From: Qian Cai <cai@lca.pw>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	linux-fsdevel@vger.kernel.org,
	LKML <linux-kernel@vger.kernel.org>
Subject: Null-ptr-deref due to "sanitized pathwalk machinery (v4)"
Date: Tue, 24 Mar 2020 17:06:03 -0400
Message-ID: <4CBDE0F3-FB73-43F3-8535-6C75BA004233@lca.pw>

Reverting the series on top of today's linux-next fixed boot crashes.

# git revert 609c56723133..e0e25e9bbed5 --no-edit [1]

[   53.027443][ T3519] BUG: Kernel NULL pointer dereference on read at 0x00000000
[   53.027480][ T3519] Faulting instruction address: 0xc0000000004dbfa4
[   53.027498][ T3519] Oops: Kernel access of bad area, sig: 11 [#1]
[   53.027521][ T3519] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=256 DEBUG_PAGEALLOC NUMA PowerNV
[   53.027538][ T3519] Modules linked in: kvm_hv kvm ip_tables x_tables xfs sd_mod bnx2x ahci libahci mdio libata tg3 libphy firmware_class dm_mirror dm_region_hash dm_log dm_mod
[   53.027594][ T3519] CPU: 36 PID: 3519 Comm: polkitd Not tainted 5.6.0-rc7-next-20200324 #1
[   53.027618][ T3519] NIP:  c0000000004dbfa4 LR: c0000000004dc040 CTR: 0000000000000000
[   53.027634][ T3519] REGS: c0002013879af810 TRAP: 0300   Not tainted  (5.6.0-rc7-next-20200324)
[   53.027668][ T3519] MSR:  9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 24004422  XER: 20040000
[   53.027708][ T3519] CFAR: c0000000004dc044 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0 
[   53.027708][ T3519] GPR00: c0000000004dc040 c0002013879afaa0 c00000000165a500 0000000000000000 
[   53.027708][ T3519] GPR04: c000000001511408 0000000000000000 c0002013879af834 0000000000000002 
[   53.027708][ T3519] GPR08: 0000000000000001 0000000000000000 0000000000000000 0000000000000001 
[   53.027708][ T3519] GPR12: 0000000000004000 c000001ffffe1e00 0000000000000000 0000000000000000 
[   53.027708][ T3519] GPR16: 0000000000000000 0000000000000001 0000000000000000 0000000000000000 
[   53.027708][ T3519] GPR20: c000200ea1eacf38 c000201c8102f043 2f2f2f2f2f2f2f2f 0000000000000003 
[   53.027708][ T3519] GPR24: 0000000000000000 c0002013879afbc8 fffffffffffff000 0000000000200000 
[   53.027708][ T3519] GPR28: ffffffffffffffff 61c8864680b583eb 0000000000000000 0000000000002e2e 
[   53.027931][ T3519] NIP [c0000000004dbfa4] link_path_walk+0x284/0x4c0
__d_entry_type at include/linux/dcache.h:389
(inlined by) d_can_lookup at include/linux/dcache.h:404
(inlined by) link_path_walk at fs/namei.c:2178
[   53.027963][ T3519] LR [c0000000004dc040] link_path_walk+0x320/0x4c0
[   53.027993][ T3519] Call Trace:
[   53.028013][ T3519] [c0002013879afaa0] [c0000000004dc040] link_path_walk+0x320/0x4c0 (unreliable)
[   53.028050][ T3519] [c0002013879afb60] [c0000000004dc334] path_lookupat+0x94/0x1b0
[   53.028084][ T3519] [c0002013879afba0] [c0000000004ddf80] filename_lookup.part.55+0xa0/0x170
[   53.028101][ T3519] [c0002013879afce0] [c0000000004ca748] vfs_statx+0xa8/0x190
[   53.028117][ T3519] [c0002013879afd60] [c0000000004cacc0] __do_sys_newstat+0x40/0x90
[   53.028145][ T3519] [c0002013879afe20] [c00000000000b378] system_call+0x5c/0x68
