* [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent
@ 2025-05-25 18:12 syzbot
2025-05-26 14:53 ` syzbot
` (6 more replies)
0 siblings, 7 replies; 15+ messages in thread
From: syzbot @ 2025-05-25 18:12 UTC (permalink / raw)
To: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso
Hello,
syzbot found the following issue on:
HEAD commit: d0c22de9995b Merge tag 'input-for-v6.15-rc7' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15e00df4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1de0d8596cea805
dashboard link: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16931170580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14683ad4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cf852e5656de/disk-d0c22de9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/761933abe01b/vmlinux-d0c22de9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/187857154891/bzImage-d0c22de9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/992dec4e0af9/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=151468e8580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9db318d6167044609878@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x41b6/0x4af0 fs/ext4/extents.c:2084
Read of size 4 at addr ffff88802db31c18 by task syz-executor706/7034
CPU: 1 UID: 0 PID: 7034 Comm: syz-executor706 Not tainted 6.15.0-rc7-syzkaller-00152-gd0c22de9995b #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xb4/0x290 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
ext4_ext_insert_extent+0x41b6/0x4af0 fs/ext4/extents.c:2084
ext4_ext_map_blocks+0x179c/0x67c0 fs/ext4/extents.c:4400
ext4_map_create_blocks fs/ext4/inode.c:520 [inline]
ext4_map_blocks+0x807/0x1740 fs/ext4/inode.c:706
_ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:785
ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:818
ext4_block_write_begin+0x543/0x1290 fs/ext4/inode.c:1067
ext4_write_begin+0x6f6/0x12c0 fs/ext4/ext4_jbd2.h:-1
ext4_da_write_begin+0x33a/0xa60 fs/ext4/inode.c:2932
generic_perform_write+0x2c4/0x910 mm/filemap.c:4103
ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299
ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1
new_sync_write fs/read_write.c:591 [inline]
vfs_write+0x54b/0xa90 fs/read_write.c:684
ksys_pwrite64 fs/read_write.c:791 [inline]
__do_sys_pwrite64 fs/read_write.c:799 [inline]
__se_sys_pwrite64 fs/read_write.c:796 [inline]
__x64_sys_pwrite64+0x193/0x220 fs/read_write.c:796
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0078162e09
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0078117218 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007f00781ea6c8 RCX: 00007f0078162e09
RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000004
RBP: 00007f00781ea6c0 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000fecc R11: 0000000000000246 R12: 00007f00781b7630
R13: 0000200000000000 R14: 00002000000000c0 R15: 00007f00781b706b
</TASK>
Allocated by task 5844:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4147 [inline]
slab_alloc_node mm/slub.c:4196 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4203
getname_flags+0xb8/0x540 fs/namei.c:146
getname include/linux/fs.h:2852 [inline]
__do_sys_symlink fs/namei.c:4770 [inline]
__se_sys_symlink fs/namei.c:4768 [inline]
__x64_sys_symlink+0x6a/0x90 fs/namei.c:4768
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5844:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2380 [inline]
slab_free mm/slub.c:4642 [inline]
kmem_cache_free+0x192/0x3f0 mm/slub.c:4744
do_symlinkat+0x39f/0x3f0 fs/namei.c:4757
__do_sys_symlink fs/namei.c:4770 [inline]
__se_sys_symlink fs/namei.c:4768 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4768
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88802db31100
which belongs to the cache names_cache of size 4096
The buggy address is located 2840 bytes inside of
freed 4096-byte region [ffff88802db31100, ffff88802db32100)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2db30
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b2b8780 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000070007 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b2b8780 0000000000000000 dead000000000001
head: 0000000000000000 0000000000070007 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0000b6cc01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5844, tgid 5844 (udevd), ts 111781614645, free_ts 111672478666
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1d8/0x230 mm/page_alloc.c:1714
prep_new_page mm/page_alloc.c:1722 [inline]
get_page_from_freelist+0x21c7/0x22a0 mm/page_alloc.c:3684
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4966
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2301
alloc_slab_page mm/slub.c:2450 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2618
new_slab mm/slub.c:2672 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3858
__slab_alloc mm/slub.c:3948 [inline]
__slab_alloc_node mm/slub.c:4023 [inline]
slab_alloc_node mm/slub.c:4184 [inline]
kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4203
getname_flags+0xb8/0x540 fs/namei.c:146
getname include/linux/fs.h:2852 [inline]
__do_sys_symlink fs/namei.c:4770 [inline]
__se_sys_symlink fs/namei.c:4768 [inline]
__x64_sys_symlink+0x5d/0x90 fs/namei.c:4768
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5189 tgid 5189 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1258 [inline]
__free_frozen_pages+0xb05/0xcd0 mm/page_alloc.c:2721
discard_slab mm/slub.c:2716 [inline]
__put_partials+0x161/0x1c0 mm/slub.c:3185
put_cpu_partial+0x17c/0x250 mm/slub.c:3260
__slab_free+0x2f7/0x400 mm/slub.c:4512
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4147 [inline]
slab_alloc_node mm/slub.c:4196 [inline]
__do_kmalloc_node mm/slub.c:4326 [inline]
__kmalloc_noprof+0x224/0x4f0 mm/slub.c:4339
kmalloc_noprof include/linux/slab.h:909 [inline]
tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x213/0x4b0 security/tomoyo/file.c:822
security_inode_getattr+0x12f/0x330 security/security.c:2377
vfs_getattr fs/stat.c:256 [inline]
vfs_fstat fs/stat.c:278 [inline]
__do_sys_newfstat fs/stat.c:546 [inline]
__se_sys_newfstat fs/stat.c:543 [inline]
__x64_sys_newfstat+0xfe/0x200 fs/stat.c:543
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88802db31b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802db31b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802db31c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802db31c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802db31d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent 2025-05-25 18:12 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent syzbot @ 2025-05-26 14:53 ` syzbot 2025-09-30 15:20 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_ext_insert_extent() syzbot ` (5 subsequent siblings) 6 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-05-26 14:53 UTC (permalink / raw) To: adilger.kernel, akpm, dave.hansen, linux-ext4, linux-kernel, syzkaller-bugs, tytso syzbot has bisected this issue to: commit 665575cff098b696995ddaddf4646a4099941f5e Author: Dave Hansen <dave.hansen@linux.intel.com> Date: Fri Feb 28 20:37:22 2025 +0000 filemap: move prefaulting out of hot write path bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14435170580000 start commit: d0c22de9995b Merge tag 'input-for-v6.15-rc7' of git://git... git tree: upstream final oops: https://syzkaller.appspot.com/x/report.txt?x=16435170580000 console output: https://syzkaller.appspot.com/x/log.txt?x=12435170580000 kernel config: https://syzkaller.appspot.com/x/.config?x=a1de0d8596cea805 dashboard link: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16931170580000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14683ad4580000 Reported-by: syzbot+9db318d6167044609878@syzkaller.appspotmail.com Fixes: 665575cff098 ("filemap: move prefaulting out of hot write path") For information about bisection process see: https://goo.gl/tpsmEJ#bisection ^ permalink raw reply [flat|nested] 15+ messages in thread
