From: ebiederm@xmission.com (Eric W. Biederman)
To: Alakesh Haloi <alakesh.haloi@gmail.com>
Cc: linux-kernel@vger.kernel.org,
	Christian Brauner <christian.brauner@ubuntu.com>,
	Oleg Nesterov <oleg@redhat.com>,
	Kees Cook <keescook@chromium.org>,
	Sargun Dhillon <sargun@sargun.me>,
	Minchan Kim <minchan@kernel.org>,
	Bernd Edlinger <bernd.edlinger@hotmail.de>
Subject: Re: [PATCH] pid: add null pointer check in pid_nr_ns()
Date: Wed, 02 Dec 2020 11:19:46 -0600
Message-ID: <875z5kceh9.fsf@x220.int.ebiederm.org>
In-Reply-To: <20201201024811.GA72235@ip-172-31-62-0.us-west-2.compute.internal> (Alakesh Haloi's message of "Mon, 30 Nov 2020 18:48:11 -0800")

Alakesh Haloi <alakesh.haloi@gmail.com> writes:

> There has been at least one occurrence where a null pointer dereference
> panic was seen with the following stack trace.
>
>  #0 [ffffff800bcd3800] machine_kexec at ffffff8008095fb4
>  #1 [ffffff800bcd3860] __crash_kexec at ffffff8008122a30
>  #2 [ffffff800bcd39f0] panic at ffffff80080aa054
>  #3 [ffffff800bcd3ae0] die at ffffff800808aee8
>  #4 [ffffff800bcd3b20] die_kernel_fault at ffffff8008099520
>  #5 [ffffff800bcd3b50] __do_kernel_fault at ffffff8008098e50
>  #6 [ffffff800bcd3b80] do_translation_fault at ffffff800809929c
>  #7 [ffffff800bcd3b90] do_mem_abort at ffffff8008081204
>  #8 [ffffff800bcd3d90] el1_ia at ffffff800808304c
>      PC: ffffff80080c20ec  [pid_nr_ns+4]
>      LR: ffffff80080c231c  [__task_pid_nr_ns+72]
>      SP: ffffff800bcd3da0  PSTATE: 60000005
>     X29: ffffff800bcd3da0  X28: ffffffc00691c380  X27: 0000000000000001
>     X26: 00000000004ce8e8  X25: 00000000004ce8d0  X24: ffffffc00691c3e0
>     X23: ffffffc004e8c000  X22: 0000000000000000  X21: ffffffc00b042ed2
>     X20: ffffff800876a4f0  X19: 0000000000000000  X18: 0000000000000000
>     X17: 0000000000000001  X16: 0000000000000000  X15: 0000000000000000
>     X14: 0000000400000003  X13: 0000000000000008  X12: fefefefefefefeff
>     X11: 0000000000000000  X10: 0000007fffffffff   X9: 00000000004ce8b0
>      X8: 00000000004ce8b0   X7: 0000000000000000   X6: ffffffc00b042ed2
>      X5: ffffffc00b042ed2   X4: 0000000000020008   X3: 53206e69616c702f
>      X2: ffffff800876a4f0   X1: ffffff800876a4f0   X0: 53206e69616c702f
>  #9 [ffffff800bcd3da0] pid_nr_ns at ffffff80080c20e8

I just skimmed through the callers of pid_nr_ns and now I am very
puzzled. I don't see any of them where the namespace can be passed as
NULL.

So I really suspect you have a larger bug somewhere in the caller of
pid_nr_ns.  Perhaps the memory was stomped and you were lucky it was
NULL.

Without some more details I really don't think testing for a NULL
namespace is useful or productive.  At best it will mask bugs in the
callers.

Eric

> Signed-off-by: Alakesh Haloi <alakesh.haloi@gmail.com>
> Cc: stable@vger.kernel.org
> ---
>  kernel/pid.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/pid.c b/kernel/pid.c
> index a96bc4bf4f86..3767b9e1431d 100644
> --- a/kernel/pid.c
> +++ b/kernel/pid.c
> @@ -474,7 +474,7 @@ pid_t pid_nr_ns(struct pid *pid, struct pid_namespace *ns)
>  	struct upid *upid;
>  	pid_t nr = 0;
>  
> -	if (pid && ns->level <= pid->level) {
> +	if (pid && ns && ns->level <= pid->level) {
>  		upid = &pid->numbers[ns->level];
>  		if (upid->ns == ns)
>  			nr = upid->nr;
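Review bot: the added `ns &&` test in the condition does not match the crash it is meant to fix, and it turns a caller bug into a silent wrong answer. The fault is reported at pid_nr_ns+4, i.e. within the first two instructions of the function, and in the register dump above X1 (the second argument, `ns`, under the arm64 calling convention) holds a kernel address, ffffff800876a4f0, not 0; X0 (the first argument, `pid`) holds 53206e69616c702f, which consists entirely of printable ASCII bytes rather than looking like a pointer. So `ns` was not NULL in this panic and the new check would not have prevented it; what faulted looks like the `pid->level` read on a corrupted `pid` that already passes the existing `pid &&` test. Returning 0 for a NULL `ns` is also indistinguishable from the legitimate "pid not visible in this namespace" result, so callers lose the signal that something is wrong. Rather than widening the condition, drop this change and chase the caller behind LR (__task_pid_nr_ns+72) for the source of the corrupted `struct pid`; if a guard is wanted at all, `if (WARN_ON_ONCE(!ns)) return 0;` at the top of the function at least makes the bad call visible instead of masking it.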

Thread overview: 4+ messages
2020-12-01  2:48 [PATCH] pid: add null pointer check in pid_nr_ns() Alakesh Haloi
2020-12-01  5:33 ` Eric W. Biederman
2020-12-02 17:19 ` Eric W. Biederman [this message]
2020-12-04 18:32   ` Alakesh Haloi