public inbox for linux-kernel@vger.kernel.org
* [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
@ 2024-12-30 20:06 syzbot
  2025-03-27 23:44 ` syzbot
  0 siblings, 1 reply; 13+ messages in thread
From: syzbot @ 2024-12-30 20:06 UTC (permalink / raw)
  To: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso

Hello,

syzbot found the following issue on:

HEAD commit:    573067a5a685 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=136d1018580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cd7202b56d469648
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1790a0b0580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17ee82c4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9d3b5c855aa0/disk-573067a5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0c06fc1ead83/vmlinux-573067a5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3390e59b9e4b/Image-573067a5.gz.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/ef6b4e51a02a/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/1e15bbc4371d/mount_1.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0x94c/0xb0c fs/ext4/extents.c:955
Read of size 4 at addr ffff0000e2d145a0 by task kworker/u8:4/45

CPU: 1 UID: 0 PID: 45 Comm: kworker/u8:4 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: writeback wb_workfn (flush-7:0)
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:489
 kasan_report+0xd8/0x138 mm/kasan/report.c:602
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
 ext4_find_extent+0x94c/0xb0c fs/ext4/extents.c:955
 ext4_ext_map_blocks+0x2b0/0x6600 fs/ext4/extents.c:4205
 ext4_map_create_blocks fs/ext4/inode.c:516 [inline]
 ext4_map_blocks+0x710/0x15d0 fs/ext4/inode.c:702
 mpage_map_one_extent fs/ext4/inode.c:2219 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2272 [inline]
 ext4_do_writepages+0x195c/0x318c fs/ext4/inode.c:2735
 ext4_writepages+0x198/0x308 fs/ext4/inode.c:2824
 do_writepages+0x304/0x7d0 mm/page-writeback.c:2702
 __writeback_single_inode+0x15c/0x15a4 fs/fs-writeback.c:1680
 writeback_sb_inodes+0x650/0x1088 fs/fs-writeback.c:1976
 wb_writeback+0x3e0/0xe9c fs/fs-writeback.c:2156
 wb_do_writeback fs/fs-writeback.c:2303 [inline]
 wb_workfn+0x38c/0x1048 fs/fs-writeback.c:2343
 process_one_work+0x7a8/0x15cc kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x97c/0xeec kernel/workqueue.c:3391
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff9b78a pfn:0x122d14
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000ffff9b78a 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e2d14480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e2d14500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000e2d14580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff0000e2d14600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e2d14680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 syzbot
@ 2025-03-27 23:44 ` syzbot
  2025-03-28 17:10   ` Ojaswin Mujoo
  0 siblings, 1 reply; 13+ messages in thread
From: syzbot @ 2025-03-27 23:44 UTC (permalink / raw)
  To: adilger.kernel, jack, linux-ext4, linux-kernel, ojaswin,
	ritesh.list, syzkaller-bugs, tytso

syzbot has bisected this issue to:

commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9
Author: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Date:   Sat Mar 25 08:13:39 2023 +0000

    ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1566b43f980000
start commit:   1e1ba8d23dae Merge tag 'timers-clocksource-2025-03-26' of ..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1766b43f980000
console output: https://syzkaller.appspot.com/x/log.txt?x=1366b43f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2edddb53537e0320
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1623343f980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1123343f980000

Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com
Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
  2025-03-27 23:44 ` syzbot
@ 2025-03-28 17:10   ` Ojaswin Mujoo
  0 siblings, 0 replies; 13+ messages in thread
From: Ojaswin Mujoo @ 2025-03-28 17:10 UTC (permalink / raw)
  To: syzbot
  Cc: adilger.kernel, jack, linux-ext4, linux-kernel, ritesh.list,
	syzkaller-bugs, tytso

On Thu, Mar 27, 2025 at 04:44:03PM -0700, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9
> Author: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> Date:   Sat Mar 25 08:13:39 2023 +0000
> 
>     ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1566b43f980000
> start commit:   1e1ba8d23dae Merge tag 'timers-clocksource-2025-03-26' of ..
> git tree:       upstream
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=1766b43f980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1366b43f980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2edddb53537e0320
> dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1623343f980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1123343f980000
> 
> Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com
> Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Okay, so I'm able to replicate this with the patch whereas it does not
hit without it, so the bisect seems right. 

