fs: GPF in deactivate_locked_super

33 views
Skip to first unread message

Dmitry Vyukov

unread,
Mar 23, 2017, 10:15:12 AM3/23/17
to Al Viro, linux-...@vger.kernel.org, LKML, syzkaller
Hello,

I've got the following crash while running syzkaller on
093b995e3b55a0ae0670226ddfcb05bfbf0099ae. Note the preceding injected
kmalloc failure, most likely it's the root cause.


FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 4874 Comm: syz-executor3 Not tainted 4.11.0-rc3+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
kzalloc include/linux/slab.h:495 [inline]
register_shrinker+0x10e/0x2d0 mm/vmscan.c:284
sget_userns+0xbf2/0xe40 fs/super.c:521
mount_ns+0x6d/0x190 fs/super.c:1026
mqueue_mount+0xbe/0xe0 ipc/mqueue.c:340
mount_fs+0x66/0x2f0 fs/super.c:1223
vfs_kern_mount.part.23+0xc6/0x4b0 fs/namespace.c:979
vfs_kern_mount fs/namespace.c:3293 [inline]
kern_mount_data+0x50/0xb0 fs/namespace.c:3293
mq_init_ns+0x167/0x220 ipc/mqueue.c:1418
create_ipc_ns ipc/namespace.c:57 [inline]
copy_ipcs+0x39b/0x580 ipc/namespace.c:83
create_new_namespaces+0x285/0x8c0 kernel/nsproxy.c:86
unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
SYSC_unshare kernel/fork.c:2319 [inline]
SyS_unshare+0x664/0xf80 kernel/fork.c:2269
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x445b79
RSP: 002b:00007fb4faa4e858 EFLAGS: 00000286 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 0000000000708000 RCX: 0000000000445b79
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000a040000
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004a7e31
R13: 0000000000000000 R14: 00007fb4faa4e618 R15: 00007fb4faa4e788

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4874 Comm: syz-executor3 Not tainted 4.11.0-rc3+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff8800390760c0 task.stack: ffff880039228000
RIP: 0010:__list_del_entry_valid+0x7e/0x150 lib/list_debug.c:51
RSP: 0018:ffff88003922ef00 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88003a232ea0 RDI: ffff88003a232ea8
RBP: ffff88003922ef18 R08: fffffbfff0c0242c R09: 0000000000000001
R10: ffff8800390760c0 R11: fffffbfff0c0242b R12: 0000000000000000
R13: dffffc0000000000 R14: ffff88003a232740 R15: ffff88003a232ea0
FS: 00007fb4faa4f700(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000ff7 CR3: 0000000043a01000 CR4: 00000000000026e0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
__list_del_entry include/linux/list.h:116 [inline]
list_del include/linux/list.h:124 [inline]
unregister_shrinker+0x79/0x300 mm/vmscan.c:301
deactivate_locked_super+0x75/0xe0 fs/super.c:308
deactivate_super+0x151/0x160 fs/super.c:340
cleanup_mnt+0xb2/0x160 fs/namespace.c:1115
mntput_no_expire+0x6e9/0xaa0 fs/namespace.c:1181
mntput fs/namespace.c:1191 [inline]
kern_unmount+0x9c/0xd0 fs/namespace.c:2995
mq_put_mnt+0x37/0x50 ipc/mqueue.c:1434
put_ipc_ns+0x4d/0x160 ipc/namespace.c:150
free_nsproxy+0xde/0x230 kernel/nsproxy.c:179
switch_task_namespaces+0xaa/0xc0 kernel/nsproxy.c:228
exit_task_namespaces+0x17/0x20 kernel/nsproxy.c:233
do_exit+0x1ac6/0x26d0 kernel/exit.c:878
do_group_exit+0x149/0x400 kernel/exit.c:983
get_signal+0x696/0x1810 kernel/signal.c:2318
do_signal+0x90/0x1ee0 arch/x86/kernel/signal.c:808
exit_to_usermode_loop+0x1e5/0x2d0 arch/x86/entry/common.c:157
prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
syscall_return_slowpath+0x3bd/0x460 arch/x86/entry/common.c:260
entry_SYSCALL_64_fastpath+0xc0/0xc2
RIP: 0033:0x445b79
RSP: 002b:00007fb4faa4e858 EFLAGS: 00000202 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 0000000000708000 RCX: 0000000000445b79
RDX: 0000000000000009 RSI: 0000000000000001 RDI: 0000000000708024
RBP: 0000000000001d10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00000000006dfdd0
R13: 000000008208ae63 R14: 000000002000a000 R15: ffffffffffffffff
Code: 00 00 00 00 ad de 49 39 c4 74 66 48 b8 00 02 00 00 00 00 ad de
48 89 da 48 39 c3 74 65 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80>
3c 02 00 75 7b 48 8b 13 48 39 f2 75 57 49 8d 7c 24 08 48 b8
RIP: __list_del_entry_valid+0x7e/0x150 lib/list_debug.c:51 RSP: ffff88003922ef00
---[ end trace 569c84071b70c014 ]---

