From: bugzilla-daemon@kernel.org
To: linuxppc-dev@lists.ozlabs.org
Subject: [Bug 214913] [xfstests generic/051] BUG: Kernel NULL pointer dereference on read at 0x00000108 NIP [c0000000000372e4] tm_cgpr_active+0x14/0x40
Date: Mon, 12 Dec 2022 07:30:59 +0000 [thread overview]
Message-ID: <bug-214913-206035-L4SJLvo7CX@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-214913-206035@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=214913
--- Comment #11 from Christophe Leroy (christophe.leroy@csgroup.eu) ---
Le 12/12/2022 à 04:52, Nicholas Piggin a écrit :
> On Sun Dec 11, 2022 at 11:19 PM AEST, wrote:
>> https://bugzilla.kernel.org/show_bug.cgi?id=214913
>>
>> --- Comment #7 from Zorro Lang (zlang@redhat.com) ---
>> (In reply to Michael Ellerman from comment #5)
>>> Sorry I don't have any idea which commit could have fixed this.
>>>
>>> The process that crashed was "fsstress", do you know if it uses io_uring?
>>
>> Yes, fsstress has io_uring read/write operations. And from the kernel
>> .config
>> file(as attachment), the CONFIG_IO_URING=y
>
> The task being dumped seems like it's lost its task->thread.regs. The
> NULL pointer is here:
>
> int tm_cgpr_active(struct task_struct *target, const struct user_regset
> *regset)
> {
> if (!cpu_has_feature(CPU_FTR_TM))
> return -ENODEV;
>
> if (!MSR_TM_ACTIVE(target->thread.regs->msr))
> return 0;
>
> return regset->n;
> }
>
> On that regs->msr deref. r9 contains the regs pointer.
>
> The kernel attempt to read user page - exploit attempt? message is
> I think a red herring it's coming up because of the NULL deref I
> think (I thought we fixed that).
>
No we didn't fix that, my patch was rejected see
https://patchwork.ozlabs.org/project/linuxppc-dev/patch/8b865b93d25c15c8e6d41e71c368bfc28da4489d.1606816701.git.christophe.leroy@csgroup.eu/
The reason for the rejection was:
The first page can be mapped if mmap_min_addr is 0.
Blocking all faults to the first page would potentially break any
program that does that.
Also if there is something mapped at 0 it's a good chance it is an
exploit attempt :)
Christophe
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
next prev parent reply other threads:[~2022-12-12 7:32 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-02 9:27 [Bug 214913] New: [xfstests generic/051] BUG: Kernel NULL pointer dereference on read at 0x00000108 NIP [c0000000000372e4] tm_cgpr_active+0x14/0x40 bugzilla-daemon
2021-11-02 9:29 ` [Bug 214913] " bugzilla-daemon
2021-11-04 5:45 ` bugzilla-daemon
2021-11-04 8:15 ` bugzilla-daemon
2021-11-05 11:53 ` bugzilla-daemon
2021-12-09 11:43 ` bugzilla-daemon
2022-12-11 13:13 ` bugzilla-daemon
2022-12-11 13:19 ` bugzilla-daemon
2022-12-12 3:52 ` Nicholas Piggin
2022-12-12 7:30 ` Christophe Leroy
2022-12-12 3:52 ` bugzilla-daemon
2022-12-12 5:57 ` bugzilla-daemon
2022-12-12 7:19 ` Nicholas Piggin
2022-12-12 7:19 ` bugzilla-daemon
2022-12-12 7:30 ` bugzilla-daemon [this message]
2024-11-14 3:21 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-214913-206035-L4SJLvo7CX@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).