lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <13d5ecd9-3e9f-4593-b300-9141941a29cb@suse.cz>
Date: Mon, 9 Jun 2025 20:28:56 +0200
From: Vlastimil Babka <vbabka@...e.cz>
To: Uladzislau Rezki <urezki@...il.com>,
 Kent Overstreet <kent.overstreet@...ux.dev>,
 "Paul E. McKenney" <paulmck@...nel.org>
Cc: syzbot <syzbot+80e5d6f453f14a53383a@...kaller.appspotmail.com>,
 akpm@...ux-foundation.org, josh@...htriplett.org,
 linux-bcachefs@...r.kernel.org, linux-kernel@...r.kernel.org,
 linux-mm@...ck.org, rcu@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [rcu?] [bcachefs?] BUG: unable to handle kernel NULL
 pointer dereference in rcu_core (3)

On 6/8/25 20:23, Uladzislau Rezki wrote:
> On Sun, Jun 08, 2025 at 11:26:28AM -0400, Kent Overstreet wrote:
>> 
>> I don't think it's that - syzbot's .config already has that enabled.
>> KASAN, too.
>> 
>> And the only place we do call_rcu() is from rcu_pending.c, where we've
>> got a rearming rcu callback - but we track whether it's outstanding, and
>> we do all relevant operations with a lock held.
>> 
>> And we only use rcu_pending.c with SRCU, not regular RCU.
>> 
>> We do use kfree_rcu() in a few places (all boring, I expect), but that
>> doesn't (generally?) use the rcu callback list.
>>
> Right, kvfree_rcu() does not intersect with regular callbacks, it has
> its own path. 

You mean do to the batching? Maybe the batching should be disabled with
CONFIG_DEBUG_OBJECTS_RCU_HEAD=y if it prevents it from detecting issues?
Otherwise we now have kvfree_rcu_cb() so the special handling of
kvfree_rcu() is gone in in the non-batching case.

> It looks like the problem is here:
> 
> <snip>
>   f = rhp->func;
>   debug_rcu_head_callback(rhp);
>   WRITE_ONCE(rhp->func, (rcu_callback_t)0L);
>   f(rhp);
> <snip>
> 
> we do not check if callback, "f", is a NULL. If it is, the kernel bug
> is triggered right away. For example:
> 
> call_rcu(&rh, NULL);
> 
> @Paul, do you think it makes sense to narrow callers which apparently
> pass NULL as a callback? To me it seems the case of this bug. But we
> do not know the source.
> 
> It would give at least a stack-trace of caller which passes a NULL.

Right, AFAIU this kind of check is now possible, previously NULL was being
interpreted as a valid __is_kvfree_rcu_offset() (i.e. rcu_head at offset 0).

> --
> Uladzislau Rezki
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