lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <cb0c926f-15be-4400-a9b9-0122a6238fea@app.fastmail.com>
Date: Wed, 25 Jun 2025 15:29:50 +0200
From: "Arnd Bergmann" <arnd@...db.de>
To: "Marek Szyprowski" <m.szyprowski@...sung.com>,
 "Arnd Bergmann" <arnd@...nel.org>,
 "Alexander Viro" <viro@...iv.linux.org.uk>,
 "Christian Brauner" <brauner@...nel.org>
Cc: "Jan Kara" <jack@...e.cz>,
 "Alexander Mikhalitsyn" <alexander@...alicyn.com>,
 "Jann Horn" <jannh@...gle.com>, "Luca Boccassi" <luca.boccassi@...il.com>,
 "Jeff Layton" <jlayton@...nel.org>,
 "Roman Kisel" <romank@...ux.microsoft.com>, linux-fsdevel@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] coredump: reduce stack usage in vfs_coredump()

On Wed, Jun 25, 2025, at 13:54, Marek Szyprowski wrote:
> On 25.06.2025 13:41, Marek Szyprowski wrote:
>>
>> This change appears in today's linux-next (next-20250625) as commit 
>> fb82645d3f72 ("coredump: reduce stack usage in vfs_coredump()"). In my 
>> tests I found that it causes a kernel oops on some of my ARM 32bit 
>> Exynos based boards. This is really strange, because I don't see any 
>> obvious problem in this patch. Reverting $subject on top of linux-next 
>> hides/fixes the oops. I suspect some kind of use-after-free issue, but 
>> I cannot point anything related. Here is the kernel log from one of 
>> the affected boards (I've intentionally kept the register and stack 
>> dumps):
>
> I've just checked once again and found the source of the issue. 
> vfs_coredump() calls coredump_cleanup(), which calls coredump_finish(), 
> which performs the following dereference:
>
> next = current->signal->core_state->dumper.next
>
> of the core_state assigned in zap_threads() called from coredump_wait(). 
> It looks that core_state cannot be moved into coredump_wait() without 
> refactoring/cleaning this first.

Thanks for the analysis, I agree that this can't work and my patch
just needs to be dropped. The 'noinline_for_stack' change on
its own is probably sufficient to avoid the warning, and I can
respin a new version after more build testing.

     Arnd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