From: Amir Goldstein <amir73il@gmail.com>
To: Edward Adam Davis <eadavis@qq.com>, viro@zeniv.linux.org.uk
Cc: syzbot+8608bb4553edb8c78f41@syzkaller.appspotmail.com,
chao@kernel.org, jaegeuk@kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
phillip@squashfs.org.uk, reiserfs-devel@vger.kernel.org,
squashfs-devel@lists.sourceforge.net,
syzkaller-bugs@googlegroups.com, terrelln@fb.com,
overlayfs <linux-unionfs@vger.kernel.org>,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [PATCH] ovl: fix BUG: Dentry still in use in unmount
Date: Sun, 17 Dec 2023 11:32:16 +0200 [thread overview]
Message-ID: <CAOQ4uxi+4-jyNY6jzNt1wG5xcYSZiSfU0AtCWtF71PSW160zRw@mail.gmail.com> (raw)
In-Reply-To: <tencent_4E2FCFC90D97A5910DFA926DDD945D9B1907@qq.com>
Hi Edward,
Thanks for the quick fix, but it is incorrect.
On Sun, Dec 17, 2023 at 10:11 AM Edward Adam Davis <eadavis@qq.com> wrote:
>
> workdir and destdir could be the same when copying up to indexdir.
This is not the reason for the bug, the reason is:
syzbot exercised the forbidden practice of moving the workdir under
lowerdir while overlayfs is mounted and tripped a dentry reference leak.
>
> Fixes: c63e56a4a652 ("ovl: do not open/llseek lower file with upper sb_writers held")
> Reported-and-tested-by: syzbot+8608bb4553edb8c78f41@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> fs/overlayfs/copy_up.c | 20 +++++++++++++-------
> 1 file changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> index 4382881b0709..ae5eb442025d 100644
> --- a/fs/overlayfs/copy_up.c
> +++ b/fs/overlayfs/copy_up.c
> @@ -731,10 +731,14 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
> .rdev = c->stat.rdev,
> .link = c->link
> };
> + err = -EIO;
> + /* workdir and destdir could be the same when copying up to indexdir */
> + if (lock_rename(c->workdir, c->destdir) != NULL)
> + goto unlock;
You can't do that. See comment below ovl_copy_up_data().
>
> err = ovl_prep_cu_creds(c->dentry, &cc);
> if (err)
> - return err;
> + goto unlock;
>
> ovl_start_write(c->dentry);
> inode_lock(wdir);
> @@ -743,8 +747,9 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
> ovl_end_write(c->dentry);
> ovl_revert_cu_creds(&cc);
>
> + err = PTR_ERR(temp);
> if (IS_ERR(temp))
> - return PTR_ERR(temp);
> + goto unlock;
>
> /*
> * Copy up data first and then xattrs. Writing data after
> @@ -760,10 +765,9 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
> * If temp was moved, abort without the cleanup.
> */
> ovl_start_write(c->dentry);
> - if (lock_rename(c->workdir, c->destdir) != NULL ||
> - temp->d_parent != c->workdir) {
> + if (temp->d_parent != c->workdir) {
dput(temp);
here is all that should be needed to fix the leak.
> err = -EIO;
> - goto unlock;
> + goto unlockcd;
> } else if (err) {
> goto cleanup;
> }
See my suggested fix at https://github.com/amir73il/linux/commits/ovl-fixes
Al,
Heads up.
This fix will have a minor conflict with a8b0026847b8 ("rename(): avoid
a deadlock in the case of parents having no common ancestor")
on your work.rename branch.
I plan to push my fix to linux-next soon, but I see that work.rename
is not in linux-next yet.
Thanks,
Amir.
WARNING: multiple messages have this Message-ID (diff)
From: Amir Goldstein <amir73il@gmail.com>
To: Edward Adam Davis <eadavis@qq.com>, viro@zeniv.linux.org.uk
Cc: squashfs-devel@lists.sourceforge.net,
reiserfs-devel@vger.kernel.org,
Miklos Szeredi <miklos@szeredi.hu>,
syzbot+8608bb4553edb8c78f41@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net, terrelln@fb.com,
phillip@squashfs.org.uk, linux-fsdevel@vger.kernel.org,
jaegeuk@kernel.org, overlayfs <linux-unionfs@vger.kernel.org>
Subject: Re: [f2fs-dev] [PATCH] ovl: fix BUG: Dentry still in use in unmount
Date: Sun, 17 Dec 2023 11:32:16 +0200 [thread overview]
Message-ID: <CAOQ4uxi+4-jyNY6jzNt1wG5xcYSZiSfU0AtCWtF71PSW160zRw@mail.gmail.com> (raw)
In-Reply-To: <tencent_4E2FCFC90D97A5910DFA926DDD945D9B1907@qq.com>
Hi Edward,
Thanks for the quick fix, but it is incorrect.
