kernel crash in mknod
From: Steve French
Date: Sun Mar 24 2024 - 01:00:41 EST
Anyone else seeing this kernel crash in do_mknodat? (I see it with a
simple "mkfifo" on an smb3 mount.) I started seeing this in 6.9-rc (did
not see it in 6.8). I did not see it with the 3/12/23 mainline
(early in the 6.9-rc merge window) but I do see it in the 3/22 build,
so it looks like the regression was introduced by:
commit 08abce60d63fb55f440c393f4508e99064f2fd91
Author: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
Date: Thu Feb 15 11:31:02 2024 +0100
security: Introduce path_post_mknod hook
In preparation for moving IMA and EVM to the LSM infrastructure, introduce
the path_post_mknod hook.
IMA-appraisal requires all existing files in policy to have a file
hash/signature stored in security.ima. An exception is made for empty files
created by mknod, by tagging them as new files.
LSMs could also take some action after files are created.
The new hook cannot return an error and cannot cause the operation to be
reverted.
Dmesg showing the crash it causes below:
[ 84.862122] RIP: 0010:security_path_post_mknod+0x9/0x60
[ 84.862139] Code: 41 5e 5d 31 d2 31 f6 31 ff c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 8b 46 30 <f6> 40 0d 02 75 43 55 48 89 e5 41 55 49 89 fd 41 54 49 89 f4 53 48
[ 84.862149] RSP: 0018:ffffa22dc1f6bdc8 EFLAGS: 00010246
[ 84.862159] RAX: 0000000000000000 RBX: ffff8d4fc85da000 RCX: 0000000000000000
[ 84.862167] RDX: 0000000000000000 RSI: ffff8d502473a900 RDI: ffffffffaa26f6e0
[ 84.862174] RBP: ffffa22dc1f6be28 R08: 0000000000000000 R09: 0000000000000000
[ 84.862181] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 84.862187] R13: ffff8d502473a900 R14: 0000000000001000 R15: 0000000000000000
[ 84.862195] FS: 00007d2c5c075800(0000) GS:ffff8d573b880000(0000) knlGS:0000000000000000
[ 84.862204] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 84.862211] CR2: 000000000000000d CR3: 000000018d63a005 CR4: 00000000003706f0
[ 84.862219] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 84.862225] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 84.862232] Call Trace:
[ 84.862238] <TASK>
[ 84.862248] ? show_regs+0x6c/0x80
[ 84.862262] ? __die+0x24/0x80
[ 84.862273] ? page_fault_oops+0x96/0x1b0
[ 84.862290] ? do_user_addr_fault+0x30c/0x730
[ 84.862304] ? exc_page_fault+0x82/0x1b0
[ 84.862318] ? asm_exc_page_fault+0x27/0x30
[ 84.862338] ? security_path_post_mknod+0x9/0x60
[ 84.862350] ? do_mknodat+0x191/0x2c0
[ 84.862365] __x64_sys_mknodat+0x37/0x50
[ 84.862376] do_syscall_64+0x81/0x180
[ 84.862387] ? count_memcg_events.constprop.0+0x2a/0x50
[ 84.862402] ? handle_mm_fault+0xaf/0x330
[ 84.862418] ? do_user_addr_fault+0x33f/0x730
[ 84.862430] ? irqentry_exit_to_user_mode+0x6a/0x260
[ 84.862442] ? irqentry_exit+0x43/0x50
[ 84.862453] ? exc_page_fault+0x93/0x1b0
[ 84.862464] entry_SYSCALL_64_after_hwframe+0x6c/0x74
[ 84.862476] RIP: 0033:0x7d2c5bf19e07
[ 84.862536] Code: 9c ff ff ff e9 0a 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 c8 48 c1 e8 20 75 2b 41 89 ca b8 03 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 e1 3f 0e 00 f7 d8 64 89 02 b8
[ 84.862544] RSP: 002b:00007ffc1b2c4568 EFLAGS: 00000246 ORIG_RAX: 0000000000000103
[ 84.862556] RAX: ffffffffffffffda RBX: 00007ffc1b2c4718 RCX: 00007d2c5bf19e07
[ 84.862563] RDX: 00000000000011b6 RSI: 00007ffc1b2c6712 RDI: 00000000ffffff9c
[ 84.862570] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
[ 84.862576] R10: 0000000000000000 R11: 0000000000000246 R12: 00007d2c5bffe428
[ 84.862582] R13: 0000000000000000 R14: 00007ffc1b2c6712 R15: 00007d2c5c199000
[ 84.862597] </TASK>
--
Thanks,
Steve
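Added example, not part of Steve's report: a small Python triage script that parses the oops above (the RIP line, the "Code:" bytes with the <..> fault marker, and the register dump, embedded here as constructed input) and classifies the fault from CR2; with CR2=0xd and RAX=0 it reports a dereference through a NULL struct pointer at field offset 0xd. It assumes an x86-64 page size of 4096 for the "NULL page" test.

```python
import re

# Constructed input: the RIP, Code and register lines from the oops quoted
# in the report above, with the mail-wrapped Code: line re-joined.
OOPS = """\
[   84.862122] RIP: 0010:security_path_post_mknod+0x9/0x60
[   84.862139] Code: 41 5e 5d 31 d2 31 f6 31 ff c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 8b 46 30 <f6> 40 0d 02 75 43 55 48 89 e5 41 55 49 89 fd 41 54 49 89 f4 53 48
[   84.862149] RSP: 0018:ffffa22dc1f6bdc8 EFLAGS: 00010246
[   84.862159] RAX: 0000000000000000 RBX: ffff8d4fc85da000 RCX: 0000000000000000
[   84.862167] RDX: 0000000000000000 RSI: ffff8d502473a900 RDI: ffffffffaa26f6e0
[   84.862211] CR2: 000000000000000d CR3: 000000018d63a005 CR4: 00000000003706f0
"""

PAGE_SIZE = 4096  # assumed x86-64 page size; a fault below it is a NULL-page deref
STAMP = re.compile(r"^\[\s*[\d.]+\]\s*")
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:(\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
REG_RE = re.compile(r"\b([A-Z0-9]{2,3}): ([0-9a-f]{16})\b")

def parse_oops(text):
    """Extract the faulting symbol, the instruction bytes and the registers."""
    info = {"regs": {}}
    for raw in text.splitlines():
        line = STAMP.sub("", raw)
        m = RIP_RE.match(line)
        if m:
            info["symbol"] = m[1]
            info["offset"], info["size"] = int(m[2], 16), int(m[3], 16)
        elif line.startswith("Code:"):
            # The <..> byte starts the faulting insn (here f6 40 0d 02 = test byte [rax+0xd], 2).
            before, _, after = line[5:].partition("<")
            fault_byte, _, rest = after.partition(">")
            info["code_before"] = bytes.fromhex(before)
            info["code_at_fault"] = bytes.fromhex(fault_byte + rest)
        else:
            for reg, val in REG_RE.findall(line):
                info["regs"][reg] = int(val, 16)
    return info

def classify_fault(info):
    """CR2 holds the address that faulted; a tiny CR2 means a NULL struct pointer."""
    cr2 = info["regs"]["CR2"]
    if cr2 < PAGE_SIZE:
        # CR2 is then the offset of the field being read through the NULL pointer.
        return {"kind": "null-deref", "struct_offset": cr2}
    return {"kind": "other", "addr": cr2}

if __name__ == "__main__":
    info = parse_oops(OOPS)
    print(info["symbol"], classify_fault(info), info["code_at_fault"][:4].hex(" "))
```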