| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2025/06/01 | lts (merge base) | 02b72ccb5f9d | C | [report] KASAN: use-after-free Read in ext4_find_extent |
| 2025/06/01 | upstream (ToT) | cd2e103d57e5 | C | Didn't crash |
syzbot |
sign-in | mailing list | source | docs |
| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2025/06/01 | lts (merge base) | 02b72ccb5f9d | C | [report] KASAN: use-after-free Read in ext4_find_extent |
| 2025/06/01 | upstream (ToT) | cd2e103d57e5 | C | Didn't crash |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2025/10/13 21:35 | 6m | retest repro | android14-6.1 | report log | |
| 2025/10/13 21:35 | 13m | retest repro | android14-6.1 | report log | |
| 2025/09/28 13:09 | 6m | retest repro | android14-6.1 | report log | |
| 2025/08/23 21:20 | 12m | retest repro | android14-6.1 | report log | |
| 2025/06/14 21:11 | 6m | retest repro | android14-6.1 | report log |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2025/07/31 06:27 | 1h21m | bisect fix | android14-6.1 | OK (0) job log log | |
| 2025/06/30 20:17 | 1h08m | bisect fix | android14-6.1 | OK (0) job log log |
================================================================== BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline] BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:953 Read of size 4 at addr ffff88810efce0d8 by task kworker/u4:0/8 CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: writeback wb_workfn (flush-7:2) Call Trace: <TASK> __dump_stack+0x21/0x24 lib/dump_stack.c:88 dump_stack_lvl+0xee/0x150 lib/dump_stack.c:106 print_address_description+0x71/0x200 mm/kasan/report.c:316 print_report+0x4a/0x60 mm/kasan/report.c:420 kasan_report+0x122/0x150 mm/kasan/report.c:524 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350 ext4_ext_binsearch fs/ext4/extents.c:837 [inline] ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:953 ext4_ext_map_blocks+0x1dc/0x6060 fs/ext4/extents.c:4166 ext4_map_blocks+0x9cb/0x1b60 fs/ext4/inode.c:679 mpage_map_one_extent fs/ext4/inode.c:2435 [inline] mpage_map_and_submit_extent fs/ext4/inode.c:2488 [inline] ext4_writepages+0x1260/0x3020 fs/ext4/inode.c:2856 do_writepages+0x3a9/0x5e0 mm/page-writeback.c:2494 __writeback_single_inode+0xc6/0xad0 fs/fs-writeback.c:1612 writeback_sb_inodes+0x9b8/0x1550 fs/fs-writeback.c:1903 wb_writeback+0x3f1/0x980 fs/fs-writeback.c:2079 wb_do_writeback fs/fs-writeback.c:2226 [inline] wb_workfn+0x350/0xda0 fs/fs-writeback.c:2266 process_one_work+0x71f/0xc40 kernel/workqueue.c:2302 worker_thread+0xa29/0x11f0 kernel/workqueue.c:2449 kthread+0x281/0x320 kernel/kthread.c:386 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> Allocated by task 301: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505 ____kasan_kmalloc mm/kasan/common.c:379 [inline] __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:388 kasan_kmalloc include/linux/kasan.h:212 [inline] kmalloc_trace+0x40/0xb0 mm/slab_common.c:1033 kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:699 [inline] ref_tracker_alloc+0x139/0x430 lib/ref_tracker.c:85 __netdev_tracker_alloc include/linux/netdevice.h:4085 [inline] netdev_tracker_alloc include/linux/netdevice.h:4097 [inline] fib6_nh_init+0x8e6/0x1ff0 net/ipv6/route.c:3668 ip6_route_info_create+0xa66/0x1510 net/ipv6/route.c:3849 addrconf_f6i_alloc+0x154/0x360 net/ipv6/route.c:4601 fixup_permanent_addr net/ipv6/addrconf.c:3554 [inline] addrconf_permanent_addr+0x21f/0x8c0 net/ipv6/addrconf.c:3593 addrconf_notify+0x7cf/0xe40 net/ipv6/addrconf.c:3665 notifier_call_chain kernel/notifier.c:87 [inline] raw_notifier_call_chain+0xa1/0x110 kernel/notifier.c:455 call_netdevice_notifiers_info net/core/dev.c:2009 [inline] call_netdevice_notifiers_extack net/core/dev.c:2047 [inline] call_netdevice_notifiers net/core/dev.c:2061 [inline] __dev_notify_flags+0x28f/0x500 net/core/dev.c:-1 dev_change_flags+0xe8/0x1a0 net/core/dev.c:8730 do_setlink+0xc3d/0x3d50 net/core/rtnetlink.c:2833 __rtnl_newlink net/core/rtnetlink.c:3608 [inline] rtnl_newlink+0x17d9/0x2030 net/core/rtnetlink.c:3655 rtnetlink_rcv_msg+0x9f4/0xcf0 net/core/rtnetlink.c:6153 netlink_rcv_skb+0x1f2/0x440 net/netlink/af_netlink.c:2521 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6171 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x8ab/0xa30 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x8aa/0xbc0 net/netlink/af_netlink.c:1873 sock_sendmsg_nosec net/socket.c:716 [inline] __sock_sendmsg net/socket.c:728 [inline] __sys_sendto+0x464/0x5e0 net/socket.c:2143 __do_sys_sendto net/socket.c:2155 [inline] __se_sys_sendto net/socket.c:2151 [inline] __x64_sys_sendto+0xe5/0x100 net/socket.c:2151 x64_sys_call+0x83/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:45 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 8: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516 ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:241 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249 kasan_slab_free include/linux/kasan.h:178 [inline] slab_free_hook mm/slub.c:1750 [inline] slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1776 