From: kernel test robot <oliver.sang@intel.com>
To: Christian Brauner <brauner@kernel.org>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
<linux-fsdevel@vger.kernel.org>, <linux-nfs@vger.kernel.org>,
Amir Goldstein <amir73il@gmail.com>,
Jeff Layton <jlayton@kernel.org>,
Chuck Lever <chuck.lever@oracle.com>,
Aleksa Sarai <cyphar@cyphar.com>,
Christian Brauner <brauner@kernel.org>, <oliver.sang@intel.com>
Subject: Re: [PATCH RFC] : fhandle: relax open_by_handle_at() permission checks
Date: Mon, 27 May 2024 10:49:18 +0800
Message-ID: <202405271007.7e95eb21-lkp@intel.com>
In-Reply-To: <20240524-vfs-open_by_handle_at-v1-1-3d4b7d22736b@kernel.org>
Hello,
kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:
commit: 9ca8b65e411ba759831af5d678f8d01e141816a1 ("[PATCH RFC] : fhandle: relax open_by_handle_at() permission checks")
url: https://github.com/intel-lab-lkp/linux/commits/Christian-Brauner/fhandle-relax-open_by_handle_at-permission-checks/20240524-182059
patch link: https://lore.kernel.org/all/20240524-vfs-open_by_handle_at-v1-1-3d4b7d22736b@kernel.org/
patch subject: [PATCH RFC] : fhandle: relax open_by_handle_at() permission checks
in testcase: trinity
version:
with the following parameters:
runtime: 600s
compiler: gcc-13
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
+---------------------------------------------+------------+------------+
|                                             | 8f6a15f095 | 9ca8b65e41 |
+---------------------------------------------+------------+------------+
| boot_successes                              | 4          | 0          |
| boot_failures                               | 0          | 6          |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 6          |
| Oops:Oops:#[##]                             | 0          | 6          |
| EIP:handle_to_path                          | 0          | 6          |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 6          |
+---------------------------------------------+------------+------------+
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202405271007.7e95eb21-lkp@intel.com
[ 20.927410][ T678] BUG: kernel NULL pointer dereference, address: 00000002
[ 20.928271][ T678] #PF: supervisor read access in kernel mode
[ 20.928887][ T678] #PF: error_code(0x0000) - not-present page
[ 20.929607][ T678] *pde = 00000000
[ 20.930090][ T678] Oops: Oops: 0000 [#1]
[ 20.930616][ T678] CPU: 0 PID: 678 Comm: trinity-c0 Not tainted 6.9.0-10324-g9ca8b65e411b #1
[ 20.931662][ T678] EIP: handle_to_path (fs/fhandle.c:259 (discriminator 1))
[ 20.932243][ T678] Code: f2 ff ff ff e9 95 fe ff ff 8d b6 00 00 00 00 bb ea ff ff ff e9 85 fe ff ff 8d b6 00 00 00 00 8b 45 d8 ba 15 00 00 00 8b 40 6c <8b> 40 18 e8 c1 3a de ff 84 c0 0f 84 5f fe ff ff 8b 45 d8 8b 55 dc
All code
========
0: f2 ff repnz (bad)
2: ff (bad)
3: ff (bad)
4: e9 95 fe ff ff jmp 0xfffffffffffffe9e
9: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
f: bb ea ff ff ff mov $0xffffffea,%ebx
14: e9 85 fe ff ff jmp 0xfffffffffffffe9e
19: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
1f: 8b 45 d8 mov -0x28(%rbp),%eax
22: ba 15 00 00 00 mov $0x15,%edx
27: 8b 40 6c mov 0x6c(%rax),%eax
2a:* 8b 40 18 mov 0x18(%rax),%eax <-- trapping instruction
2d: e8 c1 3a de ff call 0xffffffffffde3af3
32: 84 c0 test %al,%al
34: 0f 84 5f fe ff ff je 0xfffffffffffffe99
3a: 8b 45 d8 mov -0x28(%rbp),%eax
3d: 8b 55 dc mov -0x24(%rbp),%edx
Code starting with the faulting instruction
===========================================
0: 8b 40 18 mov 0x18(%rax),%eax
3: e8 c1 3a de ff call 0xffffffffffde3ac9
8: 84 c0 test %al,%al
a: 0f 84 5f fe ff ff je 0xfffffffffffffe6f
10: 8b 45 d8 mov -0x28(%rbp),%eax
13: 8b 55 dc mov -0x24(%rbp),%edx
[ 20.934542][ T678] EAX: ffffffea EBX: c38458c0 ECX: 00000015 EDX: 00000015
[ 20.935354][ T678] ESI: ede5bf48 EDI: 00000000 EBP: ede5bf70 ESP: ede5bf2c
[ 20.936199][ T678] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010246
[ 20.937022][ T678] CR0: 80050033 CR2: 00000002 CR3: 0370d000 CR4: 00040690
[ 20.937713][ T678] Call Trace:
[ 20.938034][ T678] ? show_regs (arch/x86/kernel/dumpstack.c:479)
