* [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir
@ 2025-10-02 0:10 syzbot
2025-10-02 5:09 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr syzbot
` (21 more replies)
0 siblings, 22 replies; 46+ messages in thread
From: syzbot @ 2025-10-02 0:10 UTC (permalink / raw)
To: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso
Hello,
syzbot found the following issue on:
HEAD commit: 50c19e20ed2e Merge tag 'nolibc-20250928-for-6.18-1' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15bd8092580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ee1d7eda39c03d2c
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14f30a7c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1109e942580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-50c19e20.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/33a22a854fe0/vmlinux-50c19e20.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e68f79994eb8/bzImage-50c19e20.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/921fccc3cfcf/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=16c42092580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
Read of size 1 at addr ffff8880528ccb57 by task syz.0.24/5691
CPU: 0 UID: 0 PID: 5691 Comm: syz.0.24 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621
__ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542
ext4_lookup_entry fs/ext4/namei.c:1703 [inline]
ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771
lookup_open fs/namei.c:3774 [inline]
open_last_lookups fs/namei.c:3895 [inline]
path_openat+0x1101/0x3830 fs/namei.c:4131
do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f807b98eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f807c806038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f807bbe6090 RCX: 00007f807b98eec9
RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c
RBP: 00007f807ba11f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f807bbe6128 R14: 00007f807bbe6090 R15: 00007ffea28141a8
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fe26f59e pfn:0x528cc
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea00014a3348 ffffea00014a3208 0000000000000000
raw: 00000007fe26f59e 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 5688, tgid 5688 (rm), ts 112106822009, free_ts 112155145845
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
folio_prealloc+0x30/0x180 mm/memory.c:-1
alloc_anon_folio mm/memory.c:4997 [inline]
do_anonymous_page mm/memory.c:5054 [inline]
do_pte_missing mm/memory.c:4232 [inline]
handle_pte_fault mm/memory.c:6052 [inline]
__handle_mm_fault+0x2ab9/0x5440 mm/memory.c:6195
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 5688 tgid 5688 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
free_unref_folios+0xdbd/0x1520 mm/page_alloc.c:2952
folios_put_refs+0x559/0x640 mm/swap.c:999
free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:264
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
exit_mmap+0x44c/0xb50 mm/mmap.c:1293
__mmput+0x118/0x430 kernel/fork.c:1130
exit_mm+0x1da/0x2c0 kernel/exit.c:582
do_exit+0x648/0x2300 kernel/exit.c:949
do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8880528cca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880528cca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880528ccb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880528ccb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880528ccc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 46+ messages in thread* Forwarded: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot @ 2025-10-02 5:09 ` syzbot 2025-10-02 6:18 ` Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage syzbot ` (20 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 5:09 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Add bounds validation for inline directory xattr data to prevent use-after-free when accessing corrupted filesystems. ext4_find_inline_entry() performs two directory searches: first in the i_block area, then in the extended attribute (xattr) area of the inode. When calculating inline_start for the xattr area via ext4_get_inline_xattr_pos(), the function trusts the e_value_offs field from disk without validating the resulting pointer stays within the inode's boundaries. A corrupted filesystem can craft a malicious e_value_offs value that causes inline_start to point outside the inode's allocated space, potentially into freed memory. When ext4_search_dir() attempts to access this invalid pointer, it results in a KASAN use-after-free. Fix this by validating that inline_start and inline_start + inline_size remain within the inode's boundaries before calling ext4_search_dir(). Return -EFSCORRUPTED if the bounds check fails. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inline.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c index 1b094a4f3866..28ac90a8d5a2 100644 --- a/fs/ext4/inline.c +++ b/fs/ext4/inline.c @@ -1617,7 +1617,15 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc); inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE; - + void *inode_start = ext4_raw_inode(&is.iloc); + void *inode_end = inode_start + EXT4_INODE_SIZE(dir->i_sb); + + if (inline_start < inode_start || + inline_start >= inode_end || + inline_start + inline_size > inode_end) { + ret = -EFSCORRUPTED; + goto out; + } ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size, dir, fname, 0, res_dir); if (ret == 1) -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot 2025-10-02 5:09 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr syzbot @ 2025-10-02 6:18 ` syzbot 2025-10-02 6:28 ` syzbot ` (19 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 6:18 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject system.data xattr with external inode storage Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting malformed inline directory xattr entries during validation. ext4 uses the system.data xattr to store inline directory entries within the inode. This xattr must always use inline storage (e_value_inum == 0). However, a corrupted filesystem can craft a system.data xattr entry with e_value_inum != 0, bypassing the existing validation in check_xattrs() which only validates e_value_offs when e_value_inum == 0. Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos() reads the corrupt e_value_offs and calculates an inline_start pointer that can point outside the inode buffer, potentially into freed memory. When ext4_search_dir() attempts to access this invalid pointer, it results in a KASAN use-after-free. Fix this by explicitly validating that system.data xattr entries always have e_value_inum == 0 in check_xattrs(). This catches the corruption at validation time during inode load, before the corrupt pointer can be used. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/xattr.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 5a6fe1513fd2..a9057d0f9e24 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -251,6 +251,13 @@ check_xattrs(struct inode *inode, struct buffer_head *bh, err_str = "invalid ea_ino"; goto errout; } + if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM && + entry->e_name_len == sizeof(EXT4_XATTR_SYSTEM_DATA) - 1 && + !memcmp(entry->e_name, EXT4_XATTR_SYSTEM_DATA, entry->e_name_len) && + ea_ino != 0) { + err_str = "system.data xattr cannot use external inode storage"; + goto errout; + } if (size > EXT4_XATTR_SIZE_MAX) { err_str = "e_value size too large"; goto errout; -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot 2025-10-02 5:09 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr syzbot 2025-10-02 6:18 ` Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage syzbot @ 2025-10-02 6:28 ` syzbot 2025-10-02 9:38 ` syzbot ` (18 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 6:28 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject system.data xattr with external inode storage Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting malformed inline directory xattr entries during validation. ext4 uses the system.data xattr to store inline directory entries within the inode. This xattr must always use inline storage (e_value_inum == 0). However, a corrupted filesystem can craft a system.data xattr entry with e_value_inum != 0, bypassing the existing validation in check_xattrs() which only validates e_value_offs when e_value_inum == 0. Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos() reads the corrupt e_value_offs and calculates an inline_start pointer that can point outside the inode buffer, potentially into freed memory. When ext4_search_dir() attempts to access this invalid pointer, it results in a KASAN use-after-free. Fix this by explicitly validating that system.data xattr entries always have e_value_inum == 0 in check_xattrs(). This catches the corruption at validation time during inode load, before the corrupt pointer can be used. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/xattr.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 5a6fe1513fd2..8680f649ea7e 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -251,6 +251,13 @@ check_xattrs(struct inode *inode, struct buffer_head *bh, err_str = "invalid ea_ino"; goto errout; } + if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM && + entry->e_name_len == 4 && + !memcmp(entry->e_name, "data", 4) && + ea_ino != 0) { + err_str = "system.data xattr cannot use external inode storage"; + goto errout; + } if (size > EXT4_XATTR_SIZE_MAX) { err_str = "e_value size too large"; goto errout; -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (2 preceding siblings ...) 2025-10-02 6:28 ` syzbot @ 2025-10-02 9:38 ` syzbot 2025-10-02 10:01 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero syzbot ` (17 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 9:38 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject system.data xattr with external inode storage Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inline directory xattr entries that claim to use external inode storage. ext4 uses the system.data xattr to store inline directory entries within the inode. When an inode has the EXT4_INODE_INLINE_DATA flag set, the system.data xattr must use inline storage (e_value_inum == 0). However, a corrupted filesystem can craft a system.data xattr entry with e_value_inum != 0, creating an inconsistency. The existing validation in check_xattrs() skips e_value_offs validation when e_value_inum != 0, allowing a corrupt e_value_offs to pass through unchecked. Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos() reads the corrupt e_value_offs and calculates an inline_start pointer that can point outside the inode buffer, potentially into freed memory. When ext4_search_dir() attempts to access this invalid pointer, it results in a KASAN use-after-free. Fix this by validating in check_xattrs() that if an inode has the inline data flag set, the system.data xattr entry must have e_value_inum == 0. This enforces the consistency between the inode flag and xattr storage type, catching the corruption at validation time during inode load before the corrupt pointer can be used. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/xattr.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 8680f649ea7e..827f2b6175d0 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *bh, struct ext4_xattr_entry *e = entry; int err = -EFSCORRUPTED; char *err_str; - + printk(KERN_WARNING "ext_check_xattrs: entered in function\n"); if (bh) { if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || BHDR(bh)->h_blocks != cpu_to_le32(1)) { @@ -251,12 +251,18 @@ check_xattrs(struct inode *inode, struct buffer_head *bh, err_str = "invalid ea_ino"; goto errout; } - if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM && - entry->e_name_len == 4 && - !memcmp(entry->e_name,"data", 4) && - ea_ino != 0) { + if (ext4_has_inline_data(inode) && ea_ino != 0) { err_str = "system.data xattr cannot use external inode storage"; - goto errout; + goto errout; + } + if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM && + entry->e_name_len == 4 && + !memcmp(entry->e_name, "data", 4)) { + printk(KERN_ERR "Found system.data xattr: ea_ino=%lu\n", ea_ino); + if (ext4_has_inline_data(inode) && ea_ino != 0) { + err_str = "system.data xattr cannot use external inode storage"; + goto errout; + } } if (size > EXT4_XATTR_SIZE_MAX) { err_str = "e_value size too large"; -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (3 preceding siblings ...) 2025-10-02 9:38 ` syzbot @ 2025-10-02 10:01 ` syzbot 2025-10-02 22:57 ` syzbot ` (16 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 10:01 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize == 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inode.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..d76800c65317 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5417,6 +5417,12 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize == 0) { + if (ext4_has_inline_data(inode)) { + ext4_error_inode(inode, function, line, 0, + "inline data flag set but i_extra_isize is zero"); + ret = -EFSCORRUPTED; + goto bad_inode; + } /* The extra space is currently unused. Use it. */ BUILD_BUG_ON(sizeof(struct ext4_inode) & 3); ei->i_extra_isize = sizeof(struct ext4_inode) - -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (4 preceding siblings ...) 2025-10-02 10:01 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero syzbot @ 2025-10-02 22:57 ` syzbot 2025-10-02 23:54 ` Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage syzbot ` (15 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 22:57 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize == 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- Changes in v2: - Use ext4_test_inode_flag() instead of ext4_has_inline_data() as suggested by Theodore Ts'o, since i_inline_off is not yet initialized at this point in ext4_iget() --- fs/ext4/inode.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..fe30d4192c7d 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5417,6 +5417,12 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize == 0) { + if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) { + ext4_error_inode(inode, function, line, 0, + "inline data flag set but i_extra_isize is zero"); + ret = -EFSCORRUPTED; + goto bad_inode; + } /* The extra space is currently unused. Use it. */ BUILD_BUG_ON(sizeof(struct ext4_inode) & 3); ei->i_extra_isize = sizeof(struct ext4_inode) - -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (5 preceding siblings ...) 2025-10-02 22:57 ` syzbot @ 2025-10-02 23:54 ` syzbot 2025-10-03 0:23 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr syzbot ` (14 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 23:54 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject system.data xattr with external inode storage Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inline directory xattr entries that claim to use external inode storage. ext4 uses the "system.data" xattr to store inline directory entries within the inode. When an inode has the EXT4_INODE_INLINE_DATA flag set, the system.data xattr must use inline storage (e_value_inum == 0). However, a corrupted filesystem can craft a system.data xattr entry with e_value_inum != 0, creating an inconsistency. The existing validation in check_xattrs() skips e_value_offs validation when e_value_inum != 0, allowing a corrupt e_value_offs to pass through unchecked. Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos() reads the corrupt e_value_offs and calculates an inline_start pointer that can point outside the inode buffer, potentially into freed memory. When ext4_search_dir() attempts to access this invalid pointer, it results in a KASAN use-after-free. Fix this by validating in check_xattrs() that if an inode has the inline data flag set, the system.data xattr entry must have e_value_inum == 0. This enforces the consistency between the inode flag and xattr storage type, catching the corruption at validation time during inode load before the corrupt pointer can be used. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inode.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..d082fff675ac 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5417,6 +5417,12 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize == 0) { + if (ext4_has_inline_data(inode)) { + ext4_error_inode(inode, function, line, 0, + "inline data flag set but i_extra_isize is zero"); + ret = -EFSCORRUPTED; + goto bad_inode; + } /* The extra space is currently unused. Use it. */ BUILD_BUG_ON(sizeof(struct ext4_inode) & 3); ei->i_extra_isize = sizeof(struct ext4_inode) - -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (6 preceding siblings ...) 2025-10-02 23:54 ` Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage syzbot @ 2025-10-03 0:23 ` syzbot 2025-10-03 1:07 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero syzbot ` (13 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 0:23 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Add bounds validation for inline directory xattr data to prevent use-after-free when accessing corrupted filesystems. ext4_find_inline_entry() performs two directory searches: first in the i_block area, then in the extended attribute (xattr) area of the inode. When calculating inline_start for the xattr area via ext4_get_inline_xattr_pos(), the function trusts the e_value_offs field from disk without validating the resulting pointer stays within the inode's boundaries. A corrupted filesystem can craft a malicious e_value_offs value that causes inline_start to point outside the inode's allocated space, potentially into freed memory. When ext4_search_dir() attempts to access this invalid pointer, it results in a KASAN use-after-free. Fix this by validating that inline_start and inline_start + inline_size remain within the inode's boundaries before calling ext4_search_dir(). Return -EFSCORRUPTED if the bounds check fails. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inline.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c index 1b094a4f3866..28ac90a8d5a2 100644 --- a/fs/ext4/inline.c +++ b/fs/ext4/inline.c @@ -1617,7 +1617,15 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc); inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE; - + void *inode_start = ext4_raw_inode(&is.iloc); + void *inode_end = inode_start + EXT4_INODE_SIZE(dir->i_sb); + + if (inline_start < inode_start || + inline_start >= inode_end || + inline_start + inline_size > inode_end) { + ret = -EFSCORRUPTED; + goto out; + } ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size, dir, fname, 0, res_dir); if (ret == 1) -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (7 preceding siblings ...) 2025-10-03 0:23 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr syzbot @ 2025-10-03 1:07 ` syzbot 2025-10-03 1:40 ` syzbot ` (12 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 1:07 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize == 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inode.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..8682ee8f1e50 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5414,6 +5414,13 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_sync_tid = tid; ei->i_datasync_tid = tid; } + if (EXT4_INODE_SIZE(inode->i_sb) < EXT4_GOOD_OLD_INODE_SIZE) { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has less data"); + if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) { + ext4_error_inode(inode, function, line, 0, "wow! this inode is line"); + } + } if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize == 0) { @@ -5422,6 +5429,8 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_extra_isize = sizeof(struct ext4_inode) - EXT4_GOOD_OLD_INODE_SIZE; } else { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has reached ext4 iget"); ret = ext4_iget_extra_inode(inode, raw_inode, ei); if (ret) goto bad_inode; -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (8 preceding siblings ...) 