[   53.028178][ T3519] Instruction dump:
[   53.028197][ T3519] 3bdeffff e9390058 38800000 7f23cb78 7fde07b4 1d5e0030 7d295214 eaa90020 
[   53.028245][ T3519] 4bfffac5 2fa30000 409e00ac e9390008 <81290000> 55290256 7f89d800 409e0160 
[   53.028284][ T3519] ---[ end trace 0effae07d5cccfa0 ]---

[  705.047353][ T4874] BUG: KASAN: invalid-access in link_path_walk+0x374/0x53c
__d_entry_type at include/linux/dcache.h:389
(inlined by) d_can_lookup at include/linux/dcache.h:404
(inlined by) link_path_walk at fs/namei.c:2178
[  705.054422][ T4874] Read of size 4 at addr 0000000000000000 by task plymouthd/4874
[  705.062003][ T4874] 
[  705.064213][ T4874] CPU: 16 PID: 4874 Comm: plymouthd Tainted: G             L    5.6.0-rc7-next-20200324 #1
[  705.074055][ T4874] Hardware name: HPE Apollo 70             /C01_APACHE_MB         , BIOS L50_5.13_1.11 06/18/2019
[  705.084502][ T4874] Call trace:
[  705.087663][ T4874]  dump_backtrace+0x0/0x224
[  705.092036][ T4874]  show_stack+0x20/0x2c
[  705.096063][ T4874]  dump_stack+0xfc/0x184
[  705.100178][ T4874]  __kasan_report+0x178/0x238
[  705.104725][ T4874]  kasan_report+0x3c/0x58
[  705.108925][ T4874]  check_memory_region+0x98/0xa0
[  705.113734][ T4874]  __hwasan_load4_noabort+0x18/0x20
[  705.118801][ T4874]  link_path_walk+0x374/0x53c
[  705.123350][ T4874]  path_lookupat+0x78/0x1d4
[  705.127723][ T4874]  filename_lookup+0x80/0x124
[  705.132270][ T4874]  user_path_at_empty+0x54/0x68
[  705.136990][ T4874]  vfs_statx+0xcc/0x1b8
[  705.141016][ T4874]  __arm64_sys_newfstatat+0x94/0x120
[  705.146169][ T4874]  do_el0_svc+0x128/0x1dc
[  705.150369][ T4874]  el0_sync_handler+0xd0/0x268
[  705.155003][ T4874]  el0_sync+0x164/0x180
[  705.159028][ T4874] ==================================================================
[  705.166957][ T4874] Disabling lock debugging due to kernel taint
[  705.173067][ T4874] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  705.182599][ T4874] Mem abort info:
[  705.186104][ T4874]   ESR = 0x96000005
[  705.189906][ T4874]   EC = 0x25: DABT (current EL), IL = 32 bits
[  705.195928][ T4874]   SET = 0, FnV = 0
[  705.199727][ T4874]   EA = 0, S1PTW = 0
[  705.203578][ T4874] Data abort info:
[  705.207168][ T4874]   ISV = 0, ISS = 0x00000005
[  705.211749][ T4874]   CM = 0, WnR = 0
[  705.215431][ T4874] user pgtable: 64k pages, 48-bit VAs, pgdp=0000009659f42000
[  705.222702][ T4874] [0000000000000000] pgd=0000000000000000, pud=0000000000000000
[  705.230250][ T4874] Internal error: Oops: 96000005 [#1] SMP
[  705.235824][ T4874] Modules linked in: thunderx2_pmu processor efivarfs ip_tables xfs libcrc32c sd_mod ahci libahci mlx5_core libata dm_mirror dm_region_hash dm_log dm_mod
[  705.251173][ T4874] CPU: 16 PID: 4874 Comm: plymouthd Tainted: G    B        L    5.6.0-rc7-next-20200324 #1
[  705.260999][ T4874] Hardware name: HPE Apollo 70             /C01_APACHE_MB         , BIOS L50_5.13_1.11 06/18/2019
[  705.271438][ T4874] pstate: 60400009 (nZCv daif +PAN -UAO BTYPE=--)
[  705.277708][ T4874] pc : link_path_walk+0x374/0x53c
[  705.282587][ T4874] lr : link_path_walk+0x374/0x53c
