From patchwork Tue Feb 23 15:34:59 2016
X-Patchwork-Submitter: Dmitry Vyukov
X-Patchwork-Id: 8393941
In-Reply-To: <20160222172314.GL17997@ZenIV.linux.org.uk>
From: Dmitry Vyukov
Date: Tue, 23 Feb 2016 16:34:59 +0100
Subject: Re: fs: NULL deref in atime_needs_update
To: Al Viro
Cc: Mickaël Salaün, "linux-fsdevel@vger.kernel.org", LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin

On Mon, Feb 22, 2016 at 6:23 PM, Al Viro wrote:
> On Mon, Feb 22, 2016 at 12:20:30PM +0100, Dmitry Vyukov wrote:
>
>> I've reproduced the second report (the one originating in openat) with
>> this patch and the WARNING did _not_ fire:
>
> Lovely... Could you dump your inode.o on anonftp somewhere? Or post
> the disassembled atime_needs_update, for that matter - shouldn't be
> all that long... .config (and gcc version) you are using would also be nice.
>
> On the face of it, NULL inode is a plausible source of that one, but
> it's _very_ odd. It would have to be NULL ->link_inode, and since the
> warning hadn't triggered, there was a successful should_follow_link(),
> with NULL inode argument.
>
> Could you slap WARN_ON(!inode) in pick_link()? Or even
> WARN_ON(IS_ERR_OR_NULL(inode)), for that matter...

I was able to reproduce the crash on vanilla kernel (no KASAN, no KCOV)
with the new WARNING; this one does fire.
So I am on commit 4de8ebeff8ddefaceeb7fc6a9b1a514fc9624509 (Feb 22), with:

$ git diff
                return -ELOOP;
@@ -3273,6 +3274,10 @@ opened:
                goto exit_fput;
        }
 out:
+       if (unlikely(error > 0)) {
+               WARN_ON(1);
+               error = -EINVAL;
+       }
        if (got_write)
                mnt_drop_write(nd->path.mnt);
        path_put(&save_parent);

The crash:

[ 8095.048336] ------------[ cut here ]------------
[ 8095.048864] WARNING: CPU: 3 PID: 5532 at fs/namei.c:1672 should_follow_link.part.25+0x55/0x21a()
[ 8095.049830] Modules linked in:
[ 8095.050155] CPU: 3 PID: 5532 Comm: syz-executor Not tainted 4.5.0-rc5+ #69
[ 8095.050760] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 8095.051104]  0000000000000000 ffff8800005ffc78 ffffffff8194e5f9 0000000000000000
[ 8095.051649]  ffffffff8334c24c ffff8800005ffcb0 ffffffff81172291 ffff8800005ffde0
[ 8095.051649]  ffff8800005ffd98 0000000000048000 ffff8800005ffde0 ffff8800005ffefc
[ 8095.051649] Call Trace:
[ 8095.051649]  [] dump_stack+0x99/0xd0
[ 8095.054784]  [] warn_slowpath_common+0x81/0xc0
[ 8095.054784]  [] warn_slowpath_null+0x15/0x20
[ 8095.054784]  [] should_follow_link.part.25+0x55/0x21a
[ 8095.054784]  [] path_openat+0x1229/0x1500
[ 8095.057172]  [] do_filp_open+0x79/0xd0
[ 8095.057172]  [] ? _raw_spin_unlock+0x22/0x30
[ 8095.057172]  [] ? __alloc_fd+0xf8/0x200
[ 8095.058364]  [] do_sys_open+0x110/0x1f0
[ 8095.058364]  [] SyS_openat+0xf/0x20
[ 8095.058364]  [] entry_SYSCALL_64_fastpath+0x16/0x7a
[ 8095.060124] ---[ end trace 50e32daa426e4c92 ]---
[ 8095.060526] BUG: unable to handle kernel NULL pointer dereference at 000000000000000c
[ 8095.061111] IP: [] atime_needs_update+0x9/0xc0
[ 8095.061549] PGD 6ae6e067 PUD 6ae6a067 PMD 0
[ 8095.061549] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
[ 8095.061549] Modules linked in:
[ 8095.061549] CPU: 3 PID: 5532 Comm: syz-executor Tainted: G W 4.5.0-rc5+ #69
[ 8095.061549] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 8095.061549] task: ffff88002bc00000 ti: ffff8800005fc000 task.ti: ffff8800005fc000
[ 8095.061549] RIP: 0010:[] [] atime_needs_update+0x9/0xc0
[ 8095.061549] RSP: 0018:ffff8800005ffcb0 EFLAGS: 00010282
[ 8095.061549] RAX: 0000000000000030 RBX: ffff8800005ffde0 RCX: 0000000000000000
[ 8095.061549] RDX: ffff8800005ffe38 RSI: 0000000000000000 RDI: ffff8800005ffe38
[ 8095.061549] RBP: ffff8800005ffcc0 R08: 0000000000000002 R09: 0000000000000001
[ 8095.061549] R10: 0000000000000001 R11: 0000000000001828 R12: 0000000000000000
[ 8095.061549] R13: ffff8800005ffe38 R14: ffff880031950be0 R15: ffff8800005ffefc
[ 8095.061549] FS: 00007fc3bf2ee700(0000) GS:ffff88007f900000(0000) knlGS:0000000000000000
[ 8095.069746] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 8095.069746] CR2: 000000000000000c CR3: 000000006b982000 CR4: 00000000000006e0
[ 8095.071108] Stack:
[ 8095.071538]  ffff8800005ffcc0 ffff8800005ffde0 ffff8800005ffd00 ffffffff81314ca2
[ 8095.072227]  0000000200000002 0000000000000005 ffff8800005ffd98 0000000000048000
[ 8095.072227]  ffff8800005ffde0 ffff8800005ffefc ffff8800005ffdd0 ffffffff81317173
[ 8095.072227] Call Trace:
[ 8095.072227]  [] trailing_symlink+0x62/0x260
[ 8095.072227]  [] path_openat+0x2d3/0x1500
[ 8095.072227]  [] do_filp_open+0x79/0xd0
[ 8095.072227]  [] ? _raw_spin_unlock+0x22/0x30
[ 8095.072227]  [] ? __alloc_fd+0xf8/0x200
[ 8095.072227]  [] do_sys_open+0x110/0x1f0
[ 8095.072227]  [] SyS_openat+0xf/0x20
[ 8095.072227]  [] entry_SYSCALL_64_fastpath+0x16/0x7a
[ 8095.072227] Code: ff ff ff 48 85 c0 48 89 c3 74 08 48 89 c7 e8 ef dc ff ff 48 89 d8 5b 5d c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 46 0c 02 48 8b 1f 75 6b 48 8b 7e 28 48 8b 47 50 a9 01 04 00
[ 8095.072227] RIP [] atime_needs_update+0x9/0xc0
[ 8095.072227]  RSP
[ 8095.072227] CR2: 000000000000000c
[ 8095.116838] ---[ end trace 50e32daa426e4c93 ]---
[ 8095.116838] BUG: sleeping function called from invalid context at include/linux/sched.h:2795
[ 8095.116838] in_atomic(): 1, irqs_disabled(): 1, pid: 5532, name: syz-executor
[ 8095.116838] INFO: lockdep is turned off.
[ 8095.116838] irq event stamp: 636
[ 8095.116838] hardirqs last enabled at (635): [] vprintk_emit+0x2d6/0x5f0
[ 8095.116838] hardirqs last disabled at (636): [] error_entry+0x69/0xc0
[ 8095.116838] softirqs last enabled at (632): [] __do_softirq+0x222/0x4a0
[ 8095.116838] softirqs last disabled at (623): [] irq_exit+0xa7/0xc0
[ 8095.116838] CPU: 3 PID: 5532 Comm: syz-executor Tainted: G D W 4.5.0-rc5+ #69
[ 8095.116838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 8095.116838]  0000000000000000 ffff8800005ff9a8 ffffffff8194e5f9 ffff88002bc00000
[ 8095.116838]  000000000000159c ffff8800005ff9d0 ffffffff811a0659 ffffffff832a29c3
[ 8095.116838]  0000000000000aeb 0000000000000000 ffff8800005ff9f8 ffffffff811a0764
[ 8095.116838] Call Trace:
[ 8095.116838]  [] dump_stack+0x99/0xd0
[ 8095.116838]  [] ___might_sleep+0x179/0x240
[ 8095.116838]  [] __might_sleep+0x44/0x80
[ 8095.116838]  [] exit_signals+0x1f/0x130
[ 8095.116838]  [] do_exit+0xbf/0xd10
[ 8095.116838]  [] ? kmsg_dump+0x104/0x180
[ 8095.116838]  [] oops_end+0x9f/0xe0
[ 8095.116838]  [] no_context+0x108/0x390
[ 8095.116838]  [] ? print_time.part.13+0x67/0x90
[ 8095.116838]  [] __bad_area_nosemaphore+0x11d/0x220
[ 8095.116838]  [] bad_area_nosemaphore+0xe/0x10
[ 8095.116838]  [] __do_page_fault+0x84/0x470
[ 8095.116838]  [] trace_do_page_fault+0x74/0x2c0
[ 8095.116838]  [] do_async_page_fault+0x14/0x90
[ 8095.116838]  [] async_page_fault+0x28/0x30
[ 8095.116838]  [] ? atime_needs_update+0x9/0xc0
[ 8095.116838]  [] trailing_symlink+0x62/0x260
[ 8095.116838]  [] path_openat+0x2d3/0x1500
[ 8095.116838]  [] do_filp_open+0x79/0xd0
[ 8095.116838]  [] ? _raw_spin_unlock+0x22/0x30
[ 8095.116838]  [] ? __alloc_fd+0xf8/0x200
[ 8095.116838]  [] do_sys_open+0x110/0x1f0
[ 8095.116838]  [] SyS_openat+0xf/0x20
[ 8095.116838]  [] entry_SYSCALL_64_fastpath+0x16/0x7a
[ 8095.195133] note: syz-executor[5532] exited with preempt_count 1

And here is my inode.o:
https://gist.githubusercontent.com/dvyukov/27ec88c2c1a83c2e0f38/raw/2514d0ddd7720a978e6a2f67c2dcb391046ce0e7/gistfile1.txt

This can be reproduced following the instructions here:
https://github.com/google/syzkaller/wiki/How-to-execute-syzkaller-programs

Using this command line:
# ./syz-execprog -cover=0 -procs=60 -repeat=0 prog

with the following program:
https://gist.githubusercontent.com/dvyukov/fc026f36f9f76d1a440b/raw/0e133afa99eb7de45880523fbd48256cd2ae4a6c/gistfile1.txt
(requires CONFIG_USER_NS=y).

The crash triggers after hours of execution.

diff --git a/fs/namei.c b/fs/namei.c
index f624d13..9675e9e 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1669,6 +1669,7 @@ static int pick_link(struct nameidata *nd, struct path *link,
 {
        int error;
        struct saved *last;
+       WARN_ON(IS_ERR_OR_NULL(inode));
        if (unlikely(nd->total_link_count++ >= MAXSYMLINKS)) {
                path_to_nameidata(link, nd);
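Review bot: the WARN_ON(IS_ERR_OR_NULL(inode)) added to pick_link() only reports; the NULL inode is still saved and is then dereferenced in trailing_symlink(), which is exactly what the trace above shows (the WARNING at fs/namei.c:1672, the position of the new line in this hunk, followed immediately by the oops in atime_needs_update). For a diagnostic patch it is more useful to bail out so the machine survives for the next reproduction, e.g. `if (WARN_ON(IS_ERR_OR_NULL(inode))) return -EINVAL;`, and to log PTR_ERR(inode) when IS_ERR(inode) holds so a NULL can be told apart from an error pointer.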
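Review bot: in the `@@ -3273,6 +3274,10 @@ opened:` hunk quoted before the crash, `WARN_ON(1)` inside `if (unlikely(error > 0))` discards the one value the check is there to capture; `WARN(error > 0, "error=%d", error)` (or WARN_ONCE) would record which positive value reached `out:` while keeping the `error = -EINVAL` fallback. The +3274 offset is the one-line shift introduced by the pick_link() hunk, so the two hunks are a single `git diff`; the quoted exchange says the earlier WARNING did not fire and this mail reports that the pick_link() one does, so both are instrumentation for the NULL ->link_inode hypothesis rather than a fix.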
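Al Viro's two suggested guards differ in what they catch: `WARN_ON(!inode)` catches only NULL, while `WARN_ON(IS_ERR_OR_NULL(inode))` also catches an error-encoded pointer, and neither by itself stops the saved inode from reaching trailing_symlink(). The userland C model below is an added example, not kernel code or code from this thread; it re-creates the kernel's ERR_PTR encoding and uses toy `struct inode`, `struct saved`, `struct nameidata` layouts and simplified `pick_link`/`trailing_symlink` bodies, all of which are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Kernel ERR_PTR convention: the top MAX_ERRNO addresses encode -errno. */
#define MAX_ERRNO 4095
#define ERR_PTR(err)      ((void *)(intptr_t)(err))
#define PTR_ERR(p)        ((long)(intptr_t)(p))
#define IS_ERR(p)         ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)
#define IS_ERR_OR_NULL(p) ((p) == NULL || IS_ERR(p))
#define MAXSYMLINKS 40

/* Toy stand-ins for the kernel structs (assumed layout, not the real one). */
struct inode { unsigned long i_flags; };           /* bit 0 = "noatime" in this toy */
struct saved { struct inode *link_inode; };
struct nameidata { struct saved stack[8]; int depth; int total_link_count; };

/* Model of pick_link(): the thread's guard, but rejecting rather than only warning. */
static int pick_link(struct nameidata *nd, struct inode *inode)
{
    if (IS_ERR_OR_NULL(inode))
        return inode ? (int)PTR_ERR(inode) : -EINVAL;  /* ERR_PTR -> its errno, NULL -> -EINVAL */
    if (nd->total_link_count++ >= MAXSYMLINKS)
        return -ELOOP;
    if (nd->depth >= 8)
        return -ENOMEM;
    nd->stack[nd->depth++].link_inode = inode;
    return 0;
}

/* Model of trailing_symlink() -> atime_needs_update(): the saved inode is
 * dereferenced unconditionally, so a NULL that was saved faults here. */
static int atime_needs_update(const struct inode *inode)
{
    return !(inode->i_flags & 1UL);               /* 1 = atime should be updated */
}

static int trailing_symlink(struct nameidata *nd)
{
    return atime_needs_update(nd->stack[nd->depth - 1].link_inode);
}

/* Three scenarios: NULL inode, error-encoded inode, valid inode. */
static int scenario_null(void) { struct nameidata nd = {0}; return pick_link(&nd, NULL); }
static int scenario_err(void)  { struct nameidata nd = {0}; return pick_link(&nd, ERR_PTR(-ENOENT)); }
static int scenario_ok(void)
{
    static struct inode ino = { .i_flags = 0 }; struct nameidata nd = {0};
    return pick_link(&nd, &ino) ? -1 : trailing_symlink(&nd);
}
```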