* Forwarded: [PATCH] ext4: fix use-after-free in ext4_ext_insert_extent() 2025-05-25 18:12 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent syzbot 2025-05-26 14:53 ` syzbot @ 2025-09-30 15:20 ` syzbot 2025-10-01 23:11 ` kernel test robot 2025-09-30 20:57 ` Forwarded: [PATCH] ext4: fix use-after-free in extent header access syzbot ` (4 subsequent siblings) 6 siblings, 1 reply; 15+ messages in thread From: syzbot @ 2025-09-30 15:20 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: fix use-after-free in ext4_ext_insert_extent() Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master syzbot reported a use-after-free bug in ext4_ext_insert_extent() where fex->ee_block is accessed after the extent header has been freed. This occurs when the extent header is corrupted or freed by a concurrent thread during a write operation. The issue is triggered when multiple threads perform concurrent writes to the same file. After commit 665575cff098 ("filemap: move prefaulting out of hot write path"), the write path no longer prefaults pages, creating a race window where: 1. Thread A enters ext4_ext_insert_extent() and gets extent header pointer 2. Thread B modifies the extent tree, potentially freeing the header 3. Thread A dereferences fex->ee_block from the freed header, causing UAF Fix this by validating the extent header's magic number and ensuring it has valid entries before dereferencing the last extent pointer. Reported-by: syzbot+9db318d6167044609878@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 Fixes: 665575cff098 ("filemap: move prefaulting out of hot write path") Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/extents.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index ca5499e9412b..d71b0fff41cc 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -2083,6 +2083,12 @@ ext4_ext_insert_extent(handle_t *handle, struct inode *inode, /* probably next leaf has space for us? */ fex = EXT_LAST_EXTENT(eh); next = EXT_MAX_BLOCKS; + if (le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC || + le16_to_cpu(eh->eh_entries) == 0) { + EXT4_ERROR_INODE(inode, "corrupted extent header"); + err = -EFSCORRUPTED; + goto errout; + } if (le32_to_cpu(newext->ee_block) > le32_to_cpu(fex->ee_block)) next = ext4_ext_next_leaf_block(path); if (next != EXT_MAX_BLOCKS) { -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: Forwarded: [PATCH] ext4: fix use-after-free in ext4_ext_insert_extent() 2025-09-30 15:20 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_ext_insert_extent() syzbot @ 2025-10-01 23:11 ` kernel test robot 0 siblings, 0 replies; 15+ messages in thread From: kernel test robot @ 2025-10-01 23:11 UTC (permalink / raw) To: syzbot, linux-kernel, syzkaller-bugs; +Cc: oe-kbuild-all Hi syzbot, kernel test robot noticed the following build warnings: [auto build test WARNING on tytso-ext4/dev] [also build test WARNING on linus/master v6.17 next-20250929] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/syzbot/Forwarded-PATCH-ext4-fix-use-after-free-in-ext4_ext_insert_extent/20250930-232453 base: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev patch link: https://lore.kernel.org/r/68dbf53f.a00a0220.102ee.004a.GAE%40google.com patch subject: Forwarded: [PATCH] ext4: fix use-after-free in ext4_ext_insert_extent() config: arc-randconfig-r073-20251001 (https://download.01.org/0day-ci/archive/20251002/202510020639.uRHSs90S-lkp@intel.com/config) compiler: arc-linux-gcc (GCC) 13.4.0 If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202510020639.uRHSs90S-lkp@intel.com/ New smatch warnings: fs/ext4/extents.c:2089 ext4_ext_insert_extent() warn: inconsistent indenting Old smatch warnings: arch/arc/include/asm/thread_info.h:62 current_thread_info() error: uninitialized symbol 'sp'. fs/ext4/extents.c:4456 ext4_ext_map_blocks() error: uninitialized symbol 'ex'. fs/ext4/extents.c:4456 ext4_ext_map_blocks() error: uninitialized symbol 'depth'. vim +2089 fs/ext4/extents.c 1969 1970 /* 1971 * ext4_ext_insert_extent: 1972 * tries to merge requested extent into the existing extent or 1973 * inserts requested extent as new one into the tree, 1974 * creating new leaf in the no-space case. 1975 */ 1976 struct ext4_ext_path * 1977 ext4_ext_insert_extent(handle_t *handle, struct inode *inode, 1978 struct ext4_ext_path *path, 1979 struct ext4_extent *newext, int gb_flags) 1980 { 1981 struct ext4_extent_header *eh; 1982 struct ext4_extent *ex, *fex; 1983 struct ext4_extent *nearex; /* nearest extent */ 1984 int depth, len, err = 0; 1985 ext4_lblk_t next; 1986 int mb_flags = 0, unwritten; 1987 1988 if (gb_flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE) 1989 mb_flags |= EXT4_MB_DELALLOC_RESERVED; 1990 if (unlikely(ext4_ext_get_actual_len(newext) == 0)) { 1991 EXT4_ERROR_INODE(inode, "ext4_ext_get_actual_len(newext) == 0"); 1992 err = -EFSCORRUPTED; 1993 goto errout; 1994 } 1995 depth = ext_depth(inode); 1996 ex = path[depth].p_ext; 1997 eh = path[depth].p_hdr; 1998 if (unlikely(path[depth].p_hdr == NULL)) { 1999 EXT4_ERROR_INODE(inode, "path[%d].p_hdr == NULL", depth); 2000 err = -EFSCORRUPTED; 2001 goto errout; 2002 } 2003 2004 /* try to insert block into found extent and return */ 2005 if (ex && !(gb_flags & EXT4_GET_BLOCKS_PRE_IO)) { 2006 2007 /* 2008 * Try to see whether we should rather test the extent on 2009 * right from ex, or from the left of ex. This is because 2010 * ext4_find_extent() can return either extent on the 2011 * left, or on the right from the searched position. This 2012 * will make merging more effective. 2013 */ 2014 if (ex < EXT_LAST_EXTENT(eh) && 2015 (le32_to_cpu(ex->ee_block) + 2016 ext4_ext_get_actual_len(ex) < 2017 le32_to_cpu(newext->ee_block))) { 2018 ex += 1; 2019 goto prepend; 2020 } else if ((ex > EXT_FIRST_EXTENT(eh)) && 2021 (le32_to_cpu(newext->ee_block) + 2022 ext4_ext_get_actual_len(newext) < 2023 le32_to_cpu(ex->ee_block))) 2024 ex -= 1; 2025 2026 /* Try to append newex to the ex */ 2027 if (ext4_can_extents_be_merged(inode, ex, newext)) { 2028 ext_debug(inode, "append [%d]%d block to %u:[%d]%d" 2029 "(from %llu)\n", 2030 ext4_ext_is_unwritten(newext), 2031 ext4_ext_get_actual_len(newext), 2032 le32_to_cpu(ex->ee_block), 2033 ext4_ext_is_unwritten(ex), 2034 ext4_ext_get_actual_len(ex), 2035 ext4_ext_pblock(ex)); 2036 err = ext4_ext_get_access(handle, inode, 2037 path + depth); 2038 if (err) 2039 goto errout; 2040 unwritten = ext4_ext_is_unwritten(ex); 2041 ex->ee_len = cpu_to_le16(ext4_ext_get_actual_len(ex) 2042 + ext4_ext_get_actual_len(newext)); 2043 if (unwritten) 2044 ext4_ext_mark_unwritten(ex); 2045 nearex = ex; 2046 goto merge; 2047 } 2048 2049 prepend: 2050 /* Try to prepend newex to the ex */ 2051 if (ext4_can_extents_be_merged(inode, newext, ex)) { 2052 ext_debug(inode, "prepend %u[%d]%d block to %u:[%d]%d" 2053 "(from %llu)\n", 2054 le32_to_cpu(newext->ee_block), 2055 ext4_ext_is_unwritten(newext), 2056 ext4_ext_get_actual_len(newext), 2057 le32_to_cpu(ex->ee_block), 2058 ext4_ext_is_unwritten(ex), 2059 ext4_ext_get_actual_len(ex), 2060 ext4_ext_pblock(ex)); 2061 err = ext4_ext_get_access(handle, inode, 2062 path + depth); 2063 if (err) 2064 goto errout; 2065 2066 unwritten = ext4_ext_is_unwritten(ex); 2067 ex->ee_block = newext->ee_block; 2068 ext4_ext_store_pblock(ex, ext4_ext_pblock(newext)); 2069 ex->ee_len = cpu_to_le16(ext4_ext_get_actual_len(ex) 2070 + ext4_ext_get_actual_len(newext)); 2071 if (unwritten) 2072 ext4_ext_mark_unwritten(ex); 2073 nearex = ex; 2074 goto merge; 2075 } 2076 } 2077 2078 depth = ext_depth(inode); 2079 eh = path[depth].p_hdr; 2080 if (le16_to_cpu(eh->eh_entries) < le16_to_cpu(eh->eh_max)) 2081 goto has_space; 2082 2083 /* probably next leaf has space for us? */ 2084 fex = EXT_LAST_EXTENT(eh); 2085 next = EXT_MAX_BLOCKS; 2086 if (le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC || 2087 le16_to_cpu(eh->eh_entries) == 0) { 2088 EXT4_ERROR_INODE(inode, "corrupted extent header"); > 2089 err = -EFSCORRUPTED; 2090 goto errout; 2091 } 2092 if (le32_to_cpu(newext->ee_block) > le32_to_cpu(fex->ee_block)) 2093 next = ext4_ext_next_leaf_block(path); 2094 if (next != EXT_MAX_BLOCKS) { 2095 struct ext4_ext_path *npath; 2096 2097 ext_debug(inode, "next leaf block - %u\n", next); 2098 npath = ext4_find_extent(inode, next, NULL, gb_flags); 2099 if (IS_ERR(npath)) { 2100 err = PTR_ERR(npath); 2101 goto errout; 2102 } 2103 BUG_ON(npath->p_depth != path->p_depth); 2104 eh = npath[depth].p_hdr; 2105 if (le16_to_cpu(eh->eh_entries) < le16_to_cpu(eh->eh_max)) { 2106 ext_debug(inode, "next leaf isn't full(%d)\n", 2107 le16_to_cpu(eh->eh_entries)); 2108 ext4_free_ext_path(path); 2109 path = npath; 2110 goto has_space; 2111 } 2112 ext_debug(inode, "next leaf has no free space(%d,%d)\n", 2113 le16_to_cpu(eh->eh_entries), le16_to_cpu(eh->eh_max)); 2114 ext4_free_ext_path(npath); 2115 } 2116 2117 /* 2118 * There is no free space in the found leaf. 2119 * We're gonna add a new leaf in the tree. 2120 */ 2121 if (gb_flags & EXT4_GET_BLOCKS_METADATA_NOFAIL) 2122 mb_flags |= EXT4_MB_USE_RESERVED; 2123 path = ext4_ext_create_new_leaf(handle, inode, mb_flags, gb_flags, 2124 path, newext); 2125 if (IS_ERR(path)) 2126 return path; 2127 depth = ext_depth(inode); 2128 eh = path[depth].p_hdr; 2129 2130 has_space: 2131 nearex = path[depth].p_ext; 2132 2133 err = ext4_ext_get_access(handle, inode, path + depth); 2134 if (err) 2135 goto errout; 2136 2137 if (!nearex) { 2138 /* there is no extent in this leaf, create first one */ 2139 ext_debug(inode, "first extent in the leaf: %u:%llu:[%d]%d\n", 2140 le32_to_cpu(newext->ee_block), 2141 ext4_ext_pblock(newext), 2142 ext4_ext_is_unwritten(newext), 2143 ext4_ext_get_actual_len(newext)); 2144 nearex = EXT_FIRST_EXTENT(eh); 2145 } else { 2146 if (le32_to_cpu(newext->ee_block) 2147 > le32_to_cpu(nearex->ee_block)) { 2148 /* Insert after */ 2149 ext_debug(inode, "insert %u:%llu:[%d]%d before: " 2150 "nearest %p\n", 2151 le32_to_cpu(newext->ee_block), 2152 ext4_ext_pblock(newext), 2153 ext4_ext_is_unwritten(newext), 2154 ext4_ext_get_actual_len(newext), 2155 nearex); 2156 nearex++; 2157 } else { 2158 /* Insert before */ 2159 BUG_ON(newext->ee_block == nearex->ee_block); 2160 ext_debug(inode, "insert %u:%llu:[%d]%d after: " 2161 "nearest %p\n", 2162 le32_to_cpu(newext->ee_block), 2163 ext4_ext_pblock(newext), 2164 ext4_ext_is_unwritten(newext), 2165 ext4_ext_get_actual_len(newext), 2166 nearex); 2167 } 2168 len = EXT_LAST_EXTENT(eh) - nearex + 1; 2169 if (len > 0) { 2170 ext_debug(inode, "insert %u:%llu:[%d]%d: " 2171 "move %d extents from 0x%p to 0x%p\n", 2172 le32_to_cpu(newext->ee_block), 2173 ext4_ext_pblock(newext), 2174 ext4_ext_is_unwritten(newext), 2175 ext4_ext_get_actual_len(newext), 2176 len, nearex, nearex + 1); 2177 memmove(nearex + 1, nearex, 2178 len * sizeof(struct ext4_extent)); 2179 } 2180 } 2181 2182 le16_add_cpu(&eh->eh_entries, 1); 2183 path[depth].p_ext = nearex; 2184 nearex->ee_block = newext->ee_block; 2185 ext4_ext_store_pblock(nearex, ext4_ext_pblock(newext)); 2186 nearex->ee_len = newext->ee_len; 2187 2188 merge: 2189 /* try to merge extents */ 2190 if (!