Message-ID: <20250127091811.3183623-1-quzicheng@huawei.com>
Date: Mon, 27 Jan 2025 09:18:11 +0000
From: Zicheng Qu <quzicheng@...wei.com>
To: <quzicheng@...wei.com>
CC: <pengfei.xu@...el.com>, <axboe@...nel.dk>, <hch@....de>,
	<jlayton@...nel.org>, <brauner@...nel.org>, <joel.granados@...nel.org>,
	<rafael@...nel.org>, <len.brown@...el.com>, <pavel@....cz>,
	<linux-kernel@...r.kernel.org>, <linux-pm@...r.kernel.org>,
	<syzkaller-bugs@...glegroups.com>
Subject: Re: [Syzkaller & bisect] There is general protection fault in path_init in v6.11-rc2

Hi,

I am encountering this similar panic issue in v6.6 and would greatly 
appreciate any guidance or suggestions you might have. 

It seems that the sysfs path was passed to acct(), and when the process 
exited, the fs_struct was released. However, acct_pin_kill() attempted 
to write to the hibernate sysfs interface, triggering a null pointer 
dereference.

I added a few more logs (labeled the file path, the function name and
some key info) based on Pengfei. Below are the relevant log excerpts
and details of the problem for the process/thread T9251:

[  266.570716][ T9251] kernel/acct.c acct_on(): ./file0
[  266.574701][ T7380] fs/namei.c path_init():, fs_struct is: not null
[  266.576955][ T9251] fs/namei.c path_init():, fs_struct is: not null
[  266.579385][ T9317] fs/fs_struct.c exit_fs(): the kill is: 1, fs_struct is released
[  266.579674][ T7380] fs/namei.c path_init():, fs_struct is: not null
[  266.584518][ T9244] fs/fs_struct.c exit_fs(): the kill is: 0, fs_struct is released
[  266.587130][ T9268] fs/fs_struct.c exit_fs(): the kill is: 0, fs_struct is released
[  266.587478][ T9251] fs/fs_struct.c exit_fs(): the kill is: 1, fs_struct is released
[  266.591099][ T9278] Process accounting resumed
[  266.592558][ T7380] fs/namei.c path_init():, fs_struct is: not null
[  266.595184][ T9278] kernel/power/hibernate.c resume_store()
[  266.598253][ T7380] fs/namei.c path_init():, fs_struct is: not null
[  266.601043][ T9278] fs/namei.c path_init():, fs_struct is: not null
[  266.605319][ T7380] fs/namei.c path_init():, fs_struct is: not null
[  266.609439][ T9278] fs/fs_struct.c exit_fs(): the kill is: 1, fs_struct is released
[  266.614479][ T9321] fs/namei.c path_init():, fs_struct is: not null
[  266.615085][ T9320] fs/namei.c path_init():, fs_struct is: not null
[  266.616612][ T9251] kernel/power/hibernate.c resume_store()
[  266.620361][ T9321] fs/namei.c path_init():, fs_struct is: not null
[  266.622487][ T9251] fs/namei.c path_init():, fs_struct is: null
[  266.624631][ T9319] fs/fs_struct.c exit_fs(): the kill is: 1, fs_struct is released
[  266.625668][ T9321] fs/namei.c path_init():, fs_struct is: not null
[  266.625737][ T9321] fs/namei.c path_init():, fs_struct is: not null
[  266.628762][ T9251] Unable to handle kernel paging request at virtual address dfff800000000001
[  266.629149][ T9328] fs/fs_struct.c exit_fs(): the kill is: 1, fs_struct is released
[  266.633753][ T9321] fs/namei.c path_init():, fs_struct is: not null
[  266.635200][ T9251] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[  266.637804][ T9331] fs/fs_struct.c exit_fs(): the kill is: 1, fs_struct is released
[  266.641370][ T9251] Mem abort info:
[  266.641375][ T9251]   ESR = 0x0000000096000004
[  266.643344][ T9334] fs/namei.c path_init():, fs_struct is: not null
[  266.643533][ T9332] fs/fs_struct.c exit_fs(): the kill is: 1, fs_struct is released
[  266.649985][ T9335] fs/fs_struct.c exit_fs(): the kill is: 1, fs_struct is released
[  266.650571][ T9251]   EC = 0x25: DABT (current EL), IL = 32 bits
[  266.679306][ T9333] fs/namei.c path_init():, fs_struct is: not null
[  266.681354][ T9251]   SET = 0, FnV = 0
[  266.681360][ T9251]   EA = 0, S1PTW = 0
[  267.132845][ T9280] fs/fs_struct.c exit_fs(): the kill is: 0, fs_struct is released
[  267.132913][ T9274] fs/fs_struct.c exit_fs(): the kill is: 0, fs_struct is released
[  267.133970][ T9251]   FSC = 0x04: level 0 translation fault
[  267.133978][ T9251] Data abort info:
[  267.133981][ T9251]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[  267.133984][ T9251]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[  267.133988][ T9251]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[  267.133992][ T9251] [dfff800000000001] address between user and kernel address ranges
[  267.134000][ T9251] Internal error: Oops: 0000000096000004 [#1] SMP
[  267.134817][ T9320] fs/fs_struct.c exit_fs(): the kill is: 1, fs_struct is released
[  267.137764][ T7101] fs/namei.c path_init():, fs_struct is: not null
[  267.140527][ T9251] Modules linked in:
[  267.140541][ T9251] CPU: 2 PID: 9251 Comm: syz.3.547 Not tainted 6.6.0-qzc-reproduct-1+ #12
[  267.140550][ T9251] Hardware name: linux,dummy-virt (DT)
[  267.140554][ T9251] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  267.140561][ T9251] pc : path_init+0x5f0/0x16c0
[  267.140582][ T9251] lr : path_init+0x5c8/0x16c0
[  267.140588][ T9251] sp : ffff800082c06e40
[  267.140592][ T9251] x29: ffff800082c06e40 x28: 0000000000000000
[  267.143204][ T7101] fs/namei.c path_init():, fs_struct is: not null
[  267.146064][ T9251]  x27: dfff800000000000
[  267.146073][ T9251] x26: 0000000000000000 x25: 0000000000000008 x24: 0000000000000041
[  267.146082][ T9251] x23: ffff1f2bceea5520 x22: 1ffff00010580e0c x21: ffff800082c07080
[  267.146091][ T9251] x20: 1ffff00010580e10 x19: ffff800082c07060 x18: 0000000000000000
[  267.146100][ T9251] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[  267.146108][ T9251] x14: 0000000000000000 x13: 205d343332395420 x12: 0000000000000005
[  267.146115][ T9251] x11: ffff800082c07090 x10: ffff800082c07068
[  267.148952][ T7101] fs/namei.c path_init():, fs_struct is: not null
[  267.151802][ T9251]  x9 : dfff800000000001
[  267.151810][ T9251] x8 : 00008fffefa7f290 x7 : ffff800082c070a0 x6 : 0000000000000003
[  267.151819][ T9251] x5 : ffff800082c06b80 x4 : ffff700010580d71 x3 : 1ffff00010580de0
[  267.151827][ T9251] x2 : 0000000000000000 x1 : ffff1f2bc490bfc0 x0 : 000000000000002b
[  267.151836][ T9251] Call trace:
[  267.151840][ T9251]  path_init+0x5f0/0x16c0
[  267.151848][ T9251]  path_lookupat+0x3c/0x590
[  267.151855][ T9251]  filename_lookup+0x144/0x410
[  267.151859][ T9251]  kern_path+0x44/0x70
[  267.151863][ T9251]  lookup_bdev+0xb8/0x220
[  267.151871][ T9251]  resume_store+0x184/0x320
[  267.151878][ T9251]  kobj_attr_store+0x3c/0x70
[  267.154689][ T7101] fs/namei.c path_init():, fs_struct is: not null
[  267.157783][ T9251]  sysfs_kf_write+0xfc/0x188
[  267.157796][ T9251]  kernfs_fop_write_iter+0x274/0x3e0
[  267.157800][ T9251]  __kernel_write_iter+0x1c4/0x600
[  267.157808][ T9251]  __kernel_write+0xbc/0x100
[  267.157813][ T9251]  do_acct_process+0x3e8/0x620
[  267.157821][ T9251]  acct_pin_kill+0x3c/0x110
[  267.157826][ T9251]  pin_kill+0x164/0x610
[  267.157832][ T9251]  mnt_pin_kill+0x50/0x98
[  267.157836][ T9251]  cleanup_mnt+0x24c/0x2c8
[  267.161037][ T7101] fs/namei.c path_init():, fs_struct is: not null
[  267.164241][ T9251]  __cleanup_mnt+0x1c/0x30
[  267.164252][ T9251]  task_work_run+0x17c/0x308
[  267.164259][ T9251]  do_exit+0x3ac/0xa30
[  267.164267][ T9251]  do_group_exit+0x100/0x348
[  267.164272][ T9251]  get_signal+0x107c/0x10f8
[  267.164277][ T9251]  do_signal+0x160/0x400
[  267.164283][ T9251]  do_notify_resume+0x1c4/0x470
[  267.164287][ T9251]  el0_svc+0x1c0/0x1e8
[  267.164294][ T9251]  el0t_64_sync_handler+0xc0/0xc8
[  267.164299][ T9251]  el0t_64_sync+0x188/0x190
[  267.166883][ T7101] fs/namei.c path_init():, fs_struct is: not null
[  267.170069][ T9251] Code: 91010267 d343fe76 9100c26b 9100226a (39c00120) 
[  267.170079][ T9251] ---[ end trace 0000000000000000 ]---
[  267.170084][ T9251] Kernel panic - not syncing: Oops: Fatal exception
[  267.170090][ T9251] SMP: stopping secondary CPUs
[  267.170167][ T9251] Kernel Offset: 0x22a72e400000 from 0xffff800080000000
[  267.170172][ T9251] PHYS_OFFSET: 0xffffe0d540000000
[  267.170175][ T9251] CPU features: 0x00,00000008,00002009,e0080000,1000421b
[  267.170182][ T9251] Memory Limit: none
[  269.627565][ T9251] ---[ end Kernel panic - not syncing: Oops: Fatal exception ]---
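The log above is interleaved across many threads, and the interesting sequence is only visible once the lines are grouped by thread id. The following script is an added example (not part of this message or of the kernel tree) that parses the `[ timestamp][ Tnnn] message` format the debug lines use, rebuilds the per-thread timeline, and flags any thread whose own `exit_fs()` reported the fs_struct released before a later `path_init()` on that same thread saw a NULL fs_struct. The sample input is a constructed subset of the lines in this report; the log format and the debug message wording are assumed to be exactly as printed above.

```python
import re

# Constructed sample: a subset of the dmesg lines from the report above,
# still interleaved with unrelated threads (T7380, T9317).
SAMPLE_LOG = """\
[  266.570716][ T9251] kernel/acct.c acct_on(): ./file0
[  266.574701][ T7380] fs/namei.c path_init():, fs_struct is: not null
[  266.576955][ T9251] fs/namei.c path_init():, fs_struct is: not null
[  266.579385][ T9317] fs/fs_struct.c exit_fs(): the kill is: 1, fs_struct is released
[  266.587478][ T9251] fs/fs_struct.c exit_fs(): the kill is: 1, fs_struct is released
[  266.616612][ T9251] kernel/power/hibernate.c resume_store()
[  266.622487][ T9251] fs/namei.c path_init():, fs_struct is: null
[  266.628762][ T9251] Unable to handle kernel paging request at virtual address dfff800000000001
[  266.635200][ T9251] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
"""

# "[  266.570716][ T9251] message" -> timestamp, thread id, message text
LINE_RE = re.compile(r'^\[\s*(?P<ts>\d+\.\d+)\]\[\s*T(?P<tid>\d+)\]\s?(?P<msg>.*)$')
RELEASED_RE = re.compile(r'exit_fs\(\).*fs_struct is released')
NULL_FS_RE = re.compile(r'path_init\(\).*fs_struct is: null\s*$')


def parse_dmesg(text):
    """Parse dmesg-style lines into (timestamp, tid, message) tuples.

    Lines that do not carry the '[ts][ Tnnn]' prefix are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((float(m.group('ts')), int(m.group('tid')), m.group('msg')))
    return events


def timeline(events, tid):
    """Return the messages of one thread in timestamp order."""
    return [msg for ts, t, msg in sorted(events) if t == tid]


def find_fs_struct_use_after_release(events):
    """Flag threads that hit path_init() with a NULL fs_struct after their
    own exit_fs() logged the fs_struct as released.

    Returns {tid: (release_timestamp, null_deref_timestamp)}.  A thread that
    only released its fs_struct (normal exit) is not reported.
    """
    released = {}
    findings = {}
    for ts, tid, msg in sorted(events):
        if RELEASED_RE.search(msg):
            released[tid] = ts
        elif NULL_FS_RE.search(msg) and tid in released:
            findings[tid] = (released[tid], ts)
    return findings


if __name__ == '__main__':
    evs = parse_dmesg(SAMPLE_LOG)
    for tid, (rel, deref) in find_fs_struct_use_after_release(evs).items():
        print(f'T{tid}: fs_struct released at {rel:.6f}, '
              f'NULL fs_struct in path_init() at {deref:.6f}')
        for msg in timeline(evs, tid):
            print('   ', msg)
```

Run against a full `dmesg` capture, the script prints one block per offending thread followed by that thread's ordered messages, which is the same reconstruction done by hand for T9251 above (acct_on, exit_fs release, resume_store, path_init with NULL fs_struct, oops).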