[  705.287463][ T4874] sp : b1ff00916cdefa90
[  705.291473][ T4874] x29: b1ff00916cdefb30 x28: 9cff00098d5eb703 
[  705.297485][ T4874] x27: 0000000000000000 x26: fefefefefefefeff 
[  705.303496][ T4874] x25: 0000000236266748 x24: 2f2f2f2f2f2f2f2f 
[  705.309507][ T4874] x23: b1ff00916cdefba0 x22: b1ff00916cdefbc8 
[  705.315518][ T4874] x21: b1ff00916cdefbe0 x20: b1ff00916cdefbd0 
[  705.321529][ T4874] x19: b1ff00916cdefb98 x18: 0000000000000000 
[  705.327540][ T4874] x17: 0000000000000000 x16: 0000000000000000 
[  705.333550][ T4874] x15: 0000000000000000 x14: 2020202020202020 
[  705.339561][ T4874] x13: 20424d5f45484341 x12: 50415f3130432f20 
[  705.345571][ T4874] x11: 0000000000000003 x10: ffff8008bb246a3e 
[  705.351582][ T4874] x9 : 68bdf6118cf10200 x8 : 0000000000000000 
[  705.357592][ T4874] x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000000 
[  705.363602][ T4874] x5 : 0000000000000080 x4 : 0000000000000000 
[  705.369612][ T4874] x3 : ffff900010a5a394 x2 : 0000000000000001 
[  705.375622][ T4874] x1 : 0000000000000004 x0 : 0000000000000000 
[  705.381631][ T4874] Call trace:
[  705.384777][ T4874]  link_path_walk+0x374/0x53c
[  705.389311][ T4874]  path_lookupat+0x78/0x1d4
[  705.393670][ T4874]  filename_lookup+0x80/0x124
[  705.398204][ T4874]  user_path_at_empty+0x54/0x68
[  705.402909][ T4874]  vfs_statx+0xcc/0x1b8
[  705.406921][ T4874]  __arm64_sys_newfstatat+0x94/0x120
[  705.412060][ T4874]  do_el0_svc+0x128/0x1dc
[  705.416247][ T4874]  el0_sync_handler+0xd0/0x268
[  705.420865][ T4874]  el0_sync+0x164/0x180
[  705.424883][ T4874] Code: 97fe39bd f94002fb aa1b03e0 97fe39aa (b9400368) 
[  705.432066][ T4874] ---[ end trace 71f0365c08ac491a ]---
[  705.437381][ T4874] Kernel panic - not syncing: Fatal exception
[  705.443608][ T4874] SMP: stopping secondary CPUs
[  705.448297][ T4874] Kernel Offset: disabled
[  705.452483][ T4874] CPU features: 0x006002,61000c38
[  705.457359][ T4874] Memory Limit: none
[  705.461411][ T4874] ---[ end Kernel panic - not syncing: Fatal exception ]---

[1]
e0e25e9bbed5 lookup_open(): don't bother with fallbacks to lookup+create
b686da54700f atomic_open(): no need to pass struct open_flags anymore
60e1d0b8512f open_last_lookups(): move complete_walk() into do_open()
4d7ed93ff9db open_last_lookups(): lift O_EXCL|O_CREAT handling into do_open()
57e9b028e9e7 open_last_lookups(): don't abuse complete_walk() when all we want is unlazy
c01d40b1c03c open_last_lookups(): consolidate fsnotify_create() calls
c8291f6b0037 take post-lookup part of do_last() out of loop
881386f7e46a link_path_walk(): sample parent's i_uid and i_mode for the last component
0e47dacb7f29 __nd_alloc_stack(): make it return bool
794dc2d56401 reserve_stack(): switch to __nd_alloc_stack()
59089811438c pick_link(): take reserving space on stack into a new helper
8c60edbc56a2 pick_link(): more straightforward handling of allocation failures
4efc770ddf45 fold path_to_nameidata() into its only remaining caller
dcc11116def1 pick_link(): pass it struct path already with normal refcounting rules
0058fcb4c3b5 fs/namei.c: kill follow_mount()
