Message-ID: <c6ac5a28-d680-43b4-ab66-f719edb84ab1@kernel.org>
Date: Sat, 10 Jan 2026 09:35:40 +0800
From: Chao Yu <chao@...nel.org>
To: 白烁冉 <baishuoran@...eu.edu.cn>,
Jaegeuk Kim <jaegeuk@...nel.org>
Cc: chao@...nel.org, Kun Hu <huk23@...udan.edu.cn>,
Jiaji Qin <jjtan24@...udan.edu.cn>, linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com
Subject: Re: WARNING: duplicate kmem_cache creation in f2fs_init_xattr_caches on mount failure
On 1/9/2026 6:14 PM, 白烁冉 wrote:
> Dear Maintainers,
>
> When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash was triggered.
Hi, Shuoran,
I can see the bug was triggered in 6.16.0-rc7 instead of the latest kernel;
could you please test with the latest kernel? I suspect the bug has already
been fixed by the patch below.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f27ef42bb0b7c0740c5616ec577ec188b8a1d05
Thanks,
>
> HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
> git tree: upstream
> Output: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/2%20BUG%3A%20spinlock%20bad%20magic%20in%20wg_index_hashtable_insert/2report.txt
> Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0219_6.13rc7_todo/config.txt
> C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/2%20BUG%3A%20spinlock%20bad%20magic%20in%20wg_index_hashtable_insert/2repro.c
> Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/2%20BUG%3A%20spinlock%20bad%20magic%20in%20wg_index_hashtable_insert/2repro.c
>
> This warning is triggered in __kmem_cache_create_args() at mm/slab_common.c:307, when attempting to create a slab cache named f2fs_xattr_entry-7:3 that already exists.
> The call originates from the F2FS mount path, specifically f2fs_init_xattr_caches() at fs/f2fs/xattr.c:843 (via f2fs_kmem_cache_create() at fs/f2fs/f2fs.h:2926).
> This indicates that, when f2fs_fill_super() aborts the mount due to an invalid superblock, the error handling path may fail to properly destroy the previously created xattr caches, leading to a second attempt to create a slab cache with the same name during a subsequent mount.
> We have reproduced this issue several times on 6.16-rc7 again.
>
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Kun Hu <huk23@...udan.edu.cn>, Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn>
>
> kmem_cache of name 'f2fs_xattr_entry-7:3' already exists
> WARNING: CPU: 0 PID: 10175 at mm/slab_common.c:109 kmem_cache_sanity_check mm/slab_common.c:109 [inline]
> WARNING: CPU: 0 PID: 10175 at mm/slab_common.c:109 __kmem_cache_create_args+0xa9/0x360 mm/slab_common.c:307
> Modules linked in:
> CPU: 0 UID: 0 PID: 10175 Comm: syz-executor284 Not tainted 6.16.0-rc7 #4 PREEMPT(full)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]
> RIP: 0010:__kmem_cache_create_args+0xa9/0x360 mm/slab_common.c:307
> Code: 98 48 3d 30 28 03 87 74 25 48 8b 7d 60 4c 89 e6 e8 0c b5 e2 03 85 c0 75 e0 90 48 c7 c7 b0 67 89 86 4c 89 e6 e8 28 35 c4 ff 90 <0f> 0b 90 90 be 20 00 00 00 4c 89 e7 e8 66 b5 e2 03 48 85 c0 0f 85
> RSP: 0018:ffa000000f5dbc28 EFLAGS: 00010296
> RAX: 0000000000000000 RBX: 0000000000040000 RCX: ffffffff81465fc2
> RDX: 0000000000000000 RSI: ff110000123e0000 RDI: 0000000000000002
> RBP: ff11000015631f00 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000000 R12: ffa000000f5dbc88
> R13: 00000000000000cc R14: ffa000000f5dbc68 R15: ff1100001b654000
> FS: 0000555569202880(0000) GS:ff110000b5156000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f846c5f5000 CR3: 0000000043110000 CR4: 0000000000751ef0
> PKRU: 55555554
> Call Trace:
> <TASK>
> __kmem_cache_create include/linux/slab.h:353 [inline]
> f2fs_kmem_cache_create fs/f2fs/f2fs.h:2926 [inline]
> f2fs_init_xattr_caches+0x81/0xb0 fs/f2fs/xattr.c:843
> f2fs_fill_super+0x12b9/0x3ba0 fs/f2fs/super.c:4677
> mount_bdev+0x12c/0x190 fs/super.c:1738
> legacy_get_tree+0x37/0xb0 fs/fs_context.c:666
> vfs_get_tree+0x31/0x140 fs/super.c:1804
> do_new_mount fs/namespace.c:3902 [inline]
> path_mount+0xb16/0x1070 fs/namespace.c:4226
> do_mount+0x5f/0x90 fs/namespace.c:4239
> __do_sys_mount fs/namespace.c:4450 [inline]
> __se_sys_mount fs/namespace.c:4427 [inline]
> __x64_sys_mount+0x1e5/0x280 fs/namespace.c:4427
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xc1/0x480 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f84745e3f4e
> Code: 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffd11804a88 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f84745e3f4e
> RDX: 00000000200004c0 RSI: 0000000020000040 RDI: 00007ffd11804ad0
> RBP: 00007ffd11804ad0 R08: 00007ffd11804b10 R09: 0000000000000000
> R10: 0000000002008410 R11: 0000000000000286 R12: 0000000000000003
> R13: 00007ffd11804b10 R14: 0000555569202840 R15: 0000000002008410
> </TASK>
> 2026/01/09 17:15:23 reproducing crash 'BUG: spinlock bad magic in wg_index_hashtable_insert': final repro crashed as (corrupted=false):
> F2FS-fs (loop3): Invalid log_blocksize (268), supports only 12
> F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock
> ------------[ cut here ]------------
> kmem_cache of name 'f2fs_xattr_entry-7:3' already exists
>
> ------------------------------
> thanks,
> Kun Hu
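A user-space model of the cache lifecycle the report describes, added here as an illustration and not taken from the kernel or from this thread: f2fs registers a kmem_cache named after the device (here 7:3, i.e. loop3), and if fill_super aborts without destroying it, the next mount of the same device trips the duplicate-name WARN. The registry, cache_create/cache_destroy and the leak_on_error switch are this example's own constructions; the real fix linked above is not reproduced here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Stand-ins for the slab cache list and the kmem_cache_sanity_check() WARN. */
#define MAX_CACHES 16
static char registry[MAX_CACHES][64]; /* "" marks a free slot */
static int warnings;

static int cache_find(const char *name) {
    for (int i = 0; i < MAX_CACHES; i++)
        if (strcmp(registry[i], name) == 0) return i;
    return -1;
}

/* Model of kmem_cache_create(): a duplicate name is the kernel's WARN case. */
static bool cache_create(const char *name) {
    if (cache_find(name) >= 0) {
        warnings++;
        printf("kmem_cache of name '%s' already exists\n", name);
        return false;
    }
    int slot = cache_find("");
    if (slot < 0) return false;
    strcpy(registry[slot], name);
    return true;
}

static void cache_destroy(const char *name) {
    int slot = cache_find(name);
    if (slot >= 0) registry[slot][0] = '\0';
}

/* Model of f2fs_fill_super(): register the per-device xattr cache, then validate
 * the superblock. leak_on_error=true is the reported bug; false unwinds on error. */
static int fill_super(unsigned major, unsigned minor, bool valid_sb, bool leak_on_error) {
    char name[64];
    snprintf(name, sizeof name, "f2fs_xattr_entry-%u:%u", major, minor);
    if (!cache_create(name)) return -1;
    if (!valid_sb) {
        if (!leak_on_error) cache_destroy(name);
        return -1;
    }
    cache_destroy(name); /* normal put_super */
    return 0;
}

/* Mount the same invalid image on loop3 (7:3) twice; returns the WARN count. */
int mount_twice(bool leak_on_error) {
    memset(registry, 0, sizeof registry); warnings = 0;
    fill_super(7, 3, false, leak_on_error);
    fill_super(7, 3, false, leak_on_error);
    return warnings;
}
```

With the leak modelled, the second mount reports the duplicate exactly as in the trace; with the error path unwound, both mounts fail cleanly and no WARN fires.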