| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2025/06/01 | lts (merge base) | 02b72ccb5f9d | C | [report] KASAN: use-after-free Read in ext4_find_extent |
| 2025/06/01 | upstream (ToT) | cd2e103d57e5 | C | Didn't crash |

| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2026/04/09 20:02 | 7m | retest repro | | android14-6.1 | report log |
| 2026/04/09 20:02 | 6m | retest repro | | android14-6.1 | report log |
| 2026/04/09 20:02 | 7m | retest repro | | android14-6.1 | report log |
| 2026/04/09 20:02 | 16m | retest repro | | android14-6.1 | report log |
| 2026/04/09 20:02 | 12m | retest repro | | android14-6.1 | report log |
| 2026/03/23 08:39 | 8m | retest repro | | android14-6.1 | report log |
| 2026/03/23 08:39 | 7m | retest repro | | android14-6.1 | report log |
| 2026/03/23 08:39 | 6m | retest repro | | android14-6.1 | report log |
| 2026/03/23 08:39 | 9m | retest repro | | android14-6.1 | report log |

| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2025/07/31 06:27 | 1h21m | bisect fix | | android14-6.1 | OK (0) job log log |
| 2025/06/30 20:17 | 1h08m | bisect fix | | android14-6.1 | OK (0) job log log |

