We are reporting a Linux kernel bug titled **kernel BUG: general protection fault in simple_xattrs_free**, discovered using a modified version of Syzkaller.
Linux version: ccd1cdca5cd433c8a5dff78b69a79b31d9b77ee1
The bisection log shows that the commit which introduced the bug is 382b1e8f30f779af8d6d33268e53df7de579ef3c
commit 382b1e8f30f779af8d6d33268e53df7de579ef3c
Author: Will Rosenberg <whro...@asu.edu>
Date: Tue Nov 25 08:13:32 2025 -0700
kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node
There exists a memory leak of kernfs_iattrs contained as an element
of kernfs_node allocated in __kernfs_new_node(). __kernfs_setattr()
allocates kernfs_iattrs as a sub-object, and the LSM security check
incorrectly errors out and does not free the kernfs_iattrs sub-object.
Make an additional error out case that properly frees kernfs_iattrs if
security_kernfs_init_security() fails.
Fixes: e19dfdc83b60 ("kernfs: initialize security of newly created nodes")
Co-developed-by: Oliver Rosenberg <olro...@gmail.com>
Signed-off-by: Oliver Rosenberg <olro...@gmail.com>
Signed-off-by: Will Rosenberg <whro...@asu.edu>
Link: https://patch.msgid.link/20251125151332.2...@asu.edu
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index a670ba3e565e..5c0efd6b239f 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -675,11 +675,14 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
if (parent) {
ret = security_kernfs_init_security(parent, kn);
if (ret)
- goto err_out3;
+ goto err_out4;
}
return kn;
+ err_out4:
+ simple_xattrs_free(&kn->iattr->xattrs, NULL);
+ kmem_cache_free(kernfs_iattrs_cache, kn->iattr);
err_out3:
spin_lock(&root->kernfs_idr_lock);
idr_remove(&root->ino_idr, (u32)kernfs_ino(kn));
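Review bot: the new err_out4 block dereferences kn->iattr unconditionally in `simple_xattrs_free(&kn->iattr->xattrs, NULL)` and `kmem_cache_free(kernfs_iattrs_cache, kn->iattr)`, yet the commit message itself describes kernfs_iattrs as a sub-object that __kernfs_setattr() allocates, so it is not guaranteed to exist by the time security_kernfs_init_security() fails. The attached oops is exactly that case: a KASAN null-ptr-deref in the range 0x38-0x3f inside simple_xattrs_free, reached from __kernfs_new_node at fs/kernfs/dir.c:684 with RDI = 0x38, i.e. &kn->iattr->xattrs computed from a NULL kn->iattr. The unwind should only release the sub-object when it was actually allocated, for example `if (kn->iattr) { simple_xattrs_free(&kn->iattr->xattrs, NULL); kmem_cache_free(kernfs_iattrs_cache, kn->iattr); }` placed ahead of err_out3, or equivalently by having the security-failure path jump to err_out3 when kn->iattr is NULL. With the guard in place the leak fix remains intact for nodes that do carry iattrs, and the fall-through into err_out3 then correctly handles the idr entry.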
The test case, kernel config and full bisection log are attached.
The report is as follows (the full report is attached):
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
CPU: 1 UID: 0 PID: 13621 Comm: syz.7.239 Not tainted 6.19.0-rc2-gccd1cdca5cd4-dirty #2 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:rb_first include/linux/rbtree.h:54 [inline]
RIP: 0010:simple_xattrs_free+0x60/0x1e0 fs/xattr.c:1564
Code: ea 03 80 3c 02 00 0f 85 8c 01 00 00 49 c7 04 24 00 00 00 00 e8 51 b5 77 ff 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 57 01 00 00 48 bd 00 00 00 00 00 fc ff df 49 8b
RSP: 0018:ffa0000006c4f8e8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ff110002ec236bd8 RCX: ffa000000c291000
RDX: 0000000000000007 RSI: ffffffff824414df RDI: 0000000000000038
RBP: 1ff4000000d89f2c R08: 0000000000000001 R09: 0000000000000001
R10: 00000000ffffffea R11: 0000000000000003 R12: 0000000000000000
R13: ff110002ec236bc8 R14: 0000000000000038 R15: ff11000100ed7868
FS: 00007f04e68c96c0(0000) GS:ff110005a2023000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4be9dfff8c CR3: 0000000112694000 CR4: 0000000000753ef0
DR0: 000000004cf7957f DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 80000000
Call Trace:
<TASK>
__kernfs_new_node+0x7fd/0x9d0 fs/kernfs/dir.c:684
kernfs_new_node+0x13c/0x250 fs/kernfs/dir.c:716
__kernfs_create_file+0x55/0x360 fs/kernfs/file.c:1057
cgroup_add_file kernel/cgroup/cgroup.c:4421 [inline]
cgroup_addrm_files+0x51c/0xbd0 kernel/cgroup/cgroup.c:4475
css_populate_dir+0x3c7/0x580 kernel/cgroup/cgroup.c:1812
cgroup_mkdir+0x56b/0x1460 kernel/cgroup/cgroup.c:6019
kernfs_iop_mkdir+0x111/0x190 fs/kernfs/dir.c:1271
vfs_mkdir+0x7ac/0xb90 fs/namei.c:5130
do_mkdirat+0x43b/0x5c0 fs/namei.c:5164
__do_sys_mkdirat fs/namei.c:5186 [inline]
__se_sys_mkdirat fs/namei.c:5184 [inline]
__x64_sys_mkdirat+0x87/0xb0 fs/namei.c:5184
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x72/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f04e598feed
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f04e68c9008 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007f04e5bc5fa0 RCX: 00007f04e598feed
RDX: 00000000000001ff RSI: 0000400000000000 RDI: ffffffffffffff9c
RBP: 00007f04e5a317f4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f04e5bc5fa0 R15: 00007ffcd0aabd80
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rb_first include/linux/rbtree.h:54 [inline]
RIP: 0010:simple_xattrs_free+0x60/0x1e0 fs/xattr.c:1564
Code: ea 03 80 3c 02 00 0f 85 8c 01 00 00 49 c7 04 24 00 00 00 00 e8 51 b5 77 ff 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 57 01 00 00 48 bd 00 00 00 00 00 fc ff df 49 8b
RSP: 0018:ffa0000006c4f8e8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ff110002ec236bd8 RCX: ffa000000c291000
RDX: 0000000000000007 RSI: ffffffff824414df RDI: 0000000000000038
RBP: 1ff4000000d89f2c R08: 0000000000000001 R09: 0000000000000001
R10: 00000000ffffffea R11: 0000000000000003 R12: 0000000000000000
R13: ff110002ec236bc8 R14: 0000000000000038 R15: ff11000100ed7868
FS: 00007f04e68c96c0(0000) GS:ff110002c0223000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4befefdc90 CR3: 0000000112694000 CR4: 0000000000753ef0
PKRU: 80000000
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 03 80 3c 02 00 0f add 0xf00023c(%rax),%eax
6: 85 8c 01 00 00 49 c7 test %ecx,-0x38b70000(%rcx,%rax,1)
d: 04 24 add $0x24,%al
f: 00 00 add %al,(%rax)
11: 00 00 add %al,(%rax)
13: e8 51 b5 77 ff call 0xff77b569
18: 4c 89 f2 mov %r14,%rdx
1b: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
22: fc ff df
25: 48 c1 ea 03 shr $0x3,%rdx
* 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2d: 0f 85 57 01 00 00 jne 0x18a
33: 48 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%rbp
3a: fc ff df
3d: 49 rex.WB
3e: 8b .byte 0x8b