From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.7 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF296C4361B for ; Wed, 9 Dec 2020 21:55:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7B8D023C44 for ; Wed, 9 Dec 2020 21:55:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388375AbgLIVzX (ORCPT ); Wed, 9 Dec 2020 16:55:23 -0500 Received: from out02.mta.xmission.com ([166.70.13.232]:50118 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727030AbgLIVzX (ORCPT ); Wed, 9 Dec 2020 16:55:23 -0500 Received: from in01.mta.xmission.com ([166.70.13.51]) by out02.mta.xmission.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from ) id 1kn7Q1-001gO4-Ci; Wed, 09 Dec 2020 14:54:41 -0700 Received: from ip68-227-160-95.om.om.cox.net ([68.227.160.95] helo=x220.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from ) id 1kn7Q0-00025k-Im; Wed, 09 Dec 2020 14:54:41 -0700 From: ebiederm@xmission.com (Eric W. Biederman) To: Yahu Gao Cc: Alexey Dobriyan , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Al Viro References: <20201209112100.47653-1-yahu.gao@windriver.com> Date: Wed, 09 Dec 2020 15:54:02 -0600 In-Reply-To: <20201209112100.47653-1-yahu.gao@windriver.com> (Yahu Gao's message of "Wed, 9 Dec 2020 19:20:59 +0800") Message-ID: <87zh2mprwl.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1kn7Q0-00025k-Im;;;mid=<87zh2mprwl.fsf@x220.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=68.227.160.95;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1+8DidLiK3xuGsZRPuNCOhwUzv0QdyZRiI= X-SA-Exim-Connect-IP: 68.227.160.95 X-SA-Exim-Mail-From: ebiederm@xmission.com Subject: Re: Review request 0/1: fs/proc: Fix NULL pointer dereference in X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Yahu Gao writes: > There is a kernel NULL pointer dereference was found in Linux system. > The details of kernel NULL is shown at bellow. > > Currently, we do not have a way to provoke this fault on purpose, but > the reproduction rate in out CI loops is high enough that we could go > for a trace patch in black or white UP and get a reproduction in few > weeks. > > Our kernel version is 4.1.21, but via analyzing the source code of the > call trace. The upstream version should be affected. Really sorry for > havn't reproduced this in upstream version. But it's easier to be safe > than to prove it can't happen, right? Except I there are strong invariants that suggests that it takes a memory stomp to get a NULL pointer deference here. For the life of a proc inode PROC_I(inode)->pid should be non-NULL. For a non-NULL pid pointer ->tasks[PIDTYPE_PID].first simply reads an entry out of the struct pid. Only pid needs to be non-NULL. So I don't see how you are getting a NULL pointer derference. Have you decoded the oops, looked at the assembly and seen which field is NULL? I expec that will help you track down what is wrong. > Details of kernel crash: > ---------------------------------------------------------------------- > [1446.285834] Unable to handle kernel NULL pointer dereference at > virtual address 00000008 > [ 1446.293943] pgd = e4af0880 > [ 1446.296656] [00000008] *pgd=10cc3003, *pmd=04153003, *pte=00000000 > [ 1446.302898] Internal error: Oops: 207 1 PREEMPT SMP ARM > [ 1446.302950] Modules linked in: adkNetD ncp > lttng_ring_buffer_client_mmap_overwrite(C) > lttng_ring_buffer_client_mmap_discard(C) > lttng_ring_buffer_client_discard(C) > lttng_ring_buffer_metadata_mmap_client(C) lttng_probe_printk(C) > lttng_probe_irq(C) lttng_ring_buffer_metadata_client(C) > lttng_ring_buffer_client_overwrite(C) lttng_probe_signal(C) > lttng_probe_sched(C) lttng_tracer(C) lttng_statedump(C) > lttng_lib_ring_buffer(C) lttng_clock_plugin_arm_cntpct(C) lttng_clock(C) > [ 1446.302963] CPU: 0 PID: 12086 Comm: netstat Tainted: G C > 4.1.21-rt13-* #1 > [ 1446.302967] Hardware name: Ericsson CPM1 > [ 1446.302972] task: cbd75480 ti: c4a68000 task.ti: c4a68000 > [ 1446.302984] PC is at pid_delete_dentry+0x8/0x18 > [ 1446.302992] LR is at dput+0x1a8/0x2b4 > [ 1446.303003] pc : [] lr : [] psr: 20070013 > [ 1446.303003] sp : c4a69e88 ip : 00000000 fp : 00000000 > [ 1446.303007] r10: 000218cc r9 : cd228000 r8 : e5f44320 > [ 1446.303011] r7 : 00000001 r6 : 00080040 r5 : c4aa97d0 r4 : c4aa9780 > [ 1446.303015] r3 : 00000000 r2 : cbd75480 r1 : 00000000 r0 : c4aa9780 > [ 1446.303020] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment > user > [ 1446.303026] Control: 30c5387d Table: 24af0880 DAC: 000000fd > [ 1446.303033] Process netstat (pid: 12086, stack limit = 0xc4a68218) > [ 1446.303039] Stack: (0xc4a69e88 to 0xc4a6a000) > [ 1446.303052] 9e80: c4a69f70 0000a1c0 c4a69f13 00000002 e5f44320 > cd228000 > [ 1446.303059] 9ea0: 000218cc c0571604 c0a60bcc 00000000 00000000 > 00000000 c4a69f20 c4a69f15 > [ 1446.303065] 9ec0: 00003133 00000002 c4a69f13 00000000 0000001f > c4a69f70 c35de800 0000007c > [ 1446.303072] 9ee0: ce2b1c00 cd228000 00000001 c05747b8 c05745cc > c35de800 0000001f 00000000 > [ 1446.303078] 9f00: 00000004 cd228008 00020000 c05745cc 33000004 > c0400031 c4a68000 00000400 > [ 1446.303086] 9f20: beb78c2c cd228000 c4a69f70 00000000 cd228008 > c0ffca90 c4a68000 00000400 > [ 1446.303103] 9f40: beb78c2c c052cd0c bf08a774 00000400 01480080 > 00008000 cd228000 cd228000 > [ 1446.303114] 9f60: c040f7c8 c4a68000 00000400 c052d22c c052cd8c > 00000000 00000021 00000000 > [ 1446.303127] 9f80: 01480290 01480280 00007df0 ffffffea 01480060 > 01480060 01480064 b6e424c0 > [ 1446.303143] 9fa0: 0000008d c040f794 01480060 01480064 00000004 > 01480080 00008000 00000000 > [ 1446.303150] 9fc0: 01480060 01480064 b6e424c0 0000008d 01480080 > 01480060 00035440 beb78c2c > [ 1446.303156] 9fe0: 01480080 beb78160 b6ede59c b6edea3c 60070010 > 00000004 00000000 00000000 > [ 1446.303167] [] (pid_delete_dentry) from [] (dput+0x1a8/0x2b4) > [ 1446.303176] [] (dput) from [] (proc_fill_cache+0x54/0x10c) > [ 1446.303189] [] (proc_fill_cache) from [] > (proc_readfd_common+0xd8/0x238) > [ 1446.303203] [] (proc_readfd_common) from [] (iterate_dir+0x98/0x118) > [ 1446.303217] [] (iterate_dir) from [] (SyS_getdents+0x7c/0xf0) > [ 1446.303233] [] (SyS_getdents) from [] (__sys_trace_return+0x0/0x2c) > [ 1446.303243] Code: e8bd0030 e12fff1e e5903028 e5133020 (e5930008) Eric