From patchwork Sun Jun 7 23:41:18 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrew Morton
X-Patchwork-Id: 224736
Date: Sun, 07 Jun 2020 16:41:18 -0700
From: Andrew Morton
To: hdk1983@gmail.com, hermes@ceres.dti.ne.jp, konishi.ryusuke@gmail.com, me@waltonhoops.com, mm-commits@vger.kernel.org, stable@vger.kernel.org, tom@logand.com
Subject: + nilfs2-fix-null-pointer-dereference-at-nilfs_segctor_do_construct.patch added to -mm tree
Message-ID: <20200607234118.e6OahXAr8%akpm@linux-foundation.org>
In-Reply-To: <20200604164523.e15f3177f4b69dcb4f2534a1@linux-foundation.org>
User-Agent: s-nail v14.8.16
Sender: stable-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org

The patch titled
     Subject: nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()
has been added to the -mm tree.  Its filename is
     nilfs2-fix-null-pointer-dereference-at-nilfs_segctor_do_construct.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/nilfs2-fix-null-pointer-dereference-at-nilfs_segctor_do_construct.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/nilfs2-fix-null-pointer-dereference-at-nilfs_segctor_do_construct.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Ryusuke Konishi
Subject: nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()

After commit c3aab9a0bd91 ("mm/filemap.c: don't initiate writeback if
mapping has no dirty pages"), the following null pointer dereference has
been reported on nilfs2:

  BUG: kernel NULL pointer dereference, address: 00000000000000a8
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] SMP PTI
  ...
  RIP: 0010:percpu_counter_add_batch+0xa/0x60
  ...
  Call Trace:
    __test_set_page_writeback+0x2d3/0x330
    nilfs_segctor_do_construct+0x10d3/0x2110 [nilfs2]
    nilfs_segctor_construct+0x168/0x260 [nilfs2]
    nilfs_segctor_thread+0x127/0x3b0 [nilfs2]
    kthread+0xf8/0x130
    ...

This crash turned out to be caused by set_page_writeback() call for
segment summary buffers at nilfs_segctor_prepare_write().

set_page_writeback() can call inc_wb_stat(inode_to_wb(inode),
WB_WRITEBACK) where inode_to_wb(inode) is NULL if the inode of
underlying block device does not have an associated wb.

This fixes the issue by calling inode_attach_wb() in advance to ensure
to associate the bdev inode with its wb.

Link: http://lkml.kernel.org/r/20200608.011819.1399059588922299158.konishi.ryusuke@gmail.com
Fixes: c3aab9a0bd91 ("mm/filemap.c: don't initiate writeback if mapping has no dirty pages")
Signed-off-by: Ryusuke Konishi
Tested-by: Ryusuke Konishi
Reported-by: Walton Hoops
Reported-by: Tomas Hlavaty
Reported-by: ARAI Shun-ichi
Reported-by: Hideki EIRAKU
Cc: [5.4+]
Signed-off-by: Andrew Morton
---

 fs/nilfs2/segment.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/nilfs2/segment.c~nilfs2-fix-null-pointer-dereference-at-nilfs_segctor_do_construct +++ a/fs/nilfs2/segment.c
@@ -2780,6 +2780,8 @@ int nilfs_attach_log_writer(struct super if (!nilfs->ns_writer) return -ENOMEM; + inode_attach_wb(nilfs->ns_bdev->bd_inode, NULL); + err = nilfs_segctor_start_thread(nilfs->ns_writer); if (err) { kfree(nilfs->ns_writer); From patchwork Thu Jun 4 23:51:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Morton X-Patchwork-Id: 224815 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DCF99C433DF for ; Thu, 4 Jun 2020 23:51:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B3D6120885 for ; Thu, 4 Jun 2020 23:51:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591314689; bh=XXxDjNogkdci1qxWAScTv1ZqBxr4iB4zXBQkWdZw69M=; h=Date:From:To:Subject:In-Reply-To:List-ID:From; b=p6u0NCNnwq+1opqNTpPYgykA5w9Xk33/BIjvVTqWJkin5bIt9Ap5mQm/BZV+bDgdQ k49VJAeDwskZU2OJIX8RHec9ZXFd5Hq2PxSTiJWb7XhpHOkYrwEaVYxR4C6YKBKJC+ HzHAj88SjS2EzDow7gsM3p9C2HZsfb0SwfLleRjo= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726129AbgFDXv3 (ORCPT ); Thu, 4 Jun 2020 19:51:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:50022 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725943AbgFDXv2 (ORCPT ); Thu, 4 Jun 2020 19:51:28 -0400 Received: from localhost.localdomain (c-73-231-172-41.hsd1.ca.comcast.net [73.231.172.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate 
requested) by mail.kernel.org (Postfix) with ESMTPSA id 17525208C9; Thu, 4 Jun 2020 23:51:28 +0000 (UTC)
Date: Thu, 04 Jun 2020 16:51:27 -0700
From: Andrew Morton
To: ajd@linux.ibm.com, akash.goel@intel.com, akpm@linux-foundation.org, carnil@debian.org, dja@axtens.net, linux-mm@kvack.org, linux@roeck-us.net, mm-commits@vger.kernel.org, mpe@ellerman.id.au, rientjes@google.com, stable@vger.kernel.org, torvalds@linux-foundation.org
Subject: [patch 100/127] kernel/relay.c: handle alloc_percpu returning NULL in relay_open
Message-ID: <20200604235127.XZqAyQULA%akpm@linux-foundation.org>
In-Reply-To: <20200604164523.e15f3177f4b69dcb4f2534a1@linux-foundation.org>
User-Agent: s-nail v14.8.16
Sender: stable-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org

From: Daniel Axtens
Subject: kernel/relay.c: handle alloc_percpu returning NULL in relay_open

alloc_percpu() may return NULL, which means chan->buf may be set to NULL.
In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
invalid pointer:

  BUG: Unable to handle kernel data access at 0x7dae0000
  Faulting instruction address: 0xc0000000003f3fec
  ...
  NIP [c0000000003f3fec] relay_open+0x29c/0x600
  LR [c0000000003f3fc0] relay_open+0x270/0x600
  Call Trace:
  [c000000054353a70] [c0000000003f3fb4] relay_open+0x264/0x600 (unreliable)
  [c000000054353b00] [c000000000451764] __blk_trace_setup+0x254/0x600
  [c000000054353bb0] [c000000000451b78] blk_trace_setup+0x68/0xa0
  [c000000054353c10] [c0000000010da77c] sg_ioctl+0x7bc/0x2e80
  [c000000054353cd0] [c000000000758cbc] do_vfs_ioctl+0x13c/0x1300
  [c000000054353d90] [c000000000759f14] ksys_ioctl+0x94/0x130
  [c000000054353de0] [c000000000759ff8] sys_ioctl+0x48/0xb0
  [c000000054353e20] [c00000000000bcd0] system_call+0x5c/0x68

Check if alloc_percpu returns NULL.

This was found by syzkaller both on x86 and powerpc, and the reproducer
it found on powerpc is capable of hitting the issue as an unprivileged
user.

Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net
Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
Signed-off-by: Daniel Axtens
Reviewed-by: Michael Ellerman
Reviewed-by: Andrew Donnellan
Acked-by: David Rientjes
Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com
Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com
Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com
Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com
Cc: Akash Goel
Cc: Andrew Donnellan
Cc: Guenter Roeck
Cc: Salvatore Bonaccorso
Cc: [4.10+]
Signed-off-by: Andrew Morton
---

 kernel/relay.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/kernel/relay.c~relay-handle-alloc_percpu-returning-null-in-relay_open +++ a/kernel/relay.c
@@ -581,6 +581,11 @@ struct rchan *relay_open(const char *bas return NULL; chan->buf = alloc_percpu(struct rchan_buf *); + if (!chan->buf) { + kfree(chan); + return NULL; + } + chan->version = RELAYFS_CHANNEL_VERSION; chan->n_subbufs = n_subbufs; chan->subbuf_size = subbuf_size;
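
Review bot: In kernel/relay.c, the new branch after `chan->buf = alloc_percpu(struct rchan_buf *);` in relay_open() returns NULL exactly like the failure path just above it, so a caller cannot tell which allocation failed, and the only unwinding is an open-coded `kfree(chan);`. That is correct here because chan->version, chan->n_subbufs and chan->subbuf_size are assigned after the check and nothing else is attached to chan yet, but it stays correct only while the check sits directly after the allocation. Consider a shared error label for the unwinding, and confirm that the callers on the path shown in the trace (__blk_trace_setup) handle a NULL return from relay_open().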
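
Review bot: In fs/nilfs2/segment.c (the first patch above), the added `inode_attach_wb(nilfs->ns_bdev->bd_inode, NULL);` in nilfs_attach_log_writer() carries no comment, and nothing at the call site explains why log-writer setup touches the block device inode's writeback association. The reason (set_page_writeback() on segment summary buffers reaches inode_to_wb(inode), which is NULL when the bdev inode has no associated wb) exists only in the commit message. A short comment above the call would help, and it should also state that the call has to stay ahead of nilfs_segctor_start_thread(), since the reported crash is in nilfs_segctor_thread, which that call starts.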