From: Stefan Roesch
To: Matthew Wilcox
Cc: cheung wall, Andrew Morton, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: "divide error in bdi_set_min_bytes" in Linux kernel version 6.13.0-rc2
Date: Fri, 03 Jan 2025 14:24:07 -0800
Message-ID: <87pll35yd0.fsf@devkernel.io>

Matthew Wilcox writes:

> On Fri, Jan 03, 2025 at 03:25:01PM +0800, cheung wall wrote:
>> I am writing to report a potential vulnerability identified in the
>> Linux Kernel version 6.13.0-rc2. This issue was discovered using our
>> custom vulnerability discovery tool.
>
> Your tool would be more useful if you told us what it was doing.
> I suspect it's writing a very small value into the min_bytes pseudo-file.
> Since that's something only root can do, this isn't a vulnerability.
> This is a very annoying conversation to keep having with people who
> write their own custom "vulnerability discovery tools".
>
> That said, we could do better here. Stefan, you wrote this code.
>

Thanks for the analysis Matthew. I'll have a look. Is there a testcase?
>> RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
>> RIP: 0010:bdi_ratio_from_pages mm/page-writeback.c:695 [inline]
>> RIP: 0010:bdi_set_min_bytes+0x9f/0x1d0 mm/page-writeback.c:799
>> Code: ff 48 39 d8 0f 82 3b 01 00 00 e8 ac fd e7 ff 48 69 db 40 42 0f
>> 00 48 8d 74 24 40 48 8d 7c 24 20 e8 c6 f1 ff ff 31 d2 48 89 d8 <48> f7
>> 74 24 40 48 89 c3 3d 40 42 0f 00 0f 87 08 01 00 00 e8 79 fd
>> RSP: 0018:ffff88810a5f7b60 EFLAGS: 00010246
>> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff9c9ef057
>> RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88810a5f7ab8
>> RBP: 1ffff110214bef6c R08: 0000000000000000 R09: fffffbfff4081c7b
>> R10: ffffffffa040e3df R11: 0000000000032001 R12: ffff888105c65000
>> R13: dffffc0000000000 R14: ffff888105c65000 R15: ffff888105c65800
>> FS:  00007fdfc7c37580(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 000055adcdc786c8 CR3: 0000000104128000 CR4: 0000000000350ef0
>> Call Trace:
>>
>>  min_bytes_store+0xba/0x120 mm/backing-dev.c:385
>>  dev_attr_store+0x58/0x80 drivers/base/core.c:2439
>>  sysfs_kf_write+0x136/0x1a0 fs/sysfs/file.c:139
>>  kernfs_fop_write_iter+0x323/0x530 fs/kernfs/file.c:334
>>  new_sync_write fs/read_write.c:586 [inline]
>>  vfs_write+0x51e/0xc80 fs/read_write.c:679
>>  ksys_write+0x110/0x200 fs/read_write.c:731
>>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>  do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> RIP: 0033:0x7fdfc7b4d513
>> Code: 8b 15 81 29 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f
>> 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d
>> 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
>> RSP: 002b:00007ffe7796ae28 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
>> RAX: ffffffffffffffda RBX: 000055adcdc766c0 RCX: 00007fdfc7b4d513
>> RDX: 0000000000000002 RSI: 000055adcdc766c0 RDI: 0000000000000001
>> RBP: 0000000000000002 R08: 000055adcdc766c0 R09: 00007fdfc7c30be0
>> R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000001
>> R13: 0000000000000002 R14: 7fffffffffffffff R15: 0000000000000000
>>
>> ------------[ cut here end]------------
>>
>> Root Cause:
>>
>> The crash is caused by a division by zero error within the Linux
>> kernel's page-writeback subsystem. Specifically, the bdi_set_min_bytes
>> function attempts to calculate a ratio using bdi_ratio_from_pages,
>> which internally calls div64_u64. During this calculation, a
>> denominator value unexpectedly becomes zero, likely due to improper
>> handling or validation of input data provided through the sysfs
>> interface during the min_bytes_store operation. This erroneous zero
>> value leads to a divide error exception when the kernel tries to
>> perform the division. The issue occurs while processing a sysfs write
>> operation (min_bytes_store), suggesting that invalid or uninitialized
>> data supplied through sysfs triggers the faulty calculation,
>> ultimately causing the kernel to crash.
>>
>> Thank you for your time and attention.
>>
>> Best regards
>>
>> Wall