Re: [syzbot] BUG: unable to handle kernel paging request in kernfs_put_active

On Sun, Sep 18, 2022 at 3:26 PM Tetsuo Handa wrote:
> On 2022/09/18 0:50, Tetsuo Handa wrote:
> > I don't know whether crafted filesystem image is used is relevant to this problem.
> > But I think a bug is inside NILFS2 filesystem code.
>
> I confirmed that use of crafted filesystem image is irrelevant to this problem.
> You can reproduce this problem using fault injection patch
>
> ----------
> diff --git a/fs/inode.c b/fs/inode.c
> index ba1de23c13c1..dfde0cadd51e 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -192,6 +192,10 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
>         inode->i_wb_frn_history = 0;
>  #endif
>
> +       if (!strcmp(current->comm, "my_touch")) {
> +               inode->i_security = NULL;
> +               goto out;
> +       }
>         if (security_inode_alloc(inode))
>                 goto out;
>         spin_lock_init(&inode->i_lock);
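Review bot: the injected branch's early `goto out` skips spin_lock_init(&inode->i_lock) and everything after it, which is exactly the path taken when security_inode_alloc() fails, so the injection reproduces that failure with a partially initialised inode being handed back; because it is keyed on current->comm matching "my_touch", it is a reproduction aid for this report only and should not be applied outside the test, and a comment above the `if` saying so would make that explicit for anyone copying the patch.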
> ----------
>
> and script which uses freshly created clean filesystem image.
>
> ----------
> cp -p /bin/touch my_touch
> dd if=/dev/zero of=nilfs.img bs=134221824 count=1
> mkfs.nilfs2 nilfs.img
> while date; do mount -o loop -t nilfs2 nilfs.img /mnt/; ./my_touch /mnt/file; umount -d /mnt/; done
> ----------
<snip>

Thank you for your help, Handa-san.

The first oops inserted by your injection patch has already been reported by
[1], and the bug fix is queued in the for-next branch of the vfs tree [2].
Take a look at the patch titled "fs: fix UAF/GPF bug in nilfs_mdt_destroy"
in the latest linux-next or vfs/for-next.

[1] https://lore.kernel.org/all/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@xxxxxxxxxxxxxx/T/#u (report)
[2] https://lkml.kernel.org/r/20220816040859.659129-1-dzm91@xxxxxxxxxxx (vfs patch)

The correction was done for inode_init_always() instead of fixing
nilfs2. Please refer to [3] for the background.

[3] https://lkml.kernel.org/r/20220815175114.23576-1-konishi.ryusuke@xxxxxxxxx (discussion of how to fix it; the nilfs2 patch itself was withdrawn)

I confirmed that the patch [2] fixes the second oops as well.

I'm not sure if the patch [2] fixes the originally reported problem,
but it will be fixed if it's the same.

Thanks,
Ryusuke Konishi
