Message-ID: <CALm_T+3QM_YMGV4XZ5ihKkkmbswgLgNBSXhMNHn+giZuz9TW6Q@mail.gmail.com>
Date: Thu, 6 Mar 2025 10:49:52 +0800
From: Luka <luka.2016.cs@...il.com>
To: "Theodore Ts'o" <tytso@....edu>, Andreas Dilger <adilger.kernel@...ger.ca>
Cc: linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Potential Linux Crash: WARNING in ext4_invalidate_folio in Linux kernel v6.13-rc5
Dear Linux Kernel Experts,
Hello!
I am a security researcher focused on testing Linux kernel
vulnerabilities. Recently, while testing the v6.13-rc5 Linux kernel,
we encountered a crash related to the fs/ext4 kernel module. We have
successfully captured the call trace information for this crash.
Unfortunately, we have not been able to reproduce the issue in our
local environment, so we are unable to provide a PoC (Proof of
Concept) at this time.
We fully understand the complexity and importance of Linux kernel
maintenance, and we would like to share this finding with you for
further analysis and confirmation of the root cause. Below is a
summary of the relevant information:
Kernel Version: v6.13.0-rc5
Kernel Module: fs/ext4/inode.c
————————————————CallTrace————————————————
WARNING: CPU: 2 PID: 295 at fs/ext4/inode.c:3210
ext4_invalidate_folio+0x88/0x190 fs/ext4/inode.c:3210
Modules linked in:
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:ext4_invalidate_folio+0x88/0x190 fs/ext4/inode.c:3210
Code: ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85
f2 00 00 00 48 8b 45 00 a9 00 00 01 00 74 09 e8 b9 c1 a1 ff 90 <0f> 0b
90 e8 b0 c1 a1 ff 4c 89 ea 4c 89 e6 48 89 df 5b 5d 41 5c 41
RSP: 0018:ffff888004c2f868 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffea00044e1400 RCX: ffffffff8ce543e7
RDX: ffff8881030e3300 RSI: 0000000000000008 RDI: ffff88811687cb28
RBP: ffff88811687cb28 R08: 0000000000000000 R09: ffffed1022d0f965
R10: ffff88811687cb2f R11: 0000000000032001 R12: 0000000000000000
R13: 0000000000001000 R14: ffff888004c2fae8 R15: ffff888004c2fb68
FS: 000055558187d480(0000) GS:ffff88811b300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002b325d907028 CR3: 0000000007746000 CR4: 0000000000350ef0
Call Trace:
<TASK>
folio_invalidate mm/truncate.c:126 [inline]
truncate_cleanup_folio+0x241/0x350 mm/truncate.c:146
truncate_inode_pages_range+0x1fd/0x880 mm/truncate.c:326
ext4_evict_inode+0x22d/0x1330 fs/ext4/inode.c:198
evict+0x337/0x7c0 fs/inode.c:796
iput_final fs/inode.c:1946 [inline]
iput fs/inode.c:1972 [inline]
iput+0x4c3/0x6a0 fs/inode.c:1958
do_unlinkat+0x4fa/0x690 fs/namei.c:4594
__do_sys_unlink fs/namei.c:4635 [inline]
__se_sys_unlink fs/namei.c:4633 [inline]
__x64_sys_unlink+0xbc/0x100 fs/namei.c:4633
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd4ce0d7b7b
Code: 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66
2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc04bc7738 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd4ce0d7b7b
RDX: 00007ffc04bc7760 RSI: 00007ffc04bc77f0 RDI: 00007ffc04bc77f0
RBP: 00007ffc04bc77f0 R08: 0000000000000000 R09: 00007ffc04bc75c0
audit: type=1326 audit(1737757667.836:10): auid=0 uid=0 gid=0 ses=4
subj=system_u:system_r:kernel_t:s0 pid=4049 comm="syz-executor.7"
exe="/syz-executor.7" sig=9 arch=c000003e syscall=231 compat=0
ip=0x7f16c19e842d code=0x0
R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffc04bc88d0
R13: 00007fd4ce19667b R14: 000000000000e790 R15: 000000000000000d
</TASK>
————————————————CallTrace————————————————
If you need more details or additional test results, please feel free
to let us know. Thank you so much for your attention! Please don't
hesitate to reach out if you have any suggestions or need further
communication.
Best regards,
Luka
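Triage note on the splat above, with an added example that is not part of Luka's report or of the kernel sources. The kernel-side "Code:" dump marks `<0f> 0b` at RIP, which is `ud2`, the trap x86 uses for WARN_ON()/WARN_ON_ONCE(); so this is a WARNING from the check at fs/ext4/inode.c:3210, not a memory fault, and the CR2 value in the dump is not the cause of the trap. The userspace dump marks `<48> 3d` immediately after `0f 05` (`syscall`) and `b8 57 00 00 00` (`mov eax, 0x57`), and ORIG_RAX is 0x57 = 87 = unlink on x86-64, which agrees with `__x64_sys_unlink` in the call trace. The `audit: type=1326 ... pid=4049 comm="syz-executor.7" ... syscall=231` line interleaved in the register dump is output from a different task (exit_group, SIGKILL) and is not part of this PID 295 warning. The script below parses the Code: and ORIG_RAX lines quoted above and performs those checks; the `SYSCALL_NAMES` table is a hand-picked subset of the x86-64 syscall table and the input strings are copied from the report, nothing else is assumed.

```python
"""Triage helper for x86-64 kernel splats: decode the "Code:" byte dump
and cross-check the syscall number. Added example, not kernel code."""
import re

# Input lines copied from the report above (kernel side at RIP 0010:...).
KERNEL_CODE = (
    "Code: ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 "
    "f2 00 00 00 48 8b 45 00 a9 00 00 01 00 74 09 e8 b9 c1 a1 ff 90 <0f> 0b "
    "90 e8 b0 c1 a1 ff 4c 89 ea 4c 89 e6 48 89 df 5b 5d 41 5c 41"
)
# Userspace side at RIP 0033:... (the return address after 'syscall').
USER_CODE = (
    "Code: 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 "
    "2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d "
    "01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48"
)
USER_RSP_LINE = "RSP: 002b:00007ffc04bc7738 EFLAGS: 00000206 ORIG_RAX: 0000000000000057"

# Hand-picked subset of arch/x86/entry/syscalls/syscall_64.tbl (assumption: only
# the numbers that appear in this report are listed).
SYSCALL_NAMES = {87: "unlink", 231: "exit_group"}


def parse_code_line(line: str):
    """Split a 'Code:' dump into its bytes and the index of the <bracketed>
    byte, which is the one RIP points at."""
    tokens = line.split("Code:", 1)[1].split()
    out = bytearray()
    rip_idx = None
    for tok in tokens:
        m = re.fullmatch(r"<?([0-9a-f]{2})>?", tok)
        if m is None:
            raise ValueError(f"bad token {tok!r} in Code: line")
        if tok.startswith("<"):
            rip_idx = len(out)
        out.append(int(m.group(1), 16))
    if rip_idx is None:
        raise ValueError("no <xx> marker in Code: line")
    return bytes(out), rip_idx


def classify_rip(code: bytes, rip_idx: int) -> str:
    """Say what the instruction bytes at RIP mean for triage."""
    if code[rip_idx:rip_idx + 2] == b"\x0f\x0b":
        return "ud2"            # WARN_ON()/BUG() trap on x86: a WARNING, not a fault
    if rip_idx >= 2 and code[rip_idx - 2:rip_idx] == b"\x0f\x05":
        return "after-syscall"  # userspace RIP is the return address past 'syscall'
    return "other"


def syscall_number_before_rip(code: bytes, rip_idx: int):
    """For a userspace dump whose RIP follows 'syscall' (0f 05), recover the
    syscall number from the preceding 'mov eax, imm32' (b8 imm32)."""
    if rip_idx < 7 or code[rip_idx - 2:rip_idx] != b"\x0f\x05":
        return None
    if code[rip_idx - 7] != 0xB8:
        return None
    return int.from_bytes(code[rip_idx - 6:rip_idx - 2], "little")


def orig_rax(line: str) -> int:
    """ORIG_RAX holds the syscall number on the entry path."""
    m = re.search(r"ORIG_RAX:\s*([0-9a-f]{16})", line)
    if m is None:
        raise ValueError("no ORIG_RAX in line")
    return int(m.group(1), 16)


def triage() -> dict:
    """Run the checks over the lines from the report and return the findings."""
    kcode, kidx = parse_code_line(KERNEL_CODE)
    ucode, uidx = parse_code_line(USER_CODE)
    nr_from_code = syscall_number_before_rip(ucode, uidx)
    nr_from_regs = orig_rax(USER_RSP_LINE)
    return {
        "kernel_rip": classify_rip(kcode, kidx),
        "user_rip": classify_rip(ucode, uidx),
        "syscall_from_code": nr_from_code,
        "syscall_from_orig_rax": nr_from_regs,
        "syscall_name": SYSCALL_NAMES.get(nr_from_regs, "?"),
        "consistent": nr_from_code == nr_from_regs,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run as-is to get `kernel_rip: ud2`, `user_rip: after-syscall` and `syscall_name: unlink`; a `kernel_rip` of `other` with a plausible CR2 would instead point at a real fault rather than a WARN, so this is a quick first filter before reading the trace.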