Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp228890ybb; Tue, 24 Mar 2020 21:05:28 -0700 (PDT) X-Google-Smtp-Source: ADFU+vtx57+z77OKiYUuEbehHbdfBhL1J0h88YJKszlLJlo3Y/XniF7tnXV4IbMp0wusr6G/iWao X-Received: by 2002:a05:6830:1ae9:: with SMTP id c9mr1033718otd.298.1585109128408; Tue, 24 Mar 2020 21:05:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585109128; cv=none; d=google.com; s=arc-20160816; b=NZkYOWonFCAJ0r/sxhqfZm0hQ3rfgMz16xe6ShhPz3wFrSRphoT/c3e+QZtb2sseyF DLvXD+fjHItwFFn3nf/ycklX/BW2mPiGuYmm9CnMa8eFjMRljjy0vBFHPFozppPJTgNY yesWLEtU1Wz4rAOyjvZY9rOZckOTkY7lQbYNOSdjf01Y2oa89qS+Yc8ZjWI2sQ8w2Wor r56cArxbSPPncE6LdTkGVEfgrbZLtvRlFdGpWuYnPhhTydbTYUxHiud6GDQkW3QiCK9V kKE4elQpDO45K0+HFUQA91FTZjDeWknXWWoRo43Z35PIfiIxm1AVmk7Z1EwkfzQEB+YJ EW0w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=6HUGgDL6y7kimk5n+5zKoZrOBtL4VwzBCLZZUddcy98=; b=BnZ+Wud3KOxRjlm0FKM2kbcnnQtDDl6uwBaN95fA9s0vtbGBoma8KAd73Syipg7F5O uKINnzIxJw5VqLkUDKKjpV4TFPK7xQv+VYUUhmTJcsc7Vsw99PhQTstl6d+XLEXrtWoz 8epejZaczbNCWVINgKXq48+XlJp83qkXJkR7vbr9IBLRcUJ5CEZWHZC+Hm0iHVJFSLLo 010G/Gh72en6AKng8RFkaXVKKPvfBwhIpRy+UstCm0c2PyUyGiE7nvPMkVlScAUop/lX pQtoWCgED+2dNALyfmYUYE/VCz+7nW3E9I9H4Zn1+uuMrBLN7sF5Jxc5L6mIwRYhllT8 IyYw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m67si10141522oib.215.2020.03.24.21.05.14; Tue, 24 Mar 2020 21:05:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726043AbgCYEEG (ORCPT + 99 others); Wed, 25 Mar 2020 00:04:06 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:41842 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725781AbgCYEEG (ORCPT ); Wed, 25 Mar 2020 00:04:06 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1jGxGp-002Aql-K1; Wed, 25 Mar 2020 04:03:59 +0000 Date: Wed, 25 Mar 2020 04:03:59 +0000 From: Al Viro To: Qian Cai Cc: Linus Torvalds , linux-fsdevel@vger.kernel.org, LKML Subject: Re: Null-ptr-deref due to "sanitized pathwalk machinery (v4)" Message-ID: <20200325040359.GK23230@ZenIV.linux.org.uk> References: <4CBDE0F3-FB73-43F3-8535-6C75BA004233@lca.pw> <20200324214637.GI23230@ZenIV.linux.org.uk> <20200325021327.GJ23230@ZenIV.linux.org.uk> <5281297D-B66E-4A4C-9B41-D2242F6B7AE7@lca.pw> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5281297D-B66E-4A4C-9B41-D2242F6B7AE7@lca.pw> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 24, 2020 at 11:24:01PM -0400, Qian Cai wrote: > > On Mar 24, 2020, at 10:13 PM, Al Viro wrote: > > > > On Tue, Mar 24, 2020 at 09:49:48PM -0400, Qian Cai wrote: > > > >> It does not catch anything at all with the patch, > > > > You mean, oops happens, but neither WARN_ON() is triggered? > > Lovely... Just to make sure: could you slap the same couple > > of lines just before > > if (unlikely(!d_can_lookup(nd->path.dentry))) { > > in link_path_walk(), just to check if I have misread the trace > > you've got? > > > > Does that (+ other two inserts) end up with > > 1) some of these WARN_ON() triggered when oops happens or > > 2) oops is happening, but neither WARN_ON() triggers or > > 3) oops not happening / becoming harder to hit? > > Only the one just before > if (unlikely(!d_can_lookup(nd->path.dentry))) { > In link_path_walk() will trigger. > [ 245.767202][ T5020] pathname = /var/run/nscd/socket Lovely. So * we really do get NULL nd->path.dentry there; I've not misread the trace. * on the entry into link_path_walk() nd->path.dentry is non-NULL. * *ALL* components should've been LAST_NORM ones * not a single symlink in sight, unless the setup is rather unusual * possibly not even a single mountpoint along the way (depending upon the userland used) And in the same loop we have if (likely(type == LAST_NORM)) { struct dentry *parent = nd->path.dentry; nd->flags &= ~LOOKUP_JUMPED; if (unlikely(parent->d_flags & DCACHE_OP_HASH)) { struct qstr this = { { .hash_len = hash_len }, .name = name }; err = parent->d_op->d_hash(parent, &this); if (err < 0) return err; hash_len = this.hash_len; name = this.name; } } upstream of that thing. So NULL nd->path.dentry *there* would've oopsed. IOW, what we are hitting is walk_component() with non-NULL nd->path.dentry when we enter it, NULL being returned and nd->path.dentry becoming NULL by the time we return from walk_component(). Could you post the results of stat / /var /var/run /var/run/nscd /var/run/nscd/socket after the boot with working kernel? Also, is that "hit on every boot" or stochastic? If it's the latter, I'd like to see the output of the same thing on a successful boot of the same kernel, if possible... Also, is the pathname always the same and if not, what other variants have been observed?