Bug 205885
Summary: | [Bisected] BUG: KASAN: null-ptr-deref in strncpy+0x3c/0x60
---|---
Product: | Platform Specific/Hardware
Reporter: | Erhard F. (erhard_f)
Component: | PPC-32
Assignee: | platform_ppc-32
Status: | RESOLVED PATCH_ALREADY_AVAILABLE
Severity: | normal
CC: | christophe.leroy, michael
Priority: | P1
Hardware: | PPC-32
OS: | Linux
Kernel Version: | 5.5-rc2
Subsystem: |
Regression: | No
Bisected commit-id: |
Attachments: | screenshot (5.5-rc2, PowerMac G4 DP); kernel .config (5.5-rc2, PowerMac G4 DP); bisect.log
Created attachment 286333 [details]
kernel .config (5.5-rc2, PowerMac G4 DP)

You didn't get that with 5.5-rc1? You get that as well when KASAN is not activated? If the answer to both is 'yes', can you bisect?

5.5-rc1 works with identical kernel .config. And on -rc2 I get that without KASAN as well. I'll do a bisect and report back.

Created attachment 286343 [details]
kernel .config (5.5-rc2, PowerMac G4 DP)

Created attachment 286345 [details]
bisect.log
Created attachment 286347 [details]
bisect.log

# git bisect bad | tee -a ~/bisect01.log
cccaa5e33525fc07f4a2ce0518e50b9ddf435e47 is the first bad commit
commit cccaa5e33525fc07f4a2ce0518e50b9ddf435e47
Author: Dominik Brodowski <linux@dominikbrodowski.net>
Date:   Tue Oct 23 22:41:09 2018 +0200

    init: use do_mount() instead of ksys_mount()

    In prepare_namespace(), do_mount() can be used instead of ksys_mount()
    as the first and third argument are const strings in the kernel, the
    second and fourth argument are passed through anyway, and the fifth
    argument is NULL.

    In do_mount_root(), ksys_mount() is called with the first and third
    argument being already kernelspace strings, which do not need to be
    copied over from userspace to kernelspace (again). The second and
    fourth arguments are passed through to do_mount() anyway. The fifth
    argument, while already residing in kernelspace, needs to be put into
    a page of its own. Then, do_mount() can be used instead of
    ksys_mount().

    Once this is done, there are no in-kernel users to ksys_mount() left,
    which can therefore be removed.

    Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>

 fs/namespace.c           | 10 ++--------
 include/linux/syscalls.h |  2 --
 init/do_mounts.c         | 28 ++++++++++++++++++++++------
 3 files changed, 24 insertions(+), 16 deletions(-)

This is fixed upstream: https://git.kernel.org/torvalds/c/7de7de7ca0ae0fc70515ee3154af33af75edae2c
Created attachment 286331 [details]
screenshot (5.5-rc2, PowerMac G4 DP)

I get this hit at booting kernel 5.5-rc2 on my G4 DP:

[...]
BUG: KASAN: null-ptr-deref in strncpy+0x3c/0x60
Read of size 1 at addr 00000000 by task swapper/0/1
CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 5.5.0-rc2-PowerMacG4
Call Trace:
[ee8edd78] [c07819e0] dump_stack+0xbc/0x118 (unreliable)
[ee8edda8] [c0244b48] __kasan_report+0x174/0x180
[ee8edde8] [c07949dc] strncpy+0x3c/0x60
[ee8ede18] [c0b6979c] mount_block_root+0x200/0x3e0
[ee8edef8] [c0b69b74] prepare_namespace+0x164/0x174
[ee8edf18] [c0005f3c] kernel_init+0x14/0xf0
[ee8edf38] [c001a348] ret_from_kernel_thread+0x14/0x1c
=================================================================
BUG: Kernel NULL pointer dereference on read at 0x0000000
Faulting instruction address: 0xc07949dc
Oops: Kernel access of bad area sig: 11 (#1]
[...]

For details see screenshot (I applied a median filter but tesseract still was not able to make much text out of it).
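An added userspace model, not kernel code and not the upstream fix, of the step the bisected commit describes: copying the optional fifth mount argument into a page of its own. It handles the NULL case that the strncpy read at address 0 in the report points to, plus the separate strncpy caveat that an over-long source leaves the page unterminated; MODEL_PAGE_SIZE of 4096 and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096 /* stand-in for PAGE_SIZE (assumed 4096, as on ppc32) */

/* Copy the optional mount options string @data into the page-sized buffer
 * @page. NULL @data means "no options": the page becomes an empty string
 * instead of being read through a NULL pointer (the case the KASAN report
 * above hit). Returns 0 on success, -1 if the options do not fit, in which
 * case the page is left empty rather than unterminated. */
static int copy_mount_data_to_page(char *page, size_t page_size, const char *data)
{
    /* The missing check: strncpy() would read from data unconditionally. */
    if (data == NULL) {
        page[0] = '\0';
        return 0;
    }
    /* strncpy() leaves the copy unterminated when strlen(data) >= page_size,
     * so locate the terminator within the page first and reject otherwise. */
    const char *end = memchr(data, '\0', page_size);
    if (end == NULL) {
        page[0] = '\0';
        return -1;
    }
    memcpy(page, data, (size_t)(end - data) + 1); /* includes the NUL */
    return 0;
}

/* Exercise three cases: NULL data, ordinary options, oversized options.
 * Returns how many behaved as intended (3 when all do). */
static int run_mount_data_demo(void)
{
    static char page[MODEL_PAGE_SIZE];
    char big[MODEL_PAGE_SIZE + 1]; /* constructed input: one byte too long */
    int ok = 0;

    memset(big, 'x', MODEL_PAGE_SIZE);
    big[MODEL_PAGE_SIZE] = '\0';
    if (copy_mount_data_to_page(page, sizeof page, NULL) == 0 && page[0] == '\0')
        ok++;
    if (copy_mount_data_to_page(page, sizeof page, "rw,noatime") == 0 &&
        strcmp(page, "rw,noatime") == 0)
        ok++;
    if (copy_mount_data_to_page(page, sizeof page, big) == -1 && page[0] == '\0')
        ok++;
    return ok;
}

int main(void) { return run_mount_data_demo() == 3 ? 0 : 1; }
```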