From: Al Viro <viro@ZenIV.linux.org.uk>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: "Ian Kent" <raven@themaw.net>, "Mickaël Salaün" <mic@digikod.net>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>,
"Kostya Serebryany" <kcc@google.com>,
"Alexander Potapenko" <glider@google.com>,
"Sasha Levin" <sasha.levin@oracle.com>,
"Linus Torvalds" <torvalds@linux-foundation.org>
Subject: Re: fs: NULL deref in atime_needs_update
Date: Fri, 26 Feb 2016 21:21:37 +0000 [thread overview]
Message-ID: <20160226212137.GF17997@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20160225163927.GW17997@ZenIV.linux.org.uk>
On Thu, Feb 25, 2016 at 04:39:27PM +0000, Al Viro wrote:
> Hrm... OK, seeing that you still seem to trigger those within an hour or
> two (and *any* of remaining WARN_ON() are serious bugs - none of the
> "mitigation had been triggered" remained, sorry for not making it clear),
> let's try this. Again, any WARN_ON triggered means that we'd caught something,
> whether it progresses into oops or not.
Any news on that one? I'm going to carve fixes for understood bugs out of
that one and put those into tonight push, but it would be nice to sort out
all remaining crap lurking in that area...
Another question: what about the very first trace you'd posted, with apparent
GPF at 00000050? Have you seen anything like that afterwards?
> diff --git a/fs/autofs4/root.c b/fs/autofs4/root.c
> index c6d7d3d..86f81e3 100644
> --- a/fs/autofs4/root.c
> +++ b/fs/autofs4/root.c
> @@ -323,6 +323,7 @@ static struct dentry *autofs4_mountpoint_changed(struct path *path)
> struct dentry *new = d_lookup(parent, &dentry->d_name);
> if (!new)
> return NULL;
> + WARN_ON(d_is_negative(new));
> ino = autofs4_dentry_ino(new);
> ino->last_used = jiffies;
> dput(path->dentry);
> diff --git a/fs/namei.c b/fs/namei.c
> index f624d13..daa6b25 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -1209,6 +1209,7 @@ static int follow_managed(struct path *path, struct nameidata *nd)
> /* Handle an automount point */
> if (managed & DCACHE_NEED_AUTOMOUNT) {
> ret = follow_automount(path, nd, &need_mntput);
> + WARN_ON(d_is_negative(path->dentry));
> if (ret < 0)
> break;
> continue;
> @@ -1260,6 +1261,7 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
> {
> for (;;) {
> struct mount *mounted;
> + void *p;
> /*
> * Don't forget we might have a non-mountpoint managed dentry
> * that wants to block transit.
> @@ -1289,7 +1291,9 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
> * dentry sequence number here after this d_inode read,
> * because a mount-point is always pinned.
> */
> - *inode = path->dentry->d_inode;
> + p = *inode = path->dentry->d_inode;
> + if (unlikely(!p))
> + WARN_ON(!read_seqretry(&mount_lock, nd->m_seq));
> }
> return !read_seqretry(&mount_lock, nd->m_seq) &&
> !(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT);
> @@ -1580,10 +1584,12 @@ static int lookup_fast(struct nameidata *nd,
> */
> if (negative)
> return -ENOENT;
> + WARN_ON(!*inode); // ->d_seq was fucked somehow
> path->mnt = mnt;
> path->dentry = dentry;
> - if (likely(__follow_mount_rcu(nd, path, inode, seqp)))
> + if (likely(__follow_mount_rcu(nd, path, inode, seqp))) {
> return 0;
> + }
> unlazy:
> if (unlazy_walk(nd, dentry, seq))
> return -ECHILD;
> @@ -1613,8 +1619,10 @@ unlazy:
> path->mnt = mnt;
> path->dentry = dentry;
> err = follow_managed(path, nd);
> - if (likely(!err))
> + if (likely(!err)) {
> *inode = d_backing_inode(path->dentry);
> + WARN_ON(!*inode);
> + }
> return err;
>
> need_lookup:
> @@ -1712,6 +1720,12 @@ static inline int should_follow_link(struct nameidata *nd, struct path *link,
> return 0;
> if (!follow)
> return 0;
> + /* make sure that d_is_symlink above matches inode */
> + if (nd->flags & LOOKUP_RCU) {
> + if (read_seqcount_retry(&link->dentry->d_seq, seq))
> + return -ECHILD;
> + }
> + WARN_ON(!inode); // now, _that_ should not happen.
