Hello maintainers, This is a bug report for a kernel BUG found by Syzkaller on the XFS filesystem. The crash occurs on kernel 6.16.0-rc6 at git commit 155a3c003e55. It is an assertion failure in xfs_iwalk_args.constprop.0() at fs/xfs/xfs_iwalk.c:548; the assertion that fails is !(flags & ~XFS_IWALK_FLAGS_ALL). It is reached from userspace through the XFS_IOC_INUMBERS ioctl (0x80405880): the call chain in the trace is xfs_ioc_inumbers -> xfs_inumbers -> xfs_inobt_walk -> xfs_iwalk_args, so a flags value derived from the user-supplied request is getting past the ioctl's own argument validation and into the inode-btree walker, which rejects bits outside XFS_IWALK_FLAGS_ALL with an ASSERT. In the reproducer below the request buffer holds 0x8000000000000005 at offset 8; if I read the request struct layout right, that lands on the 32-bit flags field (0x5) and on the 32-bit field after it (0x80000000) -- please double-check which of the two the walker objects to. Two caveats on impact: the BUG comes from assfail(), i.e. an XFS ASSERT, so it should only panic on kernels built with CONFIG_XFS_DEBUG (and bug_on_assert set); on a non-debug kernel the same input presumably goes through unchecked, which may be worth looking at separately. The reproducer here ran as UID 0, and I have not checked whether this ioctl needs any capability, so whether this is an unprivileged local DoS on debug kernels still needs confirming. Here is the full kernel oops log: ================================================================ kernel BUG at fs/xfs/xfs_message.c:102! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 3 UID: 0 PID: 281 Comm: syz-executor167 Not tainted 6.16.0-rc6-00002-g155a3c003e55 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:assfail+0x9d/0xa0 fs/xfs/xfs_message.c:102 Code: 75 22 e8 76 88 3a ff 90 0f 0b 90 5b 5d 41 5c 41 5d e9 87 2d 78 02 48 c7 c7 78 af c3 89 e8 eb 59 6f ff eb ca e8 54 88 3a ff 90 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f RSP: 0018:ffff8881107877c0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff86122a6c RDX: ffff8881114e9e80 RSI: 0000000000000000 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10220f0e8d R10: 0000000000000001 R11: 737341203a534658 R12: ffffffff88bcbee0 R13: 0000000000000224 R14: ffffffff8611baf0 R15: 0000000000000000 FS: 00005555560fd3c0(0000) GS:ffff8882652aa000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000010 CR3: 000000012023a000 CR4: 00000000000006f0 Call Trace: <TASK> xfs_iwalk_args.constprop.0+0x325/0x3e0 fs/xfs/xfs_iwalk.c:548 xfs_inobt_walk+0x11c/0x170 fs/xfs/xfs_iwalk.c:758 xfs_inumbers+0x294/0x3a0 fs/xfs/xfs_itable.c:471 xfs_ioc_inumbers.constprop.0+0x1d1/0x2b0 fs/xfs/xfs_ioctl.c:340 xfs_file_ioctl+0x11b1/0x1c40 fs/xfs/xfs_ioctl.c:1241 vfs_ioctl fs/ioctl.c:51 [inline] 
__do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa8/0x270 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f444b67600d Code: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffbb37fa88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fffbb37fc88 RCX: 00007f444b67600d RDX: 0000000020000080 RSI: 0000000080405880 RDI: 0000000000000004 RBP: 0000000000000001 R08: 0000000000000000 R09: 00007fffbb37fc88 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007fffbb37fc78 R14: 00007f444b6f3530 R15: 0000000000000001 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:assfail+0x9d/0xa0 fs/xfs/xfs_message.c:102 Code: 75 22 e8 76 88 3a ff 90 0f 0b 90 5b 5d 41 5c 41 5d e9 87 2d 78 02 48 c7 c7 78 af c3 89 e8 eb 59 6f ff eb ca e8 54 88 3a ff 90 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f RSP: 0018:ffff8881107877c0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff86122a6c RDX: ffff8881114e9e80 RSI: 0000000000000000 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10220f0e8d R10: 0000000000000001 R11: 737341203a534658 R12: ffffffff88bcbee0 R13: 0000000000000224 R14: ffffffff8611baf0 R15: 0000000000000000 FS: 00005555560fd3c0(0000) GS:ffff8882652aa000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000010 CR3: 000000012023a000 CR4: 00000000000006f0 journal-offline (282) used greatest stack depth: 25016 bytes left ================================================================ Below is a C reproducer generated by Syzkaller: 
================================================================ // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include <endian.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/syscall.h> #include <sys/types.h> #include <unistd.h> uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul); intptr_t res = 0; memcpy((void*)0x20000000, "/mnt/xfs/testdir\000", 17); syscall(__NR_open, /*dir=*/0x20000000ul, /*flags=*/0x8441ul, /*mode=*/0ul); memcpy((void*)0x20000040, "/mnt/xfs/testdir\000", 17); res = syscall(__NR_open, /*dir=*/0x20000040ul, /*flags=*/0ul, /*mode=*/0ul); if (res != -1) r[0] = res; *(uint64_t*)0x20000080 = 0; *(uint64_t*)0x20000088 = 0x8000000000000005; *(uint64_t*)0x20000090 = 0; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x80405880, /*arg=*/0x20000080ul); return 0; } ================================================================ Best regards, Cen Zhang