From: Jan Kara <jack@suse.cz>
To: Sasha Levin <sasha.levin@oracle.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>,
	linux-fsdevel@vger.kernel.org,
	LKML <linux-kernel@vger.kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: fs: gpf in simple_setattr
Date: Mon, 3 Mar 2014 22:40:40 +0100
Message-ID: <20140303214040.GA15265@quack.suse.cz>
In-Reply-To: <53123D81.6080003@oracle.com>

On Sat 01-03-14 15:05:21, Sasha Levin wrote:
> ping again?
> 
> I've been working on it, but don't see an obvious issue.
> 
> It does look like an access to invalid memory easily doable from
> userspace, so it should probably get fixed soon...
  Hum, can you maybe dump the name in dentry passed to simple_setattr()? Or
maybe even the whole path using dentry_path() (but not sure if that will
be workable on half-torn-down fs)? Maybe it will give us a hint as to which
filesystem to look at...

								Honza

> On 01/08/2014 11:00 AM, Sasha Levin wrote:
> >ping? still happening in -next.
> >
> >On 12/18/2013 07:25 PM, Sasha Levin wrote:
> >>Hi all,
> >>
> >>While fuzzing with trinity inside a KVM tools guest running latest -next kernel, I've stumbled on
> >>the following spew.
> >>
> >>This happens when sb is dereferenced in __mark_inode_dirty():
> >>
> >>                 if (sb->s_op->dirty_inode) <--- HERE
> >>                         sb->s_op->dirty_inode(inode, flags);
> >>
> >>'sb' is pointing to memory full of poison (6b6b6b6b6b6b6b6b).
> >>
> >>[  590.469520] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> >>[  590.470737] Dumping ftrace buffer:
> >>[  590.471331]    (ftrace buffer empty)
> >>[  590.471903] Modules linked in:
> >>[  590.472349] CPU: 3 PID: 9685 Comm: trinity-child97 Tainted: G        W  3.13.0-rc4-next-20131218-sasha-00013-g2cebb9b-dirty #4156
> >>[  590.472396] task: ffff8800bc520000 ti: ffff8800bc4fa000 task.ti: ffff8800bc4fa000
> >>[  590.472396] RIP: 0010:[<ffffffff81302d34>]  [<ffffffff81302d34>] __mark_inode_dirty+0xd4/0x360
> >>[  590.475691] RSP: 0018:ffff8800bc4fbda8  EFLAGS: 00010246
> >>[  590.475691] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8802f9002530 RCX: 000000006b6b6b6b
> >>[  590.475691] RDX: 0000000000000000 RSI: 0000000000000007 RDI: ffff8802f9002530
> >>[  590.475691] RBP: ffff8800bc4fbdc8 R08: 0000000000000000 R09: 0000000000000000
> >>[  590.475691] R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000007
> >>[  590.475691] R13: 0000000000000000 R14: ffff8802f8795668 R15: ffff8802f9002530
> >>[  590.475691] FS:  00007f9bba1b7700(0000) GS:ffff8801c8000000(0000) knlGS:0000000000000000
> >>[  590.475691] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> >>[  590.475691] CR2: 00007f9bba17da44 CR3: 00000000bc4e6000 CR4: 00000000000006e0
> >>[  590.475691] Stack:
> >>[  590.475691]  ffff8802f9002530 ffff8800bc4fbe98 0000000000000000 ffff880161244000
> >>[  590.475691]  ffff8800bc4fbdf8 ffffffff8130001b ffff8800bc4fbde8 0000000000001846
> >>[  590.475691]  ffff8800bc4fbe98 0000000000000000 ffff8800bc4fbe78 ffffffff812f3016
> >>[  590.475691] Call Trace:
> >>[  590.475691]  [<ffffffff8130001b>] simple_setattr+0x5b/0x70
> >>[  590.475691]  [<ffffffff812f3016>] notify_change+0x216/0x300
> >>[  590.475691]  [<ffffffff812d0180>] ? zs_malloc+0x1b0/0x200
> >>[  590.475691]  [<ffffffff812d0b15>] chown_common+0x135/0x1c0
> >>[  590.475691]  [<ffffffff812d0c20>] SyS_fchown+0x80/0xd0
> >>[  590.475691]  [<ffffffff843a6d50>] tracesys+0xdd/0xe2
> >>[  590.494436] VFS: Warning: trinity-child15 using old stat() call. Recompile your binary.
> >>[  590.475691] Code: c5 10 48 89 de ff d0 49 8b 45 00 48 85 c0 75 e7 65 ff 0c 25 5c da 00 00 0f 94 c0 84 c0 74 08 e8 b3 33 d7 ff 0f 1f 00 49 8b 46 30 <48> 8b 40 10 48 85 c0 74 08 44 89 e6 48 89 df ff d0 8b 05 bd 6b
> >>[  590.475691] RIP  [<ffffffff81302d34>] __mark_inode_dirty+0xd4/0x360
> >>[  590.475691]  RSP <ffff8800bc4fbda8>
> >>
> >>
> >>Thanks,
> >>Sasha
> >
> 
-- 
Jan Kara <jack@suse.cz>
SUSE Labs, CR
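The quoted oops shows RAX holding 6b6b6b6b6b6b6b6b (and the low half of RCX the same byte), which is the slab POISON_FREE pattern: `sb` points at a superblock that has already been freed, so the fault at sb->s_op is a use-after-free. The helper below is an added triage example, not part of this thread; it scans the register lines of an x86-64 oops and reports which registers carry a known slab poison byte. The poison byte values are the ones from include/linux/poison.h; the sample dump is the register block from Sasha's report, embedded here as constructed input.

```python
import re

# Slab poison bytes from include/linux/poison.h (written by SLUB/SLAB debug).
POISON_BYTES = {
    0x6b: "POISON_FREE: object was freed, i.e. use-after-free",
    0x5a: "POISON_INUSE: allocated but never written",
    0xa5: "POISON_END: end-of-object marker",
}

# Matches "RAX: 6b6b6b6b6b6b6b6b" and "RSP: 0018:ffff8800bc4fbda8" (segment prefix
# skipped); the RIP line has "[<...>]" after the colon and is deliberately not matched.
_REG_RE = re.compile(r"\b(R[A-Z]{2}|R\d{2}):\s+(?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")

# Constructed sample: the register block quoted in this thread.
SAMPLE_OOPS = """\
[  590.475691] RSP: 0018:ffff8800bc4fbda8  EFLAGS: 00010246
[  590.475691] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8802f9002530 RCX: 000000006b6b6b6b
[  590.475691] RDX: 0000000000000000 RSI: 0000000000000007 RDI: ffff8802f9002530
[  590.475691] RBP: ffff8800bc4fbdc8 R08: 0000000000000000 R09: 0000000000000000
[  590.475691] R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000007
[  590.475691] R13: 0000000000000000 R14: ffff8802f8795668 R15: ffff8802f9002530
"""


def poison_pattern(value):
    """Return (poison_byte, width_bits) when `value` is one poison byte repeated over
    all 64 bits, or over the low 32 bits with the upper half zero (a zero-extended
    32-bit copy, as in RCX above). Return None for anything else."""
    for width in (64, 32):
        if value >> width != 0:  # bits above the candidate width are set
            continue
        low = value & ((1 << width) - 1)
        byte = low & 0xFF
        repeated = int.from_bytes(bytes([byte]) * (width // 8), "little")
        if byte in POISON_BYTES and low == repeated:
            return byte, width
    return None


def classify_registers(oops_text):
    """Map register name -> (poison_byte, width, description) for every register in
    the oops register dump whose value looks like slab poison."""
    hits = {}
    for name, hexval in _REG_RE.findall(oops_text):
        hit = poison_pattern(int(hexval, 16))
        if hit:
            hits[name] = (hit[0], hit[1], POISON_BYTES[hit[0]])
    return hits


if __name__ == "__main__":
    for reg, (byte, width, desc) in classify_registers(SAMPLE_OOPS).items():
        print(f"{reg}: 0x{byte:02x} over {width} bits -> {desc}")
```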

Thread overview: 23+ messages
2013-12-19  0:25 fs: gpf in simple_setattr Sasha Levin
2014-01-08 16:00 ` Sasha Levin
2014-03-01 20:05   ` Sasha Levin
2014-03-02  3:35     ` Linus Torvalds
2014-03-03  2:01       ` Sasha Levin
2014-03-03 21:40     ` Jan Kara [this message]
2014-03-05  0:00       ` Sasha Levin
2014-03-05 12:45         ` Jan Kara
2014-03-06 16:02           ` Sasha Levin
2014-03-08  2:14             ` Sasha Levin
2014-03-10 10:43               ` Jan Kara
2014-03-10 14:13                 ` Sasha Levin
2014-03-24 14:42                   ` Sasha Levin
2014-03-24 21:48                     ` Jan Kara
2014-03-25  0:44                       ` Sasha Levin
2014-03-25 17:33                         ` Jan Kara
2014-03-25 17:51                           ` Sasha Levin
2014-03-25 21:12                             ` Jan Kara
2014-03-26  0:12                               ` Sasha Levin
2014-03-26  0:41                               ` Linus Torvalds
2014-03-26  5:34                                 ` Jan Kara
2014-03-26  5:53                               ` Dave Jones
2014-03-26 15:00                                 ` Sasha Levin