| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOdxtTas63Wky=NeKVMFBfTanCqhGS-9cX-kwc7wFx9COSD+Zw@mail.gmail.com> Date: Wed, 14 Jan 2026 17:04:35 -0800 From: Chenglong Tang <chenglongtang@...gle.com> To: Amir Goldstein <amir73il@...il.com> Cc: viro@...iv.linux.org.uk, brauner@...nel.org, Jan Kara <jack@...e.cz>, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, miklos@...redi.hu Subject: Re: [Regression 6.12] NULL pointer dereference in submit_bio_noacct via backing_file_read_iter Hi Amir, Thanks for the suggestion. I followed your advice and cherry-picked the 4 recommended commits (plus the backing-file cleanup and a fix for it) onto 6.12. However, the system now panics immediately during boot with a NULL pointer dereference. The commit chain applied: ovl: allocate a container struct ovl_file for ovl private context (87a8a76c34a2) ovl: store upper real file in ovl_file struct (18e48d0e2c7b) ovl: do not open non-data lower file for fsync (c2c54b5f34f6) ovl: use wrapper ovl_revert_creds() (fc5a1d2287bf) backing-file: clean up the API (48b50624aec4) fs/backing_file: fix wrong argument in callback (2957fa4931a3) The Crash: The panic occurs in backing_file_read_iter because it receives a NULL file pointer from ovl_read_iter. [ 7.443266] #PF: error_code(0x0000) - not-present page [ 7.444208] PGD 0 P4D 0 [ 7.445270] Oops: Oops: 0000 [#1] SMP PTI [ 7.446175] CPU: 0 UID: 0 PID: 423 Comm: sudo Tainted: G O 6.12.55+ #1 [ 7.447669] Tainted: [O]=OOT_MODULE [ 7.448330] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 7.449825] RIP: 0010:backing_file_read_iter+0x1a/0x250 [ 7.450810] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 10 <8b> 47 0c a9 00 00 00 02 0f 84 d9 01 00 00 49 89 f6 48 83 7e 18 00 [ 7.453754] RSP: 0018:ffff9e95407b7db0 EFLAGS: 00010282 [ 7.454694] RAX: 0000000000000000 RBX: ffff9e95407b7e78 RCX: 0000000000000000 [ 7.455892] RDX: ffff9e95407b7e78 RSI: ffff9e95407b7e50 RDI: 0000000000000000 [ 7.457158] RBP: ffff9e95407b7de8 R08: ffff9e95407b7df8 R09: 0000000000000001 [ 7.458331] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 7.459593] R13: 0000000000001000 R14: ffff9e95407b7e50 R15: 0000000000000000 [ 7.460968] FS: 00007a330957cb80(0000) GS:ffff9cb0ac000000(0000) knlGS:0000000000000000 [ 7.463015] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 7.464268] CR2: 000000000000000c CR3: 000000010bfc0003 CR4: 00000000003706f0 [ 7.465453] Call Trace: [ 7.465994] <TASK> [ 7.466487] ovl_read_iter+0x9a/0xe0 [ 7.467424] ? __pfx_ovl_file_accessed+0x10/0x10 [ 7.468353] vfs_read+0x2b1/0x300 [ 7.469137] ksys_read+0x75/0xe0 [ 7.469894] do_syscall_64+0x61/0x130 [ 7.470603] ? clear_bhb_loop+0x40/0x90 [ 7.471381] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 7.472486] RIP: 0033:0x7a330967221d It appears ovl: store upper real file in ovl_file struct introduces a bug when backported to 6.12. In ovl_real_fdget_path, the code initializes real->word = 0. If ovl_change_flags is called and succeeds, it returns 0 immediately. However, because of the early return, real->word is never assigned the realfile pointer (which happens at the bottom of the function). The caller sees success but gets a NULL file pointer. I wonder is there an upstream commit that corrects this logic, or does this dependency chain require the larger ovl_real_file refactor from 6.13 to work correctly? Best, Chenglong
Powered by blists - more mailing lists