National Cybersecurity Institute. INCIBE-CERT section

CVE-2026-23249

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
18/03/2026
Last modified:
18/03/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

xfs: check for deleted cursors when revalidating two btrees

The free space and inode btree repair functions will rebuild both btrees at the same time, after which it needs to evaluate both btrees to confirm that the corruptions are gone.

However, Jiaming Zhang ran syzbot and produced a crash in the second xchk_allocbt call. His root-cause analysis is as follows (with minor corrections):

In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first for BNOBT, second for CNTBT). The cause of this issue is that the first call nullified the cursor required by the second call.

Let's first enter xrep_revalidate_allocbt() via the following call chain:

    xfs_file_ioctl() ->
    xfs_ioc_scrubv_metadata() ->
    xfs_scrub_metadata() ->
    `sc->ops->repair_eval(sc)` ->
    xrep_revalidate_allocbt()

xchk_allocbt() is called twice in this function. In the first call:

    /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOBT now */
    xchk_allocbt() ->
    xchk_btree() ->
    `bs->scrub_rec(bs, recp)` ->
    xchk_allocbt_rec() ->
    xchk_allocbt_xref() ->
    xchk_allocbt_xref_other()

since sm_type is XFS_SCRUB_TYPE_BNOBT, pcur is set to &sc->sa.cnt_cur. Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call chain:

    xfs_alloc_get_rec() ->
    xfs_btree_get_rec() ->
    xfs_btree_check_block() ->
    (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter is true, return -EFSCORRUPTED.

This should be caused by ioctl$XFS_IOC_ERROR_INJECTION I guess.

Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this function, *curpp (points to sc->sa.cnt_cur) is nullified.

Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been nullified, it then triggered null-ptr-deref via xchk_allocbt() (second call) -> xchk_btree().

So. The bnobt revalidation failed on a cross-reference attempt, so we deleted the cntbt cursor, and then crashed when we tried to revalidate the cntbt. Therefore, check for a null cntbt cursor before that revalidation, and mark the repair incomplete. Also we can ignore the second tree entirely if the first tree was rebuilt but is already corrupt.

Apply the same fix to xrep_revalidate_iallocbt because it has the same problem.
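The cursor-lifetime bug in the description, modelled as a stand-alone userspace C program. This is an added example and not kernel code or the upstream patch: the struct layouts, the OFLAG_* bits, the inject_error switch standing in for XFS_TEST_ERROR, the nrecs < 0 convention for a corrupt block, and the names check_allocbt, should_check_xref, get_rec and run_model are all assumptions made to mirror the call chain above. A real NULL dereference would kill the process, so the model counts would-be NULL dereferences instead, which lets the unfixed and fixed revalidation paths run side by side on the same constructed input.

```c
#include <stdio.h>
#include <stdlib.h>

#define EFSCORRUPTED 117          /* assumed: kernel errno value (EUCLEAN) */

#define OFLAG_CORRUPT    0x1u     /* models XFS_SCRUB_OFLAG_CORRUPT */
#define OFLAG_XFAIL      0x2u     /* models XFS_SCRUB_OFLAG_XFAIL (xref failed) */
#define OFLAG_INCOMPLETE 0x4u     /* models XFS_SCRUB_OFLAG_INCOMPLETE */

enum btree_type { BNOBT, CNTBT };

struct btree_cur {
    int nrecs;                    /* < 0 models a corrupt block (assumption) */
};

struct scrub {
    struct btree_cur *bno_cur;    /* models sc->sa.bno_cur */
    struct btree_cur *cnt_cur;    /* models sc->sa.cnt_cur */
    int inject_error;             /* models XFS_TEST_ERROR firing in get_rec() */
    unsigned flags;               /* models sc->sm->sm_flags */
    int null_derefs;              /* model only: would-be NULL dereferences */
};

static struct btree_cur *cur_alloc(int nrecs)
{
    struct btree_cur *cur = calloc(1, sizeof *cur);
    if (!cur)
        abort();
    cur->nrecs = nrecs;
    return cur;
}

/* Models xfs_alloc_get_rec(): -EFSCORRUPTED on a bad block or an injected error. */
static int get_rec(const struct scrub *sc, const struct btree_cur *cur)
{
    return (sc->inject_error || cur->nrecs < 0) ? -EFSCORRUPTED : 0;
}

/* Models xchk_should_check_xref(): on error, flag the cross-reference as
 * failed, delete the cursor and NULL the caller's pointer (*curpp). */
static int should_check_xref(struct scrub *sc, int error, struct btree_cur **curpp)
{
    if (error == 0)
        return 1;
    sc->flags |= OFLAG_XFAIL;
    free(*curpp);
    *curpp = NULL;
    return 0;
}

/* Models xchk_allocbt(): walk one tree, then cross-reference the other.
 * In the kernel a NULL cursor here is the NULL pointer dereference in
 * xchk_btree(); the model counts it and bails out instead of crashing. */
static int check_allocbt(struct scrub *sc, enum btree_type type)
{
    struct btree_cur *cur = (type == BNOBT) ? sc->bno_cur : sc->cnt_cur;
    struct btree_cur **xref = (type == BNOBT) ? &sc->cnt_cur : &sc->bno_cur;

    if (!cur) {
        sc->null_derefs++;
        return -1;
    }
    if (cur->nrecs < 0)
        sc->flags |= OFLAG_CORRUPT;
    if (*xref)                    /* as in xchk_allocbt_xref_other() */
        should_check_xref(sc, get_rec(sc, *xref), xref);
    return 0;
}

/* Unfixed xrep_revalidate_allocbt(): revalidates the cntbt unconditionally. */
static int revalidate_allocbt_unfixed(struct scrub *sc)
{
    int error = check_allocbt(sc, BNOBT);
    return error ? error : check_allocbt(sc, CNTBT);
}

/* Fixed variant, following the description of the upstream change. */
static int revalidate_allocbt_fixed(struct scrub *sc)
{
    int error = check_allocbt(sc, BNOBT);
    if (error)
        return error;
    if (sc->flags & OFLAG_CORRUPT)   /* bnobt already corrupt: skip the cntbt */
        return 0;
    if (!sc->cnt_cur) {              /* xref deleted the cntbt cursor */
        sc->flags |= OFLAG_INCOMPLETE;
        return 0;
    }
    return check_allocbt(sc, CNTBT);
}

/* Runs one variant on constructed input; returns the NULL-deref count. */
static int run_model(int (*revalidate)(struct scrub *), int bno_nrecs,
                     int inject_error, unsigned *flags_out)
{
    struct scrub sc = { cur_alloc(bno_nrecs), cur_alloc(1), inject_error, 0, 0 };
    revalidate(&sc);
    if (flags_out)
        *flags_out = sc.flags;
    free(sc.bno_cur);
    free(sc.cnt_cur);
    return sc.null_derefs;
}

/* Same run, but returns the scrub flags the variant left behind. */
static unsigned model_flags(int (*revalidate)(struct scrub *), int bno_nrecs,
                            int inject_error)
{
    unsigned flags = 0;
    run_model(revalidate, bno_nrecs, inject_error, &flags);
    return flags;
}

int main(void)
{
    int unfixed = run_model(revalidate_allocbt_unfixed, 1, 1, NULL);
    int fixed = run_model(revalidate_allocbt_fixed, 1, 1, NULL);
    printf("injected xref error: unfixed %d NULL deref(s), fixed %d, fixed flags 0x%x\n",
           unfixed, fixed, model_flags(revalidate_allocbt_fixed, 1, 1));
    return 0;
}
```

With the injected cross-reference error the unfixed path records one NULL dereference (the crash in the report), while the fixed path records none and ends with XFAIL|INCOMPLETE set, which is the "mark the repair incomplete" outcome. With a corrupt bnobt and no injection, the fixed path stops after the first tree with only CORRUPT set, whereas the unfixed path goes on to revalidate the cntbt and additionally fails the reverse cross-reference.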

Impact