2025-10-03 1:07 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero syzbot @ 2025-10-03 1:40 ` syzbot 2025-10-03 2:02 ` syzbot ` (11 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 1:40 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize == 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inode.c | 13 ++++++++++++- fs/ext4/xattr.c | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..257e9b1c6416 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5099,7 +5099,8 @@ static inline int ext4_iget_extra_inode(struct inode *inode, if (EXT4_INODE_HAS_XATTR_SPACE(inode) && *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { int err; - + ext4_error_inode(inode, "ext4_iget_extra_inode", 5102, 0, + "wow this inode has extra space"); err = xattr_check_inode(inode, IHDR(inode, raw_inode), ITAIL(inode, raw_inode)); if (err) @@ -5112,6 +5113,7 @@ static inline int ext4_iget_extra_inode(struct inode *inode, return err; } else EXT4_I(inode)->i_inline_off = 0; + return 0; } @@ -5414,6 +5416,13 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_sync_tid = tid; ei->i_datasync_tid = tid; } + if (EXT4_INODE_SIZE(inode->i_sb) < EXT4_GOOD_OLD_INODE_SIZE) { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has less data"); + if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) { + ext4_error_inode(inode, function, line, 0, "wow! this inode is line"); + } + } if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize == 0) { @@ -5422,6 +5431,8 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_extra_isize = sizeof(struct ext4_inode) - EXT4_GOOD_OLD_INODE_SIZE; } else { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has reached ext4 iget"); ret = ext4_iget_extra_inode(inode, raw_inode, ei); if (ret) goto bad_inode; diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 5a6fe1513fd2..9b4a6978b313 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *bh, struct ext4_xattr_entry *e = entry; int err = -EFSCORRUPTED; char *err_str; - + ext4_error_inode(inode, "check_xattrs", 198, 0, "wow! we are in check_xattrs"); if (bh) { if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || BHDR(bh)->h_blocks != cpu_to_le32(1)) { -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (9 preceding siblings ...) 2025-10-03 1:40 ` syzbot @ 2025-10-03 2:02 ` syzbot 2025-10-03 3:02 ` syzbot ` (10 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 2:02 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize == 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inode.c | 13 ++++++++++++- fs/ext4/xattr.c | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..257e9b1c6416 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5099,7 +5099,8 @@ static inline int ext4_iget_extra_inode(struct inode *inode, if (EXT4_INODE_HAS_XATTR_SPACE(inode) && *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { int err; - + ext4_error_inode(inode, "ext4_iget_extra_inode", 5102, 0, + "wow this inode has extra space"); err = xattr_check_inode(inode, IHDR(inode, raw_inode), ITAIL(inode, raw_inode)); if (err) @@ -5112,6 +5113,7 @@ static inline int ext4_iget_extra_inode(struct inode *inode, return err; } else EXT4_I(inode)->i_inline_off = 0; + return 0; } @@ -5414,6 +5416,13 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_sync_tid = tid; ei->i_datasync_tid = tid; } + if (EXT4_INODE_SIZE(inode->i_sb) < EXT4_GOOD_OLD_INODE_SIZE) { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has less data"); + if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) { + ext4_error_inode(inode, function, line, 0, "wow! this inode is line"); + } + } if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize == 0) { @@ -5422,6 +5431,8 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_extra_isize = sizeof(struct ext4_inode) - EXT4_GOOD_OLD_INODE_SIZE; } else { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has reached ext4 iget"); ret = ext4_iget_extra_inode(inode, raw_inode, ei); if (ret) goto bad_inode; diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 5a6fe1513fd2..9b4a6978b313 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *bh, struct ext4_xattr_entry *e = entry; int err = -EFSCORRUPTED; char *err_str; - + ext4_error_inode(inode, "check_xattrs", 198, 0, "wow! we are in check_xattrs"); if (bh) { if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || BHDR(bh)->h_blocks != cpu_to_le32(1)) { -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (10 preceding siblings ...) 2025-10-03 2:02 ` syzbot @ 2025-10-03 3:02 ` syzbot 2025-10-03 3:16 ` syzbot ` (9 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 3:02 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize == 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inode.c | 13 ++++++++++++- fs/ext4/xattr.c | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..257e9b1c6416 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5099,7 +5099,8 @@ static inline int ext4_iget_extra_inode(struct inode *inode, if (EXT4_INODE_HAS_XATTR_SPACE(inode) && *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { int err; - + ext4_error_inode(inode, "ext4_iget_extra_inode", 5102, 0, + "wow this inode has extra space"); err = xattr_check_inode(inode, IHDR(inode, raw_inode), ITAIL(inode, raw_inode)); if (err) @@ -5112,6 +5113,7 @@ static inline int ext4_iget_extra_inode(struct inode *inode, return err; } else EXT4_I(inode)->i_inline_off = 0; + return 0; } @@ -5414,6 +5416,13 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_sync_tid = tid; ei->i_datasync_tid = tid; } + if (EXT4_INODE_SIZE(inode->i_sb) < EXT4_GOOD_OLD_INODE_SIZE) { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has less data"); + if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) { + ext4_error_inode(inode, function, line, 0, "wow! this inode is line"); + } + } if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize == 0) { @@ -5422,6 +5431,8 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_extra_isize = sizeof(struct ext4_inode) - EXT4_GOOD_OLD_INODE_SIZE; } else { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has reached ext4 iget"); ret = ext4_iget_extra_inode(inode, raw_inode, ei); if (ret) goto bad_inode; diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 5a6fe1513fd2..9b4a6978b313 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *bh, struct ext4_xattr_entry *e = entry; int err = -EFSCORRUPTED; char *err_str; - + ext4_error_inode(inode, "check_xattrs", 198, 0, "wow! we are in check_xattrs"); if (bh) { if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || BHDR(bh)->h_blocks != cpu_to_le32(1)) { -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (11 preceding siblings ...) 2025-10-03 3:02 ` syzbot @ 2025-10-03 3:16 ` syzbot 2025-10-03 4:02 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_size " syzbot ` (8 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 3:16 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize == 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes:https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inline.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c index 1b094a4f3866..d6541e661dfa 100644 --- a/fs/ext4/inline.c +++ b/fs/ext4/inline.c @@ -1614,9 +1614,19 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, if (ext4_get_inline_size(dir) == EXT4_MIN_INLINE_DATA_SIZE) goto out; - + inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc); inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE; + void *inode_start = ext4_raw_inode(&is.iloc); + void *inode_end = inode_start + EXT4_INODE_SIZE(dir->i_sb); + + if (inline_start < inode_start || + inline_start >= inode_end || + inline_start + inline_size > inode_end) { + printk(KERN_WARNING "found error in ext4_find_inline_entry\n"); + ret = -EFSCORRUPTED; + goto out; + } ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size, dir, fname, 0, res_dir); -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject inline data flag when i_extra_size is zero 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (12 preceding siblings ...) 2025-10-03 3:16 ` syzbot @ 2025-10-03 4:02 ` syzbot 2025-10-03 6:17 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize " syzbot ` (7 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 4:02 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_size is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize == 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes:https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inline.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c index 1b094a4f3866..d6541e661dfa 100644 --- a/fs/ext4/inline.c +++ b/fs/ext4/inline.c @@ -1614,9 +1614,19 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, if (ext4_get_inline_size(dir) == EXT4_MIN_INLINE_DATA_SIZE) goto out; - + inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc); inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE; + void *inode_start = ext4_raw_inode(&is.iloc); + void *inode_end = inode_start + EXT4_INODE_SIZE(dir->i_sb); + + if (inline_start < inode_start || + inline_start >= inode_end || + inline_start + inline_size > inode_end) { + printk(KERN_WARNING "found error in ext4_find_inline_entry\n"); + ret = -EFSCORRUPTED; + goto out; + } ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size, dir, fname, 0, res_dir); -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (13 preceding siblings ...) 