PT-2026-26099 · Linux · Linux
Published 2026-03-18 · Updated 2026-03-18
CVE-2026-23249
No severity ratings or metrics are available yet.
In the Linux kernel, the following vulnerability has been resolved:
xfs: check for deleted cursors when revalidating two btrees
The free space and inode btree repair functions will rebuild both btrees
at the same time, after which it needs to evaluate both btrees to
confirm that the corruptions are gone.
However, Jiaming Zhang ran syzbot and produced a crash in the second
xchk_allocbt call. His root-cause analysis is as follows (with minor
corrections):
In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first
for BNOBT, second for CNTBT). The cause of this issue is that the
first call nullified the cursor required by the second call.
Let's first enter xrep_revalidate_allocbt() via the following call chain:
xfs_file_ioctl() ->
xfs_ioc_scrubv_metadata() ->
xfs_scrub_metadata() ->
sc->ops->repair_eval(sc) ->
xrep_revalidate_allocbt()
xchk_allocbt() is called twice in this function. In the first call:
/* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOBT now */
xchk_allocbt() ->
xchk_btree() ->
bs->scrub_rec(bs, recp) ->
xchk_allocbt_rec() ->
xchk_allocbt_xref() ->
xchk_allocbt_xref_other()
Since sm_type is XFS_SCRUB_TYPE_BNOBT, pcur is set to &sc->sa.cnt_cur.
The kernel called xfs_alloc_get_rec(), which returned -EFSCORRUPTED. Call
chain:
xfs_alloc_get_rec() ->
xfs_btree_get_rec() ->
xfs_btree_check_block() ->
(XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter
is true, return -EFSCORRUPTED. This should be caused by
ioctl$XFS_IOC_ERROR_INJECTION I guess.
Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from
xfs_alloc_get_rec(), the kernel called xchk_should_check_xref(). In this
function, *curpp (which points to sc->sa.cnt_cur) is nullified.
Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been
nullified, it then triggered a null-ptr-deref via xchk_allocbt() (second
call) -> xchk_btree().
So. The bnobt revalidation failed on a cross-reference attempt, so we
deleted the cntbt cursor, and then crashed when we tried to revalidate
the cntbt. Therefore, check for a null cntbt cursor before that
revalidation, and mark the repair incomplete. Also we can ignore the
second tree entirely if the first tree was rebuilt but is already
corrupt.
Apply the same fix to xrep_revalidate_iallocbt because it has the same
problem.
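The failure path and the fix described above, as an added example written for this page and not taken from the kernel: a hypothetical, simplified C model in which model_should_check_xref() frees and NULLs the cross-referenced cursor the way xchk_should_check_xref() does, revalidate_unchecked() reproduces the pre-fix back-to-back calls that hand a NULL cnt_cur to the second tree check, and revalidate_checked() applies the commit's two guards (skip the second tree when the first is already corrupt; treat a deleted cntbt cursor as an incomplete repair). Every struct, function and macro name in the block other than the kernel functions named in the comments is an assumption of this model.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical, simplified model of the XFS online-repair revalidation
 * pattern; struct and function names are stand-ins, not the kernel's. */
#define EFSCORRUPTED 117
enum tree_type { TREE_BNOBT, TREE_CNTBT };

struct model_cur { bool bad_recs; };     /* a btree cursor */

struct model_scrub {
    enum tree_type sm_type;      /* tree being scrubbed (sc->sm->sm_type) */
    struct model_cur *bno_cur;   /* analogue of sc->sa.bno_cur */
    struct model_cur *cnt_cur;   /* analogue of sc->sa.cnt_cur */
    bool xfail;                  /* a cross-reference failed (OFLAG_XFAIL) */
    bool corrupt;                /* scrubbed tree itself is corrupt (OFLAG_CORRUPT) */
    bool incomplete;             /* repair could not be fully revalidated */
};

/* Return codes of the revalidation drivers below. */
#define REVAL_OK          0
#define REVAL_INCOMPLETE  1
#define REVAL_NULL_DEREF -1      /* the kernel would oops here; the model reports it */

/* Model of xchk_should_check_xref(): an xref error must not abort the scrub,
 * so the cursor used for the xref is freed and the caller's pointer is set
 * to NULL. Anything that reuses that cursor later must expect the NULL. */
static bool model_should_check_xref(struct model_scrub *sc, int *error,
                                    struct model_cur **curpp)
{
    if (*error == 0)
        return true;
    if (*curpp) {
        free(*curpp);
        *curpp = NULL;
    }
    sc->xfail = true;
    *error = 0;
    return false;
}

/* Model of xchk_allocbt_xref_other(): the bnobt scrub cross-references the
 * cntbt through cnt_cur, and the cntbt scrub uses bno_cur. */
static void model_xref_other(struct model_scrub *sc)
{
    struct model_cur **pcur = (sc->sm_type == TREE_BNOBT) ? &sc->cnt_cur : &sc->bno_cur;
    int error;

    if (!*pcur)
        return;
    /* stands in for xfs_alloc_get_rec() failing with -EFSCORRUPTED */
    error = (*pcur)->bad_recs ? -EFSCORRUPTED : 0;
    (void)model_should_check_xref(sc, &error, pcur);
}

/* Model of xchk_allocbt(): walk the tree named by sm_type via its cursor. */
static int model_check_tree(struct model_scrub *sc)
{
    struct model_cur *cur = (sc->sm_type == TREE_BNOBT) ? sc->bno_cur : sc->cnt_cur;

    if (!cur)
        return REVAL_NULL_DEREF; /* xchk_btree() would dereference NULL here */
    if (cur->bad_recs)
        sc->corrupt = true;
    model_xref_other(sc);
    return REVAL_OK;
}

/* Pre-fix shape: the second call assumes cnt_cur survived the first. */
static int revalidate_unchecked(struct model_scrub *sc)
{
    int ret;

    sc->sm_type = TREE_BNOBT;
    ret = model_check_tree(sc);
    if (ret)
        return ret;
    sc->sm_type = TREE_CNTBT;
    return model_check_tree(sc);
}

/* Fixed shape: skip the cntbt if the bnobt is already corrupt, and treat a
 * deleted cntbt cursor as an incomplete repair instead of dereferencing it. */
static int revalidate_checked(struct model_scrub *sc)
{
    int ret;

    sc->sm_type = TREE_BNOBT;
    ret = model_check_tree(sc);
    if (ret)
        return ret;
    if (sc->corrupt)
        return REVAL_OK;        /* no point revalidating the second tree */
    if (!sc->cnt_cur) {
        sc->incomplete = true;  /* cursor was deleted by a failed xref */
        return REVAL_INCOMPLETE;
    }
    sc->sm_type = TREE_CNTBT;
    return model_check_tree(sc);
}

/* Build a context with two fresh cursors; cnt_bad injects the xref failure. */
static int run_scenario(bool cnt_bad, bool fixed)
{
    struct model_scrub sc = {0};
    int ret;

    sc.bno_cur = calloc(1, sizeof(*sc.bno_cur));
    sc.cnt_cur = calloc(1, sizeof(*sc.cnt_cur));
    if (!sc.bno_cur || !sc.cnt_cur)
        abort();
    sc.cnt_cur->bad_recs = cnt_bad;
    ret = fixed ? revalidate_checked(&sc) : revalidate_unchecked(&sc);
    free(sc.bno_cur);
    free(sc.cnt_cur);           /* NULL after a failed xref; free(NULL) is a no-op */
    return ret;
}
```

Calling run_scenario(true, false) walks the crash path: the bnobt check's cross-reference into a bad cntbt frees cnt_cur and sets it to NULL, and the immediate cntbt check then has no cursor to walk, which the model reports as REVAL_NULL_DEREF instead of faulting. run_scenario(true, true) takes the fixed path and returns REVAL_INCOMPLETE with sc.incomplete set, matching the commit's intent of marking the repair incomplete rather than trusting a cursor that a sibling scrub may have deleted.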
Related Identifiers: CVE-2026-23249
Affected Products: Linux