[BUG] KASAN: use-after-free Read in ext4_find_extent

From: Xianying Wang

Date: Mon Jun 29 2026 - 02:11:42 EST


Hi,

I would like to report a KASAN use-after-free triggered by a syzkaller
reproducer in the ext4 filesystem writeback path.

The issue was observed on Linux 7.1-rc5 with KASAN enabled. The crash
happens in the background writeback worker while it is flushing dirty
pages from an ext4 filesystem mounted from a crafted image.

Based on the execution context, the issue appears to be related to the
interaction between corrupted ext4 inode metadata and the
writeback/extent mapping path. After the crafted image causes
ext4_reserve_inode_write() to detect a corrupt filesystem, dirty pages
still remain pending for writeback. When the background writeback
worker later tries to map blocks for these pages, ext4_find_extent()
appears to access a stale extent path, extent block, or metadata page
that has already been released.

So the suspected problem is that the ext4 error handling path after
corrupted inode metadata does not fully prevent later writeback from
walking invalid or freed extent metadata, which results in a
use-after-free in ext4_find_extent().

This can be reproduced on:

HEAD commit:    e7ae89a0c97ce2b68b0983cd01eda67cf373517d
report:         https://pastebin.com/raw/VRd13DKh
console output: https://pastebin.com/raw/GU72hhyf
kernel config:  https://pastebin.com/raw/fUwrL2uz
C reproducer:   https://pastebin.com/raw/7cc4hyXf

Let me know if you need more details or testing.

Best regards,

Xianying
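Userspace model of the error-path/writeback interaction the report suspects, added here as an illustration; it is not code from the report, the reproducer, or ext4 itself. All names (fake_inode, fake_ext_path, on_corrupt_metadata, writeback_naive, writeback_checked, the tracking allocator) are hypothetical. The tracking allocator stands in for KASAN's freed-object tracking, the corrupted flag stands in for whatever state the filesystem error path sets, and the -5 return models -EIO. The point it shows is the shape of the bug: an error path that releases extent metadata while dirty pages stay queued, and a later writeback worker that walks the released path unless it checks the error state first.

```c
/* Added example: a userspace model of "error path frees metadata, deferred
 * writeback still walks it". Hypothetical names throughout; not ext4 code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_TRACKED 64

/* Tracking allocator: remembers which objects were freed so a later access
 * can be flagged, the way KASAN reports a read of a freed object. Memory is
 * deliberately not returned to the system so the model can detect the stale
 * access instead of crashing. */
static void *tracked[MAX_TRACKED];
static bool tracked_freed[MAX_TRACKED];
static int ntracked;

static void *track_alloc(size_t sz)
{
    void *p = calloc(1, sz);
    if (!p || ntracked == MAX_TRACKED)
        abort();
    tracked[ntracked] = p;
    tracked_freed[ntracked] = false;
    ntracked++;
    return p;
}

static void track_free(void *p)
{
    for (int i = 0; i < ntracked; i++)
        if (tracked[i] == p)
            tracked_freed[i] = true;
}

static bool is_freed(const void *p)
{
    for (int i = 0; i < ntracked; i++)
        if (tracked[i] == p)
            return tracked_freed[i];
    return false;
}

/* Hypothetical stand-ins for the inode and its cached extent path. */
struct fake_ext_path {
    unsigned depth;
    unsigned long blocks[4];
};

struct fake_inode {
    bool corrupted;              /* set by the error path */
    bool dirty;                  /* pages still queued for writeback */
    struct fake_ext_path *path;  /* extent path the mapping code walks */
};

static void fake_inode_init(struct fake_inode *in)
{
    in->corrupted = false;
    in->dirty = true;
    in->path = track_alloc(sizeof(*in->path));
    in->path->depth = 2;
}

/* Error path: marks the inode corrupt and releases the extent path, but
 * leaves the dirty pages queued. This is the situation the report describes. */
static void on_corrupt_metadata(struct fake_inode *in)
{
    in->corrupted = true;
    track_free(in->path);
}

/* Naive writeback: maps blocks without consulting the error state.
 * Returns the walked depth, or -1 where KASAN would report a UAF read. */
static int writeback_naive(struct fake_inode *in)
{
    if (!in->dirty)
        return 0;
    if (is_freed(in->path))
        return -1;
    return (int)in->path->depth;
}

/* Checked writeback: refuses to walk extent metadata once the error path has
 * run, drops the pending pages, and fails the write with an EIO-like code. */
static int writeback_checked(struct fake_inode *in)
{
    if (!in->dirty)
        return 0;
    if (in->corrupted) {
        in->dirty = false;
        return -5; /* models -EIO */
    }
    if (is_freed(in->path))
        return -1;
    return (int)in->path->depth;
}

/* Healthy inode, no corruption: both variants walk the path normally. */
int run_clean(void)
{
    struct fake_inode in;
    fake_inode_init(&in);
    return writeback_naive(&in);
}

/* Corruption detected before the deferred writeback runs. */
int run_scenario(bool checked)
{
    struct fake_inode in;
    fake_inode_init(&in);
    on_corrupt_metadata(&in);
    return checked ? writeback_checked(&in) : writeback_naive(&in);
}

int main(void)
{
    printf("clean writeback depth:           %d\n", run_clean());
    printf("naive writeback after corrupt:   %d\n", run_scenario(false));
    printf("checked writeback after corrupt: %d\n", run_scenario(true));
    return 0;
}
```

The model only shows the ordering problem; which check the real fix needs (shutdown state, path invalidation, or cancelling the pending writeback) is exactly what the linked KASAN report and reproducer have to settle.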