2025-10-03 4:02 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_size " syzbot @ 2025-10-03 6:17 ` syzbot 2025-10-03 8:14 ` Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage syzbot ` (6 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 6:17 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize == 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inode.c | 13 ++++++++++++- fs/ext4/xattr.c | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..257e9b1c6416 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5099,7 +5099,8 @@ static inline int ext4_iget_extra_inode(struct inode *inode, if (EXT4_INODE_HAS_XATTR_SPACE(inode) && *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { int err; - + ext4_error_inode(inode, "ext4_iget_extra_inode", 5102, 0, + "wow this inode has extra space"); err = xattr_check_inode(inode, IHDR(inode, raw_inode), ITAIL(inode, raw_inode)); if (err) @@ -5112,6 +5113,7 @@ static inline int ext4_iget_extra_inode(struct inode *inode, return err; } else EXT4_I(inode)->i_inline_off = 0; + return 0; } @@ -5414,6 +5416,13 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_sync_tid = tid; ei->i_datasync_tid = tid; } + if (EXT4_INODE_SIZE(inode->i_sb) < EXT4_GOOD_OLD_INODE_SIZE) { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has less data"); + if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) { + ext4_error_inode(inode, function, line, 0, "wow! this inode is line"); + } + } if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize == 0) { @@ -5422,6 +5431,8 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_extra_isize = sizeof(struct ext4_inode) - EXT4_GOOD_OLD_INODE_SIZE; } else { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has reached ext4 iget"); ret = ext4_iget_extra_inode(inode, raw_inode, ei); if (ret) goto bad_inode; diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 5a6fe1513fd2..9b4a6978b313 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *bh, struct ext4_xattr_entry *e = entry; int err = -EFSCORRUPTED; char *err_str; - + ext4_error_inode(inode, "check_xattrs", 198, 0, "wow! we are in check_xattrs"); if (bh) { if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || BHDR(bh)->h_blocks != cpu_to_le32(1)) { -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (14 preceding siblings ...) 2025-10-03 6:17 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize " syzbot @ 2025-10-03 8:14 ` syzbot 2025-10-03 8:36 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero syzbot ` (5 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 8:14 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject system.data xattr with external inode storage Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inline directory xattr entries that claim to use external inode storage. ext4 uses the "system.data" xattr to store inline directory entries within the inode. When an inode has the EXT4_INODE_INLINE_DATA flag set, the system.data xattr must use inline storage (e_value_inum == 0). However, a corrupted filesystem can craft a system.data xattr entry with e_value_inum != 0, creating an inconsistency. The existing validation in check_xattrs() skips e_value_offs validation when e_value_inum != 0, allowing a corrupt e_value_offs to pass through unchecked. Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos() reads the corrupt e_value_offs and calculates an inline_start pointer that can point outside the inode buffer, potentially into freed memory. When ext4_search_dir() attempts to access this invalid pointer, it results in a KASAN use-after-free. Fix this by validating in check_xattrs() that if an inode has the inline data flag set, the system.data xattr entry must have e_value_inum == 0. This enforces the consistency between the inode flag and xattr storage type, catching the corruption at validation time during inode load before the corrupt pointer can be used. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inode.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..d082fff675ac 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5417,6 +5417,12 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize == 0) { + if (ext4_has_inline_data(inode)) { + ext4_error_inode(inode, function, line, 0, + "inline data flag set but i_extra_isize is zero"); + ret = -EFSCORRUPTED; + goto bad_inode; + } /* The extra space is currently unused. Use it. */ BUILD_BUG_ON(sizeof(struct ext4_inode) & 3); ei->i_extra_isize = sizeof(struct ext4_inode) - -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (15 preceding siblings ...) 2025-10-03 8:14 ` Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage syzbot @ 2025-10-03 8:36 ` syzbot 2025-10-03 9:09 ` syzbot ` (4 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 8:36 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize == 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inode.c | 13 ++++++++++++- fs/ext4/xattr.c | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..257e9b1c6416 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5099,7 +5099,8 @@ static inline int ext4_iget_extra_inode(struct inode *inode, if (EXT4_INODE_HAS_XATTR_SPACE(inode) && *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { int err; - + ext4_error_inode(inode, "ext4_iget_extra_inode", 5102, 0, + "wow this inode has extra space"); err = xattr_check_inode(inode, IHDR(inode, raw_inode), ITAIL(inode, raw_inode)); if (err) @@ -5112,6 +5113,7 @@ static inline int ext4_iget_extra_inode(struct inode *inode, return err; } else EXT4_I(inode)->i_inline_off = 0; + return 0; } @@ -5414,6 +5416,13 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_sync_tid = tid; ei->i_datasync_tid = tid; } + if (EXT4_INODE_SIZE(inode->i_sb) < EXT4_GOOD_OLD_INODE_SIZE) { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has less data"); + if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) { + ext4_error_inode(inode, function, line, 0, "wow! this inode is line"); + } + } if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize == 0) { @@ -5422,6 +5431,8 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_extra_isize = sizeof(struct ext4_inode) - EXT4_GOOD_OLD_INODE_SIZE; } else { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has reached ext4 iget"); ret = ext4_iget_extra_inode(inode, raw_inode, ei); if (ret) goto bad_inode; diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 5a6fe1513fd2..9b4a6978b313 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *bh, struct ext4_xattr_entry *e = entry; int err = -EFSCORRUPTED; char *err_str; - + ext4_error_inode(inode, "check_xattrs", 198, 0, "wow! we are in check_xattrs"); if (bh) { if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || BHDR(bh)->h_blocks != cpu_to_le32(1)) { -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (16 preceding siblings ...) 2025-10-03 8:36 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero syzbot @ 2025-10-03 9:09 ` syzbot 2025-10-14 13:41 ` kerne test robot 2025-11-08 5:34 ` Forwarded: potential fix syzbot ` (3 subsequent siblings) 21 siblings, 1 reply; 46+ messages in thread From: syzbot @ 2025-10-03 9:09 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize == 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/inode.c | 13 ++++++++++++- fs/ext4/xattr.c | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..257e9b1c6416 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5099,7 +5099,8 @@ static inline int ext4_iget_extra_inode(struct inode *inode, if (EXT4_INODE_HAS_XATTR_SPACE(inode) && *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { int err; - + ext4_error_inode(inode, "ext4_iget_extra_inode", 5102, 0, + "wow this inode has extra space"); err = xattr_check_inode(inode, IHDR(inode, raw_inode), ITAIL(inode, raw_inode)); if (err) @@ -5112,6 +5113,7 @@ static inline int ext4_iget_extra_inode(struct inode *inode, return err; } else EXT4_I(inode)->i_inline_off = 0; + return 0; } @@ -5414,6 +5416,13 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_sync_tid = tid; ei->i_datasync_tid = tid; } + if (EXT4_INODE_SIZE(inode->i_sb) < EXT4_GOOD_OLD_INODE_SIZE) { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has less data"); + if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) { + ext4_error_inode(inode, function, line, 0, "wow! this inode is line"); + } + } if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize == 0) { @@ -5422,6 +5431,8 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ei->i_extra_isize = sizeof(struct ext4_inode) - EXT4_GOOD_OLD_INODE_SIZE; } else { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has reached ext4 iget"); ret = ext4_iget_extra_inode(inode, raw_inode, ei); if (ret) goto bad_inode; diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 5a6fe1513fd2..9b4a6978b313 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *bh, struct ext4_xattr_entry *e = entry; int err = -EFSCORRUPTED; char *err_str; - + ext4_error_inode(inode, "check_xattrs", 198, 0, "wow! we are in check_xattrs"); if (bh) { if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || BHDR(bh)->h_blocks != cpu_to_le32(1)) { -- 2.43.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Re: Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero 2025-10-03 9:09 ` syzbot @ 2025-10-14 13:41 ` kerne test robot 0 siblings, 0 replies; 46+ messages in thread From: kerne test robot @ 2025-10-14 13:41 UTC (permalink / raw) To: syzbot Cc: oe-lkp, lkp, Deepanshu Kartikey, linux-ext4, linux-kernel, syzkaller-bugs, oliver.sang Hello, kernel test robot noticed "xfstests.generic.482.fail" on: commit: a0c31dc212c0f22e40ee114504562030264e1246 ("Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero") url: https://github.com/intel-lab-lkp/linux/commits/syzbot/Forwarded-PATCH-ext4-reject-inline-data-flag-when-i_extra_isize-is-zero/20251003-171522 base: https://git.kernel.org/cgit/linux/kernel/git/tytso/ext4.git dev patch link: https://lore.kernel.org/all/68df92d7.050a0220.2c17c1.0020.GAE@google.com/ patch subject: Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero in testcase: xfstests version: xfstests-x86_64-5a9cd3ef-1_20250910 with following parameters: disk: 4HDD fs: ext4 test: generic-482 config: x86_64-rhel-9.4-func compiler: gcc-14 test machine: 8 threads Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz (Skylake) with 16G memory (please refer to attached dmesg/kmsg for entire log/backtrace) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <oliver.sang@intel.com> | Closes: https://lore.kernel.org/oe-lkp/202510142118.8033d04d-lkp@intel.com 2025-10-09 22:02:09 cd /lkp/benchmarks/xfstests 2025-10-09 22:02:10 export TEST_DIR=/fs/sda1 2025-10-09 22:02:10 export TEST_DEV=/dev/sda1 2025-10-09 22:02:10 export FSTYP=ext4 2025-10-09 22:02:10 export SCRATCH_MNT=/fs/scratch 2025-10-09 22:02:10 mkdir /fs/scratch -p 2025-10-09 22:02:10 export SCRATCH_DEV=/dev/sda4 2025-10-09 22:02:10 export LOGWRITES_DEV=/dev/sda2 2025-10-09 22:02:10 echo generic/482 2025-10-09 22:02:10 ./check -E tests/exclude/ext4 generic/482 FSTYP -- ext4 PLATFORM -- Linux/x86_64 lkp-skl-d07 6.17.0-rc4-00019-ga0c31dc212c0 #1 SMP PREEMPT_DYNAMIC Fri Oct 10 05:40:27 CST 2025 MKFS_OPTIONS -- -F /dev/sda4 MOUNT_OPTIONS -- -o acl,user_xattr /dev/sda4 /fs/scratch generic/482 [failed, exit status 1]- output mismatch (see /lkp/benchmarks/xfstests/results//generic/482.out.bad) --- tests/generic/482.out 2025-09-10 01:40:16.000000000 +0000 +++ /lkp/benchmarks/xfstests/results//generic/482.out.bad 2025-10-09 22:03:12.185850079 +0000 @@ -1,2 +1,3 @@ QA output created by 482 -Silence is golden +_check_generic_filesystem: filesystem on /dev/mapper/thin-vol.482 is inconsistent +(see /lkp/benchmarks/xfstests/results//generic/482.full for details) ... (Run 'diff -u /lkp/benchmarks/xfstests/tests/generic/482.out /lkp/benchmarks/xfstests/results//generic/482.out.bad' to see the entire diff) Ran: generic/482 Failures: generic/482 Failed 1 of 1 tests The kernel config and materials to reproduce are available at: https://download.01.org/0day-ci/archive/20251014/202510142118.8033d04d-lkp@intel.com -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki ^ permalink raw reply [flat|nested] 46+ messages in thread
