[Kernel-packages] [Bug 1934175] Re: Kernel oops due to uninitialized list on kernfs (kernfs_kill_sb)
This bug was fixed in the package linux - 4.15.0-154.161

---
linux (4.15.0-154.161) bionic; urgency=medium

  * bionic/linux: 4.15.0-154.161 -proposed tracker (LP: #1938411)

  * Potential reverts of 4.19.y stable changes in 18.04 (LP: #1938537)
    - SAUCE: Revert "locking/mutex: clear MUTEX_FLAGS if wait_list is empty
      due to signal"
    - SAUCE: Revert "drm/amd/amdgpu: fix refcount leak"

  * Packaging resync (LP: #1786013)
    - [Packaging] resync getabis
    - [Packaging] update helper scripts
    - update dkms package versions

  * btrfs: Automatic balance returns -EUCLEAN and leads to forced readonly
    filesystem (LP: #1934709) // CVE-2019-19036
    - btrfs: Validate child tree block's level and first key
    - btrfs: Detect unbalanced tree with empty leaf before crashing btree
      operations

  * btrfs: Automatic balance returns -EUCLEAN and leads to forced readonly
    filesystem (LP: #1934709)
    - Revert "btrfs: Detect unbalanced tree with empty leaf before crashing
      btree operations"
    - Revert "btrfs: Validate child tree block's level and first key"
    - btrfs: Only check first key for committed tree blocks
    - btrfs: Fix wrong first_key parameter in replace_path

  * Enable fib-onlink-tests.sh and msg_zerocopy.sh in kselftests/net on
    Bionic (LP: #1934759)
    - selftests: Add fib-onlink-tests.sh to TEST_PROGS
    - selftests: net: use TEST_PROGS_EXTENDED
    - selftests/net: enable msg_zerocopy test
    - SAUCE: selftests: Make fib-onlink-tests.sh executable

  * Kernel oops due to uninitialized list on kernfs (kernfs_kill_sb)
    (LP: #1934175)
    - kernfs: deal with kernfs_fill_super() failures
    - unfuck sysfs_mount()

  * large_dir in ext4 broken (LP: #1933074)
    - SAUCE: ext4: fix directory index node split corruption

  * btrfs: Attempting to balance a nearly full filesystem with relocated
    root nodes fails (LP: #1933172) // CVE-2019-19036
    - btrfs: reloc: fix reloc root leak and NULL pointer dereference

  * btrfs: Attempting to balance a nearly full filesystem with relocated
    root nodes fails (LP: #1933172)
    - Revert "btrfs: reloc: fix reloc root leak and NULL pointer dereference"

  * Pixel format change broken for Elgato Cam Link 4K (LP: #1932367)
    - (upstream) media: uvcvideo: Fix pixel format change for Elgato Cam
      Link 4K

  * Bionic update: upstream stable patchset 2021-06-23 (LP: #1933375)
    - net: usb: cdc_ncm: don't spew notifications
    - efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared
    - efi: cper: fix snprintf() use in cper_dimm_err_location()
    - vfio/pci: Fix error return code in vfio_ecap_init()
    - vfio/pci: zap_vma_ptes() needs MMU
    - vfio/platform: fix module_put call in error flow
    - ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service
    - HID: pidff: fix error return code in hid_pidff_init()
    - HID: i2c-hid: fix format string mismatch
    - netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches
    - ieee802154: fix error return code in ieee802154_add_iface()
    - ieee802154: fix error return code in ieee802154_llsec_getparams()
    - Bluetooth: fix the erroneous flush_work() order
    - Bluetooth: use correct lock to prevent UAF of hdev object
    - net: caif: added cfserl_release function
    - net: caif: add proper error handling
    - net: caif: fix memory leak in caif_device_notify
    - net: caif: fix memory leak in cfusbl_device_notify
    - ALSA: timer: Fix master timer notification
    - ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed
    - pid: take a reference when initializing `cad_pid`
    - ocfs2: fix data corruption by fallocate
    - nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect
    - btrfs: fix error handling in btrfs_del_csums
    - btrfs: fixup error handling in fixup_inode_link_counts
    - mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY
    - selftests/bpf: make 'dubious pointer arithmetic' test useful
    - bnxt_en: Remove the setting of dev_port.
    - KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode
    - sched/fair: Optimize select_idle_cpu
    - xen-pciback: redo VF placement in the virtual topology
    - ALSA: usb: update old-style static const declaration
    - nl80211: validate key indexes for cfg80211_registered_device
    - x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing
    - btrfs: return errors from btrfs_del_csums in cleanup_ref_head
    - KVM: arm64: Fix debug register indexing

 -- Kleber Sacilotto de Souza  Fri, 30 Jul 2021 14:39:24 +0200

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19036

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1934175

Title:
  Kernel oops due to uninitialized list on kernfs
[Kernel-packages] [Bug 1934175] Re: Kernel oops due to uninitialized list on kernfs (kernfs_kill_sb)
** Tags removed: verification-needed-bionic
** Tags added: bionic verification-done-bionic

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1934175

Title:
  Kernel oops due to uninitialized list on kernfs (kernfs_kill_sb)

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Committed

Bug description:
  [Impact]
  * We had a recent report of a kernel crash due to a NULL pointer
  dereference in a Bionic 4.15 derivative kernel, as per the following
  log collected:

  [...]
  [537105.767348] SLUB: Unable to allocate memory on node -1, gfp=0x14000c0(GFP_KERNEL)
  [...]
  [537105.767368] BUG: unable to handle kernel NULL pointer dereference at 0008
  [537105.11] IP: kernfs_kill_sb+0x31/0x70
  [537105.783582] PGD 0 P4D 0
  [537105.787844] Oops: 0002 [#1] SMP PTI
  [...]
  RIP: 0010:kernfs_kill_sb+0x31/0x70
  RSP: 0018:b90aec1afd00 EFLAGS: 00010286
  RAX: RBX: 9fdbd567d900 RCX: a0143885ae01
  RDX: RSI: a0143885ae00 RDI: a2937c40
  RBP: b90aec1afd10 R08: a0150b581510 R09: 0001814d
  R10: b90aec1afcd8 R11: 0100 R12: a01436e43000
  R13: a01436e43000 R14: R15: 9fdbd567d900
  FS: 7fe41a615b80() GS:a01afea4() knlGS:
  CS: 0010 DS: ES: CR0: 80050033
  CR2: 0008 CR3: 007dfe3cc003 CR4: 003606e0
  DR0: DR1: DR2:
  DR3: DR6: fffe0ff0 DR7: 0400
  Call Trace:
   sysfs_kill_sb+0x1f/0x40
   deactivate_locked_super+0x48/0x80
   kernfs_mount_ns+0x1eb/0x230
   sysfs_mount+0x66/0xc0
   mount_fs+0x37/0x160
   ? alloc_vfsmnt+0x1b3/0x230
   vfs_kern_mount.part.24+0x5d/0x110
   do_mount+0x5ed/0xce0
  [...]

  * The following detailed call stack plus the disassembly help to
  understand the cause of the issue:

  mount_fs()
  --sysfs_mount()
    kernfs_mount_ns()
    --deactivate_locked_super()
      sysfs_kill_sb()
      --kernfs_kill_sb()

  The below disassembly of kernfs_kill_sb() clarifies exactly the issue:

  812f46e0 <kernfs_kill_sb>:
  [ ... prologue ...]
  48 8b 9f 08 04 00 00    mov    0x408(%rdi),%rbx    # %rbx = kernfs_super_info *info = sb->s_fs_info
  49 89 fc                mov    %rdi,%r12           # %r12 = super_block *sb
  48 c7 c7 40 7c 53 82    mov    $0x82537c40,%rdi    # %rdi = &kernfs_mutex (global)
  812f46f9: R_X86_64_32S  kernfs_mutex
  e8 ee da 67 00          callq  819721f0            # mutex_lock(&kernfs_mutex);
  [...]
  48 8b 53 18             mov    0x18(%rbx),%rdx     # %rdx = info->node
  48 8b 43 20             mov    0x20(%rbx),%rax     # based on splat, RAX == 0x0 [info->head.prev]
  48 89 42 08             mov    %rax,0x8(%rdx)      # <- OOPS [tried to assign next->prev = prev, see __list_del()]
  48 89 10                mov    %rdx,(%rax)
  48 b8 00 01 00 00 00    movabs $0xdead0100,%rax    # node->next = LIST_POISON1
  [...]

  * The fix for this issue comes from upstream commit 82382acec0c9
  ("kernfs: deal with kernfs_fill_super() failures"); this commit is a
  very trivial fix that adds an INIT_LIST_HEAD(&info->node) in
  kernfs_mount_ns(), making the list prev/next pointers valid since the
  beginning. Unfortunately this commit wasn't CCed to the stable email
  when sent, so it wasn't automatically picked up by the Ubuntu kernel;
  now it was properly submitted to the stable list [0].

  * Along with this fix, we found another commit (7b745a4e4051) which is
  a small/simple fix to correlated code, that also should have been sent
  to the 4.14.y stable branch, but for some reason wasn't. Since both
  commits were accepted in linux-stable, we are hereby proposing the
  backport for the Ubuntu 4.15 kernel.

  [0]
  https://lore.kernel.org/stable/20210622210622.9925-1-gpicc...@canonical.com/

  [Test Case]
  * We don't have a real test case, although a low-memory condition or
  an artificial kprobe reproducer could easily trigger the issue.

  * We booted a qemu virtual machine with a kernel containing both
  patches with no issues.

  [Where problems could occur]
  * The likelihood of issues is low, especially since both patches are
  very simple and have been in the upstream kernel for more than 3 years
  (and were quickly accepted in the 4.14.y stable branch last week).

  * With that said, the second patch could potentially introduce issues
  with super_block references - I honestly cannot conceive any issues
  potentially caused by patch 1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1934175/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
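The failure path the report describes (a kzalloc'd kernfs_super_info, kernfs_fill_super() failing before the node is ever list_add()'ed, kernfs_kill_sb() then running list_del() on the zeroed node) is modelled below in user space. This is an added example, not code from the bug report or from the kernel tree: struct list_head, INIT_LIST_HEAD, list_add, kill_sb, mount_ns and the `supers` list are stand-alone re-implementations named after their kernel counterparts, and the `init_early` flag stands for the INIT_LIST_HEAD(&info->node) that commit 82382acec0c9 adds.

```c
/* Added example, not from the bug report or the kernel: a user-space model
 * of the kernfs_kill_sb() oops and of the upstream fix. The list API below
 * is a minimal copy of include/linux/list.h semantics. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Same poison values list.h uses on x86_64 (the movabs in the splat). */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0xdead000000000200ULL)

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *entry, struct list_head *head)
{
    head->next->prev = entry;
    entry->next = head->next;
    entry->prev = head;
    head->next = entry;
}

/* Stand-in for struct kernfs_super_info: `node` links the superblock into
 * root->supers, but only once kernfs_fill_super() has succeeded. */
struct kernfs_super_info { struct list_head node; int filled; };

/* Stand-in for root->supers: an initialised, empty list. */
static struct list_head supers = { &supers, &supers };

/* Mirrors kernfs_kill_sb(): list_del(&info->node). Returns 0 when the
 * unlink is safe and -1 where the kernel would oops. With a zeroed node
 * next == NULL, so `next->prev = prev` writes to address 0x8, which is
 * the "NULL pointer dereference at 0008" in the report. */
static int kill_sb(struct kernfs_super_info *info)
{
    struct list_head *next = info->node.next, *prev = info->node.prev;
    if (next == NULL || prev == NULL)
        return -1;                      /* __list_del() would fault here */
    next->prev = prev;
    prev->next = next;
    info->node.next = LIST_POISON1;
    info->node.prev = LIST_POISON2;
    return 0;
}

/* Mirrors kernfs_mount_ns(): info comes from kzalloc (all zero). With
 * init_early set, the list head is initialised up front, as commit
 * 82382acec0c9 does; fill_fails models kernfs_fill_super() failing under
 * memory pressure, after which deactivate_locked_super() runs kill_sb(). */
static int mount_ns(int init_early, int fill_fails)
{
    struct kernfs_super_info *info = calloc(1, sizeof(*info));
    int rc;

    if (!info)
        return -2;
    if (init_early)
        INIT_LIST_HEAD(&info->node);    /* the one-line upstream fix */
    if (fill_fails) {
        rc = kill_sb(info);             /* error path: node never added */
        free(info);
        return rc;
    }
    info->filled = 1;
    list_add(&info->node, &supers);     /* kernfs_fill_super() succeeded */
    rc = kill_sb(info);                 /* a later umount must still work */
    free(info);
    return rc;
}

int main(void)
{
    printf("pre-fix, fill fails: %s\n", mount_ns(0, 1) ? "would oops" : "ok");
    printf("fixed,   fill fails: %s\n", mount_ns(1, 1) ? "would oops" : "ok");
    printf("fixed,   fill ok   : %s\n", mount_ns(1, 0) ? "would oops" : "ok");
    return 0;
}
```

With the head initialised to point at itself, list_del() on a node that was never linked rewrites the node's own pointers and nothing else, which is why the one-line fix is sufficient.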
[Kernel-packages] [Bug 1934175] Re: Kernel oops due to uninitialized list on kernfs (kernfs_kill_sb)
** Changed in: linux (Ubuntu)
     Assignee: Guilherme G. Piccoli (gpiccoli) => (unassigned)

** Changed in: linux (Ubuntu Bionic)
     Assignee: Guilherme G. Piccoli (gpiccoli) => (unassigned)

** Changed in: linux (Ubuntu Bionic)
     Assignee: (unassigned) => Krzysztof Kozlowski (krzk)
[Kernel-packages] [Bug 1934175] Re: Kernel oops due to uninitialized list on kernfs (kernfs_kill_sb)
This bug is awaiting verification that the kernel in -proposed solves the
problem. Please test the kernel and update this bug with the results. If
the problem is solved, change the tag 'verification-needed-bionic' to
'verification-done-bionic'. If the problem still exists, change the tag
'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!

** Tags added: verification-needed-bionic
[Kernel-packages] [Bug 1934175] Re: Kernel oops due to uninitialized list on kernfs (kernfs_kill_sb)
** Changed in: linux (Ubuntu Bionic)
       Status: In Progress => Fix Committed
[Kernel-packages] [Bug 1934175] Re: Kernel oops due to uninitialized list on kernfs (kernfs_kill_sb)
** Description changed:

- TBD
+ [Impact]
+ * We had a recent report of a kernel crash due to a NULL pointer dereference in a Bionic 4.15 derivative kernel, as per the following log collected:
+ 
+ [...]
+ [537105.767348] SLUB: Unable to allocate memory on node -1, gfp=0x14000c0(GFP_KERNEL)
+ [...]
+ [537105.767368] BUG: unable to handle kernel NULL pointer dereference at 0008
+ [537105.11] IP: kernfs_kill_sb+0x31/0x70
+ [537105.783582] PGD 0 P4D 0
+ [537105.787844] Oops: 0002 [#1] SMP PTI
+ [...]
+ RIP: 0010:kernfs_kill_sb+0x31/0x70
+ RSP: 0018:b90aec1afd00 EFLAGS: 00010286
+ RAX: RBX: 9fdbd567d900 RCX: a0143885ae01
+ RDX: RSI: a0143885ae00 RDI: a2937c40
+ RBP: b90aec1afd10 R08: a0150b581510 R09: 0001814d
+ R10: b90aec1afcd8 R11: 0100 R12: a01436e43000
+ R13: a01436e43000 R14: R15: 9fdbd567d900
+ FS: 7fe41a615b80() GS:a01afea4() knlGS:
+ CS: 0010 DS: ES: CR0: 80050033
+ CR2: 0008 CR3: 007dfe3cc003 CR4: 003606e0
+ DR0: DR1: DR2:
+ DR3: DR6: fffe0ff0 DR7: 0400
+ Call Trace:
+  sysfs_kill_sb+0x1f/0x40
+  deactivate_locked_super+0x48/0x80
+  kernfs_mount_ns+0x1eb/0x230
+  sysfs_mount+0x66/0xc0
+  mount_fs+0x37/0x160
+  ? alloc_vfsmnt+0x1b3/0x230
+  vfs_kern_mount.part.24+0x5d/0x110
+  do_mount+0x5ed/0xce0
+ [...]
+ 
+ * The following detailed call stack plus the disassembly help to
+ understand the cause of the issue:
+ 
+ mount_fs()
+ --sysfs_mount()
+   kernfs_mount_ns()
+   --deactivate_locked_super()
+     sysfs_kill_sb()
+     --kernfs_kill_sb()
+ 
+ The below disassembly of kernfs_kill_sb() clarifies exactly the issue:
+ 
+ 812f46e0 <kernfs_kill_sb>:
+ [ ... prologue ...]
+ 48 8b 9f 08 04 00 00    mov    0x408(%rdi),%rbx    # %rbx = kernfs_super_info *info = sb->s_fs_info
+ 49 89 fc                mov    %rdi,%r12           # %r12 = super_block *sb
+ 48 c7 c7 40 7c 53 82    mov    $0x82537c40,%rdi    # %rdi = &kernfs_mutex (global)
+ 812f46f9: R_X86_64_32S  kernfs_mutex
+ e8 ee da 67 00          callq  819721f0            # mutex_lock(&kernfs_mutex);
+ [...]
+ 48 8b 53 18             mov    0x18(%rbx),%rdx     # %rdx = info->node
+ 48 8b 43 20             mov    0x20(%rbx),%rax     # based on splat, RAX == 0x0 [info->head.prev]
+ 48 89 42 08             mov    %rax,0x8(%rdx)      # <- OOPS [tried to assign next->prev = prev, see __list_del()]
+ 48 89 10                mov    %rdx,(%rax)
+ 48 b8 00 01 00 00 00    movabs $0xdead0100,%rax    # node->next = LIST_POISON1
+ [...]
+ 
+ * The fix for this issue comes from upstream commit 82382acec0c9
+ ("kernfs: deal with kernfs_fill_super() failures"); this commit is a
+ very trivial fix that adds an INIT_LIST_HEAD(&info->node) in
+ kernfs_mount_ns(), making the list prev/next pointers valid since the
+ beginning. Unfortunately this commit wasn't CCed to the stable email when
+ sent, so it wasn't automatically picked up by the Ubuntu kernel; now it was
+ properly submitted to the stable list [0].
+ 
+ * Along with this fix, we found another commit (7b745a4e4051) which is a
+ small/simple fix to correlated code, that also should have been sent to
+ the 4.14.y stable branch, but for some reason wasn't. Since both commits
+ were accepted in linux-stable, we are hereby proposing the backport for
+ the Ubuntu 4.15 kernel.
+ 
+ [0]
+ https://lore.kernel.org/stable/20210622210622.9925-1-gpicc...@canonical.com/
+ 
+ 
+ [Test Case]
+ * We don't have a real test case, although a low-memory condition or an artificial kprobe reproducer could easily trigger the issue.
+ 
+ * We booted a qemu virtual machine with a kernel containing both patches
+ with no issues.
+ 
+ 
+ [Where problems could occur]
+ * The likelihood of issues is low, especially since both patches are very simple and have been in the upstream kernel for more than 3 years (and were quickly accepted in the 4.14.y stable branch last week).
+ 
+ * With that said, the second patch could potentially introduce issues
+ with super_block references - I honestly cannot conceive any issues
+ potentially caused by patch 1.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1934175

Title:
  Kernel oops due to uninitialized list on kernfs (kernfs_kill_sb)

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  In Progress