Hi,

On Thu, Dec 10, 2020 at 05:04:22PM +0100, Klaus Singvogel wrote:
> Package: src:linux
> Version: 4.19.160-2
> Severity: important
> 
> Dear Maintainer,
> 
> *** Reporter, please consider answering these questions, where appropriate ***
> 
>    * What led up to the situation?
> 
>      sudo mount -rbind /sys /${CHROOT}/sys
> 
>    * What exactly did you do (or not do) that was effective (or ineffective)?
> 
>      sudo umount /${CHROOT}/sys/firmware/efi/efivar
> 
>    * What was the outcome of this action?
> 
>      Segmentation fault and Kernel oops
> 
>    * What outcome did you expect instead?
> 
>      No segmentation fault, no Kernel oops
> 
> Note:
> This bug can be reproduced on further machines with this kernel version.
> 
> Here is the output of the oops:
> 
> [133082.213609] ------------[ cut here ]------------
> [133082.213610] kernel BUG at mm/slub.c:3950!
> [133082.213615] invalid opcode: 0000 [#1] SMP PTI
> [133082.213617] CPU: 5 PID: 11559 Comm: umount Tainted: G     U            4.19.0-13-amd64 #1 Debian 4.19.160-2
> [133082.213618] Hardware name: Micro-Star International Co., Ltd. MS-7B45/Z370 GAMING PRO CARBON (MS-7B45), BIOS A.B0 06/05/2020
> [133082.213621] RIP: 0010:kfree+0x168/0x180
> [133082.213622] Code: 5d 41 5c e9 fa 11 f9 ff 48 89 d9 48 89 da 41 b8 01 00 00 00 5b 4c 89 d6 5d 41 5c e9 02 f6 ff ff 0f 0b 49 8b 42 08 a8 01 75 c3 <0f> 0b 48 8b 3d ff 48 dd 00 e9 c7 fe ff ff 66 2e 0f 1f 84 00 00 00
> [133082.213623] RSP: 0018:ffffb71549543e58 EFLAGS: 00010246
> [133082.213624] RAX: 0000000000000000 RBX: ffff941ddae5c000 RCX: ffffffffa4ada018
> [133082.213625] RDX: 0000000000000000 RSI: 0000000000000296 RDI: 00006be600000000
> [133082.213626] RBP: ffffffffc08c1040 R08: ffffe66b51437208 R09: 0000000000000001
> [133082.213626] R10: ffffe66b516b9700 R11: ffffe66b51707008 R12: ffffffffc08bf742
> [133082.213627] R13: 0000000000000000 R14: 0000000000000000 R15: ffff941ddae5c000
> [133082.213628] FS:  00007f6337c2c080(0000) GS:ffff941ddeb40000(0000) knlGS:0000000000000000
> [133082.213629] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [133082.213630] CR2: 00007ffd34ee8cf8 CR3: 000000042a628006 CR4: 00000000003606e0
> [133082.213631] Call Trace:
> [133082.213635]  ? efivarfs_kill_sb+0x30/0x30 [efivarfs]
> [133082.213637]  efivarfs_destroy+0x22/0x30 [efivarfs]
> [133082.213639]  __efivar_entry_iter+0xd8/0x110
> [133082.213642]  deactivate_locked_super+0x2f/0x70
> [133082.213644]  cleanup_mnt+0x3f/0x70
> [133082.213646]  task_work_run+0x8a/0xb0
> [133082.213648]  exit_to_usermode_loop+0xeb/0xf0
> [133082.213650]  do_syscall_64+0x10d/0x110
> [133082.213652]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [133082.213653] RIP: 0033:0x7f6338052507
> [133082.213655] Code: 19 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 59 19 0c 00 f7 d8 64 89 01 48
> [133082.213655] RSP: 002b:00007ffd34eea528 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> [133082.213657] RAX: 0000000000000000 RBX: 0000563e3ae26ac0 RCX: 00007f6338052507
> [133082.213657] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000563e3ae26cd0
> [133082.213658] RBP: 0000000000000000 R08: 0000563e3ae27b40 R09: 00007f63380d3e80
> [133082.213659] R10: 0000000000000000 R11: 0000000000000246 R12: 0000563e3ae26cd0
> [133082.213659] R13: 00007f63381781c4 R14: 0000563e3ae26bb8 R15: 0000000000000000
> [133082.213661] Modules linked in: tcp_diag udp_diag raw_diag inet_diag unix_diag fuse rfkill uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common snd_usb_audio nls_ascii videodev nls_cp437 snd_usbmidi_lib vfat snd_rawmidi intel_rapl media snd_seq_device fat snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_codec_realtek kvm_intel snd_hda_codec_generic kvm irqbypass crct10dif_pclmul crc32_pclmul snd_hda_intel snd_hda_codec ghash_clmulni_intel intel_cstate efi_pstore snd_hda_core joydev sg intel_uncore snd_hwdep intel_rapl_perf snd_pcm iTCO_wdt snd_timer iTCO_vendor_support efivars snd pcspkr soundcore mei_me pcc_cpufreq mei acpi_pad acpi_tad evdev i2c_dev parport_pc sunrpc ppdev lp parport efivarfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 fscrypto
> [133082.213677]  ecb btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid sr_mod cdrom sd_mod uas usb_storage crc32c_intel i915 ahci libahci i2c_algo_bit libata drm_kms_helper mxm_wmi scsi_mod xhci_pci xhci_hcd aesni_intel drm e1000e usbcore aes_x86_64 crypto_simd cryptd glue_helper i2c_i801 usb_common thermal fan wmi video button
> [133082.213691] ---[ end trace fdc6cf3f029628a7 ]---
> [133082.303757] RIP: 0010:kfree+0x168/0x180
> [133082.303775] Code: 5d 41 5c e9 fa 11 f9 ff 48 89 d9 48 89 da 41 b8 01 00 00 00 5b 4c 89 d6 5d 41 5c e9 02 f6 ff ff 0f 0b 49 8b 42 08 a8 01 75 c3 <0f> 0b 48 8b 3d ff 48 dd 00 e9 c7 fe ff ff 66 2e 0f 1f 84 00 00 00
> [133082.303776] RSP: 0018:ffffb71549543e58 EFLAGS: 00010246
> [133082.303776] RAX: 0000000000000000 RBX: ffff941ddae5c000 RCX: ffffffffa4ada018
> [133082.303777] RDX: 0000000000000000 RSI: 0000000000000296 RDI: 00006be600000000
> [133082.303778] RBP: ffffffffc08c1040 R08: ffffe66b51437208 R09: 0000000000000001
> [133082.303778] R10: ffffe66b516b9700 R11: ffffe66b51707008 R12: ffffffffc08bf742
> [133082.303779] R13: 0000000000000000 R14: 0000000000000000 R15: ffff941ddae5c000
> [133082.303780] FS:  00007f6337c2c080(0000) GS:ffff941ddeb40000(0000) knlGS:0000000000000000
> [133082.303781] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [133082.303781] CR2: 00007ffd34ee8cf8 CR3: 000000042a628006 CR4: 00000000003606e0

This should be
https://lore.kernel.org/lkml/5f31cde519b941308412b3849197e...@acums.aculab.com/
and the commit was reverted in 4.19.161.

Can you check if applying the revert commit fixes the issue?

Regards,
Salvatore
From db9e8d33b066d7022a4ed1c8fa16b6496cd651c3 Mon Sep 17 00:00:00 2001
From: Ard Biesheuvel <a...@kernel.org>
Date: Wed, 25 Nov 2020 08:45:55 +0100
Subject: [PATCH] efivarfs: revert "fix memory leak in efivarfs_create()"

[ Upstream commit ff04f3b6f2e27f8ae28a498416af2a8dd5072b43 ]

The memory leak addressed by commit fe5186cf12e3 is a false positive:
all allocations are recorded in a linked list, and freed when the
filesystem is unmounted. This leads to double frees, and as reported
by David, leads to crashes if SLUB is configured to self destruct when
double frees occur.

So drop the redundant kfree() again, and instead, mark the offending
pointer variable so the allocation is ignored by kmemleak.

Cc: Vamshi K Sthambamkadi <vamshi.k.sthambamk...@gmail.com>
Fixes: fe5186cf12e3 ("efivarfs: fix memory leak in efivarfs_create()")
Reported-by: David Laight <david.lai...@aculab.com>
Signed-off-by: Ard Biesheuvel <a...@kernel.org>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
 fs/efivarfs/inode.c | 2 ++
 fs/efivarfs/super.c | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c
index 8c6ab6c95727..7f40343b39b0 100644
--- a/fs/efivarfs/inode.c
+++ b/fs/efivarfs/inode.c
@@ -10,6 +10,7 @@
 #include <linux/efi.h>
 #include <linux/fs.h>
 #include <linux/ctype.h>
+#include <linux/kmemleak.h>
 #include <linux/slab.h>
 #include <linux/uuid.h>
 
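Review bot: the new `#include <linux/kmemleak.h>` needs no `#ifdef CONFIG_DEBUG_KMEMLEAK` guard around it or around the `kmemleak_ignore()` call it is added for: that header provides inline no-op stubs when kmemleak is not configured, so the call compiles on every build. It also keeps the existing alphabetical include order (ctype, kmemleak, slab), so nothing further is needed in this hunk.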
@@ -106,6 +107,7 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry,
 	var->var.VariableName[i] = '\0';
 
 	inode->i_private = var;
+	kmemleak_ignore(var);
 
 	err = efivar_entry_add(var, &efivarfs_list);
 	if (err)
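Review bot: the added `kmemleak_ignore(var);` deserves a one-line comment saying why the allocation is deliberately hidden from kmemleak, namely that ownership passes to `efivarfs_list` in the `efivar_entry_add()` call right below and the object is released on unmount. The commit message explains this, but the code does not, and the previous "fix" (fe5186cf12e3) is exactly what happens when a reader sees an apparently leaked pointer without that context. A second thing worth confirming: the mark is applied before `efivar_entry_add()` can fail, so the `if (err)` path that follows must remain the only place that frees `var` on that failure, otherwise the same object is freed twice on the error path as well.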
diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
index 7808a26bd33f..834615f13f3e 100644
--- a/fs/efivarfs/super.c
+++ b/fs/efivarfs/super.c
@@ -23,7 +23,6 @@ LIST_HEAD(efivarfs_list);
 static void efivarfs_evict_inode(struct inode *inode)
 {
 	clear_inode(inode);
-	kfree(inode->i_private);
 }
 
 static const struct super_operations efivarfs_ops = {
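Review bot: dropping `kfree(inode->i_private);` is the actual fix and restores a single owner for the `efivar_entry`: it is recorded in `efivarfs_list` at create time and freed once by the unmount path, which is the `efivarfs_destroy` -> `kfree` sequence in the reporter's call trace; this line was the first free, and the list teardown then tripped the SLUB double-free check. After the change `efivarfs_evict_inode()` is reduced to `clear_inode()`, which is what the VFS already does when a filesystem sets no `.evict_inode` operation, so the stub and its entry in `efivarfs_ops` could be removed in a follow-up; for a stable backport the minimal revert as written is the right scope.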
-- 
2.29.2
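The commit message above describes an ownership bug rather than a missing free: every `efivar_entry` is recorded in a list and released when the filesystem is unmounted, so an extra `kfree()` at inode eviction turns into a double free, and a SLUB build with freelist hardening stops the machine on it. The following is an added, user-space model of that situation and is not code from the bug report, from Debian or from the kernel patch. The struct and function names (`struct entry`, `slab_free`, `create_entry`, `destroy_list`, `run_unmount`) are hypothetical stand-ins chosen for this illustration; the allocator is a toy that copies only the one SLUB property that matters here, the check that an object being freed must not already be the freelist head.

```c
#include <string.h>

#define POOL_OBJECTS 8

/* Hypothetical stand-in for struct efivar_entry; the freelist link gets its own word. */
struct entry {
    struct entry *free_next;   /* allocator link, meaningful only while free */
    struct entry *list_next;   /* owner-list link (stands in for efivarfs_list) */
};

/* Toy freelist allocator standing in for a SLUB cache. */
struct slab {
    struct entry pool[POOL_OBJECTS];
    struct entry *freelist;
    int double_free_detected;
};

static void slab_init(struct slab *s)
{
    memset(s, 0, sizeof(*s));
    for (int i = 0; i < POOL_OBJECTS; i++) {
        s->pool[i].free_next = s->freelist;
        s->freelist = &s->pool[i];
    }
}

static struct entry *slab_alloc(struct slab *s)
{
    struct entry *e = s->freelist;
    if (e) {
        s->freelist = e->free_next;
        memset(e, 0, sizeof(*e));           /* kzalloc semantics */
    }
    return e;
}

/* Hardened-freelist style check: freeing the object that already heads the freelist
 * can only be a double free.  The kernel BUG()s here; the model records the event
 * and treats any later free as unreachable code. */
static void slab_free(struct slab *s, struct entry *e)
{
    if (s->double_free_detected)
        return;
    if (e == s->freelist) {
        s->double_free_detected = 1;
        return;
    }
    e->free_next = s->freelist;
    s->freelist = e;
}

static int slab_count_free(const struct slab *s)
{
    int n = 0;
    for (const struct entry *e = s->freelist; e; e = e->free_next)
        n++;
    return n;
}

/* efivarfs_create() analogue: allocate, then record the object in the owning list. */
static struct entry *create_entry(struct slab *s, struct entry **list)
{
    struct entry *e = slab_alloc(s);
    if (e) {
        e->list_next = *list;
        *list = e;
    }
    return e;
}

/* Unmount-time teardown (efivarfs_destroy() analogue): the one legitimate free. */
static void destroy_list(struct slab *s, struct entry **list)
{
    for (struct entry *e = *list, *next; e; e = next) {
        next = e->list_next;
        slab_free(s, e);
    }
    *list = NULL;
}

/* create -> per-inode eviction -> unmount.  evict_frees selects the buggy
 * evict_inode() that kfree()s the list-owned object on its own.
 * Returns 1 if the allocator caught a double free, 0 if teardown freed every
 * object exactly once, -1 if objects were leaked. */
int run_unmount(int evict_frees)
{
    struct slab s;
    struct entry *list = NULL, *created[3];

    slab_init(&s);
    for (int i = 0; i < 3; i++)
        created[i] = create_entry(&s, &list);
    if (evict_frees)
        for (int i = 0; i < 3; i++)
            slab_free(&s, created[i]);      /* first free; object is still listed */
    destroy_list(&s, &list);                /* second free when evict_frees */

    if (s.double_free_detected)
        return 1;
    return slab_count_free(&s) == POOL_OBJECTS ? 0 : -1;
}
```

`run_unmount(1)` models the 4.19.160 behaviour (eviction frees, then unmount frees again) and returns 1 because the last evicted object is the freelist head when the list teardown reaches it; `run_unmount(0)` models the reverted code and returns 0, showing that the single unmount-time free both avoids the crash and leaves nothing allocated, which is why the original "leak" was a false positive. The toy check, like the real hardened check, only notices a double free of the object currently at the head of the freelist, so a different free ordering could have slipped past it; that is why kmemleak annotations and clear ownership comments matter more than relying on the allocator to catch the mistake.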
