From: syzbot <syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com>
To: eraykrdg1@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
Date: Thu, 20 Nov 2025 05:38:02 -0800 [thread overview]
Message-ID: <691f19ba.a70a0220.d98e3.002d.GAE@google.com> (raw)
In-Reply-To: <CAHxJ8O_9bpgRjjjD=D4YpwM+FvvKh-OqeHP4kZhBVbL+zXOMgA@mail.gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_find_extent
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff8880618f1018 by task kworker/u8:6/1096
CPU: 1 UID: 0 PID: 1096 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4208
ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
ext4_convert_unwritten_extents+0x2ae/0x5d0 fs/ext4/extents.c:4976
ext4_convert_unwritten_io_end_vec+0xff/0x170 fs/ext4/extents.c:5016
ext4_end_io_end+0xc7/0x410 fs/ext4/page-io.c:199
ext4_do_flush_completed_IO fs/ext4/page-io.c:290 [inline]
ext4_end_io_rsv_work+0x262/0x330 fs/ext4/page-io.c:305
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f8288ec9 pfn:0x618f1
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001863c88 ffffea0001863c08 0000000000000000
raw: 00000007f8288ec9 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6155, tgid 6155 (syz-executor), ts 131175623082, free_ts 136501716604
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
prep_new_page mm/page_alloc.c:1853 [inline]
get_page_from_freelist+0x2356/0x2430 mm/page_alloc.c:3879
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
folio_prealloc+0x30/0x180 mm/memory.c:-1
alloc_anon_folio mm/memory.c:5126 [inline]
do_anonymous_page mm/memory.c:5183 [inline]
do_pte_missing mm/memory.c:4360 [inline]
handle_pte_fault mm/memory.c:6195 [inline]
__handle_mm_fault+0x2a8b/0x5400 mm/memory.c:6336
handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6505
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 6155 tgid 6155 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1394 [inline]
free_unref_folios+0xe5d/0x15f0 mm/page_alloc.c:2958
folios_put_refs+0x584/0x670 mm/swap.c:1002
free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:355
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
vms_clear_ptes+0x42c/0x540 mm/vma.c:1235
vms_complete_munmap_vmas+0x206/0x8a0 mm/vma.c:1277
do_vmi_align_munmap+0x364/0x440 mm/vma.c:1536
do_vmi_munmap+0x253/0x2e0 mm/vma.c:1584
__vm_munmap+0x207/0x380 mm/vma.c:3156
__do_sys_munmap mm/mmap.c:1080 [inline]
__se_sys_munmap mm/mmap.c:1077 [inline]
__x64_sys_munmap+0x60/0x70 mm/mmap.c:1077
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8880618f0f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880618f0f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880618f1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880618f1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880618f1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Tested on:
commit: 23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1002f692580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=111dba12580000
next parent reply other threads:[~2025-11-20 13:38 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAHxJ8O_9bpgRjjjD=D4YpwM+FvvKh-OqeHP4kZhBVbL+zXOMgA@mail.gmail.com>
2025-11-20 13:38 ` syzbot [this message]
[not found] <CAHxJ8O8xhXVne3ghaMNk1Ttgj35hfK1_Rk-WyDe+sC-qM7XPPQ@mail.gmail.com>
2025-11-21 22:01 ` [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
[not found] <CAHxJ8O-T9Dtjz2TAzJ4NZRHjEoMkqc9sLSjFQn2WFG8Et57UFg@mail.gmail.com>
2025-11-20 19:07 ` syzbot
[not found] <CAHxJ8O_vfXVmYBidWof5vvx4POOzdLdwyD7NxBuwPp+5Ot6PAQ@mail.gmail.com>
2025-11-20 18:21 ` syzbot
[not found] <CAHxJ8O-6VrfyR-Yp7yQLu+W=zo9yPVTjfj6ic-Fiq6dF1-tmwQ@mail.gmail.com>
2025-11-20 16:11 ` syzbot
[not found] <CAHxJ8O8P7PcMPfFktS39H_PH7_z8UwmL5oJeVpjetHxU7haGug@mail.gmail.com>
2025-11-20 12:15 ` syzbot
[not found] <CAHxJ8O8WbUF8HROrpL-FkCjmqhRZ2Et6nsSzA9Oo4viTHZWf5A@mail.gmail.com>
2025-11-20 2:13 ` syzbot
[not found] <CAHxJ8O-Y021tSY0w==hGmrwMt46ay=vT=zvwuGEfxEEN5SW7LA@mail.gmail.com>
2025-11-20 1:27 ` syzbot
[not found] <CADfthj1tCCoMeUbBD77N+nrPeit7t6LTpScLgtAUzPgbqfuNcg@mail.gmail.com>
2025-11-19 17:53 ` syzbot
[not found] <CADfthj1-m1WoipkSJmZ=1fe23T_7Bn=_n0iLTBHdUwXF-i7YQA@mail.gmail.com>
2025-11-19 8:13 ` syzbot
2024-12-30 20:06 syzbot
2025-03-27 23:44 ` syzbot
2025-03-28 17:10 ` Ojaswin Mujoo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=691f19ba.a70a0220.d98e3.002d.GAE@google.com \
--to=syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com \
--cc=eraykrdg1@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.