In my environment, at the time UAF hits, I also see the following logs:

[  139.893083][    T9] EXT4-fs error (device loop0): ext4_ext_split:1078: inode #15: comm kworker/u8:0: !
[  139.894260][    T9] EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 17
[  139.894278][    T9] EXT4-fs (loop0): This should not happen!! Data will be lost
[  139.894278][    T9]

[  139.897505][ T1098] EXT4-fs error (device loop4): ext4_map_blocks:730: inode #15: block 131075: comm )
[  139.897607][ T1098] EXT4-fs (loop4): Delayed block allocation failed for inode 15 at logical offset 17
[  139.897624][ T1098] EXT4-fs (loop4): This should not happen!! Data will be lost

ext4_ext_split:1078 is

	   if (unlikely(path[depth].p_ext > EXT_MAX_EXTENT(path[depth].p_hdr))) {

and ext4_map_blocks:730 is the check_block_validity failure in map blocks.
I'm still trying to make sense of the logs and the UAF and will update
when I have more information.

Regards,
ojaswin




* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
       [not found] <CADfthj1-m1WoipkSJmZ=1fe23T_7Bn=_n0iLTBHdUwXF-i7YQA@mail.gmail.com>
@ 2025-11-19  8:13 ` syzbot
  0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-19  8:13 UTC (permalink / raw)
  To: albinbabuvarghese20, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel panic: KASAN: panic_on_warn set ...

>ffff88806ecb8c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff88806ecb8c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806ecb8d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Kernel panic - not syncing: KASAN: panic_on_warn set ...
CPU: 1 UID: 0 PID: 15465 Comm: syz.0.2193 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x99/0x250 lib/dump_stack.c:120
 vpanic+0x237/0x6d0 kernel/panic.c:489
 panic+0xb9/0xc0 kernel/panic.c:626
 check_panic_on_warn+0x89/0xb0 kernel/panic.c:376
 end_report+0x78/0x160 mm/kasan/report.c:227
 kasan_report+0x129/0x150 mm/kasan/report.c:597
 ext4_ext_rm_leaf fs/ext4/extents.c:2630 [inline]
 ext4_ext_remove_space+0x3211/0x42f0 fs/ext4/extents.c:2968
 ext4_ext_truncate+0x17e/0x300 fs/ext4/extents.c:4487
 ext4_truncate+0xb4f/0x12e0 fs/ext4/inode.c:4614
 ext4_truncate_failed_write fs/ext4/truncate.h:22 [inline]
 ext4_write_end+0x76e/0x9f0 fs/ext4/inode.c:1486
 ext4_da_write_end+0x84/0xcf0 fs/ext4/inode.c:3277
 generic_perform_write+0x62a/0x900 mm/filemap.c:4275
 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299
 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5c9/0xb30 fs/read_write.c:686
 ksys_pwrite64 fs/read_write.c:793 [inline]
 __do_sys_pwrite64 fs/read_write.c:801 [inline]
 __se_sys_pwrite64 fs/read_write.c:798 [inline]
 __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:798
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd18e38e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd18f1a9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007fd18e5b5fa0 RCX: 00007fd18e38e929
RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000004
RBP: 00007fd18e410b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000e7c R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fd18e5b5fa0 R15: 00007ffe86830148
 </TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit:         8b690556 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1419e97c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1144b212580000



* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
       [not found] <CADfthj1tCCoMeUbBD77N+nrPeit7t6LTpScLgtAUzPgbqfuNcg@mail.gmail.com>
@ 2025-11-19 17:53 ` syzbot
  0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-19 17:53 UTC (permalink / raw)
  To: albinbabuvarghese20, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_find_extent

loop0: detected capacity change from 0 to 1024
EXT4-fs: Ignoring removed oldalloc option
EXT4-fs: Ignoring removed orlov option
EXT4-fs (loop0): stripe (1570) is not aligned with cluster size (16), stripe is disabled
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff88805848d018 by task syz.0.1716/13445

