* [BUG] xfs: NULL pointer dereference in xfs_buf.h: xfs_buf_daddr()
@ 2025-11-18 11:06 李天宇
2025-11-19 6:06 ` Christoph Hellwig
0 siblings, 1 reply; 3+ messages in thread
From: 李天宇 @ 2025-11-18 11:06 UTC (permalink / raw)
To: linux-kernel; +Cc: linux-xfs, cem
The kernel reports a kernel NULL pointer dereference when sys_mount is called. This is triggered by the statement b_maps[0], where b_maps is NULL.
This bug was discovered through a fuzzing framework on Linux v6.2 (x86_64, QEMU). Since no reproducing code is left, we have only the report to analyze. I have checked the stack frame and relevant code. After comparing it with the mainline code, the buggy code at xfs_buf.h:333 and at xfs_btree.c:1902 (lines according to rc5 on mainline) remains unchanged. Therefore, I suspect that this bug could also occur in the latest kernel.
To determine why b_maps is NULL, I reviewed all statements involving b_maps and found only 2 assignments to b_maps: at xfs_buf.c:296/298. Thus, I believe the issue may be due to one of the following reasons:
1. At xfs_buf.c: xfs_buf_alloc(), no proper value is set for b_maps, which seems unlikely.
2. Race conditions may have occurred, causing the b_maps field to be accessed before properly initialized.
A simple fix might be to ensure bp->b_maps is not NULL in xfs_buf_daddr(), but this does not address the root cause of the problem. It may be better to investigate whether there could be a situation where the usage occurs before initialization.
I hope this analysis helps provide more clarity.
Test environment, configuration, and kernel logs are listed below:
Kernel 6.2: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.2.tar.gz
Configuration: https://github.com/Wxm-233/KConfigFuzz_Repros/raw/refs/heads/master/62-config
Kernel log: https://github.com/j1akai/KConfigFuzz_bug/raw/d50808fe31d5fc307cc0eb57f0cb29bc4fa537d2/x86/crashes-part1/0008_0b8eea7d39710d97dcf1bc48d36ac038269a5e7e/x86_62_66_syzkaller_0904-2_6.2_xian+yin/report0
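The following is an added userspace model, not code from the report or from the kernel, of the two things the report reasons about: the two assignment sites that populate b_maps during buffer allocation (inline array for a single map, separately allocated array otherwise), and the "simple fix" of a NULL-tolerant accessor. Only the accessor's shape (reading b_maps[0].bm_bn) mirrors the kernel's xfs_buf_daddr(); the struct layout, model_buf_alloc() and the model_* helper names are assumptions made for the example. It shows that a buffer that went through the allocation path always has b_maps set before it is handed out, so a NULL b_maps can only come from a struct that never went through that path, or from memory that was trashed afterwards, which is why the checked accessor reports the condition rather than silently tolerating it.

```c
/* Userspace model of XFS buffer map initialisation and a checked
 * xfs_buf_daddr() variant. Added example; names and layout are
 * assumptions, not the kernel's own definitions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int64_t xfs_daddr_t;

struct xfs_buf_map {
	xfs_daddr_t bm_bn;  /* block number for I/O */
	int         bm_len; /* size of I/O in basic blocks */
};

struct xfs_buf {
	struct xfs_buf_map  b_map_array[1]; /* inline storage for the single-map case */
	struct xfs_buf_map *b_maps;         /* points at b_map_array or a heap array */
	int                 b_map_count;
};

/* Models the two assignment sites: b_maps is always set before the
 * buffer is returned, whichever branch is taken. */
struct xfs_buf *model_buf_alloc(const struct xfs_buf_map *map, int nmaps)
{
	struct xfs_buf *bp = calloc(1, sizeof(*bp));
	if (!bp)
		return NULL;
	if (nmaps == 1) {
		bp->b_maps = bp->b_map_array;
	} else {
		bp->b_maps = calloc((size_t)nmaps, sizeof(*bp->b_maps));
		if (!bp->b_maps) {
			free(bp);
			return NULL;
		}
	}
	bp->b_map_count = nmaps;
	memcpy(bp->b_maps, map, (size_t)nmaps * sizeof(*map));
	return bp;
}

void model_buf_free(struct xfs_buf *bp)
{
	if (!bp)
		return;
	if (bp->b_maps != bp->b_map_array)
		free(bp->b_maps);
	free(bp);
}

/* Unchecked accessor with the same shape as xfs_buf_daddr(): it
 * dereferences b_maps[0] and crashes if b_maps is NULL. */
static inline xfs_daddr_t model_buf_daddr(const struct xfs_buf *bp)
{
	return bp->b_maps[0].bm_bn;
}

/* Checked variant of the "simple fix" from the report: returns 0 and
 * fills *daddr on success, -1 if b_maps is NULL. It reports the
 * condition loudly because a NULL here means the struct was never
 * initialised through the allocation path or was corrupted later;
 * it masks the crash but not the root cause. */
int model_buf_daddr_checked(const struct xfs_buf *bp, xfs_daddr_t *daddr)
{
	if (!bp || !bp->b_maps) {
		fprintf(stderr, "model_buf_daddr: b_maps is NULL (uninitialised or corrupted buffer)\n");
		return -1;
	}
	*daddr = bp->b_maps[0].bm_bn;
	return 0;
}

/* Properly allocated single-map buffer: b_maps uses inline storage. */
xfs_daddr_t model_single_map_daddr(void)
{
	struct xfs_buf_map map = { .bm_bn = 4096, .bm_len = 8 }; /* constructed sample */
	struct xfs_buf *bp = model_buf_alloc(&map, 1);
	xfs_daddr_t bn = bp ? model_buf_daddr(bp) : -1;
	model_buf_free(bp);
	return bn;
}

/* Multi-map buffer: b_maps is a heap array, first map still answers daddr. */
int model_multi_map_uses_heap(void)
{
	struct xfs_buf_map maps[2] = { { 8192, 8 }, { 16384, 8 } }; /* constructed sample */
	struct xfs_buf *bp = model_buf_alloc(maps, 2);
	int ok = bp && bp->b_maps != bp->b_map_array && model_buf_daddr(bp) == 8192;
	model_buf_free(bp);
	return ok ? 1 : 0;
}

/* A zeroed struct stands in for a trashed cursor pointer landing on
 * memory that never went through model_buf_alloc(). */
int model_zeroed_buf_checked(void)
{
	struct xfs_buf junk;
	xfs_daddr_t bn = 0;
	memset(&junk, 0, sizeof(junk));
	return model_buf_daddr_checked(&junk, &bn);
}

int main(void)
{
	printf("single map daddr: %lld\n", (long long)model_single_map_daddr());
	printf("multi map on heap: %d\n", model_multi_map_uses_heap());
	printf("zeroed buffer via checked accessor: %d\n", model_zeroed_buf_checked());
	return 0;
}
```

Running the model prints 4096 and 1 for the two allocated buffers and -1 for the zeroed struct; the unchecked accessor would fault on that last case exactly as the report describes, while the checked one turns the fault into an error path that can be logged and investigated.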
* Re: [BUG] xfs: NULL pointer dereference in xfs_buf.h: xfs_buf_daddr()
From: Christoph Hellwig @ 2025-11-19 6:06 UTC (permalink / raw)
To: 李天宇; +Cc: linux-kernel, linux-xfs, cem
On Tue, Nov 18, 2025 at 07:06:14PM +0800, 李天宇 wrote:
> The kernel reports a kernel NULL pointer dereference when the sys_mount is called. This is triggered by the statement b_maps[0], where b_maps is NULL.
>
> This bug was discovered through a fuzzing framework on Linux v6.2
Linux 6.2 is ancient (Feb 2023), and the buffer cache code has seen a
major rewrite since:
ch@brick:~/work/linux$ git diff v6.2..HEAD fs/xfs/xfs_buf.[ch] | diffstat
xfs_buf.c | 1651 +++++++++++++++++++++++++++++++++++++++-----------------------------------------------------
xfs_buf.h | 96 +++--
2 files changed, 768 insertions(+), 979 deletions(-)
hch@brick:~/work/linux$ wc -l fs/xfs/xfs_buf.[ch]
2132 fs/xfs/xfs_buf.c
391 fs/xfs/xfs_buf.h
2523 total
so I'm not sure how relevant this report is, especially without a good
report.
* Re: [BUG] xfs: NULL pointer dereference in xfs_buf.h: xfs_buf_daddr()
From: Dave Chinner @ 2025-11-19 6:41 UTC (permalink / raw)
To: Christoph Hellwig; +Cc: 李天宇, linux-kernel, linux-xfs, cem
On Tue, Nov 18, 2025 at 10:06:49PM -0800, Christoph Hellwig wrote:
> On Tue, Nov 18, 2025 at 07:06:14PM +0800, 李天宇 wrote:
> > The kernel reports a kernel NULL pointer dereference when the sys_mount is called. This is triggered by the statement b_maps[0], where b_maps is NULL.
> >
> > This bug was discovered through a fuzzing framework on Linux v6.2
>
> Linux 6.2 is ancient (Feb 2023), and the buffer cache code has seen a
> major rewrite since:
>
> ch@brick:~/work/linux$ git diff v6.2..HEAD fs/xfs/xfs_buf.[ch] | diffstat
> xfs_buf.c | 1651 +++++++++++++++++++++++++++++++++++++++-----------------------------------------------------
> xfs_buf.h | 96 +++--
> 2 files changed, 768 insertions(+), 979 deletions(-)
>
> hch@brick:~/work/linux$ wc -l fs/xfs/xfs_buf.[ch]
> 2132 fs/xfs/xfs_buf.c
> 391 fs/xfs/xfs_buf.h
> 2523 total
>
> so I'm not sure how relevant this report is, especially without a good
> report.
It's not even a buffer cache bug. Something trashed a buffer
pointer in a btree cursor and xfs_buf_daddr() is the first
dereference to trip over it. It looks like random memory
corruption to me, so unless it is reproduced on a TOT kernel there's
no point spending any time looking at it...
-Dave.
--
Dave Chinner
david@fromorbit.com