LKML Archive on lore.kernel.org
* kernel 5.4: refcount_t: increment on 0; use-after-free (in keyring_search_rcu called when nfs_idmap_lookup)
@ 2020-01-16 20:29 Wolfgang Walter
From: Wolfgang Walter @ 2020-01-16 20:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: David Howells, keyrings

Hello,

With 5.4.5 and later (I didn't test lower 5.4 versions) I get the following kernel failure:

Jan 13 17:32:23 konstanz kernel: [2072916.589221] ------------[ cut here ]------------
Jan 13 17:32:23 konstanz kernel: [2072916.589228] refcount_t: increment on 0; use-after-free.
Jan 13 17:32:23 konstanz kernel: [2072916.589271] WARNING: CPU: 1 PID: 28813 at lib/refcount.c:156 refcount_inc_checked+0x26/0x30
Jan 13 17:32:23 konstanz kernel: [2072916.589273] Modules linked in: rpcsec_gss_krb5(E) nfsv4(E) dns_resolver(E) nfs(E) lockd(E) grace(E) fscache(E) binfmt_misc(E) intel_rapl_msr(E) intel_rapl_common(E) kvm_intel(E) kvm(E) irqbypass(E) crct10dif_pclmul(E) crc32_pclmul(E) ghash_clmulni_intel(E) aesni_intel(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_generic(E) ledtrig_audio(E) snd_hda_intel(E) snd_intel_nhlt(E) snd_hda_codec(E) snd_hda_core(E) snd_hwdep(E) cirrus(E) snd_pcm(E) evdev(E) joydev(E) snd_timer(E) serio_raw(E) virtio_balloon(E) snd(E) drm_kms_helper(E) soundcore(E) pcspkr(E) drm(E) button(E) auth_rpcgss(E) sunrpc(E) virtio_rng(E) rng_core(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) hid_generic(E) usbhid(E) hid(E) ata_generic(E) virtio_net(E) net_failover(E) failover(E) virtio_blk(E) uhci_hcd(E) ehci_hcd(E) ahci(E) libahci(E) ata_piix(E) crc32c_intel(E) psmouse(E) i2c_piix4(E) usbcore(E) virtio_pci(E) libata(E) virtio_ring(E) virtio(E) scsi_mod(E) floppy(E)
Jan 13 17:32:23 konstanz kernel: [2072916.589496] CPU: 1 PID: 28813 Comm: tljob.exe Tainted: G            E     5.4.5-debian64.all+1.1 #1
Jan 13 17:32:23 konstanz kernel: [2072916.589497] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Jan 13 17:32:23 konstanz kernel: [2072916.589501] RIP: 0010:refcount_inc_checked+0x26/0x30
Jan 13 17:32:23 konstanz kernel: [2072916.589503] Code: 00 00 00 00 e8 9b ff ff ff 84 c0 74 01 c3 80 3d 6e f9 ce 00 00 75 f6 48 c7 c7 f0 b1 8d 9d c6 05 5e f9 ce 00 01 e8 a8 32 c7 ff <0f> 0b c3 0f 1f 80 00 00 00 00 41 54 8b 06 83 f8 ff 74 1d 31 c9 39
Jan 13 17:32:23 konstanz kernel: [2072916.589505] RSP: 0018:ffffb5f3809e3768 EFLAGS: 00010286
Jan 13 17:32:23 konstanz kernel: [2072916.589507] RAX: 0000000000000000 RBX: ffffb5f3809e3808 RCX: 0000000000000000
Jan 13 17:32:23 konstanz kernel: [2072916.589508] RDX: 0000000000000001 RSI: 0000000000000096 RDI: 00000000ffffffff
Jan 13 17:32:23 konstanz kernel: [2072916.589509] RBP: ffff8f08bbe3b300 R08: 0000000000000205 R09: 0000000000000004
Jan 13 17:32:23 konstanz kernel: [2072916.589510] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f08bd78fc00
Jan 13 17:32:23 konstanz kernel: [2072916.589511] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jan 13 17:32:23 konstanz kernel: [2072916.589513] FS:  00000000003f4000(006b) GS:ffff8f08bdb00000(0063) knlGS:0000000002893b40
Jan 13 17:32:23 konstanz kernel: [2072916.589515] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
Jan 13 17:32:23 konstanz kernel: [2072916.589528] CR2: 0000000010028600 CR3: 0000000026ece000 CR4: 00000000000406e0
Jan 13 17:32:23 konstanz kernel: [2072916.589534] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jan 13 17:32:23 konstanz kernel: [2072916.589535] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jan 13 17:32:23 konstanz kernel: [2072916.589537] Call Trace:
Jan 13 17:32:23 konstanz kernel: [2072916.589579]  keyring_search_rcu+0x87/0x90
Jan 13 17:32:23 konstanz kernel: [2072916.589609]  search_cred_keyrings_rcu+0x2f/0x170
Jan 13 17:32:23 konstanz kernel: [2072916.589614]  search_process_keyrings_rcu+0x11/0xc0
Jan 13 17:32:23 konstanz kernel: [2072916.589618]  request_key_and_link+0x116/0x760
Jan 13 17:32:23 konstanz kernel: [2072916.589622]  ? keyring_alloc+0x70/0x70
Jan 13 17:32:23 konstanz kernel: [2072916.589624]  ? key_default_cmp+0x20/0x20
Jan 13 17:32:23 konstanz kernel: [2072916.589627]  request_key_tag+0x44/0xa0
Jan 13 17:32:23 konstanz kernel: [2072916.589717]  nfs_idmap_get_key+0x118/0x1f0 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.589748]  nfs_idmap_lookup_id+0x30/0x80 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.589764]  nfs_map_name_to_uid+0x13b/0x150 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.589778]  decode_getfattr_attrs+0xdbd/0x1110 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.589786]  ? _raw_spin_unlock_irqrestore+0x20/0x40
Jan 13 17:32:23 konstanz kernel: [2072916.589789]  ? __wake_up_common_lock+0x8a/0xc0
Jan 13 17:32:23 konstanz kernel: [2072916.589803]  nfs4_decode_dirent+0x173/0x2b0 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.589868]  nfs_readdir_page_filler+0x161/0x650 [nfs]
Jan 13 17:32:23 konstanz kernel: [2072916.589890]  nfs_readdir_xdr_to_array+0x20c/0x3d0 [nfs]
Jan 13 17:32:23 konstanz kernel: [2072916.589894]  ? xas_store+0x1b7/0x5e0
Jan 13 17:32:23 konstanz kernel: [2072916.589899]  ? __add_to_page_cache_locked+0x258/0x360
Jan 13 17:32:23 konstanz kernel: [2072916.589909]  nfs_readdir_filler+0x1e/0x80 [nfs]
Jan 13 17:32:23 konstanz kernel: [2072916.589911]  do_read_cache_page+0x2e4/0x810
Jan 13 17:32:23 konstanz kernel: [2072916.589922]  ? nfs_readdir_xdr_to_array+0x3d0/0x3d0 [nfs]
Jan 13 17:32:23 konstanz kernel: [2072916.589926]  ? verify_dirent_name+0x16/0x30
Jan 13 17:32:23 konstanz kernel: [2072916.589928]  ? filldir64+0x3a/0x170
Jan 13 17:32:23 konstanz kernel: [2072916.589938]  nfs_readdir+0x122/0x4e0 [nfs]
Jan 13 17:32:23 konstanz kernel: [2072916.589953]  ? nfs4_xdr_dec_lookupp+0xd0/0xd0 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.589956]  iterate_dir+0x92/0x1a0
Jan 13 17:32:23 konstanz kernel: [2072916.589960]  ksys_getdents64+0x9c/0x130
Jan 13 17:32:23 konstanz kernel: [2072916.589963]  ? filldir+0x170/0x170
Jan 13 17:32:23 konstanz kernel: [2072916.589966]  __ia32_sys_getdents64+0x15/0x20
Jan 13 17:32:23 konstanz kernel: [2072916.589970]  do_fast_syscall_32+0x9a/0x216
Jan 13 17:32:23 konstanz kernel: [2072916.589979]  entry_SYSENTER_compat+0x7f/0x91
Jan 13 17:32:23 konstanz kernel: [2072916.589992] ---[ end trace 149edb431f1235b8 ]---
Jan 13 17:32:23 konstanz kernel: [2072916.590020] ------------[ cut here ]------------
Jan 13 17:32:23 konstanz kernel: [2072916.590021] refcount_t: underflow; use-after-free.
Jan 13 17:32:23 konstanz kernel: [2072916.590038] WARNING: CPU: 1 PID: 28813 at lib/refcount.c:190 refcount_sub_and_test_checked+0x55/0x60
Jan 13 17:32:23 konstanz kernel: [2072916.590039] Modules linked in: rpcsec_gss_krb5(E) nfsv4(E) dns_resolver(E) nfs(E) lockd(E) grace(E) fscache(E) binfmt_misc(E) intel_rapl_msr(E) intel_rapl_common(E) kvm_intel(E) kvm(E) irqbypass(E) crct10dif_pclmul(E) crc32_pclmul(E) ghash_clmulni_intel(E) aesni_intel(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_generic(E) ledtrig_audio(E) snd_hda_intel(E) snd_intel_nhlt(E) snd_hda_codec(E) snd_hda_core(E) snd_hwdep(E) cirrus(E) snd_pcm(E) evdev(E) joydev(E) snd_timer(E) serio_raw(E) virtio_balloon(E) snd(E) drm_kms_helper(E) soundcore(E) pcspkr(E) drm(E) button(E) auth_rpcgss(E) sunrpc(E) virtio_rng(E) rng_core(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) hid_generic(E) usbhid(E) hid(E) ata_generic(E) virtio_net(E) net_failover(E) failover(E) virtio_blk(E) uhci_hcd(E) ehci_hcd(E) ahci(E) libahci(E) ata_piix(E) crc32c_intel(E) psmouse(E) i2c_piix4(E) usbcore(E) virtio_pci(E) libata(E) virtio_ring(E) virtio(E) scsi_mod(E) floppy(E)
Jan 13 17:32:23 konstanz kernel: [2072916.590069] CPU: 1 PID: 28813 Comm: tljob.exe Tainted: G        W   E     5.4.5-debian64.all+1.1 #1
Jan 13 17:32:23 konstanz kernel: [2072916.590070] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Jan 13 17:32:23 konstanz kernel: [2072916.590073] RIP: 0010:refcount_sub_and_test_checked+0x55/0x60
Jan 13 17:32:23 konstanz kernel: [2072916.590075] Code: e0 41 5c c3 44 89 e0 41 5c c3 44 0f b6 25 11 f9 ce 00 45 84 e4 75 e4 48 c7 c7 20 b2 8d 9d c6 05 fe f8 ce 00 01 e8 49 32 c7 ff <0f> 0b eb d0 0f 1f 80 00 00 00 00 48 89 fe bf 01 00 00 00 eb 96 66
Jan 13 17:32:23 konstanz kernel: [2072916.590076] RSP: 0018:ffffb5f3809e38e8 EFLAGS: 00010282
Jan 13 17:32:23 konstanz kernel: [2072916.590078] RAX: 0000000000000000 RBX: 000000000000001c RCX: 0000000000000000
Jan 13 17:32:23 konstanz kernel: [2072916.590079] RDX: 0000000000000001 RSI: 0000000000000092 RDI: 00000000ffffffff
Jan 13 17:32:23 konstanz kernel: [2072916.590080] RBP: ffff8f0867406200 R08: 0000000000000239 R09: 0000000000000004
Jan 13 17:32:23 konstanz kernel: [2072916.590081] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
Jan 13 17:32:23 konstanz kernel: [2072916.590082] R13: ffffffffc0aed8a8 R14: ffff8f0867406200 R15: ffff8f0874c284c0
Jan 13 17:32:23 konstanz kernel: [2072916.590084] FS:  00000000003f4000(006b) GS:ffff8f08bdb00000(0063) knlGS:0000000002893b40
Jan 13 17:32:23 konstanz kernel: [2072916.590085] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
Jan 13 17:32:23 konstanz kernel: [2072916.590086] CR2: 0000000010028600 CR3: 0000000026ece000 CR4: 00000000000406e0
Jan 13 17:32:23 konstanz kernel: [2072916.590091] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jan 13 17:32:23 konstanz kernel: [2072916.590092] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jan 13 17:32:23 konstanz kernel: [2072916.590093] Call Trace:
Jan 13 17:32:23 konstanz kernel: [2072916.590096]  key_put+0xf/0x30
Jan 13 17:32:23 konstanz kernel: [2072916.590113]  nfs_idmap_get_key+0x1ac/0x1f0 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.590127]  nfs_idmap_lookup_id+0x30/0x80 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.590139]  nfs_map_name_to_uid+0x13b/0x150 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.590151]  decode_getfattr_attrs+0xdbd/0x1110 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.590155]  ? _raw_spin_unlock_irqrestore+0x20/0x40
Jan 13 17:32:23 konstanz kernel: [2072916.590157]  ? __wake_up_common_lock+0x8a/0xc0
Jan 13 17:32:23 konstanz kernel: [2072916.590168]  nfs4_decode_dirent+0x173/0x2b0 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.590178]  nfs_readdir_page_filler+0x161/0x650 [nfs]
Jan 13 17:32:23 konstanz kernel: [2072916.590190]  nfs_readdir_xdr_to_array+0x20c/0x3d0 [nfs]
Jan 13 17:32:23 konstanz kernel: [2072916.590193]  ? xas_store+0x1b7/0x5e0
Jan 13 17:32:23 konstanz kernel: [2072916.590196]  ? __add_to_page_cache_locked+0x258/0x360
Jan 13 17:32:23 konstanz kernel: [2072916.590204]  nfs_readdir_filler+0x1e/0x80 [nfs]
Jan 13 17:32:23 konstanz kernel: [2072916.590207]  do_read_cache_page+0x2e4/0x810
Jan 13 17:32:23 konstanz kernel: [2072916.590215]  ? nfs_readdir_xdr_to_array+0x3d0/0x3d0 [nfs]
Jan 13 17:32:23 konstanz kernel: [2072916.590218]  ? verify_dirent_name+0x16/0x30
Jan 13 17:32:23 konstanz kernel: [2072916.590220]  ? filldir64+0x3a/0x170
Jan 13 17:32:23 konstanz kernel: [2072916.590228]  nfs_readdir+0x122/0x4e0 [nfs]
Jan 13 17:32:23 konstanz kernel: [2072916.590240]  ? nfs4_xdr_dec_lookupp+0xd0/0xd0 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.590243]  iterate_dir+0x92/0x1a0
Jan 13 17:32:23 konstanz kernel: [2072916.590246]  ksys_getdents64+0x9c/0x130
Jan 13 17:32:23 konstanz kernel: [2072916.590249]  ? filldir+0x170/0x170
Jan 13 17:32:23 konstanz kernel: [2072916.590252]  __ia32_sys_getdents64+0x15/0x20
Jan 13 17:32:23 konstanz kernel: [2072916.590255]  do_fast_syscall_32+0x9a/0x216
Jan 13 17:32:23 konstanz kernel: [2072916.590257]  entry_SYSENTER_compat+0x7f/0x91
Jan 13 17:32:23 konstanz kernel: [2072916.590261] ---[ end trace 149edb431f1235b9 ]---

Here with 5.4.12:

Jan 16 20:26:18 konstanz kernel: [    5.548117] Key type id_resolver registered
Jan 16 20:26:18 konstanz kernel: [    5.548118] Key type id_legacy registered
Jan 16 20:41:37 konstanz kernel: [  924.090960] ------------[ cut here ]------------
Jan 16 20:41:37 konstanz kernel: [  924.090965] refcount_t: increment on 0; use-after-free.
Jan 16 20:41:37 konstanz kernel: [  924.091001] WARNING: CPU: 1 PID: 1247 at lib/refcount.c:156 refcount_inc_checked+0x26/0x30
Jan 16 20:41:37 konstanz kernel: [  924.091003] Modules linked in: rpcsec_gss_krb5(E) nfsv4(E) dns_resolver(E) nfs(E) lockd(E) grace(E) fscache(E) intel_rapl_msr(E) intel_rapl_common(E) kvm_intel(E) kvm(E) irqbypass(E) binfmt_misc(E) crct10dif_pclmul(E) crc32_pclmul(E) ghash_clmulni_intel(E) aesni_intel(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_generic(E) ledtrig_audio(E) snd_hda_intel(E) snd_intel_nhlt(E) snd_hda_codec(E) cirrus(E) snd_hda_core(E) drm_kms_helper(E) snd_hwdep(E) snd_pcm(E) snd_timer(E) snd(E) evdev(E) joydev(E) serio_raw(E) pcspkr(E) soundcore(E) virtio_balloon(E) drm(E) button(E) auth_rpcgss(E) sunrpc(E) virtio_rng(E) rng_core(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) hid_generic(E) usbhid(E) hid(E) ata_generic(E) virtio_net(E) net_failover(E) failover(E) virtio_blk(E) uhci_hcd(E) ahci(E) ehci_hcd(E) ata_piix(E) libahci(E) virtio_pci(E) virtio_ring(E) crc32c_intel(E) psmouse(E) virtio(E) libata(E) i2c_piix4(E) usbcore(E) scsi_mod(E) floppy(E)
Jan 16 20:41:37 konstanz kernel: [  924.091205] CPU: 1 PID: 1247 Comm: tljob.exe Tainted: G            E     5.4.12-debian64.all+1.1 #1
Jan 16 20:41:37 konstanz kernel: [  924.091205] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Jan 16 20:41:37 konstanz kernel: [  924.091207] RIP: 0010:refcount_inc_checked+0x26/0x30
Jan 16 20:41:37 konstanz kernel: [  924.091210] Code: 00 00 00 00 e8 9b ff ff ff 84 c0 74 01 c3 80 3d 7e f1 ce 00 00 75 f6 48 c7 c7 40 ba ad bd c6 05 6e f1 ce 00 01 e8 18 2b c7 ff <0f> 0b c3 0f 1f 80 00 00 00 00 41 54 8b 06 83 f8 ff 74 1d 31 c9 39
Jan 16 20:41:37 konstanz kernel: [  924.091211] RSP: 0018:ffffb9ea01183768 EFLAGS: 00010286
Jan 16 20:41:37 konstanz kernel: [  924.091212] RAX: 0000000000000000 RBX: ffffb9ea01183808 RCX: 0000000000000000
Jan 16 20:41:37 konstanz kernel: [  924.091213] RDX: 0000000000000001 RSI: 0000000000000096 RDI: 00000000ffffffff
Jan 16 20:41:37 konstanz kernel: [  924.091214] RBP: ffff9018f4a81100 R08: 0000000000000204 R09: 0000000000000004
Jan 16 20:41:37 konstanz kernel: [  924.091215] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9018f50bb9c0
Jan 16 20:41:37 konstanz kernel: [  924.091215] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jan 16 20:41:37 konstanz kernel: [  924.091216] FS:  00000000003f4000(006b) GS:ffff90193db00000(0063) knlGS:0000000002893b40
Jan 16 20:41:37 konstanz kernel: [  924.091217] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
Jan 16 20:41:37 konstanz kernel: [  924.091218] CR2: 00007ffc3a1d4668 CR3: 000000007aa9e000 CR4: 00000000000406e0
Jan 16 20:41:37 konstanz kernel: [  924.091220] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jan 16 20:41:37 konstanz kernel: [  924.091221] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jan 16 20:41:37 konstanz kernel: [  924.091221] Call Trace:
Jan 16 20:41:37 konstanz kernel: [  924.091241]  keyring_search_rcu+0x87/0x90
Jan 16 20:41:37 konstanz kernel: [  924.091269]  search_cred_keyrings_rcu+0x2f/0x170
Jan 16 20:41:37 konstanz kernel: [  924.091287]  search_process_keyrings_rcu+0x11/0xc0
Jan 16 20:41:37 konstanz kernel: [  924.091290]  request_key_and_link+0x116/0x760
Jan 16 20:41:37 konstanz kernel: [  924.091293]  ? keyring_alloc+0x70/0x70
Jan 16 20:41:37 konstanz kernel: [  924.091295]  ? key_default_cmp+0x20/0x20
Jan 16 20:41:37 konstanz kernel: [  924.091298]  request_key_tag+0x44/0xa0
Jan 16 20:41:37 konstanz kernel: [  924.091349]  nfs_idmap_get_key+0x118/0x1f0 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091368]  nfs_idmap_lookup_id+0x30/0x80 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091378]  nfs_map_name_to_uid+0x13b/0x150 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091441]  ? xdr_set_next_buffer+0x32/0xa0 [sunrpc]
Jan 16 20:41:37 konstanz kernel: [  924.091451]  decode_getfattr_attrs+0xdbd/0x1110 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091486]  ? nfs_set_cache_invalid+0x33/0xa0 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091494]  nfs4_decode_dirent+0x173/0x2b0 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091501]  nfs_readdir_page_filler+0x161/0x650 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091517]  nfs_readdir_xdr_to_array+0x20c/0x3d0 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091520]  ? xas_store+0x1b7/0x5e0
Jan 16 20:41:37 konstanz kernel: [  924.091524]  ? __add_to_page_cache_locked+0x248/0x360
Jan 16 20:41:37 konstanz kernel: [  924.091530]  nfs_readdir_filler+0x1e/0x80 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091531]  do_read_cache_page+0x2e4/0x810
Jan 16 20:41:37 konstanz kernel: [  924.091538]  ? nfs_readdir_xdr_to_array+0x3d0/0x3d0 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091540]  ? verify_dirent_name+0x16/0x30
Jan 16 20:41:37 konstanz kernel: [  924.091542]  ? filldir64+0x3a/0x170
Jan 16 20:41:37 konstanz kernel: [  924.091548]  nfs_readdir+0x122/0x4e0 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091556]  ? nfs4_xdr_dec_lookupp+0xd0/0xd0 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091558]  iterate_dir+0x92/0x1a0
Jan 16 20:41:37 konstanz kernel: [  924.091561]  ksys_getdents64+0x9c/0x130
Jan 16 20:41:37 konstanz kernel: [  924.091562]  ? filldir+0x170/0x170
Jan 16 20:41:37 konstanz kernel: [  924.091564]  __ia32_sys_getdents64+0x15/0x20
Jan 16 20:41:37 konstanz kernel: [  924.091567]  do_fast_syscall_32+0x9a/0x216
Jan 16 20:41:37 konstanz kernel: [  924.091572]  entry_SYSENTER_compat+0x7f/0x91
Jan 16 20:41:37 konstanz kernel: [  924.091580] ---[ end trace 43098646b595d492 ]---
Jan 16 20:41:37 konstanz kernel: [  924.091599] ------------[ cut here ]------------
Jan 16 20:41:37 konstanz kernel: [  924.091599] refcount_t: underflow; use-after-free.
Jan 16 20:41:37 konstanz kernel: [  924.091609] WARNING: CPU: 1 PID: 1247 at lib/refcount.c:190 refcount_sub_and_test_checked+0x55/0x60
Jan 16 20:41:37 konstanz kernel: [  924.091609] Modules linked in: rpcsec_gss_krb5(E) nfsv4(E) dns_resolver(E) nfs(E) lockd(E) grace(E) fscache(E) intel_rapl_msr(E) intel_rapl_common(E) kvm_intel(E) kvm(E) irqbypass(E) binfmt_misc(E) crct10dif_pclmul(E) crc32_pclmul(E) ghash_clmulni_intel(E) aesni_intel(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_generic(E) ledtrig_audio(E) snd_hda_intel(E) snd_intel_nhlt(E) snd_hda_codec(E) cirrus(E) snd_hda_core(E) drm_kms_helper(E) snd_hwdep(E) snd_pcm(E) snd_timer(E) snd(E) evdev(E) joydev(E) serio_raw(E) pcspkr(E) soundcore(E) virtio_balloon(E) drm(E) button(E) auth_rpcgss(E) sunrpc(E) virtio_rng(E) rng_core(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) hid_generic(E) usbhid(E) hid(E) ata_generic(E) virtio_net(E) net_failover(E) failover(E) virtio_blk(E) uhci_hcd(E) ahci(E) ehci_hcd(E) ata_piix(E) libahci(E) virtio_pci(E) virtio_ring(E) crc32c_intel(E) psmouse(E) virtio(E) libata(E) i2c_piix4(E) usbcore(E) scsi_mod(E) floppy(E)
Jan 16 20:41:37 konstanz kernel: [  924.091640] CPU: 1 PID: 1247 Comm: tljob.exe Tainted: G        W   E     5.4.12-debian64.all+1.1 #1
Jan 16 20:41:37 konstanz kernel: [  924.091641] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Jan 16 20:41:37 konstanz kernel: [  924.091643] RIP: 0010:refcount_sub_and_test_checked+0x55/0x60
Jan 16 20:41:37 konstanz kernel: [  924.091659] Code: e0 41 5c c3 44 89 e0 41 5c c3 44 0f b6 25 21 f1 ce 00 45 84 e4 75 e4 48 c7 c7 70 ba ad bd c6 05 0e f1 ce 00 01 e8 b9 2a c7 ff <0f> 0b eb d0 0f 1f 80 00 00 00 00 48 89 fe bf 01 00 00 00 eb 96 66
Jan 16 20:41:37 konstanz kernel: [  924.091660] RSP: 0018:ffffb9ea011838e8 EFLAGS: 00010282
Jan 16 20:41:37 konstanz kernel: [  924.091661] RAX: 0000000000000000 RBX: 000000000000001b RCX: 0000000000000000
Jan 16 20:41:37 konstanz kernel: [  924.091662] RDX: 0000000000000001 RSI: 0000000000000092 RDI: 00000000ffffffff
Jan 16 20:41:37 konstanz kernel: [  924.091663] RBP: ffff90193c29bf00 R08: 0000000000000238 R09: 0000000000000004
Jan 16 20:41:37 konstanz kernel: [  924.091663] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
Jan 16 20:41:37 konstanz kernel: [  924.091664] R13: ffffffffc0be18a8 R14: ffff90193c29bf00 R15: ffff90193ae69000
Jan 16 20:41:37 konstanz kernel: [  924.091665] FS:  00000000003f4000(006b) GS:ffff90193db00000(0063) knlGS:0000000002893b40
Jan 16 20:41:37 konstanz kernel: [  924.091666] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
Jan 16 20:41:37 konstanz kernel: [  924.091667] CR2: 00007ffc3a1d4668 CR3: 000000007aa9e000 CR4: 00000000000406e0
Jan 16 20:41:37 konstanz kernel: [  924.091684] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jan 16 20:41:37 konstanz kernel: [  924.091685] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jan 16 20:41:37 konstanz kernel: [  924.091685] Call Trace:
Jan 16 20:41:37 konstanz kernel: [  924.091688]  key_put+0xf/0x30
Jan 16 20:41:37 konstanz kernel: [  924.091697]  nfs_idmap_get_key+0x1ac/0x1f0 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091705]  nfs_idmap_lookup_id+0x30/0x80 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091713]  nfs_map_name_to_uid+0x13b/0x150 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091722]  ? xdr_set_next_buffer+0x32/0xa0 [sunrpc]
Jan 16 20:41:37 konstanz kernel: [  924.091730]  decode_getfattr_attrs+0xdbd/0x1110 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091736]  ? nfs_set_cache_invalid+0x33/0xa0 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091743]  nfs4_decode_dirent+0x173/0x2b0 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091748]  nfs_readdir_page_filler+0x161/0x650 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091754]  nfs_readdir_xdr_to_array+0x20c/0x3d0 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091756]  ? xas_store+0x1b7/0x5e0
Jan 16 20:41:37 konstanz kernel: [  924.091758]  ? __add_to_page_cache_locked+0x248/0x360
Jan 16 20:41:37 konstanz kernel: [  924.091763]  nfs_readdir_filler+0x1e/0x80 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091764]  do_read_cache_page+0x2e4/0x810
Jan 16 20:41:37 konstanz kernel: [  924.091769]  ? nfs_readdir_xdr_to_array+0x3d0/0x3d0 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091771]  ? verify_dirent_name+0x16/0x30
Jan 16 20:41:37 konstanz kernel: [  924.091772]  ? filldir64+0x3a/0x170
Jan 16 20:41:37 konstanz kernel: [  924.091792]  nfs_readdir+0x122/0x4e0 [nfs]
Jan 16 20:41:37 konstanz kernel: [  924.091799]  ? nfs4_xdr_dec_lookupp+0xd0/0xd0 [nfsv4]
Jan 16 20:41:37 konstanz kernel: [  924.091801]  iterate_dir+0x92/0x1a0
Jan 16 20:41:37 konstanz kernel: [  924.091803]  ksys_getdents64+0x9c/0x130
Jan 16 20:41:37 konstanz kernel: [  924.091805]  ? filldir+0x170/0x170
Jan 16 20:41:37 konstanz kernel: [  924.091807]  __ia32_sys_getdents64+0x15/0x20
Jan 16 20:41:37 konstanz kernel: [  924.091809]  do_fast_syscall_32+0x9a/0x216
Jan 16 20:41:37 konstanz kernel: [  924.091810]  entry_SYSENTER_compat+0x7f/0x91
Jan 16 20:41:37 konstanz kernel: [  924.091812] ---[ end trace 43098646b595d493 ]---
4.19.96 works fine.

Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
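The two warning blocks above are the kind of signal worth pulling out of journal output automatically rather than noticing by eye. The following Python is an added example, not code from this report or the kernel tree: it parses each "cut here" ... "end trace" block that begins with a refcount_t message into a record (WARN site, faulting task, kernel release, exact call-trace frames with their module), using sample lines constructed from the 5.4.5 trace in the mail and abbreviated.

```python
"""Parse refcount_t warnings out of kernel log text. Added example, not code
from this report or the kernel tree; SAMPLE_LOG is constructed from it."""
import re
from dataclasses import dataclass, field

CUT_HERE = "------------[ cut here ]------------"
PREFIX_RE = re.compile(r"^.*?\[\s*\d+\.\d+\]\s?")  # syslog/dmesg prefix
WARN_RE = re.compile(r"WARNING: CPU: (\d+) PID: (\d+) at (\S+) (\S+)")
COMM_RE = re.compile(r"Comm: (\S+) (?:Not tainted|Tainted: .+?)\s+(\S+) #\d+$")
FRAME_RE = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?$")
END_RE = re.compile(r"---\[ end trace ([0-9a-f]+) \]---")

@dataclass
class RefcountWarning:
    message: str            # text after "refcount_t:", e.g. "underflow; use-after-free."
    cpu: int = -1
    pid: int = -1
    location: str = ""      # WARN site, e.g. lib/refcount.c:156
    function: str = ""      # refcount helper that fired
    comm: str = ""          # faulting task's command name
    kernel: str = ""        # kernel release string
    trace_id: str = ""
    frames: list = field(default_factory=list)  # (symbol, module), exact frames only

def parse_refcount_warnings(text):
    """One record per 'cut here'...'end trace' block; '?' (unverified) frames are dropped."""
    found, cur, in_trace = [], None, False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw, count=1).rstrip()
        if line.startswith(CUT_HERE):
            cur, in_trace = None, False
        elif line.startswith("refcount_t:"):
            cur = RefcountWarning(message=line.split(":", 1)[1].strip())
        elif cur is None:
            continue
        elif (m := WARN_RE.search(line)):
            cur.cpu, cur.pid = int(m[1]), int(m[2])
            cur.location, cur.function = m[3], m[4].split("+")[0]
        elif (m := COMM_RE.search(line)):
            cur.comm, cur.kernel = m[1], m[2]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            if not m[1]:  # skip '?' frames: stale stack slots the unwinder could not verify
                cur.frames.append((m[2], m[3] or "kernel"))
        elif (m := END_RE.search(line)):
            cur.trace_id = m[1]
            found.append(cur)
            cur, in_trace = None, False
    return found

def first_module_frame(w):
    """Innermost exact frame that lives in a loadable module, or None."""
    return next(((s, m) for s, m in w.frames if m != "kernel"), None)

SAMPLE_LOG = """\
Jan 13 17:32:23 konstanz kernel: [2072916.589221] ------------[ cut here ]------------
Jan 13 17:32:23 konstanz kernel: [2072916.589228] refcount_t: increment on 0; use-after-free.
Jan 13 17:32:23 konstanz kernel: [2072916.589271] WARNING: CPU: 1 PID: 28813 at lib/refcount.c:156 refcount_inc_checked+0x26/0x30
Jan 13 17:32:23 konstanz kernel: [2072916.589496] CPU: 1 PID: 28813 Comm: tljob.exe Tainted: G            E     5.4.5-debian64.all+1.1 #1
Jan 13 17:32:23 konstanz kernel: [2072916.589537] Call Trace:
Jan 13 17:32:23 konstanz kernel: [2072916.589579]  keyring_search_rcu+0x87/0x90
Jan 13 17:32:23 konstanz kernel: [2072916.589622]  ? keyring_alloc+0x70/0x70
Jan 13 17:32:23 konstanz kernel: [2072916.589717]  nfs_idmap_get_key+0x118/0x1f0 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.589992] ---[ end trace 149edb431f1235b8 ]---
Jan 13 17:32:23 konstanz kernel: [2072916.590020] ------------[ cut here ]------------
Jan 13 17:32:23 konstanz kernel: [2072916.590021] refcount_t: underflow; use-after-free.
Jan 13 17:32:23 konstanz kernel: [2072916.590038] WARNING: CPU: 1 PID: 28813 at lib/refcount.c:190 refcount_sub_and_test_checked+0x55/0x60
Jan 13 17:32:23 konstanz kernel: [2072916.590069] CPU: 1 PID: 28813 Comm: tljob.exe Tainted: G        W   E     5.4.5-debian64.all+1.1 #1
Jan 13 17:32:23 konstanz kernel: [2072916.590093] Call Trace:
Jan 13 17:32:23 konstanz kernel: [2072916.590096]  key_put+0xf/0x30
Jan 13 17:32:23 konstanz kernel: [2072916.590113]  nfs_idmap_get_key+0x1ac/0x1f0 [nfsv4]
Jan 13 17:32:23 konstanz kernel: [2072916.590261] ---[ end trace 149edb431f1235b9 ]---
"""
```

Feeding it the full journal (journalctl -k output works, since the prefix regex only needs the bracketed timestamp) gives one record per refcount_t warning, and first_module_frame() points at the module nearest the fault, here nfsv4 in both blocks.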