(gb_flags & EXT4_GET_BLOCKS_PRE_IO)) 2191 ext4_ext_try_to_merge(handle, inode, path, nearex); 2192 2193 /* time to correct all indexes above */ 2194 err = ext4_ext_correct_indexes(handle, inode, path); 2195 if (err) 2196 goto errout; 2197 2198 err = ext4_ext_dirty(handle, inode, path + path->p_depth); 2199 if (err) 2200 goto errout; 2201 2202 return path; 2203 2204 errout: 2205 ext4_free_ext_path(path); 2206 return ERR_PTR(err); 2207 } 2208 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki ^ permalink raw reply [flat|nested] 15+ messages in thread
* Forwarded: [PATCH] ext4: fix use-after-free in extent header access 2025-05-25 18:12 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent syzbot 2025-05-26 14:53 ` syzbot 2025-09-30 15:20 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_ext_insert_extent() syzbot @ 2025-09-30 20:57 ` syzbot 2025-09-30 22:05 ` syzbot ` (3 subsequent siblings) 6 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-09-30 20:57 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: fix use-after-free in extent header access Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master syzbot reported multiple use-after-free bugs when accessing extent headers in various ext4 functions. These occur because extent headers can be freed by concurrent operations while other threads still hold pointers to them. The issue is triggered by racing threads performing concurrent writes to the same file. After commit 665575cff098 ("filemap: move prefaulting out of hot write path"), the write path no longer prefaults pages in the hot path, creating a wider race window where: 1. Thread A calls ext4_find_extent() and gets a path with extent headers 2. Thread A's write attempt fails, entering the slow path 3. During the gap, Thread B modifies the extent tree, freeing nodes 4. Thread A continues using the now-freed extent headers, causing UAF Fix this by validating the extent header in ext4_find_extent() before returning the path. This ensures all callers receive a valid extent path, fixing the race at a single point rather than adding checks throughout the codebase. This addresses crashes in ext4_ext_insert_extent(), ext4_ext_binsearch(), and potentially other locations that use extent paths. Reported-by: syzbot+9db318d6167044609878@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 Fixes: 665575cff098 ("filemap: move prefaulting out of hot write path") Cc: stable@vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/extents.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index ca5499e9412b..04ceae5b0a34 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -4200,6 +4200,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, unsigned int allocated_clusters = 0; struct ext4_allocation_request ar; ext4_lblk_t cluster_offset; + struct ext4_extent_header *eh; ext_debug(inode, "blocks %u/%u requested\n", map->m_lblk, map->m_len); trace_ext4_ext_map_blocks_enter(inode, map->m_lblk, map->m_len, flags); @@ -4212,7 +4213,12 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, } depth = ext_depth(inode); - + eh = path[depth].p_hdr; + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC) { + EXT4_ERROR_INODE(inode, "invalid extent header after find_extent"); + err = -EFSCORRUPTED; + goto out; + } /* * consistent leaf must not be empty; * this situation is possible, though, _during_ tree modification; -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Forwarded: [PATCH] ext4: fix use-after-free in extent header access 2025-05-25 18:12 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent syzbot ` (2 preceding siblings ...) 2025-09-30 20:57 ` Forwarded: [PATCH] ext4: fix use-after-free in extent header access syzbot @ 2025-09-30 22:05 ` syzbot 2025-09-30 22:49 ` Forwarded: [PATCH] ext4: add defensive checks for extent header corruption syzbot ` (2 subsequent siblings) 6 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-09-30 22:05 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: fix use-after-free in extent header access Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master syzbot reported use-after-free bugs when accessing extent headers in ext4_ext_insert_extent() and ext4_ext_correct_indexes(). These occur when the extent path structure becomes invalid during operations. The crashes show two patterns: 1. In ext4_ext_map_blocks(), the extent header can be corrupted after ext4_find_extent() returns, particularly during concurrent writes to the same file. 2. In ext4_ext_correct_indexes(), accessing path[depth] causes a use-after-free, indicating the path structure itself is corrupted. This is partially exposed by commit 665575cff098 ("filemap: move prefaulting out of hot write path") which changed timing windows in the write path, making these races more likely to occur. Fix this by adding validation checks: - In ext4_ext_map_blocks(): validate the extent header after getting the path from ext4_find_extent() - In ext4_ext_correct_indexes(): validate the path pointer before dereferencing and check extent header magic While these checks are defensive and don't address the root cause of path corruption, they prevent kernel crashes from invalid memory access. A more comprehensive fix to path lifetime management may be needed in the future. Reported-by: syzbot+9db318d6167044609878@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 Fixes: 665575cff098 ("filemap: move prefaulting out of hot write path") Cc: stable@vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/extents.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index ca5499e9412b..903578d5f68d 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -1708,7 +1708,9 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode, struct ext4_extent *ex; __le32 border; int k, err = 0; - + if (!path || depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { + return -EFSCORRUPTED; + } eh = path[depth].p_hdr; ex = path[depth].p_ext; @@ -4200,6 +4202,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, unsigned int allocated_clusters = 0; struct ext4_allocation_request ar; ext4_lblk_t cluster_offset; + struct ext4_extent_header *eh; ext_debug(inode, "blocks %u/%u requested\n", map->m_lblk, map->m_len); trace_ext4_ext_map_blocks_enter(inode, map->m_lblk, map->m_len, flags); @@ -4212,7 +4215,12 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, } depth = ext_depth(inode); - + eh = path[depth].p_hdr; + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC) { + EXT4_ERROR_INODE(inode, "invalid extent header after find_extent"); + err = -EFSCORRUPTED; + goto out; + } /* * consistent leaf must not be empty; * this situation is possible, though, _during_ tree modification; -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Forwarded: [PATCH] ext4: add defensive checks for extent header corruption 2025-05-25 18:12 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent syzbot ` (3 preceding siblings ...) 2025-09-30 22:05 ` syzbot @ 2025-09-30 22:49 ` syzbot 2025-09-30 23:09 ` Forwarded: [PATCH] ext4: add validation checks for corrupted extent headers syzbot 2025-10-01 0:10 ` syzbot 6 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-09-30 22:49 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: add defensive checks for extent header corruption Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master syzbot reported use-after-free bugs when accessing extent headers in multiple locations. Testing revealed crashes in both ext4_ext_map_blocks() and ext4_ext_correct_indexes() where extent headers or paths contain invalid data. The crashes occur when: 1. In ext4_ext_map_blocks(): After ext4_find_extent() returns, the extent header at path[depth] can be corrupted 2. In ext4_ext_correct_indexes(): The path structure itself may be invalid when accessed at path[depth] These issues are more easily triggered after commit 665575cff098 ("filemap: move prefaulting out of hot write path") which changed timing in write paths, though the underlying vulnerability appears to be pre-existing. Add defensive validation checks: - In ext4_ext_map_blocks(): Validate extent header magic after getting path - In ext4_ext_correct_indexes(): Check path validity before dereferencing These checks prevent crashes but don't address the root cause of how these structures become corrupted. Further investigation is needed for a complete fix. Reported-by: syzbot+9db318d6167044609878@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/extents.