From: Al Viro <viro@ZenIV.linux.org.uk>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Patrick McLean <chutzpah@gentoo.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Bruce Fields <bfields@redhat.com>,
"Darrick J. Wong" <darrick.wong@oracle.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
stable <stable@vger.kernel.org>,
Thorsten Leemhuis <regressions@leemhuis.info>
Subject: Re: [nfsd4] potentially hardware breaking regression in 4.14-rc and 4.13.11
Date: Sat, 11 Nov 2017 02:32:27 +0000 [thread overview]
Message-ID: <20171111023227.GI21978@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20171111011306.GA30259@fieldses.org>
On Fri, Nov 10, 2017 at 08:13:06PM -0500, J. Bruce Fields wrote:
> On Fri, Nov 10, 2017 at 03:26:27PM -0800, Patrick McLean wrote:
> >
> >
> > On 2017-11-10 10:42 AM, Linus Torvalds wrote:
> > > On Thu, Nov 9, 2017 at 5:58 PM, Patrick McLean <chutzpah@gentoo.org> wrote:
> > >>
> > >> Something must have changed since 4.13.8 to trigger this though.
> > >
> > > Arnd pointed to some commits that might be relevant for the cp210x
> > > module, but those are all already in 4.13.8, so if 4.13.8 really is
> > > rock solid for you, I don't think that's it.
> > >
> > > I really don't see anything that looks even half-way suspicious in
> > > that 4.13.8..11 range. But as mentioned, compiler interactions can be
> > > _really_ subtle.
> > >
> > > And hey, it can be a real kernel bug too, that just happens to be
> > > exposed by RANDSTRUCT, so a bisect really would be very nice.
> >
> > I am working on bisecting the issue now, but I think I have some more
> > evidence pointing to a compiler issue related to RANDSTRUCT. There are
> > actually 3 issues that we have seen. Sometimes we get the null pointer
> > deref in the initial message, sometimes we get the GPF, and sometimes we
> > see an issue where the NFS clients see all files as root-owned
> > directories.
>
> That suggests that stat.uid is 0 and stat.mode & S_IFMT is 0040000 in
> the stat structure that nfsd passed to vfs_getattr().
>
> No idea what sort of information is useful when tracking down this kind
> of bug, but you could also run wireshark and take a look at the server's
> GETATTR replies to see if there's some other corruption.
FWIW, having looked at some of the __bugger_layout users... Compiler bugs
aside,
* use in struct {dentry,inode,mount,block_device} has to go - cache
use patterns at hash lookups are _not_ something to play with like that.
* struct file_lock and struct super_block - ditto, only it's not
hash lookups that hurt here. struct vm_area_struct, while we are at it.
* struct group_info - Cthulhu's pus-leaking warts, what's the point
randomizing _that_? No, really - here's the damn thing in all its glory:
struct group_info {
atomic_t usage;
int ngroups;
kgid_t gid[0];
} __randomize_layout;
I really hope that plugin does *not* try to move the ->gid[] anywhere...
Which leaves us a choice between putting ->usage first or second. Sure,
every bit helps, but... even for security theatre that looks a bit too
pathetic.
* struct vfsmount. Wow. All of log2(3!) bits. Congratulations.
At least that's better than struct path. Oh, wait - they'd done struct path
as well...
What the hell had they been doing? Muscarine old-fashioned way? Looks like
a mix of pointless and truly dangerous. And then there are compiler bugs and
the charming effect on reproducibility...
next prev parent reply other threads:[~2017-11-11 2:32 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-09 0:43 [nfsd4] potentially hardware breaking regression in 4.14-rc and 4.13.11 Patrick McLean
2017-11-09 2:40 ` Linus Torvalds
2017-11-09 3:45 ` Al Viro
2017-11-09 19:34 ` Patrick McLean
2017-11-09 19:38 ` Al Viro
2017-11-09 19:42 ` Patrick McLean
2017-11-09 19:37 ` Al Viro
2017-11-09 19:51 ` Patrick McLean
2017-11-09 20:04 ` Linus Torvalds
2017-11-09 21:16 ` Al Viro
2017-11-10 1:58 ` Patrick McLean
2017-11-10 13:53 ` Arnd Bergmann
2017-11-10 18:42 ` Linus Torvalds
2017-11-10 23:26 ` Patrick McLean
2017-11-11 0:27 ` Patrick McLean
2017-11-11 2:36 ` [kernel-hardening] " Linus Torvalds
2017-11-11 2:36 ` Linus Torvalds
2017-11-11 16:13 ` [kernel-hardening] " Kees Cook
2017-11-11 16:13 ` Kees Cook
2017-11-11 17:31 ` [kernel-hardening] " Linus Torvalds
2017-11-11 17:31 ` Linus Torvalds
2017-11-13 22:48 ` [kernel-hardening] " Patrick McLean
2017-11-13 22:48 ` Patrick McLean
2017-11-17 0:54 ` [kernel-hardening] " Kees Cook
2017-11-17 0:54 ` Kees Cook
2017-11-17 19:03 ` [kernel-hardening] " Patrick McLean
2017-11-17 19:03 ` Patrick McLean
2017-11-17 21:26 ` [kernel-hardening] " Kees Cook
2017-11-17 21:26 ` Kees Cook
2017-11-18 0:27 ` [kernel-hardening] " Patrick McLean
2017-11-18 0:27 ` Patrick McLean
2017-11-18 0:55 ` [kernel-hardening] " Linus Torvalds
2017-11-18 0:55 ` Linus Torvalds
2017-11-18 1:54 ` [kernel-hardening] " Patrick McLean
2017-11-18 1:54 ` Patrick McLean
2017-11-18 5:14 ` [kernel-hardening] " Kees Cook
2017-11-18 5:14 ` Kees Cook
2017-11-18 5:29 ` [kernel-hardening] " Linus Torvalds
2017-11-18 5:29 ` Linus Torvalds
2017-11-18 8:20 ` [kernel-hardening] " Kees Cook
2017-11-18 8:20 ` Kees Cook
2018-02-21 22:19 ` RANDSTRUCT structs need linux/compiler_types.h (Was: [nfsd4] potentially hardware breaking regression in 4.14-rc and 4.13.11) Maciej S. Szmigiero
2018-02-21 22:47 ` Linus Torvalds
2018-02-21 22:47 ` Linus Torvalds
2018-02-21 23:34 ` Kees Cook
2018-02-21 23:34 ` Kees Cook
2018-03-05 9:27 ` Masahiro Yamada
2018-03-05 9:27 ` Masahiro Yamada
2018-03-05 19:15 ` Kees Cook
2018-03-05 19:18 ` Linus Torvalds
2018-02-21 22:52 ` Kees Cook
2018-02-21 23:24 ` Linus Torvalds
2018-02-22 0:12 ` Kees Cook
2018-02-22 0:22 ` Linus Torvalds
2018-02-22 0:23 ` Kees Cook
2018-02-22 0:27 ` Kees Cook
2017-11-11 1:13 ` [nfsd4] potentially hardware breaking regression in 4.14-rc and 4.13.11 J. Bruce Fields
2017-11-11 2:32 ` Al Viro [this message]
2017-11-10 1:47 ` Patrick McLean
2017-11-09 20:47 ` J. Bruce Fields
2017-11-09 23:07 ` Patrick McLean
2017-11-13 22:59 ` bit tweaks [was: Re: [nfsd4] potentially hardware breaking regression in 4.14-rc and 4.13.11] Rasmus Villemoes
2017-11-13 23:30 ` Linus Torvalds
2017-11-13 23:54 ` Linus Torvalds
2017-11-14 22:24 ` Rasmus Villemoes
2017-11-14 22:43 ` Linus Torvalds
2017-11-14 23:53 ` Rasmus Villemoes
2017-11-15 0:02 ` Linus Torvalds
2017-11-11 2:47 ` [nfsd4] potentially hardware breaking regression in 4.14-rc and 4.13.11 Alan Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171111023227.GI21978@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=bfields@fieldses.org \
--cc=bfields@redhat.com \
--cc=chutzpah@gentoo.org \
--cc=darrick.wong@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=regressions@leemhuis.info \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.