| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2026/02/22 | upstream (ToT) | fa5c82f4d2bb | C | [report] KASAN: use-after-free Read in __ext4_check_dir_entry |
syzbot |
sign-in | mailing list | source | docs |
| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2026/02/22 | upstream (ToT) | fa5c82f4d2bb | C | [report] KASAN: use-after-free Read in __ext4_check_dir_entry |
EXT4-fs error (device loop0): ext4_orphan_get:1403: comm syz.0.19: couldn't read orphan inode 15 (err -117) EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. EXT4-fs warning (device loop0): dx_probe:833: inode #2: comm syz.0.19: Unrecognised inode hash code 4 EXT4-fs warning (device loop0): dx_probe:966: inode #2: comm syz.0.19: Corrupt directory, running e2fsck is recommended ================================================================== BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x73c/0x8e0 fs/ext4/dir.c:85 Read of size 2 at addr ffff88805cc07003 by task syz.0.19/5921 CPU: 0 PID: 5921 Comm: syz.0.19 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 Call Trace: <TASK> dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xa8/0x210 mm/kasan/report.c:468 kasan_report+0x117/0x150 mm/kasan/report.c:581 __ext4_check_dir_entry+0x73c/0x8e0 fs/ext4/dir.c:85 ext4_readdir+0x11f7/0x3a80 fs/ext4/dir.c:261 iterate_dir+0x1c2/0x580 fs/readdir.c:106 __do_sys_getdents64 fs/readdir.c:405 [inline] __se_sys_getdents64+0xf6/0x270 fs/readdir.c:390 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f430df9c629 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe7186ec68 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007f430e215fa0 RCX: 00007f430df9c629 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006 RBP: 00007f430e032b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f430e215fac R14: 00007f430e215fa0 R15: 00007f430e215fa0 </TASK> The buggy address belongs to the physical page: page:ffffea00017301c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x5cc07 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000000 ffffea0001b6c588 ffffea0001730008 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5916, tgid 5916 (syz.0.17), ts 87922739760, free_ts 88114513540 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1c1/0x200 mm/page_alloc.c:1581 prep_new_page mm/page_alloc.c:1588 [inline] get_page_from_freelist+0x1951/0x19e0 mm/page_alloc.c:3220 __alloc_pages+0x1f0/0x460 mm/page_alloc.c:4486 __folio_alloc+0x10/0x20 mm/page_alloc.c:4518 vma_alloc_folio+0x47a/0x8f0 mm/mempolicy.c:2242 shmem_alloc_folio+0x1a9/0x2a0 mm/shmem.c:1679 shmem_alloc_and_acct_folio+0x1e6/0x6d0 mm/shmem.c:1704 shmem_get_folio_gfp+0xcde/0x2aa0 mm/shmem.c:2041 shmem_get_folio mm/shmem.c:2164 [inline] shmem_write_begin+0xf2/0x420 mm/shmem.c:2706 generic_perform_write+0x2fe/0x5c0 mm/filemap.c:4031 shmem_file_write_iter+0xfb/0x120 mm/shmem.c:2883 call_write_iter include/linux/fs.h:2018 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x46c/0x990 fs/read_write.c:584 ksys_write+0x150/0x260 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x68/0xd2 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1181 [inline] free_unref_page_prepare+0x7b2/0x8c0 mm/page_alloc.c:2365 free_unref_page_list+0xbe/0x860 mm/page_alloc.c:2504 release_pages+0x1f7a/0x2200 mm/swap.c:1022 __folio_batch_release+0x71/0xe0 mm/swap.c:1042 folio_batch_release include/linux/pagevec.h:83 [inline] shmem_undo_range+0x630/0x1b20 mm/shmem.c:1026 shmem_truncate_range mm/shmem.c:1135 [inline] shmem_evict_inode+0x245/0x9e0 mm/shmem.c:1264 evict+0x4ca/0x8d0 fs/inode.c:705 __dentry_kill+0x431/0x650 fs/dcache.c:611 dentry_kill+0xb8/0x290 fs/dcache.c:-1 dput+0xfe/0x1e0 fs/dcache.c:918 __fput+0x5e5/0x970 fs/file_table.c:392 task_work_run+0x1d4/0x260 kernel/task_work.c:245 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:210 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302 do_syscall_64+0x61/0xa0 arch/x86/entry/common.c:82 Memory state around the buggy address: ffff88805cc06f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88805cc06f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88805cc07000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88805cc07080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88805cc07100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/02/22 03:12 | linux-6.6.y | 7a137e9bfa0e | 6e7b5511 | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-linux-6-6-kasan | KASAN: use-after-free Read in __ext4_check_dir_entry |