Re: [linux-yocto] [yocto-kernel-cache][yocto-5.4][PATCH] NFS: fix general protection fault in nfs_mount

2021-06-30 Thread Bruce Ashfield 
In message: [yocto-kernel-cache][yocto-5.4][PATCH] NFS: fix general protection 
fault in nfs_mount
on 28/06/2021 Ovidiu Panait wrote:

> While fuzzing the kernel with syzkaller, the following issue was triggered:
> 
> Call Trace:
>  strlen usr/src/kernel/include/linux/string.h:306 [inline]
>  nfs_mount+0x316/0x740 usr/src/kernel/fs/nfs/mount_clnt.c:174
>  ? __kernel_text_address+0x12/0x40 usr/src/kernel/kernel/extable.c:95
>  ? mnt_xdr_dec_mountres+0x3a0/0x3a0 usr/src/kernel/fs/nfs/mount_clnt.c:371
>  ? arch_stack_walk+0xa2/0xf0 usr/src/kernel/arch/x86/kernel/stacktrace.c:26
>  ? mark_usage usr/src/kernel/kernel/locking/lockdep.c:3426 [inline]
>  ? __lock_acquire+0x557/0x5ed0 usr/src/kernel/kernel/locking/lockdep.c:3752
>  nfs_request_mount.constprop.0+0x42e/0x680 usr/src/kernel/fs/nfs/super.c:1817
>  ? nfs_fs_mount+0x2870/0x2870 usr/src/kernel/fs/nfs/super.c:2080
>  ? lockdep_hardirqs_on+0x580/0x580 
> usr/src/kernel/kernel/locking/lockdep.c:3264
>  ? lockdep_hardirqs_on+0x580/0x580 
> usr/src/kernel/kernel/locking/lockdep.c:3264
>  nfs_try_mount_request usr/src/kernel/fs/nfs/super.c:1839 [inline]
>  nfs_try_mount+0x25b/0x93a usr/src/kernel/fs/nfs/super.c:1907
>  ? lock_downgrade+0x770/0x770 usr/src/kernel/kernel/locking/lockdep.c:4043
>  ? nfs_request_mount.constprop.0+0x680/0x680 
> usr/src/kernel/fs/nfs/super.c:1800
>  ? lock_downgrade+0x770/0x770 usr/src/kernel/kernel/locking/lockdep.c:4043
>  ? rwlock_bug.part.0+0x90/0x90 usr/src/kernel/include/linux/sched.h:1250
>  ? kasan_check_read+0x11/0x20 usr/src/kernel/mm/kasan/common.c:94
>  ? atomic_read usr/src/kernel/include/asm-generic/atomic-instrumented.h:26 
> [inline]
>  ? queued_spin_is_locked usr/src/kernel/include/asm-generic/qspinlock.h:26 
> [inline]
>  ? debug_spin_unlock usr/src/kernel/kernel/locking/spinlock_debug.c:98 
> [inline]
>  ? do_raw_spin_unlock+0x59/0x260 
> usr/src/kernel/kernel/locking/spinlock_debug.c:138
>  ? __raw_spin_unlock usr/src/kernel/include/linux/spinlock_api_smp.h:152 
> [inline]
>  ? _raw_spin_unlock+0x32/0x50 usr/src/kernel/kernel/locking/spinlock.c:183
>  ? find_nfs_version+0xe6/0x110 usr/src/kernel/include/linux/err.h:26
>  nfs_fs_mount+0xe83/0x2870 usr/src/kernel/fs/nfs/super.c:2750
>  ? nfs_remount+0x19e0/0x19e0 usr/src/kernel/include/net/ipv6.h:517
>  ? trace_kfree usr/src/kernel/include/trace/events/kmem.h:137 [inline]
>  ? kfree+0x194/0x2c0 usr/src/kernel/mm/slub.c:3983
