Re: [linux-yocto] [yocto-kernel-cache][yocto-5.4][PATCH] NFS: fix general protection fault in nfs_mount
In message: [yocto-kernel-cache][yocto-5.4][PATCH] NFS: fix general protection fault in nfs_mount on 28/06/2021 Ovidiu Panait wrote: > While fuzzing the kernel with syzkaller, the following issue was triggered: > > Call Trace: > strlen usr/src/kernel/include/linux/string.h:306 [inline] > nfs_mount+0x316/0x740 usr/src/kernel/fs/nfs/mount_clnt.c:174 > ? __kernel_text_address+0x12/0x40 usr/src/kernel/kernel/extable.c:95 > ? mnt_xdr_dec_mountres+0x3a0/0x3a0 usr/src/kernel/fs/nfs/mount_clnt.c:371 > ? arch_stack_walk+0xa2/0xf0 usr/src/kernel/arch/x86/kernel/stacktrace.c:26 > ? mark_usage usr/src/kernel/kernel/locking/lockdep.c:3426 [inline] > ? __lock_acquire+0x557/0x5ed0 usr/src/kernel/kernel/locking/lockdep.c:3752 > nfs_request_mount.constprop.0+0x42e/0x680 usr/src/kernel/fs/nfs/super.c:1817 > ? nfs_fs_mount+0x2870/0x2870 usr/src/kernel/fs/nfs/super.c:2080 > ? lockdep_hardirqs_on+0x580/0x580 > usr/src/kernel/kernel/locking/lockdep.c:3264 > ? lockdep_hardirqs_on+0x580/0x580 > usr/src/kernel/kernel/locking/lockdep.c:3264 > nfs_try_mount_request usr/src/kernel/fs/nfs/super.c:1839 [inline] > nfs_try_mount+0x25b/0x93a usr/src/kernel/fs/nfs/super.c:1907 > ? lock_downgrade+0x770/0x770 usr/src/kernel/kernel/locking/lockdep.c:4043 > ? nfs_request_mount.constprop.0+0x680/0x680 > usr/src/kernel/fs/nfs/super.c:1800 > ? lock_downgrade+0x770/0x770 usr/src/kernel/kernel/locking/lockdep.c:4043 > ? rwlock_bug.part.0+0x90/0x90 usr/src/kernel/include/linux/sched.h:1250 > ? kasan_check_read+0x11/0x20 usr/src/kernel/mm/kasan/common.c:94 > ? atomic_read usr/src/kernel/include/asm-generic/atomic-instrumented.h:26 > [inline] > ? queued_spin_is_locked usr/src/kernel/include/asm-generic/qspinlock.h:26 > [inline] > ? debug_spin_unlock usr/src/kernel/kernel/locking/spinlock_debug.c:98 > [inline] > ? do_raw_spin_unlock+0x59/0x260 > usr/src/kernel/kernel/locking/spinlock_debug.c:138 > ? __raw_spin_unlock usr/src/kernel/include/linux/spinlock_api_smp.h:152 > [inline] > ? _raw_spin_unlock+0x32/0x50 usr/src/kernel/kernel/locking/spinlock.c:183 > ? find_nfs_version+0xe6/0x110 usr/src/kernel/include/linux/err.h:26 > nfs_fs_mount+0xe83/0x2870 usr/src/kernel/fs/nfs/super.c:2750 > ? nfs_remount+0x19e0/0x19e0 usr/src/kernel/include/net/ipv6.h:517 > ? trace_kfree usr/src/kernel/include/trace/events/kmem.h:137 [inline] > ? kfree+0x194/0x2c0 usr/src/kernel/mm/slub.c:3983 > ? nfs_clone_super+0x420/0x420 usr/src/kernel/fs/nfs/super.c:2421 > ? nfs_parse_mount_options+0x2400/0x2400 usr/src/kernel/fs/nfs/super.c:1396 > ? vfs_parse_fs_string+0x11b/0x170 usr/src/kernel/fs/fs_context.c:190 > ? vfs_parse_fs_param+0x540/0x540 usr/src/kernel/fs/fs_context.c:163 > ? nfs_remount+0x19e0/0x19e0 usr/src/kernel/include/net/ipv6.h:517 > legacy_get_tree+0x10f/0x220 usr/src/kernel/fs/fs_context.c:659 > ? legacy_parse_monolithic+0x124/0x180 usr/src/kernel/fs/fs_context.c:643 > vfs_get_tree+0x98/0x3a0 usr/src/kernel/fs/super.c:1478 > do_new_mount usr/src/kernel/fs/namespace.c:2801 [inline] > do_mount+0x1381/0x1c20 usr/src/kernel/fs/namespace.c:3121 > ? copy_mount_string+0x40/0x40 usr/src/kernel/fs/namespace.c:3024 > ? kasan_kmalloc+0x9/0x10 usr/src/kernel/mm/kasan/common.c:509 > ? kmem_cache_alloc_trace+0x147/0x310 usr/src/kernel/mm/slub.c:2810 > ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 usr/src/kernel/kernel/kcov.c:189 > ? memset usr/src/kernel/include/linux/string.h:369 [inline] > ? copy_mount_options+0x2d9/0x3d0 usr/src/kernel/fs/namespace.c:3017 > ksys_mount+0xd8/0x130 usr/src/kernel/fs/namespace.c:3330 > __do_sys_mount usr/src/kernel/fs/namespace.c:3344 [inline] > __se_sys_mount usr/src/kernel/fs/namespace.c:3341 [inline] > __x64_sys_mount+0xc3/0x150 usr/src/kernel/fs/namespace.c:3341 > do_syscall_64+0xc7/0x600 usr/src/kernel/arch/x86/entry/common.c:295 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > It can be reproduced using the following simplified program: > #include > #include > > int main() > { >mount(NULL, "./file0", "nfs", 0x400, "\x07\000\000\000"); > >return 0; > } > > It was introduced by the follwing yocto-specific commit: > commit ad818f6b28a610b53814d8b1d0da2fadfd83a3ad > Author: Jason Wessel > Date: Wed Jan 7 00:59:33 2009 -0500 > > NFS: allow nfs root mount to use alternate rpc ports > > Allow an nfs root mount to use alternate RPC ports for mountd and nfsd. > > Signed-off-by: Jason Wessel > [forward port to 2.6.33+] > Signed-off-by: Bruce Ashfield > > Since hardknott, "NFS: allow nfs root mount to use alternate rpc ports" patch > is > no longer applied by yocto-kernel-cache (a4283cc6be0c65 ("kver: update > -dev to v5.6-rc5")) due to a merge conflict. Also, in later kernels (since > v5.6 > commit f2aedb713c284 ("NFS: Add fs_context support")), the nfs parser has been > refactored to use generic fs_context, so it is not clear how easy would be to > reproduce this issue. > > The null pointer dereference takes place only when
[linux-yocto] [yocto-kernel-cache][yocto-5.4][PATCH] NFS: fix general protection fault in nfs_mount
While fuzzing the kernel with syzkaller, the following issue was triggered: Call Trace: strlen usr/src/kernel/include/linux/string.h:306 [inline] nfs_mount+0x316/0x740 usr/src/kernel/fs/nfs/mount_clnt.c:174 ? __kernel_text_address+0x12/0x40 usr/src/kernel/kernel/extable.c:95 ? mnt_xdr_dec_mountres+0x3a0/0x3a0 usr/src/kernel/fs/nfs/mount_clnt.c:371 ? arch_stack_walk+0xa2/0xf0 usr/src/kernel/arch/x86/kernel/stacktrace.c:26 ? mark_usage usr/src/kernel/kernel/locking/lockdep.c:3426 [inline] ? __lock_acquire+0x557/0x5ed0 usr/src/kernel/kernel/locking/lockdep.c:3752 nfs_request_mount.constprop.0+0x42e/0x680 usr/src/kernel/fs/nfs/super.c:1817 ? nfs_fs_mount+0x2870/0x2870 usr/src/kernel/fs/nfs/super.c:2080 ? lockdep_hardirqs_on+0x580/0x580 usr/src/kernel/kernel/locking/lockdep.c:3264 ? lockdep_hardirqs_on+0x580/0x580 usr/src/kernel/kernel/locking/lockdep.c:3264 nfs_try_mount_request usr/src/kernel/fs/nfs/super.c:1839 [inline] nfs_try_mount+0x25b/0x93a usr/src/kernel/fs/nfs/super.c:1907 ? lock_downgrade+0x770/0x770 usr/src/kernel/kernel/locking/lockdep.c:4043 ? nfs_request_mount.constprop.0+0x680/0x680 usr/src/kernel/fs/nfs/super.c:1800 ? lock_downgrade+0x770/0x770 usr/src/kernel/kernel/locking/lockdep.c:4043 ? rwlock_bug.part.0+0x90/0x90 usr/src/kernel/include/linux/sched.h:1250 ? kasan_check_read+0x11/0x20 usr/src/kernel/mm/kasan/common.c:94 ? atomic_read usr/src/kernel/include/asm-generic/atomic-instrumented.h:26 [inline] ? queued_spin_is_locked usr/src/kernel/include/asm-generic/qspinlock.h:26 [inline] ? debug_spin_unlock