CPU: 1 UID: 0 PID: 13445 Comm: syz.0.1716 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4208
 ext4_map_query_blocks+0x13b/0x930 fs/ext4/inode.c:550
 ext4_map_blocks+0x4b3/0x1740 fs/ext4/inode.c:773
 _ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:910
 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:943
 ext4_block_write_begin+0x993/0x1710 fs/ext4/inode.c:1198
 ext4_write_begin+0xc04/0x19a0 fs/ext4/ext4_jbd2.h:-1
 ext4_da_write_begin+0x445/0xda0 fs/ext4/inode.c:3129
 generic_perform_write+0x2c5/0x900 mm/filemap.c:4254
 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299
 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5c9/0xb30 fs/read_write.c:686
 ksys_pwrite64 fs/read_write.c:793 [inline]
 __do_sys_pwrite64 fs/read_write.c:801 [inline]
 __se_sys_pwrite64 fs/read_write.c:798 [inline]
 __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:798
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb6d7d8e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb6d8cd4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007fb6d7fb5fa0 RCX: 00007fb6d7d8e929
RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000004
RBP: 00007fb6d7e10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000e7c R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fb6d7fb5fa0 R15: 00007ffe519db498
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xc00772c pfn:0x5848d
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 000000000c00772c 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6135, tgid 6130 (syz-execprog), ts 118165039414, free_ts 376890617757
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
 prep_new_page mm/page_alloc.c:1853 [inline]
 get_page_from_freelist+0x2356/0x2430 mm/page_alloc.c:3879
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
 vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
 folio_prealloc+0x30/0x180 mm/memory.c:-1
 alloc_anon_folio mm/memory.c:5126 [inline]
 do_anonymous_page mm/memory.c:5183 [inline]
 do_pte_missing mm/memory.c:4360 [inline]
 handle_pte_fault mm/memory.c:6195 [inline]
 __handle_mm_fault+0x2a8b/0x5400 mm/memory.c:6336
 handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6505
 do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 6132 tgid 6130 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 free_unref_folios+0xe5d/0x15f0 mm/page_alloc.c:2958
 folios_put_refs+0x584/0x670 mm/swap.c:1002
 free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:355
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
 madvise_finish_tlb mm/madvise.c:1790 [inline]
 do_madvise+0x208/0x270 mm/madvise.c:1979
 __do_sys_madvise mm/madvise.c:1987 [inline]
 __se_sys_madvise mm/madvise.c:1985 [inline]
 __x64_sys_madvise+0xa7/0xc0 mm/madvise.c:1985
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805848cf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805848cf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88805848d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff88805848d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805848d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         8b690556 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e90742580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=169cce0a580000



* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
       [not found] <CAHxJ8O-Y021tSY0w==hGmrwMt46ay=vT=zvwuGEfxEEN5SW7LA@mail.gmail.com>
@ 2025-11-20  1:27 ` syzbot
  0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20  1:27 UTC (permalink / raw)
  To: eraykrdg1, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_find_extent

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff888060ccb018 by task kworker/u8:0/12

CPU: 0 UID: 0 PID: 12 Comm: kworker/u8:0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4208
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
 ext4_convert_unwritten_extents+0x2ae/0x5d0 fs/ext4/extents.c:4976
 ext4_convert_unwritten_io_end_vec+0xff/0x170 fs/ext4/extents.c:5016
 ext4_end_io_end+0xc7/0x410 fs/ext4/page-io.c:199
 ext4_do_flush_completed_IO fs/ext4/page-io.c:290 [inline]
 ext4_end_io_rsv_work+0x262/0x330 fs/ext4/page-io.c:305
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x60ccb
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_MOVABLE|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL), pid 10925, tgid 10924 (syz.0.1091), ts 292203567761, free_ts 292265476069
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
 prep_new_page mm/page_alloc.c:1853 [inline]
 get_page_from_freelist+0x2356/0x2430 mm/page_alloc.c:3879
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507
 folio_alloc_noprof+0x1e/0x30 mm/mempolicy.c:2517
 filemap_alloc_folio_noprof+0xdf/0x470 mm/filemap.c:1020
 __filemap_get_folio+0x3f2/0xaf0 mm/filemap.c:2012
 grow_dev_folio fs/buffer.c:1050 [inline]
 grow_buffers fs/buffer.c:1116 [inline]
 __getblk_slow fs/buffer.c:1134 [inline]
 bdev_getblk+0x1ad/0x660 fs/buffer.c:1461
 __getblk include/linux/buffer_head.h:380 [inline]
 sb_getblk include/linux/buffer_head.h:386 [inline]
 __ext4_get_inode_loc+0x561/0x1040 fs/ext4/inode.c:4837
 __ext4_get_inode_loc_noinmem fs/ext4/inode.c:4950 [inline]
 __ext4_iget+0x451/0x4220 fs/ext4/inode.c:5225
 __ext4_fill_super fs/ext4/super.c:5512 [inline]
 ext4_fill_super+0x4637/0x61e0 fs/ext4/super.c:5736
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1698
 vfs_get_tree+0x92/0x2b0 fs/super.c:1758
 fc_mount fs/namespace.c:1199 [inline]
 do_new_mount_fc fs/namespace.c:3642 [inline]
 do_new_mount+0x302/0xa10 fs/namespace.c:3718
 do_mount fs/namespace.c:4041 [inline]
 __do_sys_mount fs/namespace.c:4229 [inline]
 __se_sys_mount+0x313/0x410 fs/namespace.c:4206
page last free pid 8941 tgid 8941 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 free_unref_folios+0xe5d/0x15f0 mm/page_alloc.c:2958
 folios_put_refs+0x584/0x670 mm/swap.c:1002
 folio_batch_release include/linux/pagevec.h:101 [inline]
 mapping_try_invalidate+0x324/0x410 mm/truncate.c:579
 ext4_put_super+0x813/0xc40 fs/ext4/super.c:1348
 generic_shutdown_super+0x135/0x2c0 fs/super.c:642
 kill_block_super+0x44/0x90 fs/super.c:1729
 ext4_kill_sb+0x68/0xb0 fs/ext4/super.c:7403
 deactivate_locked_super+0xbc/0x130 fs/super.c:473
 cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888060ccaf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888060ccaf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888060ccb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff888060ccb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888060ccb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=128cba12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14657692580000



* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
       [not found] <CAHxJ8O8WbUF8HROrpL-FkCjmqhRZ2Et6nsSzA9Oo4viTHZWf5A@mail.gmail.com>
@ 2025-11-20  2:13 ` syzbot
  0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20  2:13 UTC (permalink / raw)
  To: eraykrdg1, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_find_extent

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff88806fbac08c by task kworker/u8:3/49

CPU: 0 UID: 0 PID: 49 Comm: kworker/u8:3 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4208
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
 ext4_convert_unwritten_extents+0x2ae/0x5d0 fs/ext4/extents.c:4976
 ext4_convert_unwritten_io_end_vec+0xff/0x170 fs/ext4/extents.c:5016
 ext4_end_io_end+0xc7/0x410 fs/ext4/page-io.c:199
 ext4_do_flush_completed_IO fs/ext4/page-io.c:290 [inline]
 ext4_end_io_rsv_work+0x262/0x330 fs/ext4/page-io.c:305
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fdb995cf pfn:0x6fbac
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001899f48 ffffea0001a80508 0000000000000000
raw: 00000007fdb995cf 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6178, tgid 6178 (udevd), ts 265882608890, free_ts 265892368035
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
 prep_new_page mm/page_alloc.c:1853 [inline]
 get_page_from_freelist+0x2356/0x2430 mm/page_alloc.c:3879
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
 vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
 folio_prealloc+0x30/0x180 mm/memory.c:-1
 alloc_anon_folio mm/memory.c:5126 [inline]
 do_anonymous_page mm/memory.c:5183 [inline]
 do_pte_missing mm/memory.c:4360 [inline]
 handle_pte_fault mm/memory.c:6195 [inline]
 __handle_mm_fault+0x2a8b/0x5400 mm/memory.c:6336
 handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6505
 do_user_addr_fault+0x764/0x1380 arch/x86/mm/fault.c:1387
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 6178 tgid 6178 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 free_unref_folios+0xe5d/0x15f0 mm/page_alloc.c:2958
 folios_put_refs+0x584/0x670 mm/swap.c:1002
 folios_put include/linux/mm.h:1484 [inline]
 folio_batch_move_lru+0x2a5/0x330 mm/swap.c:179
 lru_add_drain_cpu+0x119/0x880 mm/swap.c:648
 lru_add_drain+0x122/0x3e0 mm/swap.c:737
 __folio_batch_release+0x48/0x90 mm/swap.c:1059
 folio_batch_release include/linux/pagevec.h:101 [inline]
 shmem_undo_range+0x49e/0x14b0 mm/shmem.c:1119
 shmem_truncate_range mm/shmem.c:1231 [inline]
 shmem_evict_inode+0x272/0xa70 mm/shmem.c:1359
 evict+0x504/0x9c0 fs/inode.c:810
 __dentry_kill+0x209/0x660 fs/dcache.c:669
 dput+0x19f/0x2b0 fs/dcache.c:911
 do_renameat2+0x6b2/0xa50 fs/namei.c:5366
 __do_sys_rename fs/namei.c:5411 [inline]
 __se_sys_rename fs/namei.c:5409 [inline]
 __x64_sys_rename+0x82/0x90 fs/namei.c:5409
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88806fbabf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88806fbac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88806fbac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff88806fbac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806fbac180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=166c0514580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12f57692580000


* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
       [not found] <CAHxJ8O8P7PcMPfFktS39H_PH7_z8UwmL5oJeVpjetHxU7haGug@mail.gmail.com>
@ 2025-11-20 12:15 ` syzbot
  0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20 12:15 UTC (permalink / raw)
  To: eraykrdg1, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_find_extent

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff88805f4ebd18 by task kworker/u8:3/50

CPU: 1 UID: 0 PID: 50 Comm: kworker/u8:3 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4208
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
 ext4_convert_unwritten_extents+0x2ae/0x5d0 fs/ext4/extents.c:4976
 ext4_convert_unwritten_io_end_vec+0xff/0x170 fs/ext4/extents.c:5016
 ext4_end_io_end+0xc7/0x410 fs/ext4/page-io.c:199
 ext4_do_flush_completed_IO fs/ext4/page-io.c:290 [inline]
 ext4_end_io_rsv_work+0x262/0x330 fs/ext4/page-io.c:305
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x5f4eb
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001ab2448 ffffea0001b7a848 0000000000000000
raw: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x141cca(GFP_HIGHUSER_MOVABLE|__GFP_WRITE|__GFP_COMP), pid 6484, tgid 6483 (syz.0.20), ts 137862241539, free_ts 137891188282
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
 prep_new_page mm/page_alloc.c:1853 [inline]
 get_page_from_freelist+0x2356/0x2430 mm/page_alloc.c:3879
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507
 folio_alloc_noprof+0x1e/0x30 mm/mempolicy.c:2517
 filemap_alloc_folio_noprof+0xdf/0x470 mm/filemap.c:1020
 __filemap_get_folio+0x3f2/0xaf0 mm/filemap.c:2012
 write_begin_get_folio include/linux/pagemap.h:784 [inline]
 ext4_write_begin+0x4c8/0x19a0 fs/ext4/inode.c:1318
 ext4_da_write_begin+0x445/0xda0 fs/ext4/inode.c:3129
 generic_perform_write+0x2c5/0x900 mm/filemap.c:4254
 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299
 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5c9/0xb30 fs/read_write.c:686
 ksys_pwrite64 fs/read_write.c:793 [inline]
 __do_sys_pwrite64 fs/read_write.c:801 [inline]
 __se_sys_pwrite64 fs/read_write.c:798 [inline]
 __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:798
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
page last free pid 6341 tgid 6341 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 free_unref_folios+0xe5d/0x15f0 mm/page_alloc.c:2958
 folios_put_refs+0x584/0x670 mm/swap.c:1002
 folio_batch_release include/linux/pagevec.h:101 [inline]
 truncate_inode_pages_range+0x346/0xda0 mm/truncate.c:408
 ext4_evict_inode+0x1aa/0xee0 fs/ext4/inode.c:185
 evict+0x504/0x9c0 fs/inode.c:810
 dispose_list fs/inode.c:852 [inline]
 evict_inodes+0x64c/0x6d0 fs/inode.c:906
 generic_shutdown_super+0x9a/0x2c0 fs/super.c:627
 kill_block_super+0x44/0x90 fs/super.c:1729
 ext4_kill_sb+0x68/0xb0 fs/ext4/super.c:7403
 deactivate_locked_super+0xbc/0x130 fs/super.c:473
 cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805f4ebc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805f4ebc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88805f4ebd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff88805f4ebd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805f4ebe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12608c2a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16dbca12580000


* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
       [not found] <CAHxJ8O_9bpgRjjjD=D4YpwM+FvvKh-OqeHP4kZhBVbL+zXOMgA@mail.gmail.com>
@ 2025-11-20 13:38 ` syzbot
  0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20 13:38 UTC (permalink / raw)
  To: eraykrdg1, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_find_extent

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff8880618f1018 by task kworker/u8:6/1096