ffa2db4ac3e7 non-RCU analogue of the previous commit
8255cecd93ba helper for mount rootwards traversal
573f88cea0e2 follow_dotdot(): be lazy about changing nd->path
ea63a0dc31fd follow_dotdot_rcu(): be lazy about changing nd->path
5c19a79cd9d3 follow_dotdot{,_rcu}(): massage loops
5e3c3570ec97 lift all calls of step_into() out of follow_dotdot/follow_dotdot_rcu
6dfd9fe54dfd follow_dotdot{,_rcu}(): switch to use of step_into()
7521f22b3ce2 handle_dots(), follow_dotdot{,_rcu}(): preparation to switch to step_into()
957dd41d8842 move handle_dots(), follow_dotdot() and follow_dotdot_rcu() past step_into()
c9a0f75d81e3 follow_dotdot{,_rcu}(): lift LOOKUP_BENEATH checks out of loop
abc2c632e0ce follow_dotdot{,_rcu}(): lift switching nd->path to parent out of loop
a6a7eb7628cf expand path_parent_directory() in its callers
63b27720a476 path_parent_directory(): leave changing path->dentry to callers
6b03f7edf43e path_connected(): pass mount and dentry separately
c981a4828125 split the lookup-related parts of do_last() into a separate helper
973d4b73fbaf do_last(): rejoin the common path even earlier in FMODE_{OPENED,CREATED} case
8795e7d48288 do_last(): simplify the liveness analysis past finish_open_created
5a2d3edd8dad do_last(): rejoing the common path earlier in FMODE_{OPENED,CREATED} case
59e96e65833e do_last(): don't bother with keeping got_write in FMODE_OPENED case
3ad5615a071f do_last(): merge the may_open() calls
7be219b4dcd9 atomic_open(): lift the call of may_open() into do_last()
6fb968cdf9d0 atomic_open(): return the right dentry in FMODE_OPENED case
9deed3ebca24 new helper: traverse_mounts()
ea936aeb3ead massage __follow_mount_rcu() a bit
c108837e06b6 namei: have link_path_walk() maintain LOOKUP_PARENT
d8d4611a4f2d link_path_walk(): simplify stack handling
b1a819724074 pick_link(): check for WALK_TRAILING, not LOOKUP_PARENT
8c4efe22e7c4 namei: invert the meaning of WALK_FOLLOW
b4c0353693d2 sanitize handling of nd->last_type, kill LAST_BIND
ad6cc4c338f4 finally fold get_link() into pick_link()
06708adb99e8 merging pick_link() with get_link(), part 6
b0417d2c7298 merging pick_link() with get_link(), part 5
92d270165cff merging pick_link() with get_link(), part 4
40fcf5a931af merging pick_link() with get_link(), part 3
1ccac622f9da merging pick_link() with get_link(), part 2
43679723d27f merging pick_link() with get_link(), part 1
a9dc1494a782 expand the only remaining call of path_lookup_conditional()
161aff1d93ab LOOKUP_MOUNTPOINT: fold path_mountpointat() into path_lookupat()
cbae4d12eeee fold handle_mounts() into step_into()
aca2903eefd0 new step_into() flag: WALK_NOFOLLOW
56676ec39019 step_into() callers: dismiss the symlink earlier
20e343571cef lookup_fast(): take mount traversal into callers
c153007b7b7a teach handle_mounts() to handle RCU mode
b023e1728bec lookup_fast(): consolidate the RCU success case
db3c9ade50b1 handle_mounts(): pass dentry in, turn path into a pure out argument
e73cabff5917 do_last(): collapse the call of path_to_nameidata()
da5ebf5aa676 lookup_open(): saner calling conventions (return dentry on success)