* Forwarded: potential fix 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (17 preceding siblings ...) 2025-10-03 9:09 ` syzbot @ 2025-11-08 5:34 ` syzbot 2025-11-08 17:54 ` Forwarded: test fix syzbot ` (2 subsequent siblings) 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-11-08 5:34 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: potential fix Author: rpthibeault@gmail.com #syz test ^ permalink raw reply [flat|nested] 46+ messages in thread
* Forwarded: test fix 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (18 preceding siblings ...) 2025-11-08 5:34 ` Forwarded: potential fix syzbot @ 2025-11-08 17:54 ` syzbot 2025-11-13 22:29 ` syzbot 2025-11-14 0:13 ` syzbot 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-11-08 17:54 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: test fix Author: rpthibeault@gmail.com #syz test ^ permalink raw reply [flat|nested] 46+ messages in thread
* Forwarded: test fix 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (19 preceding siblings ...) 2025-11-08 17:54 ` Forwarded: test fix syzbot @ 2025-11-13 22:29 ` syzbot 2025-11-14 0:13 ` syzbot 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-11-13 22:29 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: test fix Author: rpthibeault@gmail.com #syz test ^ permalink raw reply [flat|nested] 46+ messages in thread
* Forwarded: test fix 2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot ` (20 preceding siblings ...) 2025-11-13 22:29 ` syzbot @ 2025-11-14 0:13 ` syzbot 21 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-11-14 0:13 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: test fix Author: rpthibeault@gmail.com #syz test ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251002050906.2082433-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251002050906.2082433-1-kartikey406@gmail.com> @ 2025-10-02 5:30 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 5:30 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=11a12092580000 kernel config: https://syzkaller.appspot.com/x/.config?x=c0364a9e4a291ab2 dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=15d256e2580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251002061821.2163863-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251002061821.2163863-1-kartikey406@gmail.com> @ 2025-10-02 6:26 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 6:26 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot tried to test the proposed patch but the build/boot failed: fs/ext4/xattr.c:255:35: error: use of undeclared identifier 'EXT4_XATTR_SYSTEM_DATA' fs/ext4/xattr.c:256:30: error: use of undeclared identifier 'EXT4_XATTR_SYSTEM_DATA' Tested on: commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel.. git tree: upstream kernel config: https://syzkaller.appspot.com/x/.config?x=ee1d7eda39c03d2c dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=159a56e2580000 ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251002062804.2167179-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251002062804.2167179-1-kartikey406@gmail.com> @ 2025-10-02 6:49 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 6:49 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: use-after-free Read in ext4_search_dir ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469 Read of size 1 at addr ffff88804907506b by task syz.0.23/5978 CPU: 0 UID: 0 PID: 5978 Comm: syz.0.23 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469 ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621 __ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542 ext4_lookup_entry fs/ext4/namei.c:1703 [inline] ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771 lookup_open fs/namei.c:3774 [inline] open_last_lookups fs/namei.c:3895 [inline] path_openat+0x10fe/0x3830 fs/namei.c:4131 do_filp_open+0x1fa/0x410 fs/namei.c:4161 do_sys_openat2+0x121/0x1c0 fs/open.c:1435 do_sys_open fs/open.c:1450 [inline] __do_sys_openat fs/open.c:1466 [inline] __se_sys_openat fs/open.c:1461 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1461 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f999878eec9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9997ddd038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007f99989e6090 RCX: 00007f999878eec9 RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 00007f9998811f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f99989e6128 R14: 00007f99989e6090 R15: 00007fffca9efab8 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xc002573 pfn:0x49075 flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) raw: 04fff00000000000 dead000000000100 dead000000000122 0000000000000000 raw: 000000000c002573 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 5609, tgid 5609 (syz-execprog), ts 124343619274, free_ts 141401086768 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline] vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470 folio_prealloc+0x30/0x180 mm/memory.c:-1 alloc_anon_folio mm/memory.c:4997 [inline] do_anonymous_page mm/memory.c:5054 [inline] do_pte_missing mm/memory.c:4232 [inline] handle_pte_fault mm/memory.c:6052 [inline] __handle_mm_fault+0x2ab9/0x5440 mm/memory.c:6195 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364 do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336 handle_page_fault arch/x86/mm/fault.c:1476 [inline] exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 page last free pid 78 tgid 78 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] free_unref_folios+0xdbd/0x1520 mm/page_alloc.c:2952 shrink_folio_list+0x2977/0x4cd0 mm/vmscan.c:1568 evict_folios+0x471e/0x57c0 mm/vmscan.c:4744 try_to_shrink_lruvec+0x8a3/0xb50 mm/vmscan.c:4907 shrink_one+0x21b/0x7c0 mm/vmscan.c:4952 shrink_many mm/vmscan.c:5015 [inline] lru_gen_shrink_node mm/vmscan.c:5093 [inline] shrink_node+0x314e/0x3760 mm/vmscan.c:6078 kswapd_shrink_node mm/vmscan.c:6938 [inline] balance_pgdat mm/vmscan.c:7121 [inline] kswapd+0x147c/0x2830 mm/vmscan.c:7386 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff888049074f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888049074f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888049075000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888049075080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888049075100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Tested on: commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=15a92092580000 kernel config: https://syzkaller.appspot.com/x/.config?x=c0364a9e4a291ab2 dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=15786334580000 ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251002093807.2387597-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251002093807.2387597-1-kartikey406@gmail.com> @ 2025-10-02 9:48 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 9:48 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot tried to test the proposed patch but the build/boot failed: failed to apply patch: checking file fs/ext4/xattr.c Hunk #2 FAILED at 251. 1 out of 2 hunks FAILED Tested on: commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel.. git tree: upstream kernel config: https://syzkaller.appspot.com/x/.config?x=ee1d7eda39c03d2c dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: patch: https://syzkaller.appspot.com/x/patch.diff?x=1676fd04580000 ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251002100108.2390216-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251002100108.2390216-1-kartikey406@gmail.com> @ 2025-10-02 10:32 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 10:32 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=175d4ee2580000 kernel config: https://syzkaller.appspot.com/x/.config?x=c0364a9e4a291ab2 dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=162fe092580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251002225742.2395560-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251002225742.2395560-1-kartikey406@gmail.com> @ 2025-10-02 23:34 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-02 23:34 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: use-after-free Read in ext4_search_dir loop0: detected capacity change from 1024 to 767 ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469 Read of size 1 at addr ffff888047fa1c98 by task syz.0.17/6004 CPU: 0 UID: 0 PID: 6004 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469 ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621 __ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542 ext4_lookup_entry fs/ext4/namei.c:1703 [inline] ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771 lookup_open fs/namei.c:3774 [inline] open_last_lookups fs/namei.c:3895 [inline] path_openat+0x10fe/0x3830 fs/namei.c:4131 do_filp_open+0x1fa/0x410 fs/namei.c:4161 do_sys_openat2+0x121/0x1c0 fs/open.c:1435 do_sys_open fs/open.c:1450 [inline] __do_sys_openat fs/open.c:1466 [inline] __se_sys_openat fs/open.c:1461 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1461 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f67b018eec9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f67b1082038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007f67b03e5fa0 RCX: 00007f67b018eec9 RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 00007f67b0211f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f67b03e6038 R14: 00007f67b03e5fa0 R15: 00007ffc3955f658 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1cf pfn:0x47fa1 flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) raw: 04fff00000000000 ffffea0001321d08 ffffea0001457388 0000000000000000 raw: 00000000000001cf 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5999, tgid 5999 (dhcpcd-run-hook), ts 97515739076, free_ts 97930783293 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline] vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470 folio_prealloc+0x30/0x180 mm/memory.c:-1 wp_page_copy mm/memory.c:3552 [inline] do_wp_page+0x1231/0x5800 mm/memory.c:4013 handle_pte_fault mm/memory.c:6068 [inline] __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364 do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336 handle_page_fault arch/x86/mm/fault.c:1476 [inline] exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 page last free pid 5999 tgid 5999 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] free_unref_folios+0xdbd/0x1520 mm/page_alloc.c:2952 folios_put_refs+0x559/0x640 mm/swap.c:999 free_pages_and_swap_cache+0x4be/0x520 mm/swap_state.c:267 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] tlb_flush_mmu_free mm/mmu_gather.c:397 [inline] tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497 exit_mmap+0x44c/0xb50 mm/mmap.c:1293 __mmput+0x118/0x430 kernel/fork.c:1130 exit_mm+0x1da/0x2c0 kernel/exit.c:582 do_exit+0x648/0x2300 kernel/exit.c:949 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102 __do_sys_exit_group kernel/exit.c:1113 [inline] __se_sys_exit_group kernel/exit.c:1111 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888047fa1b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888047fa1c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888047fa1c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888047fa1d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888047fa1d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Tested on: commit: f79e7722 Merge tag 'media/v6.18-1' of git://git.kernel.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1176c92f980000 kernel config: https://syzkaller.appspot.com/x/.config?x=7f967f2c97bd611a dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=11f18458580000 ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251002235337.2398242-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251002235337.2398242-1-kartikey406@gmail.com> @ 2025-10-03 0:16 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 0:16 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: slab-use-after-free Read in ext4_search_dir ================================================================== BUG: KASAN: slab-use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469 Read of size 1 at addr ffff8880431675a2 by task syz.0.23/5968 CPU: 0 UID: 0 PID: 5968 Comm: syz.0.23 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469 ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621 __ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542 ext4_lookup_entry fs/ext4/namei.c:1703 [inline] ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771 lookup_open fs/namei.c:3774 [inline] open_last_lookups fs/namei.c:3895 [inline] path_openat+0x10fe/0x3830 fs/namei.c:4131 do_filp_open+0x1fa/0x410 fs/namei.c:4161 do_sys_openat2+0x121/0x1c0 fs/open.c:1435 do_sys_open fs/open.c:1450 [inline] __do_sys_creat fs/open.c:1528 [inline] __se_sys_creat fs/open.c:1522 [inline] __x64_sys_creat+0x8f/0xc0 fs/open.c:1522 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbd45f8eec9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fbd46dca038 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 00007fbd461e6180 RCX: 00007fbd45f8eec9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000100 RBP: 00007fbd46011f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fbd461e6218 R14: 00007fbd461e6180 R15: 00007ffcda6a16e8 </TASK> Allocated by task 5956: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:333 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:359 kasan_slab_alloc include/linux/kasan.h:252 [inline] slab_post_alloc_hook mm/slub.c:4944 [inline] slab_alloc_node mm/slub.c:5243 [inline] kmem_cache_alloc_noprof+0x37b/0x720 mm/slub.c:5250 alloc_empty_file+0x55/0x1d0 fs/file_table.c:237 path_openat+0x107/0x3830 fs/namei.c:4120 do_filp_open+0x1fa/0x410 fs/namei.c:4161 do_sys_openat2+0x121/0x1c0 fs/open.c:1435 do_sys_open fs/open.c:1450 [inline] __do_sys_openat fs/open.c:1466 [inline] __se_sys_openat fs/open.c:1461 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1461 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 15: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2512 [inline] slab_free_after_rcu_debug+0x12c/0x2a0 mm/slub.c:6622 rcu_do_batch kernel/rcu/tree.c:2605 [inline] rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861 handle_softirqs+0x286/0x870 kernel/softirq.c:622 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063 smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Last potentially related work creation: kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548 slab_free_hook mm/slub.c:2473 [inline] slab_free mm/slub.c:6564 [inline] kmem_cache_free+0x4ac/0x6b0 mm/slub.c:6674 task_work_run+0x1d4/0x260 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x6b5/0x2300 kernel/exit.c:961 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102 __do_sys_exit_group kernel/exit.c:1113 [inline] __se_sys_exit_group kernel/exit.c:1111 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Second to last potentially related work creation: kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548 task_work_add+0xb1/0x420 kernel/task_work.c:65 __fput_deferred+0x154/0x390 fs/file_table.c:529 remove_vma+0xdf/0x130 mm/vma.c:466 exit_mmap+0x537/0xb40 mm/mmap.c:1305 __mmput+0x118/0x430 kernel/fork.c:1130 exit_mm+0x1da/0x2c0 kernel/exit.c:582 do_exit+0x648/0x2300 kernel/exit.c:949 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102 __do_sys_exit_group kernel/exit.c:1113 [inline] __se_sys_exit_group kernel/exit.c:1111 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888043167540 which belongs to the cache filp of size 360 The buggy address is located 98 bytes inside of freed 360-byte region [ffff888043167540, ffff8880431676a8) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43167 memcg:ffff888055e55d81 flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 04fff00000000000 ffff88801b2caa00 ffffea000106a200 dead000000000004 raw: 0000000000000000 0000000000090009 00000000f5000000 ffff888055e55d81 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5911, tgid 5911 (rm), ts 147988563881, free_ts 147968362581 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:3028 [inline] allocate_slab+0x96/0x360 mm/slub.c:3201 new_slab mm/slub.c:3255 [inline] ___slab_alloc+0xe75/0x1920 mm/slub.c:4625 __slab_alloc+0x65/0x100 mm/slub.c:4744 __slab_alloc_node mm/slub.c:4820 [inline] slab_alloc_node mm/slub.c:5231 [inline] kmem_cache_alloc_noprof+0x40d/0x720 mm/slub.c:5250 alloc_empty_file+0x55/0x1d0 fs/file_table.c:237 path_openat+0x107/0x3830 fs/namei.c:4120 do_filp_open+0x1fa/0x410 fs/namei.c:4161 do_sys_openat2+0x121/0x1c0 fs/open.c:1435 do_sys_open fs/open.c:1450 [inline] __do_sys_openat fs/open.c:1466 [inline] __se_sys_openat fs/open.c:1461 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1461 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 15 tgid 15 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895 pagetable_free include/linux/mm.h:2898 [inline] pagetable_dtor_free include/linux/mm.h:2996 [inline] __tlb_remove_table+0x2d2/0x3b0 include/asm-generic/tlb.h:220 __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:290 rcu_do_batch kernel/rcu/tree.c:2605 [inline] rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861 handle_softirqs+0x286/0x870 kernel/softirq.c:622 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063 smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff888043167480: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff888043167500: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb >ffff888043167580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888043167600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888043167680: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ================================================================== Tested on: commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=162265cd980000 kernel config: https://syzkaller.appspot.com/x/.config?x=2bc5f6d89013f5e0 dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=14d4a85b980000 ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251003002303.2398961-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251003002303.2398961-1-kartikey406@gmail.com> @ 2025-10-03 0:44 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 0:44 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=10341ee2580000 kernel config: https://syzkaller.appspot.com/x/.config?x=2bc5f6d89013f5e0 dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=1030d942580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251003010657.2402278-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251003010657.2402278-1-kartikey406@gmail.com> @ 2025-10-03 1:28 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 1:28 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: use-after-free Read in ext4_search_dir ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469 Read of size 1 at addr ffff888043c0f1b3 by task syz.0.17/6052 CPU: 0 UID: 0 PID: 6052 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469 ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621 __ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542 ext4_lookup_entry fs/ext4/namei.c:1703 [inline] ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771 lookup_open fs/namei.c:3774 [inline] open_last_lookups fs/namei.c:3895 [inline] path_openat+0x10fe/0x3830 fs/namei.c:4131 do_filp_open+0x1fa/0x410 fs/namei.c:4161 do_sys_openat2+0x121/0x1c0 