[BUG]: general protection fault in __lookup_mnt

From: Xianying Wang

Date: Wed Jun 24 2026 - 03:52:08 EST


Hi,

I would like to report a kernel general protection fault triggered by
a syzkaller C reproducer. The issue was observed on Linux 7.1-rc5 with
KASAN enabled.

According to the crash log, the kernel reaches the ext4
writeback/release path. The stack includes ext4_xattr_set_entry(),
ext4_xattr_ibody_set(), ext4_destroy_inline_data(), ext4_writepages(),
ext4_release_file(), and __fput(). Therefore, the issue appears to be
related to the interaction between crafted ext4 metadata, inline data
destruction, xattr entry update, delayed writeback, and file release.

My current hypothesis is that after the reproducer performs
synchronous/direct writes and a large sendfile() operation on a file
from the crafted ext4 image, ext4 enters an inconsistent internal
state during file release or dirty page writeback. In particular, when
inline data is destroyed and the xattr entry is updated as part of
writeback, some metadata or buffer state appears to be invalid,
eventually leading to the general protection fault in the ext4
xattr/writeback path.

This can be reproduced on:

HEAD commit:

e7ae89a0c97ce2b68b0983cd01eda67cf373517d

e7ae89a0c97c Linux 7.1-rc5

syzkaller commit:

d3ccff6372e07c6aabd02b5da419aa6492b5f0ad

d3ccff637 sys/linux: improve iouring interface

report: https://pastebin.com/raw/hu0BEbZm

console output: https://pastebin.com/raw/scMTFri8

kernel config: https://pastebin.com/raw/VRAFJF0P

C reproducer: https://pastebin.com/raw/m3KkHd09

Let me know if you need more details or testing.

Best regards,

Xianying