linux-kernel.vger.kernel.org archive mirror
From: Qian Cai <cai@lca.pw>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	linux-fsdevel@vger.kernel.org,
	LKML <linux-kernel@vger.kernel.org>
Subject: Null-ptr-deref due to "sanitized pathwalk machinery (v4)"
Date: Tue, 24 Mar 2020 17:06:03 -0400
Message-ID: <4CBDE0F3-FB73-43F3-8535-6C75BA004233@lca.pw>

Reverting the series on top of today's linux-next fixed the boot crashes.

# git revert 609c56723133..e0e25e9bbed5 --no-edit [1]

[   53.027443][ T3519] BUG: Kernel NULL pointer dereference on read at 0x00000000
[   53.027480][ T3519] Faulting instruction address: 0xc0000000004dbfa4
[   53.027498][ T3519] Oops: Kernel access of bad area, sig: 11 [#1]
[   53.027521][ T3519] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=256 DEBUG_PAGEALLOC NUMA PowerNV
[   53.027538][ T3519] Modules linked in: kvm_hv kvm ip_tables x_tables xfs sd_mod bnx2x ahci libahci mdio libata tg3 libphy firmware_class dm_mirror dm_region_hash dm_log dm_mod
[   53.027594][ T3519] CPU: 36 PID: 3519 Comm: polkitd Not tainted 5.6.0-rc7-next-20200324 #1
[   53.027618][ T3519] NIP:  c0000000004dbfa4 LR: c0000000004dc040 CTR: 0000000000000000
[   53.027634][ T3519] REGS: c0002013879af810 TRAP: 0300   Not tainted  (5.6.0-rc7-next-20200324)
[   53.027668][ T3519] MSR:  9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 24004422  XER: 20040000
[   53.027708][ T3519] CFAR: c0000000004dc044 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0 
[   53.027708][ T3519] GPR00: c0000000004dc040 c0002013879afaa0 c00000000165a500 0000000000000000 
[   53.027708][ T3519] GPR04: c000000001511408 0000000000000000 c0002013879af834 0000000000000002 
[   53.027708][ T3519] GPR08: 0000000000000001 0000000000000000 0000000000000000 0000000000000001 
[   53.027708][ T3519] GPR12: 0000000000004000 c000001ffffe1e00 0000000000000000 0000000000000000 
[   53.027708][ T3519] GPR16: 0000000000000000 0000000000000001 0000000000000000 0000000000000000 
[   53.027708][ T3519] GPR20: c000200ea1eacf38 c000201c8102f043 2f2f2f2f2f2f2f2f 0000000000000003 
[   53.027708][ T3519] GPR24: 0000000000000000 c0002013879afbc8 fffffffffffff000 0000000000200000 
[   53.027708][ T3519] GPR28: ffffffffffffffff 61c8864680b583eb 0000000000000000 0000000000002e2e 
[   53.027931][ T3519] NIP [c0000000004dbfa4] link_path_walk+0x284/0x4c0
__d_entry_type at include/linux/dcache.h:389
(inlined by) d_can_lookup at include/linux/dcache.h:404
(inlined by) link_path_walk at fs/namei.c:2178
[   53.027963][ T3519] LR [c0000000004dc040] link_path_walk+0x320/0x4c0
[   53.027993][ T3519] Call Trace:
[   53.028013][ T3519] [c0002013879afaa0] [c0000000004dc040] link_path_walk+0x320/0x4c0 (unreliable)
[   53.028050][ T3519] [c0002013879afb60] [c0000000004dc334] path_lookupat+0x94/0x1b0
[   53.028084][ T3519] [c0002013879afba0] [c0000000004ddf80] filename_lookup.part.55+0xa0/0x170
[   53.028101][ T3519] [c0002013879afce0] [c0000000004ca748] vfs_statx+0xa8/0x190
[   53.028117][ T3519] [c0002013879afd60] [c0000000004cacc0] __do_sys_newstat+0x40/0x90
[   53.028145][ T3519] [c0002013879afe20] [c00000000000b378] system_call+0x5c/0x68
[   53.028178][ T3519] Instruction dump:
[   53.028197][ T3519] 3bdeffff e9390058 38800000 7f23cb78 7fde07b4 1d5e0030 7d295214 eaa90020 
[   53.028245][ T3519] 4bfffac5 2fa30000 409e00ac e9390008 <81290000> 55290256 7f89d800 409e0160 
[   53.028284][ T3519] ---[ end trace 0effae07d5cccfa0 ]---

[  705.047353][ T4874] BUG: KASAN: invalid-access in link_path_walk+0x374/0x53c
__d_entry_type at include/linux/dcache.h:389
(inlined by) d_can_lookup at include/linux/dcache.h:404
(inlined by) link_path_walk at fs/namei.c:2178
[  705.054422][ T4874] Read of size 4 at addr 0000000000000000 by task plymouthd/4874
[  705.062003][ T4874] 
[  705.064213][ T4874] CPU: 16 PID: 4874 Comm: plymouthd Tainted: G             L    5.6.0-rc7-next-20200324 #1
[  705.074055][ T4874] Hardware name: HPE Apollo 70             /C01_APACHE_MB         , BIOS L50_5.13_1.11 06/18/2019
[  705.084502][ T4874] Call trace:
[  705.087663][ T4874]  dump_backtrace+0x0/0x224
[  705.092036][ T4874]  show_stack+0x20/0x2c
[  705.096063][ T4874]  dump_stack+0xfc/0x184
[  705.100178][ T4874]  __kasan_report+0x178/0x238
[  705.104725][ T4874]  kasan_report+0x3c/0x58
[  705.108925][ T4874]  check_memory_region+0x98/0xa0
[  705.113734][ T4874]  __hwasan_load4_noabort+0x18/0x20
[  705.118801][ T4874]  link_path_walk+0x374/0x53c
[  705.123350][ T4874]  path_lookupat+0x78/0x1d4
[  705.127723][ T4874]  filename_lookup+0x80/0x124
[  705.132270][ T4874]  user_path_at_empty+0x54/0x68
[  705.136990][ T4874]  vfs_statx+0xcc/0x1b8
[  705.141016][ T4874]  __arm64_sys_newfstatat+0x94/0x120
[  705.146169][ T4874]  do_el0_svc+0x128/0x1dc
[  705.150369][ T4874]  el0_sync_handler+0xd0/0x268
[  705.155003][ T4874]  el0_sync+0x164/0x180
[  705.159028][ T4874] ==================================================================
[  705.166957][ T4874] Disabling lock debugging due to kernel taint
[  705.173067][ T4874] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  705.182599][ T4874] Mem abort info:
[  705.186104][ T4874]   ESR = 0x96000005
[  705.189906][ T4874]   EC = 0x25: DABT (current EL), IL = 32 bits
[  705.195928][ T4874]   SET = 0, FnV = 0
[  705.199727][ T4874]   EA = 0, S1PTW = 0
[  705.203578][ T4874] Data abort info:
[  705.207168][ T4874]   ISV = 0, ISS = 0x00000005
[  705.211749][ T4874]   CM = 0, WnR = 0
[  705.215431][ T4874] user pgtable: 64k pages, 48-bit VAs, pgdp=0000009659f42000
[  705.222702][ T4874] [0000000000000000] pgd=0000000000000000, pud=0000000000000000
[  705.230250][ T4874] Internal error: Oops: 96000005 [#1] SMP
[  705.235824][ T4874] Modules linked in: thunderx2_pmu processor efivarfs ip_tables xfs libcrc32c sd_mod ahci libahci mlx5_core libata dm_mirror dm_region_hash dm_log dm_mod
[  705.251173][ T4874] CPU: 16 PID: 4874 Comm: plymouthd Tainted: G    B        L    5.6.0-rc7-next-20200324 #1
[  705.260999][ T4874] Hardware name: HPE Apollo 70             /C01_APACHE_MB         , BIOS L50_5.13_1.11 06/18/2019
[  705.271438][ T4874] pstate: 60400009 (nZCv daif +PAN -UAO BTYPE=--)
[  705.277708][ T4874] pc : link_path_walk+0x374/0x53c
[  705.282587][ T4874] lr : link_path_walk+0x374/0x53c
[  705.287463][ T4874] sp : b1ff00916cdefa90
[  705.291473][ T4874] x29: b1ff00916cdefb30 x28: 9cff00098d5eb703 
[  705.297485][ T4874] x27: 0000000000000000 x26: fefefefefefefeff 
[  705.303496][ T4874] x25: 0000000236266748 x24: 2f2f2f2f2f2f2f2f 
[  705.309507][ T4874] x23: b1ff00916cdefba0 x22: b1ff00916cdefbc8 
[  705.315518][ T4874] x21: b1ff00916cdefbe0 x20: b1ff00916cdefbd0 
[  705.321529][ T4874] x19: b1ff00916cdefb98 x18: 0000000000000000 
[  705.327540][ T4874] x17: 0000000000000000 x16: 0000000000000000 
[  705.333550][ T4874] x15: 0000000000000000 x14: 2020202020202020 
[  705.339561][ T4874] x13: 20424d5f45484341 x12: 50415f3130432f20 
[  705.345571][ T4874] x11: 0000000000000003 x10: ffff8008bb246a3e 
[  705.351582][ T4874] x9 : 68bdf6118cf10200 x8 : 0000000000000000 
[  705.357592][ T4874] x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000000 
[  705.363602][ T4874] x5 : 0000000000000080 x4 : 0000000000000000 
[  705.369612][ T4874] x3 : ffff900010a5a394 x2 : 0000000000000001 
[  705.375622][ T4874] x1 : 0000000000000004 x0 : 0000000000000000 
[  705.381631][ T4874] Call trace:
[  705.384777][ T4874]  link_path_walk+0x374/0x53c
[  705.389311][ T4874]  path_lookupat+0x78/0x1d4
[  705.393670][ T4874]  filename_lookup+0x80/0x124
[  705.398204][ T4874]  user_path_at_empty+0x54/0x68
[  705.402909][ T4874]  vfs_statx+0xcc/0x1b8
[  705.406921][ T4874]  __arm64_sys_newfstatat+0x94/0x120
[  705.412060][ T4874]  do_el0_svc+0x128/0x1dc
[  705.416247][ T4874]  el0_sync_handler+0xd0/0x268
[  705.420865][ T4874]  el0_sync+0x164/0x180
[  705.424883][ T4874] Code: 97fe39bd f94002fb aa1b03e0 97fe39aa (b9400368) 
[  705.432066][ T4874] ---[ end trace 71f0365c08ac491a ]---
[  705.437381][ T4874] Kernel panic - not syncing: Fatal exception
[  705.443608][ T4874] SMP: stopping secondary CPUs
[  705.448297][ T4874] Kernel Offset: disabled
[  705.452483][ T4874] CPU features: 0x006002,61000c38
[  705.457359][ T4874] Memory Limit: none
[  705.461411][ T4874] ---[ end Kernel panic - not syncing: Fatal exception ]---

[1]
e0e25e9bbed5 lookup_open(): don't bother with fallbacks to lookup+create
b686da54700f atomic_open(): no need to pass struct open_flags anymore
60e1d0b8512f open_last_lookups(): move complete_walk() into do_open()
4d7ed93ff9db open_last_lookups(): lift O_EXCL|O_CREAT handling into do_open()
57e9b028e9e7 open_last_lookups(): don't abuse complete_walk() when all we want is unlazy
c01d40b1c03c open_last_lookups(): consolidate fsnotify_create() calls
c8291f6b0037 take post-lookup part of do_last() out of loop
881386f7e46a link_path_walk(): sample parent's i_uid and i_mode for the last component
0e47dacb7f29 __nd_alloc_stack(): make it return bool
794dc2d56401 reserve_stack(): switch to __nd_alloc_stack()
59089811438c pick_link(): take reserving space on stack into a new helper
8c60edbc56a2 pick_link(): more straightforward handling of allocation failures
4efc770ddf45 fold path_to_nameidata() into its only remaining caller
dcc11116def1 pick_link(): pass it struct path already with normal refcounting rules
0058fcb4c3b5 fs/namei.c: kill follow_mount()
ffa2db4ac3e7 non-RCU analogue of the previous commit
8255cecd93ba helper for mount rootwards traversal
573f88cea0e2 follow_dotdot(): be lazy about changing nd->path
ea63a0dc31fd follow_dotdot_rcu(): be lazy about changing nd->path
5c19a79cd9d3 follow_dotdot{,_rcu}(): massage loops
5e3c3570ec97 lift all calls of step_into() out of follow_dotdot/follow_dotdot_rcu
6dfd9fe54dfd follow_dotdot{,_rcu}(): switch to use of step_into()
7521f22b3ce2 handle_dots(), follow_dotdot{,_rcu}(): preparation to switch to step_into()
957dd41d8842 move handle_dots(), follow_dotdot() and follow_dotdot_rcu() past step_into()
c9a0f75d81e3 follow_dotdot{,_rcu}(): lift LOOKUP_BENEATH checks out of loop
abc2c632e0ce follow_dotdot{,_rcu}(): lift switching nd->path to parent out of loop
a6a7eb7628cf expand path_parent_directory() in its callers
63b27720a476 path_parent_directory(): leave changing path->dentry to callers
6b03f7edf43e path_connected(): pass mount and dentry separately
c981a4828125 split the lookup-related parts of do_last() into a separate helper
973d4b73fbaf do_last(): rejoin the common path even earlier in FMODE_{OPENED,CREATED} case
8795e7d48288 do_last(): simplify the liveness analysis past finish_open_created
5a2d3edd8dad do_last(): rejoing the common path earlier in FMODE_{OPENED,CREATED} case
59e96e65833e do_last(): don't bother with keeping got_write in FMODE_OPENED case
3ad5615a071f do_last(): merge the may_open() calls
7be219b4dcd9 atomic_open(): lift the call of may_open() into do_last()
6fb968cdf9d0 atomic_open(): return the right dentry in FMODE_OPENED case
9deed3ebca24 new helper: traverse_mounts()
ea936aeb3ead massage __follow_mount_rcu() a bit
c108837e06b6 namei: have link_path_walk() maintain LOOKUP_PARENT
d8d4611a4f2d link_path_walk(): simplify stack handling
b1a819724074 pick_link(): check for WALK_TRAILING, not LOOKUP_PARENT
8c4efe22e7c4 namei: invert the meaning of WALK_FOLLOW
b4c0353693d2 sanitize handling of nd->last_type, kill LAST_BIND
ad6cc4c338f4 finally fold get_link() into pick_link()
06708adb99e8 merging pick_link() with get_link(), part 6
b0417d2c7298 merging pick_link() with get_link(), part 5
92d270165cff merging pick_link() with get_link(), part 4
40fcf5a931af merging pick_link() with get_link(), part 3
1ccac622f9da merging pick_link() with get_link(), part 2
43679723d27f merging pick_link() with get_link(), part 1
a9dc1494a782 expand the only remaining call of path_lookup_conditional()
161aff1d93ab LOOKUP_MOUNTPOINT: fold path_mountpointat() into path_lookupat()
cbae4d12eeee fold handle_mounts() into step_into()
aca2903eefd0 new step_into() flag: WALK_NOFOLLOW
56676ec39019 step_into() callers: dismiss the symlink earlier
20e343571cef lookup_fast(): take mount traversal into callers
c153007b7b7a teach handle_mounts() to handle RCU mode
b023e1728bec lookup_fast(): consolidate the RCU success case
db3c9ade50b1 handle_mounts(): pass dentry in, turn path into a pure out argument
e73cabff5917 do_last(): collapse the call of path_to_nameidata()
da5ebf5aa676 lookup_open(): saner calling conventions (return dentry on success)
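Both traces resolve to the same inlined check: link_path_walk() (fs/namei.c:2178) calling d_can_lookup() on nd->path.dentry, which reads dentry->d_flags via __d_entry_type() (dcache.h:389). d_flags is the first member of struct dentry and is 4 bytes wide, which is why the ppc64 oops faults on a read at DAR 0x0 and the arm64 HWASAN report says "Read of size 4 at addr 0000000000000000": the walker reached that check with a NULL dentry. The following user-space model is an added example and is not code from this report or from the kernel tree; struct dentry and struct nameidata are cut down to the members the check touches, lookup_child() is a hypothetical stand-in for the real lookup step, and only the DCACHE_*_TYPE values are taken from include/linux/dcache.h. It walks a constructed tree with and without a NULL guard so the crashing pattern and the hardened form sit side by side.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Entry-type bits of dentry->d_flags, values from include/linux/dcache.h.
 * Everything else in this file is a simplified model, not kernel code. */
#define DCACHE_ENTRY_TYPE      0x00700000u
#define DCACHE_DIRECTORY_TYPE  0x00200000u
#define DCACHE_REGULAR_TYPE    0x00400000u

/* Cut-down stand-in for struct dentry. As in the kernel, d_flags is the first
 * member, so reading it through a NULL dentry is a 4-byte load from address 0:
 * exactly what the two oopses above report. */
struct dentry {
    unsigned int d_flags;
    const char *d_name;
    struct dentry *d_child[4];
    int nr_children;
};

struct path { void *mnt; struct dentry *dentry; };
struct nameidata { struct path path; };

/* Same shape as the kernel inlines named in the traces: no NULL check. */
static inline unsigned int __d_entry_type(const struct dentry *dentry)
{
    return dentry->d_flags & DCACHE_ENTRY_TYPE;
}

static inline int d_can_lookup(const struct dentry *dentry)
{
    return __d_entry_type(dentry) == DCACHE_DIRECTORY_TYPE;
}

/* Hypothetical child lookup (assumed helper, not the kernel's). Returns NULL
 * for an unknown name; a walker that then calls d_can_lookup() on the result
 * without checking reproduces the NULL-dentry fault. */
static struct dentry *lookup_child(struct dentry *dir, const char *name, size_t len)
{
    for (int i = 0; i < dir->nr_children; i++) {
        struct dentry *c = dir->d_child[i];
        if (strlen(c->d_name) == len && memcmp(c->d_name, name, len) == 0)
            return c;
    }
    return NULL;
}

/* Walk one component at a time. With guard != 0 a NULL nd->path.dentry is
 * reported as -ENOENT; with guard == 0 d_can_lookup() runs on it unconditionally,
 * the pattern that crashed in link_path_walk(). Returns 0, -ENOENT or -ENOTDIR. */
static int walk_path(struct nameidata *nd, const char *path, int guard)
{
    while (*path == '/')
        path++;
    while (*path) {
        const char *slash = strchr(path, '/');
        size_t len = slash ? (size_t)(slash - path) : strlen(path);

        if (guard && !nd->path.dentry)
            return -ENOENT;
        if (!d_can_lookup(nd->path.dentry))  /* NULL deref here when !guard */
            return -ENOTDIR;
        nd->path.dentry = lookup_child(nd->path.dentry, path, len);
        path += len;
        while (*path == '/')
            path++;
    }
    return nd->path.dentry ? 0 : -ENOENT;
}

/* Constructed sample tree: /usr/bin (directories) and /etc/passwd (regular). */
static struct dentry tree[5];

static void add_child(struct dentry *dir, struct dentry *c, const char *name, unsigned int type)
{
    c->d_flags = type;
    c->d_name = name;
    dir->d_child[dir->nr_children++] = c;
}

static struct dentry *build_tree(void)
{
    memset(tree, 0, sizeof tree);
    tree[0].d_flags = DCACHE_DIRECTORY_TYPE;
    tree[0].d_name = "/";
    add_child(&tree[0], &tree[1], "usr", DCACHE_DIRECTORY_TYPE);
    add_child(&tree[1], &tree[2], "bin", DCACHE_DIRECTORY_TYPE);
    add_child(&tree[0], &tree[3], "etc", DCACHE_DIRECTORY_TYPE);
    add_child(&tree[3], &tree[4], "passwd", DCACHE_REGULAR_TYPE);
    return &tree[0];
}

int main(void)
{
    const char *paths[] = { "/usr/bin", "/etc/passwd", "/etc/passwd/x", "/nope/x" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        struct nameidata nd = { { NULL, build_tree() } };
        int err = walk_path(&nd, paths[i], 1);
        printf("%-14s -> %s\n", paths[i], err ? strerror(-err) : nd.path.dentry->d_name);
    }
    /* walk_path(&nd, "/nope/x", 0) would dereference NULL, as in the report. */
    return 0;
}
```

The guarded walker turns the missing-dentry case into -ENOENT, which is the behaviour a caller such as vfs_statx() expects; the unguarded variant is kept only to show that the crash is a missing invariant (nd->path.dentry non-NULL before the type check), not a fault in d_can_lookup() itself.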

Thread overview: 12+ messages
2020-03-24 21:06 Qian Cai [this message]
2020-03-24 21:46 ` Al Viro
2020-03-25  1:49   ` Qian Cai
2020-03-25  2:13     ` Al Viro
2020-03-25  3:24       ` Qian Cai
2020-03-25  4:03         ` Al Viro
2020-03-25  5:58           ` Al Viro
2020-03-25 14:02             ` Al Viro
2020-03-25 14:05               ` Al Viro
2020-03-25 19:43             ` Qian Cai
2020-03-25 21:07               ` Al Viro
2020-03-25 13:21           ` Qian Cai
