Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com>
To: albinbabuvarghese20@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
Date: Wed, 19 Nov 2025 09:53:02 -0800	[thread overview]
Message-ID: <691e03fe.a70a0220.d98e3.0018.GAE@google.com> (raw)
In-Reply-To: <CADfthj1tCCoMeUbBD77N+nrPeit7t6LTpScLgtAUzPgbqfuNcg@mail.gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_find_extent

loop0: detected capacity change from 0 to 1024
EXT4-fs: Ignoring removed oldalloc option
EXT4-fs: Ignoring removed orlov option
EXT4-fs (loop0): stripe (1570) is not aligned with cluster size (16), stripe is disabled
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff88805848d018 by task syz.0.1716/13445

CPU: 1 UID: 0 PID: 13445 Comm: syz.0.1716 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4208
 ext4_map_query_blocks+0x13b/0x930 fs/ext4/inode.c:550
 ext4_map_blocks+0x4b3/0x1740 fs/ext4/inode.c:773
 _ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:910
 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:943
 ext4_block_write_begin+0x993/0x1710 fs/ext4/inode.c:1198
 ext4_write_begin+0xc04/0x19a0 fs/ext4/ext4_jbd2.h:-1
 ext4_da_write_begin+0x445/0xda0 fs/ext4/inode.c:3129
 generic_perform_write+0x2c5/0x900 mm/filemap.c:4254
 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299
 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5c9/0xb30 fs/read_write.c:686
 ksys_pwrite64 fs/read_write.c:793 [inline]
 __do_sys_pwrite64 fs/read_write.c:801 [inline]
 __se_sys_pwrite64 fs/read_write.c:798 [inline]
 __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:798
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb6d7d8e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb6d8cd4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007fb6d7fb5fa0 RCX: 00007fb6d7d8e929
RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000004
RBP: 00007fb6d7e10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000e7c R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fb6d7fb5fa0 R15: 00007ffe519db498
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xc00772c pfn:0x5848d
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 000000000c00772c 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6135, tgid 6130 (syz-execprog), ts 118165039414, free_ts 376890617757
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
 prep_new_page mm/page_alloc.c:1853 [inline]
 get_page_from_freelist+0x2356/0x2430 mm/page_alloc.c:3879
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
 vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
 folio_prealloc+0x30/0x180 mm/memory.c:-1
 alloc_anon_folio mm/memory.c:5126 [inline]
 do_anonymous_page mm/memory.c:5183 [inline]
 do_pte_missing mm/memory.c:4360 [inline]
 handle_pte_fault mm/memory.c:6195 [inline]
 __handle_mm_fault+0x2a8b/0x5400 mm/memory.c:6336
 handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6505
 do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 6132 tgid 6130 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 free_unref_folios+0xe5d/0x15f0 mm/page_alloc.c:2958
 folios_put_refs+0x584/0x670 mm/swap.c:1002
 free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:355
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
 madvise_finish_tlb mm/madvise.c:1790 [inline]
 do_madvise+0x208/0x270 mm/madvise.c:1979
 __do_sys_madvise mm/madvise.c:1987 [inline]
 __se_sys_madvise mm/madvise.c:1985 [inline]
 __x64_sys_madvise+0xa7/0xc0 mm/madvise.c:1985
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805848cf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805848cf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88805848d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff88805848d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805848d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         8b690556 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e90742580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=169cce0a580000

next      parent reply	other threads:[~2025-11-19 17:53 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CADfthj1tCCoMeUbBD77N+nrPeit7t6LTpScLgtAUzPgbqfuNcg@mail.gmail.com>
2025-11-19 17:53 ` syzbot [this message]
     [not found] <CAHxJ8O8xhXVne3ghaMNk1Ttgj35hfK1_Rk-WyDe+sC-qM7XPPQ@mail.gmail.com>
2025-11-21 22:01 ` [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
     [not found] <CAHxJ8O-T9Dtjz2TAzJ4NZRHjEoMkqc9sLSjFQn2WFG8Et57UFg@mail.gmail.com>
2025-11-20 19:07 ` syzbot
     [not found] <CAHxJ8O_vfXVmYBidWof5vvx4POOzdLdwyD7NxBuwPp+5Ot6PAQ@mail.gmail.com>
2025-11-20 18:21 ` syzbot
     [not found] <CAHxJ8O-6VrfyR-Yp7yQLu+W=zo9yPVTjfj6ic-Fiq6dF1-tmwQ@mail.gmail.com>
2025-11-20 16:11 ` syzbot
     [not found] <CAHxJ8O_9bpgRjjjD=D4YpwM+FvvKh-OqeHP4kZhBVbL+zXOMgA@mail.gmail.com>
2025-11-20 13:38 ` syzbot
     [not found] <CAHxJ8O8P7PcMPfFktS39H_PH7_z8UwmL5oJeVpjetHxU7haGug@mail.gmail.com>
2025-11-20 12:15 ` syzbot
     [not found] <CAHxJ8O8WbUF8HROrpL-FkCjmqhRZ2Et6nsSzA9Oo4viTHZWf5A@mail.gmail.com>
2025-11-20  2:13 ` syzbot
     [not found] <CAHxJ8O-Y021tSY0w==hGmrwMt46ay=vT=zvwuGEfxEEN5SW7LA@mail.gmail.com>
2025-11-20  1:27 ` syzbot
     [not found] <CADfthj1-m1WoipkSJmZ=1fe23T_7Bn=_n0iLTBHdUwXF-i7YQA@mail.gmail.com>
2025-11-19  8:13 ` syzbot
2024-12-30 20:06 syzbot
2025-03-27 23:44 ` syzbot
2025-03-28 17:10   ` Ojaswin Mujoo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=691e03fe.a70a0220.d98e3.0018.GAE@google.com \
    --to=syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com \
    --cc=albinbabuvarghese20@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.