"fs/namei.c: keep track of nd->root refcount status" causes boot panic

From: Qian Cai
Date: Tue Sep 03 2019 - 00:21:45 EST


The linux-next commit "fs/namei.c: keep track of nd->root refcount status" [1] causes a boot panic on all
architectures here on today's linux-next (0902). Reverting it fixes the issue.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=e013ec23b8231cf7f95605cbb0e47aa0e3d047a4

All configs are here: https://github.com/cailca/linux-mm

[ 104.088693][ T1] Run /init as init process
[ 104.155068][ T1] ==================================================================
[ 104.163000][ T1] BUG: KASAN: invalid-access in dput+0x94/0x8d0
[ 104.169095][ T1] Read of size 4 at addr aaaaaaaaaaaaaaaa by task systemd/1
[ 104.176227][ T1]
[ 104.178416][ T1] CPU: 166 PID: 1 Comm: systemd Not tainted 5.3.0-rc6-next-20190902 #2
[ 104.186504][ T1] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
[ 104.196935][ T1] Call trace:
[ 104.200091][ T1] dump_backtrace+0x0/0x264
[ 104.204447][ T1] show_stack+0x20/0x2c
[ 104.208460][ T1] dump_stack+0xb0/0x104
[ 104.212558][ T1] __kasan_report+0x1fc/0x294
[ 104.217088][ T1] kasan_report+0x10/0x18
[ 104.221271][ T1] __hwasan_load4_noabort+0x84/0x8c
[ 104.226320][ T1] dput+0x94/0x8d0
[ 104.229902][ T1] path_put+0x24/0x40
[ 104.233739][ T1] terminate_walk+0x98/0x124
[ 104.238182][ T1] path_lookupat+0x1a8/0x3f8
[ 104.242624][ T1] filename_lookup+0x84/0x128
[ 104.247154][ T1] user_path_at_empty+0x54/0x68
[ 104.251869][ T1] __arm64_sys_name_to_handle_at+0xd4/0x63c
[ 104.257625][ T1] el0_svc_handler+0x16c/0x234
[ 104.262240][ T1] el0_svc+0x8/0xc
[ 104.265814][ T1] ==================================================================
[ 104.273726][ T1] Disabling lock debugging due to kernel taint
[ 104.279758][ T1] Unable to handle kernel paging request at virtual address aaaaaaaaaaaaaaaa
[ 104.288378][ T1] Mem abort info:
[ 104.291861][ T1] ESR = 0x96000004
[ 104.295619][ T1] EC = 0x25: DABT (current EL), IL = 32 bits
[ 104.301619][ T1] SET = 0, FnV = 0
[ 104.305375][ T1] EA = 0, S1PTW = 0
[ 104.309203][ T1] Data abort info:
[ 104.312773][ T1] ISV = 0, ISS = 0x00000004
[ 104.317310][ T1] CM = 0, WnR = 0
[ 104.320968][ T1] [aaaaaaaaaaaaaaaa] address between user and kernel address ranges
[ 104.328806][ T1] Internal error: Oops: 96000004 [#1] SMP
[ 104.334375][ T1] Modules linked in:
[ 104.338127][ T1] CPU: 166 PID: 1 Comm: systemd Tainted: G B 5.3.0-rc6-next-20190902 #2
[ 104.347601][ T1] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
[ 104.358033][ T1] pstate: 60400009 (nZCv daif +PAN -UAO)
[ 104.363514][ T1] pc : dput+0x94/0x8d0
[ 104.367433][ T1] lr : dput+0x94/0x8d0
[ 104.371349][ T1] sp : 29ff008b8054fb40
[ 104.375353][ T1] x29: 29ff008b8054fba0 x28: faff008b8052a0c0
[ 104.381357][ T1] x27: 0000000000080040 x26: 0000000000080060
[ 104.387361][ T1] x25: 0000000000000001 x24: faff008b8052a0c0
[ 104.393365][ T1] x23: 0000000000000001 x22: ffff9000129e5cb8
[ 104.399368][ T1] x21: ffff900010f4cb4a x20: faff008b8052a0d8
[ 104.405371][ T1] x19: aaaaaaaaaaaaaaaa x18: 0000000000000000
[ 104.411374][ T1] x17: 0000000000000000 x16: 0000000000000000
[ 104.417377][ T1] x15: 0000000000000000 x14: 4c20534f4942202c
[ 104.423380][ T1] x13: 2020202020202020 x12: ffffffffffffffff
[ 104.429383][ T1] x11: 00000000000000fa x10: ffff8008b8052a0e
[ 104.435387][ T1] x9 : 828cac3cb2455600 x8 : 828cac3cb2455600
[ 104.441389][ T1] x7 : 0000000000000000 x6 : ffff9000101dcf08
[ 104.447392][ T1] x5 : 0000000000000000 x4 : 0000000000000080
[ 104.453395][ T1] x3 : ffff9000101d0e8c x2 : 0000000000000001
[ 104.459398][ T1] x1 : 0000000000000001 x0 : faff008b8052a0d8
[ 104.465402][ T1] Call trace:
[ 104.468541][ T1] dput+0x94/0x8d0
[ 104.472112][ T1] path_put+0x24/0x40
[ 104.475945][ T1] terminate_walk+0x98/0x124
[ 104.480385][ T1] path_lookupat+0x1a8/0x3f8
[ 104.484826][ T1] filename_lookup+0x84/0x128
[ 104.489353][ T1] user_path_at_empty+0x54/0x68
[ 104.494055][ T1] __arm64_sys_name_to_handle_at+0xd4/0x63c
[ 104.499798][ T1] el0_svc_handler+0x16c/0x234
[ 104.504411][ T1] el0_svc+0x8/0xc
[ 104.507989][ T1] Code: aa1603e0 9400202a aa1303e0 97fdfb5c (39400268)
[ 104.515005][ T1] ---[ end trace 8f0e764e24e4db67 ]---
[ 104.520314][ T1] Kernel panic - not syncing: Fatal exception
[ 104.526386][ T1] SMP: stopping secondary CPUs
[ 104.531154][ T1] Kernel Offset: disabled
[ 104.535334][ T1] CPU features: 0x0002,20000c18
[ 104.540032][ T1] Memory Limit: none
[ 104.543936][ T1] ---[ end Kernel panic - not syncing: Fatal exception ]---



[ 18.850684][ T1] Run /init as init process
[ 18.865679][ T1] Kernel attempted to access user page (7ffffb9da7e8) - exploit attempt? (uid: 0)
[ 18.865702][ T1] BUG: Unable to handle kernel data access at 0x7ffffb9da7e8
[ 18.865714][ T1] Faulting instruction address: 0xc000000000472f98
[ 18.865734][ T1] Oops: Kernel access of bad area, sig: 11 [#1]
[ 18.865744][ T1] LE PAGE_SIZE=64K MMU=Radix MMU=Hash SMP NR_CPUS=256 DEBUG_PAGEALLOC NUMA PowerNV
[ 18.865766][ T1] Modules linked in:
[ 18.865786][ T1] CPU: 12 PID: 1 Comm: systemd Not tainted 5.3.0-rc6-next-20190902 #1
[ 18.865808][ T1] NIP: c000000000472f98 LR: c000000000472f94 CTR: 0000000000000000
[ 18.865828][ T1] REGS: c000200009d4f8c0 TRAP: 0300 Not tainted (5.3.0-rc6-next-20190902)
[ 18.865848][ T1] MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 24044842 XER: 00000000
[ 18.865874][ T1] CFAR: c00000000019c340 DAR: 00007ffffb9da7e8 DSISR: 08000000 IRQMASK: 0
[ 18.865874][ T1] GPR00: c000000000472f94 c000200009d4fb50 c000000001055f00 0000000000000000
[ 18.865874][ T1] GPR04: c000000001388ad8 0000000000000000 00000000b1fde0fa ffffffff000002ca
[ 18.865874][ T1] GPR08: 00000000b201b1b9 0000000000000000 0000000000000000 c00000002c128480
[ 18.865874][ T1] GPR12: 0000000000004000 c000001fffff5a00 0000000000000000 0000000000000fb1
[ 18.865874][ T1] GPR16: 00007ffffb9dffb1 000000012fbf8718 000000012fbf8728 000000012fbf8758
[ 18.865874][ T1] GPR20: 000000012fbf8768 00007ffffb9da7e8 00007ffffb9da7d8 00007ffffb9da440
[ 18.865874][ T1] GPR24: 0000000000080040 0000000000000001 c000000000472f4c c0000000009f5820
[ 18.865874][ T1] GPR28: c000000000f2bbe8 0000000000080060 00007ffffb9da868 00007ffffb9da7e8
[ 18.866054][ T1] NIP [c000000000472f98] dput.part.6+0xc8/0x4f0
[ 18.866082][ T1] LR [c000000000472f94] dput.part.6+0xc4/0x4f0
[ 18.866100][ T1] Call Trace:
[ 18.866118][ T1] [c000200009d4fb50] [c000000000472f94] dput.part.6+0xc4/0x4f0 (unreliable)
[ 18.866140][ T1] [c000200009d4fbc0] [c00000000045b17c] terminate_walk+0x17c/0x1c0
[ 18.866152][ T1] [c000200009d4fc00] [c000000000462178] path_lookupat+0xf8/0x2a0
[ 18.866163][ T1] [c000200009d4fc70] [c000000000464950] filename_lookup.part.12+0xa0/0x170
[ 18.866185][ T1] [c000200009d4fda0] [c000000000509074] sys_name_to_handle_at+0xd4/0x300
[ 18.866208][ T1] [c000200009d4fe20] [c00000000000b278] system_call+0x5c/0x68
[ 18.866237][ T1] Instruction dump:
[ 18.866253][ T1] 39290001 912a0000 39000000 7f49d378 7f83e378 38e00000 38c00002 38a00000
[ 18.866276][ T1] 38800000 3bdf0080 4bd29249 60000000 <813f0000> 7fc3f378 71290008 4082013c
[ 18.866300][ T1] ---[ end trace de9d3874b1f53267 ]---
[ 18.958525][ T1]
[ 19.958606][ T1] Kernel panic - not syncing: Fatal exception



[ 39.686666][ T1] UBSAN: Undefined behaviour in kernel/locking/lockdep_internals.h:224:2
[ 39.725420][ T1] index 841678955 is out of range for type 'long unsigned int [8192]'
[ 39.763094][ T1] CPU: 4 PID: 1 Comm: systemd Not tainted 5.3.0-rc6-next-20190902 #1
[ 39.800145][ T1] Hardware name: HP ProLiant XL420 Gen9/ProLiant XL420 Gen9, BIOS U19 12/27/2015
[ 39.842199][ T1] Call Trace:
[ 39.856929][ T1] dump_stack+0x62/0x9a
[ 39.875739][ T1] ubsan_epilogue+0xd/0x3a
[ 39.895416][ T1] __ubsan_handle_out_of_bounds+0x70/0x80
[ 39.921688][ T1] __lock_acquire.isra.13+0x808/0x830
[ 39.945869][ T1] ? __lock_acquire.isra.13+0x430/0x830
[ 39.971711][ T1] lock_acquire+0x107/0x220
[ 39.994163][ T1] ? dput.part.7+0x1c5/0x500
[ 40.016158][ T1] ? dput.part.7+0x30/0x500
[ 40.036582][ T1] _raw_spin_lock+0x2f/0x40
[ 40.057076][ T1] ? dput.part.7+0x1c5/0x500
[ 40.077507][ T1] dput.part.7+0x1c5/0x500
[ 40.097771][ T1] ? path_get+0x35/0x40
[ 40.116577][ T1] dput+0xe/0x10
[ 40.132493][ T1] terminate_walk+0x1a4/0x1d0
[ 40.153485][ T1] path_lookupat+0x156/0x420
[ 40.174134][ T1] ? link_path_walk.part.6+0x870/0x870
[ 40.199229][ T1] ? create_object+0x4a2/0x540
[ 40.220672][ T1] ? lock_downgrade+0x390/0x390
[ 40.242538][ T1] ? do_raw_write_lock+0x118/0x1d0
[ 40.265756][ T1] ? do_raw_read_unlock+0x60/0x60
[ 40.288700][ T1] ? create_object+0x22a/0x540
[ 40.310276][ T1] filename_lookup.part.10+0x11b/0x1f0
[ 40.335487][ T1] ? do_renameat2+0x7e0/0x7e0
[ 40.356858][ T1] ? __virt_addr_valid+0xdd/0x170
[ 40.379861][ T1] ? __phys_addr_symbol+0x27/0x42
[ 40.402344][ T1] ? strncpy_from_user+0x100/0x280
[ 40.425720][ T1] ? getname_flags+0xa7/0x220
[ 40.447134][ T1] user_path_at_empty+0x3e/0x50
[ 40.469048][ T1] __x64_sys_name_to_handle_at+0x113/0x340
[ 40.496646][ T1] ? kmem_cache_free+0x128/0x430
[ 40.520509][ T1] ? vfs_dentry_acceptable+0x10/0x10
[ 40.547313][ T1] ? putname+0x6b/0x80
[ 40.565905][ T1] ? do_sys_open+0x172/0x2c0
[ 40.586647][ T1] ? _raw_spin_unlock_irq+0x27/0x40
[ 40.610151][ T1] ? task_work_run+0xa1/0x100
[ 40.631407][ T1] do_syscall_64+0xc7/0x646
[ 40.651745][ T1] ? syscall_return_slowpath+0x140/0x140
[ 40.676512][ T1] ? __do_page_fault+0x49f/0x630
[ 40.698994][ T1] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 40.725719][ T1] RIP: 0033:0x7f681e45cf3e
[ 40.745799][ T1] Code: 48 8b 0d 4d ff 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 2f 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1a ff 2b 00 f7 d8 64 89 01 48
[ 40.837197][ T1] RSP: 002b:00007ffdc2968038 EFLAGS: 00000202 ORIG_RAX: 000000000000012f
[ 40.875888][ T1] RAX: ffffffffffffffda RBX: 0000000000000080 RCX: 00007f681e45cf3e
[ 40.912761][ T1] RDX: 000055bdc6e995b0 RSI: 00007f681fc203d6 RDI: 0000000000000004
[ 40.949212][ T1] RBP: 000055bdc6e995b0 R08: 0000000000001000 R09: 0000000000000003
[ 40.985257][ T1] R10: 00007ffdc2968064 R11: 0000000000000202 R12: 000055bdc6e994e1
[ 41.024224][ T1] R13: 00007f681fc203d6 R14: 0000000000000004 R15: 00007ffdc29680c8
[ 41.063027][ T1] ================================================================================
[ 41.105463][ T1] BUG: unable to handle page fault for address: ffff8885e379f7a0
[ 41.143820][ T1] #PF: supervisor write access in kernel mode
[ 41.171406][ T1] #PF: error_code(0x0002) - not-present page
[ 41.199505][ T1] PGD 656801067 P4D 656801067 PUD 87dd34067 PMD 87dc18067 PTE 800ffffa1c860060
[ 41.240827][ T1] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 41.270580][ T1] CPU: 4 PID: 1 Comm: systemd Not tainted 5.3.0-rc6-next-20190902 #1
[ 41.307810][ T1] Hardware name: HP ProLiant XL420 Gen9/ProLiant XL420 Gen9, BIOS U19 12/27/2015
[ 41.350005][ T1] RIP: 0010:__lock_acquire.isra.13+0x94/0x830
[ 41.377694][ T1] Code: 00 49 81 ec a0 b3 0b 88 48 b8 a3 8b 2e ba e8 a2 8b 2e 49 c1 fc 04 4c 0f af e0 4d 63 f4 49 81 fe ff 1f 00 00 0f 87 65 07 00 00 <65> 4a ff 04 f5 48 f4 01 00 49 8d 85 68 07 00 00 48 89 c7 48 89 45
[ 41.469635][ T1] RSP: 0018:ffff8882059bf8c8 EFLAGS: 00010082
[ 41.496954][ T1] RAX: ffff888486576040 RBX: 0000000000000000 RCX: ffffffff86758ea8
[ 41.534066][ T1] RDX: 1ffffffff0f872d0 RSI: dffffc0000000000 RDI: ffffffff87c39680
[ 41.572462][ T1] RBP: ffff8882059bf938 R08: fffffbfff0f872d1 R09: fffffbfff0f872d1
[ 41.610885][ T1] R10: fffffbfff0f872d0 R11: ffffffff87c39683 R12: ffffff52322b006b
[ 41.646423][ T1] R13: ffff888486576040 R14: 00000000322b006b R15: 0000000000000000
[ 41.683212][ T1] FS: 00007f682011f580(0000) GS:ffff888452200000(0000) knlGS:0000000000000000
[ 41.724248][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.754393][ T1] CR2: ffff8885e379f7a0 CR3: 000000031d4f8002 CR4: 00000000001606a0
[ 41.791003][ T1] Call Trace:
[ 41.805757][ T1] ? __lock_acquire.isra.13+0x430/0x830
[ 41.830925][ T1] lock_acquire+0x107/0x220
[ 41.851379][ T1] ? dput.part.7+0x1c5/0x500
[ 41.872014][ T1] ? dput.part.7+0x30/0x500
[ 41.893373][ T1] _raw_spin_lock+0x2f/0x40
[ 41.914209][ T1] ? dput.part.7+0x1c5/0x500
[ 41.935211][ T1] dput.part.7+0x1c5/0x500
[ 41.955220][ T1] ? path_get+0x35/0x40
[ 41.973805][ T1] dput+0xe/0x10
[ 41.989687][ T1] terminate_walk+0x1a4/0x1d0
[ 42.010467][ T1] path_lookupat+0x156/0x420
[ 42.031327][ T1] ? link_path_walk.part.6+0x870/0x870
[ 42.057145][ T1] ? create_object+0x4a2/0x540
[ 42.081409][ T1] ? lock_downgrade+0x390/0x390
[ 42.105227][ T1] ? do_raw_write_lock+0x118/0x1d0
[ 42.128399][ T1] ? do_raw_read_unlock+0x60/0x60
[ 42.151389][ T1] ? create_object+0x22a/0x540
[ 42.172907][ T1] filename_lookup.part.10+0x11b/0x1f0
[ 42.197856][ T1] ? do_renameat2+0x7e0/0x7e0
[ 42.218965][ T1] ? __virt_addr_valid+0xdd/0x170
[ 42.241783][ T1] ? __phys_addr_symbol+0x27/0x42
[ 42.264601][ T1] ? strncpy_from_user+0x100/0x280
[ 42.287801][ T1] ? getname_flags+0xa7/0x220
[ 42.309515][ T1] user_path_at_empty+0x3e/0x50
[ 42.331635][ T1] __x64_sys_name_to_handle_at+0x113/0x340
[ 42.358043][ T1] ? kmem_cache_free+0x128/0x430
[ 42.380461][ T1] ? vfs_dentry_acceptable+0x10/0x10
[ 42.404055][ T1] ? putname+0x6b/0x80
[ 42.421534][ T1] ? do_sys_open+0x172/0x2c0
[ 42.442060][ T1] ? _raw_spin_unlock_irq+0x27/0x40
[ 42.465673][ T1] ? task_work_run+0xa1/0x100
[ 42.486841][ T1] do_syscall_64+0xc7/0x646
[ 42.507390][ T1] ? syscall_return_slowpath+0x140/0x140
[ 42.533265][ T1] ? __do_page_fault+0x49f/0x630
[ 42.556144][ T1] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.584451][ T1] RIP: 0033:0x7f681e45cf3e
[ 42.605521][ T1] Code: 48 8b 0d 4d ff 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 2f 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1a ff 2b 00 f7 d8 64 89 01 48
[ 42.698743][ T1] RSP: 002b:00007ffdc2968038 EFLAGS: 00000202 ORIG_RAX: 000000000000012f
[ 42.737341][ T1] RAX: ffffffffffffffda RBX: 0000000000000080 RCX: 00007f681e45cf3e
[ 42.774197][ T1] RDX: 000055bdc6e995b0 RSI: 00007f681fc203d6 RDI: 0000000000000004
[ 42.809605][ T1] RBP: 000055bdc6e995b0 R08: 0000000000001000 R09: 0000000000000003
[ 42.845762][ T1] R10: 00007ffdc2968064 R11: 0000000000000202 R12: 000055bdc6e994e1
[ 42.882437][ T1] R13: 00007f681fc203d6 R14: 0000000000000004 R15: 00007ffdc29680c8
[ 42.918931][ T1] Modules linked in:
[ 42.935805][ T1] CR2: ffff8885e379f7a0
[ 42.954388][ T1] ---[ end trace cb4b0fb03ef6dea9 ]---
[ 42.979305][ T1] RIP: 0010:__lock_acquire.isra.13+0x94/0x830
[ 43.006969][ T1] Code: 00 49 81 ec a0 b3 0b 88 48 b8 a3 8b 2e ba e8 a2 8b 2e 49 c1 fc 04 4c 0f af e0 4d 63 f4 49 81 fe ff 1f 00 00 0f 87 65 07 00 00 <65> 4a ff 04 f5 48 f4 01 00 49 8d 85 68 07 00 00 48 89 c7 48 89 45
[ 43.100565][ T1] RSP: 0018:ffff8882059bf8c8 EFLAGS: 00010082
[ 43.130310][ T1] RAX: ffff888486576040 RBX: 0000000000000000 RCX: ffffffff86758ea8
[ 43.166789][ T1] RDX: 1ffffffff0f872d0 RSI: dffffc0000000000 RDI: ffffffff87c39680
[ 43.203516][ T1] RBP: ffff8882059bf938 R08: fffffbfff0f872d1 R09: fffffbfff0f872d1
[ 43.240056][ T1] R10: fffffbfff0f872d0 R11: ffffffff87c39683 R12: ffffff52322b006b
[ 43.276539][ T1] R13: ffff888486576040 R14: 00000000322b006b R15: 0000000000000000
[ 43.313154][ T1] FS: 00007f682011f580(0000) GS:ffff888452200000(0000) knlGS:0000000000000000
[ 43.353925][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 43.383756][ T1] CR2: ffff8885e379f7a0 CR3: 000000031d4f8002 CR4: 00000000001606a0
[ 43.420258][ T1] Kernel panic - not syncing: Fatal exception
[ 43.448058][ T1] Kernel Offset: 0x5600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 43.501291][ T1] ---[ end Kernel panic - not syncing: Fatal exception ]---
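All three traces (arm64, ppc64le, x86_64) die at the same point: PID 1 (systemd) calls name_to_handle_at(), the lookup finishes in terminate_walk() -> path_put() -> dput(), and dput() dereferences a bogus dentry pointer (0xaaaaaaaaaaaaaaaa on arm64, a user-space address on ppc64le). A small user-space program that exercises exactly that syscall path is the thing a tester wants when bisecting or verifying a fix. The example below is added here and is not part of Qian Cai's report; it assumes that a plain name_to_handle_at() lookup of an absolute path is enough to take the same path systemd took (the arguments systemd used are not in the report), and it deliberately goes through syscall(2) with its own ABI-compatible handle buffer so it does not depend on the libc exposing a wrapper. On the affected linux-next build this panics the machine, so run it only in a throwaway VM.

```c
/* Added example: user-space reproducer for the name_to_handle_at() path
 * seen in the traces above (name_to_handle_at -> user_path_at_empty ->
 * filename_lookup -> path_lookupat -> terminate_walk -> path_put -> dput).
 * Not part of the original report.  Assumption: a plain lookup of "/"
 * exercises the nd->root handling the commit changed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Kernel ABI limit for the opaque handle (MAX_HANDLE_SZ in the kernel). */
#define FH_MAX_BYTES 128

/* Layout-compatible with the kernel's struct file_handle, declared under
 * our own name so the example builds whether or not the libc has one. */
struct fh_buf {
    unsigned int  handle_bytes;
    int           handle_type;
    unsigned char f_handle[FH_MAX_BYTES];
};

/* Do one name_to_handle_at() lookup of `path` relative to `dirfd`.
 * Returns 0 on success, otherwise the errno value.  An absolute path makes
 * the walk set up nd->root, the object whose refcount handling the commit
 * changed; a plain relative path such as "." normally does not touch it. */
static int probe_name_to_handle(int dirfd, const char *path, int flags)
{
#ifdef SYS_name_to_handle_at
    struct fh_buf fh;
    int mount_id = 0;

    memset(&fh, 0, sizeof(fh));
    fh.handle_bytes = FH_MAX_BYTES;
    if (syscall(SYS_name_to_handle_at, dirfd, path, &fh, &mount_id, flags) < 0)
        return errno;
    return 0;
#else
    (void)dirfd; (void)path; (void)flags;
    return ENOSYS;          /* non-Linux build: syscall does not exist */
#endif
}

/* 1 if `rc` from probe_name_to_handle() is an outcome a healthy kernel may
 * legitimately produce, 0 otherwise.  EOPNOTSUPP: filesystem without export
 * support (e.g. overlayfs without nfs_export); EPERM/EACCES: the syscall is
 * filtered, as container seccomp profiles do without CAP_DAC_READ_SEARCH;
 * ENOSYS: no such syscall.  Anything else is worth a closer look. */
static int is_benign_result(int rc)
{
    return rc == 0 || rc == EOPNOTSUPP || rc == EPERM || rc == EACCES ||
           rc == ENOSYS;
}

int main(void)
{
    /* "/" walks an absolute path (sets up nd->root); "." is relative. */
    const char *paths[] = { "/", "." };
    int ok = 1;

    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        int rc = probe_name_to_handle(AT_FDCWD, paths[i], 0);

        printf("name_to_handle_at(%s): %s\n", paths[i],
               rc ? strerror(rc) : "ok");
        if (!is_benign_result(rc))
            ok = 0;
    }

    /* Reaching this line is the real result: on the affected linux-next
     * build the kernel panics inside dput() before the syscall returns. */
    return ok ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Build with `cc -O2 -o n2h_probe n2h_probe.c` and run it as early as practical (for instance from a custom init or a systemd unit ordered before anything else) inside a VM booting the kernel under test; a kernel that survives the absolute-path lookup and returns cleanly is the signal that the nd->root put in terminate_walk() is no longer touching an uninitialised path.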