Linux-Next Archive on lore.kernel.org
* Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"
From: Qian Cai @ 2020-05-12 19:50 UTC
  To: David Howells
  Cc: Alexander Viro, linux-fsdevel, LKML, Linux-Next Mailing List,
	Stephen Rothwell

Reverting the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU safe per-ns mount list”) fixed the null-ptr-deref.

# runc run root

[ 1531.635242][ T4444] BUG: Kernel NULL pointer dereference on write at 0x00000000
[ 1531.635285][ T4444] Faulting instruction address: 0xc0000000005689e0
[ 1531.635299][ T4444] Oops: Kernel access of bad area, sig: 11 [#1]
[ 1531.635310][ T4444] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=256 DEBUG_PAGEALLOC NUMA PowerNV
[ 1531.635331][ T4444] Modules linked in: kvm_hv kvm ip_tables x_tables xfs sd_mod bnx2x tg3 ahci libahci mdio libphy libata firmware_class dm_mirror dm_region_hash dm_log dm_mod
[ 1531.635370][ T4444] CPU: 16 PID: 4444 Comm: runc:[2:INIT] Not tainted 5.7.0-rc5-next-20200512+ #9
[ 1531.635383][ T4444] NIP:  c0000000005689e0 LR: c0000000005689b0 CTR: 0000000000000000
[ 1531.635413][ T4444] REGS: c000001323aef980 TRAP: 0300   Not tainted  (5.7.0-rc5-next-20200512+)
[ 1531.635434][ T4444] MSR:  9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 24424282  XER: 00000000
[ 1531.635468][ T4444] CFAR: c0000000006f9eec DAR: 0000000000000000 DSISR: 42000000 IRQMASK: 0 
[ 1531.635468][ T4444] GPR00: c000000000570000 c000001323aefc10 c00000000168aa00 0000000000000001 
[ 1531.635468][ T4444] GPR04: c0000015934e9e98 c0000015934e9e98 00000000283df117 fffffffe4386c189 
[ 1531.635468][ T4444] GPR08: c000001323aefc38 0000000000000000 0000000000000000 0000000000000002 
[ 1531.635468][ T4444] GPR12: 0000000024402282 c000001fffff1800 000000c000229990 000000000000000a 
[ 1531.635468][ T4444] GPR16: ffffffffffffffff 0000000000000000 000000000000007a 000000012479c68c 
[ 1531.635468][ T4444] GPR20: 0000000000000000 000000c000000180 0000000000000000 0000000000000000 
[ 1531.635468][ T4444] GPR24: 0000000000000000 c00000000516b870 c00000000516b858 5deadbeef0000122 
[ 1531.635468][ T4444] GPR28: c000001323aefc38 c0000015934e9e00 c0000015934e9ea8 c0000015934e9e98 
[ 1531.635652][ T4444] NIP [c0000000005689e0] umount_tree+0x250/0x470
__write_once_size at include/linux/compiler.h:250
(inlined by) __hlist_del at include/linux/list.h:811
(inlined by) hlist_del_rcu at include/linux/rculist.h:487
(inlined by) umount_tree at fs/namespace.c:1485
[ 1531.635672][ T4444] LR [c0000000005689b0] umount_tree+0x220/0x470
[ 1531.635682][ T4444] Call Trace:
[ 1531.635709][ T4444] [c000001323aefca0] [c000000000570000] do_mount+0xb70/0xc90
[ 1531.635738][ T4444] [c000001323aefd70] [c0000000005706f8] sys_mount+0x158/0x180
[ 1531.635760][ T4444] [c000001323aefdc0] [c000000000038ac4] system_call_exception+0x114/0x1e0
[ 1531.635799][ T4444] [c000001323aefe20] [c00000000000c8f0] system_call_common+0xf0/0x278
[ 1531.635828][ T4444] Instruction dump:
[ 1531.635836][ T4444] 60000000 2fa30000 419e0014 e93f0008 e95f0000 f92a0008 f9490000 e93fffb8 
[ 1531.635860][ T4444] e95fffc0 fbff0000 fbff0008 2fa90000 <f92a0000> 419e0008 f9490008 e93f0058 
[ 1531.635885][ T4444] ---[ end trace f12075f6fac94362 ]---
[ 1531.748352][ T4444] 
[ 1532.748433][ T4444] Kernel panic - not syncing: Fatal exception


* Re: Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"
From: David Howells @ 2020-05-12 23:29 UTC
  To: Qian Cai
  Cc: dhowells, Alexander Viro, linux-fsdevel, LKML,
	Linux-Next Mailing List, Stephen Rothwell

Qian Cai <cai@lca.pw> wrote:

> Reverting the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU safe per-ns mount list”) fixed the null-ptr-deref.