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index ca5499e9412b..04d2328ee1d4 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -1708,7 +1708,8 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode, struct ext4_extent *ex; __le32 border; int k, err = 0; - + if (!path || depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) + return -EFSCORRUPTED; eh = path[depth].p_hdr; ex = path[depth].p_ext; @@ -4200,19 +4201,26 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, unsigned int allocated_clusters = 0; struct ext4_allocation_request ar; ext4_lblk_t cluster_offset; + struct ext4_extent_header *eh; ext_debug(inode, "blocks %u/%u requested\n", map->m_lblk, map->m_len); trace_ext4_ext_map_blocks_enter(inode, map->m_lblk, map->m_len, flags); - + depth = ext_depth(inode); + if (depth == 0) + eh = ext_inode_hdr(inode); + else + eh = path[depth].p_hdr; + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC) { + EXT4_ERROR_INODE(inode, "invalid extent header at depth %d", depth); + err = -EFSCORRUPTED; + goto out; + } /* find extent for this block */ path = ext4_find_extent(inode, map->m_lblk, NULL, flags); if (IS_ERR(path)) { err = PTR_ERR(path); goto out; } - - depth = ext_depth(inode); - /* * consistent leaf must not be empty; * this situation is possible, though, _during_ tree modification; -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Forwarded: [PATCH] ext4: add validation checks for corrupted extent headers 2025-05-25 18:12 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent syzbot ` (4 preceding siblings ...) 2025-09-30 22:49 ` Forwarded: [PATCH] ext4: add defensive checks for extent header corruption syzbot @ 2025-09-30 23:09 ` syzbot 2025-10-01 0:10 ` syzbot 6 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-09-30 23:09 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: add validation checks for corrupted extent headers Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master syzbot reported use-after-free bugs in extent tree operations, particularly in ext4_ext_binsearch_idx() and ext4_ext_binsearch() called from ext4_find_extent(), as well as crashes in ext4_ext_correct_indexes() and ext4_ext_map_blocks(). The crashes occur when extent headers contain invalid data (wrong magic number or freed memory). This can happen during concurrent operations on the same inode where extent tree modifications lead to stale pointers. Add validation checks at key points: 1. In ext4_find_extent(): validate extent headers before calling ext4_ext_binsearch_idx() and ext4_ext_binsearch() 2. In ext4_ext_correct_indexes(): validate path and depth before dereferencing path[depth] 3. In ext4_ext_map_blocks(): validate extent header after getting the path from ext4_find_extent() These defensive checks prevent crashes from invalid extent headers, though the root cause of the corruption needs further investigation. The checks ensure the code fails gracefully with -EFSCORRUPTED rather than crashing on invalid memory access. Reported-by: syzbot+9db318d6167044609878@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/extents.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index ca5499e9412b..ef3870afb8fb 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -930,7 +930,11 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, while (i) { ext_debug(inode, "depth %d: num %d, max %d\n", ppos, le16_to_cpu(eh->eh_entries), le16_to_cpu(eh->eh_max)); - + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC) { + EXT4_ERROR_INODE(inode, "invalid extent header before binsearch_idx"); + ret = -EFSCORRUPTED; + goto err; + } ext4_ext_binsearch_idx(inode, path + ppos, block); path[ppos].p_block = ext4_idx_pblock(path[ppos].p_idx); path[ppos].p_depth = i; @@ -952,12 +956,17 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, path[ppos].p_ext = NULL; path[ppos].p_idx = NULL; + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC) { + EXT4_ERROR_INODE(inode, "invalid extent header before binsearch"); + ret = -EFSCORRUPTED; + goto err; + } /* find extent */ ext4_ext_binsearch(inode, path + ppos, block); /* if not an empty leaf */ if (path[ppos].p_ext) path[ppos].p_block = ext4_ext_pblock(path[ppos].p_ext); - + ext4_ext_show_path(inode, path); return path; @@ -1708,7 +1717,8 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode, struct ext4_extent *ex; __le32 border; int k, err = 0; - + if (!path || depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) + return -EFSCORRUPTED; eh = path[depth].p_hdr; ex = path[depth].p_ext; @@ -4200,6 +4210,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, unsigned int allocated_clusters = 0; struct ext4_allocation_request ar; ext4_lblk_t cluster_offset; + struct ext4_extent_header *eh; ext_debug(inode, "blocks %u/%u requested\n", map->m_lblk, map->m_len); trace_ext4_ext_map_blocks_enter(inode, map->m_lblk, map->m_len, flags); @@ -4212,7 +4223,12 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, } depth = ext_depth(inode); - + eh = path[depth].p_hdr; + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC) { + EXT4_ERROR_INODE(inode, "invalid extent header at depth %d", depth); + err = -EFSCORRUPTED; + goto out; + } /* * consistent leaf must not be empty; * this situation is possible, though, _during_ tree modification; -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Forwarded: [PATCH] ext4: add validation checks for corrupted extent headers 2025-05-25 18:12 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent syzbot ` (5 preceding siblings ...) 2025-09-30 23:09 ` Forwarded: [PATCH] ext4: add validation checks for corrupted extent headers syzbot @ 2025-10-01 0:10 ` syzbot 6 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-10-01 0:10 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: add validation checks for corrupted extent headers Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master syzbot reported use-after-free bugs in extent tree operations, particularly in ext4_ext_binsearch_idx() and ext4_ext_binsearch() called from ext4_find_extent(), as well as crashes in ext4_ext_correct_indexes() and ext4_ext_map_blocks(). The crashes occur when extent headers contain invalid data (wrong magic number or freed memory). This can happen during concurrent operations on the same inode where extent tree modifications lead to stale pointers. Add validation checks at key points: 1. In ext4_find_extent(): validate extent headers before calling ext4_ext_binsearch_idx() and ext4_ext_binsearch() 2. In ext4_ext_correct_indexes(): validate path and depth before dereferencing path[depth] 3. In ext4_ext_map_blocks(): validate extent header after getting the path from ext4_find_extent() These defensive checks prevent crashes from invalid extent headers, though the root cause of the corruption needs further investigation. The checks ensure the code fails gracefully with -EFSCORRUPTED rather than crashing on invalid memory access. Reported-by: syzbot+9db318d6167044609878@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ext4/extents.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index ca5499e9412b..fef9db80d65c 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -930,7 +930,11 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, while (i) { ext_debug(inode, "depth %d: num %d, max %d\n", ppos, le16_to_cpu(eh->eh_entries), le16_to_cpu(eh->eh_max)); - + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC || le16_to_cpu(eh->eh_entries) > le16_to_cpu(eh->eh_max)) { + EXT4_ERROR_INODE(inode, "invalid extent header before binsearch_idx"); + ret = -EFSCORRUPTED; + goto err; + } ext4_ext_binsearch_idx(inode, path + ppos, block); path[ppos].p_block = ext4_idx_pblock(path[ppos].p_idx); path[ppos].p_depth = i; @@ -952,12 +956,17 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, path[ppos].p_ext = NULL; path[ppos].p_idx = NULL; + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC || le16_to_cpu(eh->eh_entries) > le16_to_cpu(eh->eh_max)) { + EXT4_ERROR_INODE(inode, "invalid extent header before binsearch"); + ret = -EFSCORRUPTED; + goto err; + } /* find extent */ ext4_ext_binsearch(inode, path + ppos, block); /* if not an empty leaf */ if (path[ppos].p_ext) path[ppos].p_block = ext4_ext_pblock(path[ppos].p_ext); - + ext4_ext_show_path(inode, path); return path; @@ -1708,7 +1717,8 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode, struct ext4_extent *ex; __le32 border; int k, err = 0; - + if (!path || depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) + return -EFSCORRUPTED; eh = path[depth].p_hdr; ex = path[depth].p_ext; @@ -4200,6 +4210,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, unsigned int allocated_clusters = 0; struct ext4_allocation_request ar; ext4_lblk_t cluster_offset; + struct ext4_extent_header *eh; ext_debug(inode, "blocks %u/%u requested\n", map->m_lblk, map->m_len); trace_ext4_ext_map_blocks_enter(inode, map->m_lblk, map->m_len, flags); @@ -4212,7 +4223,12 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, } depth = ext_depth(inode); - + eh = path[depth].p_hdr; + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC || le16_to_cpu(eh->eh_entries) > le16_to_cpu(eh->eh_max)) { + EXT4_ERROR_INODE(inode, "invalid extent header at depth %d", depth); + err = -EFSCORRUPTED; + goto out; + } /* * consistent leaf must not be empty; * this situation is possible, though, _during_ tree modification; -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
