Hello,

I am writing to report a potential vulnerability identified in the Linux kernel version 6.13.0-rc2. This issue was discovered using our custom vulnerability discovery tool.

HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)

Affected File: mm/page-writeback.c
File: mm/page-writeback.c
Function: bdi_set_max_bytes

Detailed Call Stack:

------------[ cut here begin]------------
RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
RIP: 0010:bdi_ratio_from_pages mm/page-writeback.c:695 [inline]
RIP: 0010:bdi_set_max_bytes+0xa8/0x210 mm/page-writeback.c:818
Code: ff 48 39 d8 0f 82 50 01 00 00 e8 a3 fa e7 ff 48 69 db 40 42 0f 00 48 8d 74 24 48 48 8d 7c 24 28 e8 bd ee ff ff 31 d2 48 89 d8 <48> f7 74 24 48 48 89 c3 3d 40 42 0f 00 0f 87 1d 01 00 00 e8 70 fa
loop6: detected capacity change from 0 to 1024
RSP: 0018:ffff888002287b58 EFLAGS: 00010246
RAX: 0000000000e4e1c0 RBX: 0000000000e4e1c0 RCX: ffffffff91bef057
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888002287ab0
RBP: 1ffff11000450f6c R08: 0000000000000000 R09: fffffbfff2ac1c7b
R10: ffffffff9560e3df R11: 0000000000032001 R12: ffff888105e59800
R13: dffffc0000000000 R14: ffff888105e59800 R15: ffff888105e5a000
FS:  00002ae5bb0df580(0000) GS:ffff88811b380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562ba473e6b8 CR3: 0000000104c2e000 CR4: 0000000000350ef0
loop0: p1 p2 p3
Oops: divide error: 0000 [#2] PREEMPT SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 72912 Comm: sh Tainted: G UD 6.13.0-rc2-00159-gf932fb9b4074 #1
Tainted: [U]=USER, [D]=DIE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
RIP: 0010:bdi_ratio_from_pages mm/page-writeback.c:695 [inline]
RIP: 0010:bdi_set_max_bytes+0xa8/0x210 mm/page-writeback.c:818
Code: ff 48 39 d8 0f 82 50 01 00 00 e8 a3 fa e7 ff 48 69 db 40 42 0f 00 48 8d 74 24 48 48 8d 7c 24 28 e8 bd ee ff ff 31 d2 48 89 d8 <48> f7 74 24 48 48 89 c3 3d 40 42 0f 00 0f 87 1d 01 00 00 e8 70 fa
RSP: 0018:ffff88810ff5fb58 EFLAGS: 00010246
RAX: 00000010e1d04700 RBX: 00000010e1d04700 RCX: ffffffff91bef057
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88810ff5fab0
RBP: 1ffff11021febf6c R08: 0000000000000000 R09: fffffbfff2ac1c7b
R10: ffffffff9560e3df R11: 0000000000032001 R12: ffff888105e59800
R13: dffffc0000000000 R14: ffff888105e59800 R15: ffff888105e5a000
FS:  00002ac2e58dc580(0000) GS:ffff88811b380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056026cd446b8 CR3: 00000001111da000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 max_bytes_store+0xba/0x120 mm/backing-dev.c:413
 dev_attr_store+0x58/0x80 drivers/base/core.c:2439
 sysfs_kf_write+0x136/0x1a0 fs/sysfs/file.c:139
 kernfs_fop_write_iter+0x323/0x530 fs/kernfs/file.c:334
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x51e/0xc80 fs/read_write.c:679
 ksys_write+0x110/0x200 fs/read_write.c:731
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x2ac2e59c8513
Code: 8b 15 81 29 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
RSP: 002b:00007ffdacd3fb18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000056026cd426b0 RCX: 00002ac2e59c8513
RDX: 000000000000000a RSI: 000056026cd426b0 RDI: 0000000000000001
RBP: 000000000000000a R08: 000056026cd426b0 R09: 00002ac2e5aabbe0
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000001
R13: 000000000000000a R14: 7fffffffffffffff R15: 0000000000000000
 </TASK>
------------[ cut here end]------------

Root Cause:

The crash is caused by a division by zero error within the Linux kernel's page-writeback subsystem.
Specifically, the bdi_set_max_bytes function attempts to calculate a ratio using bdi_ratio_from_pages, which internally calls div64_u64. During this calculation, a denominator value unexpectedly becomes zero, likely due to improper handling of a capacity change from 0 to 1024 bytes, as indicated by the log message "loop6: detected capacity change from 0 to 1024". This erroneous zero value leads to the divide error exception when the kernel tries to perform the division operation. The issue occurs while processing a sysfs write operation (max_bytes_store), suggesting that invalid or uninitialized data provided through the sysfs interface triggers the faulty calculation, ultimately causing the kernel to crash.

Thank you for your time and attention.

Best regards,
Wall
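Added example, not part of the report above and not kernel code: a user-space model of the arithmetic at the faulting instruction, so the RAX values in the two dumps can be checked and the missing zero-divisor guard can be seen next to the bound check that the Code: bytes already contain. It assumes the multiplier is 100 * BDI_RATIO_SCALE (the 0xf4240 immediate in the "imul"), that the divisor loaded from the stack at the faulting "div" is the global dirty threshold that bdi_ratio_from_pages() obtains from global_dirty_limits(), and that the model_* / MODEL_* names are stand-ins for the kernel's own identifiers.

```c
/*
 * Added user-space model of the computation at the faulting
 * instruction. Not kernel code. Assumptions: the multiplier is
 * 100 * BDI_RATIO_SCALE (= 0xf4240 in the "imul" of the Code: bytes)
 * and the stack divisor is the global dirty threshold (in pages).
 * model_* names and MODEL_* constants are stand-ins.
 */
#include <stdint.h>
#include <errno.h>

#define MODEL_RATIO_SCALE 10000ULL                      /* BDI_RATIO_SCALE (assumed) */
#define MODEL_MAX_RATIO   (100ULL * MODEL_RATIO_SCALE)  /* 0xf4240 = 100 percent */

/* Mirrors div64_u64(): a plain quotient with no zero check, so a zero
 * divisor is SIGFPE in user space and "divide error" in the kernel. */
static uint64_t model_div64_u64(uint64_t dividend, uint64_t divisor)
{
    return dividend / divisor;
}

/* The value in RAX/RBX at the faulting "div": pages scaled to a ratio.
 * 15 pages gives 0xe4e1c0 (first dump), 72508 pages gives 0x10e1d04700. */
uint64_t model_numerator(uint64_t pages)
{
    return pages * MODEL_MAX_RATIO;
}

/*
 * Hardened ratio computation: reject a zero threshold and an
 * over-100-percent result with -EINVAL instead of trapping.
 * Returns the scaled ratio (0..MODEL_MAX_RATIO) or a negative errno.
 */
int64_t model_ratio_from_pages(uint64_t pages, uint64_t dirty_thresh_pages)
{
    uint64_t ratio;

    if (dirty_thresh_pages == 0)
        return -EINVAL;     /* the guard the faulting "div" lacks */

    ratio = model_div64_u64(model_numerator(pages), dirty_thresh_pages);
    if (ratio > MODEL_MAX_RATIO)
        return -EINVAL;     /* the existing "cmp eax, 0xf4240" bound */

    return (int64_t)ratio;
}
```

With the zero check in place, a writer to the sysfs attribute receives EINVAL and the kernel never reaches the unguarded quotient.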