Date: Tue, 13 Aug 2019 14:41:55 +0200
From: Vasily Gorbik
To: Stephen Rothwell, Matthew Garrett, James Morris, Steven Rostedt
Cc: Linux Next Mailing List, Linux Kernel Mailing List
Subject: Re: linux-next: Tree for Aug 13
In-Reply-To: <20190813191924.7c5310dd@canb.auug.org.au>

On Tue, Aug 13, 2019 at 07:19:24PM +1000, Stephen Rothwell wrote:
> Merging security/next-testing (a4848e06f9af Merge branch 'next-lockdown' into next-testing)
> CONFLICT (content): Merge conflict in kernel/trace/trace_kprobe.c
> CONFLICT (content): Merge conflict in fs/tracefs/inode.c
> Applying: early_security_init() needs a stub got !CONFIG_SECURITY

Hi all,

next-lockdown causes panic on s390 when doing:
cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_read/id

[ 3972.384027] Unable to handle kernel pointer dereference in virtual kernel address space
[ 3972.384031] Failing address: 0000000000000000 TEID: 0000000000000887
[ 3972.384032] Fault in home space mode while using kernel ASCE.
[ 3972.384033] AS:00000000744cc007 R3:00000001fffd0007 S:00000001fffd6000 P:000000000000013d
[ 3972.384051] Oops: 0004 ilc:1 [#1] SMP
[ 3972.384053] Modules linked in: binfmt_misc(E) dm_crypt(E) lcs(E) ctcm(E) fsm(E) algif_skcipher(E) af_alg(E) nfsv3(E) nfs_acl(E) nfs(E) lockd(E) grace(E) sctp(E) quota_v2(E) quota_tree(E) ntfs(E) vfat(E) fat(E) overlay(E) loop(E) dm_service_time(E) kvm(E) xt_CHECKSUM(E) xt_MASQUERADE(E) xt_tcpudp(E) ip6t_rpfilter(E) ip6t_REJECT(E) nf_reject_ipv6(E) ipt_REJECT(E) nf_reject_ipv4(E) xt_conntrack(E) ip6table_nat(E) ip6table_mangle(E) ip6table_raw(E) tun(E) ip6table_security(E) bridge(E) iptable_nat(E) nf_nat(E) stp(E) llc(E) iptable_mangle(E) iptable_raw(E) iptable_security(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) ip_set(E) nfnetlink(E) ip6table_filter(E) ip6_tables(E) iptable_filter(E) ip_tables(E) x_tables(E) sunrpc(E) dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) s390_trng(E) ghash_s390(E) prng(E) aes_s390(E) des_s390(E) des_generic(E) sha512_s390(E) sha1_s390(E) vfio_ccw(E) vfio_mdev(E) mdev(E) vfio_iommu_type1(E) vfio(E) eadm_sch(E) sch_fq_codel(E)
[ 3972.384076]  sha256_s390(E) sha_common(E) pkey(E) zcrypt(E) rng_core(E) autofs4(E) [last unloaded: dummy_del_mod]
[ 3972.384084] CPU: 17 PID: 45118 Comm: psvc-ioctl-bpf1 Tainted: G OE 5.3.0-20190813.rc4.git0.8e72ac275c63.301.fc30.s390x+next #1
[ 3972.384086] Hardware name: IBM 3906 M04 704 (LPAR)
[ 3972.384087] Krnl PSW : 0704c00180000000 0000000000000000 (0x0)
[ 3972.384090]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
[ 3972.384103] Krnl GPRS: 000003e004c0fb90 0000000000000000 00000001f912abf0 0000000197b36800
[ 3972.384104]            0000000197b36810 0000000000000001 0000000100000000 0000000197b36810
[ 3972.384105]            00000000736ae3a0 0000000100000000 00000001f912abf0 0000000197b36800
[ 3972.384106]            000000013aff0000 0000000073c625a8 00000000734a1486 000003e004c0fbc8
[ 3972.384110] Krnl Code:>0000000000000000: 0000                illegal
                          0000000000000002: 0000                illegal
                          0000000000000004: 0000                illegal
                          0000000000000006: 0000                illegal
                          0000000000000008: 0000                illegal
                          000000000000000a: 0000                illegal
                          000000000000000c: 0000                illegal
                          000000000000000e: 0000                illegal
[ 3972.384116] Call Trace:
[ 3972.384122] ([<00000000734a1486>] do_dentry_open+0x206/0x3c0)
[ 3972.384125]  [<00000000734b8c1e>] do_last+0x16e/0x918
[ 3972.384126]  [<00000000734b944e>] path_openat+0x86/0x2b8
[ 3972.384128]  [<00000000734baa64>] do_filp_open+0x7c/0xf8
[ 3972.384129]  [<00000000734a3484>] do_sys_open+0x18c/0x258
[ 3972.384134]  [<0000000073c457cc>] system_call+0xd8/0x2c8
[ 3972.384135] Last Breaking-Event-Address:
[ 3972.384139]  [<00000000736ae3fa>] default_open_file+0x5a/0x78
[ 3972.384141] Kernel panic - not syncing: Fatal exception: panic_on_oops

Which corresponds to:
fs/tracefs/inode.c:46
static int default_open_file(struct inode *inode, struct file *filp)
45         real_fops = dentry->d_fsdata;
46         return real_fops->open(inode, filp);

Commit which introduces the problem:

commit 757ff7244358406dd16a7f5f623ca40ed27c603c
Author:     Matthew Garrett
AuthorDate: Wed Aug 7 17:07:19 2019 -0700
Commit:     James Morris
CommitDate: Fri Aug 9 22:23:58 2019 -0700

    tracefs: Restrict tracefs when the kernel is locked down

    Tracefs may release more information about the kernel than desirable, so
    restrict it when the kernel is locked down in confidentiality mode by
    preventing open().

    Signed-off-by: Matthew Garrett
    Reviewed-by: Steven Rostedt (VMware)
    Signed-off-by: James Morris
---
 fs/tracefs/inode.c           | 40 +++++++++++++++++++++++++++++++++++++++-
 include/linux/security.h     |  1 +
 security/lockdown/lockdown.c |  1 +
 3 files changed, 41 insertions(+), 1 deletion(-)

Using default s390 config, where
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
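
Added example, not part of the original message and not kernel code: a userspace C model of an open() wrapper that forwards to a saved operations table, as the reported line 46 does. It assumes the crash (PSW at address 0, last breaking event in default_open_file) comes from a wrapped table with no open callback; all struct and function names, and the -EPERM return for the lockdown case, are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical userspace stand-ins for the kernel types; not kernel code. */
struct file;
struct file_ops {
    int (*open)(struct file *f);        /* optional callback: may be NULL */
};
struct file {
    const struct file_ops *real_ops;    /* plays the role of dentry->d_fsdata */
    int opened;
};

static int locked_down;                 /* models the lockdown policy decision */

/* Forwarding wrapper that treats the wrapped open callback as optional. */
static int proxy_open(struct file *f)
{
    const struct file_ops *real = f->real_ops;

    if (locked_down)
        return -EPERM;                  /* assumed error code for a denied open */
    if (!real)
        return -EINVAL;
    if (!real->open)
        return 0;                       /* nothing to forward to; a blind call would jump to address 0 */
    return real->open(f);
}

static int id_open(struct file *f) { f->opened = 1; return 0; }

static const struct file_ops with_open = { .open = id_open };
static const struct file_ops without_open = { .open = NULL };

/* Returns a negative errno on failure, else 1 if the callback ran, 0 if not. */
int demo_open(const struct file_ops *ops, int lockdown)
{
    struct file f = { .real_ops = ops, .opened = 0 };
    int ret;

    locked_down = lockdown;
    ret = proxy_open(&f);
    return ret ? ret : f.opened;
}

int main(void)
{
    printf("%d %d %d\n", demo_open(&with_open, 0),
           demo_open(&without_open, 0), demo_open(&with_open, 1));
    return 0;
}
```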