Re: general protection fault in kernfs_kill_sb (2)

2018-05-14 Thread Stephen Rothwell
Hi Al, On Mon, 14 May 2018 05:04:15 +0100 Al Viro wrote: > > On Mon, May 14, 2018 at 12:20:16PM +0900, Tetsuo Handa wrote: > > > But there remains a refcount bug because deactivate_locked_super() from > > kernfs_mount_ns() triggers kobj_ns_drop() from sysfs_kill_sb()

Re: general protection fault in kernfs_kill_sb (2)

2018-05-13 Thread Al Viro
On Mon, May 14, 2018 at 05:04:15AM +0100, Al Viro wrote: > diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c > index b428d317ae92..92682fcc41f6 100644 > --- a/fs/sysfs/mount.c > +++ b/fs/sysfs/mount.c > @@ -25,7 +25,7 @@ static struct dentry *sysfs_mount(struct file_system_type > *fs_type, > { >

Re: general protection fault in kernfs_kill_sb (2)

2018-05-13 Thread Al Viro
On Mon, May 14, 2018 at 12:20:16PM +0900, Tetsuo Handa wrote: > But there remains a refcount bug because deactivate_locked_super() from > kernfs_mount_ns() triggers kobj_ns_drop() from sysfs_kill_sb() via > sb->kill_sb() when kobj_ns_drop() is always called by sysfs_mount() > if kernfs_mount_ns()

Re: general protection fault in kernfs_kill_sb (2)

2018-05-13 Thread Al Viro
On Sun, May 13, 2018 at 11:19:46AM +0900, Tetsuo Handa wrote: > This is what I reported at > https://groups.google.com/d/msg/syzkaller-bugs/ISOJlV2I2QM/qHslGMi3AwAJ . > > We are currently waiting for comments from Al Viro. 1) the damn thing is unusable without javashit. Which gets about the

Re: general protection fault in kernfs_kill_sb (2)

2018-05-12 Thread Tetsuo Handa
On 2018/05/13 2:01, syzbot wrote: > Call Trace: >  __list_del_entry include/linux/list.h:117 [inline] >  list_del include/linux/list.h:125 [inline] >  kernfs_kill_sb+0xa0/0x350 fs/kernfs/mount.c:361 >  sysfs_kill_sb+0x22/0x40 fs/sysfs/mount.c:50 >  deactivate_locked_super+0x97/0x100 fs/super.c:316

general protection fault in kernfs_kill_sb (2)

2018-05-12 Thread syzbot
Hello, syzbot found the following crash on: HEAD commit: f0ab773f5c96 Merge branch 'akpm' (patches from Andrew) git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=140ce81780 kernel config: https://syzkaller.appspot.com/x/.config?x=fcce42b221691ff9

Re: general protection fault in kernfs_kill_sb

2018-05-02 Thread Tetsuo Handa
On 2018/04/20 11:44, Eric Biggers wrote: > Fix for the kernfs bug is now queued in vfs/for-linus: > > #syz fix: kernfs: deal with early sget() failures Well, the following patches rpc_pipefs: deal with early sget() failures kernfs: deal with early sget() failures procfs: deal with early

Re: general protection fault in kernfs_kill_sb

2018-04-20 Thread Eric Biggers
On Fri, Apr 20, 2018 at 09:31:58AM +0200, Michal Hocko wrote: > On Fri 20-04-18 14:29:39, Tetsuo Handa wrote: > > Eric Biggers wrote: > > > But, there is still a related bug: when mounting sysfs, if > > > register_shrinker() > > > fails in sget_userns(), then kernfs_kill_sb() gets called, which

Re: general protection fault in kernfs_kill_sb

2018-04-20 Thread Michal Hocko
On Fri 20-04-18 14:29:39, Tetsuo Handa wrote: > Eric Biggers wrote: > > But, there is still a related bug: when mounting sysfs, if > > register_shrinker() > > fails in sget_userns(), then kernfs_kill_sb() gets called, which frees the > > 'struct kernfs_super_info'. But, the 'struct

Re: general protection fault in kernfs_kill_sb

2018-04-19 Thread Eric Biggers
On Thu, Apr 19, 2018 at 07:44:40PM -0700, Eric Biggers wrote: > On Mon, Apr 02, 2018 at 03:34:15PM +0100, Al Viro wrote: > > On Mon, Apr 02, 2018 at 07:40:22PM +0900, Tetsuo Handa wrote: > > > > > That commit assumes that calling kill_sb() from deactivate_locked_super(s) > > > without

Re: general protection fault in kernfs_kill_sb

2018-04-19 Thread Eric Biggers
On Mon, Apr 02, 2018 at 03:34:15PM +0100, Al Viro wrote: > On Mon, Apr 02, 2018 at 07:40:22PM +0900, Tetsuo Handa wrote: > > > That commit assumes that calling kill_sb() from deactivate_locked_super(s) > > without corresponding fill_super() is safe. We have so far crashed with > > rpc_mount() and

Re: general protection fault in kernfs_kill_sb

2018-04-02 Thread Al Viro
On Mon, Apr 02, 2018 at 07:40:22PM +0900, Tetsuo Handa wrote: > That commit assumes that calling kill_sb() from deactivate_locked_super(s) > without corresponding fill_super() is safe. We have so far crashed with > rpc_mount() and kernfs_mount_ns(). Is that really safe? Consider the case

Re: general protection fault in kernfs_kill_sb

2018-04-02 Thread Tetsuo Handa
On 2018/04/02 2:01, syzbot wrote: > Hello, > > syzbot hit the following crash on bpf-next commit > 7828f20e3779e4e85e55371e0e43f5006a15fb41 (Sat Mar 31 00:17:57 2018 +) > Merge branch 'bpf-cgroup-bind-connect' > syzbot dashboard link: >

general protection fault in kernfs_kill_sb

2018-04-01 Thread syzbot
Hello, syzbot hit the following crash on bpf-next commit 7828f20e3779e4e85e55371e0e43f5006a15fb41 (Sat Mar 31 00:17:57 2018 +) Merge branch 'bpf-cgroup-bind-connect' syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=151de3f2be6b40ac8026 So far this crash happened 3 times on