Nikolay Borisov

unread,
Mar 24, 2017, 3:57:53 AM3/24/17
to dvy...@google.com, vi...@zeniv.linux.org.uk, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com, Nikolay Borisov
register_shrinker allocates dynamic memory and thus is susceptible to failures
under low-memory situation. Currently,get_userns ignores the return value of
register_shrinker, potentially exposing not fully initialised object. This
can lead to a NULL-ptr deref everytime shrinker->nr_deferred is referenced.

Fix this by failing to register the filesystem in case there is not enough
memory to fully construct the shrinker object.

Signed-off-by: Nikolay Borisov <nbor...@suse.com>
---
fs/super.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/super.c b/fs/super.c
index b8b6a086c03b..964b18447c92 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -518,7 +518,19 @@ struct super_block *sget_userns(struct file_system_type *type,
hlist_add_head(&s->s_instances, &type->fs_supers);
spin_unlock(&sb_lock);
get_filesystem(type);
- register_shrinker(&s->s_shrink);
+ err = register_shrinker(&s->s_shrink);
+ if (err) {
+ spin_lock(&sb_lock);
+ list_del(&s->s_list);
+ hlist_del(&s->s_instances);
+ spin_unlock(&sb_lock);
+
+ up_write(&s->s_umount);
+ destroy_super(s);
+ put_filesystem(type);
+ return ERR_PTR(err);
+ }
+
return s;
}

--
2.7.4

Nikolay Borisov

unread,
Mar 24, 2017, 4:25:53 AM3/24/17
to dvy...@google.com, vi...@zeniv.linux.org.uk, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com, Nikolay Borisov
register_shrinker allocates dynamic memory and thus is susceptible to failures
under low-memory situation. Currently,get_userns ignores the return value of
register_shrinker, potentially exposing not fully initialised object. This
can lead to a NULL-ptr deref everytime shrinker->nr_deferred is referenced.

Fix this by failing to register the filesystem in case there is not enough
memory to fully construct the shrinker object.

Signed-off-by: Nikolay Borisov <nbor...@suse.com>
Fixes: 1d3d4437eae1 ("vmscan: per-node deferred work")
Link: lkml.kernel.org/r/CACT4Y+b-purC3HHbw=SctmS3MA8FKqtNYZ...@mail.gmail.com
---

Add Fixes and Link tags for better traceability

Nikolay Borisov

unread,
Apr 1, 2017, 5:11:21 AM4/1/17
to Al Viro, Dmitry Vyukov, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com


On 24.03.2017 10:25, Nikolay Borisov wrote:
> register_shrinker allocates dynamic memory and thus is susceptible to failures
> under low-memory situation. Currently,get_userns ignores the return value of
> register_shrinker, potentially exposing not fully initialised object. This
> can lead to a NULL-ptr deref everytime shrinker->nr_deferred is referenced.
>
> Fix this by failing to register the filesystem in case there is not enough
> memory to fully construct the shrinker object.
>
> Signed-off-by: Nikolay Borisov <nbor...@suse.com>
> Fixes: 1d3d4437eae1 ("vmscan: per-node deferred work")
> Link: lkml.kernel.org/r/CACT4Y+b-purC3HHbw=SctmS3MA8FKqtNYZ...@mail.gmail.com
> ---

PING, Al is there something bothering you with this patch that needs
fixing before it's merged? Also I think it should be tagged stable.
Reply all
Reply to author
Forward
0 new messages