Re: [BUG] xfs: Assertion failure in dio_write( flags & IOMAP_DIO_OVERWRITE_ONLY) with a UAF

From: Christoph Hellwig
Date: Mon Aug 11 2025 - 06:46:00 EST

Next message: Manivannan Sadhasivam: "Re: [PATCH] dt-bindings: PCI: Add missing "#address-cells" to interrupt controllers"
Previous message: Parvathi Pudi: "Re: [PATCH net-next v12 2/5] net: ti: prueth: Adds ICSSM Ethernet driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 06, 2025 at 07:40:19PM +0800, cen zhang wrote:
> Hello maintainers,
>
> I would like to report a kernel panic found using syzkaller on a 6.16.0-rc6.
>
> The kernel log shows two distinct but closely timed crash reports,
> which I guess are related.
>
> 1. An XFS assertion failure: Assertion failed: flags &
> IOMAP_DIO_OVERWRITE_ONLY, file: fs/xfs/xfs_file.c, line: 876 triggered
> by a write() system call in xfs_file_dio_write_unaligned.
>
> 2. A KASAN use-after-free report on a task_struct object, triggered
> during an ioctl() call (likely FICLONE or FIDEDUPERANGE). The crash
> occurs in rwsem_down_write_slowpath when trying to lock an inode via
> xfs_reflink_remap_prep.
>
> Unfortunately, I have not been able to create a standalone C
> reproducer, and attempts to use syzkaller's repro tool on the syz-prog
> have not reliably triggered the bug again.

Thanks for the report, but it will be really hard to do anything without
a reproducer. I case you are still trying to create one it would be
great to hear if you have one!

Next message: Manivannan Sadhasivam: "Re: [PATCH] dt-bindings: PCI: Add missing "#address-cells" to interrupt controllers"
Previous message: Parvathi Pudi: "Re: [PATCH net-next v12 2/5] net: ti: prueth: Adds ICSSM Ethernet driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]