syzbot

 sign-in | mailing list | source | docs
🐞 Open [1578]
Subsystems
🐞 Fixed [6251]
🐞 Invalid [15827]
Missing Backports [185]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: use-after-free Read in ext4_find_extent (4)

Status: upstream: reported C repro on 2024/12/30 20:06
Subsystems: ext4
[Documentation on labels]
Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com
First crash: 148d, last: 2d22h
Cause bisection: introduced by (bisect log) :
commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9
Author: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Date: Sat Mar 25 08:13:39 2023 +0000

  ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()

Crash: KASAN: use-after-free Read in ext4_ext_remove_space (log)
Repro: C syz .config
  
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) 1 (3) 2025/03/28 17:10
Similar bugs (10)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: use-after-free Read in ext4_find_extent C 2 1d02h 99d 0/2 upstream: reported C repro on 2025/02/13 21:05
android-5-10 KASAN: use-after-free Read in ext4_find_extent ext4 C error inconclusive 34 6d00h 879d 0/2 upstream: reported C repro on 2022/12/26 07:59
android-6-1 KASAN: use-after-free Read in ext4_find_extent missing-backport C error done 3 208d 705d 0/2 auto-obsoleted due to no activity on 2025/02/04 04:57
linux-5.15 KASAN: use-after-free Read in ext4_find_extent origin:lts-only C inconclusive 7 16d 674d 0/3 upstream: reported C repro on 2023/07/19 14:49
upstream KASAN: use-after-free Read in ext4_find_extent ext4 2 1311d 1372d 0/28 auto-closed as invalid on 2022/02/17 05:19
linux-6.1 KASAN: use-after-free Read in ext4_find_extent origin:upstream missing-backport C done 1 389d 612d 0/3 upstream: reported C repro on 2023/09/19 00:11
android-5-15 KASAN: use-after-free Read in ext4_find_extent ext4 origin:lts C error 12 13d 879d 0/2 upstream: reported C repro on 2022/12/26 07:59
upstream KASAN: use-after-free Read in ext4_find_extent (2) ext4 C error 2 750d 874d 22/28 fixed on 2023/06/08 14:41
upstream KASAN: use-after-free Read in ext4_find_extent (3) prio:low ext4 C error done 31 514d 696d 25/28 fixed on 2024/01/30 23:26
android-54 KASAN: slab-out-of-bounds Read in ext4_find_extent ext4 C 1 693d 879d 0/2 auto-obsoleted due to no activity on 2023/10/08 03:20
Last patch testing requests (6)
Created Duration User Patch Repo Result
2025/03/10 06:06 21m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/03/10 06:06 21m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/03/10 06:06 21m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/03/10 06:06 21m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/03/10 06:06 23m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/01/09 20:52 1h28m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:955
Read of size 4 at addr ffff8880305a84d0 by task syz-executor203/6176

