* WARNING in __kernel_read
From: syzbot @ 2020-07-13 7:03 UTC
To: hch, linux-fsdevel, linux-kernel, syzkaller-bugs, viro

Hello,

syzbot found the following crash on:

HEAD commit:    a581387e Merge tag 'io_uring-5.8-2020-07-10' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e730eb100000
kernel config:  https://syzkaller.appspot.com/x/.config?x=66ad203c2bb6d8b
dashboard link: https://syzkaller.appspot.com/bug?extid=d012ca3f813739c37c25
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12e0222b100000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=162a004f100000

The bug was bisected to:

commit 6209dd9132e8ea5545cffc84483841e88ea8cc5b
Author: Christoph Hellwig <hch@lst.de>
Date:   Fri May 8 07:00:28 2020 +0000

    fs: implement kernel_read using __kernel_read

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=152d91fb100000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=172d91fb100000
console output: https://syzkaller.appspot.com/x/log.txt?x=132d91fb100000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d012ca3f813739c37c25@syzkaller.appspotmail.com
Fixes: 6209dd9132e8 ("fs: implement kernel_read using __kernel_read")

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5 at fs/read_write.c:427 __kernel_read+0x41d/0x4d0 fs/read_write.c:427
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.8.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events p9_read_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 panic+0x2e3/0x75c kernel/panic.c:231
 __warn.cold+0x20/0x45 kernel/panic.c:600
 report_bug+0x1bd/0x210 lib/bug.c:198
 handle_bug+0x38/0x90 arch/x86/kernel/traps.c:235
 exc_invalid_op+0x13/0x40 arch/x86/kernel/traps.c:255
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:542
RIP: 0010:__kernel_read+0x41d/0x4d0 fs/read_write.c:427
Code: fd ff ff e8 75 19 b6 ff 45 31 c9 45 31 c0 b9 01 00 00 00 4c 89 f2 89 ee 4c 89 ef e8 5d 22 12 00 e9 46 ff ff ff e8 53 19 b6 ff <0f> 0b 49 c7 c4 ea ff ff ff e9 11 fe ff ff 4c 89 f7 e8 2d 76 f5 ff
RSP: 0018:ffffc90000cbfbc8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8880a9786ac0 RCX: ffffffff81bd9ac4
RDX: ffff8880a95a2140 RSI: ffffffff81bd9e3d RDI: 0000000000000005
RBP: ffff888096bc8060 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 1ffffffff1829bdd R12: 00000000081d801e
R13: ffffc90000cbfc98 R14: ffff8880a9786b44 R15: 0000000000000007
 kernel_read+0x52/0x70 fs/read_write.c:457
 p9_fd_read net/9p/trans_fd.c:263 [inline]
 p9_read_work+0x2ac/0xff0 net/9p/trans_fd.c:298
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: WARNING in __kernel_read
From: Christoph Hellwig @ 2020-07-14 11:02 UTC
To: syzbot
Cc: hch, linux-fsdevel, linux-kernel, syzkaller-bugs, viro, v9fs-developer

On Mon, Jul 13, 2020 at 12:03:17AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:

This is not a crash, but a WARN_ON_ONCE, someone really needs to fix
syzbot to report this correctly.

The fix should be queued up by the 9p maintainers.
* Re: WARNING in __kernel_read
From: Cengiz Can @ 2020-07-23 14:17 UTC
To: Eric Van Hensbergen, Latchesar Ionkov, Dominique Martinet
Cc: Christoph Hellwig, linux-fsdevel, linux-kernel, syzkaller-bugs, viro, v9fs-developer, syzbot

Hello,

I'm trying to help clean up syzkaller submissions and this caught my
attention and I wanted to get your advice.

With commit 6209dd9132e8ea5545cffc84483841e88ea8cc5b, `kernel_read` was
modified to use `__kernel_read` by Christoph Hellwig.

One of the syzkaller tests executes the following system calls:

open("./file0", O_WRONLY|O_CREAT|O_EXCL|O_DIRECT|0x4, 000) = 5
open("/dev/char/4:1", O_RDWR) = 6
mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000005,wfdno=0x0000000000000006,"

This initiates a `__kernel_read` call from `p9_read_work` (and
`p9_fd_read`), and since the `file->f_mode` does not contain FMODE_READ,
a WARN_ON_ONCE is thrown.

```
if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ)))
	return -EINVAL;
```

Can you help me understand what's wrong and fix this issue?
Is it already being worked on?

Thank you

Cengiz Can

On Tue, 2020-07-14 at 13:02 +0200, Christoph Hellwig wrote:
> On Mon, Jul 13, 2020 at 12:03:17AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
>
> This is not a crash, but a WARN_ON_ONCE, someone really needs to fix
> syzbot to report this correctly.
>
> The fix should be queued up by the 9p maintainers.
* Re: WARNING in __kernel_read
From: Eric Biggers @ 2020-07-23 15:51 UTC
To: Cengiz Can
Cc: Eric Van Hensbergen, Latchesar Ionkov, Dominique Martinet, Christoph Hellwig, linux-fsdevel, linux-kernel, syzkaller-bugs, viro, v9fs-developer, syzbot

Hi Cengiz,

On Thu, Jul 23, 2020 at 05:17:25PM +0300, Cengiz Can wrote:
> Hello,
>
> I'm trying to help clean up syzkaller submissions and this caught my
> attention and I wanted to get your advice.
>
> With commit: 6209dd9132e8ea5545cffc84483841e88ea8cc5b `kernel_read` was
> modified to use `__kernel_read` by Christoph Hellwig.
>
> One of the syzkaller tests executes following system calls:
>
> open("./file0", O_WRONLY|O_CREAT|O_EXCL|O_DIRECT|0x4, 000) = 5
> open("/dev/char/4:1", O_RDWR) = 6
> mount(NULL, "./file0", "9p", 0,
> "trans=fd,rfdno=0x0000000000000005,wfdno=0x0000000000000006,"
>
> This initiates a `__kernel_read` call from `p9_read_work` (and
> `p9_fd_read`) and since the `file->f_mode` does not contain FMODE_READ
> , a WARN_ON_ONCE is thrown.
>
> ```
> if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ)))
> 	return -EINVAL;
> ```
>
> Can you help me understand what's wrong and fix this issue?
> Is it already being worked on?
>

Looks like this was already fixed in linux-next by:

commit a39c46067c845a8a2d7144836e9468b7f072343e
Author: Christoph Hellwig <hch@lst.de>
Date:   Fri Jul 10 10:57:22 2020 +0200

    net/9p: validate fds in p9_fd_open

Let's tell syzbot so that it closes this bug report:

#syz fix: net/9p: validate fds in p9_fd_open
* WARNING in __kernel_read
From: Hao Sun @ 2021-10-06 9:33 UTC
To: Linux Kernel Mailing List, linux-fsdevel, viro

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 0513e464f900 Merge tag 'perf-tools-fixes-for-v5.15-2021-09-27'
git tree: upstream
console output: https://drive.google.com/file/d/1RomE2Ls4uFB-AfgRtQr6739q4npqS-_Y/view?usp=sharing
kernel config: https://drive.google.com/file/d/1Jqhc4DpCVE8X7d-XBdQnrMoQzifTG5ho/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1RzAsyIZzw5X_m340nY9fu4KWjGdG98pv/view?usp=sharing
Syzlang reproducer: https://drive.google.com/file/d/1QqdmE15ktTdJIQK9s6u-btC5YuajI9XH/view?usp=sharing

If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th@gmail.com>

------------[ cut here ]------------
WARNING: CPU: 1 PID: 28082 at fs/read_write.c:429 __kernel_read+0x3bb/0x410 fs/read_write.c:429
Modules linked in:
CPU: 1 PID: 28082 Comm: syz-executor Not tainted 5.15.0-rc3+ #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:__kernel_read+0x3bb/0x410 fs/read_write.c:429
Code: 8b 04 25 40 70 01 00 8b 88 60 05 00 00 4c 8d 80 c8 07 00 00 e8 88 c7 c6 02 48 c7 c5 ea ff ff ff e9 6a fe ff ff e8 65 cf dd ff <0f> 0b 48 c7 c5 ea ff ff ff e9 57 fe ff ff e8 52 cf dd ff b9 01 00
RSP: 0018:ffffc900025e7cf8 EFLAGS: 00010216
RAX: 00000000000081cb RBX: ffff888109c16c00 RCX: ffffc90002c55000
RDX: 0000000000040000 RSI: ffffffff8159c1fb RDI: ffff888109c16c00
RBP: 000000004808801c R08: 0000000000000000 R09: 0000000000000000
R10: ffffc900025e7d40 R11: 0000000000000000 R12: ffffc9000f315000
R13: ffffc900025e7df8 R14: 0000000000206590 R15: ffffc9000f315000
FS:  00007f55dbd06700(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000003 CR3: 000000001a3ac000 CR4: 0000000000752ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000003
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 kernel_read+0x47/0x60 fs/read_write.c:461
 kernel_read_file+0x20a/0x370 fs/kernel_read_file.c:93
 kernel_read_file_from_fd+0x55/0x90 fs/kernel_read_file.c:184
 __do_sys_finit_module+0x89/0x110 kernel/module.c:4180
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46ae99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f55dbd05c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99
RDX: 0000000000000003 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00000000004e4809 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078c0a0
R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffeee82e7a0
* Re: WARNING in __kernel_read
From: Matthew Wilcox @ 2021-10-06 12:17 UTC
To: Hao Sun
Cc: Linux Kernel Mailing List, linux-fsdevel, viro, Christoph Hellwig, Kees Cook

On Wed, Oct 06, 2021 at 05:33:47PM +0800, Hao Sun wrote:
> C reproducer: https://drive.google.com/file/d/1RzAsyIZzw5X_m340nY9fu4KWjGdG98pv/view?usp=sharing

It's easier than this reproducer makes it look.

res = syscall(__NR_openat, -1, 0x20000080ul, 0x4c003ul, 0x10ul);
syscall(__NR_finit_module, r[0], 0ul, 3ul);

should be enough.  Basically, userspace opens an fd without FMODE_READ
and passes it to finit_module().

> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 28082 at fs/read_write.c:429 __kernel_read+0x3bb/0x410 fs/read_write.c:429
> Modules linked in:
> CPU: 1 PID: 28082 Comm: syz-executor Not tainted 5.15.0-rc3+ #21
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> RIP: 0010:__kernel_read+0x3bb/0x410 fs/read_write.c:429
> Call Trace:
>  kernel_read+0x47/0x60 fs/read_write.c:461
>  kernel_read_file+0x20a/0x370 fs/kernel_read_file.c:93
>  kernel_read_file_from_fd+0x55/0x90 fs/kernel_read_file.c:184
>  __do_sys_finit_module+0x89/0x110 kernel/module.c:4180

finit_module() is not the only caller of kernel_read_file_from_fd()
which passes it a fd that userspace passed in, for example
kexec_file_load() doesn't validate the fd either.  We could validate
the fd in individual syscalls, in kernel_read_file_from_fd()
or just do what vfs_read() does and return -EBADF without warning.

So, one of these two patches.  Christoph, Al, what's your preference?

diff --git a/fs/kernel_read_file.c b/fs/kernel_read_file.c
index 87aac4c72c37..1f28b693d1db 100644
--- a/fs/kernel_read_file.c
+++ b/fs/kernel_read_file.c
@@ -178,7 +178,7 @@ int kernel_read_file_from_fd(int fd, loff_t offset, void **buf, struct fd f = fdget(fd); int ret = -EBADF; - if (!f.file) + if (!f.file || !(file->f_mode & FMODE_READ)) goto out; ret = kernel_read_file(f.file, offset, buf, buf_size, file_size, id); diff --git a/fs/read_write.c b/fs/read_write.c index af057c57bdc6..bab43b8532d1 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -426,8 +426,8 @@ ssize_t __kernel_read(struct file *file, void *buf, size_t count, loff_t *pos) struct iov_iter iter; ssize_t ret; - if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ))) - return -EINVAL; + if (!(file->f_mode & FMODE_READ)) + return -EBADF; if (!(file->f_mode & FMODE_CAN_READ)) return -EINVAL; /* ^ permalink raw reply related [flat|nested] 9+ messages in thread
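Review bot: the added condition in the kernel_read_file_from_fd() hunk dereferences `file`, but the only file pointer in scope there is `f.file` (from the `struct fd f = fdget(fd);` two lines above), so the hunk as posted does not compile; it should read `if (!f.file || !(f.file->f_mode & FMODE_READ))`. With that fixed the hunk does what the cover text asks for: the fd is refused with the -EBADF already set in `ret` before kernel_read_file() runs, vfs_read() gives userspace the same errno for an fd without FMODE_READ, and because kexec_file_load() also enters through kernel_read_file_from_fd(), it is covered by the same check rather than needing its own.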
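Review bot: the __kernel_read() hunk removes the WARN_ON_ONCE entirely, so an in-kernel caller that hands over a file without FMODE_READ, which is a kernel bug rather than a user-supplied fd (the 2020 report earlier in this thread came from the 9p transport's p9_read_work, not from a syscall argument), would now fail silently with no stack trace; it also changes the value returned to those in-kernel callers from -EINVAL to -EBADF. Since the cover text offers the two hunks as alternatives, the first hunk (validating in kernel_read_file_from_fd()) should be enough to stop userspace reaching this point, and the warning can then stay as the assertion that no other path lets a non-readable file through.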
* Re: WARNING in __kernel_read
From: Theodore Ts'o @ 2021-10-06 13:57 UTC
To: Matthew Wilcox
Cc: Hao Sun, Linux Kernel Mailing List, linux-fsdevel, viro, Christoph Hellwig, Kees Cook

On Wed, Oct 06, 2021 at 01:17:32PM +0100, Matthew Wilcox wrote:
> finit_module() is not the only caller of kernel_read_file_from_fd()
> which passes it a fd that userspace passed in, for example
> kexec_file_load() doesn't validate the fd either.  We could validate
> the fd in individual syscalls, in kernel_read_file_from_fd()
> or just do what vfs_read() does and return -EBADF without warning.

My suggestion would be to do both, and keep a WARN() in
__kernel_read(), since that should never happen (and we want a stack
trace if it does).

					- Ted
* Re: WARNING in __kernel_read
From: Kees Cook @ 2021-10-06 22:10 UTC
To: Theodore Ts'o
Cc: Matthew Wilcox, Hao Sun, Linux Kernel Mailing List, linux-fsdevel, viro, Christoph Hellwig

On Wed, Oct 06, 2021 at 09:57:22AM -0400, Theodore Ts'o wrote:
> On Wed, Oct 06, 2021 at 01:17:32PM +0100, Matthew Wilcox wrote:
> > finit_module() is not the only caller of kernel_read_file_from_fd()
> > which passes it a fd that userspace passed in, for example
> > kexec_file_load() doesn't validate the fd either.  We could validate
> > the fd in individual syscalls, in kernel_read_file_from_fd()
> > or just do what vfs_read() does and return -EBADF without warning.
>
> My suggestion would be to do both, and keep a WARN() in
> __kernel_read(), since that should never happen (and we want a stack
> trace if it does).

Agreed.

-- 
Kees Cook
* Re: WARNING in __kernel_read
From: Christoph Hellwig @ 2021-10-12 6:21 UTC
To: Matthew Wilcox
Cc: Hao Sun, Linux Kernel Mailing List, linux-fsdevel, viro, Christoph Hellwig, Kees Cook

On Wed, Oct 06, 2021 at 01:17:32PM +0100, Matthew Wilcox wrote:
> On Wed, Oct 06, 2021 at 05:33:47PM +0800, Hao Sun wrote:
> > C reproducer: https://drive.google.com/file/d/1RzAsyIZzw5X_m340nY9fu4KWjGdG98pv/view?usp=sharing
>
> It's easier than this reproducer makes it look.
>
> res = syscall(__NR_openat, -1, 0x20000080ul, 0x4c003ul, 0x10ul);
> syscall(__NR_finit_module, r[0], 0ul, 3ul);
>
> should be enough.  Basically, userspace opens an fd without FMODE_READ
> and passes it to finit_module().
>
> > ------------[ cut here ]------------
> > WARNING: CPU: 1 PID: 28082 at fs/read_write.c:429 __kernel_read+0x3bb/0x410 fs/read_write.c:429
> > Modules linked in:
> > CPU: 1 PID: 28082 Comm: syz-executor Not tainted 5.15.0-rc3+ #21
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> > RIP: 0010:__kernel_read+0x3bb/0x410 fs/read_write.c:429
> > Call Trace:
> >  kernel_read+0x47/0x60 fs/read_write.c:461
> >  kernel_read_file+0x20a/0x370 fs/kernel_read_file.c:93
> >  kernel_read_file_from_fd+0x55/0x90 fs/kernel_read_file.c:184
> >  __do_sys_finit_module+0x89/0x110 kernel/module.c:4180
>
> finit_module() is not the only caller of kernel_read_file_from_fd()
> which passes it a fd that userspace passed in, for example
> kexec_file_load() doesn't validate the fd either.  We could validate
> the fd in individual syscalls, in kernel_read_file_from_fd()
> or just do what vfs_read() does and return -EBADF without warning.
>
> So, one of these two patches.  Christoph, Al, what's your preference?

I think the warning was something Linus wanted.  So the first one seems
like the way to go.
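The two reports in this thread share one invariant: a fd that userspace supplied must be checked for the access mode the kernel is about to use before kernel_read() or kernel_write() ever sees it, which is what the p9_fd_open() fix named by Eric Biggers does for the 9p "trans=fd" mount (rfdno must be readable, wfdno writable) and what the kernel_read_file_from_fd() hunk preferred above does for finit_module() and kexec_file_load(). The following C program is an added example, not code from this thread or from the kernel tree; it models that check from userspace so both triggers can be exercised without a fuzzer or a crashing kernel. Everything in it is an assumption of the example: the function names, the use of fcntl(F_GETFL) & O_ACCMODE as the userspace stand-in for FMODE_READ/FMODE_WRITE, the scratch files under /tmp, and the finit_module() probe, which is safe to run unprivileged because it never supplies a loadable module.

```c
/*
 * Added example (not from this thread or the kernel tree): a userspace model
 * of the fd access-mode checks the fixes in this thread add in front of
 * kernel_read()/kernel_write(). fcntl(F_GETFL) & O_ACCMODE stands in for the
 * kernel's FMODE_READ/FMODE_WRITE bits, which userspace cannot see; that
 * mapping, the helper names and the /tmp scratch files are all assumptions.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>

/* 1 if fd was opened O_RDONLY or O_RDWR, 0 if O_WRONLY, -1 for a bad fd:
 * the userspace equivalent of the FMODE_READ test in __kernel_read(). */
int fd_is_readable(int fd)
{
	int flags = fcntl(fd, F_GETFL);
	if (flags < 0)
		return -1;
	int acc = flags & O_ACCMODE;
	return (acc == O_RDONLY || acc == O_RDWR) ? 1 : 0;
}

/* 1 if fd was opened O_WRONLY or O_RDWR, 0 if O_RDONLY, -1 for a bad fd. */
int fd_is_writable(int fd)
{
	int flags = fcntl(fd, F_GETFL);
	if (flags < 0)
		return -1;
	int acc = flags & O_ACCMODE;
	return (acc == O_WRONLY || acc == O_RDWR) ? 1 : 0;
}

/* What a "trans=fd,rfdno=R,wfdno=W" 9p mount must check before the transport
 * starts calling kernel_read() on R and kernel_write() on W. Returns 0 when
 * the pair is acceptable, -EBADF otherwise (the errno vfs_read() gives
 * userspace for an fd without read access). */
int p9_fd_pair_ok(int rfd, int wfd)
{
	if (fd_is_readable(rfd) != 1 || fd_is_writable(wfd) != 1)
		return -EBADF;
	return 0;
}

/* Hand fd to finit_module() and return the errno it fails with. Safe to run
 * unprivileged: EPERM without CAP_SYS_MODULE, EBADF on a kernel that checks
 * the fd in kernel_read_file_from_fd(), EINVAL on one that only has the
 * WARN_ON_ONCE, ENOSYS where the syscall is unavailable. Returns 0 only if a
 * module really loaded, which an empty scratch file can never do. */
int probe_finit_module(int fd)
{
#ifdef SYS_finit_module
	if (syscall(SYS_finit_module, fd, "", 0) == 0)
		return 0;
	return errno;
#else
	(void)fd;
	return ENOSYS;
#endif
}

/* Open an empty scratch file with the requested O_ACCMODE; caller closes it. */
int open_scratch(int accmode)
{
	char path[] = "/tmp/kernel_read_example_XXXXXX";
	int tmp = mkstemp(path);
	if (tmp < 0)
		return -1;
	int fd = open(path, accmode);	/* reopen with the mode under test */
	unlink(path);			/* keep the descriptor, drop the name */
	close(tmp);
	return fd;
}

/* Replay both scenarios from the thread. Returns 0 when every check gives
 * the expected answer, otherwise the number of the failing step. */
int run_demo(void)
{
	int wfd = open_scratch(O_WRONLY);	/* like syzbot's open("./file0", O_WRONLY|...) */
	int rwfd = open_scratch(O_RDWR);	/* like open("/dev/char/4:1", O_RDWR) */
	if (wfd < 0 || rwfd < 0)
		return 1;
	/* The 2020 mount: rfdno is the write-only fd, so it must be refused. */
	if (p9_fd_pair_ok(wfd, rwfd) != -EBADF)
		return 2;
	/* With the roles swapped the pair is usable. */
	if (p9_fd_pair_ok(rwfd, wfd) != 0)
		return 3;
	/* The 2021 case: a fd without read access handed to finit_module() must
	 * fail before kernel_read() runs, whichever errno this kernel picks. */
	if (fd_is_readable(wfd) != 0 || probe_finit_module(wfd) == 0)
		return 4;
	close(wfd);
	close(rwfd);
	return 0;
}

int main(void)
{
	int rc = run_demo();
	printf("fd access-mode checks: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
	return rc;
}
```

Build with `cc -Wall -o fdcheck fdcheck.c` and run it as an ordinary user; run_demo() returns 0 when the write-only fd is refused as the 9p read side and finit_module() fails on it. The errno from probe_finit_module() is what distinguishes kernels: EPERM when unprivileged, EBADF once kernel_read_file_from_fd() validates the fd, EINVAL (after a WARN in dmesg) on a kernel that still relies on the check in __kernel_read() alone.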