CPU: 1 UID: 0 PID: 1096 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4208
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
 ext4_convert_unwritten_extents+0x2ae/0x5d0 fs/ext4/extents.c:4976
 ext4_convert_unwritten_io_end_vec+0xff/0x170 fs/ext4/extents.c:5016
 ext4_end_io_end+0xc7/0x410 fs/ext4/page-io.c:199
 ext4_do_flush_completed_IO fs/ext4/page-io.c:290 [inline]
 ext4_end_io_rsv_work+0x262/0x330 fs/ext4/page-io.c:305
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f8288ec9 pfn:0x618f1
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001863c88 ffffea0001863c08 0000000000000000
raw: 00000007f8288ec9 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6155, tgid 6155 (syz-executor), ts 131175623082, free_ts 136501716604
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
 prep_new_page mm/page_alloc.c:1853 [inline]
 get_page_from_freelist+0x2356/0x2430 mm/page_alloc.c:3879
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
 vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
 folio_prealloc+0x30/0x180 mm/memory.c:-1
 alloc_anon_folio mm/memory.c:5126 [inline]
 do_anonymous_page mm/memory.c:5183 [inline]
 do_pte_missing mm/memory.c:4360 [inline]
 handle_pte_fault mm/memory.c:6195 [inline]
 __handle_mm_fault+0x2a8b/0x5400 mm/memory.c:6336
 handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6505
 do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 6155 tgid 6155 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 free_unref_folios+0xe5d/0x15f0 mm/page_alloc.c:2958
 folios_put_refs+0x584/0x670 mm/swap.c:1002
 free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:355
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
 vms_clear_ptes+0x42c/0x540 mm/vma.c:1235
 vms_complete_munmap_vmas+0x206/0x8a0 mm/vma.c:1277
 do_vmi_align_munmap+0x364/0x440 mm/vma.c:1536
 do_vmi_munmap+0x253/0x2e0 mm/vma.c:1584
 __vm_munmap+0x207/0x380 mm/vma.c:3156
 __do_sys_munmap mm/mmap.c:1080 [inline]
 __se_sys_munmap mm/mmap.c:1077 [inline]
 __x64_sys_munmap+0x60/0x70 mm/mmap.c:1077
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff8880618f0f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880618f0f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880618f1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff8880618f1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880618f1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1002f692580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=111dba12580000


* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
       [not found] <CAHxJ8O-6VrfyR-Yp7yQLu+W=zo9yPVTjfj6ic-Fiq6dF1-tmwQ@mail.gmail.com>
@ 2025-11-20 16:11 ` syzbot
  0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20 16:11 UTC (permalink / raw)
  To: eraykrdg1, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com
Tested-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com

Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=159b997c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13abba12580000

Note: testing is done by a robot and is best-effort only.

* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
       [not found] <CAHxJ8O_vfXVmYBidWof5vvx4POOzdLdwyD7NxBuwPp+5Ot6PAQ@mail.gmail.com>
@ 2025-11-20 18:21 ` syzbot
  0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20 18:21 UTC (permalink / raw)
  To: eraykrdg1, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_find_extent

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff888072543018 by task kworker/u8:3/49

CPU: 1 UID: 0 PID: 49 Comm: kworker/u8:3 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4208
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
 ext4_convert_unwritten_extents+0x2ae/0x5d0 fs/ext4/extents.c:4976
 ext4_convert_unwritten_io_end_vec+0xff/0x170 fs/ext4/extents.c:5016
 ext4_end_io_end+0xc7/0x410 fs/ext4/page-io.c:199
 ext4_do_flush_completed_IO fs/ext4/page-io.c:290 [inline]
 ext4_end_io_rsv_work+0x262/0x330 fs/ext4/page-io.c:305
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f7902757 pfn:0x72543
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 00000007f7902757 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6138, tgid 6138 (syz-executor), ts 130428789605, free_ts 136080635031
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
 prep_new_page mm/page_alloc.c:1853 [inline]
 get_page_from_freelist+0x2356/0x2430 mm/page_alloc.c:3879
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
 vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
 folio_prealloc+0x30/0x180 mm/memory.c:-1
 alloc_anon_folio mm/memory.c:5126 [inline]
 do_anonymous_page mm/memory.c:5183 [inline]
 do_pte_missing mm/memory.c:4360 [inline]
 handle_pte_fault mm/memory.c:6195 [inline]
 __handle_mm_fault+0x2a8b/0x5400 mm/memory.c:6336
 handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6505
 do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 6138 tgid 6138 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 free_unref_folios+0xe5d/0x15f0 mm/page_alloc.c:2958
 folios_put_refs+0x584/0x670 mm/swap.c:1002
 free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:355
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
 vms_clear_ptes+0x42c/0x540 mm/vma.c:1235
 vms_complete_munmap_vmas+0x206/0x8a0 mm/vma.c:1277
 do_vmi_align_munmap+0x364/0x440 mm/vma.c:1536
 do_vmi_munmap+0x253/0x2e0 mm/vma.c:1584
 __vm_munmap+0x207/0x380 mm/vma.c:3156
 __do_sys_munmap mm/mmap.c:1080 [inline]
 __se_sys_munmap mm/mmap.c:1077 [inline]
 __x64_sys_munmap+0x60/0x70 mm/mmap.c:1077
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888072542f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888072542f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888072543000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff888072543080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888072543100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         8e621c9a Merge tag 'net-6.18-rc7' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10bc2a12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11f6f692580000


* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
       [not found] <CAHxJ8O-T9Dtjz2TAzJ4NZRHjEoMkqc9sLSjFQn2WFG8Et57UFg@mail.gmail.com>
@ 2025-11-20 19:07 ` syzbot
  0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20 19:07 UTC (permalink / raw)
  To: eraykrdg1, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_find_extent

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff88806ecb8e18 by task kworker/u8:9/3520

CPU: 1 UID: 0 PID: 3520 Comm: kworker/u8:9 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x288/0x6ac0 fs/ext4/extents.c:4208
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
 ext4_convert_unwritten_extents+0x2ae/0x5d0 fs/ext4/extents.c:4976
 ext4_convert_unwritten_io_end_vec+0xff/0x170 fs/ext4/extents.c:5016
 ext4_end_io_end+0xc7/0x410 fs/ext4/page-io.c:199
 ext4_do_flush_completed_IO fs/ext4/page-io.c:290 [inline]
 ext4_end_io_rsv_work+0x262/0x330 fs/ext4/page-io.c:305
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2f pfn:0x6ecb8
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001bb2dc8 ffffea0001bb2e48 0000000000000000
raw: 000000000000002f 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 8356, tgid 8355 (syz.0.469), ts 208003260519, free_ts 208144424942
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
 prep_new_page mm/page_alloc.c:1853 [inline]
 get_page_from_freelist+0x2356/0x2430 mm/page_alloc.c:3879
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 folio_alloc_mpol_noprof+0x39/0x70 mm/mempolicy.c:2435
 shmem_alloc_folio mm/shmem.c:1870 [inline]
 shmem_alloc_and_add_folio+0x423/0xf40 mm/shmem.c:1912
 shmem_get_folio_gfp+0x59d/0x1660 mm/shmem.c:2535
 shmem_get_folio mm/shmem.c:2641 [inline]
 shmem_write_begin+0xf7/0x2b0 mm/shmem.c:3291
 generic_perform_write+0x2c5/0x900 mm/filemap.c:4254
 shmem_file_write_iter+0xf8/0x120 mm/shmem.c:3466
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5c9/0xb30 fs/read_write.c:686
 ksys_write+0x145/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 6436 tgid 6436 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 free_unref_folios+0xe5d/0x15f0 mm/page_alloc.c:2958
 folios_put_refs+0x584/0x670 mm/swap.c:1002
 folio_batch_release include/linux/pagevec.h:101 [inline]
 shmem_undo_range+0x49e/0x14b0 mm/shmem.c:1119
 shmem_truncate_range mm/shmem.c:1231 [inline]
 shmem_evict_inode+0x272/0xa70 mm/shmem.c:1359
 evict+0x504/0x9c0 fs/inode.c:810
 __dentry_kill+0x209/0x660 fs/dcache.c:669
 dput+0x19f/0x2b0 fs/dcache.c:911
 __fput+0x68e/0xa70 fs/file_table.c:476
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88806ecb8d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806ecb8d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88806ecb8e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff88806ecb8e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806ecb8f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         8e621c9a Merge tag 'net-6.18-rc7' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14babe0a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=115ef692580000


* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
       [not found] <CAHxJ8O8xhXVne3ghaMNk1Ttgj35hfK1_Rk-WyDe+sC-qM7XPPQ@mail.gmail.com>
@ 2025-11-21 22:01 ` syzbot
  0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-21 22:01 UTC (permalink / raw)
  To: eraykrdg1, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com
Tested-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com

Tested on:

commit:         2eba5e05 Merge tag 'loongarch-fixes-6.18-2' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10454c2a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e611fe59206f39f
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13a1aa12580000

Note: testing is done by a robot and is best-effort only.