linux-unionfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Miklos Szeredi <miklos@szeredi.hu>
To: Zheng Liang <zhengliang6@huawei.com>
Cc: overlayfs <linux-unionfs@vger.kernel.org>,
	"zhangyi (F)" <yi.zhang@huawei.com>
Subject: Re: [PATCH] ovl: fix oops in ovl_rename
Date: Fri, 24 Sep 2021 21:01:11 +0200	[thread overview]
Message-ID: <CAJfpegsOzWOryij91aRpJnXGVXnKf8jK90j-HEMWh8-hVShvxg@mail.gmail.com> (raw)
In-Reply-To: <20210924011628.2069334-1-zhengliang6@huawei.com>

On Fri, 24 Sept 2021 at 03:09, Zheng Liang <zhengliang6@huawei.com> wrote:
>
> We find a kernel NULL pointer dereference problem in overlayfs.
> The problem can appear in the following scene:
>
> mkdir lower upper work merge
> touch lower/old
> touch lower/new
> mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
> rm merge/new
> ------------------------------------------------------------------------------------------
> process A(rename file in merge)                                process B(delete file in upper)
> renameat2(AT_FDCWD, "old", AT_FDCWD, "new", 0)
> (new is whiteout file in upper)
>   do_renameat2
>     vfs_rename
>       ovl_rename
>       (overwrite=true,ovl_lower_positive(old)=true,
>       ovl_dentry_is_whiteout(new)=true)
>       (we can add some delay after "flags|=RENAME_EXCHANGE",
>       it can make the problem appear more easy)
>       ……                                                       unlink(new)
>       ……                                                       (delete whiteout in upper)
>       (newdentry is negative)
>         ovl_do_rename
>
> So,before commencing with ovl_do_rename that the flags maybe attach RENAME_EXCHANGE
> and the newdentry is negative in ovl_rename.If we enabled selinux,it
> will lead to kernel panic.such as the following log:
> PID: 2552045  TASK: ffff8880302faf00  CPU: 2   COMMAND: "fsstress"
>  #0 [ffff888080e772a0] machine_kexec at ffffffff856adedc
>  #1 [ffff888080e773a8] __crash_kexec at ffffffff8585cd20
>  #2 [ffff888080e774c0] panic at ffffffff8572b288
>  #3 [ffff888080e77590] oops_end at ffffffff85641f6e
>  #4 [ffff888080e775f0] __do_page_fault at ffffffff856cd55b
>  #5 [ffff888080e77668] do_page_fault at ffffffff856cd834
>  #6 [ffff888080e776a0] async_page_fault at ffffffff8660125e
>     [exception RIP: __inode_security_revalidate+34]
>     RIP: ffffffff85c43452  RSP: ffff888080e77758  RFLAGS: 00010202
>     RAX: 0000000000000000  RBX: 0000000000000000  RCX: ffffffff8593ae7e
>     RDX: 0000000000000000  RSI: 0000000000000297  RDI: 0000000000000297
>     RBP: ffff8881984e6628   R8: ffffed10115e3f39   R9: ffffed10115e3f39
>     R10: 0000000000000001  R11: ffffed10115e3f38  R12: 0000000000000001
>     R13: 0000000000000000  R14: ffff88808350a000  R15: 1ffff110101ceef5
>     ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
>  #7 [ffff888080e77780] selinux_inode_rename at ffffffff85c4418d
>  #8 [ffff888080e77858] security_inode_rename at ffffffff85c35f24
>  #9 [ffff888080e77890] vfs_rename at ffffffff85b01209
>  #10 [ffff888080e779a8] ovl_do_rename at ffffffffc0a44c22 [overlay]
>  #11 [ffff888080e779d8] ovl_rename at ffffffffc0a46575 [overlay]
>  #12 [ffff888080e77b48] vfs_rename at ffffffff85b0155a
>  #13 [ffff888080e77c60] do_renameat2 at ffffffff85b06e65
>  #14 [ffff888080e77f00] __x64_sys_renameat2 at ffffffff85b06fb2
>  #15 [ffff888080e77f30] do_syscall_64 at ffffffff85606243
>  #16 [ffff888080e77f50] entry_SYSCALL_64_after_hwframe at ffffffff866000ad
>
> We can add some check in ovl_rename for this scene and return error to avoid kernel panic.

Thanks.  Patch looks good; pushed to vfs.git#overlayfs-next (with a
cleaned up commit message).

Miklos

      parent reply	other threads:[~2021-09-24 19:01 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-24  1:16 Zheng Liang
2021-09-24  7:12 ` 139
2021-09-24  8:50   ` zhengliang (A)
2021-09-24 19:01 ` Miklos Szeredi [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAJfpegsOzWOryij91aRpJnXGVXnKf8jK90j-HEMWh8-hVShvxg@mail.gmail.com \
    --to=miklos@szeredi.hu \
    --cc=linux-unionfs@vger.kernel.org \
    --cc=yi.zhang@huawei.com \
    --cc=zhengliang6@huawei.com \
    --subject='Re: [PATCH] ovl: fix oops in ovl_rename' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).