On Sun, Dec 17, 2023 at 10:11 AM Edward Adam Davis <eadavis@qq.com> wrote:
>
> workdir and destdir could be the same when copying up to indexdir.
This is not the reason for the bug, the reason is:
syzbot exercised the forbidden practice of moving the workdir under
lowerdir while overlayfs is mounted and tripped a dentry reference leak.
>
> Fixes: c63e56a4a652 ("ovl: do not open/llseek lower file with upper sb_writers held")
> Reported-and-tested-by: syzbot+8608bb4553edb8c78f41@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> fs/overlayfs/copy_up.c | 20 +++++++++++++-------
> 1 file changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> index 4382881b0709..ae5eb442025d 100644
> --- a/fs/overlayfs/copy_up.c
> +++ b/fs/overlayfs/copy_up.c
> @@ -731,10 +731,14 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
> .rdev = c->stat.rdev,
> .link = c->link
> };
> + err = -EIO;
> + /* workdir and destdir could be the same when copying up to indexdir */
> + if (lock_rename(c->workdir, c->destdir) != NULL)
> + goto unlock;
You can't do that. See comment below ovl_copy_up_data().
>
> err = ovl_prep_cu_creds(c->dentry, &cc);
> if (err)
> - return err;
> + goto unlock;
>
> ovl_start_write(c->dentry);
> inode_lock(wdir);
> @@ -743,8 +747,9 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
> ovl_end_write(c->dentry);
> ovl_revert_cu_creds(&cc);
>
> + err = PTR_ERR(temp);
> if (IS_ERR(temp))
> - return PTR_ERR(temp);
> + goto unlock;
>
> /*
> * Copy up data first and then xattrs. Writing data after
> @@ -760,10 +765,9 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
> * If temp was moved, abort without the cleanup.
> */
> ovl_start_write(c->dentry);
> - if (lock_rename(c->workdir, c->destdir) != NULL ||
> - temp->d_parent != c->workdir) {
> + if (temp->d_parent != c->workdir) {
dput(temp);
here is all that should be needed to fix the leak.
> err = -EIO;
> - goto unlock;
> + goto unlockcd;
> } else if (err) {
> goto cleanup;
> }
See my suggested fix at https://github.com/amir73il/linux/commits/ovl-fixes
Al,
Heads up.
This fix will have a minor conflict with a8b0026847b8 ("rename(): avoid
a deadlock in the case of parents having no common ancestor")
on your work.rename branch.
I plan to push my fix to linux-next soon, but I see that work.rename
is not in linux-next yet.
Thanks,
Amir.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
next prev parent reply other threads:[~2023-12-17 9:32 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-26 10:50 [syzbot] BUG: Dentry still in use in unmount syzbot
2023-12-16 23:19 ` [syzbot] [reiserfs?] [squashfs?] " syzbot
2023-12-16 23:19 ` [f2fs-dev] " syzbot
2023-12-17 3:39 ` Edward Adam Davis
2023-12-17 4:04 ` [syzbot] " syzbot
2023-12-17 5:43 ` Edward Adam Davis
2023-12-17 6:09 ` [syzbot] " syzbot
2023-12-17 8:11 ` [f2fs-dev] [PATCH] ovl: fix " Edward Adam Davis via Linux-f2fs-devel
2023-12-17 8:11 ` Edward Adam Davis
2023-12-17 9:32 ` Amir Goldstein [this message]
2023-12-17 9:32 ` [f2fs-dev] " Amir Goldstein
2023-12-17 9:16 ` [syzbot] [reiserfs?] [squashfs?] " Amir Goldstein
2023-12-17 9:16 ` [f2fs-dev] " Amir Goldstein
2023-12-17 9:36 ` syzbot
2023-12-17 9:36 ` [f2fs-dev] " syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAOQ4uxi+4-jyNY6jzNt1wG5xcYSZiSfU0AtCWtF71PSW160zRw@mail.gmail.com \
--to=amir73il@gmail.com \
--cc=chao@kernel.org \
--cc=eadavis@qq.com \
--cc=jaegeuk@kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=phillip@squashfs.org.uk \
--cc=reiserfs-devel@vger.kernel.org \
--cc=squashfs-devel@lists.sourceforge.net \
--cc=syzbot+8608bb4553edb8c78f41@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=terrelln@fb.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.