Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp612250ybb; Wed, 25 Mar 2020 06:22:55 -0700 (PDT) X-Google-Smtp-Source: ADFU+vvgRNEzoZtZHU9x7IV9x6lXsPXgbTOKnxZyQAAIrX9Jq1coRV3rCjyPyxGDjJWR+e4zCDBk X-Received: by 2002:a05:6830:3109:: with SMTP id b9mr2506803ots.369.1585142575393; Wed, 25 Mar 2020 06:22:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585142575; cv=none; d=google.com; s=arc-20160816; b=Aeck/84cZgFhFnBdK4X6xShhVy+GbsqeNdFfPjOj52viLvm6hnaiRAswBLWk0COcST pZzdrD9p3WWEjgOz/rIhLLfRBv+usAKw4CBGdn/fUDSLK5JUWepCajZVeIG5WZLEt8/x XWdsnXD29Yf7qrBdCjJpyEAUkwkFlD1hJoorNBwXHn76YLkEEMdY0hU5J2/lcdNfO9CS 0efr98DY9yCps68PlkuuvObzk5kzMEA1V2EDW9wx1OObXdsKrVHonrIPDRnaknSWNgiD T41Jx0eW7hqcIbPcfEoOw0jRa6dohwmjvrCGA52+CUhnWXw+PSG2I6HqT0BAE8u6MTLh vZ9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=6BqCxccxfCYt0s0B7B5Tq5f8zXMXUI8kTYEC1wL3LOA=; b=tt2NKHLhfkrMgD7+jSbRRgd3lZfa/RCrClxYQB9v677lkoSzx33F6J8DXi9+bXsxY8 wRLFonLLTHv4AzAzxmxPYC7G3Y79WMH1VO2oIFVUxiEL3Bw3HwvHb/tLdVoYOmiqGxyu 59PqoayvMuJBRnmdKN93WxD50Lh8/+hRyigk9P/8prnk0J4gMQzUqoCkcMyFI+Ovk4uO JLxw30I66Yp9RKpoQNJ5qLMYm3zwpaGuXT14LRFRVsx+cDTz8exyNM3cGzi1aixOs1L1 SfEKUp/ju+xdh7XU9paqSZ4PxJkDU2GF7XkW8JhQn9A8JLcgc6f6vOUpxM1TaGdEXzMn WXWQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lca.pw header.s=google header.b=dLui0I7w; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j15si1503709oos.59.2020.03.25.06.22.42; Wed, 25 Mar 2020 06:22:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@lca.pw header.s=google header.b=dLui0I7w; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727432AbgCYNWE (ORCPT + 99 others); Wed, 25 Mar 2020 09:22:04 -0400 Received: from mail-qt1-f195.google.com ([209.85.160.195]:44789 "EHLO mail-qt1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727286AbgCYNWE (ORCPT ); Wed, 25 Mar 2020 09:22:04 -0400 Received: by mail-qt1-f195.google.com with SMTP id x16so2026846qts.11 for ; Wed, 25 Mar 2020 06:22:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lca.pw; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6BqCxccxfCYt0s0B7B5Tq5f8zXMXUI8kTYEC1wL3LOA=; b=dLui0I7wqDgCnRAsbciTulvvaOb9VbQSkhfUF5xkxBmsG/OFh6/8s4wJxoJ1qCVwEA 5ZBM0IpJiNJ6Dwbsn6t+ae9+7GhRREiC1ZhekIQBc0llXtx6iVWp/xqxDafD1/xBhCGK CXXq/z6TXXzzQkZjUXxHzBEYtj+vUr65KY3Cr+bAyLDyGjnjiDwx0tV760TPtBZASjPk 5JXarGayW0M+vcdmovzt03eaduYIEUdWjrFpXL1cGpL6ADAHELS36dLbQ0ntuqADUFFZ eYR4KFIopBY0eGirgN0BBsq9iC4ll0+wJrzW/CbwNTPFvWxSiZJqL1iyftgRkbrkD17i scdg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6BqCxccxfCYt0s0B7B5Tq5f8zXMXUI8kTYEC1wL3LOA=; b=XPMUCUixRJu96yDKeEhWp77nfEv04CWCEAZOazUNOJNqOFVBtrL9yWn+Ku3uCZqolW INreZuZTFFmdLBvBSHYjpCTmKFfBIvObuUYcN0e6/dgPnml/PTAcd1fil8DV1WvaRzgl Mk4gRaSgvNJCn2gBl+l2oCqgXWyd+Upa6x+vtk5D3v3Qcq4WMc7Ofbv7VDy+WxasTueb QMQAwnsStNFAi8YIqMPeSC2CVzDCtzcgFKHcZEogQ7DCQ7NlOQkAEwjpQ1Y2Cxv5YtGx Db5MX0cNnvu9nlEKsz+NI75/deFWxPMyQemDLF2fxvEDLLQwOwqkR9c0Nl8e5r7cH4s0 +D+A== X-Gm-Message-State: ANhLgQ12ABrSr+EG8I0FAR9T/MnSVbW9Ts29NUBIt36V6gxgRHTRnBJY oCsXYLTM8/ZHT1gHzxJ4YePmGg== X-Received: by 2002:ac8:6d31:: with SMTP id r17mr2911848qtu.68.1585142522727; Wed, 25 Mar 2020 06:22:02 -0700 (PDT) Received: from [192.168.1.153] (pool-71-184-117-43.bstnma.fios.verizon.net. [71.184.117.43]) by smtp.gmail.com with ESMTPSA id 2sm17715492qtp.33.2020.03.25.06.22.