* [syzbot] BUG: unable to handle kernel paging request in kernfs_put_active
@ 2022-09-17  2:53 syzbot
       [not found] ` <00000000000095339805e8d6958e-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 5+ messages in thread
From: syzbot @ 2022-09-17  2:53 UTC (permalink / raw)
  To: gregkh, linux-kernel, syzkaller-bugs, tj

Hello,

syzbot found the following issue on:

HEAD commit:    a6b443748715 Merge branch 'for-next/core', remote-tracking..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=17025144880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=14bf9ec0df433b27
dashboard link: https://syzkaller.appspot.com/bug?extid=258ad6d2cb6685e145bc
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=106b8164880000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1040a75d080000

Downloadable assets:
disk image: https://storage.googleapis.com/81b491dd5861/disk-a6b44374.raw.xz
vmlinux: https://storage.googleapis.com/69c979cdc99a/vmlinux-a6b44374.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+258ad6d2cb6685e145bc@syzkaller.appspotmail.com

Unable to handle kernel paging request at virtual address 004065676e6168fb
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004
  CM = 0, WnR = 0
[004065676e6168fb] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 2562 Comm: udevd Not tainted 6.0.0-rc4-syzkaller-17255-ga6b443748715 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kernfs_lockdep fs/kernfs/dir.c:43 [inline]
pc : kernfs_put_active+0x24/0x11c fs/kernfs/dir.c:449
lr : kernfs_put_active+0x20/0x11c fs/kernfs/dir.c:443
sp : ffff800015fcbc50
x29: ffff800015fcbc50 x28: ffff0000c4810000 x27: 0001000000000000
x26: 0000000000000152 x25: ffff0000c538f348 x24: ffff8000086fe770
x23: ffff0000c92e5620 x22: 0000000000000007 x21: ffff0000cbc31500
x20: ffff8000086fba20 x19: 2f4065676e616863 x18: 0000000000000000
x17: 0000000000000000 x16: ffff80000db78658 x15: ffff0000c4810000
x14: 0000000000000000 x13: 00000000ffffffff x12: ffff0000c4810000
x11: ff808000086f6a0c x10: 0000000000000000 x9 : ffff8000086f6a0c
x8 : ffff0000c4810000 x7 : ffff8000095d8f84 x6 : 0000000000000000
x5 : 0000000000000080 x4 : ffff0001fefd3740 x3 : 0000000000083500
x2 : ffff0000c8aa3000 x1 : 0000000000000000 x0 : 2f4065676e616863
Call trace:
 kernfs_put_active+0x24/0x11c fs/kernfs/dir.c:446
 kernfs_fop_write_iter+0x1fc/0x294 fs/kernfs/file.c:358
 call_write_iter include/linux/fs.h:2187 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x2dc/0x46c fs/read_write.c:578
 ksys_write+0xb4/0x160 fs/read_write.c:631
 __do_sys_write fs/read_write.c:643 [inline]
 __se_sys_write fs/read_write.c:640 [inline]
 __arm64_sys_write+0x24/0x34 fs/read_write.c:640
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:624
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
 el0t_64_sync+0x18c/0x190
Code: aa1e03f4 aa0003f3 97eea9d1 b40004f3 (79413275) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	aa1e03f4 	mov	x20, x30
   4:	aa0003f3 	mov	x19, x0
   8:	97eea9d1 	bl	0xffffffffffbaa74c
   c:	b40004f3 	cbz	x19, 0xa8
* 10:	79413275 	ldrh	w21, [x19, #152] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: [syzbot] BUG: unable to handle kernel paging request in kernfs_put_active
       [not found] ` <00000000000095339805e8d6958e-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
@ 2022-09-17 15:50   ` Tetsuo Handa
       [not found]     ` <de81bf82-3ddf-4875-381d-e52949046b25-JPay3/Yim36HaxMnTkn67Xf5DAMn2ifp@public.gmane.org>
  0 siblings, 1 reply; 5+ messages in thread
From: Tetsuo Handa @ 2022-09-17 15:50 UTC (permalink / raw)
  To: Ryusuke Konishi, linux-nilfs-u79uwXL29TY76Z2rM5mHXA
  Cc: syzbot, syzkaller-bugs-/JYPxA39Uh5TLH3MbocFFw

I don't know whether the use of a crafted filesystem image is relevant to this problem.
But I think the bug is inside the NILFS2 filesystem code.

When inode allocation fails because security_inode_alloc() returns -ENOMEM, the inode
is left in an inconsistent state. It seems to me that destroying the partially initialized
inode corrupts kernel memory (and causes various oopses depending on timing).

On 2022/09/17 11:53, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    a6b443748715 Merge branch 'for-next/core', remote-tracking..
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=17025144880000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=14bf9ec0df433b27
> dashboard link: https://syzkaller.appspot.com/bug?extid=258ad6d2cb6685e145bc
> compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=106b8164880000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1040a75d080000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/81b491dd5861/disk-a6b44374.raw.xz
> vmlinux: https://storage.googleapis.com/69c979cdc99a/vmlinux-a6b44374.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+258ad6d2cb6685e145bc-Pl5Pbv+GP7P466ipTTIvnc23WoclnBCfAL8bYrjMMd8@public.gmane.org



* Re: [syzbot] BUG: unable to handle kernel paging request in kernfs_put_active
       [not found]     ` <de81bf82-3ddf-4875-381d-e52949046b25-JPay3/Yim36HaxMnTkn67Xf5DAMn2ifp@public.gmane.org>
@ 2022-09-18  6:26       ` Tetsuo Handa
       [not found]         ` <f3b88739-148c-323c-2458-4b9d6bf9c592-JPay3/Yim36HaxMnTkn67Xf5DAMn2ifp@public.gmane.org>
  0 siblings, 1 reply; 5+ messages in thread
From: Tetsuo Handa @ 2022-09-18  6:26 UTC (permalink / raw)
  To: Ryusuke Konishi, linux-nilfs-u79uwXL29TY76Z2rM5mHXA
  Cc: syzbot, syzkaller-bugs-/JYPxA39Uh5TLH3MbocFFw

On 2022/09/18 0:50, Tetsuo Handa wrote:
> I don't know whether crafted filesystem image is used is relevant to this problem.
> But I think a bug is inside NILFS2 filesystem code.

I confirmed that the use of a crafted filesystem image is irrelevant to this problem.
You can reproduce this problem using the fault injection patch

----------
diff --git a/fs/inode.c b/fs/inode.c
index ba1de23c13c1..dfde0cadd51e 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -192,6 +192,10 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
 	inode->i_wb_frn_history = 0;
 #endif
 
+	if (!strcmp(current->comm, "my_touch")) {
+		inode->i_security = NULL;
+		goto out;
+	}
 	if (security_inode_alloc(inode))
 		goto out;
 	spin_lock_init(&inode->i_lock);
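Review bot: the injected `goto out` is taken before `spin_lock_init(&inode->i_lock)` and everything that follows it in inode_init_always(), so it leaves the inode in the same partially initialised state as the real `security_inode_alloc()` failure two lines below, which is what makes the injection a faithful stand-in for the -ENOMEM path. Because the hook is keyed on `current->comm` matching "my_touch", it is a reproduction aid only: mark it as such (a comment like `/* test-only fault injection, do not merge */` above the `if`) so it cannot travel along with an eventual fix.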
----------

and a script which uses a freshly created, clean filesystem image.

----------
cp -p /bin/touch my_touch
dd if=/dev/zero of=nilfs.img bs=134221824 count=1
mkfs.nilfs2 nilfs.img
while date; do mount -o loop -t nilfs2 nilfs.img /mnt/; ./my_touch /mnt/file; umount -d /mnt/; done
----------

For your information, use of the loop module is also irrelevant to this problem.
Since this is a memory corruption, the oops happens at a random location.

----------
root@fuzz:~/linux# fdisk -l /dev/sdb
Disk /dev/sdb: 129 MiB, 135266304 bytes, 264192 sectors
Disk model: VBOX HARDDISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
root@fuzz:~# mkfs.nilfs2 /dev/sdb
mkfs.nilfs2 (nilfs-utils 2.2.8)
Start writing file system initial data to the device
       Blocksize:4096  Device:/dev/sdb  Device Size:135266304
File system initialization succeeded !!
root@fuzz:~# while date; do mount -t nilfs2 /dev/sdb /mnt/; ./my_touch /mnt/file; umount /mnt/; done
----------

----------
[  298.082977][ T4437] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[  299.544397][ T4447] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[  300.927033][ T4457] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[  302.264135][ T4467] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[  302.321643][ T4471] ------------[ cut here ]------------
[  302.322713][ T4471] kernel BUG at arch/x86/mm/physaddr.c:23!
[  302.324231][ T4471] invalid opcode: 0000 [#1] PREEMPT SMP
[  302.325534][ T4471] CPU: 1 PID: 4471 Comm: my_touch Not tainted 6.0.0-rc5-00094-ga335366bad13-dirty #855
[  302.327840][ T4471] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  302.329932][ T4471] RIP: 0010:__phys_addr+0xe5/0xf0
[  302.331203][ T4471] Code: d5 27 00 48 c7 c7 80 38 50 86 4c 89 fe 4c 89 f2 e8 40 47 68 01 eb 9a e8 e9 d4 27 00 0f 0b e8 e2 d4 27 00 0f 0b e8 db d4 27 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 53 48 89 fb e8 c7 d4 27 00 48 81
[  302.335926][ T4471] RSP: 0018:ffffc90003a97ac0 EFLAGS: 00010293
[  302.337401][ T4471] RAX: ffffffff811b9035 RBX: 000000007fffffff RCX: ffff888106ee0000
[  302.339356][ T4471] RDX: 0000000000000000 RSI: 000000007fffffff RDI: 000000001fffffff
[  302.341314][ T4471] RBP: ffffffffffffffff R08: ffffffff811b8ff9 R09: 0000000000000c40
[  302.343242][ T4471] R10: ffffffff816d23a0 R11: ffff888106ee0000 R12: ffff888012c26000
[  302.345201][ T4471] R13: 0000000000000041 R14: ffff888011d10158 R15: 000000007fffffff
[  302.347107][ T4471] FS:  00007f50cbe78740(0000) GS:ffff888121a00000(0000) knlGS:0000000000000000
[  302.349316][ T4471] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  302.351011][ T4471] CR2: 00007f50cbd08b60 CR3: 0000000011ad4000 CR4: 00000000000506e0
[  302.353031][ T4471] Call Trace:
[  302.353868][ T4471]  <TASK>
[  302.354587][ T4471]  kfree+0x47/0x2b0
[  302.355528][ T4471]  ? nilfs_mdt_destroy+0x1c/0x30
[  302.356787][ T4471]  ? trace_kmem_cache_alloc+0x2d/0xe0
[  302.358140][ T4471]  nilfs_mdt_destroy+0x1c/0x30
[  302.359368][ T4471]  nilfs_free_inode+0x20/0x40
[  302.360466][ T4471]  ? nilfs_setup_super+0x210/0x210
[  302.361763][ T4471]  alloc_inode+0xc1/0xe0
[  302.362851][ T4471]  new_inode+0x1e/0xd0
[  302.364096][ T4471]  nilfs_new_inode+0x37/0x340
[  302.365349][ T4471]  nilfs_create+0x5a/0x150
[  302.366621][ T4471]  ? nilfs_lookup+0x90/0x90
[  302.367875][ T4471]  path_openat+0x8d4/0x1510
[  302.372812][ T4471]  do_filp_open+0xb9/0x1a0
[  302.374131][ T4471]  ? alloc_fd+0x2de/0x320
[  302.375151][ T4471]  ? do_raw_spin_unlock+0x64/0x2b0
[  302.376581][ T4471]  ? _raw_spin_unlock+0x24/0x40
[  302.377904][ T4471]  do_sys_openat2+0x9b/0x240
[  302.392326][ T4471]  __x64_sys_openat+0xcb/0xf0
[  302.406515][ T4471]  do_syscall_64+0x3d/0x90
[  302.420310][ T4471]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  302.432032][ T4471] RIP: 0033:0x7f50cbd146eb
[  302.445517][ T4471] Code: 25 00 00 41 00 3d 00 00 41 00 74 4b 64 8b 04 25 18 00 00 00 85 c0 75 67 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 91 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[  302.475988][ T4471] RSP: 002b:00007ffea2dd8af0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[  302.491286][ T4471] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f50cbd146eb
[  302.506272][ T4471] RDX: 0000000000000941 RSI: 00007ffea2dd974c RDI: 00000000ffffff9c
[  302.516526][ T4471] RBP: 00007ffea2dd974c R08: 0000000000000001 R09: 0000000000000000
[  302.532010][ T4471] R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941
[  302.547302][ T4471] R13: 0000000000000002 R14: 00007f50cbebf2e0 R15: 00007ffea2dd8de8
[  302.562739][ T4471]  </TASK>
[  302.576503][ T4471] Modules linked in:
[  302.590802][ T4471] ---[ end trace 0000000000000000 ]---
[  302.607760][ T4471] RIP: 0010:__phys_addr+0xe5/0xf0
[  302.622428][ T4471] Code: d5 27 00 48 c7 c7 80 38 50 86 4c 89 fe 4c 89 f2 e8 40 47 68 01 eb 9a e8 e9 d4 27 00 0f 0b e8 e2 d4 27 00 0f 0b e8 db d4 27 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 53 48 89 fb e8 c7 d4 27 00 48 81
[  302.653011][ T4471] RSP: 0018:ffffc90003a97ac0 EFLAGS: 00010293
[  302.667464][ T4471] RAX: ffffffff811b9035 RBX: 000000007fffffff RCX: ffff888106ee0000
[  302.682257][ T4471] RDX: 0000000000000000 RSI: 000000007fffffff RDI: 000000001fffffff
[  302.696817][ T4471] RBP: ffffffffffffffff R08: ffffffff811b8ff9 R09: 0000000000000c40
[  302.711387][ T4471] R10: ffffffff816d23a0 R11: ffff888106ee0000 R12: ffff888012c26000
[  302.725838][ T4471] R13: 0000000000000041 R14: ffff888011d10158 R15: 000000007fffffff
[  302.740693][ T4471] FS:  00007f50cbe78740(0000) GS:ffff888121a00000(0000) knlGS:0000000000000000
[  302.755595][ T4471] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  302.770509][ T4471] CR2: 00007f50cbd08b60 CR3: 0000000011ad4000 CR4: 00000000000506e0
[  302.784918][ T4471] Kernel panic - not syncing: Fatal exception
[  302.799730][ T4471] Kernel Offset: disabled
[  302.813206][ T4471] Rebooting in 10 seconds..
----------

----------
[  506.599768][ T9545] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[  508.025268][ T9555] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[  509.390901][ T9565] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[  510.763935][ T9575] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[  512.169897][ T9585] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[  513.548042][ T9595] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[  514.910318][ T9605] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[  516.279080][ T9614] BUG: kernel NULL pointer dereference, address: 00000000000001a8
[  516.294944][ T9614] #PF: supervisor read access in kernel mode
[  516.310648][ T9614] #PF: error_code(0x0000) - not-present page
[  516.326186][ T9614] PGD 8a8c9067 P4D 8a8c9067 PUD 88e9c067 PMD 0 
[  516.341907][ T9614] Oops: 0000 [#1] PREEMPT SMP
[  516.356456][ T9614] CPU: 1 PID: 9614 Comm: mount.nilfs2 Not tainted 6.0.0-rc5-00094-ga335366bad13-dirty #855
[  516.372406][ T9614] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  516.383284][ T9614] RIP: 0010:nilfs_attach_log_writer+0x2b2/0x440
[  516.397928][ T9614] Code: 35 ff 48 85 db 74 0f e8 cc b0 35 ff 49 89 9c 24 b8 02 00 00 eb 05 e8 bd b0 35 ff 4d 89 a5 28 02 00 00 49 8b 45 18 48 8b 58 30 <48> 83 bb a8 01 00 00 00 74 07 e8 9f b0 35 ff eb 16 e8 98 b0 35 ff
[  516.429611][ T9614] RSP: 0018:ffffc900112dfc98 EFLAGS: 00010293
[  516.445173][ T9614] RAX: ffffffff89de8e38 RBX: 0000000000000000 RCX: ffff88800ba43900
[  516.461654][ T9614] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  516.478266][ T9614] RBP: ffff8881035f3000 R08: ffffffff820db43a R09: 0000000000000000
[  516.494788][ T9614] R10: ffffffff82759b34 R11: ffff88800ba43900 R12: ffff88810544b000
[  516.511110][ T9614] R13: ffff8881035f3000 R14: ffff88810d501d00 R15: ffff8881035f3000
[  516.528123][ T9614] FS:  00007f6749ad1800(0000) GS:ffff888121a00000(0000) knlGS:0000000000000000
[  516.545496][ T9614] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  516.562052][ T9614] CR2: 00000000000001a8 CR3: 00000000802b2000 CR4: 00000000000506e0
[  516.579321][ T9614] Call Trace:
[  516.595390][ T9614]  <TASK>
[  516.611067][ T9614]  ? nilfs_attach_checkpoint+0x172/0x1c0
[  516.627444][ T9614]  nilfs_fill_super+0x19d/0x2c0
[  516.643529][ T9614]  nilfs_mount+0x387/0x590
[  516.659363][ T9614]  ? trace_kmalloc+0x2d/0xe0
[  516.675432][ T9614]  ? kfree+0x35/0x2b0
[  516.691383][ T9614]  ? aa_get_newest_label+0x6b/0x350
[  516.709097][ T9614]  legacy_get_tree+0x2c/0x70
[  516.724981][ T9614]  vfs_get_tree+0x2f/0x110
[  516.740205][ T9614]  do_new_mount+0x1dd/0x560
[  516.754968][ T9614]  __se_sys_mount+0x286/0x2e0
[  516.769748][ T9614]  ? syscall_enter_from_user_mode+0x2e/0x1d0
[  516.784000][ T9614]  do_syscall_64+0x3d/0x90
[  516.798686][ T9614]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  516.818489][ T9614] RIP: 0033:0x7f6749926eae
[  516.835460][ T9614] Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 52 1f 0f 00 f7 d8 64 89 01 48
[  516.869770][ T9614] RSP: 002b:00007ffd011ea2a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[  516.886854][ T9614] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6749926eae
[  516.903145][ T9614] RDX: 00000000006a0b40 RSI: 00000000006a0b60 RDI: 00000000006a0b80
[  516.919669][ T9614] RBP: 00000000006a0910 R08: 0000000000000000 R09: 00000000006a4850
[  516.935717][ T9614] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  516.952125][ T9614] R13: 00000000006a0b40 R14: 00000000006a0b80 R15: 00000000006a0910
[  516.968742][ T9614]  </TASK>
[  516.983539][ T9614] Modules linked in:
[  516.998303][ T9614] CR2: 00000000000001a8
[  517.013537][ T9614] ---[ end trace 0000000000000000 ]---
[  517.030306][ T9614] RIP: 0010:nilfs_attach_log_writer+0x2b2/0x440
[  517.045670][ T9614] Code: 35 ff 48 85 db 74 0f e8 cc b0 35 ff 49 89 9c 24 b8 02 00 00 eb 05 e8 bd b0 35 ff 4d 89 a5 28 02 00 00 49 8b 45 18 48 8b 58 30 <48> 83 bb a8 01 00 00 00 74 07 e8 9f b0 35 ff eb 16 e8 98 b0 35 ff
[  517.078650][ T9614] RSP: 0018:ffffc900112dfc98 EFLAGS: 00010293
[  517.094862][ T9614] RAX: ffffffff89de8e38 RBX: 0000000000000000 RCX: ffff88800ba43900
[  517.111291][ T9614] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  517.123443][ T9614] RBP: ffff8881035f3000 R08: ffffffff820db43a R09: 0000000000000000
[  517.139682][ T9614] R10: ffffffff82759b34 R11: ffff88800ba43900 R12: ffff88810544b000
[  517.157097][ T9614] R13: ffff8881035f3000 R14: ffff88810d501d00 R15: ffff8881035f3000
[  517.175687][ T9614] FS:  00007f6749ad1800(0000) GS:ffff888121a00000(0000) knlGS:0000000000000000
[  517.193810][ T9614] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  517.210835][ T9614] CR2: 00000000000001a8 CR3: 00000000802b2000 CR4: 00000000000506e0
[  517.228628][ T9614] Kernel panic - not syncing: Fatal exception
[  517.245269][ T9614] Kernel Offset: disabled
[  517.261513][ T9614] Rebooting in 10 seconds..
----------

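The failure Handa describes above (a partially initialized inode whose destruction corrupts memory, with the `nilfs_free_inode -> nilfs_mdt_destroy -> kfree` trace showing the filesystem's free callback running on the allocation error path) as a constructed C model, added here and not code from the thread or from the kernel. All names (`toy_inode`, `pool_alloc`, `fs_free_inode`, `init_always_vulnerable`, `init_always_hardened`) are invented stand-ins. The model assumes that the fs-private pointer of a recycled inode slot survives stale when the generic init step exits before resetting it, and that the filesystem's free callback treats a non-NULL private pointer as a metadata inode to tear down; both are the model's assumptions, not facts this thread establishes about nilfs2. A tracking allocator reports the stale free instead of letting libc crash, so both orderings can be run side by side.

```c
/* Constructed model of a destroy callback running on a partially initialised
 * object (added example, not kernel code). A cache slot is reused across two
 * inode lifetimes; the second init fails before resetting the fs-private
 * pointer, and the error path still calls the filesystem's free callback. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define ENOMEM 12
#define SLOTS 8

/* Tracking allocator: fixed slots plus a liveness bit per slot. */
static int pool[SLOTS];
static bool live[SLOTS];

static int *pool_alloc(void)
{
	for (int i = 0; i < SLOTS; i++)
		if (!live[i]) { live[i] = true; return &pool[i]; }
	return NULL;
}

/* 1 for a valid free (NULL is a no-op, like kfree(NULL)); 0 for a stale/double free. */
static int pool_free(int *p)
{
	if (p == NULL)
		return 1;
	for (int i = 0; i < SLOTS; i++) {
		if (p != &pool[i])
			continue;
		if (!live[i])
			return 0;        /* already freed: this is the bug firing */
		live[i] = false;
		return 1;
	}
	return 0;                        /* not from this allocator at all */
}

/* Stand-in for the recycled VFS inode (hypothetical minimal layout). */
struct toy_inode {
	void *i_security;   /* set by the fallible LSM allocation */
	int *i_private;     /* fs-private pointer: "metadata object" when non-NULL */
};

static int stale_frees;  /* how often the free callback hit a dangling pointer */

/* Stand-in for the fs free callback: non-NULL i_private means "tear down metadata". */
static void fs_free_inode(struct toy_inode *ino)
{
	if (ino->i_private && !pool_free(ino->i_private))
		stale_frees++;
	/* Like the slab path, nothing scrubs the slot here: i_private stays stale. */
}

/* Ordering from the thread: the fallible step runs before i_private is reset. */
static int init_always_vulnerable(struct toy_inode *ino, bool fail_lsm)
{
	if (fail_lsm)
		return -ENOMEM;          /* injected security_inode_alloc() failure: goto out */
	ino->i_security = ino;       /* placeholder for a real security blob */
	ino->i_private = NULL;
	return 0;
}

/* Hardened ordering for this model: reset what the free callback may read first. */
static int init_always_hardened(struct toy_inode *ino, bool fail_lsm)
{
	ino->i_private = NULL;
	if (fail_lsm)
		return -ENOMEM;
	ino->i_security = ino;
	return 0;
}

/* One lifetime on a recycled slot; returns how many stale frees it caused. */
static int run_lifetime(struct toy_inode *slot,
			int (*init)(struct toy_inode *, bool), bool fail_lsm)
{
	int before = stale_frees;

	if (init(slot, fail_lsm) != 0) {
		fs_free_inode(slot);     /* alloc_inode() error path still runs the callback */
		return stale_frees - before;
	}
	slot->i_private = pool_alloc();  /* the fs turns this into a metadata inode */
	fs_free_inode(slot);             /* normal teardown: valid free, pointer now dangling */
	return stale_frees - before;
}

/* A healthy lifetime followed by one whose init fails, on the same slot. */
static int scenario(int (*init)(struct toy_inode *, bool))
{
	struct toy_inode slot;

	memset(&slot, 0, sizeof slot);   /* slab constructor: runs once, not per allocation */
	return run_lifetime(&slot, init, false) + run_lifetime(&slot, init, true);
}

int main(void)
{
	printf("vulnerable ordering: %d stale free(s)\n", scenario(init_always_vulnerable));
	printf("hardened ordering:   %d stale free(s)\n", scenario(init_always_hardened));
	return 0;
}
```

The vulnerable ordering reports one stale free on the second lifetime and the hardened ordering reports none. In the kernel the equivalent of that stale free is the `kfree()` at the top of the trace above; the general point is that whatever a free or destroy callback may read must be in a defined state before any step that can fail and route the object to that callback.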


* Re: [syzbot] BUG: unable to handle kernel paging request in kernfs_put_active
       [not found]         ` <f3b88739-148c-323c-2458-4b9d6bf9c592-JPay3/Yim36HaxMnTkn67Xf5DAMn2ifp@public.gmane.org>
@ 2022-09-18 10:19           ` Ryusuke Konishi
       [not found]             ` <CAKFNMo=XjvQjoSo+N-MJGv5h4FPnjVm6bGaJm0QkO8GxjMNtTg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 5+ messages in thread
From: Ryusuke Konishi @ 2022-09-18 10:19 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: linux-nilfs-u79uwXL29TY76Z2rM5mHXA, syzbot,
	syzkaller-bugs-/JYPxA39Uh5TLH3MbocFFw

On Sun, Sep 18, 2022 at 3:26 PM Tetsuo Handa wrote:
> On 2022/09/18 0:50, Tetsuo Handa wrote:
> > I don't know whether crafted filesystem image is used is relevant to this problem.
> > But I think a bug is inside NILFS2 filesystem code.
>
> I confirmed that use of crafted filesystem image is irrelevant to this problem.
> You can reproduce this problem using fault injection patch
>
> ----------
> diff --git a/fs/inode.c b/fs/inode.c
> index ba1de23c13c1..dfde0cadd51e 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -192,6 +192,10 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
>         inode->i_wb_frn_history = 0;
>  #endif
>
> +       if (!strcmp(current->comm, "my_touch")) {
> +               inode->i_security = NULL;
> +               goto out;
> +       }
>         if (security_inode_alloc(inode))
>                 goto out;
>         spin_lock_init(&inode->i_lock);
> ----------
>
> and script which uses freshly created clean filesystem image.
>
> ----------
> cp -p /bin/touch my_touch
> dd if=/dev/zero of=nilfs.img bs=134221824 count=1
> mkfs.nilfs2 nilfs.img
> while date; do mount -o loop -t nilfs2 nilfs.img /mnt/; ./my_touch /mnt/file; umount -d /mnt/; done
> ----------
<snip>

Thank you for your help, Handa-san.

The first oops inserted by your injection patch is already reported by [1],
and the bug fix is queued in the for-next branch of the vfs tree [2].
Take a look at the patch titled "fs: fix UAF/GPF bug in nilfs_mdt_destroy"
in the latest linux-next or vfs/for-next.

[1] https://lore.kernel.org/all/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org/T/#u (report)
[2] https://lkml.kernel.org/r/20220816040859.659129-1-dzm91-6lmH0oBJgSDM1kAEIRd3EQ@public.gmane.org (vfs patch)

The correction was done for inode_init_always() instead of fixing nilfs2.
Please refer to [3] for the background.

[3] https://lkml.kernel.org/r/20220815175114.23576-1-konishi.ryusuke-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org (discussion of how to fix it; the nilfs2 patch itself was withdrawn)

I confirmed that the patch [2] fixes the second oops as well.

I'm not sure if the patch [2] fixes the originally reported problem,
but it will be fixed if it's the same.

Thanks,
Ryusuke Konishi


* Re: [syzbot] BUG: unable to handle kernel paging request in kernfs_put_active
       [not found]             ` <CAKFNMo=XjvQjoSo+N-MJGv5h4FPnjVm6bGaJm0QkO8GxjMNtTg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2022-09-18 10:43               ` Tetsuo Handa
  0 siblings, 0 replies; 5+ messages in thread
From: Tetsuo Handa @ 2022-09-18 10:43 UTC (permalink / raw)
  To: syzbot, syzkaller-bugs-/JYPxA39Uh5TLH3MbocFFw, Ryusuke Konishi
  Cc: linux-nilfs-u79uwXL29TY76Z2rM5mHXA

On 2022/09/18 19:19, Ryusuke Konishi wrote:
> I'm not sure if the patch [2] fixes the originally reported problem,
> but it will be fixed if it's the same.

Will be fixed. Thank you.

#syz fix: fs: fix UAF/GPF bug in nilfs_mdt_destroy


