Re: [PATCH RFC] : fhandle: relax open_by_handle_at() permission checks

Hello,

kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:

commit: 9ca8b65e411ba759831af5d678f8d01e141816a1 ("[PATCH RFC] : fhandle: relax open_by_handle_at() permission checks")
url: https://github.com/intel-lab-lkp/linux/commits/Christian-Brauner/fhandle-relax-open_by_handle_at-permission-checks/20240524-182059
patch link: https://lore.kernel.org/all/20240524-vfs-open_by_handle_at-v1-1-3d4b7d22736b@xxxxxxxxxx/
patch subject: [PATCH RFC] : fhandle: relax open_by_handle_at() permission checks

in testcase: trinity
version: 
with following parameters:

	runtime: 600s



compiler: gcc-13
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+---------------------------------------------+------------+------------+
|                                             | 8f6a15f095 | 9ca8b65e41 |
+---------------------------------------------+------------+------------+
| boot_successes                              | 4          | 0          |
| boot_failures                               | 0          | 6          |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 6          |
| Oops:Oops:#[##]                             | 0          | 6          |
| EIP:handle_to_path                          | 0          | 6          |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 6          |
+---------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202405271007.7e95eb21-lkp@xxxxxxxxx


[   20.927410][  T678] BUG: kernel NULL pointer dereference, address: 00000002
[   20.928271][  T678] #PF: supervisor read access in kernel mode
[   20.928887][  T678] #PF: error_code(0x0000) - not-present page
[   20.929607][  T678] *pde = 00000000
[   20.930090][  T678] Oops: Oops: 0000 [#1]
[   20.930616][  T678] CPU: 0 PID: 678 Comm: trinity-c0 Not tainted 6.9.0-10324-g9ca8b65e411b #1
[ 20.931662][ T678] EIP: handle_to_path (fs/fhandle.c:259 (discriminator 1)) 
[ 20.932243][ T678] Code: f2 ff ff ff e9 95 fe ff ff 8d b6 00 00 00 00 bb ea ff ff ff e9 85 fe ff ff 8d b6 00 00 00 00 8b 45 d8 ba 15 00 00 00 8b 40 6c <8b> 40 18 e8 c1 3a de ff 84 c0 0f 84 5f fe ff ff 8b 45 d8 8b 55 dc
All code
========
   0:	f2 ff                	repnz (bad)
   2:	ff                   	(bad)
   3:	ff                   	(bad)
   4:	e9 95 fe ff ff       	jmp    0xfffffffffffffe9e
   9:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
   f:	bb ea ff ff ff       	mov    $0xffffffea,%ebx
  14:	e9 85 fe ff ff       	jmp    0xfffffffffffffe9e
  19:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  1f:	8b 45 d8             	mov    -0x28(%rbp),%eax
  22:	ba 15 00 00 00       	mov    $0x15,%edx
  27:	8b 40 6c             	mov    0x6c(%rax),%eax
  2a:*	8b 40 18             	mov    0x18(%rax),%eax		<-- trapping instruction
  2d:	e8 c1 3a de ff       	call   0xffffffffffde3af3
  32:	84 c0                	test   %al,%al
  34:	0f 84 5f fe ff ff    	je     0xfffffffffffffe99
  3a:	8b 45 d8             	mov    -0x28(%rbp),%eax
  3d:	8b 55 dc             	mov    -0x24(%rbp),%edx