usr/src/kernel/kernel/locking/spinlock_debug.c:98 [inline] ? do_raw_spin_unlock+0x59/0x260 usr/src/kernel/kernel/locking/spinlock_debug.c:138 ? __raw_spin_unlock usr/src/kernel/include/linux/spinlock_api_smp.h:152 [inline] ? _raw_spin_unlock+0x32/0x50 usr/src/kernel/kernel/locking/spinlock.c:183 ? find_nfs_version+0xe6/0x110 usr/src/kernel/include/linux/err.h:26 nfs_fs_mount+0xe83/0x2870 usr/src/kernel/fs/nfs/super.c:2750 ? nfs_remount+0x19e0/0x19e0 usr/src/kernel/include/net/ipv6.h:517 ? trace_kfree usr/src/kernel/include/trace/events/kmem.h:137 [inline] ? kfree+0x194/0x2c0 usr/src/kernel/mm/slub.c:3983 ? nfs_clone_super+0x420/0x420 usr/src/kernel/fs/nfs/super.c:2421 ? nfs_parse_mount_options+0x2400/0x2400 usr/src/kernel/fs/nfs/super.c:1396 ? vfs_parse_fs_string+0x11b/0x170 usr/src/kernel/fs/fs_context.c:190 ? vfs_parse_fs_param+0x540/0x540 usr/src/kernel/fs/fs_context.c:163 ? nfs_remount+0x19e0/0x19e0 usr/src/kernel/include/net/ipv6.h:517 legacy_get_tree+0x10f/0x220 usr/src/kernel/fs/fs_context.c:659 ? legacy_parse_monolithic+0x124/0x180 usr/src/kernel/fs/fs_context.c:643 vfs_get_tree+0x98/0x3a0 usr/src/kernel/fs/super.c:1478 do_new_mount usr/src/kernel/fs/namespace.c:2801 [inline] do_mount+0x1381/0x1c20 usr/src/kernel/fs/namespace.c:3121 ? copy_mount_string+0x40/0x40 usr/src/kernel/fs/namespace.c:3024 ? kasan_kmalloc+0x9/0x10 usr/src/kernel/mm/kasan/common.c:509 ? kmem_cache_alloc_trace+0x147/0x310 usr/src/kernel/mm/slub.c:2810 ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 usr/src/kernel/kernel/kcov.c:189 ? memset usr/src/kernel/include/linux/string.h:369 [inline] ? copy_mount_options+0x2d9/0x3d0 usr/src/kernel/fs/namespace.c:3017 ksys_mount+0xd8/0x130 usr/src/kernel/fs/namespace.c:3330 __do_sys_mount usr/src/kernel/fs/namespace.c:3344 [inline] __se_sys_mount usr/src/kernel/fs/namespace.c:3341 [inline] __x64_sys_mount+0xc3/0x150 usr/src/kernel/fs/namespace.c:3341 do_syscall_64+0xc7/0x600 usr/src/kernel/arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xbe It can be reproduced using the following simplified program: #include #include int main() { mount(NULL, "./file0", "nfs", 0x400, "\x07\000\000\000"); return 0; } It was introduced by the follwing yocto-specific commit: commit ad818f6b28a610b53814d8b1d0da2fadfd83a3ad Author: Jason Wessel Date: Wed Jan 7 00:59:33 2009 -0500 NFS: allow nfs root mount to use alternate rpc ports Allow an nfs root mount to use alternate RPC ports for mountd and nfsd. Signed-off-by: Jason Wessel [forward port to 2.6.33+] Signed-off-by: Bruce Ashfield Since hardknott, "NFS: allow nfs root mount to use alternate rpc ports" patch is no longer applied by yocto-kernel-cache (a4283cc6be0c65 ("kver: update -dev to v5.6-rc5")) due to a merge conflict. Also, in later kernels (since v5.6 commit f2aedb713c284 ("NFS: Add fs_context support")), the nfs parser has been refactored to use generic fs_context, so it is not clear how easy would be to reproduce this issue. The null pointer dereference takes place only when data->version is 0x07, because that is the only switch case that does not perform struct nfs_parsed_mount_data initialization (case 6 in the switch). All other switch cases fall through case 6 and perform the initializations properly. To fix this, also run legacy version 6 binary mount logic when NFS version is 0x07. Signed-off-by: Ovidiu