Okay, I'm dropping this commit for now.

David



* Re: Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"
From: Qian Cai @ 2020-06-24 15:57 UTC
  To: David Howells
  Cc: Alexander Viro, linux-fsdevel, LKML, Linux-Next Mailing List,
	Stephen Rothwell, paulmck, rcu, torvalds

On Wed, May 13, 2020 at 12:29:52AM +0100, David Howells wrote:
> Qian Cai <cai@lca.pw> wrote:
> 
> > Reverting the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU safe per-ns mount list”) fixed the null-ptr-deref.
> 
> Okay, I'm dropping this commit for now.

What's the point of re-adding this buggy patch to linux-next again since
0621 without fixing the previously reported issue at all? Reverting the
commit will still fix the crash below immediately, i.e.,

dbc87e74d022 ("vfs, fsinfo: Add an RCU safe per-ns mount list")

# runc run root

[ 9067.486969][T72863] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
[ 9067.543973][T72863] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 9067.586640][T72863] CPU: 24 PID: 72863 Comm: runc:[2:INIT] Not tainted 5.8.0-rc2-next-20200624+ #4
[ 9067.629285][T72863] Hardware name: HP ProLiant BL660c Gen9, BIOS I38 10/17/2018
[ 9067.663809][T72863] RIP: 0010:umount_tree+0x4ec/0xcf0
[ 9067.688505][T72863] Code: 0f 85 61 04 00 00 49 83 c7 08 48 8b 43 b8 4c 89 fa 48 c1 ea 03 80 3c 2a 00 0f 85 33 04 00 00 4c 8b 7b c0 4c 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 09 04 00 00 49 89 07 48 85 c0 74 19 48 8d 78 08
[ 9067.782308][T72863] RSP: 0018:ffffc900259efcb0 EFLAGS: 00010246
[ 9067.810141][T72863] RAX: 0000000000000000 RBX: ffff8884b0cb8cd8 RCX: 1ffff92004b3dfa0
[ 9067.848310][T72863] RDX: 0000000000000000 RSI: ffff8884b0cb8cd8 RDI: ffffc900259efd08
[ 9067.886236][T72863] RBP: dffffc0000000000 R08: fffffbfff2bac7a6 R09: fffffbfff2bac7a6
[ 9067.922883][T72863] R10: ffffffff95d63d2f R11: fffffbfff2bac7a5 R12: ffff8884b0cb8c40
[ 9067.960156][T72863] R13: ffffc900259efd00 R14: 0000000000000001 R15: 0000000000000000
[ 9067.997069][T72863] FS:  00007fc286f88b80(0000) GS:ffff88881ed80000(0000) knlGS:0000000000000000
[ 9068.040907][T72863] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9068.074258][T72863] CR2: 00007fc284141e00 CR3: 0000000fbc33a002 CR4: 00000000001706e0
[ 9068.111890][T72863] Call Trace:
[ 9068.126482][T72863]  ? rcu_read_unlock+0x50/0x50
[ 9068.148298][T72863]  ? unhash_mnt+0x450/0x450
[ 9068.169156][T72863]  ? rwlock_bug.part.1+0x90/0x90
[ 9068.191014][T72863]  do_mount+0x1132/0x1620
[ 9068.211042][T72863]  ? rcu_read_lock_bh_held+0xc0/0xc0
[ 9068.235399][T72863]  ? copy_mount_string+0x20/0x20
[ 9068.258407][T72863]  ? memdup_user+0x4f/0x80
[ 9068.278493][T72863]  __x64_sys_mount+0x15d/0x1b0
[ 9068.299948][T72863]  do_syscall_64+0x5f/0x310
[ 9068.320837][T72863]  ? trace_hardirqs_off+0x12/0x1a0
[ 9068.343781][T72863]  ? asm_exc_page_fault+0x8/0x30
[ 9068.367139][T72863]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 9068.394316][T72863] RIP: 0033:0x55d71f93e7ca
[ 9068.414833][T72863] Code: Bad RIP value.
