Since `((a & (b|c)) == (b|c))` is the same thing as `(a & (b|c))`, use
the second version which is simpler.
Signed-off-by: Joey Pabalinas <joeypabalinas@gmail.com>
---
kernel/fork.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index af673856499dcaa35e..cb49f25e30e69edaa5 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1930,14 +1930,14 @@ __latent_entropy struct task_struct *copy_process(
/*
* Don't allow sharing the root directory with processes in a different
* namespace
*/
- if ((clone_flags & (CLONE_NEWNS|CLONE_FS)) == (CLONE_NEWNS|CLONE_FS))
+ if (clone_flags & (CLONE_NEWNS|CLONE_FS))
return ERR_PTR(-EINVAL);
- if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ if (clone_flags & (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
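Review bot: the two replaced `if` conditions change the check rather than simplify it, and the new check is wrong. `(clone_flags & (CLONE_NEWNS|CLONE_FS))` is true when either bit is set, whereas the original `== (CLONE_NEWNS|CLONE_FS)` fires only when both are, which is exactly the case the comment above ("sharing the root directory with processes in a different namespace") describes. After this change any caller passing CLONE_FS without CLONE_NEWNS (or CLONE_NEWNS / CLONE_NEWUSER without CLONE_FS) gets -EINVAL from copy_process(); the robot reports later in this thread show that outcome, a boot-time oops in rest_init with 0xffffffea (-22, -EINVAL) sitting in a register where a task pointer was expected. Keep the `== mask` form; if the expression is considered hard to read, a named mask variable would shorten it without altering the test.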
--
Cheers,
Joey Pabalinas
Hello,

kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:

commit: 62b2846e29a8bec933d0dd7a3a4ccc7af409d8d0 ("[PATCH] fork: simplify overcomplicated if conditions")
url: https://github.com/intel-lab-lkp/linux/commits/Joey-Pabalinas/fork-simplify-overcomplicated-if-conditions/20250904-144729
base: https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git for-next/execve
patch link: https://lore.kernel.org/all/357638f71edc7f1d9814b1851a64e09a8895bffc.1756968204.git.joeypabalinas@gmail.com/
patch subject: [PATCH] fork: simplify overcomplicated if conditions

in testcase: boot

config: i386-randconfig-004-20250906
compiler: gcc-13
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)

+---------------------------------------------+------------+------------+
|                                             | 8c94db0ae9 | 62b2846e29 |
+---------------------------------------------+------------+------------+
| boot_successes                              | 6          | 0          |
| boot_failures                               | 0          | 6          |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 6          |
| Oops                                        | 0          | 6          |
| EIP:rest_init                               | 0          | 6          |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 6          |
+---------------------------------------------+------------+------------+

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202509081409.2daadf50-lkp@intel.com

[    3.204615][    T0] BUG: kernel NULL pointer dereference, address: 00000020
[    3.205081][    T0] #PF: supervisor write access in kernel mode
[    3.205081][    T0] #PF: error_code(0x0002) - not-present page
[    3.205081][    T0] *pde = 00000000
[    3.205081][    T0] Oops: Oops: 0002 [#1] SMP
[    3.205081][    T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc2-00004-g62b2846e29a8 #1 PREEMPT(full)  cdac75d461890a0b0673a9c64f8f62c890a06589
[    3.205081][    T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    3.205081][    T0] EIP: rest_init (init/main.c:717)
[    3.205081][    T0] Code: 00 75 1b b9 b4 d6 a7 83 ba 4a 03 00 00 b8 9b d6 a7 83 c6 05 25 19 68 84 01 e8 80 c8 7f fe 89 d8 ba c0 ab f6 83 e8 e0 aa 7c fe <81> 48 20 00 00 00 04 64 8b 3d 18 20 8d 84 89 c6 89 fb 83 e3 1f 43
All code
========
   0:   00 75 1b                add    %dh,0x1b(%rbp)
   3:   b9 b4 d6 a7 83          mov    $0x83a7d6b4,%ecx
   8:   ba 4a 03 00 00          mov    $0x34a,%edx
   d:   b8 9b d6 a7 83          mov    $0x83a7d69b,%eax
  12:   c6 05 25 19 68 84 01    movb   $0x1,-0x7b97e6db(%rip)        # 0xffffffff8468193e
  19:   e8 80 c8 7f fe          call   0xfffffffffe7fc89e
  1e:   89 d8                   mov    %ebx,%eax
  20:   ba c0 ab f6 83          mov    $0x83f6abc0,%edx
  25:   e8 e0 aa 7c fe          call   0xfffffffffe7cab0a
  2a:*  81 48 20 00 00 00 04    orl    $0x4000000,0x20(%rax)         <-- trapping instruction
  31:   64 8b 3d 18 20 8d 84    mov    %fs:-0x7b72dfe8(%rip),%edi    # 0xffffffff848d2050
  38:   89 c6                   mov    %eax,%esi
  3a:   89 fb                   mov    %edi,%ebx
  3c:   83 e3 1f                and    $0x1f,%ebx
  3f:   43                      rex.XB

Code starting with the faulting instruction
===========================================
   0:   81 48 20 00 00 00 04    orl    $0x4000000,0x20(%rax)
   7:   64 8b 3d 18 20 8d 84    mov    %fs:-0x7b72dfe8(%rip),%edi    # 0xffffffff848d2026
   e:   89 c6                   mov    %eax,%esi
  10:   89 fb                   mov    %edi,%ebx
  12:   83 e3 1f                and    $0x1f,%ebx
  15:   43                      rex.XB
[    3.205081][    T0] EAX: 00000000 EBX: ffffffea ECX: 00000000 EDX: 00000000
[    3.205081][    T0] ESI: ee7fd750 EDI: ee7fd740 EBP: 83eebf80 ESP: 83eebf74
[    3.205081][    T0] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00210246
[    3.205081][    T0] CR0: 80050033 CR2: 00000020 CR3: 04910000 CR4: 00040690
[    3.205081][    T0] Call Trace:
[    3.205081][    T0]  start_kernel (init/main.c:1335)
[    3.205081][    T0]  i386_start_kernel (arch/x86/kernel/head32.c:129)
[    3.205081][    T0]  startup_32_smp (arch/x86/kernel/head_32.S:290)
[    3.205081][    T0] Modules linked in:
[    3.205081][    T0] CR2: 0000000000000020
[    3.205081][    T0] ---[ end trace 0000000000000000 ]---
[    3.205081][    T0] EIP: rest_init (init/main.c:717)
[    3.205081][    T0] Code: 00 75 1b b9 b4 d6 a7 83 ba 4a 03 00 00 b8 9b d6 a7 83 c6 05 25 19 68 84 01 e8 80 c8 7f fe 89 d8 ba c0 ab f6 83 e8 e0 aa 7c fe <81> 48 20 00 00 00 04 64 8b 3d 18 20 8d 84 89 c6 89 fb 83 e3 1f 43
All code
========
   0:   00 75 1b                add    %dh,0x1b(%rbp)
   3:   b9 b4 d6 a7 83          mov    $0x83a7d6b4,%ecx
   8:   ba 4a 03 00 00          mov    $0x34a,%edx
   d:   b8 9b d6 a7 83          mov    $0x83a7d69b,%eax
  12:   c6 05 25 19 68 84 01    movb   $0x1,-0x7b97e6db(%rip)        # 0xffffffff8468193e
  19:   e8 80 c8 7f fe          call   0xfffffffffe7fc89e
  1e:   89 d8                   mov    %ebx,%eax
  20:   ba c0 ab f6 83          mov    $0x83f6abc0,%edx
  25:   e8 e0 aa 7c fe          call   0xfffffffffe7cab0a
  2a:*  81 48 20 00 00 00 04    orl    $0x4000000,0x20(%rax)         <-- trapping instruction
  31:   64 8b 3d 18 20 8d 84    mov    %fs:-0x7b72dfe8(%rip),%edi    # 0xffffffff848d2050
  38:   89 c6                   mov    %eax,%esi
  3a:   89 fb                   mov    %edi,%ebx
  3c:   83 e3 1f                and    $0x1f,%ebx
  3f:   43                      rex.XB

Code starting with the faulting instruction
===========================================
   0:   81 48 20 00 00 00 04    orl    $0x4000000,0x20(%rax)
   7:   64 8b 3d 18 20 8d 84    mov    %fs:-0x7b72dfe8(%rip),%edi    # 0xffffffff848d2026
   e:   89 c6                   mov    %eax,%esi
  10:   89 fb                   mov    %edi,%ebx
  12:   83 e3 1f                and    $0x1f,%ebx
  15:   43                      rex.XB

The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250908/202509081409.2daadf50-lkp@intel.com

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
syzbot ci has tested the following series

[v1] fork: simplify overcomplicated if conditions
https://lore.kernel.org/all/357638f71edc7f1d9814b1851a64e09a8895bffc.1756968204.git.joeypabalinas@gmail.com
* [PATCH] fork: simplify overcomplicated if conditions

and found the following issue:
general protection fault in rest_init

Full report is available here:
https://ci.syzbot.org/series/e9c440d7-f494-4207-a59d-773bbbf909ff

***

general protection fault in rest_init

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      b320789d6883cc00ac78ce83bccbfe7ed58afcf0
arch:      amd64
compiler:  Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
config:    https://ci.syzbot.org/builds/58676b34-5a2d-40b9-ab9d-b45b8161dd5c/config

Console: colour VGA+ 80x25
printk: legacy console [ttyS0] enabled
printk: legacy console [ttyS0] enabled
printk: legacy bootconsole [earlyser0] disabled
printk: legacy bootconsole [earlyser0] disabled
Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
... MAX_LOCKDEP_SUBCLASSES:  8
... MAX_LOCK_DEPTH:          48
... MAX_LOCKDEP_KEYS:        8192
... CLASSHASH_SIZE:          4096
... MAX_LOCKDEP_ENTRIES:     1048576
... MAX_LOCKDEP_CHAINS:      1048576
... CHAINHASH_SIZE:          524288
 memory used by lock dependency info: 106625 kB
 memory used for stack traces: 8320 kB
 per task-struct memory footprint: 1920 bytes
mempolicy: Enabling automatic NUMA balancing. Configure with numa_balancing= or the kernel.numa_balancing sysctl
ACPI: Core revision 20250404
clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604467 ns
APIC: Switch to symmetric I/O mode setup
x2apic enabled
APIC: Switched APIC routing to: physical x2apic
..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x285d45cc0d6, max_idle_ns: 440795339158 ns
Calibrating delay loop (skipped) preset value.. 5600.55 BogoMIPS (lpj=28002760)
Last level iTLB entries: 4KB 0, 2MB 0, 4MB 0
Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0
mitigations: Enabled attack vectors: user_kernel, user_user, guest_host, guest_guest, SMT mitigations: auto
Speculative Store Bypass: Vulnerable
Spectre V2 : Mitigation: Retpolines
ITS: Mitigation: Aligned branch/return thunks
MDS: Vulnerable: Clear CPU buffers attempted, no microcode
Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Spectre V2 : Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT
active return thunk: its_return_thunk
x86/fpu: x87 FPU will use FXSAVE
Freeing SMP alternatives memory: 136K
pid_max: default: 32768 minimum: 301
LSM: initializing lsm=lockdown,capability,landlock,yama,safesetid,tomoyo,apparmor,bpf,ima,evm
landlock: Up and running.
Yama: becoming mindful.
TOMOYO Linux initialized
AppArmor: AppArmor initialized
LSM support for eBPF active
Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes, vmalloc hugepage)
Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes, vmalloc hugepage)
Mount-cache hash table entries: 8192 (order: 4, 65536 bytes, vmalloc)
Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes, vmalloc)
Running RCU synchronous self tests
Running RCU synchronous self tests
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:rest_init+0xf8/0x300
Code: f6 49 bf 00 00 00 00 00 fc ff df 89 ef 48 c7 c6 40 57 fe 8d e8 e9 47 12 f6 49 89 c6 48 89 c7 48 83 c7 2c 48 89 f8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 d9 01 00 00 41 80 4e 2f 04 e8 e1 e3 ff
RSP: 0000:ffffffff8de07ee0 EFLAGS: 00010207
RAX: 0000000000000005 RBX: ffffffff8b79fc61 RCX: ffffffff8de95100
RDX: 0000000000000000 RSI: ffffffffffffffea RDI: 000000000000002c
RBP: 00000000ffffffea R08: 0000000000000000 R09: ffffffff8b79fc61
R10: dffffc0000000000 R11: fffffbfff1f47207 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b8618000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88813ffff000 CR3: 000000000df36000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 start_kernel+0x3a9/0x410
 x86_64_start_reservations+0x24/0x30
 x86_64_start_kernel+0x143/0x1c0
 common_startup_64+0x13e/0x147
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rest_init+0xf8/0x300
Code: f6 49 bf 00 00 00 00 00 fc ff df 89 ef 48 c7 c6 40 57 fe 8d e8 e9 47 12 f6 49 89 c6 48 89 c7 48 83 c7 2c 48 89 f8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 d9 01 00 00 41 80 4e 2f 04 e8 e1 e3 ff
RSP: 0000:ffffffff8de07ee0 EFLAGS: 00010207
RAX: 0000000000000005 RBX: ffffffff8b79fc61 RCX: ffffffff8de95100
RDX: 0000000000000000 RSI: ffffffffffffffea RDI: 000000000000002c
RBP: 00000000ffffffea R08: 0000000000000000 R09: ffffffff8b79fc61
R10: dffffc0000000000 R11: fffffbfff1f47207 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b8618000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88813ffff000 CR3: 000000000df36000 CR4: 00000000000006f0

***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.
On Wed, Sep 03, 2025 at 08:46:29PM -1000, Joey Pabalinas wrote:
> Since `((a & (b|c)) == (b|c))` is the same thing as `(a & (b|c))`, use
> the second version which is simpler.

Huh? No it is not the same thing.

a = 1;
b = 1;
c = 2;

(a & (b|c)) is 1 which is true.
((a & (b|c)) == (b|c)) is false.

-- 
  Kiryl Shutsemau / Kirill A. Shutemov
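The counterexample above, carried through in a small stand-alone C program added here as an illustration (it is not code from the patch, the kernel or any participant in the thread): it evaluates both predicates on Kirill's values and then on every combination of the three clone flags the patch touches, reporting where the "all bits set" test and the "any bit set" test disagree. The flag values mirror include/uapi/linux/sched.h; the helper names are mine.

```c
/* Added example, not from the patch or the kernel: why
 * (a & (b|c)) == (b|c) ("both bits set") is not the same test as
 * (a & (b|c)) ("at least one bit set"). */
#include <stdio.h>

/* Flag values mirror include/uapi/linux/sched.h; only their
 * distinctness matters for the comparison below. */
#define CLONE_FS      0x00000200UL
#define CLONE_NEWNS   0x00020000UL
#define CLONE_NEWUSER 0x10000000UL

/* "all bits of mask set": the form copy_process() had before the patch */
static int all_set(unsigned long a, unsigned long mask)
{
	return (a & mask) == mask;
}

/* "any bit of mask set": the form the patch replaces it with */
static int any_set(unsigned long a, unsigned long mask)
{
	return (a & mask) != 0;
}

/* 1 if the pre-patch checks would reject these clone flags */
static int reject_original(unsigned long clone_flags)
{
	return all_set(clone_flags, CLONE_NEWNS | CLONE_FS) ||
	       all_set(clone_flags, CLONE_NEWUSER | CLONE_FS);
}

/* 1 if the post-patch checks would reject these clone flags */
static int reject_simplified(unsigned long clone_flags)
{
	return any_set(clone_flags, CLONE_NEWNS | CLONE_FS) ||
	       any_set(clone_flags, CLONE_NEWUSER | CLONE_FS);
}

/* Enumerate all 8 subsets of {CLONE_FS, CLONE_NEWNS, CLONE_NEWUSER},
 * print the ones where the two checks disagree and return how many
 * there are. */
static int count_disagreements(void)
{
	const unsigned long bits[] = { CLONE_FS, CLONE_NEWNS, CLONE_NEWUSER };
	int disagree = 0;

	for (unsigned i = 0; i < 8; i++) {
		unsigned long flags = 0;

		for (unsigned j = 0; j < 3; j++)
			if (i & (1u << j))
				flags |= bits[j];

		if (reject_original(flags) != reject_simplified(flags)) {
			printf("flags=0x%08lx: original %s, simplified %s\n",
			       flags,
			       reject_original(flags) ? "rejects" : "accepts",
			       reject_simplified(flags) ? "rejects" : "accepts");
			disagree++;
		}
	}
	return disagree;
}

int main(void)
{
	/* Kirill's counterexample: a = 1, b = 1, c = 2 */
	printf("a=1,b=1,c=2: any_set=%d all_set=%d\n",
	       any_set(1, 1 | 2), all_set(1, 1 | 2));
	printf("%d flag combinations are judged differently\n",
	       count_disagreements());
	return 0;
}
```

Of the eight combinations, four are judged differently, and every one of them is a combination the original code accepts (CLONE_FS alone, CLONE_NEWNS alone, CLONE_NEWUSER alone, and CLONE_NEWNS|CLONE_NEWUSER); the patched checks reject all of them with -EINVAL, which is the 0xffffffea (-22) value the robot reports in this thread show in a register at the rest_init oops.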
On Thu, Sep 04, 2025 at 10:56:44AM +0100, Kiryl Shutsemau wrote:
> On Wed, Sep 03, 2025 at 08:46:29PM -1000, Joey Pabalinas wrote:
> > Since `((a & (b|c)) == (b|c))` is the same thing as `(a & (b|c))`, use
> > the second version which is simpler.
> 
> Huh? No it is not the same thing.
> 
> a = 1;
> b = 1;
> c = 2;
> 
> (a & (b|c)) is 1 which is true.
> ((a & (b|c)) == (b|c)) is false.

Ah, you are right. My mistake.

-- 
Cheers,
Joey Pabalinas
On 04.09.25 12:04, Joey Pabalinas wrote:
> On Thu, Sep 04, 2025 at 10:56:44AM +0100, Kiryl Shutsemau wrote:
>> On Wed, Sep 03, 2025 at 08:46:29PM -1000, Joey Pabalinas wrote:
>>> Since `((a & (b|c)) == (b|c))` is the same thing as `(a & (b|c))`, use
>>> the second version which is simpler.
>>
>> Huh? No it is not the same thing.
>>
>> a = 1;
>> b = 1;
>> c = 2;
>>
>> (a & (b|c)) is 1 which is true.
>> ((a & (b|c)) == (b|c)) is false.
> 
> Ah, you are right. My mistake.

I suspect you didn't even test that patch?

Please do us all a favor and don't send any more such patches.

-- 
Cheers

David / dhildenb