Re: general protection fault in kernfs_kill_sb (2)

From: Tetsuo Handa
Date: Sat May 12 2018 - 22:20:30 EST


On 2018/05/13 2:01, syzbot wrote:
> Call Trace:
>  __list_del_entry include/linux/list.h:117 [inline]
>  list_del include/linux/list.h:125 [inline]
>  kernfs_kill_sb+0xa0/0x350 fs/kernfs/mount.c:361
>  sysfs_kill_sb+0x22/0x40 fs/sysfs/mount.c:50
>  deactivate_locked_super+0x97/0x100 fs/super.c:316
>  kernfs_mount_ns+0x753/0x8e0 fs/kernfs/mount.c:335
>  sysfs_mount+0xdf/0x200 fs/sysfs/mount.c:36
>  mount_fs+0xae/0x328 fs/super.c:1267
>  vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
>  vfs_kern_mount fs/namespace.c:1027 [inline]
>  do_new_mount fs/namespace.c:2518 [inline]
>  do_mount+0x564/0x3070 fs/namespace.c:2848
>  ksys_mount+0x12d/0x140 fs/namespace.c:3064
>  __do_sys_mount fs/namespace.c:3078 [inline]
>  __se_sys_mount fs/namespace.c:3075 [inline]
>  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4426a9
> RSP: 002b:00007ffc558bd1b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004426a9
> RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000020000040
> RBP: 00007ffc558bda60 R08: 0000000000000000 R09: 0000000300000000
> R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
> R13: 0000000000000004 R14: 0000000000001380 R15: 00007ffc558bd2f8
> Code: c5 0f 84 cc 00 00 00 48 b8 00 02 00 00 00 00 ad de 49 39 c4 0f 84 a5 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 5f 49 8b 14 24 48 39 da 0f 85 ba 00 00 00 48 b8
> RIP: __list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51 RSP: ffff8801aca6f860
> ---[ end trace d148f307a34e229f ]---

This is what I reported at
https://groups.google.com/d/msg/syzkaller-bugs/ISOJlV2I2QM/qHslGMi3AwAJ

We are currently waiting for comments from Al Viro.