linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jan Kara <jack@suse.cz>
To: syzbot <syzbot+06cc05ddc896f12b7ec5@syzkaller.appspotmail.com>
Cc: amir73il@gmail.com, jack@suse.cz, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	ntfs3@lists.linux.dev,
	Konstantin Komarov <almaz.alexandrovich@paragon-software.com>,
	Al Viro <viro@ZenIV.linux.org.uk>,
	Christian Brauner <christian@brauner.io>
Subject: Re: [syzbot] kernel BUG in dnotify_free_mark
Date: Mon, 31 Oct 2022 18:50:50 +0100	[thread overview]
Message-ID: <20221031175050.xmhub66b6d4dvpcb@quack3> (raw)
In-Reply-To: <0000000000008b529305ec20dacc@google.com>

Hello!

[added some CCs to gather more ideas]

On Fri 28-10-22 16:45:33, syzbot wrote:
> syzbot found the following issue on:
> 
> HEAD commit:    247f34f7b803 Linux 6.1-rc2
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=157f594a880000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=1d3548a4365ba17d
> dashboard link: https://syzkaller.appspot.com/bug?extid=06cc05ddc896f12b7ec5
> compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15585936880000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ec85ba880000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/a5f39164dea4/disk-247f34f7.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/8d1b92f5a01f/vmlinux-247f34f7.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/1a4d2943796c/mount_0.gz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+06cc05ddc896f12b7ec5@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> kernel BUG at fs/notify/dnotify/dnotify.c:136!

OK, I've tracked this down to the problem in ntfs3 driver or maybe more
exactly in bad inode handling. What the reproducer does is that it mounts
ntfs3 image, places dnotify mark on filesystem's /, then accesses something
which finds that / is corrupted.  This calls ntfs_bad_inode() which calls
make_bad_inode() which sets inode->i_mode to S_IFREG. So when the file
descriptor is closed, dnotify doesn't get properly shutdown because it
works only on directories. Now calling make_bad_inode() on live inode is
problematic because it can change inode type (e.g. from directory to
regular file) and that tends to confuse things - dnotify in this case.

Now it is easy to blame filesystem driver for calling make_bad_inode() on
live inode but given it seems to be relatively widespread maybe
make_bad_inode() should be more careful not to screw VFS? What do other
people think?

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

  reply	other threads:[~2022-10-31 17:50 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-28 23:45 [syzbot] kernel BUG in dnotify_free_mark syzbot
2022-10-31 17:50 ` Jan Kara [this message]
2022-10-31 18:18   ` Amir Goldstein
2022-11-01 10:57     ` Jan Kara
     [not found] <20221029060343.3425-1-hdanton@sina.com>
2022-10-29  6:28 ` syzbot
     [not found] <20221029073104.3494-1-hdanton@sina.com>
2022-10-29  8:05 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221031175050.xmhub66b6d4dvpcb@quack3 \
    --to=jack@suse.cz \
    --cc=almaz.alexandrovich@paragon-software.com \
    --cc=amir73il@gmail.com \
    --cc=christian@brauner.io \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ntfs3@lists.linux.dev \
    --cc=syzbot+06cc05ddc896f12b7ec5@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=viro@ZenIV.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).