Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com>
To: eraykrdg1@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
Date: Wed, 19 Nov 2025 17:27:03 -0800	[thread overview]
Message-ID: <691e6e67.a70a0220.d98e3.0023.GAE@google.com> (raw)
In-Reply-To: <CAHxJ8O-Y021tSY0w==hGmrwMt46ay=vT=zvwuGEfxEEN5SW7LA@mail.gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_find_extent

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff888060ccb018 by task kworker/u8:0/12

CPU: 0 UID: 0 PID: 12 Comm: kworker/u8:0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4208
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
 ext4_convert_unwritten_extents+0x2ae/0x5d0 fs/ext4/extents.c:4976
 ext4_convert_unwritten_io_end_vec+0xff/0x170 fs/ext4/extents.c:5016
 ext4_end_io_end+0xc7/0x410 fs/ext4/page-io.c:199
 ext4_do_flush_completed_IO fs/ext4/page-io.c:290 [inline]
 ext4_end_io_rsv_work+0x262/0x330 fs/ext4/page-io.c:305
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x60ccb
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_MOVABLE|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL), pid 10925, tgid 10924 (syz.0.1091), ts 292203567761, free_ts 292265476069
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
 prep_new_page mm/page_alloc.c:1853 [inline]
 get_page_from_freelist+0x2356/0x2430 mm/page_alloc.c:3879
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507
 folio_alloc_noprof+0x1e/0x30 mm/mempolicy.c:2517
 filemap_alloc_folio_noprof+0xdf/0x470 mm/filemap.c:1020
 __filemap_get_folio+0x3f2/0xaf0 mm/filemap.c:2012
 grow_dev_folio fs/buffer.c:1050 [inline]
 grow_buffers fs/buffer.c:1116 [inline]
 __getblk_slow fs/buffer.c:1134 [inline]
 bdev_getblk+0x1ad/0x660 fs/buffer.c:1461
 __getblk include/linux/buffer_head.h:380 [inline]
 sb_getblk include/linux/buffer_head.h:386 [inline]
 __ext4_get_inode_loc+0x561/0x1040 fs/ext4/inode.c:4837
 __ext4_get_inode_loc_noinmem fs/ext4/inode.c:4950 [inline]
 __ext4_iget+0x451/0x4220 fs/ext4/inode.c:5225
 __ext4_fill_super fs/ext4/super.c:5512 [inline]
 ext4_fill_super+0x4637/0x61e0 fs/ext4/super.c:5736
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1698
 vfs_get_tree+0x92/0x2b0 fs/super.c:1758
 fc_mount fs/namespace.c:1199 [inline]
 do_new_mount_fc fs/namespace.c:3642 [inline]
 do_new_mount+0x302/0xa10 fs/namespace.c:3718
 do_mount fs/namespace.c:4041 [inline]
 __do_sys_mount fs/namespace.c:4229 [inline]
 __se_sys_mount+0x313/0x410 fs/namespace.c:4206
page last free pid 8941 tgid 8941 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 free_unref_folios+0xe5d/0x15f0 mm/page_alloc.c:2958
 folios_put_refs+0x584/0x670 mm/swap.c:1002
 folio_batch_release include/linux/pagevec.h:101 [inline]
 mapping_try_invalidate+0x324/0x410 mm/truncate.c:579
 ext4_put_super+0x813/0xc40 fs/ext4/super.c:1348
 generic_shutdown_super+0x135/0x2c0 fs/super.c:642
 kill_block_super+0x44/0x90 fs/super.c:1729
 ext4_kill_sb+0x68/0xb0 fs/ext4/super.c:7403
 deactivate_locked_super+0xbc/0x130 fs/super.c:473
 cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888060ccaf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888060ccaf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888060ccb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff888060ccb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888060ccb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=128cba12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14657692580000

next      parent reply	other threads:[~2025-11-20  1:27 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CAHxJ8O-Y021tSY0w==hGmrwMt46ay=vT=zvwuGEfxEEN5SW7LA@mail.gmail.com>
2025-11-20  1:27 ` syzbot [this message]
     [not found] <CAHxJ8O8xhXVne3ghaMNk1Ttgj35hfK1_Rk-WyDe+sC-qM7XPPQ@mail.gmail.com>
2025-11-21 22:01 ` [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
     [not found] <CAHxJ8O-T9Dtjz2TAzJ4NZRHjEoMkqc9sLSjFQn2WFG8Et57UFg@mail.gmail.com>
2025-11-20 19:07 ` syzbot
     [not found] <CAHxJ8O_vfXVmYBidWof5vvx4POOzdLdwyD7NxBuwPp+5Ot6PAQ@mail.gmail.com>
2025-11-20 18:21 ` syzbot
     [not found] <CAHxJ8O-6VrfyR-Yp7yQLu+W=zo9yPVTjfj6ic-Fiq6dF1-tmwQ@mail.gmail.com>
2025-11-20 16:11 ` syzbot
     [not found] <CAHxJ8O_9bpgRjjjD=D4YpwM+FvvKh-OqeHP4kZhBVbL+zXOMgA@mail.gmail.com>
2025-11-20 13:38 ` syzbot
     [not found] <CAHxJ8O8P7PcMPfFktS39H_PH7_z8UwmL5oJeVpjetHxU7haGug@mail.gmail.com>
2025-11-20 12:15 ` syzbot
     [not found] <CAHxJ8O8WbUF8HROrpL-FkCjmqhRZ2Et6nsSzA9Oo4viTHZWf5A@mail.gmail.com>
2025-11-20  2:13 ` syzbot
     [not found] <CADfthj1tCCoMeUbBD77N+nrPeit7t6LTpScLgtAUzPgbqfuNcg@mail.gmail.com>
2025-11-19 17:53 ` syzbot
     [not found] <CADfthj1-m1WoipkSJmZ=1fe23T_7Bn=_n0iLTBHdUwXF-i7YQA@mail.gmail.com>
2025-11-19  8:13 ` syzbot
2024-12-30 20:06 syzbot
2025-03-27 23:44 ` syzbot
2025-03-28 17:10   ` Ojaswin Mujoo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=691e6e67.a70a0220.d98e3.0023.GAE@google.com \
    --to=syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com \
    --cc=eraykrdg1@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox