* [REGRESSION] fs: ERR_PTR dereference in expand_files() on v6.12.43
@ 2025-08-25 15:27 Nathan Gao
2025-08-25 19:56 ` Sasha Levin
0 siblings, 1 reply; 2+ messages in thread
From: Nathan Gao @ 2025-08-25 15:27 UTC (permalink / raw)
To: stable; +Cc: regressions, linux-fsdevel, Nathan Gao
Hi,
I noticed an ERR_PTR dereference issue in expand_files() on kernel 6.12.43
when allocating large file descriptor tables. The issue occurs when
alloc_fdtable() returns ERR_PTR(-EMFILE) for large nr input, but
expand_fdtable() is not properly checking these error returns. dup_fd()
seems also have the issue, missing proper ERR_PTR handling.
The ERR_PTR return was introduced by d4f9351243c1 ("fs: Prevent file
descriptor table allocations exceeding INT_MAX") which adds INT_MAX limit
check in alloc_fdtable().
I was able to trigger this with the unshare_test selftest:
[ 40.283906] BUG: unable to handle page fault for address: ffffffffffffffe8
...
[ 40.287436] RIP: 0010:expand_files+0x7e/0x1c0
...
[ 40.366211] Kernel panic - not syncing: Fatal exception
Looking at the upstream kernel, this can be addressed by Al Viro's
fdtable series [1], which added the ERR_PTR handling in this code path.
Perhaps backporting this series, especially 1d3b4be ("alloc_fdtable():
change calling conventions.") would help resolve the issue.
Thanks for all the work on stable tree.
Best,
Nathan Gao
[1] https://lore.kernel.org/all/20241007173912.GR4017910@ZenIV/
Signed-off-by: Nathan Gao <zcgao@amazon.com>
--
2.47.3
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [REGRESSION] fs: ERR_PTR dereference in expand_files() on v6.12.43
2025-08-25 15:27 [REGRESSION] fs: ERR_PTR dereference in expand_files() on v6.12.43 Nathan Gao
@ 2025-08-25 19:56 ` Sasha Levin
0 siblings, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2025-08-25 19:56 UTC (permalink / raw)
To: Nathan Gao; +Cc: stable, regressions, linux-fsdevel
On Mon, Aug 25, 2025 at 08:27:25AM -0700, Nathan Gao wrote:
>Hi,
>
>I noticed an ERR_PTR dereference issue in expand_files() on kernel 6.12.43
>when allocating large file descriptor tables. The issue occurs when
>alloc_fdtable() returns ERR_PTR(-EMFILE) for large nr input, but
>expand_fdtable() is not properly checking these error returns. dup_fd()
>seems also have the issue, missing proper ERR_PTR handling.
>
>The ERR_PTR return was introduced by d4f9351243c1 ("fs: Prevent file
>descriptor table allocations exceeding INT_MAX") which adds INT_MAX limit
>check in alloc_fdtable().
Ugh, sorry :(
>I was able to trigger this with the unshare_test selftest:
>
>[ 40.283906] BUG: unable to handle page fault for address: ffffffffffffffe8
>...
>[ 40.287436] RIP: 0010:expand_files+0x7e/0x1c0
>...
>[ 40.366211] Kernel panic - not syncing: Fatal exception
>
>Looking at the upstream kernel, this can be addressed by Al Viro's
>fdtable series [1], which added the ERR_PTR handling in this code path.
>Perhaps backporting this series, especially 1d3b4be ("alloc_fdtable():
>change calling conventions.") would help resolve the issue.
I agree. I'll pick up. Thanks for the report!
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-08-25 19:56 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-25 15:27 [REGRESSION] fs: ERR_PTR dereference in expand_files() on v6.12.43 Nathan Gao
2025-08-25 19:56 ` Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).