Hello,

I am writing to report a potential vulnerability identified in the Linux Kernel version 6.13.0-rc2. This issue was discovered using our custom vulnerability discovery tool.

HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
Affected File: fs/ext4/inode.c
File: fs/ext4/inode.c
Function: ext4_writepages

Detailed Call Stack:

------------[ cut here begin]------------
kernel BUG at fs/ext4/inode.c:2732!
invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 2 PID: 9 Comm: kworker/u8:0 Not tainted 5.15.169 #1
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: writeback wb_workfn (flush-7:5)
RIP: 0010:ext4_writepages+0x2832/0x32f0 fs/ext4/inode.c:2732
Code: d1 ff e9 cd e6 ff ff e8 6c c0 a2 ff 0f 0b 8b 84 24 bc 00 00 00 4c 8b 74 24 38 31 db 89 44 24 18 e9 5b fa ff ff e8 4e c0 a2 ff <0f> 0b e8 47 c0 a2 ff 0f b6 ac 24 0b 01 00 00 89 5c 24 18 e9 2a ea
RSP: 0018:ffff8881009773f0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff819f9669
RDX: ffff888100968000 RSI: ffffffff819faf02 RDI: 0000000000000007
RBP: ffff888007c458a0 R08: 0000000000000000 R09: ffff888007c458a7
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffff888101d08000 R14: ffff888007c45af0 R15: 00000000000000bc
FS:  0000000000000000(0000) GS:ffff88811af00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffca25eaff8 CR3: 0000000021b40000 CR4: 0000000000350ee0
9pnet: p9_fd_create_tcp (13248): problem connecting socket to 127.0.0.1
Call Trace:
 <TASK>
 do_writepages+0x22a/0x770 mm/page-writeback.c:2386
 __writeback_single_inode+0x10a/0xae0 fs/fs-writeback.c:1647
 writeback_sb_inodes+0x566/0xfd0 fs/fs-writeback.c:1930
 wb_writeback+0x281/0x920 fs/fs-writeback.c:2104
 wb_do_writeback fs/fs-writeback.c:2247 [inline]
 wb_workfn+0x1a4/0xeb0 fs/fs-writeback.c:2288
 process_one_work+0xa3d/0x15a0 kernel/workqueue.c:2310
 worker_thread+0x62e/0x1330 kernel/workqueue.c:2457
 kthread+0x3c3/0x4a0 kernel/kthread.c:334
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
------------[ cut here end]------------

Root Cause:

The crash is triggered by a kernel bug within the Ext4 filesystem's inode handling, specifically at line 2732 in fs/ext4/inode.c. The ext4_writepages function attempts to execute an invalid opcode (0x0000), which is indicative of corrupted or uninitialized code. This invalid opcode likely results from memory corruption or improper handling of inode structures during the writeback process. The KernelAddressSanitizer (KASAN) has detected a null pointer dereference in the range [0x40-0x47], suggesting that a critical pointer within the Ext4 inode or related structures was either not properly initialized or was corrupted before the write operation. The issue manifests during the writeback workqueue (wb_workfn), where the kernel attempts to flush inodes to disk. Additionally, the presence of a message related to 9pnet: p9_fd_create_tcp indicates potential interactions with network filesystem operations, which might exacerbate or contribute to the memory corruption. Consequently, when the Ext4 subsystem tries to process these corrupted inodes, it executes invalid instructions, leading to a kernel panic and system crash. This highlights a serious flaw in the Ext4 writeback mechanism, potentially caused by concurrent operations, faulty memory management, or bugs in related filesystem interactions.

Thank you for your time and attention.

Best regards,
Wall
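The first thing a triager does with a report like the one above is pull the structured facts out of the oops text: the `kernel BUG at` site, the die kind and counter, the kernel version and taint state from the `CPU:` line, the faulting function from `RIP:`, and the call trace as an ordered list of frames. The parser below is an added example written for this page (not part of the report or of the kernel tree). It assumes the standard x86-64 oops layout with one frame per line, as the kernel prints it; the sample input is the report's own trace reflowed that way, with the register dump left out. It also includes a small check that compares the version string inside the oops with the version a report claims, which is a routine consistency step before any analysis of the crash itself.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the trace from the report above, one frame per line as
# the kernel prints it, register dump omitted.
SAMPLE_OOPS = """\
------------[ cut here ]------------
kernel BUG at fs/ext4/inode.c:2732!
invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 2 PID: 9 Comm: kworker/u8:0 Not tainted 5.15.169 #1
Workqueue: writeback wb_workfn (flush-7:5)
RIP: 0010:ext4_writepages+0x2832/0x32f0 fs/ext4/inode.c:2732
Call Trace:
 <TASK>
 do_writepages+0x22a/0x770 mm/page-writeback.c:2386
 __writeback_single_inode+0x10a/0xae0 fs/fs-writeback.c:1647
 writeback_sb_inodes+0x566/0xfd0 fs/fs-writeback.c:1930
 wb_writeback+0x281/0x920 fs/fs-writeback.c:2104
 wb_do_writeback fs/fs-writeback.c:2247 [inline]
 wb_workfn+0x1a4/0xeb0 fs/fs-writeback.c:2288
 process_one_work+0xa3d/0x15a0 kernel/workqueue.c:2310
 worker_thread+0x62e/0x1330 kernel/workqueue.c:2457
 kthread+0x3c3/0x4a0 kernel/kthread.c:334
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
"""

BUG_RE = re.compile(r"^kernel BUG at (?P<site>\S+)!")
DIE_RE = re.compile(r"^(?P<kind>[A-Za-z ]+?): [0-9a-f]+ \[#(?P<count>\d+)\]")
CPU_RE = re.compile(
    r"^CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
    r"(?P<taint>Not tainted|Tainted: .*?) (?P<version>\d+\.\d+\S*) #"
)
RIP_RE = re.compile(r"^RIP: [0-9a-f]+:(?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+")
# A frame is "func+0xoff/0xsize file:line", or "func file:line [inline]" for
# inlined callees, which carry no offset.
FRAME_RE = re.compile(
    r"^(?P<func>[\w.]+)(?:\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+)?"
    r" (?P<file>[\w./-]+):(?P<line>\d+)(?P<inline> \[inline\])?$"
)


@dataclass
class Frame:
    func: str
    offset: Optional[int]   # None for [inline] frames
    file: str
    line: int
    inline: bool


@dataclass
class Oops:
    bug_site: Optional[str] = None      # "file:line" from "kernel BUG at"
    die_kind: Optional[str] = None      # e.g. "invalid opcode"
    die_count: Optional[int] = None     # the [#N] counter
    kernel_version: Optional[str] = None
    tainted: Optional[bool] = None
    comm: Optional[str] = None
    pid: Optional[int] = None
    rip_func: Optional[str] = None      # function named on the RIP line
    frames: List[Frame] = field(default_factory=list)  # innermost first


def parse_oops(text: str) -> Oops:
    """Parse a line-oriented x86-64 oops into an Oops record."""
    oops = Oops()
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_trace:
            if line == "</TASK>":
                break
            m = FRAME_RE.match(line)
            if m:  # <TASK> and any other non-frame lines are skipped
                oops.frames.append(Frame(
                    func=m["func"],
                    offset=int(m["off"], 16) if m["off"] else None,
                    file=m["file"],
                    line=int(m["line"]),
                    inline=m["inline"] is not None,
                ))
            continue
        if line == "Call Trace:":
            in_trace = True
        elif (m := BUG_RE.match(line)):
            oops.bug_site = m["site"]
        elif (m := DIE_RE.match(line)):
            oops.die_kind = m["kind"]
            oops.die_count = int(m["count"])
        elif (m := CPU_RE.match(line)):
            oops.pid = int(m["pid"])
            oops.comm = m["comm"]
            oops.tainted = m["taint"] != "Not tainted"
            oops.kernel_version = m["version"]
        elif (m := RIP_RE.match(line)):
            oops.rip_func = m["func"]
    return oops


def call_path(oops: Oops) -> List[str]:
    """Function names from the outermost caller down to the faulting function."""
    path = [f.func for f in reversed(oops.frames)]
    if oops.rip_func:
        path.append(oops.rip_func)
    return path


def version_matches(claimed: str, oops: Oops) -> bool:
    """True if the version a report claims equals the one printed in the oops."""
    if oops.kernel_version is None:
        return False
    return claimed.strip().lstrip("v") == oops.kernel_version


if __name__ == "__main__":
    o = parse_oops(SAMPLE_OOPS)
    print(o.die_kind, "at", o.bug_site, "in", o.rip_func, "kernel", o.kernel_version)
    print(" -> ".join(call_path(o)))
```

Frames are stored innermost first, as printed; `call_path` reverses them so the output reads as the kernel actually got there (kthread worker, writeback, then the ext4 entry point). Unparsed lines are ignored rather than raising, so a trace with extra noise interleaved still yields the frames it does contain.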