On Wed, 2016-02-17 at 00:40 +0100, Mickaël Salaün wrote: > Hi, > > Actually I found the same bug (without fuzzing) and I can reproduce it > in a deterministic way (e.g. by creating a LSM that return 1 for the > security_file_open hook). At least, from v4.2.8 I can easily trigger > traces like this : Reading through this thread I wonder if this is a new problem. Is there a previous kernel it can't be reproduced on? Perhaps a bisect will shed some light on what's happening. > > BUG: unable to handle kernel NULL pointer dereference at > 0000000000000050 > IP: [<ffffffff81170871>] atime_needs_update+0x11/0xc0 > PGD 127b17067 PUD 12ab2e067 PMD 0 > Oops: 0000 [#45] SMP > [...] > RIP: 0010:[<ffffffff81170871>] [<ffffffff81170871>] > atime_needs_update+0x11/0xc0 > RSP: 0018:ffff880127853c18 EFLAGS: 00010246 > RAX: ffff88012ad0c080 RBX: ffff88012ad0c1d8 RCX: ffff88012ad0c080 > RDX: 0000000000000000 RSI: ffff88012ad0c1d8 RDI: ffff880127853d98 > RBP: ffff880127853c28 R08: ffff8800cc0a2540 R09: ffff8800cfbfc320 > R10: ffff8800cc0a2540 R11: 0000000000000001 R12: ffff8800cb5d6300 > R13: 0000000000000000 R14: ffff88012ad0c080 R15: ffff880127853e7c > FS: 00007f1054aae700(0000) GS:ffff88012fc40000(0000) > knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000050 CR3: 0000000127977000 CR4: 00000000000406e0 > Stack: > ffff88012ad0c1d8 ffff8800cb5d6300 ffff880127853c60 ffffffff8117094e > ffff8800c9ade3c0 0000000000000000 00000000a670294f ffff880127853d70 > ffff880127853d98 ffff880127853c98 ffffffff8116071c ffff8800cb4ada80 > Call Trace: > [<ffffffff8117094e>] ? touch_atime+0x2e/0xd0 > [<ffffffff8116071c>] ? trailing_symlink+0xec/0x280 > [<ffffffff81163a78>] ? path_openat+0x468/0x1240 > [<ffffffff8111856d>] ? pagevec_lru_move_fn+0xed/0x110 > [<ffffffff81117ff0>] ? __activate_page+0x130/0x130 > [<ffffffff8116593c>] ? do_filp_open+0x8c/0x100 > [<ffffffff81164dec>] ? filename_lookup+0xec/0x180 > [<ffffffff8115bc24>] ? do_open_execat+0x74/0x170 > [<ffffffff8115d437>] ? do_execveat_common.isra.42+0x1a7/0x6a0 > [<ffffffff8115db90>] ? SyS_execve+0x30/0x40 > [<ffffffff8156ad65>] ? stub_execve+0x5/0x5 > [<ffffffff8156aadb>] ? entry_SYSCALL_64_fastpath+0x16/0x6a > Code: 89 c7 e8 63 eb ff ff 48 89 d8 5b c3 0f 1f 40 00 66 2e 0f 1f 84 > 00 00 00 00 00 55 48 89 e5 41 54 53 f6 46 0c 02 75 72 48 8b 56 28 <48> > 8b 42 50 a9 01 04 00 00 75 63 f6 c4 08 75 65 4c 8b 27 41 8b > RIP [<ffffffff81170871>] atime_needs_update+0x11/0xc0 > RSP <ffff880127853c18> > CR2: 0000000000000050 > ---[ end trace 97dc4f4bb0214bd8 ]--- > > > Regards, > Mickaël > > > On 05/02/2016 22:11, Dmitry Vyukov wrote: > > Hello, > > > > I've hit the following GPF while running syzkaller fuzzer: > > > > general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN > > Modules linked in: > > CPU: 1 PID: 5178 Comm: syz-executor Not tainted 4.5.0-rc2+ #65 > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs > > 01/01/2011 > > task: ffff880064768000 ti: ffff8800622c0000 task.ti: > > ffff8800622c0000 > > RIP: 0010:[<ffffffff8181aa5d>] [<ffffffff8181aa5d>] > > atime_needs_update+0x2d/0x460 > > RSP: 0018:ffff8800622c7a30 EFLAGS: 00010203 > > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000 > > RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000000000c > > RBP: ffff8800622c7a58 R08: 0000000000000001 R09: 0000000000000000 > > R10: 0000000000000000 R11: 0000000000000001 R12: ffff8800622c7c08 > > R13: ffff8800622c7c08 R14: ffff8800301ca322 R15: ffff8800622c7bb0 > > FS: 00007fd1c9f8b700(0000) GS:ffff88003ed00000(0000) > > knlGS:0000000000000000 > > CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b > > CR2: 0000000020f31000 CR3: 0000000062274000 CR4: 00000000000006e0 > > Stack: > > ffff8800622c7bf4 0000000000000000 ffff8800622c7c08 ffff8800301ca322 > > ffff8800622c7bb0 ffff8800622c7b38 ffffffff817ecd91 ffff880030bf5200 > > ffff8800622c7bb8 1ffff1000c458f56 ffff8800622c7c00 ffff8800622c7be0 > > Call Trace: > > [< inline >] get_link fs/namei.c:1006 > > [<ffffffff817ecd91>] link_path_walk+0xaf1/0x1030 fs/namei.c:1968 > > [<ffffffff817ed311>] path_parentat+0x41/0x150 fs/namei.c:2176 > > [<ffffffff817f4c5c>] filename_parentat+0x17c/0x3c0 fs/namei.c:2198 > > [< inline >] user_path_parent fs/namei.c:2412 > > [< inline >] SYSC_renameat2 fs/namei.c:4411 > > [< inline >] SyS_renameat2 fs/namei.c:4375 > > [< inline >] SYSC_renameat fs/namei.c:4521 > > [<ffffffff817f9a72>] SyS_renameat+0x192/0x820 fs/namei.c:4518 > > [<ffffffff8669e0b6>] entry_SYSCALL_64_fastpath+0x16/0x7a > > arch/x86/entry/entry_64.S:185 > > Code: 89 e5 41 57 41 56 41 55 41 54 49 89 fc 53 48 89 f3 e8 08 25 d5 > > ff 48 8d 7b 0c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 > > <0f> > > b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 > > RIP [<ffffffff8181aa5d>] atime_needs_update+0x2d/0x460 > > fs/inode.c:1611 > > RSP <ffff8800622c7a30> > > ---[ end trace 1a4c9bda4680ce46 ]--- > > > > On commit df48ab3c2f5ffca88b7803ffbadd074bd5a0a2ef. > > > > Objdump shows that inode is NULL in atime_needs_update. > > > > Unfortunately reproduction of this crash is very hard. The program > > executes something along the lines of: > > > > mmap(0x20000000, 15945728, PROT_READ|PROT_WRITE, > > MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 > > mkdir("./bus", 0662515705056234013740) = 0 > > openat(AT_FDCWD, "./bus", O_RDONLY|O_EXCL) = 3 > > symlinkat("../bus", 3, "./bus") = 0 > > renameat(3, "./bus", 3, "./bus/file0") = 0 > > mmap(0x20f35000, 4096, PROT_READ|PROT_WRITE, > > MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20f35000 > > mount("./bus", "./bus", 0x20f2aee4, > > MS_RDONLY|MS_NODEV|MS_RELATIME|MS_NODIRATIME|MS_BIND|MS_MOVE|MS_REC| > > MS_UNBINDABLE|MS_SLAVE|MS_SHARED|0xc000380, > > 0x20093f5f) = 0 > > open("./bus/file0", O_RDWR|O_EXCL) = -1 EISDIR (Is a directory) > > exit_group(0) = ? > > > > But in multiple threads so that some calls can be doubled and/or > > overlapped. And all this happens on a tmpfs mount. > > > > But I was able to reproduce it 8 or so times, so I am sure that it > > is real. > > > > For future reference, I was running these programs: > > https://gist.githubusercontent.com/dvyukov/124c457d308fa724d88a/raw/ > > fec2d86e125a7fd2fa2916791d65d7daead7cbbb/gistfile1.txt > > Following these instructions: > > https://github.com/google/syzkaller/wiki/How-to-execute-syzkaller-pr > > ograms > > > > -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html