Code starting with the faulting instruction
===========================================
   0:	8b 40 18             	mov    0x18(%rax),%eax
   3:	e8 c1 3a de ff       	call   0xffffffffffde3ac9
   8:	84 c0                	test   %al,%al
   a:	0f 84 5f fe ff ff    	je     0xfffffffffffffe6f
  10:	8b 45 d8             	mov    -0x28(%rbp),%eax
  13:	8b 55 dc             	mov    -0x24(%rbp),%edx
[   20.934542][  T678] EAX: ffffffea EBX: c38458c0 ECX: 00000015 EDX: 00000015
[   20.935354][  T678] ESI: ede5bf48 EDI: 00000000 EBP: ede5bf70 ESP: ede5bf2c
[   20.936199][  T678] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010246
[   20.937022][  T678] CR0: 80050033 CR2: 00000002 CR3: 0370d000 CR4: 00040690
[   20.937713][  T678] Call Trace:
[ 20.938034][ T678] ? show_regs (arch/x86/kernel/dumpstack.c:479) 
[ 20.938520][ T678] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) 
[ 20.938942][ T678] ? debug_locks_off (lib/debug_locks.c:44) 
[ 20.939502][ T678] ? page_fault_oops (arch/x86/mm/fault.c:715) 
[ 20.940033][ T678] ? kernelmode_fixup_or_oops+0x5c/0x70 
[ 20.940759][ T678] ? __bad_area_nosemaphore+0x113/0x1b4 
[ 20.941504][ T678] ? lock_release (kernel/locking/lockdep.c:467 (discriminator 4) kernel/locking/lockdep.c:5776 (discriminator 4)) 
[ 20.942005][ T678] ? up_read (kernel/locking/rwsem.c:1623) 
[ 20.942838][ T678] ? bad_area_nosemaphore (arch/x86/mm/fault.c:835) 
[ 20.943483][ T678] ? do_user_addr_fault (arch/x86/mm/fault.c:1452) 
[ 20.944138][ T678] ? exc_page_fault (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:67 arch/x86/include/asm/irqflags.h:127 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) 
[ 20.944774][ T678] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494) 
[ 20.945558][ T678] ? handle_exception (arch/x86/entry/entry_32.S:1054) 
[ 20.946219][ T678] ? keyring_search_rcu (include/linux/refcount.h:192 include/linux/refcount.h:241 include/linux/refcount.h:258 include/linux/key.h:308 security/keys/keyring.c:923) 
[ 20.946845][ T678] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494) 
[ 20.947517][ T678] ? handle_to_path (fs/fhandle.c:259 (discriminator 1)) 
[ 20.948115][ T678] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494) 
[ 20.948896][ T678] ? handle_to_path (fs/fhandle.c:259 (discriminator 1)) 
[ 20.949505][ T678] ? __lock_release+0x54/0x170 
[ 20.950147][ T678] ? __task_pid_nr_ns (include/linux/rcupdate.h:810 kernel/pid.c:514) 
[ 20.950699][ T678] __ia32_sys_open_by_handle_at (fs/fhandle.c:317 fs/fhandle.c:357 fs/fhandle.c:348 fs/fhandle.c:348) 
[ 20.951279][ T678] ? syscall_exit_to_user_mode (kernel/entry/common.c:221) 
[ 20.951859][ T678] ia32_sys_call (arch/x86/entry/syscall_32.c:42) 
[ 20.952409][ T678] do_int80_syscall_32 (arch/x86/entry/common.c:165 (discriminator 1) arch/x86/entry/common.c:339 (discriminator 1)) 
[ 20.953037][ T678] entry_INT80_32 (arch/x86/entry/entry_32.S:944) 
[   20.953604][  T678] EIP: 0x8097522
[ 20.954040][ T678] Code: 89 c8 c3 90 8d 74 26 00 85 c0 c7 01 01 00 00 00 75 d8 a1 cc 3c ad 08 eb d1 66 90 66 90 66 90 66 90 66 90 66 90 66 90 90 cd 80 <c3> 8d b6 00 00 00 00 8d bc 27 00 00 00 00 8b 10 a3 f4 3c ad 08 85
All code
========
   0:	89 c8                	mov    %ecx,%eax
   2:	c3                   	ret
   3:	90                   	nop
   4:	8d 74 26 00          	lea    0x0(%rsi,%riz,1),%esi
   8:	85 c0                	test   %eax,%eax
   a:	c7 01 01 00 00 00    	movl   $0x1,(%rcx)
  10:	75 d8                	jne    0xffffffffffffffea
  12:	a1 cc 3c ad 08 eb d1 	movabs 0x9066d1eb08ad3ccc,%eax
  19:	66 90 
  1b:	66 90                	xchg   %ax,%ax
  1d:	66 90                	xchg   %ax,%ax
  1f:	66 90                	xchg   %ax,%ax
  21:	66 90                	xchg   %ax,%ax
  23:	66 90                	xchg   %ax,%ax
  25:	66 90                	xchg   %ax,%ax
  27:	90                   	nop
  28:	cd 80                	int    $0x80
  2a:*	c3                   	ret		<-- trapping instruction
  2b:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  31:	8d bc 27 00 00 00 00 	lea    0x0(%rdi,%riz,1),%edi
  38:	8b 10                	mov    (%rax),%edx
  3a:	a3                   	.byte 0xa3
  3b:	f4                   	hlt
  3c:	3c ad                	cmp    $0xad,%al
  3e:	08                   	.byte 0x8
  3f:	85                   	.byte 0x85

Code starting with the faulting instruction
===========================================
   0:	c3                   	ret
   1:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
   7:	8d bc 27 00 00 00 00 	lea    0x0(%rdi,%riz,1),%edi
   e:	8b 10                	mov    (%rax),%edx
  10:	a3                   	.byte 0xa3
  11:	f4                   	hlt
  12:	3c ad                	cmp    $0xad,%al
  14:	08                   	.byte 0x8
  15:	85                   	.byte 0x85
[   20.956462][  T678] EAX: ffffffda EBX: 00000136 ECX: 00000001 EDX: 00033f01
[   20.957337][  T678] ESI: 000001b6 EDI: fffffff9 EBP: fffffff8 ESP: bf997c98
[   20.958254][  T678] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[   20.959207][  T678] Modules linked in:
[   20.959695][  T678] CR2: 0000000000000002
[   20.960372][  T678] ---[ end trace 0000000000000000 ]---


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240527/202405271007.7e95eb21-lkp@xxxxxxxxx



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