>  ? nfs_clone_super+0x420/0x420 usr/src/kernel/fs/nfs/super.c:2421
>  ? nfs_parse_mount_options+0x2400/0x2400 usr/src/kernel/fs/nfs/super.c:1396
>  ? vfs_parse_fs_string+0x11b/0x170 usr/src/kernel/fs/fs_context.c:190
>  ? vfs_parse_fs_param+0x540/0x540 usr/src/kernel/fs/fs_context.c:163
>  ? nfs_remount+0x19e0/0x19e0 usr/src/kernel/include/net/ipv6.h:517
>  legacy_get_tree+0x10f/0x220 usr/src/kernel/fs/fs_context.c:659
>  ? legacy_parse_monolithic+0x124/0x180 usr/src/kernel/fs/fs_context.c:643
>  vfs_get_tree+0x98/0x3a0 usr/src/kernel/fs/super.c:1478
>  do_new_mount usr/src/kernel/fs/namespace.c:2801 [inline]
>  do_mount+0x1381/0x1c20 usr/src/kernel/fs/namespace.c:3121
>  ? copy_mount_string+0x40/0x40 usr/src/kernel/fs/namespace.c:3024
>  ? kasan_kmalloc+0x9/0x10 usr/src/kernel/mm/kasan/common.c:509
>  ? kmem_cache_alloc_trace+0x147/0x310 usr/src/kernel/mm/slub.c:2810
>  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 usr/src/kernel/kernel/kcov.c:189
>  ? memset usr/src/kernel/include/linux/string.h:369 [inline]
>  ? copy_mount_options+0x2d9/0x3d0 usr/src/kernel/fs/namespace.c:3017
>  ksys_mount+0xd8/0x130 usr/src/kernel/fs/namespace.c:3330
>  __do_sys_mount usr/src/kernel/fs/namespace.c:3344 [inline]
>  __se_sys_mount usr/src/kernel/fs/namespace.c:3341 [inline]
>  __x64_sys_mount+0xc3/0x150 usr/src/kernel/fs/namespace.c:3341
>  do_syscall_64+0xc7/0x600 usr/src/kernel/arch/x86/entry/common.c:295
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> It can be reproduced using the following simplified program:
>  #include 
>  #include 
> 
>  int main()
>  {
>mount(NULL, "./file0", "nfs", 0x400, "\x07\000\000\000");
> 
>return 0;
>  }
> 
> It was introduced by the follwing yocto-specific commit:
> commit ad818f6b28a610b53814d8b1d0da2fadfd83a3ad
> Author: Jason Wessel 
> Date:   Wed Jan 7 00:59:33 2009 -0500
> 
> NFS: allow nfs root mount to use alternate rpc ports
> 
> Allow an nfs root mount to use alternate RPC ports for mountd and nfsd.
> 
> Signed-off-by: Jason Wessel 
> [forward port to 2.6.33+]
> Signed-off-by: Bruce Ashfield 
> 
> Since hardknott, "NFS: allow nfs root mount to use alternate rpc ports" patch 
> is
> no longer applied by yocto-kernel-cache (a4283cc6be0c65 ("kver: update
> -dev to v5.6-rc5")) due to a merge conflict. Also, in later kernels (since 
> v5.6
> commit f2aedb713c284 ("NFS: Add fs_context support")), the nfs parser has been
> refactored to use generic fs_context, so it is not clear how easy would be to
> reproduce this issue.
> 
> The null pointer dereference takes place only when

