* general protection fault in __dentry_path
From: syzbot @ 2019-01-30 10:35 UTC
To: linux-fsdevel, linux-kernel, syzkaller-bugs, viro

Hello,

syzbot found the following crash on:

HEAD commit:    02495e76ded5 Add linux-next specific files for 20190130
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17e8d80f400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a2b2e9c0bc43c14d
dashboard link: https://syzkaller.appspot.com/bug?extid=7857962b4d45e602b8ad
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 445 Comm: syz-executor3 Not tainted 5.0.0-rc4-next-20190130 #22
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__dentry_path+0x2a5/0xaa0 fs/d_path.c:344
Code: 00 00 e8 1e 9d 9f ff 48 c7 c7 68 26 81 89 e8 72 c4 14 06 e8 0d 9d 9f ff 48 8b 85 00 ff ff ff 48 8d 78 40 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b0 07 00 00 48 8b 85 00 ff ff ff 4c 8b 68 40
RSP: 0018:ffff8881c21bf8a8 EFLAGS: 00010207
RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffc90005b5c000
RDX: 0000000000002edf RSI: ffffffff81e27c43 RDI: 000000000000002f
RBP: ffff8881c21bf9d0 R08: ffff88806b30a040 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881c21bf9a8
R13: 0000000000000000 R14: 0000000000009674 R15: dffffc0000000000
FS:  00007f27af88b700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f722000 CR3: 0000000218991000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 dentry_path_raw+0x26/0x30 fs/d_path.c:371
 kvm_uevent_notify_change.part.0+0x213/0x440 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4050
 kvm_uevent_notify_change arch/x86/kvm/../../../virt/kvm/kvm_main.c:4017 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3355 [inline]
 kvm_dev_ioctl+0x137a/0x1a60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3377
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458089
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f27af88ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458089
RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f27af88b6d4
R13: 00000000004c0bcf R14: 00000000004d2890 R15: 00000000ffffffff
Modules linked in:
---[ end trace 1701fe85f04d676b ]---
RIP: 0010:__dentry_path+0x2a5/0xaa0 fs/d_path.c:344
Code: 00 00 e8 1e 9d 9f ff 48 c7 c7 68 26 81 89 e8 72 c4 14 06 e8 0d 9d 9f ff 48 8b 85 00 ff ff ff 48 8d 78 40 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b0 07 00 00 48 8b 85 00 ff ff ff 4c 8b 68 40
RSP: 0018:ffff8881c21bf8a8 EFLAGS: 00010207
RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffc90005b5c000
RDX: 0000000000002edf RSI: ffffffff81e27c43 RDI: 000000000000002f
RBP: ffff8881c21bf9d0 R08: ffff88806b30a040 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881c21bf9a8
R13: 0000000000000000 R14: 0000000000009674 R15: dffffc0000000000
FS:  00007f27af88b700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001f80f70 CR3: 0000000218991000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
* Re: general protection fault in __dentry_path
From: syzbot @ 2019-01-30 11:32 UTC
To: linux-fsdevel, linux-kernel, syzkaller-bugs, viro

syzbot has found a reproducer for the following crash on:

HEAD commit:    02495e76ded5 Add linux-next specific files for 20190130
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=106161ef400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a2b2e9c0bc43c14d
dashboard link: https://syzkaller.appspot.com/bug?extid=7857962b4d45e602b8ad
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1182e5b8c00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8239 Comm: syz-executor4 Not tainted 5.0.0-rc4-next-20190130 #22
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__dentry_path+0x2a5/0xaa0 fs/d_path.c:344
Code: 00 00 e8 1e 9d 9f ff 48 c7 c7 68 26 81 89 e8 72 c4 14 06 e8 0d 9d 9f ff 48 8b 85 00 ff ff ff 48 8d 78 40 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b0 07 00 00 48 8b 85 00 ff ff ff 4c 8b 68 40
RSP: 0018:ffff88808ab5f8a8 EFLAGS: 00010207
RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffff81e27f21
RDX: 0000000000000000 RSI: ffffffff81e27c43 RDI: 000000000000002f
RBP: ffff88808ab5f9d0 R08: ffff88809edd4280 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808ab5f9a8
R13: 0000000000000000 R14: 0000000000000c78 R15: dffffc0000000000
FS:  00007f69a6d18700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000144a008 CR3: 00000000a1190000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 dentry_path_raw+0x26/0x30 fs/d_path.c:371
 kvm_uevent_notify_change.part.0+0x213/0x440 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4050
 kvm_uevent_notify_change arch/x86/kvm/../../../virt/kvm/kvm_main.c:4017 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3355 [inline]
 kvm_dev_ioctl+0x137a/0x1a60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3377
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458089
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f69a6d17c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458089
RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000006
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f69a6d186d4
R13: 00000000004c0bcf R14: 00000000004d2890 R15: 00000000ffffffff
Modules linked in:
---[ end trace c2b508264c762aae ]---
RIP: 0010:__dentry_path+0x2a5/0xaa0 fs/d_path.c:344
Code: 00 00 e8 1e 9d 9f ff 48 c7 c7 68 26 81 89 e8 72 c4 14 06 e8 0d 9d 9f ff 48 8b 85 00 ff ff ff 48 8d 78 40 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b0 07 00 00 48 8b 85 00 ff ff ff 4c 8b 68 40
RSP: 0018:ffff88808ab5f8a8 EFLAGS: 00010207
RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffff81e27f21
RDX: 0000000000000000 RSI: ffffffff81e27c43 RDI: 000000000000002f
RBP: ffff88808ab5f9d0 R08: ffff88809edd4280 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808ab5f9a8
R13: 0000000000000000 R14: 0000000000000c78 R15: dffffc0000000000
FS:  00007f69a6d18700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fec12a1fdb8 CR3: 00000000a1190000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
* Re: general protection fault in __dentry_path
From: Tetsuo Handa @ 2019-01-30 13:49 UTC
To: kvm
Cc: syzbot, syzkaller-bugs, viro

This report should be sent to KVM people.

I guess that a lack of serialization between kvm_create_vm_debugfs() from
kvm_dev_ioctl_create_vm() and kvm_destroy_vm_debugfs() from kvm_destroy_vm()
is causing a race on kvm->debugfs_dentry when kvm_uevent_notify_change()
called dentry_path_raw(kvm->debugfs_dentry).

On 2019/01/30 20:32, syzbot wrote:
> syzbot has found a reproducer for the following crash on:
> 
> HEAD commit:    02495e76ded5 Add linux-next specific files for 20190130
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=106161ef400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a2b2e9c0bc43c14d
> dashboard link: https://syzkaller.appspot.com/bug?extid=7857962b4d45e602b8ad
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1182e5b8c00000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com
> 
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 8239 Comm: syz-executor4 Not tainted 5.0.0-rc4-next-20190130 #22
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:__dentry_path+0x2a5/0xaa0 fs/d_path.c:344
> Code: 00 00 e8 1e 9d 9f ff 48 c7 c7 68 26 81 89 e8 72 c4 14 06 e8 0d 9d 9f ff 48 8b 85 00 ff ff ff 48 8d 78 40 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b0 07 00 00 48 8b 85 00 ff ff ff 4c 8b 68 40
> RSP: 0018:ffff88808ab5f8a8 EFLAGS: 00010207
> RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffff81e27f21
> RDX: 0000000000000000 RSI: ffffffff81e27c43 RDI: 000000000000002f
> RBP: ffff88808ab5f9d0 R08: ffff88809edd4280 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808ab5f9a8
> R13: 0000000000000000 R14: 0000000000000c78 R15: dffffc0000000000
> FS:  00007f69a6d18700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000000144a008 CR3: 00000000a1190000 CR4: 00000000001426f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  dentry_path_raw+0x26/0x30 fs/d_path.c:371
>  kvm_uevent_notify_change.part.0+0x213/0x440 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4050
>  kvm_uevent_notify_change arch/x86/kvm/../../../virt/kvm/kvm_main.c:4017 [inline]
>  kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3355 [inline]
>  kvm_dev_ioctl+0x137a/0x1a60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3377
>  vfs_ioctl fs/ioctl.c:46 [inline]
>  file_ioctl fs/ioctl.c:509 [inline]
>  do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696
>  ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
>  __do_sys_ioctl fs/ioctl.c:720 [inline]
>  __se_sys_ioctl fs/ioctl.c:718 [inline]
>  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
>  do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x458089
> Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f69a6d17c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458089
> RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000006
> RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f69a6d186d4
> R13: 00000000004c0bcf R14: 00000000004d2890 R15: 00000000ffffffff
> Modules linked in:
> ---[ end trace c2b508264c762aae ]---
> RIP: 0010:__dentry_path+0x2a5/0xaa0 fs/d_path.c:344
> Code: 00 00 e8 1e 9d 9f ff 48 c7 c7 68 26 81 89 e8 72 c4 14 06 e8 0d 9d 9f ff 48 8b 85 00 ff ff ff 48 8d 78 40 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b0 07 00 00 48 8b 85 00 ff ff ff 4c 8b 68 40
> RSP: 0018:ffff88808ab5f8a8 EFLAGS: 00010207
> RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffff81e27f21
> RDX: 0000000000000000 RSI: ffffffff81e27c43 RDI: 000000000000002f
> RBP: ffff88808ab5f9d0 R08: ffff88809edd4280 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808ab5f9a8
> R13: 0000000000000000 R14: 0000000000000c78 R15: dffffc0000000000
> FS:  00007f69a6d18700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fec12a1fdb8 CR3: 00000000a1190000 CR4: 00000000001426f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> 
* Re: general protection fault in __dentry_path
From: syzbot @ 2019-02-21 4:14 UTC
To: kvm, linux-fsdevel, linux-kernel, penguin-kernel, syzkaller-bugs, viro

syzbot has found a reproducer for the following crash on:

HEAD commit:    2137397c92ae Merge tag 'sound-5.0' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1270bf78c00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7132344728e7ec3f
dashboard link: https://syzkaller.appspot.com/bug?extid=7857962b4d45e602b8ad
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=150bee14c00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12f401d4c00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12576 Comm: syz-executor696 Not tainted 5.0.0-rc7+ #81
kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__dentry_path+0x49e/0x7c0 fs/d_path.c:344
Code: 89 fc 41 83 e4 01 44 89 e6 e8 fe e4 b2 ff 45 84 e4 0f 85 04 02 00 00 e8 b0 e3 b2 ff 48 8b 85 18 ff ff ff 44 89 bd 40 ff ff ff <80> 38 00 0f 85 f9 02 00 00 48 8b 85 38 ff ff ff 41 83 e7 01 44 89
kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path = '/devices/virtual/misc/kvm'
RSP: 0018:ffff888096127c58 EFLAGS: 00010293
RAX: dffffc0000000005 RBX: 0000000000000000 RCX: ffffffff81bcfdc2
RDX: 0000000000000000 RSI: ffffffff81bcfdd0 RDI: 0000000000000001
RBP: ffff888096127d48 R08: ffff88809b17c540 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888096127d20 R14: ffff888092473afe R15: 0000000000014e78
FS:  0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f7fe4b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000080fb028 CR3: 000000009de68000 CR4: 00000000001426f0
kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
Call Trace:
kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path = '/devices/virtual/misc/kvm'
 dentry_path_raw+0x26/0x30 fs/d_path.c:371
 kvm_uevent_notify_change.part.0+0x213/0x440 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4051
 kvm_uevent_notify_change arch/x86/kvm/../../../virt/kvm/kvm_main.c:4018 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3356 [inline]
 kvm_dev_ioctl+0x1132/0x1750 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3378
 __do_compat_sys_ioctl fs/compat_ioctl.c:1052 [inline]
 __se_compat_sys_ioctl fs/compat_ioctl.c:998 [inline]
 __ia32_compat_sys_ioctl+0x197/0x620 fs/compat_ioctl.c:998
 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
 do_fast_syscall_32+0x281/0xc98 arch/x86/entry/common.c:397
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fe8869
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f7fe41fc EFLAGS: 00000293 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000000ae01
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000003d0f00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 4fe494385b47fe74 ]---
kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
RIP: 0010:__dentry_path+0x49e/0x7c0 fs/d_path.c:344
Code: 89 fc 41 83 e4 01 44 89 e6 e8 fe e4 b2 ff 45 84 e4 0f 85 04 02 00 00 e8 b0 e3 b2 ff 48 8b 85 18 ff ff ff 44 89 bd 40 ff ff ff <80> 38 00 0f 85 f9 02 00 00 48 8b 85 38 ff ff ff 41 83 e7 01 44 89
RSP: 0018:ffff888096127c58 EFLAGS: 00010293
RAX: dffffc0000000005 RBX: 0000000000000000 RCX: ffffffff81bcfdc2
RDX: 0000000000000000 RSI: ffffffff81bcfdd0 RDI: 0000000000000001
RBP: ffff888096127d48 R08: ffff88809b17c540 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888096127d20 R14: ffff888092473afe R15: 0000000000014e78
kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path = '/devices/virtual/misc/kvm'
FS:  0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f7fe4b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000080fb038 CR3: 000000009de68000 CR4: 00000000001426f0
* Re: general protection fault in __dentry_path
From: Eric Biggers @ 2019-02-26 19:19 UTC
To: Greg Kroah-Hartman, kvm
Cc: syzbot, linux-fsdevel, linux-kernel, penguin-kernel, syzkaller-bugs, viro

On Wed, Feb 20, 2019 at 08:14:03PM -0800, syzbot wrote:
> syzbot has found a reproducer for the following crash on:
> 
> HEAD commit:    2137397c92ae Merge tag 'sound-5.0' of git://git.kernel.org..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1270bf78c00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=7132344728e7ec3f
> dashboard link: https://syzkaller.appspot.com/bug?extid=7857962b4d45e602b8ad
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> userspace arch: i386
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=150bee14c00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12f401d4c00000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com
> 
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 12576 Comm: syz-executor696 Not tainted 5.0.0-rc7+ #81
> kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:__dentry_path+0x49e/0x7c0 fs/d_path.c:344
> Code: 89 fc 41 83 e4 01 44 89 e6 e8 fe e4 b2 ff 45 84 e4 0f 85 04 02 00 00
> e8 b0 e3 b2 ff 48 8b 85 18 ff ff ff 44 89 bd 40 ff ff ff <80> 38 00 0f 85 f9
> 02 00 00 48 8b 85 38 ff ff ff 41 83 e7 01 44 89
> kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path =
> '/devices/virtual/misc/kvm'
> RSP: 0018:ffff888096127c58 EFLAGS: 00010293
> RAX: dffffc0000000005 RBX: 0000000000000000 RCX: ffffffff81bcfdc2
> RDX: 0000000000000000 RSI: ffffffff81bcfdd0 RDI: 0000000000000001
> RBP: ffff888096127d48 R08: ffff88809b17c540 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: ffff888096127d20 R14: ffff888092473afe R15: 0000000000014e78
> FS:  0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f7fe4b40
> CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> CR2: 00000000080fb028 CR3: 000000009de68000 CR4: 00000000001426f0
> kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
> Call Trace:
> kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path =
> '/devices/virtual/misc/kvm'
>  dentry_path_raw+0x26/0x30 fs/d_path.c:371
>  kvm_uevent_notify_change.part.0+0x213/0x440
> arch/x86/kvm/../../../virt/kvm/kvm_main.c:4051
>  kvm_uevent_notify_change arch/x86/kvm/../../../virt/kvm/kvm_main.c:4018
> [inline]
>  kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3356
> [inline]
>  kvm_dev_ioctl+0x1132/0x1750 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3378
>  __do_compat_sys_ioctl fs/compat_ioctl.c:1052 [inline]
>  __se_compat_sys_ioctl fs/compat_ioctl.c:998 [inline]
>  __ia32_compat_sys_ioctl+0x197/0x620 fs/compat_ioctl.c:998
>  do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
>  do_fast_syscall_32+0x281/0xc98 arch/x86/entry/common.c:397
>  entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
> RIP: 0023:0xf7fe8869
> Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90
> 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90
> 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
> RSP: 002b:00000000f7fe41fc EFLAGS: 00000293 ORIG_RAX: 0000000000000036
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000000ae01
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: 00000000003d0f00 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> Modules linked in:
> ---[ end trace 4fe494385b47fe74 ]---
> kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
> RIP: 0010:__dentry_path+0x49e/0x7c0 fs/d_path.c:344
> Code: 89 fc 41 83 e4 01 44 89 e6 e8 fe e4 b2 ff 45 84 e4 0f 85 04 02 00 00
> e8 b0 e3 b2 ff 48 8b 85 18 ff ff ff 44 89 bd 40 ff ff ff <80> 38 00 0f 85 f9
> 02 00 00 48 8b 85 38 ff ff ff 41 83 e7 01 44 89
> RSP: 0018:ffff888096127c58 EFLAGS: 00010293
> RAX: dffffc0000000005 RBX: 0000000000000000 RCX: ffffffff81bcfdc2
> RDX: 0000000000000000 RSI: ffffffff81bcfdd0 RDI: 0000000000000001
> RBP: ffff888096127d48 R08: ffff88809b17c540 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: ffff888096127d20 R14: ffff888092473afe R15: 0000000000014e78
> kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path =
> '/devices/virtual/misc/kvm'
> FS:  0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f7fe4b40
> CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> CR2: 00000000080fb038 CR3: 000000009de68000 CR4: 00000000001426f0
> 

Hi Greg, this started happening with:

commit ff9fb72bc07705c00795ca48631f7fffe24d2c6b (HEAD)
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Jan 23 11:28:14 2019 +0100

    debugfs: return error values, not NULL

But virt/kvm/kvm_main.c still checks for NULL:

	if (kvm->debugfs_dentry) {
		char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);

		if (p) {
			tmp = dentry_path_raw(kvm->debugfs_dentry, p, PATH_MAX);
			if (!IS_ERR(tmp))
				add_uevent_var(env, "STATS_PATH=%s", tmp);
			kfree(p);
		}
	}

... and sometimes kvm->debugfs_dentry = ERR_PTR(-EEXIST).

- Eric
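The failure mode Eric describes, as an added userspace example that is neither code from this thread nor from the kernel: the ERR_PTR()/IS_ERR() helpers are reproduced from include/linux/err.h, while mock_debugfs_create_dir(), the dentry table and the struct kvm below are assumed stand-ins for debugfs and KVM internals. Under the NULL-on-failure contract that debugfs had before ff9fb72bc077, a plain non-NULL test is sufficient; once the API returns ERR_PTR(-EEXIST) for a second VM directory with the same name, the same test lets an error pointer through, which is exactly what IS_ERR_OR_NULL() catches. The last helper applies the same arithmetic to the linux-next oopses above: the bytes just before the fault decode to `lea 0x40(%rax),%rdi` on the loaded dentry pointer followed by a KASAN shadow probe, and both of those dumps show RDI = 0x2f, so the pointer was 0x2f - 0x40 = -17 = -EEXIST (the upstream dump's RAX = dffffc0000000005 is the shadow address of that same 0x2f byte).

```c
/*
 * Added example, not code from this thread or from the kernel: a userspace
 * model of the contract change Eric identified. The ERR_PTR helpers follow
 * include/linux/err.h; mock_debugfs_create_dir(), the dentry table and
 * struct kvm are assumed stand-ins for debugfs and KVM internals.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
/* Error pointers occupy the top MAX_ERRNO bytes of the address space. */
static inline bool IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}
static inline bool IS_ERR_OR_NULL(const void *ptr)
{
	return !ptr || IS_ERR(ptr);
}

struct dentry { char name[32]; };
struct kvm { struct dentry *debugfs_dentry; };

/* Constructed stand-in for the debugfs namespace: one directory per VM. */
#define MAX_DIRS 4
static struct dentry dir_table[MAX_DIRS];
static int dir_count;

/*
 * Stand-in for debugfs_create_dir(). errptr_api == false models debugfs
 * before ff9fb72bc077 (NULL on any failure); true models it afterwards
 * (ERR_PTR(-EEXIST) for a duplicate name, ERR_PTR(-ENOMEM) when full).
 */
static struct dentry *mock_debugfs_create_dir(const char *name, bool errptr_api)
{
	for (int i = 0; i < dir_count; i++)
		if (strcmp(dir_table[i].name, name) == 0)
			return errptr_api ? ERR_PTR(-EEXIST) : NULL;
	if (dir_count == MAX_DIRS)
		return errptr_api ? ERR_PTR(-ENOMEM) : NULL;
	struct dentry *d = &dir_table[dir_count++];
	snprintf(d->name, sizeof d->name, "%s", name);
	return d;
}

/* Like kvm_create_vm_debugfs(): the per-VM directory is named by pid, so a
 * second VM created by the same process collides with the first one. */
static struct kvm create_vm(int pid, bool errptr_api)
{
	char name[16];
	snprintf(name, sizeof name, "%d", pid);
	return (struct kvm){ .debugfs_dentry = mock_debugfs_create_dir(name, errptr_api) };
}

/* The check the patch removes: an error pointer is non-NULL, so it passes. */
static bool old_check_allows_deref(const struct kvm *kvm)
{
	return kvm->debugfs_dentry != NULL;
}

/* The check the patch adds: NULL and error pointers are both rejected. */
static bool new_check_allows_deref(const struct kvm *kvm)
{
	return !IS_ERR_OR_NULL(kvm->debugfs_dentry);
}

/* Consumer in the shape of kvm_uevent_notify_change(), hardened form only:
 * dereferencing ERR_PTR(-EEXIST) here would fault as it did in __dentry_path. */
static const char *stats_path(const struct kvm *kvm, char *buf, size_t len)
{
	if (!new_check_allows_deref(kvm))
		return NULL;
	snprintf(buf, len, "/kvm/%s", kvm->debugfs_dentry->name);
	return buf;
}

/* Oops triage: __dentry_path faulted right after lea 0x40(%rax),%rdi on the
 * dentry pointer, so rdi minus the field offset recovers the errno. */
static long errno_from_faulting_lea(uint64_t rdi, uint64_t field_offset)
{
	return (long)(rdi - field_offset);
}

int main(void)
{
	char buf[64];
	struct kvm a = create_vm(1234, true);
	struct kvm b = create_vm(1234, true); /* same pid: duplicate directory */

	printf("first VM : STATS_PATH=%s\n", stats_path(&a, buf, sizeof buf));
	printf("second VM: %s errno=%ld old_check=%d new_check=%d\n",
	       IS_ERR(b.debugfs_dentry) ? "ERR_PTR" : "valid",
	       PTR_ERR(b.debugfs_dentry),
	       old_check_allows_deref(&b), new_check_allows_deref(&b));
	printf("oops RDI=0x2f decodes to errno %ld\n",
	       errno_from_faulting_lea(0x2f, 0x40));
	return 0;
}
```

The point to take from the two check functions is that an API which switches from returning NULL to returning ERR_PTR() on failure silently breaks every `if (ptr)` caller, and the compiler gives no warning, because an error pointer is a perfectly valid non-NULL value; the only defence is to audit callers for IS_ERR_OR_NULL() when such a contract changes, or to normalise the stored value at the single assignment site.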
* Re: general protection fault in __dentry_path
From: Greg Kroah-Hartman @ 2019-02-27 8:38 UTC
To: Eric Biggers
Cc: kvm, syzbot, linux-fsdevel, linux-kernel, penguin-kernel, syzkaller-bugs, viro

On Tue, Feb 26, 2019 at 11:19:33AM -0800, Eric Biggers wrote:
> On Wed, Feb 20, 2019 at 08:14:03PM -0800, syzbot wrote:
> > syzbot has found a reproducer for the following crash on:
> > 
> > HEAD commit:    2137397c92ae Merge tag 'sound-5.0' of git://git.kernel.org..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1270bf78c00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=7132344728e7ec3f
> > dashboard link: https://syzkaller.appspot.com/bug?extid=7857962b4d45e602b8ad
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > userspace arch: i386
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=150bee14c00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12f401d4c00000
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com
> > 
> > kasan: CONFIG_KASAN_INLINE enabled
> > kasan: GPF could be caused by NULL-ptr deref or user memory access
> > general protection fault: 0000 [#1] PREEMPT SMP KASAN
> > CPU: 0 PID: 12576 Comm: syz-executor696 Not tainted 5.0.0-rc7+ #81
> > kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > RIP: 0010:__dentry_path+0x49e/0x7c0 fs/d_path.c:344
> > Code: 89 fc 41 83 e4 01 44 89 e6 e8 fe e4 b2 ff 45 84 e4 0f 85 04 02 00 00
> > e8 b0 e3 b2 ff 48 8b 85 18 ff ff ff 44 89 bd 40 ff ff ff <80> 38 00 0f 85 f9
> > 02 00 00 48 8b 85 38 ff ff ff 41 83 e7 01 44 89
> > kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path =
> > '/devices/virtual/misc/kvm'
> > RSP: 0018:ffff888096127c58 EFLAGS: 00010293
> > RAX: dffffc0000000005 RBX: 0000000000000000 RCX: ffffffff81bcfdc2
> > RDX: 0000000000000000 RSI: ffffffff81bcfdd0 RDI: 0000000000000001
> > RBP: ffff888096127d48 R08: ffff88809b17c540 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > R13: ffff888096127d20 R14: ffff888092473afe R15: 0000000000014e78
> > FS:  0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f7fe4b40
> > CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> > CR2: 00000000080fb028 CR3: 000000009de68000 CR4: 00000000001426f0
> > kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
> > Call Trace:
> > kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path =
> > '/devices/virtual/misc/kvm'
> >  dentry_path_raw+0x26/0x30 fs/d_path.c:371
> >  kvm_uevent_notify_change.part.0+0x213/0x440
> > arch/x86/kvm/../../../virt/kvm/kvm_main.c:4051
> >  kvm_uevent_notify_change arch/x86/kvm/../../../virt/kvm/kvm_main.c:4018
> > [inline]
> >  kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3356
> > [inline]
> >  kvm_dev_ioctl+0x1132/0x1750 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3378
> >  __do_compat_sys_ioctl fs/compat_ioctl.c:1052 [inline]
> >  __se_compat_sys_ioctl fs/compat_ioctl.c:998 [inline]
> >  __ia32_compat_sys_ioctl+0x197/0x620 fs/compat_ioctl.c:998
> >  do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
> >  do_fast_syscall_32+0x281/0xc98 arch/x86/entry/common.c:397
> >  entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
> > RIP: 0023:0xf7fe8869
> > Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90
> > 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90
> > 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
> > RSP: 002b:00000000f7fe41fc EFLAGS: 00000293 ORIG_RAX: 0000000000000036
> > RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000000ae01
> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> > RBP: 00000000003d0f00 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> > Modules linked in:
> > ---[ end trace 4fe494385b47fe74 ]---
> > kobject: 'kvm' (00000000985ff3e6): kobject_uevent_env
> > RIP: 0010:__dentry_path+0x49e/0x7c0 fs/d_path.c:344
> > Code: 89 fc 41 83 e4 01 44 89 e6 e8 fe e4 b2 ff 45 84 e4 0f 85 04 02 00 00
> > e8 b0 e3 b2 ff 48 8b 85 18 ff ff ff 44 89 bd 40 ff ff ff <80> 38 00 0f 85 f9
> > 02 00 00 48 8b 85 38 ff ff ff 41 83 e7 01 44 89
> > RSP: 0018:ffff888096127c58 EFLAGS: 00010293
> > RAX: dffffc0000000005 RBX: 0000000000000000 RCX: ffffffff81bcfdc2
> > RDX: 0000000000000000 RSI: ffffffff81bcfdd0 RDI: 0000000000000001
> > RBP: ffff888096127d48 R08: ffff88809b17c540 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > R13: ffff888096127d20 R14: ffff888092473afe R15: 0000000000014e78
> > kobject: 'kvm' (00000000985ff3e6): fill_kobj_path: path =
> > '/devices/virtual/misc/kvm'
> > FS:  0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f7fe4b40
> > CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> > CR2: 00000000080fb038 CR3: 000000009de68000 CR4: 00000000001426f0
> > 
> 
> Hi Greg, this started happening with:
> 
> commit ff9fb72bc07705c00795ca48631f7fffe24d2c6b (HEAD)
> Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Date:   Wed Jan 23 11:28:14 2019 +0100
> 
>     debugfs: return error values, not NULL
> 
> But virt/kvm/kvm_main.c still checks for NULL:
> 
> 	if (kvm->debugfs_dentry) {
> 		char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);
> 
> 		if (p) {
> 			tmp = dentry_path_raw(kvm->debugfs_dentry, p, PATH_MAX);
> 			if (!IS_ERR(tmp))
> 				add_uevent_var(env, "STATS_PATH=%s", tmp);
> 			kfree(p);
> 		}
> 	}
> 
> ... and sometimes kvm->debugfs_dentry = ERR_PTR(-EEXIST).

Ugh, thanks for the notification.  I'll make a fix for this after my
coffee kicks in this morning...

greg k-h
* [PATCH] kvm: properly check debugfs dentry before using it
From: Greg Kroah-Hartman @ 2019-02-28 15:08 UTC
To: Paolo Bonzini, Radim Krčmář, Eric Biggers
Cc: kvm, syzbot, linux-fsdevel, linux-kernel, penguin-kernel, syzkaller-bugs, viro

debugfs can now report an error code if something went wrong instead of
just NULL.  So if the return value is to be used as a "real" dentry, it
needs to be checked if it is an error before dereferencing it.

This is now happening because of ff9fb72bc077 ("debugfs: return error
values, not NULL").  syzbot has found a way to trigger multiple debugfs
files attempting to be created, which fails, and then the error code
gets passed to dentry_path_raw() which obviously does not like it.

Reported-by: Eric Biggers <ebiggers@kernel.org>
Reported-and-tested-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: kvm@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---

Paolo, this should be merged into 5.0-final, and if not there, then
5.1-rc1 and then backported to 5.0 through the stable tree.  If you
want me to send this to Linus, I will be glad to do so.


diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 585845203db8..076bc38963bf 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4044,7 +4044,7 @@ static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm)
 	}
 	add_uevent_var(env, "PID=%d", kvm->userspace_pid);
 
-	if (kvm->debugfs_dentry) {
+	if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
 		char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);
 
 		if (p) {
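Review bot: the IS_ERR_OR_NULL() test in the `if (kvm->debugfs_dentry)` hunk stops the dereference at this one consumer, but kvm->debugfs_dentry still stores the ERR_PTR(-EEXIST) that Eric traced to the duplicate directory, so every other reader of that field needs the same guard, or the field should be set to NULL where kvm_create_vm_debugfs() assigns it so that the plain `if (ptr)` idiom stays safe everywhere; the commit message could also state the observable effect, that a VM whose debugfs directory failed to create now emits its uevent without STATS_PATH rather than crashing, and that "multiple debugfs files" is really the per-VM directory colliding on a second KVM_CREATE_VM from the same process.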
* Re: [PATCH] kvm: properly check debugfs dentry before using it 2019-02-28 15:08 ` [PATCH] kvm: properly check debugfs dentry before using it Greg Kroah-Hartman @ 2019-02-28 15:14 ` Paolo Bonzini 2019-02-28 15:32 ` Greg Kroah-Hartman 0 siblings, 1 reply; 9+ messages in thread From: Paolo Bonzini @ 2019-02-28 15:14 UTC (permalink / raw) To: Greg Kroah-Hartman, Radim Krčmář, Eric Biggers Cc: kvm, syzbot, linux-fsdevel, linux-kernel, penguin-kernel, syzkaller-bugs, viro On 28/02/19 16:08, Greg Kroah-Hartman wrote: > debugfs can now report an error code if something went wrong instead of > just NULL. So if the return value is to be used as a "real" dentry, it > needs to be checked if it is an error before dereferencing it. > > This is now happening because of ff9fb72bc077 ("debugfs: return error > values, not NULL"). syzbot has found a way to trigger multiple debugfs > files attempting to be created, which fails, and then the error code > gets passed to dentry_path_raw() which obviously does not like it. > > Reported-by: Eric Biggers <ebiggers@kernel.org> > Reported-and-tested-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com > Cc: Paolo Bonzini <pbonzini@redhat.com> > Cc: "Radim Krčmář" <rkrcmar@redhat.com> > Cc: kvm@vger.kernel.org > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > --- > > Paolo, this should be merged into 5.0-final, and if not there, then > 5.1-rc1 and then backported to 5.0 through the stable tree. If you > want me to send this to Linus, I will be glad to do so. > > > diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c > index 585845203db8..076bc38963bf 100644 > --- a/virt/kvm/kvm_main.c > +++ b/virt/kvm/kvm_main.c 
> @@ -4044,7 +4044,7 @@ static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm) > } > add_uevent_var(env, "PID=%d", kvm->userspace_pid); > > - if (kvm->debugfs_dentry) { > + if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) { > char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL); > > if (p) { > Sure, go ahead. Acked-by: Paolo Bonzini <pbonzini@redhat.com> Paolo ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] kvm: properly check debugfs dentry before using it 2019-02-28 15:14 ` Paolo Bonzini @ 2019-02-28 15:32 ` Greg Kroah-Hartman 0 siblings, 0 replies; 9+ messages in thread From: Greg Kroah-Hartman @ 2019-02-28 15:32 UTC (permalink / raw) To: Paolo Bonzini Cc: Radim Krčmář, Eric Biggers, kvm, syzbot, linux-fsdevel, linux-kernel, penguin-kernel, syzkaller-bugs, viro On Thu, Feb 28, 2019 at 04:14:50PM +0100, Paolo Bonzini wrote: > On 28/02/19 16:08, Greg Kroah-Hartman wrote: > > debugfs can now report an error code if something went wrong instead of > > just NULL. So if the return value is to be used as a "real" dentry, it > > needs to be checked if it is an error before dereferencing it. > > > > This is now happening because of ff9fb72bc077 ("debugfs: return error > > values, not NULL"). syzbot has found a way to trigger multiple debugfs > > files attempting to be created, which fails, and then the error code > > gets passed to dentry_path_raw() which obviously does not like it. > > > > Reported-by: Eric Biggers <ebiggers@kernel.org> > > Reported-and-tested-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com > > Cc: Paolo Bonzini <pbonzini@redhat.com> > > Cc: "Radim Krčmář" <rkrcmar@redhat.com> > > Cc: kvm@vger.kernel.org > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > > > --- > > > > Paolo, this should be merged into 5.0-final, and if not there, then > > 5.1-rc1 and then backported to 5.0 through the stable tree. If you > > want me to send this to Linus, I will be glad to do so. > > > > > > diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c > > index 585845203db8..076bc38963bf 100644 > > --- a/virt/kvm/kvm_main.c > > +++ b/virt/kvm/kvm_main.c 
> > @@ -4044,7 +4044,7 @@ static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm) > > } > > add_uevent_var(env, "PID=%d", kvm->userspace_pid); > > > > - if (kvm->debugfs_dentry) { > > + if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) { > > char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL); > > > > if (p) { > > > > Sure, go ahead. > > Acked-by: Paolo Bonzini <pbonzini@redhat.com> Wonderful, will do so right now, thanks! greg k-h ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2019-02-28 15:32 UTC | newest]

Thread overview: 9+ messages
2019-01-30 10:35 general protection fault in __dentry_path syzbot
2019-01-30 11:32 ` syzbot
2019-01-30 13:49 ` Tetsuo Handa
2019-02-21 4:14 ` syzbot
2019-02-26 19:19 ` Eric Biggers
2019-02-27 8:38 ` Greg Kroah-Hartman
2019-02-28 15:08 ` [PATCH] kvm: properly check debugfs dentry before using it Greg Kroah-Hartman
2019-02-28 15:14 ` Paolo Bonzini
2019-02-28 15:32 ` Greg Kroah-Hartman