Null-ptr-deref due to "vfs, fsinfo: Add an RCU safe per-ns mount list"

From: Qian Cai
Date: Tue May 12 2020 - 15:50:37 EST


Reverting the linux-next commit ee8ad8190cb1 ("vfs, fsinfo: Add an RCU safe per-ns mount list") fixed the null-ptr-deref.

# runc run root

[ 1531.635242][ T4444] BUG: Kernel NULL pointer dereference on write at 0x00000000
[ 1531.635285][ T4444] Faulting instruction address: 0xc0000000005689e0
[ 1531.635299][ T4444] Oops: Kernel access of bad area, sig: 11 [#1]
[ 1531.635310][ T4444] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=256 DEBUG_PAGEALLOC NUMA PowerNV
[ 1531.635331][ T4444] Modules linked in: kvm_hv kvm ip_tables x_tables xfs sd_mod bnx2x tg3 ahci libahci mdio libphy libata firmware_class dm_mirror dm_region_hash dm_log dm_mod
[ 1531.635370][ T4444] CPU: 16 PID: 4444 Comm: runc:[2:INIT] Not tainted 5.7.0-rc5-next-20200512+ #9
[ 1531.635383][ T4444] NIP: c0000000005689e0 LR: c0000000005689b0 CTR: 0000000000000000
[ 1531.635413][ T4444] REGS: c000001323aef980 TRAP: 0300 Not tainted (5.7.0-rc5-next-20200512+)
[ 1531.635434][ T4444] MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 24424282 XER: 00000000
[ 1531.635468][ T4444] CFAR: c0000000006f9eec DAR: 0000000000000000 DSISR: 42000000 IRQMASK: 0
[ 1531.635468][ T4444] GPR00: c000000000570000 c000001323aefc10 c00000000168aa00 0000000000000001
[ 1531.635468][ T4444] GPR04: c0000015934e9e98 c0000015934e9e98 00000000283df117 fffffffe4386c189
[ 1531.635468][ T4444] GPR08: c000001323aefc38 0000000000000000 0000000000000000 0000000000000002
[ 1531.635468][ T4444] GPR12: 0000000024402282 c000001fffff1800 000000c000229990 000000000000000a
[ 1531.635468][ T4444] GPR16: ffffffffffffffff 0000000000000000 000000000000007a 000000012479c68c
[ 1531.635468][ T4444] GPR20: 0000000000000000 000000c000000180 0000000000000000 0000000000000000
[ 1531.635468][ T4444] GPR24: 0000000000000000 c00000000516b870 c00000000516b858 5deadbeef0000122
[ 1531.635468][ T4444] GPR28: c000001323aefc38 c0000015934e9e00 c0000015934e9ea8 c0000015934e9e98
[ 1531.635652][ T4444] NIP [c0000000005689e0] umount_tree+0x250/0x470
__write_once_size at include/linux/compiler.h:250
(inlined by) __hlist_del at include/linux/list.h:811
(inlined by) hlist_del_rcu at include/linux/rculist.h:487
(inlined by) umount_tree at fs/namespace.c:1485
[ 1531.635672][ T4444] LR [c0000000005689b0] umount_tree+0x220/0x470
[ 1531.635682][ T4444] Call Trace:
[ 1531.635709][ T4444] [c000001323aefca0] [c000000000570000] do_mount+0xb70/0xc90
[ 1531.635738][ T4444] [c000001323aefd70] [c0000000005706f8] sys_mount+0x158/0x180
[ 1531.635760][ T4444] [c000001323aefdc0] [c000000000038ac4] system_call_exception+0x114/0x1e0
[ 1531.635799][ T4444] [c000001323aefe20] [c00000000000c8f0] system_call_common+0xf0/0x278
[ 1531.635828][ T4444] Instruction dump:
[ 1531.635836][ T4444] 60000000 2fa30000 419e0014 e93f0008 e95f0000 f92a0008 f9490000 e93fffb8
[ 1531.635860][ T4444] e95fffc0 fbff0000 fbff0008 2fa90000 <f92a0000> 419e0008 f9490008 e93f0058
[ 1531.635885][ T4444] ---[ end trace f12075f6fac94362 ]---
[ 1531.748352][ T4444]
[ 1532.748433][ T4444] Kernel panic - not syncing: Fatal exception
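Editor's note, added to this report and not part of Qian Cai's mail or of the kernel source: the inlined frames above place the faulting store inside __hlist_del() as reached from hlist_del_rcu() in umount_tree(), and the trace shows a write to address 0 (DAR 0000000000000000, with GPR10 = 0 as the base register of the faulting std). In the kernel's hlist, the first store of __hlist_del() is `*n->pprev = n->next`, so a write to 0 means the node's pprev was NULL, which is the state of a node that was never added to any list or that was taken off with hlist_del_init(). The following user-space model of those primitives (assumed, simplified copies of hlist_add_head / __hlist_del / hlist_del_init / hlist_unhashed with a small poison constant; the `mnt_like` struct and scenario functions are hypothetical) reproduces that distinction and shows what the hlist_unhashed() guard changes. It does not claim which path in the reverted commit left the node unhashed.

```c
/* Added example, not kernel code: a user-space model of the hlist primitives
 * behind the inlined frames in the oops above (hlist_del_rcu -> __hlist_del ->
 * write through n->pprev). It shows why unlinking a node whose pprev is NULL
 * (never added, or already removed with hlist_del_init) is a write to
 * address 0, and what the hlist_unhashed() guard changes. */
#include <stdbool.h>
#include <stddef.h>

struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

/* Kernel hlist_del() poisons the links; the real value is per-arch
 * (POISON_POINTER_DELTA + 0x122). A small constant is enough for the model. */
#define LIST_POISON1 ((struct hlist_node *)0x100)
#define LIST_POISON2 ((struct hlist_node **)0x122)

static void INIT_HLIST_NODE(struct hlist_node *n) { n->next = NULL; n->pprev = NULL; }
static bool hlist_unhashed(const struct hlist_node *n) { return !n->pprev; }

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	struct hlist_node *first = h->first;
	n->next = first;
	if (first)
		first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

/* Mirror of __hlist_del(): the first store is *pprev = next. With pprev == NULL
 * the kernel writes to address 0 (DAR 0, GPR10 0 in the trace); with a poisoned
 * pprev it faults on the poison address instead. The model reports both. */
static int model_hlist_del(struct hlist_node *n)
{
	struct hlist_node *next = n->next;
	struct hlist_node **pprev = n->pprev;

	if (!pprev)
		return -1;             /* never added, or already hlist_del_init()ed */
	if (pprev == LIST_POISON2)
		return -2;             /* already removed with plain hlist_del() */
	*pprev = next;
	if (next)
		next->pprev = pprev;
	n->next = LIST_POISON1;
	n->pprev = LIST_POISON2;
	return 0;
}

/* Mirror of hlist_del_init(): unlink only if hashed, then reinitialise so a
 * repeat call is a no-op rather than a fault. Returns 1 if it unlinked. */
static int model_hlist_del_init(struct hlist_node *n)
{
	if (hlist_unhashed(n))
		return 0;
	model_hlist_del(n);
	INIT_HLIST_NODE(n);
	return 1;
}

/* Walk the list and verify every back-link; returns the length, or -1. */
static int checked_length(const struct hlist_head *h)
{
	int len = 0;
	struct hlist_node *const *link = &h->first;
	for (const struct hlist_node *p = h->first; p; p = p->next) {
		if (p->pprev != link)
			return -1;
		link = &p->next;
		len++;
	}
	return len;
}

struct mnt_like { int id; struct hlist_node link; }; /* hypothetical per-ns link */

int scenario_never_added(void)
{
	struct mnt_like m = { .id = 1 };
	INIT_HLIST_NODE(&m.link);
	return model_hlist_del(&m.link);                 /* -1: the NULL write */
}

int scenario_del_init_then_del(void)
{
	struct hlist_head h = { .first = NULL };
	struct mnt_like m = { .id = 2 };
	INIT_HLIST_NODE(&m.link);
	hlist_add_head(&m.link, &h);
	if (model_hlist_del_init(&m.link) != 1 || checked_length(&h) != 0)
		return -99;
	return model_hlist_del(&m.link);                 /* -1 again: pprev is NULL */
}

int scenario_double_plain_del(void)
{
	struct hlist_head h = { .first = NULL };
	struct mnt_like m = { .id = 3 };
	INIT_HLIST_NODE(&m.link);
	hlist_add_head(&m.link, &h);
	if (model_hlist_del(&m.link) != 0)
		return -99;
	return model_hlist_del(&m.link);                 /* -2: poisoned, not NULL */
}

int scenario_remove_middle(void)
{
	struct hlist_head h = { .first = NULL };
	struct mnt_like a = { .id = 4 }, b = { .id = 5 }, c = { .id = 6 };
	INIT_HLIST_NODE(&a.link); INIT_HLIST_NODE(&b.link); INIT_HLIST_NODE(&c.link);
	hlist_add_head(&a.link, &h);
	hlist_add_head(&b.link, &h);
	hlist_add_head(&c.link, &h);                     /* list is now c, b, a */
	if (model_hlist_del(&b.link) != 0)
		return -99;
	return checked_length(&h);                       /* 2, back-links intact */
}
```

The practical reading for a trace like this one: a DAR of 0 under __hlist_del points at an unhashed node (NULL pprev), whereas a double hlist_del() would fault on the LIST_POISON2 address, so the two failure modes can be told apart from the faulting address alone. Callers that may legitimately see a node that was never linked use hlist_del_init() behind an hlist_unhashed() check instead of unconditional hlist_del_rcu().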