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Mar 2020 06:22:02 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\)) Subject: Re: Null-ptr-deref due to "sanitized pathwalk machinery (v4)" From: Qian Cai In-Reply-To: <20200325040359.GK23230@ZenIV.linux.org.uk> Date: Wed, 25 Mar 2020 09:21:59 -0400 Cc: Linus Torvalds , linux-fsdevel@vger.kernel.org, LKML Content-Transfer-Encoding: quoted-printable Message-Id: References: <4CBDE0F3-FB73-43F3-8535-6C75BA004233@lca.pw> <20200324214637.GI23230@ZenIV.linux.org.uk> <20200325021327.GJ23230@ZenIV.linux.org.uk> <5281297D-B66E-4A4C-9B41-D2242F6B7AE7@lca.pw> <20200325040359.GK23230@ZenIV.linux.org.uk> To: Al Viro X-Mailer: Apple Mail (2.3608.60.0.2.5) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Mar 25, 2020, at 12:03 AM, Al Viro wrote: >=20 > On Tue, Mar 24, 2020 at 11:24:01PM -0400, Qian Cai wrote: >=20 >>> On Mar 24, 2020, at 10:13 PM, Al Viro = wrote: >>>=20 >>> On Tue, Mar 24, 2020 at 09:49:48PM -0400, Qian Cai wrote: >>>=20 >>>> It does not catch anything at all with the patch, >>>=20 >>> You mean, oops happens, but neither WARN_ON() is triggered? >>> Lovely... Just to make sure: could you slap the same couple >>> of lines just before >>> if (unlikely(!d_can_lookup(nd->path.dentry))) { >>> in link_path_walk(), just to check if I have misread the trace >>> you've got? >>>=20 >>> Does that (+ other two inserts) end up with >>> 1) some of these WARN_ON() triggered when oops happens or >>> 2) oops is happening, but neither WARN_ON() triggers or >>> 3) oops not happening / becoming harder to hit? >>=20 >> Only the one just before >> if (unlikely(!d_can_lookup(nd->path.dentry))) { >> In link_path_walk() will trigger. >=20 >> [ 245.767202][ T5020] pathname =3D /var/run/nscd/socket >=20 > Lovely. So > * we really do get NULL nd->path.dentry there; I've not misread = the > trace. > * on the entry into link_path_walk() nd->path.dentry is = non-NULL. > * *ALL* components should've been LAST_NORM ones > * not a single symlink in sight, unless the setup is rather = unusual > * possibly not even a single mountpoint along the way (depending > upon the userland used) >=20 > And in the same loop we have > if (likely(type =3D=3D LAST_NORM)) { > struct dentry *parent =3D nd->path.dentry; > nd->flags &=3D ~LOOKUP_JUMPED; > if (unlikely(parent->d_flags & DCACHE_OP_HASH)) = { > struct qstr this =3D { { .hash_len =3D = hash_len }, .name =3D name }; > err =3D parent->d_op->d_hash(parent, = &this); > if (err < 0) > return err; > hash_len =3D this.hash_len; > name =3D this.name; > } > } > upstream of that thing. So NULL nd->path.dentry *there* would've = oopsed. > IOW, what we are hitting is walk_component() with non-NULL = nd->path.dentry > when we enter it, NULL being returned and nd->path.dentry becoming = NULL > by the time we return from walk_component(). >=20 > Could you post the results of > stat / /var /var/run /var/run/nscd /var/run/nscd/socket The file is gone after a successful boot, # stat / /var /var/run /var/run/nscd /var/run/nscd/socket File: / Size: 244 Blocks: 0 IO Block: 65536 directory Device: fe00h/65024d Inode: 128 Links: 17 Access: (0555/dr-xr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2020-03-24 14:21:27.112559236 -0400 Modify: 2020-03-24 14:21:25.840486593 -0400 Change: 2020-03-24 14:21:25.840486593 -0400 Birth: - File: /var Size: 4096 Blocks: 8 IO Block: 65536 directory Device: fe00h/65024d Inode: 133 Links: 21 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2018-08-12 05:57:57.000000000 -0400 Modify: 2020-03-23 21:29:31.087264900 -0400 Change: 2020-03-23 21:29:31.087264900 -0400 Birth: - File: /var/run -> ../run Size: 6 Blocks: 0 IO Block: 65536 symbolic = link Device: fe00h/65024d Inode: 143 Links: 1 Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2020-03-24 17:34:11.865030724 -0400 Modify: 2020-03-23 17:16:40.573974805 -0400 Change: 2020-03-23 17:16:40.573974805 -0400 Birth: - stat: cannot stat '/var/run/nscd': No such file or directory stat: cannot stat '/var/run/nscd/socket': No such file or directory > after the boot with working kernel? Also, is that "hit on every boot" = or > stochastic? If it's the latter, I'd like to see the output of the = same > thing on a successful boot of the same kernel, if possible... It does not hit every time, so I used a cron job, @reboot sleep 180; systemctl reboot It has always hit it within a hour so far.