slab_free mm/slub.c:3712 [inline] __kmem_cache_free+0xb7/0x1b0 mm/slub.c:3728 kfree+0x6f/0xf0 mm/slab_common.c:990 ref_tracker_dir_exit+0x191/0x4c0 lib/ref_tracker.c:27 free_netdev+0x27d/0x490 net/core/dev.c:10835 netdev_run_todo+0xaa4/0xc00 net/core/dev.c:10476 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:147 default_device_exit_batch+0x9be/0xa50 net/core/dev.c:11481 ops_exit_list net/core/net_namespace.c:177 [inline] cleanup_net+0x62d/0xb00 net/core/net_namespace.c:604 process_one_work+0x71f/0xc40 kernel/workqueue.c:2302 worker_thread+0xa29/0x11f0 kernel/workqueue.c:2449 kthread+0x281/0x320 kernel/kthread.c:386 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the object at ffff88810efce0c0 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 24 bytes inside of 32-byte region [ffff88810efce0c0, ffff88810efce0e0) The buggy address belongs to the physical page: page:ffffea00043bf380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10efce flags: 0x4000000000000200(slab|zone=1) raw: 4000000000000200 0000000000000000 dead000000000001 ffff888100042600 raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 83, tgid 83 (start-stop-daem), ts 3915189756, free_ts 3914171511 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2643 prep_new_page+0x1c/0x110 mm/page_alloc.c:2650 get_page_from_freelist+0x2c7b/0x2cf0 mm/page_alloc.c:4554 __alloc_pages+0x1c3/0x450 mm/page_alloc.c:5868 alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1 allocate_slab mm/slub.c:1967 [inline] new_slab+0x98/0x3d0 mm/slub.c:2020 ___slab_alloc+0x6bd/0xb20 mm/slub.c:3177 __slab_alloc+0x5e/0xa0 mm/slub.c:3263 slab_alloc_node mm/slub.c:3348 [inline] __kmem_cache_alloc_node+0x203/0x2c0 mm/slub.c:3423 __do_kmalloc_node mm/slab_common.c:937 [inline] __kmalloc+0xa1/0x1e0 mm/slab_common.c:951 kmalloc include/linux/slab.h:568 [inline] kzalloc include/linux/slab.h:699 [inline] lsm_cred_alloc security/security.c:540 [inline] security_prepare_creds+0x4e/0x150 security/security.c:1738 prepare_creds+0x456/0x640 kernel/cred.c:294 access_override_creds fs/open.c:377 [inline] do_faccessat+0x10e/0xa00 fs/open.c:441 __do_sys_access fs/open.c:506 [inline] __se_sys_access fs/open.c:504 [inline] __x64_sys_access+0x61/0x70 fs/open.c:504 x64_sys_call+0x5a0/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:22 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1551 [inline] free_pcp_prepare mm/page_alloc.c:1625 [inline] free_unref_page_prepare+0x742/0x750 mm/page_alloc.c:3589 free_unref_page+0x8f/0x530 mm/page_alloc.c:3687 free_the_page mm/page_alloc.c:836 [inline] __free_pages+0x67/0x100 mm/page_alloc.c:5957 __vunmap+0x9af/0xb70 mm/vmalloc.c:2739 free_work+0x5a/0x80 mm/vmalloc.c:98 process_one_work+0x71f/0xc40 kernel/workqueue.c:2302 worker_thread+0xa29/0x11f0 kernel/workqueue.c:2449 kthread+0x281/0x320 kernel/kthread.c:386 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffff88810efcdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88810efce000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc >ffff88810efce080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc ^ ffff88810efce100: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc ffff88810efce180: fa fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc ================================================================== EXT4-fs error (device loop2): ext4_map_blocks:745: inode #15: block 4069883428: comm kworker/u4:0: lblock 36 mapped to illegal pblock 4069883428 (length 1) EXT4-fs (loop2): Delayed block allocation failed for inode 15 at logical offset 36 with max blocks 1 with error 117 EXT4-fs (loop2): This should not happen!! Data will be lost
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/10/24 04:04 | android14-6.1 | 22c0b7236c43 | c0460fcd | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/10/24 03:23 | android14-6.1 | 22c0b7236c43 | c0460fcd | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/10/24 02:37 | android14-6.1 | 22c0b7236c43 | c0460fcd | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/09/29 02:17 | android14-6.1 | 5303560ee8cf | 001c9061 | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/09/03 14:52 | android14-6.1 | 79ccb6ecf51e | 96a211bc | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/08/03 17:31 | android14-6.1 | 3b4ff5af8d36 | 7368264b | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/05/31 08:37 | android14-6.1 | db710ea87c32 | 3d2f584d | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | |
| 2025/09/14 09:34 | android14-6.1 | 0429b7af308c | e2beed91 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/08/28 01:48 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/08/28 01:48 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/08/28 01:46 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/08/28 01:46 | android14-6.1 | 47b374a18638 | e12e5ba4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent | ||
| 2025/05/31 08:03 | android14-6.1 | db710ea87c32 | 3d2f584d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_find_extent |