lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 5 Jun 2019 14:54:01 +0100
From:   Mark Rutland <mark.rutland@....com>
To:     David Howells <dhowells@...hat.com>,
        Al Viro <viro@...iv.linux.org.uk>
Cc:     linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: "Dentry still in use" splats in v5.2-rc3

Hi All,

While fuzzing arm64 v5.2-rc3, Syzkaller started hitting splats of the
form:

    BUG: Dentry (____ptrval____){i=1,n=/}  still in use (2) [unmount of bpf bpf]

... which I can reliably reproduce with the following C program
(partially minimized from what Syzkaller auto-generated).

It looks like any filesystem will do. I've seen splats with "bpf",
"hugetlbfs", "rpc_pipefs", and "tmpfs", and can reproduce the problem
with any of these.

Any ideas?

I'm using the config from my fuzzing/5.2-rc3 branch on kernel.org [1].

Thanks,
Mark.

----
#include <unistd.h>
#include <sys/syscall.h>

/*
 * NOTE: these are the arm64 numbers
 */
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount 432
#endif
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif

int main(void)
{
        int fs, mnt;

        fs = syscall(__NR_fsopen, "bpf", 0);
        syscall(__NR_fsconfig, fs, 6, 0, 0, 0);
        mnt = syscall(__NR_fsmount, fs, 0, 0);
        fchdir(mnt);

        close(fs);
        close(mnt);
}

----

----
[   29.746323][  T245] BUG: Dentry (____ptrval____){i=1,n=/}  still in use (2) [unmount of bpf bpf]
[   29.748645][  T245] WARNING: CPU: 3 PID: 245 at fs/dcache.c:1529 umount_check+0x170/0x1b8
[   29.750313][  T245] CPU: 3 PID: 245 Comm: repro Not tainted 5.2.0-rc3-00004-gff694e8 #1
[   29.752165][  T245] Hardware name: linux,dummy-virt (DT)
[   29.753406][  T245] pstate: 80400005 (Nzcv daif +PAN -UAO)
[   29.754640][  T245] pc : umount_check+0x170/0x1b8
[   29.755708][  T245] lr : umount_check+0x170/0x1b8
[   29.756821][  T245] sp : ffff8000647b7ac0
[   29.757730][  T245] x29: ffff8000647b7ac0 x28: ffff20001073dc38 
[   29.759047][  T245] x27: ffff8000666f4788 x26: ffff800064732040 
[   29.760428][  T245] x25: ffff10000c8e6325 x24: ffff200014f62500 
[   29.761755][  T245] x23: 0000000000000001 x22: ffff200015041e80 
[   29.763061][  T245] x21: ffff8000647aec80 x20: 0000000000000002 
[   29.764441][  T245] x19: ffff8000666f4788 x18: 0000000000000000 
[   29.765764][  T245] x17: 0000000000000000 x16: 0000000000000000 
[   29.767064][  T245] x15: 0000000000000000 x14: ffff200014f70788 
[   29.768445][  T245] x13: 00000000f2000000 x12: ffff10000d566546 
[   29.769774][  T245] x11: 1ffff0000d566545 x10: ffff10000d566545 
[   29.771098][  T245] x9 : 1ffff0000d566545 x8 : dfff200000000000 
[   29.772484][  T245] x7 : ffff10000d566546 x6 : ffff80006ab32a2f 
[   29.773820][  T245] x5 : ffff10000d566546 x4 : ffff10000d566546 
[   29.775155][  T245] x3 : 1fffe40002d30afc x2 : 24cbddc7f4015a00 
[   29.776539][  T245] x1 : 0000000000000000 x0 : 000000000000004c 
[   29.777868][  T245] Call trace:
[   29.778598][  T245]  umount_check+0x170/0x1b8
[   29.779574][  T245]  d_walk.part.2+0x100/0x6a0
[   29.780610][  T245]  do_one_tree+0x34/0x58
[   29.781577][  T245]  shrink_dcache_for_umount+0x60/0x110
[   29.782752][  T245]  generic_shutdown_super+0x68/0x360
[   29.783913][  T245]  kill_anon_super+0x44/0x70
[   29.784932][  T245]  kill_litter_super+0x4c/0x60
[   29.786054][  T245]  deactivate_locked_super+0x8c/0xf0
[   29.787214][  T245]  deactivate_super+0xd8/0xf8
[   29.788278][  T245]  cleanup_mnt+0x90/0x128
[   29.789388][  T245]  __cleanup_mnt+0x1c/0x28
[   29.790362][  T245]  task_work_run+0x124/0x198
[   29.791374][  T245]  do_notify_resume+0x664/0x778
[   29.792440][  T245]  work_pending+0x8/0x14
[   29.793439][  T245] irq event stamp: 1502
[   29.794374][  T245] hardirqs last  enabled at (1501): [<ffff2000102afd48>] console_unlock+0x700/0xcc0
[   29.796424][  T245] hardirqs last disabled at (1502): [<ffff200010082110>] do_debug_exception+0x118/0x438
[   29.798605][  T245] softirqs last  enabled at (1498): [<ffff200010083574>] __do_softirq+0xbc4/0x10c8
[   29.800639][  T245] softirqs last disabled at (1443): [<ffff20001019f96c>] irq_exit+0x2c4/0x338
[   29.802581][  T245] ---[ end trace cd8baed7622b7c8b ]---
[   29.804034][  T245] VFS: Busy inodes after unmount of bpf. Self-destruct in 5 seconds.  Have a nice day...
----

[1] git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git fuzzing/5.2-rc3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