From: Jordan Glover <Golden_Miller83@protonmail.ch>
To: Hillf Danton <hdanton@sina.com>
Cc: Yu Zhao <yuzhao@google.com>, Alexey Gladkov <legion@kernel.org>,
ebiederm@xmission.com, LKML <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org, containers@lists.linux-foundation.org
Subject: Re: linux 5.14.3: free_user_ns causes NULL pointer dereference
Date: Thu, 07 Oct 2021 13:28:29 +0000 [thread overview]
Message-ID: <BCdQdQjRHZ9CJwIhmvKGfnFtMBJuatrZUX5In1gLlPswtrs4HwNONAbJleaeSfOOenMIdc_FPi0wwPIdW5Vodm4Aj-0iCqQY57288M5WFuY=@protonmail.ch> (raw)
In-Reply-To: <20211006021219.2010-1-hdanton@sina.com>
On Wednesday, October 6th, 2021 at 2:12 AM, Hillf Danton <hdanton@sina.com> wrote:
> Could you please check if it is due to count underflow? Given nothing wrong
>
> on the other side based on the efforts
>
> "We looked through the users of put_ucounts and we don't see any obvious buggy
>
> users that would be freeing the data structure early."
>
> Thanks
>
> Hillf
>
> --- linux-5.14.4/kernel/ucount.c
>
> +++ b/kernel/ucount.c
>
> @@ -152,7 +152,10 @@ static void hlist_add_ucounts(struct uco
>
> struct ucounts *get_ucounts(struct ucounts *ucounts)
>
> {
>
> - if (ucounts && atomic_add_negative(1, &ucounts->count)) {
>
> - if (!ucounts)
>
> - return NULL;
>
>
> - WARN_ON(!atomic_read(&ucounts->count));
>
> - if (atomic_add_negative(1, &ucounts->count)) {
>
> put_ucounts(ucounts);
> ucounts = NULL;
>
>
> }
>
> --
>
For me above patch changed slightly the printed output. Now the warning
comes from 'cleanup_net' instead of 'free_user_ns'. My system was also
still responsive after the bug occurred which didn't happen previously.
I can't say if this means anything or if this is result of above patch
or instability of my reproducer.
------------[ cut here ]------------
WARNING: CPU: 2 PID: 27643 at kernel/ucount.c:256 dec_ucount+0x43/0x50
Modules linked in: <cut>
CPU: 2 PID: 27643 Comm: kworker/u8:3 Not tainted 5.14.9 #1 0274f3d0712a6dadc9a2cf8341ae333de732a31a
Workqueue: netns cleanup_net
RIP: 0010:dec_ucount+0x43/0x50
Code: 14 01 48 8b 02 48 89 c6 48 83 ee 01 78 1c f0 48 0f b1 32 75 f0 48 8b 41 10 48 8b 88 e8 01 00 00 48 85 c9 75 d9 e9 fd fc ff ff <0f> 0b eb e7 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 f8 48
RSP: 0018:ffffb34fc34cfe30 EFLAGS: 00010297
RAX: 0000000000000000 RBX: ffffa448eec5f3b0 RCX: ffffa447cfe1f540
RDX: ffffa447cfe1f580 RSI: ffffffffffffffff RDI: ffffa447c445c780
RBP: ffffa448eec5f380 R08: 0000000000000040 R09: ffffa44a196ac040
R10: 00000000001436be R11: 0000000000000259 R12: ffffb34fc34cfe10
R13: ffffb34fc34cfe40 R14: 00000000ffffffff R15: ffffa448eec5d414
FS: 0000000000000000(0000) GS:ffffa44a19700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000072a95d359030 CR3: 000000000b20e005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
cleanup_net+0x2e2/0x370
process_one_work+0x1e1/0x380
worker_thread+0x50/0x3a0
? rescuer_thread+0x360/0x360
kthread+0x127/0x150
? set_kthread_struct+0x40/0x40