CPU: 0 UID: 0 PID: 6176 Comm: syz-executor203 Not tainted 6.15.0-rc7-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xb4/0x290 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:955
 ext4_ext_map_blocks+0x26f/0x67c0 fs/ext4/extents.c:4205
 ext4_map_create_blocks fs/ext4/inode.c:520 [inline]
 ext4_map_blocks+0x807/0x1740 fs/ext4/inode.c:706
 _ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:785
 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:818
 ext4_block_write_begin+0x546/0x1290 fs/ext4/inode.c:1067
 ext4_write_begin+0x6f6/0x12c0 fs/ext4/ext4_jbd2.h:-1
 ext4_da_write_begin+0x33a/0xa60 fs/ext4/inode.c:2932
 generic_perform_write+0x2c4/0x910 mm/filemap.c:4103
 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299
 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1
 new_sync_write fs/read_write.c:591 [inline]
 vfs_write+0x54b/0xa90 fs/read_write.c:684
 ksys_pwrite64 fs/read_write.c:791 [inline]
 __do_sys_pwrite64 fs/read_write.c:799 [inline]
 __se_sys_pwrite64 fs/read_write.c:796 [inline]
 __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:796
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe0cfa1ecc9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 1d 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe0cf1c3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007fe0cfaa64a8 RCX: 00007fe0cfa1ecc9
RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000005
RBP: 00007fe0cfaa64a0 R08: 00007fe0cf1c36c0 R09: 0000000000000000
R10: 000000000000fecc R11: 0000000000000246 R12: 00007fe0cfaa64ac
R13: 000000000000000b R14: 00007ffe9ef5be70 R15: 00007ffe9ef5bf58
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880305a83c0 pfn:0x305a8
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f0(buddy)
raw: 00fff00000000000 ffffea0000c8c788 ffffea0000cbaf88 0000000000000000
raw: ffff8880305a83c0 0000000000000000 00000000f0000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 2, tgid 2 (kthreadd), ts 102490701319, free_ts 104374540589
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1d8/0x230 mm/page_alloc.c:1714
 prep_new_page mm/page_alloc.c:1722 [inline]
 get_page_from_freelist+0x21c7/0x22a0 mm/page_alloc.c:3684
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4966
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2301
 alloc_frozen_pages_noprof mm/mempolicy.c:2372 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2392
 vm_area_alloc_pages mm/vmalloc.c:3592 [inline]
 __vmalloc_area_node mm/vmalloc.c:3670 [inline]
 __vmalloc_node_range_noprof+0x8fe/0x12c0 mm/vmalloc.c:3845
 __vmalloc_node_noprof+0x7d/0x90 mm/vmalloc.c:3908
 alloc_thread_stack_node kernel/fork.c:314 [inline]
 dup_task_struct+0x3e7/0x860 kernel/fork.c:1137
 copy_process+0x544/0x3b80 kernel/fork.c:2260
 kernel_clone+0x224/0x7f0 kernel/fork.c:2845
 kernel_thread+0x10c/0x160 kernel/fork.c:2907
 create_kthread kernel/kthread.c:487 [inline]
 kthreadd+0x575/0x770 kernel/kthread.c:847
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 5908 tgid 5908 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1258 [inline]
 __free_frozen_pages+0xb05/0xcd0 mm/page_alloc.c:2721
 vfree+0x1a6/0x330 mm/vmalloc.c:3384
 delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3304
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17a0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff8880305a8380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880305a8400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880305a8480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff8880305a8500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880305a8580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (44):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/05/19 10:06 upstream a5806cd506af f41472b0 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/05/08 04:32 upstream 707df3375124 dbf35fa1 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/05/02 01:30 upstream 4f79eaa2ceac 51b137cd .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/03/27 12:48 upstream 1e1ba8d23dae 20510e88 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/02/23 19:10 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a1c24ab82279 d34966d1 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/02/23 14:46 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a1c24ab82279 d34966d1 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro #1 (corrupt fs)] [mounted in repro #2 (corrupt fs)] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/02/23 13:39 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a1c24ab82279 d34966d1 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro #1 (corrupt fs)] [mounted in repro #2 (corrupt fs)] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/02/23 12:35 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a1c24ab82279 d34966d1 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro #1 (corrupt fs)] [mounted in repro #2 (corrupt fs)] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/02/23 11:31 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a1c24ab82279 d34966d1 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro #1 (corrupt fs)] [mounted in repro #2 (corrupt fs)] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2024/12/26 20:29 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 573067a5a685 d3ccff63 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/05/21 01:16 upstream a5806cd506af b47f9e02 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro #1 (corrupt fs)] [mounted in repro #2 (corrupt fs)] ci2-upstream-fs KASAN: slab-out-of-bounds Read in ext4_find_extent
2025/05/19 23:03 upstream a5806cd506af b84f0537 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/05/19 15:21 upstream a5806cd506af b84f0537 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/05/14 14:57 upstream 9f35e33144ae a4fa04ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/05/10 04:42 upstream 3013c33dcbd9 77908e5f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in ext4_find_extent
2025/04/16 10:06 upstream 1a1d569a75f3 23b969b7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in ext4_find_extent
2025/04/16 10:06 upstream 1a1d569a75f3 23b969b7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in ext4_find_extent
2025/04/15 21:23 upstream 1a1d569a75f3 23b969b7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/04/07 05:18 upstream 16cd1c265776 1c65791e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in ext4_find_extent
2025/04/06 23:27 upstream 16cd1c265776 1c65791e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in ext4_find_extent
2025/03/31 05:42 upstream aa918db707fb d3999433 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/03/27 05:50 upstream 1e1ba8d23dae 20510e88 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/03/10 17:09 upstream 80e54e84911a 16256247 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/02/20 16:48 upstream 87a132e73910 50668798 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/02/16 06:37 upstream 496659003dac 40a34ec9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_find_extent
2025/04/16 05:31 upstream 1a1d569a75f3 a95239b1 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ext4_find_extent
2025/03/26 15:11 upstream 1e26c5e28ca5 19e40f48 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ext4_find_extent
2025/03/21 15:40 upstream b3ee1e460951 62330552 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ext4_find_extent
2025/04/07 23:06 linux-next a4cda136f021 a2ada0e7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in ext4_find_extent
2025/05/01 23:59 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci e0f4c8dd9d2d 51b137cd .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/04/28 10:35 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c72692105976 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/04/27 04:44 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c72692105976 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/04/26 00:08 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c72692105976 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/04/10 03:43 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 2fe2b96c3818 988b336c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/03/15 20:52 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a5618886fdab e2826670 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/03/13 16:40 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 78e3fd2b7e4b 44be8b44 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/02/24 05:53 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a1c24ab82279 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/02/24 05:53 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a1c24ab82279 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2024/12/26 19:55 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 573067a5a685 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2025/05/14 21:34 upstream 1a80a098c606 a4fa04ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in ext4_find_extent
2025/05/09 01:39 upstream 2c89c1b655c0 bb813bcc .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in ext4_find_extent
2025/03/21 01:46 upstream 5fc319360819 62330552 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in ext4_find_extent
2025/03/15 10:08 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a5618886fdab e2826670 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in ext4_find_extent
2025/01/15 17:56 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6251d1776bc5 7315a7cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in ext4_find_extent
* Struck through repros no longer work on HEAD.