[linux-yocto] [yocto-kernel-cache][yocto-5.4][PATCH] NFS: fix general protection fault in nfs_mount

2021-06-28 Thread Ovidiu Panait 
While fuzzing the kernel with syzkaller, the following issue was triggered:

Call Trace:
 strlen usr/src/kernel/include/linux/string.h:306 [inline]
 nfs_mount+0x316/0x740 usr/src/kernel/fs/nfs/mount_clnt.c:174
 ? __kernel_text_address+0x12/0x40 usr/src/kernel/kernel/extable.c:95
 ? mnt_xdr_dec_mountres+0x3a0/0x3a0 usr/src/kernel/fs/nfs/mount_clnt.c:371
 ? arch_stack_walk+0xa2/0xf0 usr/src/kernel/arch/x86/kernel/stacktrace.c:26
 ? mark_usage usr/src/kernel/kernel/locking/lockdep.c:3426 [inline]
 ? __lock_acquire+0x557/0x5ed0 usr/src/kernel/kernel/locking/lockdep.c:3752
 nfs_request_mount.constprop.0+0x42e/0x680 usr/src/kernel/fs/nfs/super.c:1817
 ? nfs_fs_mount+0x2870/0x2870 usr/src/kernel/fs/nfs/super.c:2080
 ? lockdep_hardirqs_on+0x580/0x580 usr/src/kernel/kernel/locking/lockdep.c:3264
 ? lockdep_hardirqs_on+0x580/0x580 usr/src/kernel/kernel/locking/lockdep.c:3264
 nfs_try_mount_request usr/src/kernel/fs/nfs/super.c:1839 [inline]
 nfs_try_mount+0x25b/0x93a usr/src/kernel/fs/nfs/super.c:1907
 ? lock_downgrade+0x770/0x770 usr/src/kernel/kernel/locking/lockdep.c:4043
 ? nfs_request_mount.constprop.0+0x680/0x680 usr/src/kernel/fs/nfs/super.c:1800
 ? lock_downgrade+0x770/0x770 usr/src/kernel/kernel/locking/lockdep.c:4043
 ? rwlock_bug.part.0+0x90/0x90 usr/src/kernel/include/linux/sched.h:1250
 ? kasan_check_read+0x11/0x20 usr/src/kernel/mm/kasan/common.c:94
 ? atomic_read usr/src/kernel/include/asm-generic/atomic-instrumented.h:26 
[inline]
 ? queued_spin_is_locked usr/src/kernel/include/asm-generic/qspinlock.h:26 
[inline]
 ? debug_spin_unlock usr/src/kernel/kernel/locking/spinlock_debug.c:98 [inline]
 ? do_raw_spin_unlock+0x59/0x260 
usr/src/kernel/kernel/locking/spinlock_debug.c:138
 ? __raw_spin_unlock usr/src/kernel/include/linux/spinlock_api_smp.h:152 
[inline]
 ? _raw_spin_unlock+0x32/0x50 usr/src/kernel/kernel/locking/spinlock.c:183
 ? find_nfs_version+0xe6/0x110 usr/src/kernel/include/linux/err.h:26
 nfs_fs_mount+0xe83/0x2870 usr/src/kernel/fs/nfs/super.c:2750
 ? nfs_remount+0x19e0/0x19e0 usr/src/kernel/include/net/ipv6.h:517
 ? trace_kfree usr/src/kernel/include/trace/events/kmem.h:137 [inline]
 ? kfree+0x194/0x2c0 usr/src/kernel/mm/slub.c:3983
 ? nfs_clone_super+0x420/0x420 usr/src/kernel/fs/nfs/super.c:2421
 ? nfs_parse_mount_options+0x2400/0x2400 usr/src/kernel/fs/nfs/super.c:1396
 ? vfs_parse_fs_string+0x11b/0x170 usr/src/kernel/fs/fs_context.c:190
 ? vfs_parse_fs_param+0x540/0x540 usr/src/kernel/fs/fs_context.c:163
 ? nfs_remount+0x19e0/0x19e0 usr/src/kernel/include/net/ipv6.h:517
 legacy_get_tree+0x10f/0x220 usr/src/kernel/fs/fs_context.c:659
 ? legacy_parse_monolithic+0x124/0x180 usr/src/kernel/fs/fs_context.c:643
 vfs_get_tree+0x98/0x3a0 usr/src/kernel/fs/super.c:1478
 do_new_mount usr/src/kernel/fs/namespace.c:2801 [inline]
 do_mount+0x1381/0x1c20 usr/src/kernel/fs/namespace.c:3121
 ? copy_mount_string+0x40/0x40 usr/src/kernel/fs/namespace.c:3024
 ? kasan_kmalloc+0x9/0x10 usr/src/kernel/mm/kasan/common.c:509
 ? kmem_cache_alloc_trace+0x147/0x310 usr/src/kernel/mm/slub.c:2810
 ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 usr/src/kernel/kernel/kcov.c:189
 ? memset usr/src/kernel/include/linux/string.h:369 [inline]
 ? copy_mount_options+0x2d9/0x3d0 usr/src/kernel/fs/namespace.c:3017
 ksys_mount+0xd8/0x130 usr/src/kernel/fs/namespace.c:3330
 __do_sys_mount usr/src/kernel/fs/namespace.c:3344 [inline]
 __se_sys_mount usr/src/kernel/fs/namespace.c:3341 [inline]
 __x64_sys_mount+0xc3/0x150 usr/src/kernel/fs/namespace.c:3341
 do_syscall_64+0xc7/0x600 usr/src/kernel/arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

It can be reproduced using the following simplified program:
 #include 
 #include 

 int main()
 {
   mount(NULL, "./file0", "nfs", 0x400, "\x07\000\000\000");

   return 0;
 }

It was introduced by the follwing yocto-specific commit:
commit ad818f6b28a610b53814d8b1d0da2fadfd83a3ad
Author: Jason Wessel 
Date:   Wed Jan 7 00:59:33 2009 -0500

NFS: allow nfs root mount to use alternate rpc ports

Allow an nfs root mount to use alternate RPC ports for mountd and nfsd.

Signed-off-by: Jason Wessel 
[forward port to 2.6.33+]
Signed-off-by: Bruce Ashfield 

Since hardknott, "NFS: allow nfs root mount to use alternate rpc ports" patch is
no longer applied by yocto-kernel-cache (a4283cc6be0c65 ("kver: update
-dev to v5.6-rc5")) due to a merge conflict. Also, in later kernels (since v5.6
commit f2aedb713c284 ("NFS: Add fs_context support")), the nfs parser has been
refactored to use generic fs_context, so it is not clear how easy would be to
reproduce this issue.

The null pointer dereference takes place only when data->version is 0x07,
because that is the only switch case that does not perform struct
nfs_parsed_mount_data initialization (case 6 in the switch). All other
switch cases fall through case 6 and perform the initializations properly.
To fix this, also run legacy version 6 binary mount logic when NFS version
is 0x07.

Signed-off-by: Ovidiu