fs/open.c:1435 do_sys_open fs/open.c:1450 [inline] __do_sys_openat fs/open.c:1466 [inline] __se_sys_openat fs/open.c:1461 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1461 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc79498eec9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc7958bb038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007fc794be6090 RCX: 00007fc79498eec9 RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 00007fc794a11f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fc794be6128 R14: 00007fc794be6090 R15: 00007ffe09140cb8 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fe0644ad pfn:0x43c0f flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) raw: 04fff00000000000 ffffea00010f0408 ffffea00010f0548 0000000000000000 raw: 00000007fe0644ad 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6053, tgid 6053 (modprobe), ts 152683869333, free_ts 152820788321 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline] vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470 folio_prealloc+0x30/0x180 mm/memory.c:-1 alloc_anon_folio mm/memory.c:4997 [inline] do_anonymous_page mm/memory.c:5054 [inline] do_pte_missing mm/memory.c:4232 [inline] handle_pte_fault mm/memory.c:6052 [inline] __handle_mm_fault+0x2ab9/0x5440 mm/memory.c:6195 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364 do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336 handle_page_fault arch/x86/mm/fault.c:1476 [inline] exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 page last free pid 6053 tgid 6053 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] free_unref_folios+0xdbd/0x1520 mm/page_alloc.c:2952 folios_put_refs+0x559/0x640 mm/swap.c:999 free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:264 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] tlb_flush_mmu_free mm/mmu_gather.c:397 [inline] tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497 exit_mmap+0x444/0xb40 mm/mmap.c:1293 __mmput+0x118/0x430 kernel/fork.c:1130 exit_mm+0x1da/0x2c0 kernel/exit.c:582 do_exit+0x648/0x2300 kernel/exit.c:949 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102 __do_sys_exit_group kernel/exit.c:1113 [inline] __se_sys_exit_group kernel/exit.c:1111 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888043c0f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888043c0f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888043c0f180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888043c0f200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888043c0f280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Tested on: commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=14e31214580000 kernel config: https://syzkaller.appspot.com/x/.config?x=2bc5f6d89013f5e0 dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=14980304580000 ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251003014049.2407777-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251003014049.2407777-1-kartikey406@gmail.com> @ 2025-10-03 2:02 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 2:02 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=10b1c92f980000 kernel config: https://syzkaller.appspot.com/x/.config?x=2bc5f6d89013f5e0 dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=11a49334580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251003020223.2408483-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251003020223.2408483-1-kartikey406@gmail.com> @ 2025-10-03 2:23 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 2:23 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=114b1214580000 kernel config: https://syzkaller.appspot.com/x/.config?x=2bc5f6d89013f5e0 dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=11731214580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251003030202.2409492-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251003030202.2409492-1-kartikey406@gmail.com> @ 2025-10-03 3:23 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 3:23 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' .. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=106ecee2580000 kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=120ecee2580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251003031625.2411015-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251003031625.2411015-1-kartikey406@gmail.com> @ 2025-10-03 3:43 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 3:43 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' .. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=115aa85b980000 kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=17c6aa7c580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251003040153.2411696-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251003040153.2411696-1-kartikey406@gmail.com> @ 2025-10-03 4:23 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 4:23 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' .. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=117c0304580000 kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=159c0304580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251003061658.2515919-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251003061658.2515919-1-kartikey406@gmail.com> @ 2025-10-03 6:38 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 6:38 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' .. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=134ad942580000 kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=100165cd980000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251003081442.2555454-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251003081442.2555454-1-kartikey406@gmail.com> @ 2025-10-03 8:35 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 8:35 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: use-after-free Read in ext4_search_dir loop0: detected capacity change from 1024 to 767 ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469 Read of size 1 at addr ffff888047c19e53 by task syz.0.25/5994 CPU: 0 UID: 0 PID: 5994 Comm: syz.0.25 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469 ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621 __ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542 ext4_lookup_entry fs/ext4/namei.c:1703 [inline] ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771 lookup_open fs/namei.c:3774 [inline] open_last_lookups fs/namei.c:3895 [inline] path_openat+0x10fe/0x3830 fs/namei.c:4131 do_filp_open+0x1fa/0x410 fs/namei.c:4161 do_sys_openat2+0x121/0x1c0 fs/open.c:1435 do_sys_open fs/open.c:1450 [inline] __do_sys_creat fs/open.c:1528 [inline] __se_sys_creat fs/open.c:1522 [inline] __x64_sys_creat+0x8f/0xc0 fs/open.c:1522 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f30dc98eec9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f30dd80c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 00007f30dcbe5fa0 RCX: 00007f30dc98eec9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000100 RBP: 00007f30dca11f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f30dcbe6038 R14: 00007f30dcbe5fa0 R15: 00007ffd1c506f18 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1ce pfn:0x47c19 flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) raw: 04fff00000000000 ffffea00011f0688 ffffea00011f6088 0000000000000000 raw: 00000000000001ce 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5999, tgid 5999 (cmp), ts 160342984478, free_ts 160390502500 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850 prep_new_page mm/page_alloc.c:1858 [inline] get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3884 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline] vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470 folio_prealloc+0x30/0x180 mm/memory.c:-1 wp_page_copy mm/memory.c:3679 [inline] do_wp_page+0x1231/0x5800 mm/memory.c:4140 handle_pte_fault mm/memory.c:6193 [inline] __handle_mm_fault+0x1033/0x5400 mm/memory.c:6318 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6487 do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336 handle_page_fault arch/x86/mm/fault.c:1476 [inline] exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 page last free pid 5999 tgid 5999 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1394 [inline] free_unref_folios+0xdb3/0x14f0 mm/page_alloc.c:2963 folios_put_refs+0x584/0x670 mm/swap.c:1002 free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:355 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] tlb_flush_mmu_free mm/mmu_gather.c:397 [inline] tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497 exit_mmap+0x444/0xb40 mm/mmap.c:1293 __mmput+0x118/0x430 kernel/fork.c:1133 exit_mm+0x1da/0x2c0 kernel/exit.c:582 do_exit+0x648/0x2300 kernel/exit.c:954 do_group_exit+0x21c/0x2d0 kernel/exit.c:1107 __do_sys_exit_group kernel/exit.c:1118 [inline] __se_sys_exit_group kernel/exit.c:1116 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1116 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888047c19d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888047c19d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888047c19e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888047c19e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888047c19f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Tested on: commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' .. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=126965cd980000 kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=13911ee2580000 ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251003083604.2556017-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251003083604.2556017-1-kartikey406@gmail.com> @ 2025-10-03 8:57 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 8:57 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' .. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1047c92f980000 kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=139576e2580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <20251003090932.2559979-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <20251003090932.2559979-1-kartikey406@gmail.com> @ 2025-10-03 9:30 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-10-03 9:30 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' .. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=142d76e2580000 kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=163e9334580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <aQ7WfQOMTIDiPBin@rpthibeault-XPS-13-9305>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <aQ7WfQOMTIDiPBin@rpthibeault-XPS-13-9305> @ 2025-11-08 5:55 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-11-08 5:55 UTC (permalink / raw) To: linux-kernel, rpthibeault, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: e811c33b Merge tag 'drm-fixes-2025-11-08' of https://g.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1388b812580000 kernel config: https://syzkaller.appspot.com/x/.config?x=486aa0235ebabcac dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=13dd3bcd980000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <aQ-D6qQkBA6XUgyD@rpthibeault-XPS-13-9305>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <aQ-D6qQkBA6XUgyD@rpthibeault-XPS-13-9305> @ 2025-11-08 18:16 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-11-08 18:16 UTC (permalink / raw) To: linux-kernel, rpthibeault, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: 0d7bee10 Merge tag 'x86-urgent-2025-11-08' of git://gi.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1791c412580000 kernel config: https://syzkaller.appspot.com/x/.config?x=486aa0235ebabcac dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=1721c412580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <aRZbvQgQgxVbfgow@rpthibeault-XPS-13-9305>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <aRZbvQgQgxVbfgow@rpthibeault-XPS-13-9305> @ 2025-11-13 22:48 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-11-13 22:48 UTC (permalink / raw) To: linux-kernel, rpthibeault, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: INFO: task hung in bdev_release INFO: task udevd:5853 blocked for more than 143 seconds. Not tainted syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:udevd state:D stack:22952 pid:5853 tgid:5853 ppid:4730 task_flags:0x400140 flags:0x00080001 Call Trace: <TASK> context_switch kernel/sched/core.c:5325 [inline] __schedule+0x1798/0x4cc0 kernel/sched/core.c:6929 __schedule_loop kernel/sched/core.c:7011 [inline] schedule+0x165/0x360 kernel/sched/core.c:7026 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7083 __mutex_lock_common kernel/locking/mutex.c:676 [inline] __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 bdev_release+0x1a9/0x650 block/bdev.c:1128 blkdev_release+0x15/0x20 block/fops.c:709 __fput+0x44c/0xa70 fs/file_table.c:468 fput_close_sync+0x119/0x200 fs/file_table.c:573 __do_sys_close fs/open.c:1589 [inline] __se_sys_close fs/open.c:1574 [inline] __x64_sys_close+0x7f/0x110 fs/open.c:1574 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f75dfaa7407 RSP: 002b:00007ffee7019520 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 00007f75e0285880 RCX: 00007f75dfaa7407 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000009 RBP: 00007f75e02856e8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000009 </TASK> INFO: task syz.3.281:6689 blocked for more than 145 seconds. Not tainted syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.3.281 state:D stack:25736 pid:6689 tgid:6688 ppid:5743 task_flags:0x400140 flags:0x00080002 Call Trace: <TASK> context_switch kernel/sched/core.c:5325 [inline] __schedule+0x1798/0x4cc0 kernel/sched/core.c:6929 __schedule_loop kernel/sched/core.c:7011 [inline] schedule+0x165/0x360 kernel/sched/core.c:7026 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7083 __mutex_lock_common kernel/locking/mutex.c:676 [inline] __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 loop_reread_partitions drivers/block/loop.c:448 [inline] loop_set_status+0xaa1/0xe30 drivers/block/loop.c:1293 loop_set_status_old drivers/block/loop.c:1380 [inline] lo_ioctl+0x9e9/0x1c60 drivers/block/loop.c:1570 blkdev_ioctl+0x5af/0x6d0 block/ioctl.c:705 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc10af8eec9 RSP: 002b:00007fc10a5fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fc10b1e5fa0 RCX: 00007fc10af8eec9 RDX: 0000200000000300 RSI: 0000000000004c02 RDI: 0000000000000003 RBP: 00007fc10b011f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fc10b1e6038 R14: 00007fc10b1e5fa0 R15: 00007ffc7e3d2b48 </TASK> INFO: task syz.0.283:6697 blocked for more than 151 seconds. Not tainted syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.0.283 state:D stack:25640 pid:6697 tgid:6690 ppid:5734 task_flags:0x400140 flags:0x00080002 Call Trace: <TASK> context_switch kernel/sched/core.c:5325 [inline] __schedule+0x1798/0x4cc0 kernel/sched/core.c:6929 __schedule_loop kernel/sched/core.c:7011 [inline] schedule+0x165/0x360 kernel/sched/core.c:7026 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7083 __mutex_lock_common kernel/locking/mutex.c:676 [inline] __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 bdev_open+0xe0/0xd30 block/bdev.c:945 bdev_file_open_by_dev+0x1be/0x240 block/bdev.c:1059 setup_bdev_super+0x5a/0x5b0 fs/super.c:1609 get_tree_bdev_flags+0x366/0x4d0 fs/super.c:1689 vfs_get_tree+0x92/0x2b0 fs/super.c:1751 fc_mount fs/namespace.c:1208 [inline] do_new_mount_fc fs/namespace.c:3651 [inline] do_new_mount+0x302/0xa10 fs/namespace.c:3727 do_mount fs/namespace.c:4050 [inline] __do_sys_mount fs/namespace.c:4238 [inline] __se_sys_mount+0x313/0x410 fs/namespace.c:4215 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f646db9066a RSP: 002b:00007f646e99ce68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f646e99cef0 RCX: 00007f646db9066a Tested on: commit: 9b9e4370 Merge tag 'slab-for-6.18-rc6' of git://git.ke.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=15a9c914580000 kernel config: https://syzkaller.appspot.com/x/.config?x=486aa0235ebabcac dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=1649c914580000 ^ permalink raw reply [flat|nested] 46+ messages in thread
[parent not found: <aRZ0EwX9Ajg38Sei@rpthibeault-XPS-13-9305>]
* Re: [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir [not found] <aRZ0EwX9Ajg38Sei@rpthibeault-XPS-13-9305> @ 2025-11-14 0:34 ` syzbot 0 siblings, 0 replies; 46+ messages in thread From: syzbot @ 2025-11-14 0:34 UTC (permalink / raw) To: linux-kernel, rpthibeault, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Tested on: commit: 9b9e4370 Merge tag 'slab-for-6.18-rc6' of git://git.ke.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1315c914580000 kernel config: https://syzkaller.appspot.com/x/.config?x=486aa0235ebabcac dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=11fcd7cd980000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 46+ messages in thread
end of thread, other threads:[~2025-11-14 0:34 UTC | newest]
Thread overview: 46+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-02 0:10 [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot
2025-10-02 5:09 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr syzbot
2025-10-02 6:18 ` Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage syzbot
2025-10-02 6:28 ` syzbot
2025-10-02 9:38 ` syzbot
2025-10-02 10:01 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero syzbot
2025-10-02 22:57 ` syzbot
2025-10-02 23:54 ` Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage syzbot
2025-10-03 0:23 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr syzbot
2025-10-03 1:07 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero syzbot
2025-10-03 1:40 ` syzbot
2025-10-03 2:02 ` syzbot
2025-10-03 3:02 ` syzbot
2025-10-03 3:16 ` syzbot
2025-10-03 4:02 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_size " syzbot
2025-10-03 6:17 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize " syzbot
2025-10-03 8:14 ` Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage syzbot
2025-10-03 8:36 ` Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero syzbot
2025-10-03 9:09 ` syzbot
2025-10-14 13:41 ` kerne test robot
2025-11-08 5:34 ` Forwarded: potential fix syzbot
2025-11-08 17:54 ` Forwarded: test fix syzbot
2025-11-13 22:29 ` syzbot
2025-11-14 0:13 ` syzbot
[not found] <20251002050906.2082433-1-kartikey406@gmail.com>
2025-10-02 5:30 ` [syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir syzbot
[not found] <20251002061821.2163863-1-kartikey406@gmail.com>
2025-10-02 6:26 ` syzbot
[not found] <20251002062804.2167179-1-kartikey406@gmail.com>
2025-10-02 6:49 ` syzbot
[not found] <20251002093807.2387597-1-kartikey406@gmail.com>
2025-10-02 9:48 ` syzbot
[not found] <20251002100108.2390216-1-kartikey406@gmail.com>
2025-10-02 10:32 ` syzbot
[not found] <20251002225742.2395560-1-kartikey406@gmail.com>
2025-10-02 23:34 ` syzbot
[not found] <20251002235337.2398242-1-kartikey406@gmail.com>
2025-10-03 0:16 ` syzbot
[not found] <20251003002303.2398961-1-kartikey406@gmail.com>
2025-10-03 0:44 ` syzbot
[not found] <20251003010657.2402278-1-kartikey406@gmail.com>
2025-10-03 1:28 ` syzbot
[not found] <20251003014049.2407777-1-kartikey406@gmail.com>
2025-10-03 2:02 ` syzbot
[not found] <20251003020223.2408483-1-kartikey406@gmail.com>
2025-10-03 2:23 ` syzbot
[not found] <20251003030202.2409492-1-kartikey406@gmail.com>
2025-10-03 3:23 ` syzbot
[not found] <20251003031625.2411015-1-kartikey406@gmail.com>
2025-10-03 3:43 ` syzbot
[not found] <20251003040153.2411696-1-kartikey406@gmail.com>
2025-10-03 4:23 ` syzbot
[not found] <20251003061658.2515919-1-kartikey406@gmail.com>
2025-10-03 6:38 ` syzbot
[not found] <20251003081442.2555454-1-kartikey406@gmail.com>
2025-10-03 8:35 ` syzbot
[not found] <20251003083604.2556017-1-kartikey406@gmail.com>
2025-10-03 8:57 ` syzbot
[not found] <20251003090932.2559979-1-kartikey406@gmail.com>
2025-10-03 9:30 ` syzbot
[not found] <aQ7WfQOMTIDiPBin@rpthibeault-XPS-13-9305>
2025-11-08 5:55 ` syzbot
[not found] <aQ-D6qQkBA6XUgyD@rpthibeault-XPS-13-9305>
2025-11-08 18:16 ` syzbot
[not found] <aRZbvQgQgxVbfgow@rpthibeault-XPS-13-9305>
2025-11-13 22:48 ` syzbot
[not found] <aRZ0EwX9Ajg38Sei@rpthibeault-XPS-13-9305>
2025-11-14 0:34 ` syzbot
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.