Date:   Mon, 10 Jun 2019 11:30:32 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     David Howells <dhowells@...hat.com>,
        Al Viro <viro@...iv.linux.org.uk>
Cc:     Mark Rutland <mark.rutland@....com>, linux-kernel@...r.kernel.org,
        linux-fsdevel@...r.kernel.org
Subject: Re: "Dentry still in use" splats in v5.2-rc3

On Wed, Jun 05, 2019 at 02:54:01PM +0100, Mark Rutland wrote:
> Hi All,
> 
> While fuzzing arm64 v5.2-rc3, Syzkaller started hitting splats of the
> form:
> 
>     BUG: Dentry (____ptrval____){i=1,n=/}  still in use (2) [unmount of bpf bpf]
> 
> ... which I can reliably reproduce with the following C program
> (partially minimized from what Syzkaller auto-generated).
> 
> It looks like any filesystem will do. I've seen splats with "bpf",
> "hugetlbfs", "rpc_pipefs", and "tmpfs", and can reproduce the problem
> with any of these.
> 
> Any ideas?
> 
> I'm using the config from my fuzzing/5.2-rc3 branch on kernel.org [1].
> 
> Thanks,
> Mark.
> 
> ----
> #include <unistd.h>
> #include <sys/syscall.h>
> 
> /*
>  * NOTE: these are the arm64 numbers
>  */
> #ifndef __NR_fsconfig
> #define __NR_fsconfig 431
> #endif
> #ifndef __NR_fsmount
> #define __NR_fsmount 432
> #endif
> #ifndef __NR_fsopen
> #define __NR_fsopen 430
> #endif
> 
> int main(void)
> {
>         int fs, mnt;
> 
>         /* Open a new filesystem context for "bpf" (fsopen). */
>         fs = syscall(__NR_fsopen, "bpf", 0);
>         /* 6 == FSCONFIG_CMD_CREATE: instantiate the superblock. */
>         syscall(__NR_fsconfig, fs, 6, 0, 0, 0);
>         /* Obtain a detached mount object for the new superblock. */
>         mnt = syscall(__NR_fsmount, fs, 0, 0);
>         /* Make the mount root our cwd, then drop both descriptors. */
>         fchdir(mnt);
> 
>         close(fs);
>         close(mnt);
>         return 0;
> }
> 

David and Al, is sys_fsmount() missing a call to mntget()?

- Eric
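
The splat Mark quotes is the kernel's "Dentry ... still in use" report, printed at unmount when a dentry still has references: the fields are the dentry pointer (hashed as ____ptrval____ here), its inode number in hex, its name, the remaining reference count in parentheses, and the filesystem type plus superblock id being unmounted. When a fuzzer or CI run produces many of these, it helps to pull them out of the log mechanically rather than eyeballing dmesg. The following parser is an added example written for this page, not code from the thread or from the kernel tree; the log lines it consumes are constructed to match the quoted format (the second line is unrelated noise), and the field names in the dataclass are my own choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log (not from the thread), modelled on the splat quoted
# above.  One line of unrelated noise is included to show it is ignored.
SAMPLE_LOG = """\
[  123.456789] BUG: Dentry (____ptrval____){i=1,n=/}  still in use (2) [unmount of bpf bpf]
[  123.457000] random: crng init done
[  200.000000] BUG: Dentry (____ptrval____){i=1,n=/}  still in use (1) [unmount of tmpfs tmpfs]
[  250.000000] BUG: Dentry 00000000deadbeef{i=2,n=x}  still in use (3) [unmount of hugetlbfs hugetlbfs]
"""

# Matches the kernel's format:
#   BUG: Dentry <ptr>{i=<hex inode>,n=<name>} still in use (<count>) [unmount of <fstype> <sb id>]
# \s+ before "still" tolerates the double space seen in the quoted splat.
SPLAT_RE = re.compile(
    r"BUG: Dentry (?P<ptr>[^{\s]+)\{i=(?P<ino>[0-9a-fA-F]+),n=(?P<name>[^}]*)\}\s+"
    r"still in use \((?P<count>-?\d+)\) \[unmount of (?P<fstype>\S+) (?P<sb_id>[^\]]*)\]"
)


@dataclass(frozen=True)
class DentrySplat:
    ptr: str      # dentry address as printed (may be the hashed placeholder)
    ino: int      # inode number, decoded from hex
    name: str     # dentry name (%pd)
    count: int    # reference count still held at unmount time
    fstype: str   # filesystem type name
    sb_id: str    # superblock id (s_id)


def parse_splat(line: str) -> Optional[DentrySplat]:
    """Decode one log line; return None if it is not a dentry-in-use splat."""
    m = SPLAT_RE.search(line)
    if m is None:
        return None
    return DentrySplat(
        ptr=m["ptr"],
        ino=int(m["ino"], 16),
        name=m["name"],
        count=int(m["count"]),
        fstype=m["fstype"],
        sb_id=m["sb_id"],
    )


def find_splats(log: str) -> List[DentrySplat]:
    """Return every dentry-in-use splat found in a multi-line log."""
    found = []
    for line in log.splitlines():
        splat = parse_splat(line)
        if splat is not None:
            found.append(splat)
    return found


def summarize(splats: List[DentrySplat]) -> Dict[str, int]:
    """Count splats per filesystem type, to see whether one fs is special."""
    per_fs: Dict[str, int] = {}
    for s in splats:
        per_fs[s.fstype] = per_fs.get(s.fstype, 0) + 1
    return per_fs


if __name__ == "__main__":
    for s in find_splats(SAMPLE_LOG):
        print(f"{s.fstype:<10} sb={s.sb_id:<10} name={s.name!r} ino={s.ino} refs={s.count}")
    print(summarize(find_splats(SAMPLE_LOG)))
```

Feed it the output of `dmesg` or the fuzzer's serial log; a summary that spans several unrelated filesystem types, as in Mark's report, points at the shared VFS/mount path rather than at any one filesystem, which is the same conclusion the thread reaches by hand.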
