Re: Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"
Hi all,

On Thu, 25 Jun 2020 11:25:17 +1000 Stephen Rothwell wrote:
>
> On Wed, 24 Jun 2020 11:57:07 -0400 Qian Cai wrote:
> >
> > On Wed, May 13, 2020 at 12:29:52AM +0100, David Howells wrote:
> > > Qian Cai wrote:
> > >
> > > > Reverted the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU
> > > > safe per-ns mount list”) fixed the null-ptr-deref.
> > >
> > > Okay, I'm dropping this commit for now.
> >
> > What's the point of re-adding this buggy patch to linux-next again since
> > 0621 without fixing the previous reported issue at all? Reverting the
> > commit will still fix the crash below immediately, i.e.,
> >
> > dbc87e74d022 ("vfs, fsinfo: Add an RCU safe per-ns mount list")
>
> I have added a revert of that commit to linux-next today.

I am still reverting that commit ...

-- 
Cheers,
Stephen Rothwell
Re: Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"
Hi all,

On Wed, 24 Jun 2020 11:57:07 -0400 Qian Cai wrote:
>
> On Wed, May 13, 2020 at 12:29:52AM +0100, David Howells wrote:
> > Qian Cai wrote:
> >
> > > Reverted the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU
> > > safe per-ns mount list”) fixed the null-ptr-deref.
> >
> > Okay, I'm dropping this commit for now.
>
> What's the point of re-adding this buggy patch to linux-next again since
> 0621 without fixing the previous reported issue at all? Reverting the
> commit will still fix the crash below immediately, i.e.,
>
> dbc87e74d022 ("vfs, fsinfo: Add an RCU safe per-ns mount list")

I have added a revert of that commit to linux-next today.

-- 
Cheers,
Stephen Rothwell
Re: Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"
On Wed, May 13, 2020 at 12:29:52AM +0100, David Howells wrote:
> Qian Cai wrote:
>
> > Reverted the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU safe
> > per-ns mount list”) fixed the null-ptr-deref.
>
> Okay, I'm dropping this commit for now.

What's the point of re-adding this buggy patch to linux-next again since
0621 without fixing the previous reported issue at all? Reverting the
commit will still fix the crash below immediately, i.e.,

dbc87e74d022 ("vfs, fsinfo: Add an RCU safe per-ns mount list")

# runc run root
[ 9067.486969][T72863] general protection fault, probably for non-canonical address 0xdc00: [#1] SMP KASAN PTI
[ 9067.543973][T72863] KASAN: null-ptr-deref in range [0x-0x0007]
[ 9067.586640][T72863] CPU: 24 PID: 72863 Comm: runc:[2:INIT] Not tainted 5.8.0-rc2-next-20200624+ #4
[ 9067.629285][T72863] Hardware name: HP ProLiant BL660c Gen9, BIOS I38 10/17/2018
[ 9067.663809][T72863] RIP: 0010:umount_tree+0x4ec/0xcf0
[ 9067.688505][T72863] Code: 0f 85 61 04 00 00 49 83 c7 08 48 8b 43 b8 4c 89 fa 48 c1 ea 03 80 3c 2a 00 0f 85 33 04 00 00 4c 8b 7b c0 4c 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 09 04 00 00 49 89 07 48 85 c0 74 19 48 8d 78 08
[ 9067.782308][T72863] RSP: 0018:c900259efcb0 EFLAGS: 00010246
[ 9067.810141][T72863] RAX: RBX: 8884b0cb8cd8 RCX: 192004b3dfa0
[ 9067.848310][T72863] RDX: RSI: 8884b0cb8cd8 RDI: c900259efd08
[ 9067.886236][T72863] RBP: dc00 R08: fbfff2bac7a6 R09: fbfff2bac7a6
[ 9067.922883][T72863] R10: 95d63d2f R11: fbfff2bac7a5 R12: 8884b0cb8c40
[ 9067.960156][T72863] R13: c900259efd00 R14: 0001 R15:
[ 9067.997069][T72863] FS: 7fc286f88b80() GS:1ed8() knlGS:
[ 9068.040907][T72863] CS: 0010 DS: ES: CR0: 80050033
[ 9068.074258][T72863] CR2: 7fc284141e00 CR3: 000fbc33a002 CR4: 001706e0
[ 9068.111890][T72863] Call Trace:
[ 9068.126482][T72863] ? rcu_read_unlock+0x50/0x50
[ 9068.148298][T72863] ? unhash_mnt+0x450/0x450
[ 9068.169156][T72863] ? rwlock_bug.part.1+0x90/0x90
[ 9068.191014][T72863] do_mount+0x1132/0x1620
[ 9068.211042][T72863] ? rcu_read_lock_bh_held+0xc0/0xc0
[ 9068.235399][T72863] ? copy_mount_string+0x20/0x20
[ 9068.258407][T72863] ? memdup_user+0x4f/0x80
[ 9068.278493][T72863] __x64_sys_mount+0x15d/0x1b0
[ 9068.299948][T72863] do_syscall_64+0x5f/0x310
[ 9068.320837][T72863] ? trace_hardirqs_off+0x12/0x1a0
[ 9068.343781][T72863] ? asm_exc_page_fault+0x8/0x30
[ 9068.367139][T72863] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 9068.394316][T72863] RIP: 0033:0x55d71f93e7ca
[ 9068.414833][T72863] Code: Bad RIP value.
[ 9068.433443][T72863] RSP: 002b:00c00021af30 EFLAGS: 0206 ORIG_RAX: 00a5
[ 9068.473044][T72863] RAX: ffda RBX: 00c28000 RCX: 55d71f93e7ca
[ 9068.510343][T72863] RDX: 00c00010546a RSI: 00c000105470 RDI: 00c000105460
[ 9068.547999][T72863] RBP: 00c00021afc8 R08: R09:
[ 9068.587756][T72863] R10: 1000 R11: 0206 R12: 0148
[ 9068.624851][T72863] R13: 0147 R14: 0200 R15: 0100
[ 9068.662061][T72863] Modules linked in: loop vfio_pci vfio_virqfd vfio_iommu_type1 vfio kvm_intel kvm irqbypass efivars nls_ascii nls_cp437 vfat fat ip_tables x_tables sd_mod bnx2x hpsa mdio scsi_transport_sas firmware_class dm_mirror dm_region_hash dm_log dm_mod efivarfs
[ 9068.777205][T72863] ---[ end trace 9c03562d398fb10f ]---
[ 9068.802729][T72863] RIP: 0010:umount_tree+0x4ec/0xcf0
[ 9068.826630][T72863] Code: 0f 85 61 04 00 00 49 83 c7 08 48 8b 43 b8 4c 89 fa 48 c1 ea 03 80 3c 2a 00 0f 85 33 04 00 00 4c 8b 7b c0 4c 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 09 04 00 00 49 89 07 48 85 c0 74 19 48 8d 78 08
[ 9068.918966][T72863] RSP: 0018:c900259efcb0 EFLAGS: 00010246
[ 9068.947083][T72863] RAX: RBX: 8884b0cb8cd8 RCX: 192004b3dfa0
[ 9068.985097][T72863] RDX: RSI: 8884b0cb8cd8 RDI: c900259efd08
[ 9069.022555][T72863] RBP: dc00 R08: fbfff2bac7a6 R09: fbfff2bac7a6
[ 9069.061621][T72863] R10: 95d63d2f R11: fbfff2bac7a5 R12: 8884b0cb8c40
[ 9069.101629][T72863] R13: c900259efd00 R14: 0001 R15:
[ 9069.138367][T72863] FS: 7fc286f88b80() GS:1ed8() knlGS:
[ 9069.180543][T72863] CS: 0010 DS: ES: CR0: 80050033
[ 9069.209807][T72863] CR2: 7fc284141e00 CR3: 000fbc33a002 CR4: 001706e0
[ 9069.245727][T72863] Kernel panic - not syncing: Fatal exception
[ 9069.273756][T72863] Kernel Offset: 0x11c0 from 0x8100 (relocation range: 0x8000-0xbfff)
[ 9069.327388][T72863] ---[ end Kernel panic - not syncing: Fatal
Re: Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"
Qian Cai wrote:

> Reverted the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU safe
> per-ns mount list”) fixed the null-ptr-deref.

Okay, I'm dropping this commit for now.

David
Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"
Reverted the linux-next commit ee8ad8190cb1 (“vfs, fsinfo: Add an RCU safe
per-ns mount list”) fixed the null-ptr-deref.

# runc run root
[ 1531.635242][ T] BUG: Kernel NULL pointer dereference on write at 0x
[ 1531.635285][ T] Faulting instruction address: 0xc05689e0
[ 1531.635299][ T] Oops: Kernel access of bad area, sig: 11 [#1]
[ 1531.635310][ T] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=256 DEBUG_PAGEALLOC NUMA PowerNV
[ 1531.635331][ T] Modules linked in: kvm_hv kvm ip_tables x_tables xfs sd_mod bnx2x tg3 ahci libahci mdio libphy libata firmware_class dm_mirror dm_region_hash dm_log dm_mod
[ 1531.635370][ T] CPU: 16 PID: Comm: runc:[2:INIT] Not tainted 5.7.0-rc5-next-20200512+ #9
[ 1531.635383][ T] NIP: c05689e0 LR: c05689b0 CTR:
[ 1531.635413][ T] REGS: c01323aef980 TRAP: 0300 Not tainted (5.7.0-rc5-next-20200512+)
[ 1531.635434][ T] MSR: 90009033 CR: 24424282 XER:
[ 1531.635468][ T] CFAR: c06f9eec DAR: DSISR: 4200 IRQMASK: 0
[ 1531.635468][ T] GPR00: c057 c01323aefc10 c168aa00 0001
[ 1531.635468][ T] GPR04: c015934e9e98 c015934e9e98 283df117 fffe4386c189
[ 1531.635468][ T] GPR08: c01323aefc38 0002
[ 1531.635468][ T] GPR12: 24402282 c01f1800 00c000229990 000a
[ 1531.635468][ T] GPR16: 007a 00012479c68c
[ 1531.635468][ T] GPR20: 00c00180
[ 1531.635468][ T] GPR24: c516b870 c516b858 5deadbeef122
[ 1531.635468][ T] GPR28: c01323aefc38 c015934e9e00 c015934e9ea8 c015934e9e98
[ 1531.635652][ T] NIP [c05689e0] umount_tree+0x250/0x470
__write_once_size at include/linux/compiler.h:250
(inlined by) __hlist_del at include/linux/list.h:811
(inlined by) hlist_del_rcu at include/linux/rculist.h:487
(inlined by) umount_tree at fs/namespace.c:1485
[ 1531.635672][ T] LR [c05689b0] umount_tree+0x220/0x470
[ 1531.635682][ T] Call Trace:
[ 1531.635709][ T] [c01323aefca0] [c057] do_mount+0xb70/0xc90
[ 1531.635738][ T] [c01323aefd70] [c05706f8] sys_mount+0x158/0x180
[ 1531.635760][ T] [c01323aefdc0] [c0038ac4] system_call_exception+0x114/0x1e0
[ 1531.635799][ T] [c01323aefe20] [c000c8f0] system_call_common+0xf0/0x278
[ 1531.635828][ T] Instruction dump:
[ 1531.635836][ T] 6000 2fa3 419e0014 e93f0008 e95f f92a0008 f949 e93fffb8
[ 1531.635860][ T] e95fffc0 fbff fbff0008 2fa9 419e0008 f9490008 e93f0058
[ 1531.635885][ T] ---[ end trace f12075f6fac94362 ]---
[ 1531.748352][ T]
[ 1532.748433][ T] Kernel panic - not syncing: Fatal exception
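The ppc64 report above resolves the faulting store to __write_once_size inside __hlist_del, inlined from hlist_del_rcu in umount_tree, with the write landing at address 0; the x86 KASAN report from the same reproducer likewise puts the access in [0x0-0x7]. In the kernel's __hlist_del the only unconditional store is WRITE_ONCE(*n->pprev, n->next), so a write to 0 from there means the node's pprev was NULL, which is the state of an hlist_node that has been initialised but never added to a list (hlist_unhashed() is exactly that test). The C below is an added illustration, not code from this thread, from the fsinfo patch or from its eventual fix: it models the kernel hlist primitives in user space, rebuilds the failure as a "mount" whose per-namespace list node was never hashed, and shows the hlist_unhashed() guard (the same one hlist_del_init_rcu() applies) that turns the NULL write into a refused removal. struct fake_mount, remove_from_ns() and teardown_scenario() are made-up names for this example; the list helpers mirror include/linux/list.h and include/linux/rculist.h, and the scenario data is constructed inline.

```c
/* Added illustration; fake_mount/remove_from_ns/teardown_scenario are
 * made-up names, the list helpers mirror the kernel's hlist code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

#define HLIST_HEAD_INIT { .first = NULL }

/* As in include/linux/list.h: pprev == NULL marks a node on no list. */
static inline void INIT_HLIST_NODE(struct hlist_node *h)
{
	h->next = NULL;
	h->pprev = NULL;
}

static inline bool hlist_unhashed(const struct hlist_node *h)
{
	return !h->pprev;
}

static inline void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	struct hlist_node *first = h->first;

	n->next = first;
	if (first)
		first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

/* The kernel's __hlist_del stores through pprev unconditionally; with
 * pprev == NULL that is the write to address 0 seen in the reports. */
static inline void __hlist_del(struct hlist_node *n)
{
	struct hlist_node *next = n->next;
	struct hlist_node **pprev = n->pprev;

	*pprev = next;
	if (next)
		next->pprev = pprev;
}

/* hlist_del_rcu poisons pprev afterwards, so a second delete faults at a
 * poison-derived address rather than at 0. */
#define LIST_POISON2 ((struct hlist_node **)0x122)

static inline void hlist_del_rcu(struct hlist_node *n)
{
	__hlist_del(n);
	n->pprev = LIST_POISON2;
}

/* hlist_del_init_rcu is the guarded, idempotent variant. */
static inline void hlist_del_init_rcu(struct hlist_node *n)
{
	if (!hlist_unhashed(n)) {
		__hlist_del(n);
		n->pprev = NULL;
	}
}

/* Stand-in for a mount carrying a per-namespace list node. */
struct fake_mount {
	int id;
	struct hlist_node mnt_list;
};

static int hlist_len(const struct hlist_head *h)
{
	int n = 0;

	for (const struct hlist_node *p = h->first; p; p = p->next)
		n++;
	return n;
}

/* 0 if unlinked, -1 if the node was not on the list. Replacing the
 * guarded delete with hlist_del_rcu() reproduces the NULL write. */
static int remove_from_ns(struct fake_mount *m)
{
	if (hlist_unhashed(&m->mnt_list))
		return -1;
	hlist_del_init_rcu(&m->mnt_list);
	return 0;
}

struct teardown_result {
	int refused;        /* removals refused on the first pass */
	int remaining;      /* nodes left on the list after that pass */
	int repeat_refused; /* 1 if removing a node twice was a no-op */
};

/* Constructed scenario: hash two mounts, forget the third, tear down. */
static struct teardown_result teardown_scenario(void)
{
	struct hlist_head ns_list = HLIST_HEAD_INIT;
	struct fake_mount a = { .id = 1 }, b = { .id = 2 }, c = { .id = 3 };
	struct fake_mount *all[] = { &a, &b, &c };
	struct teardown_result r = { 0, 0, 0 };

	for (size_t i = 0; i < 3; i++)
		INIT_HLIST_NODE(&all[i]->mnt_list);
	hlist_add_head(&a.mnt_list, &ns_list);
	hlist_add_head(&b.mnt_list, &ns_list);
	/* c is deliberately never hashed: its pprev stays NULL */

	for (size_t i = 0; i < 3; i++)
		if (remove_from_ns(all[i]) < 0)
			r.refused++;
	r.remaining = hlist_len(&ns_list);
	r.repeat_refused = remove_from_ns(&a) < 0;
	return r;
}

int main(void)
{
	struct teardown_result r = teardown_scenario();

	printf("refused %d removal(s), %d left, repeat refused: %d\n",
	       r.refused, r.remaining, r.repeat_refused);
	return 0;
}
```

Reading the two reports against this model: hlist_del_rcu() leaves LIST_POISON2 in pprev after a successful delete, so deleting the same node twice faults at a poison-derived address, while the reports show the store going to 0. That distinguishes "node never added to the list" from "node deleted twice" before any source is read, which is the first question to settle when a new per-namespace list is introduced and umount_tree() starts unlinking nodes from it.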