Dear Linux Kernel Experts,

Hello! I am a security researcher focused on testing Linux kernel vulnerabilities. Recently, while testing the v6.13-rc5 Linux kernel, we encountered a crash related to the fs/ext4 kernel module. We have successfully captured the call trace information for this crash. Unfortunately, we have not been able to reproduce the issue in our local environment, so we are unable to provide a PoC (Proof of Concept) at this time. We fully understand the complexity and importance of Linux kernel maintenance, and we would like to share this finding with you for further analysis and confirmation of the root cause.

Below is a summary of the relevant information:

Kernel Version: v6.13.0-rc5
Kernel Module: fs/ext4/extents.c

————————————————CallTrace————————————————
BUG: KASAN: slab-use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
BUG: KASAN: slab-use-after-free in ext4_find_extent+0x9b8/0xa00 fs/ext4/extents.c:955
I/O error, dev sr0, sector 1 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Read of size 4 at addr ffff888104c720ac by task kworker/u16:4/218
Buffer I/O error on dev sr0, logical block 1, async page read
CPU: 3 UID: 0 PID: 218 Comm: kworker/u16:4 Not tainted 6.13.0-rc5-00012-g0bc21e701a6f #2
EXT4-fs (loop5): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09.
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: writeback wb_workfn (flush-7:2)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x7b/0xa0 lib/dump_stack.c:120
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xce/0x660 mm/kasan/report.c:489
I/O error, dev sr0, sector 2 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Buffer I/O error on dev sr0, logical block 2, async page read
kasan_report+0xc6/0x100 mm/kasan/report.c:602
ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
ext4_find_extent+0x9b8/0xa00 fs/ext4/extents.c:955
ext4_ext_map_blocks+0x1bc/0x4e70 fs/ext4/extents.c:4205
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 3 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Buffer I/O error on dev sr0, logical block 3, async page read
ext4_map_create_blocks fs/ext4/inode.c:516 [inline]
ext4_map_blocks+0x3c8/0x11c0 fs/ext4/inode.c:702
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 4 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Buffer I/O error on dev sr0, logical block 4, async page read
mpage_map_one_extent fs/ext4/inode.c:2219 [inline]
mpage_map_and_submit_extent fs/ext4/inode.c:2272 [inline]
ext4_do_writepages+0x15b1/0x3040 fs/ext4/inode.c:2735
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 5 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Buffer I/O error on dev sr0, logical block 5, async page read
ext4_writepages+0x275/0x510 fs/ext4/inode.c:2824
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 6 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
do_writepages+0x197/0x7b0 mm/page-writeback.c:2702
Buffer I/O error on dev sr0, logical block 6, async page read
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 7 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Buffer I/O error on dev sr0, logical block 7, async page read
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Buffer I/O error on dev sr0, logical block 0, async page read
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
Buffer I/O error on dev sr0, logical block 1, async page read
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
__writeback_single_inode+0xe5/0x950 fs/fs-writeback.c:1680
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
writeback_sb_inodes+0x593/0xd00 fs/fs-writeback.c:1976
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
wb_writeback+0x188/0x790 fs/fs-writeback.c:2156
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
wb_do_writeback fs/fs-writeback.c:2303 [inline]
wb_workfn+0x1d2/0xa50 fs/fs-writeback.c:2343
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
process_one_work+0x61a/0x1050 kernel/workqueue.c:3229
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x8cc/0x1160 kernel/workqueue.c:3391
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
kthread+0x25a/0x330 kernel/kthread.c:389
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
</TASK>

Allocated by task 119:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6e/0x70 mm/kasan/common.c:345
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4119 [inline]
slab_alloc_node mm/slub.c:4168 [inline]
kmem_cache_alloc_noprof+0xf5/0x360 mm/slub.c:4175
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
getname_flags.part.0+0x48/0x4e0 fs/namei.c:139
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
getname_flags include/linux/audit.h:322 [inline]
getname+0x84/0xd0 fs/namei.c:223
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
do_sys_openat2+0xfb/0x1a0 fs/open.c:1396
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__x64_sys_openat+0x16b/0x210 fs/open.c:1428
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
————————————————CallTrace————————————————

If you need more details or additional test results, please feel free to let us know. Thank you so much for your attention! Please don't hesitate to reach out if you have any suggestions or need further communication.

Best regards,
Luka
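The trace above is hard to triage because unrelated sr0 I/O errors from another CPU are interleaved with the KASAN frames. The following parser is an added example, not code from the reporter or from the kernel tree: it splits a KASAN report into its bug line, access line, call trace and "Allocated by"/"Freed by" stacks, and sets aside every line it does not recognise as report structure. The regexes follow the standard KASAN report layout; the helper names (parse_kasan_report, subsystem_frames, KasanReport) and the handling of a "Freed by task" stack, which this report does not contain, are this example's own. The sample input is a shortened excerpt of the report above with the noise lines kept in place.

```python
"""Pull a KASAN report out of a noisy dmesg capture (added example).

Separates the KASAN bug line, access line, call trace and allocation/free
stacks from unrelated log lines such as the sr0 I/O errors interleaved
with the trace in the report above. Helper names are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Patterns follow the KASAN report layout: bug line, access line, frames, stacks.
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)"
                    r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+:\d+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME_RE = re.compile(r"^(?P<sym>[\w.]+)(?P<off>\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?: (?P<loc>[\w/.-]+:\d+))?(?P<inline> \[inline\])?$")
STACK_RE = re.compile(r"(?P<what>Allocated|Freed) by task (?P<task>\S+):")


@dataclass
class KasanReport:
    kind: str = ""      # e.g. slab-use-after-free
    func: str = ""      # innermost (possibly inlined) faulting function
    loc: str = ""       # file:line of that function
    op: str = ""        # Read or Write
    size: int = 0
    addr: str = ""
    task: str = ""      # task that performed the bad access
    trace: list = field(default_factory=list)        # (symbol, file:line, inlined)
    allocated_by: str = ""
    alloc_stack: list = field(default_factory=list)
    freed_by: str = ""
    free_stack: list = field(default_factory=list)
    other: list = field(default_factory=list)        # lines that are not report structure


def parse_kasan_report(text: str) -> KasanReport:
    """Classify every non-empty line of `text` as report structure or noise."""
    rep = KasanReport()
    section = "header"  # header -> trace -> header -> alloc / free
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BUG_RE.search(line)
        if m:
            if not rep.kind:  # the first BUG line names the innermost frame
                rep.kind, rep.func, rep.loc = m["kind"], m["func"], m["loc"]
            continue
        m = ACCESS_RE.search(line)
        if m:
            rep.op, rep.size = m["op"], int(m["size"])
            rep.addr, rep.task = m["addr"], m["task"]
            continue
        if line in ("Call Trace:", "<TASK>"):
            section = "trace"
            continue
        if line == "</TASK>":
            section = "header"
            continue
        m = STACK_RE.match(line)
        if m:
            section = "alloc" if m["what"] == "Allocated" else "free"
            if section == "alloc":
                rep.allocated_by = m["task"]
            else:
                rep.freed_by = m["task"]
            continue
        m = FRAME_RE.match(line)
        if m and (m["off"] or m["loc"]):  # a bare word is not a frame
            frame = (m["sym"], m["loc"] or "", bool(m["inline"]))
            {"trace": rep.trace, "alloc": rep.alloc_stack,
             "free": rep.free_stack}.get(section, []).append(frame)
            continue
        if line.startswith(("CPU:", "Hardware name:", "Workqueue:")):
            continue  # report metadata this example does not extract
        rep.other.append(line)
    return rep


def subsystem_frames(rep: KasanReport, prefix: str) -> list:
    """Frames of the faulting call trace whose source file lives under `prefix`."""
    return [f for f in rep.trace if f[1].startswith(prefix)]


# Constructed sample: a shortened excerpt of the report above, noise lines kept.
SAMPLE = """\
BUG: KASAN: slab-use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
BUG: KASAN: slab-use-after-free in ext4_find_extent+0x9b8/0xa00 fs/ext4/extents.c:955
I/O error, dev sr0, sector 1 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Read of size 4 at addr ffff888104c720ac by task kworker/u16:4/218
Buffer I/O error on dev sr0, logical block 1, async page read
CPU: 3 UID: 0 PID: 218 Comm: kworker/u16:4 Not tainted 6.13.0-rc5-00012-g0bc21e701a6f #2
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x7b/0xa0 lib/dump_stack.c:120
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
kasan_report+0xc6/0x100 mm/kasan/report.c:602
ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
ext4_find_extent+0x9b8/0xa00 fs/ext4/extents.c:955
ext4_ext_map_blocks+0x1bc/0x4e70 fs/ext4/extents.c:4205
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
ext4_map_blocks+0x3c8/0x11c0 fs/ext4/inode.c:702
ext4_do_writepages+0x15b1/0x3040 fs/ext4/inode.c:2735
wb_workfn+0x1d2/0xa50 fs/fs-writeback.c:2343
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 119:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
kmem_cache_alloc_noprof+0xf5/0x360 mm/slub.c:4175
getname_flags.part.0+0x48/0x4e0 fs/namei.c:139
__x64_sys_openat+0x16b/0x210 fs/open.c:1428
entry_SYSCALL_64_after_hwframe+0x77/0x7f
"""

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE)
    print(f"{r.kind} in {r.func} ({r.loc}): {r.op} of {r.size} bytes by {r.task}")
    print("ext4 frames:", [s for s, _, _ in subsystem_frames(r, "fs/ext4/")])
    print("allocated by task", r.allocated_by, "via", r.alloc_stack[-1][0])
    print(len(r.other), "unrelated log lines set aside")
```

Running it on the sample prints the faulting function and access, the five fs/ext4 frames between kasan_report and the writeback path, the allocation path ending in the openat syscall entry, and the count of sr0 lines that were filtered out. The same parser applied to the full report above gives a reviewer the allocation-by-openat versus access-by-writeback pairing without having to read past the interleaved I/O noise by hand.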