| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aEgmD6POgqn-jUH1@pc636> Date: Tue, 10 Jun 2025 14:33:19 +0200 From: Uladzislau Rezki <urezki@...il.com> To: Vlastimil Babka <vbabka@...e.cz> Cc: Uladzislau Rezki <urezki@...il.com>, Kent Overstreet <kent.overstreet@...ux.dev>, "Paul E. McKenney" <paulmck@...nel.org>, syzbot <syzbot+80e5d6f453f14a53383a@...kaller.appspotmail.com>, akpm@...ux-foundation.org, josh@...htriplett.org, linux-bcachefs@...r.kernel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org, rcu@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: Re: [syzbot] [rcu?] [bcachefs?] BUG: unable to handle kernel NULL pointer dereference in rcu_core (3) On Mon, Jun 09, 2025 at 08:28:56PM +0200, Vlastimil Babka wrote: > On 6/8/25 20:23, Uladzislau Rezki wrote: > > On Sun, Jun 08, 2025 at 11:26:28AM -0400, Kent Overstreet wrote: > >> > >> I don't think it's that - syzbot's .config already has that enabled. > >> KASAN, too. > >> > >> And the only place we do call_rcu() is from rcu_pending.c, where we've > >> got a rearming rcu callback - but we track whether it's outstanding, and > >> we do all relevant operations with a lock held. > >> > >> And we only use rcu_pending.c with SRCU, not regular RCU. > >> > >> We do use kfree_rcu() in a few places (all boring, I expect), but that > >> doesn't (generally?) use the rcu callback list. > >> > > Right, kvfree_rcu() does not intersect with regular callbacks, it has > > its own path. > > You mean do to the batching? Maybe the batching should be disabled with > CONFIG_DEBUG_OBJECTS_RCU_HEAD=y if it prevents it from detecting issues? > Otherwise we now have kvfree_rcu_cb() so the special handling of > kvfree_rcu() is gone in in the non-batching case. > Not really. I meant that in a call_rcu() API there is no any check if a passed callback which is executed after GP is NULL. If so, we get the bug about about dereferencing of NULL pointer. Since it is invoked by the rcu_core() context, we can not identify the caller in order to blame someone :) As for batching, we have a support of CONFIG_DEBUG_OBJECTS_RCU_HEAD. It helps to identify double-freeing and probably leaking. > > It looks like the problem is here: > > > > <snip> > > f = rhp->func; > > debug_rcu_head_callback(rhp); > > WRITE_ONCE(rhp->func, (rcu_callback_t)0L); > > f(rhp); > > <snip> > > > > we do not check if callback, "f", is a NULL. If it is, the kernel bug > > is triggered right away. For example: > > > > call_rcu(&rh, NULL); > > > > @Paul, do you think it makes sense to narrow callers which apparently > > pass NULL as a callback? To me it seems the case of this bug. But we > > do not know the source. > > > > It would give at least a stack-trace of caller which passes a NULL. > > Right, AFAIU this kind of check is now possible, previously NULL was being > interpreted as a valid __is_kvfree_rcu_offset() (i.e. rcu_head at offset 0). > > > -- > > Uladzislau Rezki > > >
Powered by blists - more mailing lists