Liebes Wang
Mar 18, 2026, 6:55:29 AM
to liba...@huawei.com, Zhang Yi, Theodore Ts'o, linux-...@vger.kernel.org, syzk...@googlegroups.com
Dear Linux maintainers and reviewers:
We are reporting a Linux kernel bug titled **KASAN: use-after-free Read in ext4_find_extent**.
Linux version: 5ee8dbf54602dc340d6235b1d6aa17c0f283f48c (mainline latest)
The bisection log shows the first introduced commit is
6347558764911f88acac06ab996e162f0c8a212d
6347558764911 ext4: refactor choose group to scan group
The test case, kernel config and full bisection log are attached.
The report is (the full reports are attached):
This report was generated at kernel version 6.19.0-rc2 (report-6.19.log), but we also verified that this crash can be reproduced at the latest kernel version (latest_repro.log).
----
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0x9ab/0xa00 fs/ext4/extents.c:956
Read of size 4 at addr ff1100031ebe1400 by task syz.7.2557/41017
CPU: 0 UID: 0 PID: 41017 Comm: syz.7.2557 Tainted: G L
6.19.0-rc2-gccd1cdca5cd4 #1 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x5f0 mm/kasan/report.c:482
kasan_report+0xca/0x100 mm/kasan/report.c:595
ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
ext4_find_extent+0x9ab/0xa00 fs/ext4/extents.c:956
ext4_ext_map_blocks+0x24a/0x6110 fs/ext4/extents.c:4208
ext4_map_query_blocks+0x110/0x900 fs/ext4/inode.c:549
ext4_map_blocks+0x49d/0x1250 fs/ext4/inode.c:778
_ext4_get_block+0x237/0x580 fs/ext4/inode.c:916
ext4_block_write_begin+0x9a6/0x1230 fs/ext4/inode.c:1203
ext4_write_begin+0x84e/0x1540 fs/ext4/inode.c:1364
generic_perform_write+0x3e8/0x900 mm/filemap.c:4314
ext4_buffered_write_iter+0x11a/0x430 fs/ext4/file.c:299
ext4_file_write_iter+0xa51/0x1c70 fs/ext4/file.c:723
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xc0b/0x1170 fs/read_write.c:686
ksys_write+0x121/0x240 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x72/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f1ec558feed
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1ec63f5008 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f1ec57c5fa0 RCX: 00007f1ec558feed
RDX: 000000000000f000 RSI: 0000400000000080 RDI: 0000000000000004
RBP: 00007f1ec56317f4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1ec57c5fa0 R15: 00007ffcbfa0a660
</TASK>