From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C41BE77188 for ; Fri, 3 Jan 2025 13:49:26 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id CCD616B007B; Fri, 3 Jan 2025 08:49:25 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id C7D576B0082; Fri, 3 Jan 2025 08:49:25 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B6BF76B0083; Fri, 3 Jan 2025 08:49:25 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 9934E6B007B for ; Fri, 3 Jan 2025 08:49:25 -0500 (EST) Received: from smtpin20.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id 3BCF3140772 for ; Fri, 3 Jan 2025 13:49:25 +0000 (UTC) X-FDA: 82966269078.20.29BBF73 Received: from casper.infradead.org (casper.infradead.org [90.155.50.34]) by imf11.hostedemail.com (Postfix) with ESMTP id 8E50F40003 for ; Fri, 3 Jan 2025 13:48:33 +0000 (UTC) Authentication-Results: imf11.hostedemail.com; dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=DplbHVXE; dmarc=none; spf=none (imf11.hostedemail.com: domain of willy@infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=willy@infradead.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1735912138; a=rsa-sha256; cv=none; b=MJpclxjasl0shJ+UwBRp5HXb5hKNP5n6kHmKfoBz2kkuKW3v2I9epcWPPswltJZF1LO7Cq UBU7IxiT4soWXPFNq4upWPCkxci0tN8vDZGoHjbli4x1s/MkpxbqWfUeAxB31og16fVVEl thzFJH/57OkYhHGnVj7d8ulkB3YitgM= ARC-Authentication-Results: i=1; imf11.hostedemail.com; dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=DplbHVXE; dmarc=none; spf=none (imf11.hostedemail.com: domain of willy@infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=willy@infradead.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1735912138; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=9mF7t6NmWUf0oub/sbaixYjiY8as59cuzFbTBqyhaoQ=; b=DXRKGLJKB2UV3+VTh8D0Sg9ESo2IG0WvcwYCZH8poscbSE7LldLgs4HN5VW7+T9beW7adZ aMwblbwm76xb4L5a8FVDgF+4ulQ8jS8HAZSt2S+2ESqVkObQ5lVfy2kjBfbsjfzGq9kY6B 8/mRlkEiJJngSoZa+sYPCiCNtOBFaBA= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=9mF7t6NmWUf0oub/sbaixYjiY8as59cuzFbTBqyhaoQ=; b=DplbHVXE16QDN6CXFxnusaX3gr 4um33md0b12GUJrDpvsGFaXTYZzZ231GhZas0D4SfJTyunEQVLIBXLaz1G7lZj5ek/XKQgkuEb+Ng g/XjcNOXYSy0NH9OZQYzFRTuC8VKcbvRxwpaTg+W4zSxVJmDmbZwmZaIoQbV/TY2vtAXfA7LXqIx3 DwaDPxYicFuJUXdDqtZ+XGejpZ2hAxxaOSuZXqXFgcqDTQd51qALaqy17MPNKcI6MtKCPpZ7BiVC9 Jwc/zj3PB396UTNsRb/phWFysCF0yfLaLyzjNAUp4wgfRCdfPhHKwSSlB/oJlOSftPRpLHARgOUx8 2pANyPVg==; Received: from willy by casper.infradead.org with local (Exim 4.98 #2 (Red Hat Linux)) id 1tTi3B-00000005v2F-2Gla; Fri, 03 Jan 2025 13:49:17 +0000 Date: Fri, 3 Jan 2025 13:49:17 +0000 From: Matthew Wilcox To: cheung wall , Stefan Roesch Cc: Andrew Morton , linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: "divide error in bdi_set_min_bytes" in Linux kernel version 6.13.0-rc2 Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspam-User: X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: 8E50F40003 X-Stat-Signature: euwg395qg86y1pmma4zunrdpr3rn3wk5 X-HE-Tag: 1735912113-110881 X-HE-Meta: U2FsdGVkX1+YEAh4HdgeilL35Q1znSkbqFM5BeU1lxFamN8RHnxCGaA4W2qG61i2hdw/9o+GDrh435dI7MtP+9i3EBjdCuZr1aIcrOXRgT8G7PwJ3N4EkH/l8loOdJPQrkl9HYC7KPkk14xyURRDSxgAWLy2GWHfIildgGeOwJWFcjjmitAAxIh+5/dd7oNhu1RZU3cnrmvB2DmQxrJ4CZfST1HTwGS6h2hEpGYySQVLMhP/QTOkC123JC3OBvxNP0dRWjEa8hfCZUdmvsG78eV5zk0z5JRHHltfVao3LcGo4Q5oq3Z+f1LRI5iiYi0RXWbQ6Y0zWcKa8ItE6+MVM+vJ7h55wiGobJ8hot22BKmg7i3QXLksaFnBnPcblF/Rsufo+kqOTOEBiy7gsZbfM2X0SxnFcv29xD71wRidCc0CJlBvZyhwP6PJgtvck+8z5qePyvtUxcOVRjxQ4zBdxzzxCHCyT38SkOqLdLUQzS9zSVHIGlcmZcCrJ0nG2CbSRNU1BdFqMphJPkB3WrvZscHtP2MZjpX12V67jHPjJx0KIgNNAFLARlHeAcdk6DQFF9UxjAWVShkZWIo7LO8ASgspqnab37UUEkcjePL02SE3j1Mqkqj7guPuV0rlgYcgq/610bDHBfJ+0f/9ETNs9RIJef+ktlKP4/KTkGlNmUM7kSFSGHerSIKIedoZb8OjWj/n1/cydo3XkS26oY90RVZlLy58wJNqm2zIgapO1glXlEtdkgdm5vlZ3Z11mzQZVIFAPJ+UyNqStkhO/rmF3UvxABHXfDQRDR2V1MOXetWgJ+fRsBWNNdyC57d+CQo9ujqAbis2aLRQl8Olbl5Zs5Hkh+I97Ha5c84f7og02n0m/iYqfqoD/uMxDy1VCFyfaLqzeQlckIRwwyssPfqzvgaIjQG2aHFiUaHM7z6Btjc3FResBHYzdZbVoFW7E2GK9Z+CfMykBxmKR5b0byA uaw4a4hX +OpnCYUAVZoJMYmRbRvAczdvBxkESMZomtTRBmmT/dAITQYw9fo3nwfyDlOXbk9EUi+rSx+HGv5xUfa0VlhLZ6M0ST43T9FLKdpax9BW3DRbsZK0XhPRi2al3eVrb48mmVR2whaWbW2/j1ZyjRH8OJ6G7uXHvmIqNYDWyxoZjDwtq+OwjFtzXQaoeZ536ZxYOM9RSsuhFWa4gpo4EBq4lvSmyl9N01TkztG+pKlFE36nMKaxlvMKJAEUVvKyM/kQdl5lRkz/MVhfzs2gGL63t+h74SzSU399v1ALVVleQLcD/wB9Am8r36lZJfI2hM51ntgCmkBvwfZCPf1ilQ3Q14coicAdAV7yLU1pPyboi2B/1ibf4rAlSoqtblhBZj+H4HmS0 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Fri, Jan 03, 2025 at 03:25:01PM +0800, cheung wall wrote: > I am writing to report a potential vulnerability identified in the > Linux Kernel version 6.13.0-rc2. This issue was discovered using our > custom vulnerability discovery tool. Your tool would be more useful if you told us what it was doing. I suspect it's writing a very small value into the min_bytes pseudo-file. Since that's something only root can do, this isn't a vulnerability. This is a very annoying conversation to keep having with people who write their own custom "vulnerability discovery tools". That said, we could do better here. Stefan, you wrote this code. > RIP: 0010:div64_u64 include/linux/math64.h:69 [inline] > RIP: 0010:bdi_ratio_from_pages mm/page-writeback.c:695 [inline] > RIP: 0010:bdi_set_min_bytes+0x9f/0x1d0 mm/page-writeback.c:799 > Code: ff 48 39 d8 0f 82 3b 01 00 00 e8 ac fd e7 ff 48 69 db 40 42 0f > 00 48 8d 74 24 40 48 8d 7c 24 20 e8 c6 f1 ff ff 31 d2 48 89 d8 <48> f7 > 74 24 40 48 89 c3 3d 40 42 0f 00 0f 87 08 01 00 00 e8 79 fd > RSP: 0018:ffff88810a5f7b60 EFLAGS: 00010246 > RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff9c9ef057 > RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88810a5f7ab8 > RBP: 1ffff110214bef6c R08: 0000000000000000 R09: fffffbfff4081c7b > R10: ffffffffa040e3df R11: 0000000000032001 R12: ffff888105c65000 > R13: dffffc0000000000 R14: ffff888105c65000 R15: ffff888105c65800 > FS: 00007fdfc7c37580(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000055adcdc786c8 CR3: 0000000104128000 CR4: 0000000000350ef0 > Call Trace: > > min_bytes_store+0xba/0x120 mm/backing-dev.c:385 > dev_attr_store+0x58/0x80 drivers/base/core.c:2439 > sysfs_kf_write+0x136/0x1a0 fs/sysfs/file.c:139 > kernfs_fop_write_iter+0x323/0x530 fs/kernfs/file.c:334 > new_sync_write fs/read_write.c:586 [inline] > vfs_write+0x51e/0xc80 fs/read_write.c:679 > ksys_write+0x110/0x200 fs/read_write.c:731 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7fdfc7b4d513 > Code: 8b 15 81 29 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f > 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d > 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18 > RSP: 002b:00007ffe7796ae28 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 > RAX: ffffffffffffffda RBX: 000055adcdc766c0 RCX: 00007fdfc7b4d513 > RDX: 0000000000000002 RSI: 000055adcdc766c0 RDI: 0000000000000001 > RBP: 0000000000000002 R08: 000055adcdc766c0 R09: 00007fdfc7c30be0 > R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000001 > R13: 0000000000000002 R14: 7fffffffffffffff R15: 0000000000000000 > > ------------[ cut here end]------------ > > Root Cause: > > The crash is caused by a division by zero error within the Linux > kernel's page-writeback subsystem. Specifically, the bdi_set_min_bytes > function attempts to calculate a ratio using bdi_ratio_from_pages, > which internally calls div64_u64. During this calculation, a > denominator value unexpectedly becomes zero, likely due to improper > handling or validation of input data provided through the sysfs > interface during the min_bytes_store operation. This erroneous zero > value leads to a divide error exception when the kernel tries to > perform the division. The issue occurs while processing a sysfs write > operation (min_bytes_store), suggesting that invalid or uninitialized > data supplied through sysfs triggers the faulty calculation, > ultimately causing the kernel to crash. > > Thank you for your time and attention. > > Best regards > > Wall