[parent not found: <20250930152023.319472-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent [not found] <20250930152023.319472-1-kartikey406@gmail.com> @ 2025-09-30 17:03 ` syzbot 0 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-09-30 17:03 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: slab-use-after-free Read in ext4_find_extent ================================================================== BUG: KASAN: slab-use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline] BUG: KASAN: slab-use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956 Read of size 4 at addr ffff88807e32ee18 by task syz.0.121/7280 CPU: 1 UID: 0 PID: 7280 Comm: syz.0.121 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 ext4_ext_binsearch fs/ext4/extents.c:841 [inline] ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956 ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4214 ext4_map_query_blocks+0x13b/0x930 fs/ext4/inode.c:550 ext4_map_blocks+0x4b3/0x1740 fs/ext4/inode.c:773 _ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:910 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:943 ext4_block_write_begin+0x990/0x1710 fs/ext4/inode.c:1198 ext4_write_begin+0xc04/0x19a0 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x445/0xda0 fs/ext4/inode.c:3129 generic_perform_write+0x2c2/0x900 mm/filemap.c:4175 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c6/0xb30 fs/read_write.c:686 ksys_pwrite64 fs/read_write.c:793 [inline] __do_sys_pwrite64 fs/read_write.c:801 [inline] __se_sys_pwrite64 fs/read_write.c:798 [inline] __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:798 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2f49d8e969 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2f4ab1e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 RAX: ffffffffffffffda RBX: 00007f2f49fb5fa0 RCX: 00007f2f49d8e969 RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000004 RBP: 00007f2f49e10ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000fecc R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f2f49fb5fa0 R15: 00007ffdd4fbb178 </TASK> Allocated by task 6267: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4376 [inline] __kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_check_open_permission+0x1c1/0x3b0 security/tomoyo/file.c:771 security_file_open+0xb1/0x270 security/security.c:3144 do_dentry_open+0x384/0x13f0 fs/open.c:942 vfs_open+0x3b/0x340 fs/open.c:1095 do_open fs/namei.c:3975 [inline] path_openat+0x2ee5/0x3830 fs/namei.c:4134 do_filp_open+0x1fa/0x410 fs/namei.c:4161 do_sys_openat2+0x121/0x1c0 fs/open.c:1435 do_sys_open fs/open.c:1450 [inline] __do_sys_openat fs/open.c:1466 [inline] __se_sys_openat fs/open.c:1461 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1461 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6267: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2422 [inline] slab_free mm/slub.c:4695 [inline] kfree+0x18e/0x440 mm/slub.c:4894 tomoyo_realpath_from_path+0x598/0x5d0 security/tomoyo/realpath.c:286 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_check_open_permission+0x1c1/0x3b0 security/tomoyo/file.c:771 security_file_open+0xb1/0x270 security/security.c:3144 do_dentry_open+0x384/0x13f0 fs/open.c:942 vfs_open+0x3b/0x340 fs/open.c:1095 do_open fs/namei.c:3975 [inline] path_openat+0x2ee5/0x3830 fs/namei.c:4134 do_filp_open+0x1fa/0x410 fs/namei.c:4161 do_sys_openat2+0x121/0x1c0 fs/open.c:1435 do_sys_open fs/open.c:1450 [inline] __do_sys_openat fs/open.c:1466 [inline] __se_sys_openat fs/open.c:1461 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1461 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88807e32e000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 3608 bytes inside of freed 4096-byte region [ffff88807e32e000, ffff88807e32f000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e328 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801a042140 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000040004 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88801a042140 0000000000000000 dead000000000001 head: 0000000000000000 0000000000040004 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea0001f8ca01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5163, tgid 5163 (rcS), ts 23112480838, free_ts 21314138532 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:2492 [inline] allocate_slab+0x8a/0x370 mm/slub.c:2660 new_slab mm/slub.c:2714 [inline] ___slab_alloc+0xbeb/0x1420 mm/slub.c:3901 __slab_alloc mm/slub.c:3992 [inline] __slab_alloc_node mm/slub.c:4067 [inline] slab_alloc_node mm/slub.c:4228 [inline] __kmalloc_cache_noprof+0x296/0x3d0 mm/slub.c:4402 kmalloc_noprof include/linux/slab.h:905 [inline] tomoyo_print_header security/tomoyo/audit.c:156 [inline] tomoyo_init_log+0x183/0x1f70 security/tomoyo/audit.c:255 tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline] tomoyo_path_permission+0x25a/0x380 security/tomoyo/file.c:587 tomoyo_path_perm+0x392/0x4b0 security/tomoyo/file.c:838 security_inode_getattr+0x12f/0x330 security/security.c:2377 vfs_getattr fs/stat.c:259 [inline] vfs_statx_path fs/stat.c:299 [inline] vfs_statx+0x18e/0x550 fs/stat.c:356 vfs_fstatat+0x118/0x170 fs/stat.c:375 __do_sys_newfstatat fs/stat.c:542 [inline] __se_sys_newfstatat fs/stat.c:536 [inline] __x64_sys_newfstatat+0x116/0x190 fs/stat.c:536 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 page last free pid 1 tgid 1 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0xbb1/0xd20 mm/page_alloc.c:2895 __free_pages mm/page_alloc.c:5260 [inline] free_contig_range+0x1bd/0x4a0 mm/page_alloc.c:7091 destroy_args+0x69/0x660 mm/debug_vm_pgtable.c:958 debug_vm_pgtable+0x39f/0x3b0 mm/debug_vm_pgtable.c:1345 do_one_initcall+0x233/0x820 init/main.c:1271 do_initcall_level+0x104/0x190 init/main.c:1333 do_initcalls+0x59/0xa0 init/main.c:1349 kernel_init_freeable+0x334/0x4b0 init/main.c:1581 kernel_init+0x1d/0x1d0 init/main.c:1471 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff88807e32ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807e32ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807e32ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807e32ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807e32ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Tested on: commit: 30d4efb2 Merge tag 'for-linus-6.18-rc1-tag' of git://g.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=16a00a7c580000 kernel config: https://syzkaller.appspot.com/x/.config?x=7a4d61c2af99e8dd dashboard link: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=119d2334580000 ^ permalink raw reply [flat|nested] 15+ messages in thread
[parent not found: <20250930205715.615436-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent [not found] <20250930205715.615436-1-kartikey406@gmail.com> @ 2025-09-30 21:17 ` syzbot 0 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-09-30 21:17 UTC (permalink / raw) To: kartikey406, linux-kernel, stable, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: use-after-free Read in ext4_ext_correct_indexes ================================================================== BUG: KASAN: use-after-free in ext4_ext_correct_indexes+0x72/0x5b0 fs/ext4/extents.c:1712 Read of size 8 at addr ffff888078dca350 by task syz.2.45/6689 CPU: 0 UID: 0 PID: 6689 Comm: syz.2.45 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 ext4_ext_correct_indexes+0x72/0x5b0 fs/ext4/extents.c:1712 ext4_ext_insert_extent+0x1fdd/0x4af0 fs/ext4/extents.c:2188 ext4_ext_map_blocks+0x1bbe/0x3880 fs/ext4/extents.c:4410 ext4_map_create_blocks fs/ext4/inode.c:609 [inline] ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811 _ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:910 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:943 ext4_block_write_begin+0x990/0x1710 fs/ext4/inode.c:1198 ext4_write_begin+0xc04/0x19a0 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x445/0xda0 fs/ext4/inode.c:3129 generic_perform_write+0x2c2/0x900 mm/filemap.c:4175 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c6/0xb30 fs/read_write.c:686 ksys_pwrite64 fs/read_write.c:793 [inline] __do_sys_pwrite64 fs/read_write.c:801 [inline] __se_sys_pwrite64 fs/read_write.c:798 [inline] __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:798 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f9e7b78e969 