> return pick_link(nd, link, inode, seq);
> }
>
> @@ -1743,11 +1757,11 @@ static int walk_component(struct nameidata *nd, int flags)
> if (err < 0)
> return err;
>
> - inode = d_backing_inode(path.dentry);
> seq = 0; /* we are already out of RCU mode */
> err = -ENOENT;
> if (d_is_negative(path.dentry))
> goto out_path_put;
> + inode = d_backing_inode(path.dentry);
> }
>
> if (flags & WALK_PUT)
> @@ -3106,8 +3120,10 @@ static int do_last(struct nameidata *nd,
> nd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
> /* we _can_ be in RCU mode here */
> error = lookup_fast(nd, &path, &inode, &seq);
> - if (likely(!error))
> + if (likely(!error)) {
> + WARN_ON(!inode);
> goto finish_lookup;
> + }
>
> if (error < 0)
> return error;
> @@ -3192,12 +3208,13 @@ retry_lookup:
> return error;
>
> BUG_ON(nd->flags & LOOKUP_RCU);
> - inode = d_backing_inode(path.dentry);
> seq = 0; /* out of RCU mode, so the value doesn't matter */
> if (unlikely(d_is_negative(path.dentry))) {
> path_to_nameidata(&path, nd);
> return -ENOENT;
> }
> + inode = d_backing_inode(path.dentry);
> + WARN_ON(!inode);
> finish_lookup:
> if (nd->depth)
> put_link(nd);
> @@ -3206,11 +3223,6 @@ finish_lookup:
> if (unlikely(error))
> return error;
>
> - if (unlikely(d_is_symlink(path.dentry)) && !(open_flag & O_PATH)) {
> - path_to_nameidata(&path, nd);
> - return -ELOOP;
> - }
> -
> if ((nd->flags & LOOKUP_RCU) || nd->path.mnt != path.mnt) {
> path_to_nameidata(&path, nd);
> } else {
> @@ -3229,6 +3241,10 @@ finish_open:
> return error;
> }
> audit_inode(nd->name, nd->path.dentry, 0);
> + if (unlikely(d_is_symlink(nd->path.dentry)) && !(open_flag & O_PATH)) {
> + error = -ELOOP;
> + goto out;
> + }
> error = -EISDIR;
> if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
> goto out;
> @@ -3273,6 +3289,10 @@ opened:
> goto exit_fput;
> }
> out:
> + if (unlikely(error > 0)) {
> + WARN_ON(1);
> + error = -EINVAL;
> + }
> if (got_write)
> mnt_drop_write(nd->path.mnt);
> path_put(&save_parent);
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 4fb1691..4128a5c 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -1060,6 +1060,8 @@ static void cleanup_mnt(struct mount *mnt)
> * so mnt_get_writers() below is safe.
> */
> WARN_ON(mnt_get_writers(mnt));
> + WARN_ON(!mnt->mnt.mnt_root->d_inode); // some joker has managed to
> + // make mnt_root negative on us
> if (unlikely(mnt->mnt_pins.first))
> mnt_pin_kill(mnt);
> fsnotify_vfsmount_delete(&mnt->mnt);
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2016-02-26 21:21 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-05 21:11 fs: NULL deref in atime_needs_update Dmitry Vyukov
2016-02-16 23:40 ` Mickaël Salaün
2016-02-19 19:32 ` Dmitry Vyukov
2016-02-20 3:21 ` Al Viro
2016-02-20 3:54 ` Al Viro
2016-02-20 3:54 ` Al Viro
2016-02-20 13:25 ` Mickaël Salaün
2016-02-20 17:10 ` Al Viro
2016-02-20 17:10 ` Al Viro
2016-02-20 20:26 ` Mickaël Salaün
2016-02-20 20:50 ` Al Viro
2016-02-20 20:50 ` Al Viro
2016-02-22 11:20 ` Dmitry Vyukov
2016-02-22 17:23 ` Al Viro
2016-02-23 15:34 ` Dmitry Vyukov
2016-02-23 18:17 ` Al Viro
2016-02-20 10:36 ` Dmitry Vyukov
2016-02-24 3:12 ` Ian Kent
2016-02-24 4:46 ` Al Viro
2016-02-24 4:46 ` Al Viro
2016-02-24 10:03 ` Dmitry Vyukov
2016-02-24 10:15 ` Dmitry Vyukov
2016-02-24 13:35 ` Dmitry Vyukov
2016-02-24 15:15 ` Al Viro
2016-02-25 8:29 ` Dmitry Vyukov
2016-02-25 16:39 ` Al Viro
2016-02-26 21:21 ` Al Viro [this message]
2016-02-26 21:25 ` Dmitry Vyukov
2016-02-26 22:07 ` Al Viro
2016-02-26 22:07 ` Al Viro
2016-02-27 22:27 ` Al Viro
2016-02-27 22:27 ` Al Viro
2016-02-28 15:43 ` Dmitry Vyukov
2016-02-28 16:04 ` Dmitry Vyukov
2016-02-28 17:01 ` Al Viro
2016-02-28 20:01 ` Al Viro
2016-02-29 9:38 ` Dmitry Vyukov
2016-02-29 12:34 ` Dmitry Vyukov
2016-02-29 16:11 ` Al Viro
2016-02-29 13:09 ` Al Viro
2016-02-29 13:43 ` David Howells
2016-02-29 15:54 ` Dmitry Vyukov
2016-02-29 16:19 ` Al Viro
2016-02-29 18:19 ` Dmitry Vyukov
2016-03-01 8:59 ` Dmitry Vyukov
2016-02-29 16:45 ` Linus Torvalds
2016-02-29 16:50 ` Al Viro
2016-02-29 17:20 ` Al Viro
2016-02-29 17:24 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160226212137.GF17997@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=kcc@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mic@digikod.net \
--cc=raven@themaw.net \
--cc=sasha.levin@oracle.com \
--cc=syzkaller@googlegroups.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.