WARNING: The mand mount option has been deprecated and
and is ignored by this kernel. Remove the mand
option from the mount to silence this warning.
=======================================================
EXT4-fs: Ignoring removed oldalloc option
EXT4-fs: Ignoring removed orlov option
EXT4-fs (loop2): mounted filesystem without journal. Quota mode: writeback.
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:953
Read of size 4 at addr ffff88812fa1a018 by task syz.2.17/362
CPU: 0 PID: 362 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
print_address_description+0x71/0x200 mm/kasan/report.c:316
print_report+0x4a/0x60 mm/kasan/report.c:420
kasan_report+0x122/0x150 mm/kasan/report.c:524
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:953
ext4_ext_remove_space+0x2de/0x40d0 fs/ext4/extents.c:2834
ext4_punch_hole+0x77c/0xbd0 fs/ext4/inode.c:4147
ext4_fallocate+0x2b6/0x1dc0 fs/ext4/extents.c:4767
vfs_fallocate+0x4c5/0x5a0 fs/open.c:324
ioctl_preallocate fs/ioctl.c:290 [inline]
file_ioctl fs/ioctl.c:333 [inline]
do_vfs_ioctl+0x19cb/0x1cd0 fs/ioctl.c:849
__do_sys_ioctl fs/ioctl.c:868 [inline]
__se_sys_ioctl+0x9f/0x1b0 fs/ioctl.c:856
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:856
x64_sys_call+0x58b/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fed5259c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd9d148998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fed52815fa0 RCX: 00007fed5259c799
RDX: 00002000000000c0 RSI: 0000000040305829 RDI: 0000000000000005
RBP: 00007fed52632c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fed52815fac R14: 00007fed52815fa0 R15: 00007fed52815fa0
</TASK>
The buggy address belongs to the physical page:
page:ffffea0004be8680 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12fa1a
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0004be8688 ffffea0004be8688 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
ffff88812fa19f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88812fa19f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88812fa1a000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88812fa1a080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88812fa1a100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
------------[ cut here ]------------
kernel BUG at fs/ext4/extents.c:3190!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 362 Comm: syz.2.17 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:ext4_split_extent_at+0xf62/0xf80 fs/ext4/extents.c:3190
Code: ff ff 44 89 f1 80 e1 07 fe c1 38 c1 0f 8c 3f fb ff ff 4c 89 f7 49 89 f7 e8 9b b7 cf ff 4c 89 fe e9 2c fb ff ff e8 4e 7b 8a ff <0f> 0b e8 47 7b 8a ff 0f 0b e8 40 7b 8a ff 0f 0b e8 39 7b 8a ff 0f
RSP: 0018:ffffc900007a74c0 EFLAGS: 00010293
RAX: ffffffff81e6f382 RBX: 0000000000000000 RCX: ffff8881130b0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000041
RBP: ffffc900007a7630 R08: 0000000000000000 R09: 0000000050000028
R10: dffffc0000000000 R11: fffffbfff0f6e4fd R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8881149b1100
FS: 000055556dd21500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000020000000f000 CR3: 000000010ed76000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_force_split_extent_at fs/ext4/extents.c:338 [inline]
ext4_ext_remove_space+0x652/0x40d0 fs/ext4/extents.c:2881
ext4_punch_hole+0x77c/0xbd0 fs/ext4/inode.c:4147
ext4_fallocate+0x2b6/0x1dc0 fs/ext4/extents.c:4767
vfs_fallocate+0x4c5/0x5a0 fs/open.c:324
ioctl_preallocate fs/ioctl.c:290 [inline]
file_ioctl fs/ioctl.c:333 [inline]
do_vfs_ioctl+0x19cb/0x1cd0 fs/ioctl.c:849
__do_sys_ioctl fs/ioctl.c:868 [inline]
__se_sys_ioctl+0x9f/0x1b0 fs/ioctl.c:856
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:856
x64_sys_call+0x58b/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fed5259c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd9d148998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fed52815fa0 RCX: 00007fed5259c799
RDX: 00002000000000c0 RSI: 0000000040305829 RDI: 0000000000000005
RBP: 00007fed52632c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fed52815fac R14: 00007fed52815fa0 R15: 00007fed52815fa0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_split_extent_at+0xf62/0xf80 fs/ext4/extents.c:3190
Code: ff ff 44 89 f1 80 e1 07 fe c1 38 c1 0f 8c 3f fb ff ff 4c 89 f7 49 89 f7 e8 9b b7 cf ff 4c 89 fe e9 2c fb ff ff e8 4e 7b 8a ff <0f> 0b e8 47 7b 8a ff 0f 0b e8 40 7b 8a ff 0f 0b e8 39 7b 8a ff 0f
RSP: 0018:ffffc900007a74c0 EFLAGS: 00010293
RAX: ffffffff81e6f382 RBX: 0000000000000000 RCX: ffff8881130b0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000041
RBP: ffffc900007a7630 R08: 0000000000000000 R09: 0000000050000028
R10: dffffc0000000000 R11: fffffbfff0f6e4fd R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8881149b1100
FS: 000055556dd21500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc50ba1f000 CR3: 000000010ed76000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/03/26 18:36 | android14-6.1 | c0665c721df9 | 766b6434 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2026/02/26 16:51 | android14-6.1 | 6bfa51973214 | ffa54287 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2026/02/23 16:46 | android14-6.1 | 34c1a8e17200 | 6beca497 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2026/02/16 11:10 | android14-6.1 | edbe3e111301 | 1e62d198 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2026/02/15 18:42 | android14-6.1 | edbe3e111301 | 1e62d198 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2026/02/05 08:55 | android14-6.1 | 775f23d50ca8 | ea10c935 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2026/01/17 19:05 | android14-6.1 | f8a5ad1fcf13 | 20d37d28 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/10/24 04:04 | android14-6.1 | 22c0b7236c43 | c0460fcd | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/10/24 03:23 | android14-6.1 | 22c0b7236c43 | c0460fcd | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/10/24 02:37 | android14-6.1 | 22c0b7236c43 | c0460fcd | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/09/29 02:17 | android14-6.1 | 5303560ee8cf | 001c9061 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/09/03 14:52 | android14-6.1 | 79ccb6ecf51e | 96a211bc | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/08/03 17:31 | android14-6.1 | 3b4ff5af8d36 | 7368264b | .config | strace log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/05/31 08:37 | android14-6.1 | db710ea87c32 | 3d2f584d | .config | strace log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/11/22 21:09 | android14-6.1 | eba111621724 | 4fb8ef37 | .config | console log | report | syz / log | | | [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2026/03/26 18:05 | android14-6.1 | c0665c721df9 | 766b6434 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2026/03/08 15:12 | android14-6.1 | 6bfa51973214 | 5cb44a80 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2026/02/20 15:56 | android14-6.1 | edbe3e111301 | 17d780d6 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2026/02/12 06:48 | android14-6.1 | edbe3e111301 | 76a109e2 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2026/02/12 06:48 | android14-6.1 | edbe3e111301 | 76a109e2 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/12/30 18:59 | android14-6.1 | 5e6db7045704 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/12/30 18:59 | android14-6.1 | 5e6db7045704 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/12/30 18:58 | android14-6.1 | 5e6db7045704 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/12/30 18:57 | android14-6.1 | 5e6db7045704 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/12/01 12:36 | android14-6.1 | a92da54b7708 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/11/30 15:55 | android14-6.1 | a92da54b7708 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/09/14 09:34 | android14-6.1 | 0429b7af308c | e2beed91 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/08/28 01:48 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/08/28 01:48 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/08/28 01:46 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/08/28 01:46 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |
| 2025/05/31 08:03 | android14-6.1 | db710ea87c32 | 3d2f584d | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |