Hello, I am writing to report a potential vulnerability identified in the Linux Kernel version 6.13.0-rc2. This issue was discovered using our custom vulnerability discovery tool.

HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
Affected File: mm/page_alloc.c
File: mm/page_alloc.c
Function: __alloc_pages_noprof

Detailed Call Stack:

------------[ cut here begin]------------
RIP: 0010:__alloc_pages_noprof+0x1b78/0x2040 mm/page_alloc.c:4727
Code: 8e 30 f5 ff 41 b9 10 00 00 00 44 8b 74 24 50 8b ac 24 80 00 00 00 44 0f b6 e0 44 89 e3 e9 46 f9 ff ff c6 05 ae 48 13 04 01 90 <0f> 0b 90 e9 31 e9 ff ff 83 7c 24 74 00 0f 84 fd fd ff ff 80 3d 94
RSP: 0018:ffff888114877950 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffff1102290ef3c
RDX: 0000000000000000 RSI: 0000000000000016 RDI: 0000000000040dc0
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102290ef72
R10: ffff888114877bf0 R11: 0000000000032001 R12: 0000000000000016
R13: 0000000000040dc0 R14: 00000003fffffe78 R15: 0000000000000016
FS:  00007f026dca3580(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056099cd776b8 CR3: 0000000108256000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
loop7: detected capacity change from 0 to 1024
EXT4-fs: Quota format mount options ignored when QUOTA feature is enabled
EXT4-fs (loop7): can't mount with journal_async_commit, fs mounted w/o journal
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 ___kmalloc_large_node+0x88/0x160 mm/slub.c:4228
 __kmalloc_large_node_noprof+0x18/0xa0 mm/slub.c:4255
 __do_kmalloc_node mm/slub.c:4271 [inline]
 __kmalloc_noprof+0x37d/0x450 mm/slub.c:4295
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kmalloc_array_noprof include/linux/slab.h:946 [inline]
 max_vclocks_store+0x1c8/0x360 drivers/ptp/ptp_sysfs.c:299
 dev_attr_store+0x58/0x80 drivers/base/core.c:2439
 sysfs_kf_write+0x136/0x1a0 fs/sysfs/file.c:139
 kernfs_fop_write_iter+0x323/0x530 fs/kernfs/file.c:334
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x51e/0xc80 fs/read_write.c:679
 ksys_write+0x110/0x200 fs/read_write.c:731
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f026dbb9513
Code: 8b 15 81 29 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
RSP: 002b:00007fff9482a6b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000056099cd756b0 RCX: 00007f026dbb9513
RDX: 000000000000000b RSI: 000056099cd756b0 RDI: 0000000000000001
RBP: 000000000000000b R08: 000056099cd756b0 R09: 00007f026dc9cbe0
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000001
R13: 000000000000000b R14: 7fffffffffffffff R15: 0000000000000000
 </TASK>
------------[ cut here end]------------

Root Cause:

The kernel crash was triggered by a fault in the memory allocation process within the __alloc_pages_noprof function, located in mm/page_alloc.c at line 4727. This issue arose during a sysfs write operation handled by the Precision Time Protocol (PTP) driver, specifically within the max_vclocks_store function in drivers/ptp/ptp_sysfs.c. The call trace indicates that the PTP driver attempted to allocate memory using kmalloc_array_noprof, which ultimately led to an invalid memory access or improper handling of memory allocation parameters. The register state shows RAX as zero, suggesting a possible NULL pointer dereference. Additionally, the system encountered issues mounting the EXT4 filesystem with specific journal options, though this appears ancillary to the primary crash cause.

Overall, the root cause is likely a bug in the PTP driver's sysfs write handler that improperly interacts with the kernel's page allocator, resulting in an invalid memory access and subsequent system crash.

Thank you for your time and attention.

Best regards,
Wall
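The trace in the report ends in kmalloc_array_noprof reached from a sysfs store handler. The following is an added illustration by the editor, not the PTP driver's code and not a claim about what the actual defect in max_vclocks_store is: a userland C model of the defensive shape a store handler that sizes an allocation from user input should have. It parses the count the way a sysfs store receives it (a buffer that may end in a newline), rejects it against a cap (MAX_VCLOCKS_CAP is an assumed value for the example, not one taken from the kernel), and checks the count times element-size multiplication for overflow before allocating. The kernel equivalents would be kstrtouint(), check_mul_overflow() and kmalloc_array(); strtoul(), __builtin_mul_overflow() and malloc() stand in so the example runs stand-alone.

```c
/* Added example, not the PTP driver's code. Models a sysfs store
 * handler that bounds a user-supplied count before sizing an array
 * allocation. MAX_VCLOCKS_CAP is an assumed value for this
 * illustration, not a kernel constant. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VCLOCKS_CAP 64u  /* assumed cap for the illustration */

/* Parse a decimal count as a sysfs store callback receives it: a
 * NUL-terminated buffer, optionally ending in '\n' (as echo produces).
 * Returns 0 on success or a negative errno value. */
static int parse_count(const char *buf, unsigned int *out)
{
    char *end;
    unsigned long val;

    if (buf == NULL || *buf == '\0')
        return -EINVAL;
    errno = 0;
    val = strtoul(buf, &end, 10);
    if (errno == ERANGE || end == buf)
        return -EINVAL;            /* not a number, or too large for long */
    if (*end == '\n')
        end++;
    if (*end != '\0')
        return -EINVAL;            /* trailing garbage */
    if (buf[0] == '-' || val > UINT_MAX)
        return -ERANGE;            /* strtoul silently wraps negatives */
    *out = (unsigned int)val;
    return 0;
}

/* Bound the count, compute the byte size with an overflow check, and
 * only then allocate. malloc() stands in for kmalloc_array(). Returns
 * the zeroed table (or NULL) and reports 0 or -errno through *err. */
static int *alloc_vclock_table(const char *buf, size_t *nbytes, int *err)
{
    unsigned int count;
    size_t bytes;
    int *table;

    *err = parse_count(buf, &count);
    if (*err)
        return NULL;
    if (count > MAX_VCLOCKS_CAP) {  /* reject before sizing anything */
        *err = -EINVAL;
        return NULL;
    }
    if (__builtin_mul_overflow((size_t)count, sizeof(int), &bytes)) {
        *err = -EOVERFLOW;
        return NULL;
    }
    table = malloc(bytes ? bytes : 1);  /* avoid malloc(0) portability quirks */
    if (!table) {
        *err = -ENOMEM;
        return NULL;
    }
    memset(table, 0, bytes);
    *nbytes = bytes;
    *err = 0;
    return table;
}

/* Convenience wrapper: the byte count that would be allocated for a
 * given sysfs write, or the negative errno value that rejects it. */
static long store_result(const char *buf)
{
    size_t nbytes = 0;
    int err = 0;
    int *table = alloc_vclock_table(buf, &nbytes, &err);

    if (!table)
        return err;
    free(table);
    return (long)nbytes;
}

int main(void)
{
    /* Constructed sample writes, as they would arrive from userspace. */
    const char *samples[] = { "16\n", "64", "65", "100000000", "-1", "abc" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("write %-12s -> %ld\n", samples[i], store_result(samples[i]));
    return 0;
}
```

The ordering is the point: the cap check and the overflow-checked multiply both run before any allocator is consulted, so an out-of-range write fails with -EINVAL at the handler instead of reaching the page allocator with an unreasonable size.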