Dear Linux Kernel Experts, Hello! I am a security researcher focused on testing Linux kernel vulnerabilities. Recently, while testing the v6.13-rc5 Linux kernel, we encountered a crash related to the fs/ext4 kernel module. We have successfully captured the call trace information for this crash. Unfortunately, we have not been able to reproduce the issue in our local environment, so we are unable to provide a PoC (Proof of Concept) at this time. We fully understand the complexity and importance of Linux kernel maintenance, and we would like to share this finding with you for further analysis and confirmation of the root cause. Below is a summary of the relevant information: Kernel Version: v6.13.0-rc5 Kernel Module: fs/ext4/extents.c ————————————————CallTrace———————————————— BUG: KASAN: use-after-free in ext4_ext_rm_leaf fs/ext4/extents.c:2623 [inline] BUG: KASAN: use-after-free in ext4_ext_remove_space+0x3401/0x37f0 fs/ext4/extents.c:2961 Read of size 4 at addr ffff888116add7f8 by task syz-executor.5/9417 CPU: 2 UID: 0 PID: 9417 Comm: syz-executor.5 Not tainted 6.13.0-rc5-00012-g0bc21e701a6f #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x7b/0xa0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xce/0x660 mm/kasan/report.c:489 kasan_report+0xc6/0x100 mm/kasan/report.c:602 ext4_ext_rm_leaf fs/ext4/extents.c:2623 [inline] ext4_ext_remove_space+0x3401/0x37f0 fs/ext4/extents.c:2961 ext4_ext_truncate+0x1c6/0x260 fs/ext4/extents.c:4466 ext4_truncate+0x6bb/0xea0 fs/ext4/inode.c:4217 ext4_evict_inode+0x64c/0x1330 fs/ext4/inode.c:263 evict+0x337/0x7c0 fs/inode.c:796 iput_final fs/inode.c:1946 [inline] iput fs/inode.c:1972 [inline] iput+0x4c3/0x6a0 fs/inode.c:1958 do_unlinkat+0x4fa/0x690 fs/namei.c:4594 __do_sys_unlink fs/namei.c:4635 [inline] __se_sys_unlink fs/namei.c:4633 [inline] __x64_sys_unlink+0xbc/0x100 fs/namei.c:4633 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f381a667b7b Code: 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffec5a26028 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f381a667b7b RDX: 00007ffec5a26050 RSI: 00007ffec5a260e0 RDI: 00007ffec5a260e0 RBP: 00007ffec5a260e0 R08: 0000000000000000 R09: 00007ffec5a25eb0 R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffec5a271e0 R13: 00007f381a72667b R14: 000000000002b7da R15: 000000000000001d </TASK> ————————————————CallTrace———————————————— If you need more details or additional test results, please feel free to let us know. Thank you so much for your attention! Please don't hesitate to reach out if you have any suggestions or need further communication. Best regards, Luka
