lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CANypQFbytMi2F2==XxAK5QuJw5NnS3d2OrnjdYTjqvRA3vqG4g@mail.gmail.com>
Date: Tue, 20 Jan 2026 20:12:47 +0800
From: Jiaming Zhang <r772577952@...il.com>
To: cem@...nel.org, linux-xfs@...r.kernel.org
Cc: brauner@...nel.org, "Darrick J. Wong" <djwong@...nel.org>, linux-kernel@...r.kernel.org, 
	mjguzik@...il.com, syzkaller@...glegroups.com
Subject: [Linux Kernel Bug] general protection fault in xchk_metadata_inode_forks

Dear Linux kernel developers and maintainers,

We are writing to report a general protection fault discovered in the
xfs subsystem with our generated syzkaller specifications. This issue
is reproducible on the latest version of linux (v6.19-rc6, commit
24d479d26b25bce5faea3ddd9fa8f3a6c3129ea7). The KASAN report from
kernel is listed below (formatted by syz-symbolize):

---

loop2: detected capacity change from 0 to 32768
xfs: Deprecated parameter 'ikeep'
XFS: ikeep mount option is deprecated.
XFS (loop2): Mounting V5 Filesystem 9f91832a-3b79-45c3-9d6d-ed0bc7357fe4
XFS (loop2): Ending clean mount
XFS (loop2): Quotacheck needed: Please wait.
XFS (loop2): Quotacheck: Done.
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 13187 Comm: syz.2.19 Not tainted 6.19.0-rc6 #31 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:xchk_metadata_inode_subtype fs/xfs/scrub/common.c:1398 [inline]
RIP: 0010:xchk_metadata_inode_forks+0xf3/0x8f0 fs/xfs/scrub/common.c:1418
Code: 00 00 00 48 8b 7c 24 08 be 0b 00 00 00 e8 25 c8 03 00 49 89 c7
4c 8d 60 10 4c 89 e0 48 c1 e8 03 49 bd 00 00 00 00 00 fc ff df <42> 80
3c 28 00 74 08 4c 89 e7 e8 5e 4b a0 fe 4d 8b 24 24 49 83 c4
RSP: 0018:ffffc9000a6af2a0 EFLAGS: 00010247
RAX: 0000000000000000 RBX: ffff888046c67c08 RCX: ffff888000361ec0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88801a441b40
RBP: ffffc9000a6af370 R08: 0000000000006dc0 R09: 00000000ffffffff
R10: dffffc0000000000 R11: fffffbfff1c0d107 R12: 0000000000000004
R13: dffffc0000000000 R14: 1ffff11008d8cf81 R15: fffffffffffffff4
FS:  00007f5877ffe640(0000) GS:ffff8880ec5e0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f627486f000 CR3: 0000000026294000 CR4: 0000000000752ef0
PKRU: 00000000
Call Trace:
 <TASK>
 xchk_quota_data_fork+0xd0/0x5e0 fs/xfs/scrub/quota.c:271
 xchk_quota+0x193/0x420 fs/xfs/scrub/quota.c:314
 xfs_scrub_metadata+0xc08/0x1920 fs/xfs/scrub/scrub.c:-1
 xfs_ioc_scrubv_metadata+0x74a/0xaf0 fs/xfs/scrub/scrub.c:981
 xfs_file_ioctl+0x751/0x1560 fs/xfs/xfs_ioctl.c:1266
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f58789b459d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5877ffdf98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f5878c45fa0 RCX: 00007f58789b459d
RDX: 00002000000000c0 RSI: 00000000c0285840 RDI: 0000000000000004
RBP: 00007f5877ffe010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007f5878c46038 R14: 00007f5878c45fa0 R15: 00007f5877fde000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:xchk_metadata_inode_subtype fs/xfs/scrub/common.c:1398 [inline]
RIP: 0010:xchk_metadata_inode_forks+0xf3/0x8f0 fs/xfs/scrub/common.c:1418
Code: 00 00 00 48 8b 7c 24 08 be 0b 00 00 00 e8 25 c8 03 00 49 89 c7
4c 8d 60 10 4c 89 e0 48 c1 e8 03 49 bd 00 00 00 00 00 fc ff df <42> 80
3c 28 00 74 08 4c 89 e7 e8 5e 4b a0 fe 4d 8b 24 24 49 83 c4
RSP: 0018:ffffc9000a6af2a0 EFLAGS: 00010247
RAX: 0000000000000000 RBX: ffff888046c67c08 RCX: ffff888000361ec0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88801a441b40
RBP: ffffc9000a6af370 R08: 0000000000006dc0 R09: 00000000ffffffff
R10: dffffc0000000000 R11: fffffbfff1c0d107 R12: 0000000000000004
R13: dffffc0000000000 R14: 1ffff11008d8cf81 R15: fffffffffffffff4
FS:  00007f5877ffe640(0000) GS:ffff8880ec5e0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f62748ab000 CR3: 0000000026294000 CR4: 0000000000752ef0
PKRU: 00000000
----------------
Code disassembly (best guess):
   0: 00 00                 add    %al,(%rax)
   2: 00 48 8b              add    %cl,-0x75(%rax)
   5: 7c 24                 jl     0x2b
   7: 08 be 0b 00 00 00     or     %bh,0xb(%rsi)
   d: e8 25 c8 03 00        call   0x3c837
  12: 49 89 c7              mov    %rax,%r15
  15: 4c 8d 60 10           lea    0x10(%rax),%r12
  19: 4c 89 e0              mov    %r12,%rax
  1c: 48 c1 e8 03           shr    $0x3,%rax
  20: 49 bd 00 00 00 00 00  movabs $0xdffffc0000000000,%r13
  27: fc ff df
* 2a: 42 80 3c 28 00        cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f: 74 08                 je     0x39
  31: 4c 89 e7              mov    %r12,%rdi
  34: e8 5e 4b a0 fe        call   0xfea04b97
  39: 4d 8b 24 24           mov    (%r12),%r12
  3d: 49                    rex.WB
  3e: 83                    .byte 0x83
  3f: c4                    .byte 0xc4

---

The root cause of this issue is that the function
xchk_metadata_inode_subtype() calls xchk_scrub_create_subord(), which
may return ERR_PTR(-ENOMEM). However, the function does not check
validity of the returned value and directly dereferences it
(https://github.com/torvalds/linux/blob/v6.19-rc6/fs/xfs/scrub/common.c#L1397-L1398),
leading to a system crash.

We can fix this issue by checking validity of return value:
```
--- a/fs/xfs/scrub/common.c
+++ b/fs/xfs/scrub/common.c
@@ -1395,6 +1395,9 @@ xchk_metadata_inode_subtype(
  int     error;

  sub = xchk_scrub_create_subord(sc, scrub_type);
+ if (IS_ERR(sub))
+   return PTR_ERR(sub);
+
  error = sub->sc.ops->scrub(&sub->sc);
  xchk_scrub_free_subord(sub);
  return error;
```

After applying the above changes, the reproducer ran for ~25 minutes
without triggering any issues.

If the above solutions are acceptable, we are happy to submit patches :)

The kernel console output, kernel config, and syzkaller reproducer are
also attached to help with analysis.

Please let me know if any further information is required.

Best Regards,
Jiaming Zhang

Download attachment "report" of type "application/octet-stream" (4677 bytes)

Download attachment "repro.syz" of type "application/octet-stream" (51751 bytes)

View attachment ".config" of type "text/xml" (273663 bytes)

Download attachment "kernel.log" of type "application/octet-stream" (231892 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