syzbot


KASAN: slab-use-after-free Read in ext4_ext_remove_space

Status: upstream: reported C repro on 2025/03/31 11:15
Subsystems: ext4
Reported-by: syzbot+b73703b873a33d8eb8f6@syzkaller.appspotmail.com
First crash: 341d, last: 4d00h
Cause bisection: failed (error log, bisect log)
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [ext4?] KASAN: slab-use-after-free Read in ext4_ext_remove_space 0 (2) 2025/06/25 14:41
Similar bugs (7)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: out-of-bounds Read in ext4_ext_remove_space origin:upstream missing-backport 24 C error error 30 3d05h 909d 0/2 upstream: reported C repro on 2023/08/04 22:38
android-5-10 KASAN: out-of-bounds Read in ext4_ext_remove_space 24 C error 42 10d 881d 0/2 upstream: reported C repro on 2023/09/02 13:17
upstream KASAN: out-of-bounds Read in ext4_ext_remove_space ext4 17 C error done 8 757d 931d 25/29 fixed on 2024/02/16 19:40
android-6-1 KASAN: out-of-bounds Read in ext4_ext_remove_space missing-backport 17 C error error 6 467d 899d 0/2 auto-obsoleted due to no activity on 2025/01/27 17:01
android-6-1 KASAN: use-after-free Read in ext4_ext_remove_space origin:lts 19 C error 8 12d 194d 0/2 upstream: reported C repro on 2025/07/20 13:48
linux-5.15 KASAN: out-of-bounds Read in ext4_ext_remove_space missing-backport origin:upstream 17 C done 5 44d 739d 0/3 upstream: reported C repro on 2024/01/21 16:07
linux-6.1 KASAN: out-of-bounds Read in ext4_ext_remove_space origin:upstream missing-backport 19 C done 9 45d 757d 0/3 upstream: reported C repro on 2024/01/03 15:27
Last patch testing requests (2)
Created Duration User Patch Repo Result
2025/12/16 19:25 41m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2025/08/10 11:08 39m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_rm_leaf fs/ext4/extents.c:2627 [inline]
BUG: KASAN: use-after-free in ext4_ext_remove_space+0x31a5/0x4260 fs/ext4/extents.c:2965
Read of size 4 at addr ffff888048296c18 by task syz-executor/6133

CPU: 0 UID: 0 PID: 6133 Comm: syz-executor Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ext4_ext_rm_leaf fs/ext4/extents.c:2627 [inline]
 ext4_ext_remove_space+0x31a5/0x4260 fs/ext4/extents.c:2965
 ext4_ext_truncate+0x17e/0x300 fs/ext4/extents.c:4484
 ext4_truncate+0xb3f/0x1300 fs/ext4/inode.c:4612
 ext4_evict_inode+0x85e/0xe60 fs/ext4/inode.c:260
 evict+0x5f4/0xae0 fs/inode.c:837
 do_unlinkat+0x340/0x570 fs/namei.c:5443
 __do_sys_unlink fs/namei.c:5474 [inline]
 __se_sys_unlink fs/namei.c:5472 [inline]
 __x64_sys_unlink+0x47/0x50 fs/namei.c:5472
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f76aeb7ecf7
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd301bc468 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f76aeb7ecf7
RDX: 00007ffd301bc490 RSI: 00007ffd301bc520 RDI: 00007ffd301bc520
RBP: 00007ffd301bc520 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffd301bd610
R13: 00007f76aec03d7d R14: 0000000000025561 R15: 00007ffd301be6e0
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f3e95e76 pfn:0x48296
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 dead000000000100 dead000000000122 0000000000000000
raw: 00000007f3e95e76 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 5809, tgid 5809 (syz-executor), ts 102889688362, free_ts 109393720478
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
 prep_new_page mm/page_alloc.c:1865 [inline]
 get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
 folio_alloc_mpol_noprof mm/mempolicy.c:2505 [inline]
 vma_alloc_folio_noprof+0xe4/0x280 mm/mempolicy.c:2540
 folio_prealloc+0x30/0x180 mm/memory.c:-1
 alloc_anon_folio mm/memory.c:5165 [inline]
 do_anonymous_page mm/memory.c:5222 [inline]
 do_pte_missing+0x86a/0x27a0 mm/memory.c:4399
 handle_pte_fault mm/memory.c:6273 [inline]
 __handle_mm_fault mm/memory.c:6411 [inline]
 handle_mm_fault+0xcc1/0x1330 mm/memory.c:6580
 do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x71/0xd0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 5809 tgid 5809 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1406 [inline]
 free_unref_folios+0xc28/0x1810 mm/page_alloc.c:3000
 folios_put_refs+0x569/0x670 mm/swap.c:1002
 free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:355
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
 vms_clear_ptes+0x42b/0x530 mm/vma.c:1238
 vms_complete_munmap_vmas+0x206/0x8a0 mm/vma.c:1280
 do_vmi_align_munmap+0x372/0x450 mm/vma.c:1539
 do_vmi_munmap+0x253/0x2e0 mm/vma.c:1587
 __vm_munmap+0x207/0x380 mm/vma.c:3203
 __do_sys_munmap mm/mmap.c:1077 [inline]
 __se_sys_munmap mm/mmap.c:1074 [inline]
 __x64_sys_munmap+0x60/0x70 mm/mmap.c:1074
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888048296b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888048296b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888048296c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff888048296c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888048296d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (44):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/01/08 22:20 upstream 79b95d74470d d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2026/01/08 19:49 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci e8c40f11c7b0 d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
2025/02/23 08:59 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a1c24ab82279 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in ext4_ext_remove_space
2026/01/15 18:40 upstream 944aacb68baf d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in ext4_ext_remove_space
2025/11/24 15:03 upstream ac3fd01e4c1e bf6fe8fe .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/11/15 13:13 upstream 7a0892d2836e f7988ea4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/10/26 16:51 upstream 72761a7e3122 c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/10/26 16:50 upstream 72761a7e3122 c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/10/23 18:28 upstream 43e9ad0c55a3 c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/10/21 10:24 upstream 6548d364a3e8 9832ed61 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/10/21 10:23 upstream 6548d364a3e8 9832ed61 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/09/09 00:33 upstream f777d1112ee5 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/08/20 03:55 upstream b19a97d57c15 79512909 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/08/17 03:27 upstream 90d970cade8e 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/07/27 09:39 upstream ec2df4364666 fb8f743d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/07/15 09:55 upstream 155a3c003e55 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/06/15 19:25 upstream 8c6bc74c7f89 5f4b362d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/06/14 23:07 upstream 4774cfe3543a 5f4b362d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/06/06 06:29 upstream e271ed52b344 6b6b5f21 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/05/21 00:04 upstream a5806cd506af b47f9e02 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in ext4_ext_remove_space
2025/05/08 03:40 upstream 707df3375124 dbf35fa1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/03/31 11:14 upstream aa918db707fb d3999433 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in ext4_ext_remove_space
2025/03/27 05:50 upstream 1e1ba8d23dae 20510e88 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2025/03/12 17:06 upstream 0fed89a961ea ee70e6db .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_ext_remove_space
2026/01/26 15:03 upstream 63804fed149a 55756628 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ext4_ext_remove_space
2025/12/02 17:02 upstream 4a26e7032d7d d1b870e1 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ext4_ext_remove_space
2025/11/04 07:18 upstream 8bb886cb8f3a 686bf657 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ext4_ext_remove_space
2025/10/23 08:21 upstream 43e9ad0c55a3 c0460fcd .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ext4_ext_remove_space
2025/09/30 03:27 upstream 449c2b302c8e 86341da6 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ext4_ext_remove_space
2025/07/22 06:46 upstream 89be9a83ccf1 1555463b .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ext4_ext_remove_space
2025/07/07 03:44 upstream 772b78c2abd8 4f67c4ae .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ext4_ext_remove_space
2025/06/26 06:10 upstream 92ca6c498a5e 26d77996 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in ext4_ext_remove_space
2025/10/12 17:32 linux-next 2b763d465239 ff1712fe .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in ext4_ext_remove_space
2026/01/14 10:50 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 59e4d31a0470 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
2026/01/08 18:36 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci e8c40f11c7b0 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
2025/12/01 00:36 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 05c93f3395ed d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
2025/11/25 16:30 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 3812f8fa7c83 64219f15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
2025/10/30 02:00 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b98c94eed4a9 fd2207e7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
2025/10/27 23:09 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci b98c94eed4a9 fd2207e7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
2025/09/27 17:35 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 2213e57a69f0 001c9061 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
2025/06/25 14:40 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 9aa9b43d689e 26d77996 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
2025/06/25 12:49 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 9aa9b43d689e 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
2025/06/10 10:29 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci d7fa1af5b33e 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
2025/02/23 18:28 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a1c24ab82279 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_ext_remove_space
* Struck through repros no longer work on HEAD.