Re: Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"

2020-07-13 Thread Stephen Rothwell
Hi all,

On Thu, 25 Jun 2020 11:25:17 +1000 Stephen Rothwell  
wrote:
>
> On Wed, 24 Jun 2020 11:57:07 -0400 Qian Cai  wrote:
> >
> > On Wed, May 13, 2020 at 12:29:52AM +0100, David Howells wrote:  
> > > Qian Cai  wrote:
> > > 
> > > > Reverted the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU 
> > > > safe per-ns mount list”) fixed the null-ptr-deref.
> > > 
> > > Okay, I'm dropping this commit for now.
> > 
> > What's the point of re-adding this buggy patch to linux-next again since
> > 0621 without fixing the previous reported issue at all? Reverting the
> > commit will still fix the crash below immediately, i.e.,
> > 
> > dbc87e74d022 ("vfs, fsinfo: Add an RCU safe per-ns mount list")  
> 
> I have added a revert of that commit to linux-next today.

I am still reverting that commit ...

-- 
Cheers,
Stephen Rothwell




Re: Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"

2020-06-24 Thread Stephen Rothwell
Hi all,

On Wed, 24 Jun 2020 11:57:07 -0400 Qian Cai  wrote:
>
> On Wed, May 13, 2020 at 12:29:52AM +0100, David Howells wrote:
> > Qian Cai  wrote:
> >   
> > > Reverted the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU 
> > > safe per-ns mount list”) fixed the null-ptr-deref.  
> > 
> > Okay, I'm dropping this commit for now.  
> 
> What's the point of re-adding this buggy patch to linux-next again since
> 0621 without fixing the previous reported issue at all? Reverting the
> commit will still fix the crash below immediately, i.e.,
> 
> dbc87e74d022 ("vfs, fsinfo: Add an RCU safe per-ns mount list")

I have added a revert of that commit to linux-next today.

-- 
Cheers,
Stephen Rothwell




Re: Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"

2020-06-24 Thread Qian Cai
On Wed, May 13, 2020 at 12:29:52AM +0100, David Howells wrote:
> Qian Cai  wrote:
> 
> > Reverted the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU safe 
> > per-ns mount list”) fixed the null-ptr-deref.
> 
> Okay, I'm dropping this commit for now.

What's the point of re-adding this buggy patch to linux-next again since
0621 without fixing the previous reported issue at all? Reverting the
commit will still fix the crash below immediately, i.e.,

dbc87e74d022 ("vfs, fsinfo: Add an RCU safe per-ns mount list")

# runc run root

[ 9067.486969][T72863] general protection fault, probably for non-canonical address 0xdc00:  [#1] SMP KASAN PTI
[ 9067.543973][T72863] KASAN: null-ptr-deref in range [0x-0x0007]
[ 9067.586640][T72863] CPU: 24 PID: 72863 Comm: runc:[2:INIT] Not tainted 5.8.0-rc2-next-20200624+ #4
[ 9067.629285][T72863] Hardware name: HP ProLiant BL660c Gen9, BIOS I38 10/17/2018
[ 9067.663809][T72863] RIP: 0010:umount_tree+0x4ec/0xcf0
[ 9067.688505][T72863] Code: 0f 85 61 04 00 00 49 83 c7 08 48 8b 43 b8 4c 89 fa 48 c1 ea 03 80 3c 2a 00 0f 85 33 04 00 00 4c 8b 7b c0 4c 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 09 04 00 00 49 89 07 48 85 c0 74 19 48 8d 78 08
[ 9067.782308][T72863] RSP: 0018:c900259efcb0 EFLAGS: 00010246
[ 9067.810141][T72863] RAX:  RBX: 8884b0cb8cd8 RCX: 192004b3dfa0
[ 9067.848310][T72863] RDX:  RSI: 8884b0cb8cd8 RDI: c900259efd08
[ 9067.886236][T72863] RBP: dc00 R08: fbfff2bac7a6 R09: fbfff2bac7a6
[ 9067.922883][T72863] R10: 95d63d2f R11: fbfff2bac7a5 R12: 8884b0cb8c40
[ 9067.960156][T72863] R13: c900259efd00 R14: 0001 R15: 
[ 9067.997069][T72863] FS:  7fc286f88b80() GS:1ed8() knlGS:
[ 9068.040907][T72863] CS:  0010 DS:  ES:  CR0: 80050033
[ 9068.074258][T72863] CR2: 7fc284141e00 CR3: 000fbc33a002 CR4: 001706e0
[ 9068.111890][T72863] Call Trace:
[ 9068.126482][T72863]  ? rcu_read_unlock+0x50/0x50
[ 9068.148298][T72863]  ? unhash_mnt+0x450/0x450
[ 9068.169156][T72863]  ? rwlock_bug.part.1+0x90/0x90
[ 9068.191014][T72863]  do_mount+0x1132/0x1620
[ 9068.211042][T72863]  ? rcu_read_lock_bh_held+0xc0/0xc0
[ 9068.235399][T72863]  ? copy_mount_string+0x20/0x20
[ 9068.258407][T72863]  ? memdup_user+0x4f/0x80
[ 9068.278493][T72863]  __x64_sys_mount+0x15d/0x1b0
[ 9068.299948][T72863]  do_syscall_64+0x5f/0x310
[ 9068.320837][T72863]  ? trace_hardirqs_off+0x12/0x1a0
[ 9068.343781][T72863]  ? asm_exc_page_fault+0x8/0x30
[ 9068.367139][T72863]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 9068.394316][T72863] RIP: 0033:0x55d71f93e7ca
[ 9068.414833][T72863] Code: Bad RIP value.
[ 9068.433443][T72863] RSP: 002b:00c00021af30 EFLAGS: 0206 ORIG_RAX: 00a5
[ 9068.473044][T72863] RAX: ffda RBX: 00c28000 RCX: 55d71f93e7ca
[ 9068.510343][T72863] RDX: 00c00010546a RSI: 00c000105470 RDI: 00c000105460
[ 9068.547999][T72863] RBP: 00c00021afc8 R08:  R09: 
[ 9068.587756][T72863] R10: 1000 R11: 0206 R12: 0148
[ 9068.624851][T72863] R13: 0147 R14: 0200 R15: 0100
[ 9068.662061][T72863] Modules linked in: loop vfio_pci vfio_virqfd 
vfio_iommu_type1 vfio kvm_intel kvm irqbypass efivars nls_ascii nls_cp437 vfat 
fat ip_tables x_tables sd_mod bnx2x hpsa mdio scsi_transport_sas firmware_class 
dm_mirror dm_region_hash dm_log dm_mod efivarfs
[ 9068.777205][T72863] ---[ end trace 9c03562d398fb10f ]---
[ 9068.802729][T72863] RIP: 0010:umount_tree+0x4ec/0xcf0
[ 9068.826630][T72863] Code: 0f 85 61 04 00 00 49 83 c7 08 48 8b 43 b8 4c 89 fa 48 c1 ea 03 80 3c 2a 00 0f 85 33 04 00 00 4c 8b 7b c0 4c 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 09 04 00 00 49 89 07 48 85 c0 74 19 48 8d 78 08
[ 9068.918966][T72863] RSP: 0018:c900259efcb0 EFLAGS: 00010246
[ 9068.947083][T72863] RAX:  RBX: 8884b0cb8cd8 RCX: 192004b3dfa0
[ 9068.985097][T72863] RDX:  RSI: 8884b0cb8cd8 RDI: c900259efd08
[ 9069.022555][T72863] RBP: dc00 R08: fbfff2bac7a6 R09: fbfff2bac7a6
[ 9069.061621][T72863] R10: 95d63d2f R11: fbfff2bac7a5 R12: 8884b0cb8c40
[ 9069.101629][T72863] R13: c900259efd00 R14: 0001 R15: 
[ 9069.138367][T72863] FS:  7fc286f88b80() GS:1ed8() knlGS:
[ 9069.180543][T72863] CS:  0010 DS:  ES:  CR0: 80050033
[ 9069.209807][T72863] CR2: 7fc284141e00 CR3: 000fbc33a002 CR4: 001706e0
[ 9069.245727][T72863] Kernel panic - not syncing: Fatal exception
[ 9069.273756][T72863] Kernel Offset: 0x11c0 from 0x8100 (relocation range: 0x8000-0xbfff)
[ 9069.327388][T72863] ---[ end Kernel panic - not syncing: Fatal

Re: Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"

2020-05-12 Thread David Howells
Qian Cai  wrote:

> Reverted the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU safe 
> per-ns mount list”) fixed the null-ptr-deref.

Okay, I'm dropping this commit for now.

David



Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"

2020-05-12 Thread Qian Cai
Reverted the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU safe 
per-ns mount list”) fixed the null-ptr-deref.

# runc run root

[ 1531.635242][ T] BUG: Kernel NULL pointer dereference on write at 0x
[ 1531.635285][ T] Faulting instruction address: 0xc05689e0
[ 1531.635299][ T] Oops: Kernel access of bad area, sig: 11 [#1]
[ 1531.635310][ T] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=256 DEBUG_PAGEALLOC NUMA PowerNV
[ 1531.635331][ T] Modules linked in: kvm_hv kvm ip_tables x_tables xfs sd_mod bnx2x tg3 ahci libahci mdio libphy libata firmware_class dm_mirror dm_region_hash dm_log dm_mod
[ 1531.635370][ T] CPU: 16 PID:  Comm: runc:[2:INIT] Not tainted 5.7.0-rc5-next-20200512+ #9
[ 1531.635383][ T] NIP:  c05689e0 LR: c05689b0 CTR: 
[ 1531.635413][ T] REGS: c01323aef980 TRAP: 0300   Not tainted  (5.7.0-rc5-next-20200512+)
[ 1531.635434][ T] MSR:  90009033   CR: 24424282  XER: 
[ 1531.635468][ T] CFAR: c06f9eec DAR:  DSISR: 4200 IRQMASK: 0 
[ 1531.635468][ T] GPR00: c057 c01323aefc10 c168aa00 0001 
[ 1531.635468][ T] GPR04: c015934e9e98 c015934e9e98 283df117 fffe4386c189 
[ 1531.635468][ T] GPR08: c01323aefc38   0002 
[ 1531.635468][ T] GPR12: 24402282 c01f1800 00c000229990 000a 
[ 1531.635468][ T] GPR16:   007a 00012479c68c 
[ 1531.635468][ T] GPR20:  00c00180   
[ 1531.635468][ T] GPR24:  c516b870 c516b858 5deadbeef122 
[ 1531.635468][ T] GPR28: c01323aefc38 c015934e9e00 c015934e9ea8 c015934e9e98 
[ 1531.635652][ T] NIP [c05689e0] umount_tree+0x250/0x470
__write_once_size at include/linux/compiler.h:250
(inlined by) __hlist_del at include/linux/list.h:811
(inlined by) hlist_del_rcu at include/linux/rculist.h:487
(inlined by) umount_tree at fs/namespace.c:1485
[ 1531.635672][ T] LR [c05689b0] umount_tree+0x220/0x470
[ 1531.635682][ T] Call Trace:
[ 1531.635709][ T] [c01323aefca0] [c057] do_mount+0xb70/0xc90
[ 1531.635738][ T] [c01323aefd70] [c05706f8] sys_mount+0x158/0x180
[ 1531.635760][ T] [c01323aefdc0] [c0038ac4] system_call_exception+0x114/0x1e0
[ 1531.635799][ T] [c01323aefe20] [c000c8f0] system_call_common+0xf0/0x278
[ 1531.635828][ T] Instruction dump:
[ 1531.635836][ T] 6000 2fa3 419e0014 e93f0008 e95f f92a0008 f949 e93fffb8 
[ 1531.635860][ T] e95fffc0 fbff fbff0008 2fa9  419e0008 f9490008 e93f0058 
[ 1531.635885][ T] ---[ end trace f12075f6fac94362 ]---
[ 1531.748352][ T] 
[ 1532.748433][ T] Kernel panic - not syncing: Fatal exception
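The decoded frames in the report above (hlist_del_rcu inlined into umount_tree, faulting on a write to address 0) are the signature of __hlist_del() running on an hlist_node whose pprev is NULL, which is how a node that was never added to a list, or was already removed with hlist_del_init(), looks. The thread does not establish that this is the root cause of the reverted commit's bug. The following is an added example, not code from the thread, from the reverted commit, or from the kernel tree: it re-creates the semantics of the kernel's hlist primitives from include/linux/list.h in userspace, shows where that first store goes for an unhashed node, and shows how a hashed-state check turns the crash into a refused operation. The mnt_rec structure and the safe_unhash() helper are hypothetical stand-ins for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace re-creation of the kernel's hlist primitives (semantics of
 * include/linux/list.h). Names are prefixed so they do not clash with
 * anything; the logic is the same. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

static void hlist_node_init(struct hlist_node *n)
{
    n->next = NULL;
    n->pprev = NULL;
}

/* Same test the kernel's hlist_unhashed() makes: a node that is not on any
 * list has pprev == NULL. */
static int hlist_is_unhashed(const struct hlist_node *n)
{
    return n->pprev == NULL;
}

static void hlist_push_head(struct hlist_node *n, struct hlist_head *h)
{
    struct hlist_node *first = h->first;
    n->next = first;
    if (first)
        first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* Mirror of the kernel's __hlist_del(): the first store is "*pprev = next".
 * When pprev == NULL that store lands on address 0, i.e. a kernel write to
 * NULL, which is the fault type the PowerPC oops above reports. */
static void hlist_del_raw(struct hlist_node *n)
{
    struct hlist_node *next = n->next;
    struct hlist_node **pprev = n->pprev;
    *pprev = next;                       /* faulting store when pprev == NULL */
    if (next)
        next->pprev = pprev;
}

/* Address hlist_del_raw() would store to, without performing the store, so
 * the hazard can be observed instead of crashed on. */
static uintptr_t hlist_del_target(const struct hlist_node *n)
{
    return (uintptr_t)n->pprev;
}

/* Hypothetical per-namespace mount record (assumption for illustration). */
struct mnt_rec {
    int id;
    struct hlist_node ns_node;           /* membership in a namespace's list */
};

/* Defensive unhash: refuse a node that is not on any list, and re-initialise
 * after removal (as hlist_del_init() does) so a second call is rejected
 * rather than dereferencing a stale pprev. Returns 0 on success, -1 if the
 * node was unhashed. */
static int safe_unhash(struct mnt_rec *m)
{
    if (hlist_is_unhashed(&m->ns_node))
        return -1;
    hlist_del_raw(&m->ns_node);
    hlist_node_init(&m->ns_node);
    return 0;
}

static int list_len(const struct hlist_head *h)
{
    int n = 0;
    for (const struct hlist_node *p = h->first; p; p = p->next)
        n++;
    return n;
}

/* Runs the scenario and packs four observations into a bitmask:
 * bit0 = never-added node's store target is address 0,
 * bit1 = safe_unhash() refuses that node,
 * bit2 = list is empty after unhashing the hashed node,
 * bit3 = a second unhash of that node is refused. All four hold -> 0xf. */
static int demo(void)
{
    struct hlist_head ns_mounts = { NULL };
    struct mnt_rec a = { 1, { NULL, NULL } }, b = { 2, { NULL, NULL } };
    int mask = 0;

    hlist_push_head(&a.ns_node, &ns_mounts);   /* only 'a' is ever hashed */

    if (hlist_del_target(&b.ns_node) == 0)
        mask |= 1;
    if (safe_unhash(&b) == -1)
        mask |= 2;
    if (safe_unhash(&a) == 0 && list_len(&ns_mounts) == 0)
        mask |= 4;
    if (safe_unhash(&a) == -1)
        mask |= 8;
    return mask;
}

int main(void)
{
    printf("observations bitmask = %#x\n", demo());
    return 0;
}
```

The unconditional `*pprev = next` is why the KASAN report on x86 shows the shadow check for address range [0x0-0x7] and the PowerPC report shows a write to address 0: nothing in the list primitive itself guards against an unhashed node, so the caller has to know the node is on a list before removing it, or use the hlist_unhashed()/hlist_del_init() pair as above.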