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9e7a9fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 RAX: ffffffffffffffda RBX: 00007f9e7b9b5fa0 RCX: 00007f9e7b78e969 RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000004 RBP: 00007f9e7b810ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000fecc R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f9e7b9b5fa0 R15: 00007fff3dade2a8 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888078dcadc0 pfn:0x78dca flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea00016119c8 ffffea00018708c8 0000000000000000 raw: ffff888078dcadc0 ffff888079136c60 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x440dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_COMP), pid 6328, tgid 6328 (syz-executor), ts 132604632127, free_ts 133183234936 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline] alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507 pagetable_alloc_noprof include/linux/mm.h:2881 [inline] __pte_alloc_one_noprof include/asm-generic/pgalloc.h:75 [inline] pte_alloc_one+0x21/0x170 arch/x86/mm/pgtable.c:18 __pte_alloc+0x25/0x1a0 mm/memory.c:452 copy_pte_range mm/memory.c:1107 [inline] copy_pmd_range+0x6a91/0x71d0 mm/memory.c:1261 copy_pud_range mm/memory.c:1298 [inline] copy_p4d_range mm/memory.c:1322 [inline] copy_page_range+0xc14/0x1270 mm/memory.c:1410 dup_mmap+0xf57/0x1ac0 mm/mmap.c:1834 dup_mm kernel/fork.c:1485 [inline] copy_mm+0x13c/0x4b0 kernel/fork.c:1537 copy_process+0x1706/0x3c00 kernel/fork.c:2179 kernel_clone+0x224/0x7c0 kernel/fork.c:2609 __do_sys_clone kernel/fork.c:2752 [inline] __se_sys_clone kernel/fork.c:2736 [inline] __x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2736 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 920 tgid 920 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0xbb1/0xd20 mm/page_alloc.c:2895 pagetable_free include/linux/mm.h:2898 [inline] pagetable_dtor_free include/linux/mm.h:2996 [inline] __tlb_remove_table+0x2d2/0x3b0 include/asm-generic/tlb.h:220 __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:290 rcu_do_batch kernel/rcu/tree.c:2605 [inline] rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861 handle_softirqs+0x286/0x870 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline] sysvec_call_function_single+0xa3/0xc0 arch/x86/kernel/smp.c:266 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709 Memory state around the buggy address: ffff888078dca200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888078dca280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888078dca300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888078dca380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888078dca400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Tested on: commit: 755fa5b4 Merge tag 'cgroup-for-6.18' of git://git.kern.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=14fea42c580000 kernel config: https://syzkaller.appspot.com/x/.config?x=9c0c1e13e3c8731f dashboard link: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=16fb6942580000 ^ permalink raw reply [flat|nested] 15+ messages in thread
[parent not found: <20250930220502.771163-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent [not found] <20250930220502.771163-1-kartikey406@gmail.com> @ 2025-09-30 22:23 ` syzbot 0 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-09-30 22:23 UTC (permalink / raw) To: kartikey406, linux-kernel, stable, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: slab-out-of-bounds Read in ext4_find_extent EXT4-fs (loop4): stripe (1570) is not aligned with cluster size (16), stripe is disabled ================================================================== BUG: KASAN: slab-out-of-bounds in ext4_ext_binsearch fs/ext4/extents.c:841 [inline] BUG: KASAN: slab-out-of-bounds in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956 Read of size 4 at addr ffff8880739bce18 by task syz.4.64/6825 CPU: 1 UID: 0 PID: 6825 Comm: syz.4.64 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 ext4_ext_binsearch fs/ext4/extents.c:841 [inline] ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956 ext4_ext_map_blocks+0x27c/0x3880 fs/ext4/extents.c:4211 ext4_map_query_blocks+0x13b/0x930 fs/ext4/inode.c:550 ext4_map_blocks+0x4b3/0x1740 fs/ext4/inode.c:773 _ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:910 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:943 ext4_block_write_begin+0x990/0x1710 fs/ext4/inode.c:1198 ext4_write_begin+0xc04/0x19a0 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x445/0xda0 fs/ext4/inode.c:3129 generic_perform_write+0x2c2/0x900 mm/filemap.c:4175 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_pwrite64 fs/read_write.c:793 [inline] __do_sys_pwrite64 fs/read_write.c:801 [inline] __se_sys_pwrite64 fs/read_write.c:798 [inline] __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:798 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f105318e969 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f1054026038 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 RAX: ffffffffffffffda RBX: 00007f10533b5fa0 RCX: 00007f105318e969 RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000004 RBP: 00007f1053210ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000fecc R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f10533b5fa0 R15: 00007ffeabbc1e38 </TASK> Allocated by task 6341: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4376 [inline] __kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] __register_sysctl_table+0x72/0x1340 fs/proc/proc_sysctl.c:1379 __addrconf_sysctl_register+0x328/0x4c0 net/ipv6/addrconf.c:7321 addrconf_sysctl_register+0x168/0x1c0 net/ipv6/addrconf.c:7369 ipv6_add_dev+0xd46/0x1370 net/ipv6/addrconf.c:460 addrconf_notify+0x794/0x1010 net/ipv6/addrconf.c:3650 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline] call_netdevice_notifiers net/core/dev.c:2281 [inline] register_netdevice+0x1608/0x1ae0 net/core/dev.c:11244 register_netdev+0x40/0x60 net/core/dev.c:11322 sit_init_net+0x228/0x5c0 net/ipv6/sit.c:1867 ops_init+0x359/0x5c0 net/core/net_namespace.c:137 setup_net+0xfe/0x320 net/core/net_namespace.c:445 copy_net_ns+0x34e/0x4e0 net/core/net_namespace.c:580 create_new_namespaces+0x3f3/0x720 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x11c/0x170 kernel/nsproxy.c:218 ksys_unshare+0x4c8/0x8c0 kernel/fork.c:3132 __do_sys_unshare kernel/fork.c:3203 [inline] __se_sys_unshare kernel/fork.c:3201 [inline] __x64_sys_unshare+0x38/0x50 kernel/fork.c:3201 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff8880739bc000 which belongs to the cache kmalloc-cg-4k of size 4096 The buggy address is located 1504 bytes to the right of allocated 2104-byte region [ffff8880739bc000, ffff8880739bc838) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x739b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff888027c52441 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801a04b500 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000040004 00000000f5000000 ffff888027c52441 head: 00fff00000000040 ffff88801a04b500 dead000000000122 0000000000000000 head: 0000000000000000 0000000000040004 00000000f5000000 ffff888027c52441 head: 00fff00000000003 ffffea0001ce6e01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6341, tgid 6341 (syz-executor), ts 124779228140, free_ts 121882435080 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:2492 [inline] allocate_slab+0x8a/0x370 mm/slub.c:2660 new_slab mm/slub.c:2714 [inline] ___slab_alloc+0xbeb/0x1420 mm/slub.c:3901 __slab_alloc mm/slub.c:3992 [inline] __slab_alloc_node mm/slub.c:4067 [inline] slab_alloc_node mm/slub.c:4228 [inline] __kmalloc_cache_noprof+0x296/0x3d0 mm/slub.c:4402 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] snmp6_alloc_dev net/ipv6/addrconf.c:362 [inline] ipv6_add_dev+0x6ca/0x1370 net/ipv6/addrconf.c:413 addrconf_notify+0x794/0x1010 net/ipv6/addrconf.c:3650 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline] call_netdevice_notifiers net/core/dev.c:2281 [inline] register_netdevice+0x1608/0x1ae0 net/core/dev.c:11244 register_netdev+0x40/0x60 net/core/dev.c:11322 sit_init_net+0x228/0x5c0 net/ipv6/sit.c:1867 ops_init+0x359/0x5c0 net/core/net_namespace.c:137 setup_net+0xfe/0x320 net/core/net_namespace.c:445 copy_net_ns+0x34e/0x4e0 net/core/net_namespace.c:580 page last free pid 6267 tgid 6267 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0xbb1/0xd20 mm/page_alloc.c:2895 vfree+0x25a/0x400 mm/vmalloc.c:3434 kcov_put kernel/kcov.c:439 [inline] kcov_close+0x28/0x50 kernel/kcov.c:535 __fput+0x44c/0xa70 fs/file_table.c:468 task_work_run+0x1d1/0x260 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x6b5/0x2300 kernel/exit.c:961 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102 get_signal+0x125e/0x1310 kernel/signal.c:3034 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff8880739bcd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880739bcd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880739bce00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8880739bce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880739bcf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Tested on: commit: 22bdd6e6 Merge tag 'x86_apic_for_v6.18_rc1' of git://g.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=134485cd980000 kernel config: https://syzkaller.appspot.com/x/.config?x=6899ea2dd30a3ed1 dashboard link: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=114e8260580000 ^ permalink raw reply [flat|nested] 15+ messages in thread