ret_from_fork+0x22/0x30
---[ end trace e5fdc3317f00d0e8 ]---
BUG: kernel NULL pointer dereference, address: 00000000000001e8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 2 PID: 27643 Comm: kworker/u8:3 Tainted: G W 5.14.9 #1 0274f3d0712a6dadc9a2cf8341ae333de732a31a
Workqueue: netns cleanup_net
RIP: 0010:dec_ucount+0x32/0x50
Code: 74 34 89 f6 48 89 f9 4c 8d 04 f5 20 00 00 00 4a 8d 14 01 48 8b 02 48 89 c6 48 83 ee 01 78 1c f0 48 0f b1 32 75 f0 48 8b 41 10 <48> 8b 88 e8 01 00 00 48 85 c9 75 d9 e9 fd fc ff ff 0f 0b eb e7 66
RSP: 0018:ffffb34fc34cfe30 EFLAGS: 00010297
RAX: 0000000000000000 RBX: ffffa448eec5f3b0 RCX: ffffa447cfe1f540
RDX: ffffa447cfe1f580 RSI: ffffffffffffffff RDI: ffffa447c445c780
RBP: ffffa448eec5f380 R08: 0000000000000040 R09: ffffa44a196ac040
R10: 00000000001436be R11: 0000000000000259 R12: ffffb34fc34cfe10
R13: ffffb34fc34cfe40 R14: 00000000ffffffff R15: ffffa448eec5d414
FS: 0000000000000000(0000) GS:ffffa44a19700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000001e8 CR3: 000000000b20e005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
cleanup_net+0x2e2/0x370
process_one_work+0x1e1/0x380
worker_thread+0x50/0x3a0
? rescuer_thread+0x360/0x360
kthread+0x127/0x150
? set_kthread_struct+0x40/0x40
ret_from_fork+0x22/0x30
Modules linked in: <cut>
CR2: 00000000000001e8
---[ end trace e5fdc3317f00d0e9 ]---
RIP: 0010:dec_ucount+0x32/0x50
Code: 74 34 89 f6 48 89 f9 4c 8d 04 f5 20 00 00 00 4a 8d 14 01 48 8b 02 48 89 c6 48 83 ee 01 78 1c f0 48 0f b1 32 75 f0 48 8b 41 10 <48> 8b 88 e8 01 00 00 48 85 c9 75 d9 e9 fd fc ff ff 0f 0b eb e7 66
RSP: 0018:ffffb34fc34cfe30 EFLAGS: 00010297
RAX: 0000000000000000 RBX: ffffa448eec5f3b0 RCX: ffffa447cfe1f540
RDX: ffffa447cfe1f580 RSI: ffffffffffffffff RDI: ffffa447c445c780
RBP: ffffa448eec5f380 R08: 0000000000000040 R09: ffffa44a196ac040
R10: 00000000001436be R11: 0000000000000259 R12: ffffb34fc34cfe10
R13: ffffb34fc34cfe40 R14: 00000000ffffffff R15: ffffa448eec5d414
FS: 0000000000000000(0000) GS:ffffa44a19700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000001e8 CR3: 000000000b20e005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
next prev parent reply other threads:[~2021-10-07 13:28 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-15 19:49 linux 5.14.3: free_user_ns causes NULL pointer dereference Jordan Glover
2021-09-15 19:49 ` Jordan Glover
2021-09-15 21:02 ` Eric W. Biederman
2021-09-15 21:02 ` Eric W. Biederman
2021-09-15 22:42 ` Jordan Glover
2021-09-15 22:42 ` Jordan Glover
2021-09-15 23:44 ` Yu Zhao
2021-09-15 23:44 ` Yu Zhao
2021-09-17 16:15 ` Eric W. Biederman
2021-09-17 16:15 ` Eric W. Biederman
2021-09-17 18:45 ` Yu Zhao
2021-09-17 18:45 ` Yu Zhao
2021-09-15 23:47 ` Jordan Glover
2021-09-15 23:47 ` Jordan Glover
2021-09-16 17:30 ` Eric W. Biederman
2021-09-16 17:30 ` Eric W. Biederman
2021-09-16 19:14 ` Alexey Gladkov
2021-09-16 19:14 ` Alexey Gladkov
2021-09-28 13:40 ` Jordan Glover
2021-09-28 13:40 ` Jordan Glover
