Re: NULL pointer dereference when access /proc/net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Apr 26, 2021 at 01:04:46AM +0800, haosdent wrote:
> Hi, Alexander, thanks a lot for your quick reply.
> 
> > Not really - the crucial part is ->d_count == -128, i.e. it's already past
> > __dentry_kill().
> 
> Thanks a lot for your information, we would check this.
> 
> > Which tree is that?
> > If you have some patches applied on top of that...
> 
> We use Ubuntu Linux Kernel "4.15.0-42.45~16.04.1" from launchpad directly
> without any modification,  the mapping Linux Kernel should be
> "4.15.18" according
> to https://people.canonical.com/~kernel/info/kernel-version-map.html

Umm...  OK, I don't have it Ubuntu source at hand, but the thing to look into
would be
	* nd->flags contains LOOKUP_RCU
	* in the mainline from that period (i.e. back when __atime_needs_update()
used to exist) we had atime_needs_update_rcu() called in get_link() under those
conditions, with
static inline bool atime_needs_update_rcu(const struct path *path,
				          struct inode *inode)
{
	return __atime_needs_update(path, inode, true);
}
and __atime_needs_update() passing its last argument (rcu:true in this case) to
relatime_need_update() in
	if (!relatime_need_update(path, inode, now, rcu))
relatime_need_update() hitting
	update_ovl_inode_times(path->dentry, inode, rcu);
and update_ovl_inode_times() starting with
	if (rcu || likely(!(dentry->d_flags & DCACHE_OP_REAL)))
		return;
with subsequent accesses to ->d_inode.  Those obviously are *NOT* supposed
to be reached in rcu mode, due to that check.

Your oops looks like something similar to that call chain had been involved and
somehow had managed to get through to those ->d_inode uses.

Again, in RCU mode we really, really should not assume ->d_inode stable.  That's
why atime_needs_update() gets inode as a separate argument and does *NOT* look
at path->dentry at all.  In the kernels of 4.8..4.18 period there it used to do
so, but only in non-RCU mode (which is the reason for explicit rcu argument passed
through that callchain).



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux