* [syzbot] [fs?] KASAN: null-ptr-deref Read in ida_free (3)
@ 2023-03-30  0:28 syzbot
  2023-03-30  6:22 ` Christian Brauner
  0 siblings, 1 reply; 6+ messages in thread
From: syzbot @ 2023-03-30  0:28 UTC (permalink / raw)
  To: brauner, linux-fsdevel, linux-kernel, syzkaller-bugs, viro

Hello,

syzbot found the following issue on:

HEAD commit:    da8e7da11e4b Merge tag 'nfsd-6.3-4' of git://git.kernel.or..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1266331ec80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=acdb62bf488a8fe5
dashboard link: https://syzkaller.appspot.com/bug?extid=8ac3859139c685c4f597
compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11639815c80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12128b1ec80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/62e9c5f4bead/disk-da8e7da1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c11aa933e2a7/vmlinux-da8e7da1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7a21bdd49c84/bzImage-da8e7da1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8ac3859139c685c4f597@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: null-ptr-deref in ida_free+0x1b9/0x400 lib/idr.c:511
Read of size 8 at addr 0000000000000000 by task syz-executor237/5830

CPU: 1 PID: 5830 Comm: syz-executor237 Not tainted 6.3.0-rc3-syzkaller-00338-gda8e7da11e4b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_report+0xe6/0x540 mm/kasan/report.c:433
 kasan_report+0x176/0x1b0 mm/kasan/report.c:536
 kasan_check_range+0x283/0x290 mm/kasan/generic.c:187
 instrument_atomic_read include/linux/instrumented.h:72 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 ida_free+0x1b9/0x400 lib/idr.c:511
 mnt_release_group_id fs/namespace.c:160 [inline]
 cleanup_group_ids fs/namespace.c:2093 [inline]
 do_mount_setattr fs/namespace.c:4188 [inline]
 __do_sys_mount_setattr fs/namespace.c:4375 [inline]
 __se_sys_mount_setattr+0xc44/0x1b00 fs/namespace.c:4334
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7efc4b190919
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efc4b142318 EFLAGS: 00000246 ORIG_RAX: 00000000000001ba
RAX: ffffffffffffffda RBX: 00007efc4b2183e8 RCX: 00007efc4b190919
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00007efc4b2183e0 R08: 0000000000000020 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 0030656c69662f2e
R13: 00007ffe5a122bdf R14: 00007efc4b142400 R15: 0000000000022000
 </TASK>
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: [syzbot] [fs?] KASAN: null-ptr-deref Read in ida_free (3)
  2023-03-30  0:28 [syzbot] [fs?] KASAN: null-ptr-deref Read in ida_free (3) syzbot
@ 2023-03-30  6:22 ` Christian Brauner
  2023-03-30  6:52   ` syzbot
  0 siblings, 1 reply; 6+ messages in thread
From: Christian Brauner @ 2023-03-30  6:22 UTC (permalink / raw)
  To: syzbot; +Cc: linux-fsdevel, linux-kernel, syzkaller-bugs, viro

On Wed, Mar 29, 2023 at 05:28:55PM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    da8e7da11e4b Merge tag 'nfsd-6.3-4' of git://git.kernel.or..
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1266331ec80000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=acdb62bf488a8fe5
> dashboard link: https://syzkaller.appspot.com/bug?extid=8ac3859139c685c4f597
> compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11639815c80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12128b1ec80000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/62e9c5f4bead/disk-da8e7da1.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/c11aa933e2a7/vmlinux-da8e7da1.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/7a21bdd49c84/bzImage-da8e7da1.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8ac3859139c685c4f597@syzkaller.appspotmail.com

This bug deserves a #include <asm-generic/bitops/ffs.h>.

In any case, it might just be advisable to hold namespace_lock() while
cleaning up peer group ids...

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping.git b4/vfs-mount_setattr-propagation-fix


* Re: [syzbot] [fs?] KASAN: null-ptr-deref Read in ida_free (3)
  2023-03-30  6:22 ` Christian Brauner
@ 2023-03-30  6:52   ` syzbot
  2023-03-30  7:13     ` [PATCH] fs: drop peer group ids under namespace lock Christian Brauner
  0 siblings, 1 reply; 6+ messages in thread
From: syzbot @ 2023-03-30  6:52 UTC (permalink / raw)
  To: brauner, linux-fsdevel, linux-kernel, syzkaller-bugs, viro

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+8ac3859139c685c4f597@syzkaller.appspotmail.com

Tested on:

commit:         07cd4f12 fs: drop peer group ids under namespace lock
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping.git b4/vfs-mount_setattr-propagation-fix
console output: https://syzkaller.appspot.com/x/log.txt?x=163d4771c80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9c35b3803e5ad668
dashboard link: https://syzkaller.appspot.com/bug?extid=8ac3859139c685c4f597
compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.


* [PATCH] fs: drop peer group ids under namespace lock
  2023-03-30  6:52   ` syzbot
@ 2023-03-30  7:13     ` Christian Brauner
  2023-03-31 10:36       ` Christian Brauner
  0 siblings, 1 reply; 6+ messages in thread
From: Christian Brauner @ 2023-03-30  7:13 UTC (permalink / raw)
  To: linux-fsdevel
  Cc: linux-kernel, syzkaller-bugs, viro, syzbot+8ac3859139c685c4f597,
	stable, Christian Brauner

When cleaning up peer group ids in the failure path we need to make sure
to hold on to the namespace lock. Otherwise another thread might just
turn the mount from a shared into a non-shared mount concurrently.

Reported-by: syzbot+8ac3859139c685c4f597@syzkaller.appspotmail.com
Link: https://lore.kernel.org/lkml/00000000000088694505f8132d77@google.com
Fixes: 2a1867219c7b ("fs: add mount_setattr()")
Cc: stable@vger.kernel.org # 5.12+
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
 fs/namespace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index bc0f15257b49..6836e937ee61 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -4183,9 +4183,9 @@ static int do_mount_setattr(struct path *path, struct mount_kattr *kattr)
 	unlock_mount_hash();
 
 	if (kattr->propagation) {
-		namespace_unlock();
 		if (err)
 			cleanup_group_ids(mnt, NULL);
+		namespace_unlock();
 	}
 
 	return err;
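Review bot: the new order is correct, but the invariant it restores lives only in the commit message; nothing next to `cleanup_group_ids(mnt, NULL);` tells a later reader that peer group ids must not be released once namespace_unlock() has run, and the matching namespace_lock() sits outside this hunk. Suggest a one-line comment at the call site, or better a lockdep assertion on the namespace lock at the top of cleanup_group_ids() (or mnt_release_group_id()), so the requirement is checked at runtime instead of remembered; with that assertion in place any other caller that drops the lock too early would be caught the same way.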

---
base-commit: 197b6b60ae7bc51dd0814953c562833143b292aa
change-id: 20230330-vfs-mount_setattr-propagation-fix-363b7c59d7fb


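The race the commit message describes, as an added userspace model that is not kernel code and not part of this thread. Function names mirror fs/namespace.c but every body is simplified: one mount instead of a tree, a 64-bit bitmap instead of the IDA, a flag instead of the namespace lock, and a `preempt` hook that stands for the other CPU running in the window namespace_unlock() opens. The shape of cleanup_group_ids() (release only if `p->mnt_group_id && !IS_MNT_SHARED(p)`) and of mnt_release_group_id() (an unconditional ida_free() of whatever id the mount holds) is my reading of the 6.3 source, which this page does not show, so treat both as assumptions. With the pre-patch order the other thread can release the id and clear the shared flag between the two halves of that test, and the cleanup path then hands ida_free() a stale, already zeroed id; with the patched order the other thread is locked out until the cleanup has finished.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for mnt_group_ida: bit i set means peer group id i is in use.
 * Ids start at 1 so that 0 means "no group". Where the kernel's ida_free()
 * walks into a missing bitmap (the NULL deref in this report), the model
 * only counts a bogus free. */
struct group_ida { uint64_t bits; int bad_frees; };

static int group_id_alloc(struct group_ida *ida)
{
	for (int id = 1; id < 64; id++) {
		if (!(ida->bits & (1ULL << id))) {
			ida->bits |= 1ULL << id;
			return id;
		}
	}
	return -1;
}

static void group_id_free(struct group_ida *ida, int id)
{
	if (id < 1 || id >= 64 || !(ida->bits & (1ULL << id))) {
		ida->bad_frees++;	/* kernel: crash or WARN inside ida_free() */
		return;
	}
	ida->bits &= ~(1ULL << id);
}

struct mount { int mnt_group_id; bool shared; };	/* shared: IS_MNT_SHARED() */

struct ns_model {
	bool lock_held;		/* namespace_lock()/namespace_unlock() */
	struct group_ida ida;
	struct mount mnt;	/* one mount; the real code walks a tree */
	int deferred;		/* times thread B found the lock held */
};

/* Assumed shape of 6.3's mnt_release_group_id(): frees the current id unconditionally. */
static void mnt_release_group_id(struct ns_model *ns, struct mount *m)
{
	group_id_free(&ns->ida, m->mnt_group_id);
	m->mnt_group_id = 0;
}

/* Thread B: turn a shared mount private, always under the lock.
 * Returns false if the lock was held and B had to wait. */
static bool make_private(struct ns_model *ns)
{
	if (ns->lock_held) { ns->deferred++; return false; }
	ns->lock_held = true;
	if (ns->mnt.shared) {
		mnt_release_group_id(ns, &ns->mnt);
		ns->mnt.shared = false;
	}
	ns->lock_held = false;
	return true;
}

typedef void (*preempt_fn)(struct ns_model *);
static void preempt_make_private(struct ns_model *ns) { make_private(ns); }

/* cleanup_group_ids() for one mount. The assumed kernel test is
 * `p->mnt_group_id && !IS_MNT_SHARED(p)`; the hook stands for another CPU
 * running between those two reads. */
static void cleanup_group_ids(struct ns_model *ns, preempt_fn preempt)
{
	struct mount *p = &ns->mnt;
	int id = p->mnt_group_id;

	if (preempt) preempt(ns);
	if (id && !p->shared)
		mnt_release_group_id(ns, p);
}

/* Tail of do_mount_setattr() after the prepare step failed with
 * kattr->propagation set; `fixed` selects the post-patch ordering. */
static int do_mount_setattr_failure(struct ns_model *ns, bool fixed, preempt_fn preempt)
{
	int err = -22;			/* -EINVAL: failure assumed for the model */

	ns->lock_held = true;		/* namespace_lock() taken earlier */
	if (!fixed) {
		ns->lock_held = false;	/* old order: unlock, then clean up */
		if (err) cleanup_group_ids(ns, preempt);
	} else {
		if (err) cleanup_group_ids(ns, preempt);
		ns->lock_held = false;	/* new order: clean up, then unlock */
	}
	return err;
}

/* One interleaving: the mount starts shared with a group id, thread A
 * takes the failure path, thread B tries to make the mount private at
 * the preemption point and, if locked out, runs after A unlocks.
 * Returns the number of bogus frees the IDA saw. */
static int run_scenario(bool fixed)
{
	struct ns_model ns = { 0 };

	ns.mnt.mnt_group_id = group_id_alloc(&ns.ida);
	ns.mnt.shared = true;
	do_mount_setattr_failure(&ns, fixed, preempt_make_private);
	if (ns.deferred) make_private(&ns);
	return ns.ida.bad_frees;
}

int main(void)
{
	printf("old order: %d bogus free(s)\n", run_scenario(false));	/* 1 */
	printf("new order: %d bogus free(s)\n", run_scenario(true));	/* 0 */
	return 0;
}
```

The model is deterministic on purpose: instead of racing real threads it forces the one interleaving that matters, so the difference between the two orderings is reproducible every run. In the old order thread B completes its release inside the cleanup loop and the loop then frees id 0; in the new order B is refused the lock, the loop skips the still-shared mount, and B releases the id cleanly afterwards.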

* Re: [PATCH] fs: drop peer group ids under namespace lock
  2023-03-30  7:13     ` [PATCH] fs: drop peer group ids under namespace lock Christian Brauner
@ 2023-03-31 10:36       ` Christian Brauner
  0 siblings, 0 replies; 6+ messages in thread
From: Christian Brauner @ 2023-03-31 10:36 UTC (permalink / raw)
  To: linux-fsdevel
  Cc: Christian Brauner, linux-kernel, syzkaller-bugs, viro,
	syzbot+8ac3859139c685c4f597, stable


On Thu, 30 Mar 2023 09:13:16 +0200, Christian Brauner wrote:
> When cleaning up peer group ids in the failure path we need to make sure
> to hold on to the namespace lock. Otherwise another thread might just
> turn the mount from a shared into a non-shared mount concurrently.
> 
> 

Ok, syzbot is happy with this as well so let's get this fixed and backported,

tree: git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping.git
branch: vfs.misc.fixes
[1/1] fs: drop peer group ids under namespace lock
      commit: cb2239c198ad9fbd5aced22cf93e45562da781eb


* Re: [syzbot] [fs?] KASAN: null-ptr-deref Read in ida_free (3)
       [not found] <20230330033925.2831-1-hdanton@sina.com>
@ 2023-03-30  4:08 ` syzbot
  0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2023-03-30  4:08 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+8ac3859139c685c4f597@syzkaller.appspotmail.com

Tested on:

commit:         da8e7da1 Merge tag 'nfsd-6.3-4' of git://git.kernel.or..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=139a22b9c80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=acdb62bf488a8fe5
dashboard link: https://syzkaller.appspot.com/bug?extid=8ac3859139c685c4f597
compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1765c20dc80000

Note: testing is done by a robot and is best-effort only.

