): Remounting filesystem read-only EXT4-fs error (device loop2): ext4_map_blocks:745: inode #15: block 1653562406152: comm kworker/u4:3: lblock 0 mapped to illegal pblock 1653562406152 (length 1) EXT4-fs (loop2): Remounting filesystem read-only EXT4-fs error (device loop2): ext4_map_blocks:745: inode #15: block 126969739568179: comm kworker/u4:3: lblock 0 mapped to illegal pblock 126969739568179 (length 1) EXT4-fs (loop2): Remounting filesystem read-only EXT4-fs error (device loop2): ext4_map_blocks:745: inode #15: block 161344741474247: comm kworker/u4:3: lblock 0 mapped to illegal pblock 161344741474247 (length 1) EXT4-fs (loop2): Remounting filesystem read-only EXT4-fs error (device loop2): ext4_map_blocks:745: inode #15: block 71748523475265: comm kworker/u4:3: lblock 0 mapped to illegal pblock 71748523475265 (length 1) EXT4-fs (loop2): Remounting filesystem read-only
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/02/05 08:55 | android14-6.1 | 775f23d50ca8 | ea10c935 | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2026/01/17 19:05 | android14-6.1 | f8a5ad1fcf13 | 20d37d28 | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/10/24 04:04 | android14-6.1 | 22c0b7236c43 | c0460fcd | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/10/24 03:23 | android14-6.1 | 22c0b7236c43 | c0460fcd | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/10/24 02:37 | android14-6.1 | 22c0b7236c43 | c0460fcd | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/09/29 02:17 | android14-6.1 | 5303560ee8cf | 001c9061 | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/09/03 14:52 | android14-6.1 | 79ccb6ecf51e | 96a211bc | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/08/03 17:31 | android14-6.1 | 3b4ff5af8d36 | 7368264b | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/05/31 08:37 | android14-6.1 | db710ea87c32 | 3d2f584d | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/11/22 21:09 | android14-6.1 | eba111621724 | 4fb8ef37 | .config | console log | report | syz / log | [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/12/30 18:59 | android14-6.1 | 5e6db7045704 | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/12/30 18:59 | android14-6.1 | 5e6db7045704 | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/12/30 18:58 | android14-6.1 | 5e6db7045704 | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/12/30 18:57 | android14-6.1 | 5e6db7045704 | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/12/01 12:36 | android14-6.1 | a92da54b7708 | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/11/30 15:55 | android14-6.1 | a92da54b7708 | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/09/14 09:34 | android14-6.1 | 0429b7af308c | e2beed91 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/08/28 01:48 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/08/28 01:48 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/08/28 01:46 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/08/28 01:46 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/05/31 08:03 | android14-6.1 | db710ea87c32 | 3d2f584d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |