From: Miklos Szeredi
Date: Fri, 30 Oct 2020 14:02:22 +0100
Subject: Re: general protection fault in security_inode_getattr
To: Ondrej Mosnacek
Cc: syzbot, andriin@fb.com, Alexei Starovoitov, bpf, Daniel Borkmann, James Morris, john.fastabend@gmail.com, kafai@fb.com, KP Singh, Linux kernel mailing list, Linux Security Module list, network dev, "Serge E. Hallyn", Song Liu, syzkaller-bugs, yhs@fb.com, linux-fsdevel@vger.kernel.org, overlayfs
References: <0000000000008caae305ab9a5318@google.com> <000000000000a726a405ada4b6cf@google.com>
List-ID: linux-kernel@vger.kernel.org

On Mon, Aug 24, 2020 at 11:00 PM Ondrej Mosnacek wrote:
>
> On Mon, Aug 24, 2020 at 9:37 PM syzbot
> wrote:
> > syzbot has found a reproducer for the following issue on:
>
> Looping in fsdevel and OverlayFS maintainers, as this seems to be
> FS/OverlayFS related...
Hmm, the oopsing code is always something like:

All code
========
   0:   1b fe                   sbb    %esi,%edi
   2:   49 8d 5e 08             lea    0x8(%r14),%rbx
   6:   48 89 d8                mov    %rbx,%rax
   9:   48 c1 e8 03             shr    $0x3,%rax
   d:   42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)
  12:   74 08                   je     0x1c
  14:   48 89 df                mov    %rbx,%rdi
  17:   e8 bc b4 5b fe          callq  0xfffffffffe5bb4d8
  1c:   48 8b 1b                mov    (%rbx),%rbx
  1f:   48 83 c3 68             add    $0x68,%rbx
  23:   48 89 d8                mov    %rbx,%rax
  26:   48 c1 e8 03             shr    $0x3,%rax
  2a:*  42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)    <-- trapping instruction
  2f:   74 08                   je     0x39
  31:   48 89 df                mov    %rbx,%rdi
  34:   e8 9f b4 5b fe          callq  0xfffffffffe5bb4d8
  39:   48 8b 1b                mov    (%rbx),%rbx
  3c:   48 83 c3 0c             add    $0xc,%rbx

And that looks (to me) like the unrolled loop in call_int_hook().

I don't see how that could be related to overlayfs, though it's
definitely interesting why it only triggers from
overlay->vfs_getattr()->security_inode_getattr()...

Thanks,
Miklos
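Added note and example, not part of Miklos' mail and not code from the kernel tree. The `shr $0x3` / `cmpb $0x0,(%rax,%r15,1)` pair in front of each `mov (%rbx),%rbx` above is KASAN's inline shadow-byte check: shadow = (addr >> 3) + KASAN_SHADOW_OFFSET, with the offset kept in %r15 in this compilation (my reading of the register allocation). A general protection fault on that `cmpb`, rather than on the load it guards, means the computed shadow address was itself non-canonical, and on x86-64 (4-level paging, CONFIG_KASAN_SHADOW_OFFSET=0xdffffc0000000000) that happens exactly when the pointer being checked lies outside the kernel half of the address space: NULL plus a field offset such as 0x68, a list-poison value, or a user pointer. The model below computes the shadow address for a few constructed pointers and classifies which ones would fault inside the check; the constants are the x86-64 defaults and the function names are this example's own.

```c
/* Added example (not from the mail, not kernel code): a user-space model of
 * the KASAN shadow-byte check that the trapping cmpb above performs, used to
 * tell "the check itself GPF'd on a non-canonical shadow address" apart from
 * "the check ran and KASAN would report the access".  Names are this example's
 * own; constants are the x86-64 4-level-paging defaults. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* CONFIG_KASAN_SHADOW_OFFSET on x86-64 (arch/x86/Kconfig). */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
/* LIST_POISON1 on x86-64: 0x100 + CONFIG_ILLEGAL_POINTER_VALUE. */
#define LIST_POISON1             (0xdead000000000000ULL + 0x100)

/* A 48-bit canonical address has bits 63..47 all equal. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;            /* the 17 sign-extension bits */
    return top == 0 || top == 0x1ffff;
}

/* Exactly what "shr $0x3,%rax" then "(%rax,%r15,1)" computes. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

enum kasan_outcome {
    KASAN_CHECK_RUNS,   /* shadow address is canonical: cmpb executes, KASAN reports if bad */
    KASAN_SHADOW_GPF,   /* shadow address is non-canonical: the cmpb itself raises #GP */
};

/* Outcome of the instrumented check for a load from 'addr'. */
enum kasan_outcome classify_instrumented_load(uint64_t addr)
{
    return is_canonical(kasan_shadow_addr(addr)) ? KASAN_CHECK_RUNS
                                                 : KASAN_SHADOW_GPF;
}

int main(void)
{
    /* Constructed sample pointers, not values taken from the report. */
    struct { const char *what; uint64_t addr; } samples[] = {
        { "NULL + 0x68 (field of an unset pointer)", 0x68 },
        { "LIST_POISON1 + 0x68 (unlinked node)",      LIST_POISON1 + 0x68 },
        { "user-space pointer",                       0x00007f0012345678ULL },
        { "direct-map kernel heap object",            0xffff888012345678ULL },
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t shadow = kasan_shadow_addr(samples[i].addr);
        printf("%-42s addr=%#018llx shadow=%#018llx -> %s\n",
               samples[i].what,
               (unsigned long long)samples[i].addr,
               (unsigned long long)shadow,
               classify_instrumented_load(samples[i].addr) == KASAN_SHADOW_GPF
                   ? "GPF in shadow check" : "shadow check runs");
    }
    return 0;
}
```

The practical consequence when reading such a report: a #GP at the shadow `cmpb` says the pointer feeding it was garbage (unset, poisoned, or otherwise non-canonical), not a stale pointer to freed but still-mapped memory, which KASAN would have caught in the check and reported as a use-after-free instead.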