crash inside ovl_encode_real_fh() due to NULL dentry pointer


 



Hello,

I'd like to report an overlayfs related crash. The stack trace is as follows:

crash> bt
PID: 1789     TASK: ffff89006ebc5200  CPU: 57   COMMAND: "lsof"
 #0 [ffffc900b24b74e8] machine_kexec at ffffffff810afa90
 #1 [ffffc900b24b7558] __crash_kexec at ffffffff81219328
 #2 [ffffc900b24b7630] panic at ffffffff810f5b01
 #3 [ffffc900b24b76c0] oops_end at ffffffff81055835
 #4 [ffffc900b24b7708] page_fault_oops at ffffffff810c7a17
 #5 [ffffc900b24b7788] do_user_addr_fault at ffffffff810c84ae
 #6 [ffffc900b24b77f0] exc_page_fault at ffffffff82110102
 #7 [ffffc900b24b7830] asm_exc_page_fault at ffffffff82200c27
    [exception RIP: ovl_encode_real_fh+48]
    RIP: ffffffffc243dca0  RSP: ffffc900b24b78e0  RFLAGS: 00010282
    RAX: 0000000000000000  RBX: ffffc900b24b7a58  RCX: 0000000000000080
    RDX: 61c8864680b583eb  RSI: 0000000000000000  RDI: ffff890058bc9800
    RBP: ffffc900b24b7938   R8: 0000000000000002   R9: ffff890673f21ce0
    R10: 0000000000ffff10  R11: 000000000000000f  R12: 0000000000000001
    R13: ffff890058bc9800  R14: 0000000000000080  R15: 0000000000000000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #8 [ffffc900b24b7940] ovl_dentry_to_fid at ffffffffc24402b1 [overlay]
 #9 [ffffc900b24b79a0] ovl_encode_fh at ffffffffc2440435 [overlay]
#10 [ffffc900b24b79f8] exportfs_encode_inode_fh at ffffffff8165937b
#11 [ffffc900b24b7a38] show_mark_fhandle at ffffffff815208ec
#12 [ffffc900b24b7b08] inotify_fdinfo at ffffffff81520ca0
#13 [ffffc900b24b7b40] show_fdinfo at ffffffff81520a7f
#14 [ffffc900b24b7ba0] inotify_show_fdinfo at ffffffff81520cee
#15 [ffffc900b24b7bc0] seq_show at ffffffff81580d4c
#16 [ffffc900b24b7c18] seq_read_iter at ffffffff814f42a0
#17 [ffffc900b24b7c88] seq_read at ffffffff814f4713
#18 [ffffc900b24b7d48] vfs_read at ffffffff814ba791
#19 [ffffc900b24b7e10] ksys_read at ffffffff814bb7aa
#20 [ffffc900b24b7e70] __x64_sys_read at ffffffff814bb85e
#21 [ffffc900b24b7e90] x64_sys_call at ffffffff81006641
#22 [ffffc900b24b7eb0] do_syscall_64 at ffffffff82108b58
#23 [ffffc900b24b7f50] entry_SYSCALL_64_after_hwframe at ffffffff82200130
    RIP: 0000772a57dd2a61  RSP: 00007ffcc0ebd2a8  RFLAGS: 00000246
    RAX: ffffffffffffffda  RBX: 000063e265d7a2a0  RCX: 0000772a57dd2a61
    RDX: 0000000000000400  RSI: 000063e265d7a500  RDI: 0000000000000007
    RBP: 00007ffcc0ebd2e0   R8: 0000000000000001   R9: 0000000000000000
    R10: 0000000000000000  R11: 0000000000000246  R12: 0000772a57eb9030
    R13: 0000772a57eb8ee0  R14: 0000000000000000  R15: 000063e265d7a2a0
    ORIG_RAX: 0000000000000000  CS: 0033  SS: 002b

I analyzed the crash dump; here is what I figured out:
- The overlay fs is mounted with only 2 lowerdirs, and nfs_export=on
- When ovl_dentry_to_fid() is called on the root dentry:
   - ovl_check_encode_origin(dentry) returns 0 as enc_lower (I believe it should return 1 in this case)
   - "enc_lower ? ovl_dentry_lower(dentry) : ovl_dentry_upper(dentry)" evaluates to NULL
   - NULL is passed as the second argument to ovl_encode_real_fh(), so it crashes

This crash has been reproduced on both kernel 6.8 and 6.6, but I
haven't tried on any newer kernel version.
I have a simple C program to reproduce it; if needed I can upload its
source to my github repository or email it here.

Thanks,
-Youzhong
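To make the control flow in the analysis above concrete, here is a small userspace C model, added as an example that is not part of the report or of the overlayfs source. The struct and functions named `model_*` are stand-ins for the dentry and the `ovl_*` functions in the trace; `enc_lower` is passed in directly with the value the dump showed (0), because the report does not quote the real `ovl_check_encode_origin()` logic. The guarded variant shows the NULL check a caller would need before handing the real dentry to the encoder; its `-EOPNOTSUPP` return is an assumption of this model, not the upstream fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Userspace model of the selection described in the report (added example,
 * not overlayfs code). A merged dentry points at an optional upper "real"
 * dentry and a lower one; on a mount with no upperdir, upper is NULL.
 */
struct model_dentry {
	const char *name;
	struct model_dentry *upper;	/* NULL when the mount has no upperdir */
	struct model_dentry *lower;	/* first lower-layer dentry */
};

/*
 * Stand-in for ovl_encode_real_fh(): derives a fake handle from the real
 * dentry. Like the crashing frame, it dereferences 'real' unconditionally,
 * so callers must never hand it NULL.
 */
static int model_encode_real_fh(const struct model_dentry *real, char *buf, size_t len)
{
	int n = snprintf(buf, len, "fh:%s", real->name);	/* faults if real == NULL */
	return (n > 0 && (size_t)n < len) ? 0 : -EIO;
}

/*
 * The unguarded choice quoted in the report: enc_lower ? lower : upper.
 * 'enc_lower' stands for the value ovl_check_encode_origin() returned
 * (0 in the crash dump). Yields NULL for root when there is no upper.
 */
static const struct model_dentry *
model_pick_real_unguarded(const struct model_dentry *d, int enc_lower)
{
	return enc_lower ? d->lower : d->upper;
}

/*
 * Guarded variant: refuse to encode rather than pass NULL downstream.
 * The -EOPNOTSUPP return is this model's choice, not the upstream fix.
 */
static int model_dentry_to_fid_guarded(const struct model_dentry *d, int enc_lower,
				       char *buf, size_t len)
{
	const struct model_dentry *real = model_pick_real_unguarded(d, enc_lower);

	if (!real)
		return -EOPNOTSUPP;
	return model_encode_real_fh(real, buf, len);
}

/* Constructed fixture: the root dentry of a mount with lower layers only, no upper. */
static struct model_dentry model_lower_root = { "lower-root", NULL, NULL };
static struct model_dentry model_merged_root = { "merged-root", NULL, &model_lower_root };

/* 1 if the unguarded selection with enc_lower == 0 yields NULL (the crash input). */
int demo_unguarded_selects_null(void)
{
	return model_pick_real_unguarded(&model_merged_root, 0) == NULL;
}

/* Return code of the guarded path for the crash input (expected -EOPNOTSUPP). */
int demo_guarded_rejects_crash_input(void)
{
	char buf[32];
	return model_dentry_to_fid_guarded(&model_merged_root, 0, buf, sizeof buf);
}

/* 1 if enc_lower == 1 (the value the reporter expects) encodes the lower root. */
int demo_guarded_encodes_lower_ok(void)
{
	char buf[32];

	if (model_dentry_to_fid_guarded(&model_merged_root, 1, buf, sizeof buf) != 0)
		return 0;
	return strcmp(buf, "fh:lower-root") == 0;
}

int main(void)
{
	printf("unguarded pick is NULL: %d\n", demo_unguarded_selects_null());
	printf("guarded, enc_lower=0 -> %d\n", demo_guarded_rejects_crash_input());
	printf("guarded, enc_lower=1 encodes lower: %d\n", demo_guarded_encodes_lower_ok());
	return 0;
}
```

The model separates the two defects the report implies: the wrong `enc_lower` value (which the model only replays, since the real logic is not quoted) and the absence of a NULL check on the selected real dentry. Fixing the first would avoid this particular trace; the second is what makes a bad selection a crash instead of an error return.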