[parent not found: <20250930224931.907701-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent [not found] <20250930224931.907701-1-kartikey406@gmail.com> @ 2025-09-30 23:27 ` syzbot 0 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-09-30 23:27 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: general protection fault in ext4_ext_map_blocks EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. Oops: general protection fault, probably for non-canonical address 0xdffffc000000000a: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057] CPU: 1 UID: 0 PID: 6473 Comm: syz.1.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:ext4_ext_map_blocks+0x2a1/0x38f0 fs/ext4/extents.c:4212 Code: 24 58 45 0f b7 3f 31 ff 44 89 fe e8 59 a6 51 ff 45 85 ff 74 29 e8 af a2 51 ff 4b 8d 1c 7f c1 e3 04 48 83 c3 20 89 d8 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 f0 10 b5 ff 48 8b 1b eb 0c e8 86 RSP: 0018:ffffc90003e8f060 EFLAGS: 00010206 RAX: 000000000000000a RBX: 0000000000000050 RCX: ffff88807cc91e40 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffc90003e8f270 R08: ffffffff8f5ae037 R09: 1ffffffff1eb5c06 R10: dffffc0000000000 R11: fffffbfff1eb5c07 R12: ffffc90003e8f460 R13: 1ffff920007d1e24 R14: dffffc0000000000 R15: 0000000000000001 FS: 00007f8b97f5d6c0(0000) GS:ffff8881264d6000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000004000 CR3: 000000007a25c000 CR4: 00000000003526f0 Call Trace: <TASK> ext4_map_create_blocks fs/ext4/inode.c:609 [inline] ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811 _ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:910 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:943 ext4_block_write_begin+0x990/0x1710 fs/ext4/inode.c:1198 ext4_write_begin+0xc04/0x19a0 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x445/0xda0 fs/ext4/inode.c:3129 generic_perform_write+0x2c2/0x900 mm/filemap.c:4175 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_pwrite64 fs/read_write.c:793 [inline] __do_sys_pwrite64 fs/read_write.c:801 [inline] __se_sys_pwrite64 fs/read_write.c:798 [inline] __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:798 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f8b9718e969 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8b97f5d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 RAX: ffffffffffffffda RBX: 00007f8b973b5fa0 RCX: 00007f8b9718e969 RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000004 RBP: 00007f8b97210ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000fecc R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f8b973b5fa0 R15: 00007ffea2f11788 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:ext4_ext_map_blocks+0x2a1/0x38f0 fs/ext4/extents.c:4212 Code: 24 58 45 0f b7 3f 31 ff 44 89 fe e8 59 a6 51 ff 45 85 ff 74 29 e8 af a2 51 ff 4b 8d 1c 7f c1 e3 04 48 83 c3 20 89 d8 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 f0 10 b5 ff 48 8b 1b eb 0c e8 86 RSP: 0018:ffffc90003e8f060 EFLAGS: 00010206 RAX: 000000000000000a RBX: 0000000000000050 RCX: ffff88807cc91e40 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffc90003e8f270 R08: ffffffff8f5ae037 R09: 1ffffffff1eb5c06 R10: dffffc0000000000 R11: fffffbfff1eb5c07 R12: ffffc90003e8f460 R13: 1ffff920007d1e24 R14: dffffc0000000000 R15: 0000000000000001 FS: 00007f8b97f5d6c0(0000) GS:ffff8881263d6000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555839b2c950 CR3: 000000007a25c000 CR4: 00000000003526f0 ---------------- Code disassembly (best guess): 0: 24 58 and $0x58,%al 2: 45 0f b7 3f movzwl (%r15),%r15d 6: 31 ff xor %edi,%edi 8: 44 89 fe mov %r15d,%esi b: e8 59 a6 51 ff call 0xff51a669 10: 45 85 ff test %r15d,%r15d 13: 74 29 je 0x3e 15: e8 af a2 51 ff call 0xff51a2c9 1a: 4b 8d 1c 7f lea (%r15,%r15,2),%rbx 1e: c1 e3 04 shl $0x4,%ebx 21: 48 83 c3 20 add $0x20,%rbx 25: 89 d8 mov %ebx,%eax 27: c1 e8 03 shr $0x3,%eax * 2a: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1) <-- trapping instruction 2f: 74 08 je 0x39 31: 48 89 df mov %rbx,%rdi 34: e8 f0 10 b5 ff call 0xffb51129 39: 48 8b 1b mov (%rbx),%rbx 3c: eb 0c jmp 0x4a 3e: e8 .byte 0xe8 3f: 86 .byte 0x86 Tested on: commit: 22bdd6e6 Merge tag 'x86_apic_for_v6.18_rc1' of git://g.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1664d05b980000 kernel config: https://syzkaller.appspot.com/x/.config?x=6899ea2dd30a3ed1 dashboard link: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=14057c14580000 ^ permalink raw reply [flat|nested] 15+ messages in thread
[parent not found: <20250930230857.946230-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent [not found] <20250930230857.946230-1-kartikey406@gmail.com> @ 2025-09-30 23:45 ` syzbot 0 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-09-30 23:45 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: slab-out-of-bounds Read in ext4_ext_insert_extent EXT4-fs (loop4): stripe (1570) is not aligned with cluster size (16), stripe is disabled ================================================================== BUG: KASAN: slab-out-of-bounds in ext4_ext_insert_extent+0x41b6/0x4af0 fs/ext4/extents.c:2096 Read of size 4 at addr ffff88805b641c18 by task syz.4.165/7385 CPU: 0 UID: 0 PID: 7385 Comm: syz.4.165 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 ext4_ext_insert_extent+0x41b6/0x4af0 fs/ext4/extents.c:2096 ext4_ext_map_blocks+0x1bc9/0x3890 fs/ext4/extents.c:4420 ext4_map_create_blocks fs/ext4/inode.c:609 [inline] ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811 _ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:910 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:943 ext4_block_write_begin+0x993/0x1710 fs/ext4/inode.c:1198 ext4_write_begin+0xc04/0x19a0 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x445/0xda0 fs/ext4/inode.c:3129 generic_perform_write+0x2c2/0x900 mm/filemap.c:4175 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_pwrite64 fs/read_write.c:793 [inline] __do_sys_pwrite64 fs/read_write.c:801 [inline] __se_sys_pwrite64 fs/read_write.c:798 [inline] __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:798 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbff2b8e969 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fbff3a58038 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 RAX: ffffffffffffffda RBX: 00007fbff2db5fa0 RCX: 00007fbff2b8e969 RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000004 RBP: 00007fbff2c10ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000fecc R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fbff2db5fa0 R15: 00007ffc69cdac78 </TASK> Allocated by task 6339: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4376 [inline] __kvmalloc_node_noprof+0x30d/0x5f0 mm/slub.c:5067 alloc_netdev_mqs+0xa3/0x11b0 net/core/dev.c:11812 rtnl_create_link+0x31f/0xd10 net/core/rtnetlink.c:3633 rtnl_newlink_create+0x25c/0xb00 net/core/rtnetlink.c:3815 __rtnl_newlink net/core/rtnetlink.c:3942 [inline] rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4057 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6946 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:729 __sys_sendto+0x3bd/0x520 net/socket.c:2231 __do_sys_sendto net/socket.c:2238 [inline] __se_sys_sendto net/socket.c:2234 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2234 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88805b640000 which belongs to the cache kmalloc-cg-4k of size 4096 The buggy address is located 3696 bytes to the right of allocated 3496-byte region [ffff88805b640000, ffff88805b640da8) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5b640 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff88802ed031c1 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801a04b500 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000040004 00000000f5000000 ffff88802ed031c1 head: 00fff00000000040 ffff88801a04b500 dead000000000122 0000000000000000 head: 0000000000000000 0000000000040004 00000000f5000000 ffff88802ed031c1 head: 00fff00000000003 ffffea00016d9001 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd60c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6339, tgid 6339 (syz-executor), ts 122638337757, free_ts 82614727744 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:2492 [inline] allocate_slab+0x8a/0x370 mm/slub.c:2660 new_slab mm/slub.c:2714 [inline] ___slab_alloc+0xbeb/0x1420 mm/slub.c:3901 __slab_alloc mm/slub.c:3992 [inline] __slab_alloc_node mm/slub.c:4067 [inline] slab_alloc_node mm/slub.c:4228 [inline] __do_kmalloc_node mm/slub.c:4375 [inline] __kvmalloc_node_noprof+0x429/0x5f0 mm/slub.c:5067 alloc_netdev_mqs+0xa3/0x11b0 net/core/dev.c:11812 rtnl_create_link+0x31f/0xd10 net/core/rtnetlink.c:3633 rtnl_newlink_create+0x25c/0xb00 net/core/rtnetlink.c:3815 __rtnl_newlink net/core/rtnetlink.c:3942 [inline] rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4057 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6946 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:729 page last free pid 5876 tgid 5876 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0xbb1/0xd20 mm/page_alloc.c:2895 vfree+0x25a/0x400 mm/vmalloc.c:3434 kcov_put kernel/kcov.c:439 [inline] kcov_close+0x28/0x50 kernel/kcov.c:535 __fput+0x44c/0xa70 fs/file_table.c:468 task_work_run+0x1d1/0x260 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x6b5/0x2300 kernel/exit.c:961 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102 get_signal+0x125e/0x1310 kernel/signal.c:3034 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88805b641b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88805b641b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88805b641c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88805b641c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88805b641d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Tested on: commit: 22bdd6e6 Merge tag 'x86_apic_for_v6.18_rc1' of git://g.