Bug 197603 - BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
Summary: BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: ecryptfs
Hardware: All Linux
Importance: P1 normal
Assignee: fs_ecryptfs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-31 15:37 UTC by TJ
Modified: 2017-11-28 19:03 UTC

See Also:
Kernel Version: v4.13
Subsystem:
Regression: No
Bisected commit-id:


Attachments
build.sh - script that builds config that provokes issue (1.45 KB, application/x-shellscript)
2017-10-31 15:37 UTC, TJ

Description TJ 2017-10-31 15:37:28 UTC
Created attachment 260451 [details]
build.sh - script that builds config that provokes issue

Originally found on Ubuntu 4.13.0-16-lowlatency, reproduced in mainline v4.13 (on a different PC), and Ubuntu 4.4.0-98-lowlatency.

Trying to 'cat' a file in an overlayfs. The file is in the lowerdir. I use the attached script to create directories and randomly distributed files. $HOME is ecryptfs. /tmp/ is tmpfs.

$ pwd
$HOME/Hacking/overlayfs/

$ ./build.sh

$ sudo mount -t overlay overlay -o lowerdir=lower/1,upperdir=/tmp/upper/1,workdir=/tmp/workdir/1 overlay/1

$ grep /tmp /proc/mounts
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
overlay /home/tj/Hacking/overlayfs/overlay/1 overlay rw,relatime,lowerdir=lower/1,upperdir=/tmp/upper/1,workdir=/tmp/workdir/1 0 0

$ ls lower/1/
1b 1c 1d 1e 1f 1g 1k 1l 1o 1p 1q 1t 1u 1v 1w 1x 1y 1z

$ ls /tmp/upper/1/
1e 1i 1l 1n 1u

$ ls overlay/1/
1b 1c 1d 1e 1f 1g 1i 1k 1l 1n 1o 1p 1q 1t 1u 1v 1w 1x 1y 1z

$ cat overlay/1/1b
Killed

$ uname -r
4.13.0-16-lowlatency

$ lsb_release -a
LSB Version: core-9.20160110ubuntu0.2-amd64:core-9.20160110ubuntu0.2-noarch:security-9.20160110ubuntu0.2-amd64:security-9.20160110ubuntu0.2-noarch
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

$ apt list linux-lowlatency-hwe-16.04-edge
Listing... Done
linux-lowlatency-hwe-16.04-edge/xenial-proposed,now 4.13.0.16.23 amd64 [installed]

$ tail /var/log/kern.log

Oct 31 03:11:09 hephaestion kernel: [ 1057.380604] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
Oct 31 03:11:09 hephaestion kernel: [ 1057.380668] IP: ecryptfs_privileged_open+0x51/0x180
Oct 31 03:11:09 hephaestion kernel: [ 1057.380686] PGD 20ee07067
Oct 31 03:11:09 hephaestion kernel: [ 1057.380688] P4D 20ee07067
Oct 31 03:11:09 hephaestion kernel: [ 1057.380700] PUD 20c455067
Oct 31 03:11:09 hephaestion kernel: [ 1057.380711] PMD 0
Oct 31 03:11:09 hephaestion kernel: [ 1057.380721]
Oct 31 03:11:09 hephaestion kernel: [ 1057.380741] Oops: 0000 [#1] PREEMPT SMP
Oct 31 03:11:09 hephaestion kernel: [ 1057.380755] Modules linked in: overlay hidp scsi_transport_iscsi veth ip6t_MASQUERADE nf_nat_masquerade_ipv6 ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 xt_comment xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 ccm xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables 8021q garp mrp stp llc rfcomm bnep binfmt_misc dm_thin_pool dm_persistent_data dm_bio_prison dm_bufio cdc_mbim cdc_wdm cdc_ncm usbnet cdc_acm mii gpio_ich dell_laptop coretemp btusb btrtl btbcm btintel joydev dell_wmi bluetooth dell_smbios dcdbas wmi_bmof sparse_keymap serio_raw ecdh_generic arc4 snd_hda_codec_idt snd_hda_codec_generic snd_hda_intel
Oct 31 03:11:09 hephaestion kernel: [ 1057.381004] snd_hda_codec snd_hda_core input_leds snd_hwdep snd_pcm snd_seq_midi uvcvideo snd_seq_midi_event videobuf2_vmalloc videobuf2_memops snd_rawmidi videobuf2_v4l2 iwl4965 videobuf2_core iwlegacy videodev media mac80211 snd_seq r852 sm_common nand nand_ecc nand_bch bch mtd r592 memstick lpc_ich cfg80211 snd_seq_device snd_timer snd soundcore shpchp mac_hid kvm_intel kvm irqbypass parport_pc ppdev nfsd lp auth_rpcgss nfs_acl lockd grace parport sunrpc autofs4 crypto_simd glue_helper cryptd aes_x86_64 algif_skcipher af_alg dm_crypt raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear dm_mirror dm_region_hash dm_log hid_generic usbhid hid psmouse sky2 ahci nouveau libahci pata_acpi firewire_ohci sdhci_pci sdhci firewire_core
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] crc_itu_t mxm_wmi i2c_algo_bit video ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm wmi
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] CPU: 0 PID: 10087 Comm: cat Tainted: P OE 4.13.0-16-lowlatency #19~16.04.3-Ubuntu
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] Hardware name: Dell Inc. XPS M1530 / , BIOS A12 11/19/2008
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] task: ffff8a1167050000 task.stack: ffffa10c010a8000
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] RIP: 0010:ecryptfs_privileged_open+0x51/0x180
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] RSP: 0018:ffffa10c010abb60 EFLAGS: 00010246
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] RAX: ffffa10c010abb88 RBX: ffff8a1167459540 RCX: ffff8a11677ced80
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] RDX: ffffffffbeefbe60 RSI: ffffffffbe6999fb RDI: ffffa10c010abb80
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] RBP: ffffa10c010abbd0 R08: ffffffffbdd68aa1 R09: ffff8a118a183800
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] R10: ffff8a113175d010 R11: ffff8a113175e278 R12: 0000000000000000
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] R13: ffff8a11677ced80 R14: 0000000000000000 R15: ffff8a11cd431710
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] FS: 00007f80f7700700(0000) GS:ffff8a11dfc00000(0000) knlGS:0000000000000000
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] CR2: 0000000000000030 CR3: 000000020d763000 CR4: 00000000000006f0
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] Call Trace:
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] ecryptfs_get_lower_file+0x7d/0xc0
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] ecryptfs_open+0x71/0x200
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] do_dentry_open+0x1f8/0x320
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] ? ecryptfs_release+0x30/0x30
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] vfs_open+0x4e/0x80
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] path_openat+0x2a8/0x13c0
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] ? unlock_page_memcg+0x12/0x20
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] ? page_add_file_rmap+0x58/0x170
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] do_filp_open+0x99/0x110
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] ? cp_new_stat+0x156/0x190
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] ? __check_object_size+0xfc/0x1a0
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] ? __alloc_fd+0xae/0x170
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] do_sys_open+0x12d/0x2a0
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] ? do_sys_open+0x12d/0x2a0
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] SyS_open+0x1e/0x20
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] entry_SYSCALL_64_fastpath+0x1e/0xa9
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] RIP: 0033:0x7f80f7245010
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] RSP: 002b:00007fff0583f8d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] RAX: ffffffffffffffda RBX: 00007fff0583fb38 RCX: 00007f80f7245010
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] RDX: 0000000000020000 RSI: 0000000000000000 RDI: 00007fff05840237
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] R10: 000000000000069d R11: 0000000000000246 R12: 00000000004025b0
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] R13: 00007fff0583fb30 R14: 0000000000000000 R15: 0000000000000000
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] Code: c2 60 be ef be 49 89 cd 65 48 8b 04 25 28 00 00 00 48 89 45 d8 31 c0 48 8d 45 90 c7 45 a8 00 00 00 00 48 8d 78 20 e8 1f 91 d5 ff <49> 8b 44 24 30 48 89 5d 90 4c 89 65 a0 4c 89 75 98 48 8b 40 28
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] RIP: ecryptfs_privileged_open+0x51/0x180 RSP: ffffa10c010abb60
Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] CR2: 0000000000000030
Oct 31 03:11:09 hephaestion kernel: [ 1057.391461] ---[ end trace 1d38ad38c6419426 ]---
Comment 1 Tyler Hicks 2017-10-31 22:29:51 UTC
Hello and thanks for the bug report. I've verified the report using 4.14-rc7.
Comment 2 TJ 2017-11-28 17:54:14 UTC
With a rebuild of the Ubuntu kernel image with the addition of:

ccflags += -save-temps


and then

objdump -Sd fs/ecryptfs/kthread.o

this should correlate 0x2b1 to the faulting location ecryptfs_privileged_open+0x51:

0000000000000260 <ecryptfs_privileged_open>:
 */
int ecryptfs_privileged_open(struct file **lower_file,
                             struct dentry *lower_dentry,
                             struct vfsmount *lower_mnt,
                             const struct cred *cred)
{
 260:   55                      push   %rbp
 261:   48 89 e5                mov    %rsp,%rbp
 264:   41 56                   push   %r14
 266:   41 55                   push   %r13
 268:   41 54                   push   %r12
 26a:   53                      push   %rbx
 26b:   48 89 fb                mov    %rdi,%rbx
 26e:   49 89 f4                mov    %rsi,%r12
 271:   49 89 d6                mov    %rdx,%r14
 * structure.
 */
static inline void init_completion(struct completion *x)
{
        x->done = 0;
        init_waitqueue_head(&x->wait);
 274:   48 c7 c6 00 00 00 00    mov    $0x0,%rsi
 27b:   48 83 ec 50             sub    $0x50,%rsp
 27f:   48 c7 c2 00 00 00 00    mov    $0x0,%rdx
 286:   49 89 cd                mov    %rcx,%r13
 289:   65 48 8b 04 25 28 00    mov    %gs:0x28,%rax
 290:   00 00 
 292:   48 89 45 d8             mov    %rax,-0x28(%rbp)
 296:   31 c0                   xor    %eax,%eax
 298:   48 8d 45 90             lea    -0x70(%rbp),%rax
 * This inline function will initialize a dynamically created completion
 * structure.
 */
static inline void init_completion(struct completion *x)
{
        x->done = 0;
 29c:   c7 45 a8 00 00 00 00    movl   $0x0,-0x58(%rbp)
        init_waitqueue_head(&x->wait);
 2a3:   48 8d 78 20             lea    0x20(%rax),%rdi
 2a7:   e8 00 00 00 00          callq  2ac <ecryptfs_privileged_open+0x4c>
        req.path.mnt = lower_mnt;

        /* Corresponding dput() and mntput() are done when the
         * lower file is fput() when all eCryptfs files for the inode are
         * released. */
        flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
 2ac:   49 8b 44 24 30          mov    0x30(%r12),%rax
        struct ecryptfs_open_req req;
        int flags = O_LARGEFILE;
        int rc = 0;

        init_completion(&req.done);
        req.lower_file = lower_file;
 2b1:   48 89 5d 90             mov    %rbx,-0x70(%rbp)
        req.path.dentry = lower_dentry;
 2b5:   4c 89 65 a0             mov    %r12,-0x60(%rbp)
        req.path.mnt = lower_mnt;
 2b9:   4c 89 75 98             mov    %r14,-0x68(%rbp)

        /* Corresponding dput() and mntput() are done when the
         * lower file is fput() when all eCryptfs files for the inode are
         * released. */
        flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
 2bd:   48 8b 40 28             mov    0x28(%rax),%rax
 2c1:   f6 40 50 01             testb  $0x1,0x50(%rax)
 2c5:   74 42                   je     309 <ecryptfs_privileged_open+0xa9>
        (*lower_file) = dentry_open(&req.path, flags, cred);
Comment 3 TJ 2017-11-28 19:03:53 UTC
If I've traced correctly from ecryptfs_get_lower_file() through ecryptfs_init_lower_file() into the call to ecryptfs_privileged_open(), the problem is path->dentry == NULL, since r12 == 0:

Oct 31 03:11:09 hephaestion kernel: [ 1057.381012] R10: ffff8a113175d010 R11: ffff8a113175e278 R12: 0000000000000000

However, I don't see ecryptfs_init_lower_file() in the stack trace. Despite the source I am assuming it was inlined since it is effectively a wrapper for the call to ecryptfs_privileged_open().


int ecryptfs_get_lower_file(struct dentry *dentry, struct inode *inode)
{
...
 else if (count == 1) { 
    rc = ecryptfs_init_lower_file(dentry,
 a04: 48 8d bb 78 02 00 00  lea    0x278(%rbx),%rdi    // rdi = cred
 a0b: 65 48 8b 04 25 00 00  mov    %gs:0x0,%rax 
 a12: 00 00
...
 a14: 48 8b 88 a8 09 00 00  mov    0x9a8(%rax),%rcx    // rcx = lower_file
 a1b: 49 8b 75 08           mov    0x8(%r13),%rsi      // rsi = path->dentry
 a1f: 49 8b 55 00           mov    0x0(%r13),%rdx      // rdx = path->mnt
 a23: e8 00 00 00 00        callq  a28 <ecryptfs_get_lower_file+0x78>
              cred);
  if (rc) { 
 a28: 85 c0                 test   %eax,%eax

...

0000000000000260 <ecryptfs_privileged_open>:
 */
int ecryptfs_privileged_open(struct file **lower_file,
           struct dentry *lower_dentry,
           struct vfsmount *lower_mnt,
           const struct cred *cred)
{
// rcx = lower_file
// rsi = path->dentry
// rdx = path->mnt
// rdi = cred

 260: 55                    push   %rbp
 261: 48 89 e5              mov    %rsp,%rbp
 264: 41 56                 push   %r14
 266: 41 55                 push   %r13
 268: 41 54                 push   %r12
 26a: 53                    push   %rbx
 26b: 48 89 fb              mov    %rdi,%rbx // cred
 26e: 49 89 f4              mov    %rsi,%r12 // path->dentry
 271: 49 89 d6              mov    %rdx,%r14 // path->mnt
 * structure.
 */
static inline void init_completion(struct completion *x)
{
  x->done = 0;
  init_waitqueue_head(&x->wait);
 274: 48 c7 c6 00 00 00 00  mov    $0x0,%rsi
 27b: 48 83 ec 50           sub    $0x50,%rsp
 27f: 48 c7 c2 00 00 00 00  mov    $0x0,%rdx
 286: 49 89 cd              mov    %rcx,%r13  // lower_file
 289: 65 48 8b 04 25 28 00  mov    %gs:0x28,%rax
 290: 00 00
 292: 48 89 45 d8           mov    %rax,-0x28(%rbp)
 296: 31 c0                 xor    %eax,%eax
 298: 48 8d 45 90           lea    -0x70(%rbp),%rax
 * This inline function will initialize a dynamically created completion
 * structure.
 */
static inline void init_completion(struct completion *x)
{
  x->done = 0;
 29c: c7 45 a8 00 00 00 00  movl   $0x0,-0x58(%rbp)
  init_waitqueue_head(&x->wait);
 2a3: 48 8d 78 20           lea    0x20(%rax),%rdi
 2a7: e8 00 00 00 00        callq  2ac <ecryptfs_privileged_open+0x4c>
  req.path.mnt = lower_mnt;

  /* Corresponding dput() and mntput() are done when the
   * lower file is fput() when all eCryptfs files for the inode are
   * released. */
  flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
 2ac: 49 8b 44 24 30        mov    0x30(%r12),%rax   // r12: path->dentry

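The reasoning in Comment 3 (CR2 = 0x30, the faulting instruction is `mov 0x30(%r12),%rax`, and R12 is zero, so the dereferenced pointer was NULL and 0x30 is a struct field offset) can be mechanised. The following script is an added example written for this page, not a tool from the report or from the eCryptfs project. It parses the register dump and CR2 lines of the Oops above, pulls the `disp(%base)` operand from the objdump line of the faulting instruction, and checks that base + displacement reproduces CR2. It also lists every register whose value plus the displacement lands on CR2, which shows why the register dump alone is ambiguous here (R12 and R14 are both zero) and the instruction decode is needed to pick the right one. It assumes the simple AT&T `disp(%base)` operand form; indexed or scaled operands are not handled.

```python
import re

# Constructed input: the register dump and CR2 line are copied from the Oops in
# this bug report (kernel log prefix stripped); the objdump line is the faulting
# instruction from Comment 3.
OOPS_LINES = [
    "RAX: ffffa10c010abb88 RBX: ffff8a1167459540 RCX: ffff8a11677ced80",
    "RDX: ffffffffbeefbe60 RSI: ffffffffbe6999fb RDI: ffffa10c010abb80",
    "RBP: ffffa10c010abbd0 R08: ffffffffbdd68aa1 R09: ffff8a118a183800",
    "R10: ffff8a113175d010 R11: ffff8a113175e278 R12: 0000000000000000",
    "R13: ffff8a11677ced80 R14: 0000000000000000 R15: ffff8a11cd431710",
    "CR2: 0000000000000030 CR3: 000000020d763000 CR4: 00000000000006f0",
]
FAULTING_INSN = " 2ac:   49 8b 44 24 30          mov    0x30(%r12),%rax"

# "RAX: <16 hex digits>" style pairs, including the CRn control registers.
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR[0-9]):\s*([0-9a-f]{16})")
# AT&T memory operand of the form disp(%base); the displacement is optional.
MEM_OPERAND_RE = re.compile(r"(-?0x[0-9a-f]+)?\(%([a-z0-9]+)\)")
MASK64 = 0xFFFFFFFFFFFFFFFF


def parse_registers(lines):
    """Collect register name -> integer value from Oops register dump lines."""
    regs = {}
    for line in lines:
        for name, value in REG_RE.findall(line):
            regs[name] = int(value, 16)
    return regs


def parse_memory_operand(objdump_line):
    """Return (BASE_REGISTER, displacement) from a disp(%base) operand.

    The register name is upper-cased to match the Oops dump ("%r12" -> "R12").
    """
    m = MEM_OPERAND_RE.search(objdump_line)
    if not m:
        raise ValueError("no disp(%base) memory operand found")
    disp = int(m.group(1), 16) if m.group(1) else 0
    return m.group(2).upper(), disp


def explain_fault(regs, base, disp):
    """Recompute the effective address and flag a NULL base pointer."""
    effective = (regs[base] + disp) & MASK64
    return {
        "base": base,
        "base_value": regs[base],
        "displacement": disp,
        "effective_address": effective,
        "matches_cr2": effective == regs["CR2"],
        "null_base": regs[base] == 0,
    }


def candidate_bases(regs, disp):
    """Every general-purpose register whose value + disp equals CR2.

    More than one hit means the register dump alone cannot identify the
    dereferenced pointer; the faulting instruction's operand settles it.
    """
    target = regs["CR2"]
    return sorted(name for name, val in regs.items()
                  if not name.startswith("CR") and (val + disp) & MASK64 == target)


def analyze(oops_lines, objdump_line):
    """Tie the Oops register state to the decoded faulting instruction."""
    regs = parse_registers(oops_lines)
    base, disp = parse_memory_operand(objdump_line)
    result = explain_fault(regs, base, disp)
    result["candidates"] = candidate_bases(regs, disp)
    return result


if __name__ == "__main__":
    r = analyze(OOPS_LINES, FAULTING_INSN)
    print(f"fault via {r['base']}+0x{r['displacement']:x}: "
          f"{r['base']}=0x{r['base_value']:016x}, NULL base: {r['null_base']}, "
          f"effective 0x{r['effective_address']:x} matches CR2: {r['matches_cr2']}")
    print("registers consistent with CR2 at this displacement:", r["candidates"])
```

For this report the script confirms R12 + 0x30 == CR2 with R12 == 0, i.e. a NULL `lower_dentry` being dereferenced at field offset 0x30, and reports that R14 (`lower_mnt`) is also zero, so both pointers passed in were NULL and only the operand decode shows which one the faulting load used.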