On Sun, Jun 29, 2025 at 05:31:07AM +0800, zhangjian wrote:

> Syzkaller found a slab-out-of-bounds in nfs_fh_to_dentry when the memory
> of server_fh is not passed from user space. So I add a check for input size.
>
> Log is snipped as follows:

We've been seeing failures in -next on LTP on a range of arm64 systems
with NFS roots in the name_to_handle_at01, open_by_handle_at01 and
open_by_handle_at02 tests. I bisected the first of these to this patch
which is in -next as e29be1f394a3dbadc4e and does look rather plausible.

Test log:

25455 19:32:08.444643 tst_tmpdir.c:316: TINFO: Using /ltp-tmp/ltp-hYUZKTq9fM/LTP_namNHNk6a as tmpdir (nfs filesystem)
25456 19:32:08.456042 tst_test.c:1900: TINFO: LTP version: 20250130-1-g60fe84aaf
25457 19:32:08.467435 tst_test.c:1904: TINFO: Tested kernel: 6.16.0-rc6-next-20250716 #1 SMP PREEMPT Wed Jul 16 13:20:00 UTC 2025 aarch64
25458 19:32:08.467734 tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
25459 19:32:08.478825 tst_test.c:1722: TINFO: Overall timeout per run is 0h 01m 30s
25460 19:32:08.479124 tst_buffers.c:57: TINFO: Test is using guarded buffers
25461 19:32:08.490212 name_to_handle_at01.c:94: TFAIL: open_by_handle_at() failed (0): ESTALE (116)
25464 19:32:08.501869 name_to_handle_at01.c:94: TFAIL: open_by_handle_at() failed (3): ESTALE (116)
25465 19:32:08.512847 name_to_handle_at01.c:94: TFAIL: open_by_handle_at() failed
25489 19:32:08.672266 Summary:
25490 19:32:08.672558 passed 0
25491 19:32:08.672788 failed 27

26185 19:33:10.208358 tst_tmpdir.c:316: TINFO: Using /ltp-tmp/ltp-hYUZKTq9fM/LTP_opeiSM8q7 as tmpdir (nfs filesystem)
26188 19:33:10.231165 tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
26189 19:33:10.231460 tst_test.c:1722: TINFO: Overall timeout per run is 0h 01m 30s
26190 19:33:10.242485 tst_buffers.c:57: TINFO: Test is using guarded buffers
26191 19:33:10.253938 open_by_handle_at02.c:98: TPASS: invalid-dfd: open_by_handle_at() failed as expected: EBADF (9)
26192 19:33:10.254233 open_by_handle_at02.c:98: TPASS: stale-dfd: open_by_handle_at() failed as expected: ESTALE (116)
26196 19:33:10.288302 tst_capability.c:29: TINFO: Dropping CAP_DAC_READ_SEARCH(2)
26197 19:33:10.299325 tst_capability.c:41: TINFO: Permitting CAP_DAC_READ_SEARCH(2)
26198 19:33:10.310836 open_by_handle_at02.c:98: TPASS: no-capability: open_by_handle_at() failed as expected: EPERM (1)
26199 19:33:10.311132 open_by_handle_at02.c:92: TFAIL: symlink: open_by_handle_at() should fail with ELOOP: ESTALE (116)
26201 19:33:10.311579 Summary:
26202 19:33:10.311782 passed 6
26203 19:33:10.322143 failed 1

26163 19:33:10.106087 tst_tmpdir.c:316: TINFO: Using /ltp-tmp/ltp-hYUZKTq9fM/LTP_opeJvSZuG as tmpdir (nfs filesystem)
26166 19:33:10.117795 tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
26167 19:33:10.128809 tst_test.c:1722: TINFO: Overall timeout per run is 0h 01m 30s
26168 19:33:10.129102 tst_buffers.c:57: TINFO: Test is using guarded buffers
26169 19:33:10.140117 open_by_handle_at01.c:93: TFAIL: open_by_handle_at() failed (0): ESTALE (116)
26170 19:33:10.151537 open_by_handle_at01.c:93: TFAIL: open_by_handle_at() failed (1): ESTALE (116)
26177 19:33:10.197165 open_by_handle_at01.c:93: TFAIL: open_by_handle_at() failed (8): ESTALE (116)
26179 19:33:10.197714 Summary:
26180 19:33:10.197929 passed 0
26181 19:33:10.198134 failed 9

Bisect log:

git bisect start
# status: waiting for both good and bad commits
# bad: [97987520025658f30bb787a99ffbd9bbff9ffc9d] Add linux-next specific files for 20250721
git bisect bad 97987520025658f30bb787a99ffbd9bbff9ffc9d
# status: waiting for good commit(s), bad commit known
# good: [922467c8223bfa20435da8c9b1c99285aac735ff] Merge branch 'for-linux-next-fixes' of https://gitlab.freedesktop.org/drm/misc/kernel.git
git bisect good 922467c8223bfa20435da8c9b1c99285aac735ff
# bad: [73d0e6df78d50bd07d097a76eddc99cd89864d09] Merge branch 'main' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git
git bisect bad 73d0e6df78d50bd07d097a76eddc99cd89864d09
# bad: [4ff8b17af7757fd16152eb8262c599129c8f5498] Merge branch 'fs-next' of linux-next
git bisect bad 4ff8b17af7757fd16152eb8262c599129c8f5498
# good: [13c60604ff678ac477521d9846fc2f75f0972e4b] Merge branch 'for-next' of https://github.com/sophgo/linux.git
git bisect good 13c60604ff678ac477521d9846fc2f75f0972e4b
# bad: [dce9a77d74cf572c1348d9d47cd79e7b61580f56] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs.git
git bisect bad dce9a77d74cf572c1348d9d47cd79e7b61580f56
# good: [11581c89066a19d050d12b002609ade30bb39ece] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux.git
git bisect good 11581c89066a19d050d12b002609ade30bb39ece
# good: [1d4e5eefd114eeb35449a8bcbbaa968baaa591e3] Merge branch 'dev' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
git bisect good 1d4e5eefd114eeb35449a8bcbbaa968baaa591e3
# bad: [38a098af636b698e5e14978de4accdc8a5173e24] Merge branch 'linux-next' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6.git
git bisect bad 38a098af636b698e5e14978de4accdc8a5173e24
# good: [bce0d4cf481614eb1f0817a233d9479d609bd0a8] Merge branch 'ksmbd-for-next' of https://github.com/smfrench/smb3-kernel.git
git bisect good bce0d4cf481614eb1f0817a233d9479d609bd0a8
# good: [90c9550a8d65fb9b1bf87baf97a04ed91bf61b33] NFS: support the kernel keyring for TLS
git bisect good 90c9550a8d65fb9b1bf87baf97a04ed91bf61b33
# good: [d897d81671bc4615c80f4f3bd5e6b218f59df50c] pNFS: Handle RPC size limit for layoutcommits
git bisect good d897d81671bc4615c80f4f3bd5e6b218f59df50c
# bad: [e29be1f394a3dbadc4e5d198dfc822d49569bb52] nfs:check for user input filehandle size
git bisect bad e29be1f394a3dbadc4e5d198dfc822d49569bb52
# good: [7db6e66663681abda54f81d5916db3a3b8b1a13d] pNFS: Fix disk addr range check in block/scsi layout
git bisect good 7db6e66663681abda54f81d5916db3a3b8b1a13d
# first bad commit: [e29be1f394a3dbadc4e5d198dfc822d49569bb52] nfs:check for user input filehandle size
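A minimal reproducer of what the failing LTP tests do, added here as an example; it is not part of the report above, of LTP, or of the kernel tree. It encodes a path with name_to_handle_at(), re-opens it with open_by_handle_at(), and reports which step failed and with which errno, so that an ESTALE from open_by_handle_at on an NFS mount shows up the same way it does in the log. It goes through syscall(2) with a locally defined handle struct (layout of the kernel's struct file_handle) so it builds without depending on glibc feature macros; the struct name, the helper names, the step labels and the default path "." are this example's own choices. It needs CAP_DAC_READ_SEARCH (run it as root) for the open_by_handle_at step, and the printed handle_bytes is the filehandle size the kernel encoded for that file, which is the value a kernel-side check on user-supplied filehandle size would be judging.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef O_PATH
#define O_PATH 010000000 /* generic Linux value, used on arm64 and x86 */
#endif

/* Same layout as the kernel's struct file_handle; defined locally so the
 * example builds regardless of feature macros (assumption of this example). */
struct raw_file_handle {
    unsigned int handle_bytes;
    int handle_type;
    unsigned char f_handle[];
};

static long sys_name_to_handle_at(int dfd, const char *name,
                                  struct raw_file_handle *fh, int *mnt_id)
{
    return syscall(SYS_name_to_handle_at, dfd, name, fh, mnt_id, 0);
}

static long sys_open_by_handle_at(int mount_fd, struct raw_file_handle *fh,
                                  int flags)
{
    return syscall(SYS_open_by_handle_at, mount_fd, fh, flags);
}

/*
 * Encode 'path' into a file handle, then re-open it by handle: the sequence
 * LTP's name_to_handle_at01 and open_by_handle_at01 run. Returns 0 on
 * success or -errno of the failing step; *step names that step.
 */
int handle_roundtrip(const char *path, const char **step)
{
    struct raw_file_handle *fh, *grown;
    unsigned int needed;
    int mount_id, mount_fd, fd, err;

    *step = NULL;

    /* Size query: handle_bytes = 0 makes the kernel fail with EOVERFLOW
     * after writing the required size into handle_bytes. */
    fh = calloc(1, sizeof(*fh));
    if (!fh)
        return -ENOMEM;
    errno = 0;
    if (sys_name_to_handle_at(AT_FDCWD, path, fh, &mount_id) == 0 ||
        errno != EOVERFLOW) {
        err = errno ? errno : EINVAL;
        *step = "name_to_handle_at (size query)";
        free(fh);
        return -err;
    }

    /* Real call with a buffer of the size the kernel asked for. */
    needed = fh->handle_bytes;
    grown = realloc(fh, sizeof(*fh) + needed);
    if (!grown) {
        free(fh);
        return -ENOMEM;
    }
    fh = grown;
    fh->handle_bytes = needed;
    if (sys_name_to_handle_at(AT_FDCWD, path, fh, &mount_id) != 0) {
        err = errno;
        *step = "name_to_handle_at";
        free(fh);
        return -err;
    }
    printf("%s: mount_id=%d handle_type=%d handle_bytes=%u\n",
           path, mount_id, fh->handle_type, fh->handle_bytes);

    /* open_by_handle_at() needs CAP_DAC_READ_SEARCH plus an fd on the same
     * mount; an O_PATH fd on the object just encoded serves for that. */
    mount_fd = open(path, O_PATH);
    if (mount_fd < 0) {
        err = errno;
        *step = "open(O_PATH)";
        free(fh);
        return -err;
    }
    fd = (int)sys_open_by_handle_at(mount_fd, fh, O_RDONLY);
    err = fd < 0 ? errno : 0;
    if (fd < 0)
        *step = "open_by_handle_at";
    else
        close(fd);
    close(mount_fd);
    free(fh);
    return -err;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    const char *step;
    int rc = handle_roundtrip(path, &step);

    if (rc == 0)
        printf("round trip OK\n");
    else
        printf("%s failed: %s (%d)\n", step, strerror(-rc), -rc);
    return rc ? 1 : 0;
}
```

Run it as root with a file on the affected NFS root as the argument, once on a kernel before the bisected commit and once on one including it; on the failing kernel the last line should read "open_by_handle_at failed: Stale file handle (116)" while the name_to_handle_at step, and therefore the printed handle_bytes, is unchanged.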