[ 20.938520][ T678] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 20.938942][ T678] ? debug_locks_off (lib/debug_locks.c:44)
[ 20.939502][ T678] ? page_fault_oops (arch/x86/mm/fault.c:715)
[ 20.940033][ T678] ? kernelmode_fixup_or_oops+0x5c/0x70
[ 20.940759][ T678] ? __bad_area_nosemaphore+0x113/0x1b4
[ 20.941504][ T678] ? lock_release (kernel/locking/lockdep.c:467 (discriminator 4) kernel/locking/lockdep.c:5776 (discriminator 4))
[ 20.942005][ T678] ? up_read (kernel/locking/rwsem.c:1623)
[ 20.942838][ T678] ? bad_area_nosemaphore (arch/x86/mm/fault.c:835)
[ 20.943483][ T678] ? do_user_addr_fault (arch/x86/mm/fault.c:1452)
[ 20.944138][ T678] ? exc_page_fault (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:67 arch/x86/include/asm/irqflags.h:127 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
[ 20.944774][ T678] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
[ 20.945558][ T678] ? handle_exception (arch/x86/entry/entry_32.S:1054)
[ 20.946219][ T678] ? keyring_search_rcu (include/linux/refcount.h:192 include/linux/refcount.h:241 include/linux/refcount.h:258 include/linux/key.h:308 security/keys/keyring.c:923)
[ 20.946845][ T678] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
[ 20.947517][ T678] ? handle_to_path (fs/fhandle.c:259 (discriminator 1))
[ 20.948115][ T678] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
[ 20.948896][ T678] ? handle_to_path (fs/fhandle.c:259 (discriminator 1))
[ 20.949505][ T678] ? __lock_release+0x54/0x170
[ 20.950147][ T678] ? __task_pid_nr_ns (include/linux/rcupdate.h:810 kernel/pid.c:514)
[ 20.950699][ T678] __ia32_sys_open_by_handle_at (fs/fhandle.c:317 fs/fhandle.c:357 fs/fhandle.c:348 fs/fhandle.c:348)
[ 20.951279][ T678] ? syscall_exit_to_user_mode (kernel/entry/common.c:221)
[ 20.951859][ T678] ia32_sys_call (arch/x86/entry/syscall_32.c:42)
[ 20.952409][ T678] do_int80_syscall_32 (arch/x86/entry/common.c:165 (discriminator 1) arch/x86/entry/common.c:339 (discriminator 1))
[ 20.953037][ T678] entry_INT80_32 (arch/x86/entry/entry_32.S:944)
[ 20.953604][ T678] EIP: 0x8097522
[ 20.954040][ T678] Code: 89 c8 c3 90 8d 74 26 00 85 c0 c7 01 01 00 00 00 75 d8 a1 cc 3c ad 08 eb d1 66 90 66 90 66 90 66 90 66 90 66 90 66 90 90 cd 80 <c3> 8d b6 00 00 00 00 8d bc 27 00 00 00 00 8b 10 a3 f4 3c ad 08 85
All code
========
0: 89 c8 mov %ecx,%eax
2: c3 ret
3: 90 nop
4: 8d 74 26 00 lea 0x0(%rsi,%riz,1),%esi
8: 85 c0 test %eax,%eax
a: c7 01 01 00 00 00 movl $0x1,(%rcx)
10: 75 d8 jne 0xffffffffffffffea
12: a1 cc 3c ad 08 eb d1 movabs 0x9066d1eb08ad3ccc,%eax
19: 66 90
1b: 66 90 xchg %ax,%ax
1d: 66 90 xchg %ax,%ax
1f: 66 90 xchg %ax,%ax
21: 66 90 xchg %ax,%ax
23: 66 90 xchg %ax,%ax
25: 66 90 xchg %ax,%ax
27: 90 nop
28: cd 80 int $0x80
2a:* c3 ret <-- trapping instruction
2b: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
31: 8d bc 27 00 00 00 00 lea 0x0(%rdi,%riz,1),%edi
38: 8b 10 mov (%rax),%edx
3a: a3 .byte 0xa3
3b: f4 hlt
3c: 3c ad cmp $0xad,%al
3e: 08 .byte 0x8
3f: 85 .byte 0x85
Code starting with the faulting instruction
===========================================
0: c3 ret
1: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
7: 8d bc 27 00 00 00 00 lea 0x0(%rdi,%riz,1),%edi
e: 8b 10 mov (%rax),%edx
10: a3 .byte 0xa3
11: f4 hlt
12: 3c ad cmp $0xad,%al
14: 08 .byte 0x8
15: 85 .byte 0x85
[ 20.956462][ T678] EAX: ffffffda EBX: 00000136 ECX: 00000001 EDX: 00033f01
[ 20.957337][ T678] ESI: 000001b6 EDI: fffffff9 EBP: fffffff8 ESP: bf997c98
[ 20.958254][ T678] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[ 20.959207][ T678] Modules linked in:
[ 20.959695][ T678] CR2: 0000000000000002
[ 20.960372][ T678] ---[ end trace 0000000000000000 ]---
[ 20.960979][ T678] EIP: handle_to_path (fs/fhandle.c:259 (discriminator 1))
[ 20.961566][ T678] Code: f2 ff ff ff e9 95 fe ff ff 8d b6 00 00 00 00 bb ea ff ff ff e9 85 fe ff ff 8d b6 00 00 00 00 8b 45 d8 ba 15 00 00 00 8b 40 6c <8b> 40 18 e8 c1 3a de ff 84 c0 0f 84 5f fe ff ff 8b 45 d8 8b 55 dc
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240527/202405271007.7e95eb21-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki