From: syzbot <syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com>
To: eraykrdg1@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
Date: Thu, 20 Nov 2025 05:38:02 -0800
Message-ID: <691f19ba.a70a0220.d98e3.002d.GAE@google.com>
In-Reply-To: <CAHxJ8O_9bpgRjjjD=D4YpwM+FvvKh-OqeHP4kZhBVbL+zXOMgA@mail.gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_find_extent
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff8880618f1018 by task kworker/u8:6/1096
CPU: 1 UID: 0 PID: 1096 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4208
ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
ext4_convert_unwritten_extents+0x2ae/0x5d0 fs/ext4/extents.c:4976
ext4_convert_unwritten_io_end_vec+0xff/0x170 fs/ext4/extents.c:5016
ext4_end_io_end+0xc7/0x410 fs/ext4/page-io.c:199
ext4_do_flush_completed_IO fs/ext4/page-io.c:290 [inline]
ext4_end_io_rsv_work+0x262/0x330 fs/ext4/page-io.c:305
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f8288ec9 pfn:0x618f1
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001863c88 ffffea0001863c08 0000000000000000
raw: 00000007f8288ec9 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6155, tgid 6155 (syz-executor), ts 131175623082, free_ts 136501716604
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
prep_new_page mm/page_alloc.c:1853 [inline]
get_page_from_freelist+0x2356/0x2430 mm/page_alloc.c:3879
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
folio_prealloc+0x30/0x180 mm/memory.c:-1
alloc_anon_folio mm/memory.c:5126 [inline]
do_anonymous_page mm/memory.c:5183 [inline]
do_pte_missing mm/memory.c:4360 [inline]
handle_pte_fault mm/memory.c:6195 [inline]
__handle_mm_fault+0x2a8b/0x5400 mm/memory.c:6336
handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6505
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 6155 tgid 6155 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1394 [inline]
free_unref_folios+0xe5d/0x15f0 mm/page_alloc.c:2958
folios_put_refs+0x584/0x670 mm/swap.c:1002
free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:355
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
vms_clear_ptes+0x42c/0x540 mm/vma.c:1235
vms_complete_munmap_vmas+0x206/0x8a0 mm/vma.c:1277
do_vmi_align_munmap+0x364/0x440 mm/vma.c:1536
do_vmi_munmap+0x253/0x2e0 mm/vma.c:1584
__vm_munmap+0x207/0x380 mm/vma.c:3156
__do_sys_munmap mm/mmap.c:1080 [inline]
__se_sys_munmap mm/mmap.c:1077 [inline]
__x64_sys_munmap+0x60/0x70 mm/mmap.c:1077
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
 ffff8880618f0f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880618f0f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880618f1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff8880618f1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880618f1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Tested on:
commit: 23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1002f692580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=111dba12580000
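As an added triage helper, not part of syzbot's message and not code from ext4 or syzkaller: the script below parses the key lines of the report above (copied into the script as its constructed sample input) and derives what a practitioner checks first before reading the full trace. It computes the offset of the faulting address inside the page, the shadow granule it hits and what that shadow value means under the generic-KASAN encoding (constants taken from mm/kasan/kasan.h), the caret column the kernel prints in mm/kasan/report.c, the page's lifetime from the page_owner timestamps, and the facts the report itself establishes that bound the bug: page_owner says the whole page is freed (a page-level, not slab, use-after-free), its last owner was syz-executor as a user anonymous page (GFP_HIGHUSER_MOVABLE, allocated in do_anonymous_page, freed by munmap), and the reader is the ext4-rsv-conversion worker. Function names and the note wording are assumptions of this example; it draws no root-cause conclusion the report does not support.

```python
import re

PAGE_SHIFT = 12        # x86-64 base page, as in this report (order 0 allocation)
KASAN_GRANULE = 8      # generic KASAN: one shadow byte per 8 bytes of memory
ROW_GRANULES = 16      # one "Memory state" row shows 16 shadow bytes (128 bytes)

# Generic-KASAN shadow values (mm/kasan/kasan.h). Values 0x00..0x07 encode how
# many leading bytes of the 8-byte granule are addressable.
SHADOW_MEANING = {
    0xff: "freed page (KASAN_PAGE_FREE)",
    0xfe: "page redzone (KASAN_PAGE_REDZONE)",
    0xfc: "slab redzone (KASAN_SLAB_REDZONE)",
    0xfb: "freed slab object (KASAN_SLAB_FREE)",
    0xfa: "freed slab object, free-track metadata (KASAN_SLAB_FREE_META)",
    0xf9: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xf8: "vmalloc guard / unmapped (KASAN_VMALLOC_INVALID)",
}

# Constructed sample input: lines copied from the report above, trimmed to the
# ones this helper parses.
SAMPLE = """\
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff8880618f1018 by task kworker/u8:6/1096
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f8288ec9 pfn:0x618f1
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6155, tgid 6155 (syz-executor), ts 131175623082, free_ts 136501716604
page last free pid 6155 tgid 6155 stack trace:
Memory state around the buggy address:
 ffff8880618f0f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880618f1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
"""


def parse_report(text):
    """Pull the fields a triager keys on out of a KASAN report."""
    r = {}
    m = re.search(r"^BUG: KASAN: (\S+) in (\w+)", text, re.M)
    r["bug"], r["where"] = m.group(1), m.group(2)
    m = re.search(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", text, re.M)
    r["access"], r["size"] = m.group(1).lower(), int(m.group(2))
    r["addr"], r["task"] = int(m.group(3), 16), m.group(4)
    m = re.search(r"^Workqueue: (\S+) (\S+)", text, re.M)
    r["workqueue"] = m.group(1) if m else None
    r["page_freed"] = "page_owner tracks the page as freed" in text
    m = re.search(r"gfp_mask 0x[0-9a-f]+\(([^)]*)\), pid (\d+), tgid \d+ \(([^)]*)\), "
                  r"ts (\d+), free_ts (\d+)", text)
    r["alloc_gfp"] = m.group(1).split("|")
    r["alloc_pid"], r["alloc_comm"] = int(m.group(2)), m.group(3)
    r["alloc_ts"], r["free_ts"] = int(m.group(4)), int(m.group(5))
    m = re.search(r"^page last free pid (\d+)", text, re.M)
    r["free_pid"] = int(m.group(1)) if m else None
    # The row marked with '>' is the one containing the faulting address.
    m = re.search(r"^>([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})", text, re.M)
    r["row_addr"] = int(m.group(1), 16)
    r["row"] = [int(b, 16) for b in m.group(2).split()]
    return r


def shadow_info(addr, row_addr, row):
    """Locate addr in the marked shadow row and decode the granule it hits."""
    granule = (addr - row_addr) // KASAN_GRANULE
    assert 0 <= granule < ROW_GRANULES, "address not in the marked row"
    shadow = row[granule]
    if shadow == 0:
        meaning = "addressable"
    elif shadow <= 7:
        meaning = "partially addressable, first %d byte(s) valid" % shadow
    else:
        meaning = SHADOW_MEANING.get(shadow, "unknown 0x%02x" % shadow)
    return {
        "page_offset": addr & ((1 << PAGE_SHIFT) - 1),
        "granule": granule,
        "shadow": shadow,
        "meaning": meaning,
        # mm/kasan/report.c prints the caret with "%*c" and width
        # 3 + 16 + granule*3 + 1, i.e. this many spaces before '^'.
        "caret_col": 3 + 16 + granule * 3,
    }


def page_lifetime_s(r):
    """Seconds between page_owner's allocation and free timestamps (given in ns)."""
    return (r["free_ts"] - r["alloc_ts"]) / 1e9


def triage_notes(r):
    """Facts the report itself establishes, to scope the root-cause search."""
    notes = []
    if r["page_freed"]:
        notes.append("page-level UAF: page_owner says the whole page is freed, not a slab object")
    if "GFP_HIGHUSER_MOVABLE" in r["alloc_gfp"]:
        notes.append("last owner was %s (pid %d) as a user anonymous page: the kernel "
                     "pointer points into memory user space can get back"
                     % (r["alloc_comm"], r["alloc_pid"]))
    if r["task"].startswith("kworker") and r["workqueue"]:
        notes.append("access from deferred work (%s): compare the lifetime of what the "
                     "work item dereferences with its submitter's" % r["workqueue"])
    return notes


if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    info = shadow_info(rep["addr"], rep["row_addr"], rep["row"])
    print("%s: %s of %d bytes in %s by %s" % (rep["bug"], rep["access"], rep["size"],
                                              rep["where"], rep["task"]))
    print("page offset 0x%x, granule %d, shadow 0x%02x (%s), caret column %d"
          % (info["page_offset"], info["granule"], info["shadow"], info["meaning"],
             info["caret_col"]))
    print("page lived %.3f s before pid %s freed it" % (page_lifetime_s(rep), rep["free_pid"]))
    for n in triage_notes(rep):
        print("-", n)
```

Feed it a different report by replacing SAMPLE with the text of the console log; the regexes only depend on the fixed KASAN and page_owner line formats, so it works for slab-object reports too, where the shadow value decodes to one of the 0xfa/0xfb/0xfc entries instead of 0xff.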
Thread overview: 13+ messages
[not found] <CAHxJ8O_9bpgRjjjD=D4YpwM+FvvKh-OqeHP4kZhBVbL+zXOMgA@mail.gmail.com>
2025-11-20 13:38 ` syzbot [this message]
[not found] <CAHxJ8O8xhXVne3ghaMNk1Ttgj35hfK1_Rk-WyDe+sC-qM7XPPQ@mail.gmail.com>
2025-11-21 22:01 ` [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
[not found] <CAHxJ8O-T9Dtjz2TAzJ4NZRHjEoMkqc9sLSjFQn2WFG8Et57UFg@mail.gmail.com>
2025-11-20 19:07 ` syzbot
[not found] <CAHxJ8O_vfXVmYBidWof5vvx4POOzdLdwyD7NxBuwPp+5Ot6PAQ@mail.gmail.com>
2025-11-20 18:21 ` syzbot
[not found] <CAHxJ8O-6VrfyR-Yp7yQLu+W=zo9yPVTjfj6ic-Fiq6dF1-tmwQ@mail.gmail.com>
2025-11-20 16:11 ` syzbot
[not found] <CAHxJ8O8P7PcMPfFktS39H_PH7_z8UwmL5oJeVpjetHxU7haGug@mail.gmail.com>
2025-11-20 12:15 ` syzbot
[not found] <CAHxJ8O8WbUF8HROrpL-FkCjmqhRZ2Et6nsSzA9Oo4viTHZWf5A@mail.gmail.com>
2025-11-20 2:13 ` syzbot
[not found] <CAHxJ8O-Y021tSY0w==hGmrwMt46ay=vT=zvwuGEfxEEN5SW7LA@mail.gmail.com>
2025-11-20 1:27 ` syzbot
[not found] <CADfthj1tCCoMeUbBD77N+nrPeit7t6LTpScLgtAUzPgbqfuNcg@mail.gmail.com>
2025-11-19 17:53 ` syzbot
[not found] <CADfthj1-m1WoipkSJmZ=1fe23T_7Bn=_n0iLTBHdUwXF-i7YQA@mail.gmail.com>
2025-11-19 8:13 ` syzbot
2024-12-30 20:06 syzbot
2025-03-27 23:44 ` syzbot
2025-03-28 17:10 ` Ojaswin Mujoo