| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240722095403.dmnewl7g7ti6fqat@quack3>
Date: Mon, 22 Jul 2024 11:54:03 +0200
From: Jan Kara <jack@...e.cz>
To: Zqiang <qiang.zhang1211@...il.com>
Cc: viro@...iv.linux.org.uk, brauner@...nel.org, jack@...e.cz,
paulmck@...nel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] nsfs: Fix the missed rcu_read_unlock() invoking in
ns_ioctl()
On Mon 22-07-24 16:51:49, Zqiang wrote:
> Currently, the syzbot report follow wanings:
>
> Voluntary context switch within RCU read-side critical section!
> WARNING: CPU: 0 PID: 3460 at kernel/rcu/tree_plugin.h:330 rcu_note_context_switch+0x354/0x49c
> Call trace:
> rcu_note_context_switch+0x354/0x49c kernel/rcu/tree_plugin.h:330
> __schedule+0xb0/0x850 kernel/sched/core.c:6417
> __schedule_loop kernel/sched/core.c:6606 [inline]
> schedule+0x34/0x104 kernel/sched/core.c:6621
> do_notify_resume+0xe4/0x164 arch/arm64/kernel/entry-common.c:136
> exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
> exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
> el0_interrupt+0xc4/0xc8 arch/arm64/kernel/entry-common.c:797
> __el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:802
> el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:807
> el0t_64_irq+0x19c/0x1a0 arch/arm64/kernel/entry.S:599
>
> This happens when the tsk pointer is null and a call to rcu_read_unlock()
> is missed in ns_ioctl(), this commit therefore invoke rcu_read_lock()
> when tsk pointer is null.
>
> Reported-by: syzbot+784d0a1246a539975f05@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=784d0a1246a539975f05
> Fixes: ca567df74a28 ("nsfs: add pid translation ioctls")
> Signed-off-by: Zqiang <qiang.zhang1211@...il.com>
Thanks for the fix but this should be already fixed by commit
280e36f0d5b9971 ("nsfs: use cleanup guard") that was recently merged
upstream.
Honza
> ---
> fs/nsfs.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nsfs.c b/fs/nsfs.c
> index a4a925dce331..e228d06f0949 100644
> --- a/fs/nsfs.c
> +++ b/fs/nsfs.c
> @@ -188,8 +188,10 @@ static long ns_ioctl(struct file *filp, unsigned int ioctl,
> tsk = find_task_by_vpid(arg);
> else
> tsk = find_task_by_pid_ns(arg, pid_ns);
> - if (!tsk)
> + if (!tsk) {
> + rcu_read_unlock();
> break;
> + }
>
> switch (ioctl) {
> case NS_GET_PID_FROM_PIDNS:
> --
> 2.17.1
>
--
Jan Kara <jack@...e.com>
SUSE Labs, CR
Powered by blists - more mailing lists