lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 30 Oct 2023 16:39:11 +0800
From:   ChenXiaoSong <chenxiaosongemail@...mail.com>
To:     gregkh@...uxfoundation.org, trond.myklebust@...merspace.com,
        chenxiaosong@...inos.cn
Cc:     Anna.Schumaker@...app.com, sashal@...nel.org,
        liuzhengyuan@...inos.cn, huangjinhui@...inos.cn,
        liuyun01@...inos.cn, huhai@...inos.cn, linux-nfs@...r.kernel.org,
        linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Question about LTS 4.19 patch "89047634f5ce NFS: Don't interrupt file
 writeout due to fatal errors"

Hi Trond and Greg:

LTS 4.19 reported null-ptr-deref BUG as follows:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
Call Trace:
  nfs_inode_add_request+0x1cc/0x5b8
  nfs_setup_write_request+0x1fa/0x1fc
  nfs_writepage_setup+0x2d/0x7d
  nfs_updatepage+0x8b8/0x936
  nfs_write_end+0x61d/0xd45
  generic_perform_write+0x19a/0x3f0
  nfs_file_write+0x2cc/0x6e5
  new_sync_write+0x442/0x560
  __vfs_write+0xda/0xef
  vfs_write+0x176/0x48b
  ksys_write+0x10a/0x1e9
  __se_sys_write+0x24/0x29
  __x64_sys_write+0x79/0x93
  do_syscall_64+0x16d/0x4bb
  entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The reason is: generic_error_remove_page set page->mapping to NULL when 
nfs server have a fatal error:

nfs_updatepage
   nfs_writepage_setup
     nfs_setup_write_request
       nfs_try_to_update_request // return NULL
         nfs_wb_page // return 0
           nfs_writepage_locked // return 0
             nfs_do_writepage // return 0
               nfs_page_async_flush // return 0
                 nfs_error_is_fatal_on_server
                 generic_error_remove_page
                   truncate_inode_page
                     delete_from_page_cache
                       __delete_from_page_cache
                         page_cache_tree_delete
                           page->mapping = NULL // this is point
       nfs_create_request
         req->wb_page    = page // the page is freed
       nfs_inode_add_request
         mapping = page_file_mapping(req->wb_page)
           return page->mapping
         spin_lock(&mapping->private_lock) // mapping is NULL

It is reasonable by reverting the patch "89047634f5ce NFS: Don't 
interrupt file writeout due to fatal errors" to fix this bug?


This patch is one patch of patchset [Fix up soft mounts for 
NFSv4.x](https://lore.kernel.org/all/20190407175912.23528-1-trond.myklebust@hammerspace.com/), 
the patchset replace custom error reporting mechanism. it seams that we 
should merge all the patchset to LTS 4.19, or all patchs should not be 
merged. And the "Fixes:" label is not correct, this patch is a 
refactoring patch, not for fixing bugs.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