[ 9068.433443][T72863] RSP: 002b:000000c00021af30 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 9068.473044][T72863] RAX: ffffffffffffffda RBX: 000000c000028000 RCX: 000055d71f93e7ca
[ 9068.510343][T72863] RDX: 000000c00010546a RSI: 000000c000105470 RDI: 000000c000105460
[ 9068.547999][T72863] RBP: 000000c00021afc8 R08: 0000000000000000 R09: 0000000000000000
[ 9068.587756][T72863] R10: 0000000000001000 R11: 0000000000000206 R12: 0000000000000148
[ 9068.624851][T72863] R13: 0000000000000147 R14: 0000000000000200 R15: 0000000000000100
[ 9068.662061][T72863] Modules linked in: loop vfio_pci vfio_virqfd vfio_iommu_type1 vfio kvm_intel kvm irqbypass efivars nls_ascii nls_cp437 vfat fat ip_tables x_tables sd_mod bnx2x hpsa mdio scsi_transport_sas firmware_class dm_mirror dm_region_hash dm_log dm_mod efivarfs
[ 9068.777205][T72863] ---[ end trace 9c03562d398fb10f ]---
[ 9068.802729][T72863] RIP: 0010:umount_tree+0x4ec/0xcf0
[ 9068.826630][T72863] Code: 0f 85 61 04 00 00 49 83 c7 08 48 8b 43 b8 4c 89 fa 48 c1 ea 03 80 3c 2a 00 0f 85 33 04 00 00 4c 8b 7b c0 4c 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 09 04 00 00 49 89 07 48 85 c0 74 19 48 8d 78 08
[ 9068.918966][T72863] RSP: 0018:ffffc900259efcb0 EFLAGS: 00010246
[ 9068.947083][T72863] RAX: 0000000000000000 RBX: ffff8884b0cb8cd8 RCX: 1ffff92004b3dfa0
[ 9068.985097][T72863] RDX: 0000000000000000 RSI: ffff8884b0cb8cd8 RDI: ffffc900259efd08
[ 9069.022555][T72863] RBP: dffffc0000000000 R08: fffffbfff2bac7a6 R09: fffffbfff2bac7a6
[ 9069.061621][T72863] R10: ffffffff95d63d2f R11: fffffbfff2bac7a5 R12: ffff8884b0cb8c40
[ 9069.101629][T72863] R13: ffffc900259efd00 R14: 0000000000000001 R15: 0000000000000000
[ 9069.138367][T72863] FS:  00007fc286f88b80(0000) GS:ffff88881ed80000(0000) knlGS:0000000000000000
[ 9069.180543][T72863] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9069.209807][T72863] CR2: 00007fc284141e00 CR3: 0000000fbc33a002 CR4: 00000000001706e0
[ 9069.245727][T72863] Kernel panic - not syncing: Fatal exception
[ 9069.273756][T72863] Kernel Offset: 0x11c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 9069.327388][T72863] ---[ end Kernel panic - not syncing: Fatal exception ]---


* Re: Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"
From: Stephen Rothwell @ 2020-06-25  1:25 UTC
  To: Qian Cai
  Cc: David Howells, Alexander Viro, linux-fsdevel, LKML,
	Linux-Next Mailing List, paulmck, rcu, torvalds



Hi all,

On Wed, 24 Jun 2020 11:57:07 -0400 Qian Cai <cai@lca.pw> wrote:
>
> On Wed, May 13, 2020 at 12:29:52AM +0100, David Howells wrote:
> > Qian Cai <cai@lca.pw> wrote:
> >   
> > > Reverting the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU safe per-ns mount list”) fixed the null-ptr-deref.
> > 
> > Okay, I'm dropping this commit for now.  
> 
> What's the point of re-adding this buggy patch to linux-next again since
> 0621 without fixing the previously reported issue at all? Reverting the
> commit will still fix the crash below immediately, i.e.,
> 
> dbc87e74d022 ("vfs, fsinfo: Add an RCU safe per-ns mount list")

I have added a revert of that commit to linux-next today.

-- 
Cheers,
Stephen Rothwell