2021-09-29 17:36 ` Alexey Gladkov
2021-09-29 17:36 ` Alexey Gladkov
2021-09-29 21:39 ` Jordan Glover
2021-09-29 21:39 ` Jordan Glover
2021-09-30 13:06 ` Alexey Gladkov
2021-09-30 22:27 ` Yu Zhao
2021-09-30 22:27 ` Yu Zhao
2021-10-04 17:10 ` Eric W. Biederman
2021-10-04 17:19 ` Eric W. Biederman
2021-10-04 21:34 ` Yu Zhao
2021-10-06 7:57 ` Rune Kleveland
2021-10-10 8:59 ` Rune Kleveland
2021-10-11 13:09 ` Hillf Danton
2021-10-12 17:31 ` Eric W. Biederman
2021-10-15 22:10 ` [CFT][PATCH] ucounts: Fix signal ucount refcounting Eric W. Biederman
2021-10-15 23:09 ` Alexey Gladkov
2021-10-16 17:34 ` Eric W. Biederman
2021-10-17 19:35 ` Yu Zhao
2021-10-18 15:35 ` Eric W. Biederman
2021-10-16 2:08 ` Hillf Danton
2021-10-16 18:00 ` Eric W. Biederman
2021-10-17 16:47 ` Rune Kleveland
2021-10-18 6:25 ` Yu Zhao
2021-10-18 10:31 ` Jordan Glover
2021-10-18 16:06 ` [PATCH v2] " Eric W. Biederman
2021-10-18 17:21 ` [PATCH 0/3] ucounts: misc fixes Eric W. Biederman
2021-10-18 17:23 ` [PATCH 1/3] ucounts: Pair inc_rlimit_ucounts with dec_rlimit_ucoutns in commit_creds Eric W. Biederman
2021-10-18 17:23 ` [PATCH 2/3] ucounts: Proper error handling in set_cred_ucounts Eric W. Biederman
2021-10-18 17:24 ` [PATCH 3/3] ucounts: Move get_ucounts from cred_alloc_blank to key_change_session_keyring Eric W. Biederman
2021-10-24 17:36 ` kernel test robot
2021-10-25 14:13 ` Eric W. Biederman
2021-11-06 5:05 ` kernel test robot
2021-11-06 5:05 ` kernel test robot
2021-11-06 20:22 ` kernel test robot
2021-11-06 20:22 ` kernel test robot
2021-10-18 17:54 ` [PATCH 0/4] ucounts: misc cleanups Eric W. Biederman
2021-10-18 17:55 ` [PATCH 1/4] ucounts: In set_cred_ucounts assume new->ucounts is non-NULL Eric W. Biederman
2021-10-18 17:56 ` [PATCH 2/4] ucounts: Remove unnecessary test for NULL ucount in get_ucounts Eric W. Biederman
2021-10-18 17:56 ` [PATCH 3/4] ucounts: Add get_ucounts_or_wrap for clarity Eric W. Biederman
2021-10-18 17:57 ` [PATCH 4/4] ucounts: Use atomic_long_sub_return " Eric W. Biederman
2021-10-18 22:29 ` [PATCH 0/4] ucounts: misc cleanups Yu Zhao
2021-10-18 22:28 ` [PATCH 0/3] ucounts: misc fixes Yu Zhao
2021-10-18 22:26 ` [PATCH v2] ucounts: Fix signal ucount refcounting Yu Zhao
2021-10-11 13:39 ` linux 5.14.3: free_user_ns causes NULL pointer dereference Alexey Gladkov
2021-10-06 2:12 ` Hillf Danton
2021-10-06 6:22 ` Yu Zhao
2021-10-07 13:28 ` Jordan Glover [this message]
2021-10-10 11:26 ` Hillf Danton
2021-10-03 19:37 ` Jordan Glover
2021-10-03 19:37 ` Jordan Glover
2021-10-20 7:39 Antoine Martin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='BCdQdQjRHZ9CJwIhmvKGfnFtMBJuatrZUX5In1gLlPswtrs4HwNONAbJleaeSfOOenMIdc_FPi0wwPIdW5Vodm4Aj-0iCqQY57288M5WFuY=@protonmail.ch' \
--to=golden_miller83@protonmail.ch \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=hdanton@sina.com \
--cc=legion@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=yuzhao@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.