From: Al Viro <viro@ZenIV.linux.org.uk>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: "Ian Kent" <raven@themaw.net>, "Mickaël Salaün" <mic@digikod.net>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>,
"Kostya Serebryany" <kcc@google.com>,
"Alexander Potapenko" <glider@google.com>,
"Sasha Levin" <sasha.levin@oracle.com>,
"Linus Torvalds" <torvalds@linux-foundation.org>
Subject: Re: fs: NULL deref in atime_needs_update
Date: Fri, 26 Feb 2016 22:07:59 +0000 [thread overview]
Message-ID: <20160226220759.GH17997@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CACT4Y+Z2RmFvtxdRY1=3h2sXMwmafFq+qgcZWGOoeZ79Yrwxzw@mail.gmail.com>
On Fri, Feb 26, 2016 at 10:25:21PM +0100, Dmitry Vyukov wrote:
> On Fri, Feb 26, 2016 at 10:21 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> > On Thu, Feb 25, 2016 at 04:39:27PM +0000, Al Viro wrote:
> >> Hrm... OK, seeing that you still seem to trigger those within an hour or
> >> two (and *any* of remaining WARN_ON() are serious bugs - none of the
> >> "mitigation had been triggered" remained, sorry for not making it clear),
> >> let's try this. Again, any WARN_ON triggered means that we'd caught something,
> >> whether it progresses into oops or not.
> >
> > Any news on that one? I'm going to carve fixes for understood bugs out of
> > that one and put those into tonight push, but it would be nice to sort out
> > all remaining crap lurking in that area...
> >
> > Another question: what about the very first trace you'd posted, with apparent
> > GPF at 00000050? Have you seen anything like that afterwards?
>
> No, I did not have time to retest.
>
> GPF at 00000050 was not mine, it was Micka�l's.
Ah, OK - his is basically a forced nd->stack[] underrun, with passing a
never-assigned nd->link_inode to atime_needs_update(), so we are just
passing a contents of uninitialized stack word there and while it ends
up possible to dereference, it's not an address of struct inode and the
first attempt to follow a pointer in what would've been a struct inode
at that address (accessing inode->i_sb->s_flags) did blow up with GPF at
offsetof(struct super_block, s_flags).
All right, so we basically have several understood ones with fixes plus
something unknown that leads to lookup_fast() returning 0 with NULL in
*inode in about an hour or two on your setup...
WARNING: multiple messages have this Message-ID (diff)
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: "Ian Kent" <raven@themaw.net>, "Mickaël Salaün" <mic@digikod.net>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>,
"Kostya Serebryany" <kcc@google.com>,
"Alexander Potapenko" <glider@google.com>,
"Sasha Levin" <sasha.levin@oracle.com>,
"Linus Torvalds" <torvalds@linux-foundation.org>
Subject: Re: fs: NULL deref in atime_needs_update
Date: Fri, 26 Feb 2016 22:07:59 +0000 [thread overview]
Message-ID: <20160226220759.GH17997@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CACT4Y+Z2RmFvtxdRY1=3h2sXMwmafFq+qgcZWGOoeZ79Yrwxzw@mail.gmail.com>
On Fri, Feb 26, 2016 at 10:25:21PM +0100, Dmitry Vyukov wrote:
> On Fri, Feb 26, 2016 at 10:21 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> > On Thu, Feb 25, 2016 at 04:39:27PM +0000, Al Viro wrote:
> >> Hrm... OK, seeing that you still seem to trigger those within an hour or
> >> two (and *any* of remaining WARN_ON() are serious bugs - none of the
> >> "mitigation had been triggered" remained, sorry for not making it clear),
> >> let's try this. Again, any WARN_ON triggered means that we'd caught something,
> >> whether it progresses into oops or not.
> >
> > Any news on that one? I'm going to carve fixes for understood bugs out of
> > that one and put those into tonight push, but it would be nice to sort out
> > all remaining crap lurking in that area...
> >
> > Another question: what about the very first trace you'd posted, with apparent
> > GPF at 00000050? Have you seen anything like that afterwards?
>
> No, I did not have time to retest.
>
> GPF at 00000050 was not mine, it was Mickaël's.
Ah, OK - his is basically a forced nd->stack[] underrun, with passing a
never-assigned nd->link_inode to atime_needs_update(), so we are just
passing a contents of uninitialized stack word there and while it ends
up possible to dereference, it's not an address of struct inode and the
first attempt to follow a pointer in what would've been a struct inode
at that address (accessing inode->i_sb->s_flags) did blow up with GPF at
offsetof(struct super_block, s_flags).
All right, so we basically have several understood ones with fixes plus
something unknown that leads to lookup_fast() returning 0 with NULL in
*inode in about an hour or two on your setup...
next prev parent reply other threads:[~2016-02-26 22:08 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-05 21:11 fs: NULL deref in atime_needs_update Dmitry Vyukov
2016-02-16 23:40 ` Mickaël Salaün
2016-02-19 19:32 ` Dmitry Vyukov
2016-02-20 3:21 ` Al Viro
2016-02-20 3:54 ` Al Viro
2016-02-20 3:54 ` Al Viro
2016-02-20 13:25 ` Mickaël Salaün
2016-02-20 17:10 ` Al Viro
2016-02-20 17:10 ` Al Viro
2016-02-20 20:26 ` Mickaël Salaün
2016-02-20 20:50 ` Al Viro
2016-02-20 20:50 ` Al Viro
2016-02-22 11:20 ` Dmitry Vyukov
2016-02-22 17:23 ` Al Viro
2016-02-23 15:34 ` Dmitry Vyukov
2016-02-23 18:17 ` Al Viro
2016-02-20 10:36 ` Dmitry Vyukov
2016-02-24 3:12 ` Ian Kent
2016-02-24 4:46 ` Al Viro
2016-02-24 4:46 ` Al Viro
2016-02-24 10:03 ` Dmitry Vyukov
2016-02-24 10:15 ` Dmitry Vyukov
2016-02-24 13:35 ` Dmitry Vyukov
2016-02-24 15:15 ` Al Viro
2016-02-25 8:29 ` Dmitry Vyukov
2016-02-25 16:39 ` Al Viro
2016-02-26 21:21 ` Al Viro
2016-02-26 21:25 ` Dmitry Vyukov
2016-02-26 22:07 ` Al Viro [this message]
2016-02-26 22:07 ` Al Viro
2016-02-27 22:27 ` Al Viro
2016-02-27 22:27 ` Al Viro
2016-02-28 15:43 ` Dmitry Vyukov
2016-02-28 16:04 ` Dmitry Vyukov
2016-02-28 17:01 ` Al Viro
2016-02-28 20:01 ` Al Viro
2016-02-29 9:38 ` Dmitry Vyukov
2016-02-29 12:34 ` Dmitry Vyukov
2016-02-29 16:11 ` Al Viro
2016-02-29 13:09 ` Al Viro
2016-02-29 13:43 ` David Howells
2016-02-29 15:54 ` Dmitry Vyukov
2016-02-29 16:19 ` Al Viro
2016-02-29 18:19 ` Dmitry Vyukov
2016-03-01 8:59 ` Dmitry Vyukov
2016-02-29 16:45 ` Linus Torvalds
2016-02-29 16:50 ` Al Viro
2016-02-29 17:20 ` Al Viro
2016-02-29 17:24 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160226220759.GH17997@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=kcc@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mic@digikod.net \
--cc=raven@themaw.net \
--cc=sasha.levin@oracle.com \
--cc=syzkaller@googlegroups.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.