217404 – overlayfs: get_acl: Null pointer dereference at realinode in rcu-walk mode

Bug 217404 - overlayfs: get_acl: Null pointer dereference at realinode in rcu-walk mode

Summary: overlayfs: get_acl: Null pointer dereference at realinode in rcu-walk mode

Status:	NEW

Alias:	None

Product:	File System
Classification:	Unclassified
Component:	Other (show other bugs)
Hardware:	All Linux

Importance:	P3 normal
Assignee:	fs_other

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-05-05 03:48 UTC by Zhihao Cheng
Modified:	2023-05-05 03:50 UTC (History)
CC List:	0 users

See Also:
Kernel Version:
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
diff (1.80 KB, patch) 2023-05-05 03:50 UTC, Zhihao Cheng	Details \| Diff
test.sh (336 bytes, application/x-shellscript) 2023-05-05 03:50 UTC, Zhihao Cheng	Details
Add an attachment (proposed patch, testcase, etc.)

Description Zhihao Cheng 2023-05-05 03:48:18 UTC

1. Apply diff and compile kernel
2. useradd freg
3. ./test.sh

[  204.469828] overlayfs: get inode, wait drop cache, dir
[  204.500679] destroy inode
[  205.472132] overlayfs: wait done
[  205.472713] overlayfs: XXXX inodestate 60 unhash 1 upper dentry ffff88817b725000 dentry->inode 0000000000000000
[  205.472797] BUG: kernel NULL pointer dereference, address: 0000000000000028
[  205.474858] #PF: supervisor read access in kernel mode
[  205.475469] #PF: error_code(0x0000) - not-present page
[  205.476071] PGD 0 P4D 0 
[  205.476321] Oops: 0000 [#1] PREEMPT SMP
[  205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted 6.3.0-12064-g2edfa098e750-dirty #1216
[  205.477503] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproje4
[  205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300
[  205.479204] Code: 48 83 05 35 cd ca 0c 01 48 83 3d 2d c0 b8 0c 00 0f 84 9b 00 00 00 48 89 ef e8 1f bf ff ff 48 89 c3 48 85 cf
[  205.481194] RSP: 0018:ffffc9000171bb28 EFLAGS: 00010202
[  205.481865] RAX: 0000000000000063 RBX: 0000000000000000 RCX: 0000000000000027
[  205.482812] RDX: 0000000000000000 RSI: ffff88842fc9c6c8 RDI: ffff88842fc9c6c0
[  205.483775] RBP: ffff88817b78c020 R08: 0000000000000000 R09: ffffc9000171b9c8
[  205.484747] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
[  205.485685] R13: 0000000000000001 R14: 0000000000008000 R15: 0000000000000000
[  205.486551] FS:  00007f8381ad6540(0000) GS:ffff88842fd00000(0000) knlGS:0000000000000000
[  205.487212] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  205.487696] CR2: 000055f830f22cac CR3: 0000000176205000 CR4: 00000000000006e0
[  205.488296] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  205.488904] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  205.489584] Call Trace:
[  205.489812]  <TASK>
[  205.490014]  ovl_get_inode_acl+0x26/0x30
[  205.490466]  get_cached_acl_rcu+0x61/0xa0
[  205.490908]  generic_permission+0x1bf/0x4e0
[  205.491447]  ovl_permission+0x79/0x1b0
[  205.491917]  inode_permission+0x15e/0x2c0
[  205.492425]  link_path_walk+0x115/0x550
[  205.492890]  ? path_init+0x3b1/0x560
[  205.493311]  path_lookupat.isra.0+0xb2/0x200
[  205.493803]  filename_lookup+0xda/0x240
[  205.494295]  ? _raw_spin_lock_irqsave+0x7d/0xa0
[  205.494881]  ? __create_object+0x2b3/0x5c0
[  205.495401]  vfs_statx+0xa6/0x1f0
[  205.495747]  vfs_fstatat+0x7b/0xb0
[  205.496142]  __do_sys_newlstat+0x3b/0x90
[  205.496591]  __x64_sys_newlstat+0x1e/0x30
[  205.496946]  do_syscall_64+0x39/0x80
[  205.497323]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  205.497892] RIP: 0033:0x7f8380cffa75
[  205.498229] Code: 19 f4 2c 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b9
[  205.500102] RSP: 002b:00007fff93bbcd28 EFLAGS: 00000246 ORIG_RAX: 0000000000000006
[  205.500849] RAX: ffffffffffffffda RBX: 00007fff93bbf4d0 RCX: 00007f8380cffa75
[  205.501541] RDX: 000055fdca6ff150 RSI: 000055fdca6ff150 RDI: 00007fff93bbf4d0
[  205.502322] RBP: 00007fff93bbd0d0 R08: 0000000000000004 R09: 00007fff93bbf4e7
[  205.503054] R10: 0000000093bbf400 R11: 0000000000000246 R12: 00007fff93bbf4d0
[  205.503734] R13: 0000000000000000 R14: 000055fdca6ff140 R15: 0000000000000000
[  205.504419]  </TASK>
[  205.504675] Modules linked in:
[  205.505005] CR2: 0000000000000028
[  205.505370] ---[ end trace 0000000000000000 ]---
[  205.505869] RIP: 0010:do_ovl_get_acl+0x5d/0x300
[  205.506385] Code: 48 83 05 35 cd ca 0c 01 48 83 3d 2d c0 b8 0c 00 0f 84 9b 00 00 00 48 89 ef e8 1f bf ff ff 48 89 c3 48 85 cf
[  205.509896] RSP: 0018:ffffc9000171bb28 EFLAGS: 00010202
[  205.510573] RAX: 0000000000000063 RBX: 0000000000000000 RCX: 0000000000000027
[  205.511492] RDX: 0000000000000000 RSI: ffff88842fc9c6c8 RDI: ffff88842fc9c6c0
[  205.512325] RBP: ffff88817b78c020 R08: 0000000000000000 R09: ffffc9000171b9c8
[  205.513139] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
[  205.513967] R13: 0000000000000001 R14: 0000000000008000 R15: 0000000000000000
[  205.514869] FS:  00007f8381ad6540(0000) GS:ffff88842fd00000(0000) knlGS:0000000000000000
[  205.515808] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  205.516519] CR2: 000055f830f22cac CR3: 0000000176205000 CR4: 00000000000006e0
[  205.517336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  205.518156] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  205.518972] Kernel panic - not syncing: Fatal exception
[  205.519661] Kernel Offset: disabled
[  205.520072] ---[ end Kernel panic - not syncing: Fatal exception ]---

Comment 1 Zhihao Cheng 2023-05-05 03:50:15 UTC

Created attachment 304218 [details]
diff

Comment 2 Zhihao Cheng 2023-05-05 03:50:36 UTC

Created attachment 304219 [details]
test.sh

Note You need to log in before you can comment on or make changes to this bug.