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=108366e2580000 kernel config: https://syzkaller.appspot.com/x/.config?x=6899ea2dd30a3ed1 dashboard link: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=13088092580000 ^ permalink raw reply [flat|nested] 15+ messages in thread
[parent not found: <20251001001017.1094774-1-kartikey406@gmail.com>]
* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent [not found] <20251001001017.1094774-1-kartikey406@gmail.com> @ 2025-10-01 0:44 ` syzbot 0 siblings, 0 replies; 15+ messages in thread From: syzbot @ 2025-10-01 0:44 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: slab-use-after-free Read in ext4_ext_insert_extent ================================================================== BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x41b6/0x4af0 fs/ext4/extents.c:2096 Read of size 4 at addr ffff888044a48c18 by task syz.1.185/7323 CPU: 0 UID: 0 PID: 7323 Comm: syz.1.185 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 ext4_ext_insert_extent+0x41b6/0x4af0 fs/ext4/extents.c:2096 ext4_ext_map_blocks+0xf2d/0x2890 fs/ext4/extents.c:4420 ext4_map_create_blocks fs/ext4/inode.c:609 [inline] ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811 _ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:910 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:943 ext4_block_write_begin+0x990/0x1710 fs/ext4/inode.c:1198 ext4_write_begin+0xc04/0x19a0 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x445/0xda0 fs/ext4/inode.c:3129 generic_perform_write+0x2c2/0x900 mm/filemap.c:4175 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_pwrite64 fs/read_write.c:793 [inline] __do_sys_pwrite64 fs/read_write.c:801 [inline] __se_sys_pwrite64 fs/read_write.c:798 [inline] __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:798 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f35f338e969 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f35f42db038 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 RAX: ffffffffffffffda RBX: 00007f35f35b5fa0 RCX: 00007f35f338e969 RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000004 RBP: 00007f35f3410ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000fecc R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f35f35b5fa0 R15: 00007ffcbdfba708 </TASK> Allocated by task 6265: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4376 [inline] __kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x213/0x4b0 security/tomoyo/file.c:822 security_inode_getattr+0x12f/0x330 security/security.c:2416 vfs_getattr fs/stat.c:259 [inline] vfs_statx_path fs/stat.c:299 [inline] vfs_statx+0x18e/0x550 fs/stat.c:356 vfs_fstatat+0x118/0x170 fs/stat.c:375 __do_sys_newfstatat fs/stat.c:542 [inline] __se_sys_newfstatat fs/stat.c:536 [inline] __x64_sys_newfstatat+0x116/0x190 fs/stat.c:536 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6265: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2422 [inline] slab_free mm/slub.c:4695 [inline] kfree+0x18e/0x440 mm/slub.c:4894 tomoyo_realpath_from_path+0x598/0x5d0 security/tomoyo/realpath.c:286 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x213/0x4b0 security/tomoyo/file.c:822 security_inode_getattr+0x12f/0x330 security/security.c:2416 vfs_getattr fs/stat.c:259 [inline] vfs_statx_path fs/stat.c:299 [inline] vfs_statx+0x18e/0x550 fs/stat.c:356 vfs_fstatat+0x118/0x170 fs/stat.c:375 __do_sys_newfstatat fs/stat.c:542 [inline] __se_sys_newfstatat fs/stat.c:536 [inline] __x64_sys_newfstatat+0x116/0x190 fs/stat.c:536 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888044a48000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 3096 bytes inside of freed 4096-byte region [ffff888044a48000, ffff888044a49000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44a48 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801a042140 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000040004 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88801a042140 dead000000000122 0000000000000000 head: 0000000000000000 0000000000040004 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea0001129201 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6265, tgid 6265 (syz-executor), ts 162534949588, free_ts 162514529707 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:2492 [inline] allocate_slab+0x8a/0x370 mm/slub.c:2660 new_slab mm/slub.c:2714 [inline] ___slab_alloc+0xbeb/0x1420 mm/slub.c:3901 __slab_alloc mm/slub.c:3992 [inline] __slab_alloc_node mm/slub.c:4067 [inline] slab_alloc_node mm/slub.c:4228 [inline] __do_kmalloc_node mm/slub.c:4375 [inline] __kmalloc_noprof+0x305/0x4f0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x213/0x4b0 security/tomoyo/file.c:822 security_inode_getattr+0x12f/0x330 security/security.c:2416 vfs_getattr fs/stat.c:259 [inline] vfs_statx_path fs/stat.c:299 [inline] vfs_statx+0x18e/0x550 fs/stat.c:356 vfs_fstatat+0x118/0x170 fs/stat.c:375 __do_sys_newfstatat fs/stat.c:542 [inline] __se_sys_newfstatat fs/stat.c:536 [inline] __x64_sys_newfstatat+0x116/0x190 fs/stat.c:536 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5185 tgid 5185 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0xbb1/0xd20 mm/page_alloc.c:2895 discard_slab mm/slub.c:2758 [inline] __put_partials+0x156/0x1a0 mm/slub.c:3223 put_cpu_partial+0x17c/0x250 mm/slub.c:3298 __slab_free+0x2d5/0x3c0 mm/slub.c:4565 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4191 [inline] slab_alloc_node mm/slub.c:4240 [inline] __do_kmalloc_node mm/slub.c:4375 [inline] __kmalloc_noprof+0x224/0x4f0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x213/0x4b0 security/tomoyo/file.c:822 security_inode_getattr+0x12f/0x330 security/security.c:2416 vfs_getattr fs/stat.c:259 [inline] vfs_fstat fs/stat.c:281 [inline] __do_sys_newfstat fs/stat.c:555 [inline] __se_sys_newfstat fs/stat.c:550 [inline] __x64_sys_newfstat+0xfc/0x200 fs/stat.c:550 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888044a48b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888044a48b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888044a48c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888044a48c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888044a48d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Tested on: commit: 4b81e2eb Merge tag 'timers-vdso-2025-09-29' of git://g.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=11af6942580000 kernel config: https://syzkaller.appspot.com/x/.config?x=cb6d0df33502bde3 dashboard link: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=134f6942580000 ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2025-10-01 23:11 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-25 18:12 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent syzbot
2025-05-26 14:53 ` syzbot
2025-09-30 15:20 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_ext_insert_extent() syzbot
2025-10-01 23:11 ` kernel test robot
2025-09-30 20:57 ` Forwarded: [PATCH] ext4: fix use-after-free in extent header access syzbot
2025-09-30 22:05 ` syzbot
2025-09-30 22:49 ` Forwarded: [PATCH] ext4: add defensive checks for extent header corruption syzbot
2025-09-30 23:09 ` Forwarded: [PATCH] ext4: add validation checks for corrupted extent headers syzbot
2025-10-01 0:10 ` syzbot
[not found] <20250930152023.319472-1-kartikey406@gmail.com>
2025-09-30 17:03 ` [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent syzbot
[not found] <20250930205715.615436-1-kartikey406@gmail.com>
2025-09-30 21:17 ` syzbot
[not found] <20250930220502.771163-1-kartikey406@gmail.com>
2025-09-30 22:23 ` syzbot
[not found] <20250930224931.907701-1-kartikey406@gmail.com>
2025-09-30 23:27 ` syzbot
[not found] <20250930230857.946230-1-kartikey406@gmail.com>
2025-09-30 23:45 ` syzbot
[not found] <20251001001017.1094774-1-kartikey406@gmail.com>
2025-10-01 0:44 ` syzbot
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox