[Bug 1195706] New: Oops in audit starting with 5.16 due to new openat2 auditing
http://bugzilla.opensuse.org/show_bug.cgi?id=1195706

Bug ID: 1195706
Summary: Oops in audit starting with 5.16 due to new openat2 auditing
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: All
OS: openSUSE Tumbleweed
Status: NEW
Severity: Major
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: jeffm@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Starting with the first update to 5.16, I started getting Oopses like the following when docker starts up:

[   62.463049] BUG: unable to handle page fault for address: 000000c000b3e9b8
[   62.463094] #PF: supervisor read access in kernel mode
[   62.463118] #PF: error_code(0x0001) - permissions violation
[   62.463143] PGD 800000011bf99067 P4D 800000011bf99067 PUD 11bf9a067 PMD 800000011d4008e7
[   62.463179] Oops: 0001 [#1] PREEMPT SMP PTI
[   62.463200] CPU: 1 PID: 4865 Comm: dockerd Kdump: loaded Not tainted 5.16.4-1-default #1 openSUSE Tumbleweed f35df798c13cc3a259a6bf2924380af618948152
[   62.463260] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
[   62.463304] RIP: 0010:audit_filter_rules.constprop.0+0x97e/0x1220
[   62.463339] Code: 41 21 c5 41 83 7f 18 01 0f 85 5f f7 ff ff e9 65 f9 ff ff 83 f8 05 0f 84 5f 06 00 00 83 f8 06 0f 85 03 02 00 00 49 8b 44 24 40 <48> 8b 00 83 e0 03 0f be 80 c5 5e 65 b6 41 21 c5 eb c7 4d 85 e4 0f
[   62.463409] RSP: 0018:ffffab1b005e7dd0 EFLAGS: 00010246
[   62.463433] RAX: 000000c000b3e9b8 RBX: 0000000000000001 RCX: 000000000000001f
[   62.463463] RDX: 0000000000000006 RSI: 00000000000001b5 RDI: 00000000c000003e
[   62.463492] RBP: ffff88a306606620 R08: ffff88a301eebaa0 R09: ffff88a30a30c238
[   62.463522] R10: 0000000040000020 R11: ffff88a301770210 R12: ffff88a31a54c800
[   62.463551] R13: 000000000000000f R14: 00000000000001b5 R15: ffff88a301eebaa0
[   62.463580] FS:  00007fd43c94c640(0000) GS:ffff88a37fd00000(0000) knlGS:0000000000000000
[   62.463613] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   62.463638] CR2: 000000c000b3e9b8 CR3: 000000010f02a002 CR4: 0000000000370ee0
[   62.463671] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   62.463701] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   62.463730] Call Trace:
[   62.463754]  <TASK>
[   62.463775]  audit_filter_syscall+0xb0/0x100
[   62.463799]  ? do_sys_openat2+0x81/0x160
[   62.463820]  __audit_syscall_exit+0x69/0xf0
[   62.463842]  syscall_exit_to_user_mode_prepare+0x14d/0x180
[   62.463870]  syscall_exit_to_user_mode+0x9/0x40
[   62.463903]  do_syscall_64+0x69/0x80
[   62.463926]  ? syscall_exit_to_user_mode+0x18/0x40
[   62.463948]  ? do_syscall_64+0x69/0x80
[   62.463968]  ? syscall_exit_to_user_mode+0x18/0x40
[   62.463991]  ? do_syscall_64+0x69/0x80
[   62.464010]  ? do_syscall_64+0x69/0x80
[   62.464030]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   62.464074] RIP: 0033:0x562f9ebdf64a
[   62.464872] Code: e8 9b 00 fa ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 4c 8b 54 24 28 4c 8b 44 24 30 4c 8b 4c 24 38 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 40 ff ff ff ff 48 c7 44 24 48
[   62.466526] RSP: 002b:000000c000b3e8a8 EFLAGS: 00000216 ORIG_RAX: 00000000000001b5
[   62.467380] RAX: 000000000000000d RBX: 000000c00005e800 RCX: 0000562f9ebdf64a
[   62.468252] RDX: 000000c000b3e9b8 RSI: 000000c000190480 RDI: ffffffffffffff9c
[   62.469104] RBP: 000000c000b3e928 R08: 0000000000000000 R09: 0000000000000000
[   62.469977] R10: 0000000000000018 R11: 0000000000000216 R12: 0000000000000000
[   62.470814] R13: 0000000000000001 R14: 0000000000000031 R15: ffffffffffffffff
[   62.471648]  </TASK>
[   62.472512] Modules linked in: af_packet iscsi_ibft iscsi_boot_sysfs rfkill snd_hda_codec_generic ledtrig_audio snd_hda_intel intel_rapl_msr intel_rapl_common snd_intel_dspcfg snd_intel_sdw_acpi kvm_intel snd_hda_codec snd_hda_core iTCO_wdt intel_pmc_bxt iTCO_vendor_support snd_hwdep kvm snd_pcm snd_timer qxl irqbypass i2c_i801 snd drm_ttm_helper pcspkr i2c_smbus ttm soundcore lpc_ich virtio_balloon drm_kms_helper tiny_power_button joydev virtio_net net_failover failover cec rc_core button syscopyarea sysfillrect sysimgblt fb_sys_fops drm configfs fuse ip_tables x_tables hid_generic usbhid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd xhci_pci serio_raw xhci_pci_renesas xhci_hcd usbcore virtio_blk qemu_fw_cfg btrfs blake2b_generic libcrc32c crc32c_intel xor raid6_pq sg virtio_rng
[   62.478895] CR2: 000000c000b3e9b8

After some investigation, I've identified the following commit as the cause:

commit 1c30e3af8a79260cdba833a719209b01e6b92300
Author: Richard Guy Briggs <rgb@redhat.com>
Date:   Wed May 19 16:00:21 2021 -0400

    audit: add support for the openat2 syscall

[...]

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 3f9108101598..8c4335a35274 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -63,6 +63,7 @@
 #include <linux/fsnotify_backend.h>
 #include <uapi/linux/limits.h>
 #include <uapi/linux/netfilter/nf_tables.h>
+#include <uapi/linux/openat2.h>
 #include "audit.h"

@@ -183,6 +184,8 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
 		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
 	case AUDITSC_EXECVE:
 		return mask & AUDIT_PERM_EXEC;
+	case AUDITSC_OPENAT2:
+		return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
 	default:
 		return 0;
 	}

Where ctx->argv[2] holds a userspace pointer.

A small test program using an audit rule of "-w /var/tmp/testfile -k openat2-oops" prints the address of the struct open_how, and it matches the faulting address.

#include <fcntl.h>
#include <linux/openat2.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>

/* glibc provides no openat2() wrapper, so go through the raw syscall. */
long openat2(int dirfd, const char *pathname, struct open_how *how, size_t size)
{
	return syscall(SYS_openat2, dirfd, pathname, how, size);
}

int main(void)
{
	/* The watched path is opened via openat2(); this is the struct whose
	 * flags the audit filter reads at syscall exit. */
	struct open_how how = {
		.flags = O_RDONLY|O_DIRECTORY,
	};
	int fd;

	fprintf(stderr, "&how = %p\n", (void *)&how);
	fd = openat2(AT_FDCWD, "/var/tmp/testfile", &how, sizeof(struct open_how));
	perror("openat2");
	if (fd >= 0)
		close(fd);
	return 0;
}

$ mkdir /var/tmp/testfile
$ ./a.out
&how = [address]
<crash>

I've submitted the report upstream as well.

-- 
You are receiving this mail because:
You are the assignee for the bug.
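Review bot: in the audit_match_perm() hunk, `((struct open_how *)ctx->argv[2])->flags` dereferences a userspace pointer from kernel context: argv[2] is openat2()'s third argument, the caller's `struct open_how *`, and the oops above confirms it (CR2 000000c000b3e9b8 equals the user-mode RDX in the saved registers, ORIG_RAX 0x1b5 is openat2, and the `<48> 8b 00` at the kernel RIP marker is the load through RAX, which the preceding `49 8b 44 24 40` fetched from the audit context). On this machine CR4 0x370ee0 has SMAP set, so the supervisor read of user memory traps as the reported "permissions violation"; without SMAP the filter would silently read memory the caller can rewrite after the syscall has already acted on it, so the audited permission would be whatever the process chose to leave there at exit time. The match should evaluate a kernel-side copy of open_how obtained with copy_from_user() earlier in the syscall (e.g. a `ctx->openat2.flags` field filled when the syscall is entered), `return mask & ACC_MODE((u32)ctx->openat2.flags);`, and never cast an argv[] entry to a kernel pointer. The `(u32)` truncation itself is harmless, since ACC_MODE() only consumes the O_ACCMODE bits.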
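Added example, not part of the bug report and not kernel code: a userspace model in C of the decision audit_match_perm() makes for openat2, contrasting the hunk's shape (following argv[2] as a pointer) with evaluating a copy taken at syscall entry. The AUDIT_PERM_*, ACC_MODE and open_how layout mirror the kernel's definitions; the copy routine is modelled on the semantics of the kernel's copy_struct_from_user() (shorter user struct zero-extended, longer one accepted only with an all-zero tail, else -E2BIG) plus openat2()'s rejection of a size below 24 with -EINVAL. The `*_model`, `audit_openat2_entry`, `match_perm_*` and `*_demo` names are this example's own.

```c
/* Userspace model (not kernel code) of how the audit filter should read
 * openat2()'s open_how::flags: from a copy made at entry, never via argv[2]. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* include/uapi/linux/audit.h */
#define AUDIT_PERM_EXEC  1
#define AUDIT_PERM_WRITE 2
#define AUDIT_PERM_READ  4
/* include/linux/fs.h: MAY_EXEC=1, MAY_WRITE=2, MAY_READ=4, indexed by the
 * O_ACCMODE bits (O_RDONLY=0 -> READ, O_WRONLY=1 -> WRITE, O_RDWR=2 -> both). */
#define ACC_MODE(x) ("\004\002\006\006"[(x) & O_ACCMODE])
#define OPEN_HOW_SIZE_VER0 24 /* openat2() rejects a smaller usize with -EINVAL */

struct open_how_model { uint64_t flags, mode, resolve; }; /* open_how layout */

struct audit_ctx_model {
	unsigned long argv[6];         /* raw syscall args: argv[2] is a USER pointer */
	struct open_how_model openat2; /* kernel-owned copy, taken at syscall entry */
	int have_copy;
};

/* Bounded copy with copy_struct_from_user() semantics (model, not the kernel's). */
static int copy_open_how_from_user(struct open_how_model *dst,
				   const void *usrc, size_t usize)
{
	const unsigned char *p = usrc;
	size_t ksize = sizeof(*dst);

	if (usize < OPEN_HOW_SIZE_VER0)
		return -EINVAL;
	for (size_t i = ksize; i < usize; i++) /* longer struct: tail must be zero */
		if (p[i] != 0)
			return -E2BIG;
	memset(dst, 0, ksize);                   /* shorter struct: zero-extend */
	memcpy(dst, usrc, usize < ksize ? usize : ksize);
	return 0;
}

/* Syscall entry: record the raw argument and snapshot the struct. */
static int audit_openat2_entry(struct audit_ctx_model *ctx,
			       const void *uhow, size_t usize)
{
	int ret;

	ctx->argv[2] = (unsigned long)uhow;
	ctx->have_copy = 0;
	ret = copy_open_how_from_user(&ctx->openat2, uhow, usize);
	if (ret == 0)
		ctx->have_copy = 1;
	return ret;
}

/* Shape of the offending hunk: argv[2] treated as a kernel pointer. In the
 * kernel this faults under SMAP or reads user-controlled memory; here it
 * simply follows the pointer, which is what the race below exposes. */
static int match_perm_unsafe(const struct audit_ctx_model *ctx, int mask)
{
	const struct open_how_model *how = (const struct open_how_model *)ctx->argv[2];
	return mask & ACC_MODE((uint32_t)how->flags);
}

/* Fixed shape: only the entry-time copy is consulted. */
static int match_perm_safe(const struct audit_ctx_model *ctx, int mask)
{
	return ctx->have_copy ? (mask & ACC_MODE((uint32_t)ctx->openat2.flags)) : 0;
}

/* Decision for a flags/mask pair through the safe path (-1 if copy fails). */
int audit_perm_for(uint64_t flags, int mask)
{
	struct audit_ctx_model ctx;
	struct open_how_model uhow = { .flags = flags };

	if (audit_openat2_entry(&ctx, &uhow, sizeof uhow) != 0)
		return -1;
	return match_perm_safe(&ctx, mask);
}

/* Race: O_RDONLY at entry, then "userspace" flips the buffer to O_WRONLY before
 * the exit-time filter runs. Returns (unsafe_saw_write << 1) | safe_saw_write. */
int toctou_demo(void)
{
	struct audit_ctx_model ctx;
	struct open_how_model uhow = { .flags = O_RDONLY };
	int unsafe, safe;

	if (audit_openat2_entry(&ctx, &uhow, sizeof uhow) != 0)
		return -1;
	uhow.flags = O_WRONLY;
	unsafe = match_perm_unsafe(&ctx, AUDIT_PERM_WRITE) ? 1 : 0;
	safe = match_perm_safe(&ctx, AUDIT_PERM_WRITE) ? 1 : 0;
	return (unsafe << 1) | safe;
}

/* Oversized open_how with a non-zero tail is rejected before any match. */
int oversize_demo(void)
{
	struct audit_ctx_model ctx;
	unsigned char buf[sizeof(struct open_how_model) + 8] = { 0 }; /* constructed input */

	buf[sizeof buf - 1] = 1;
	return audit_openat2_entry(&ctx, buf, sizeof buf);
}

int main(void)
{
	printf("O_RDWR vs AUDIT_PERM_READ: %d\n", audit_perm_for(O_RDWR, AUDIT_PERM_READ));
	printf("toctou (unsafe<<1|safe): %d\n", toctou_demo());
	printf("oversized open_how: %d\n", oversize_demo());
	return 0;
}
```

The toctou_demo() result of 2 is the second hazard hidden behind the crash: even on a CPU where the dereference does not fault, reading through argv[2] at syscall exit lets the process decide after the fact which permission the audit record claims it used, whereas the entry-time copy is fixed before the open is performed.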
http://bugzilla.opensuse.org/show_bug.cgi?id=1195706

Jeff Mahoney <jeffm@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|kernel-bugs@opensuse.org    |tonyj@suse.com