* possible deadlock in ovl_maybe_copy_up
@ 2020-11-23 10:05 syzbot
2021-04-03 19:18 ` [syzbot] " syzbot
0 siblings, 1 reply; 7+ messages in thread
From: syzbot @ 2020-11-23 10:05 UTC (permalink / raw)
To: linux-kernel, linux-unionfs, miklos, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: a349e4c6 Merge tag 'xfs-5.10-fixes-7' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11813299500000
kernel config: https://syzkaller.appspot.com/x/.config?x=a521022462477aea
dashboard link: https://syzkaller.appspot.com/bug?extid=c18f2f6a7b08c51e3025
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c18f2f6a7b08c51e3025@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.10.0-rc4-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/12280 is trying to acquire lock:
ffff8881480c8460 (sb_writers#4){.+.+}-{0:0}, at: ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:990
but task is already holding lock:
ffff888011c1a740 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x363/0x1760 security/integrity/ima/ima_main.c:253
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&iint->mutex){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:956 [inline]
__mutex_lock+0x134/0x10e0 kernel/locking/mutex.c:1103
process_measurement+0x363/0x1760 security/integrity/ima/ima_main.c:253
ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:498
do_open fs/namei.c:3254 [inline]
path_openat+0x154d/0x2730 fs/namei.c:3369
do_filp_open+0x17e/0x3c0 fs/namei.c:3396
do_sys_openat2+0x16d/0x420 fs/open.c:1168
do_sys_open fs/open.c:1184 [inline]
__do_sys_openat fs/open.c:1200 [inline]
__se_sys_openat fs/open.c:1195 [inline]
__x64_sys_openat+0x13f/0x1f0 fs/open.c:1195
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
-> #0 (sb_writers#4){.+.+}-{0:0}:
check_prev_add kernel/locking/lockdep.c:2866 [inline]
check_prevs_add kernel/locking/lockdep.c:2991 [inline]
validate_chain kernel/locking/lockdep.c:3606 [inline]
__lock_acquire+0x2ca6/0x5c00 kernel/locking/lockdep.c:4830
lock_acquire kernel/locking/lockdep.c:5435 [inline]
lock_acquire+0x2a3/0x8c0 kernel/locking/lockdep.c:5400
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1594 [inline]
sb_start_write include/linux/fs.h:1664 [inline]
mnt_want_write+0x69/0x3d0 fs/namespace.c:354
ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:990
ovl_open+0xba/0x270 fs/overlayfs/file.c:154
do_dentry_open+0x4b9/0x11b0 fs/open.c:817
vfs_open fs/open.c:931 [inline]
dentry_open+0x132/0x1d0 fs/open.c:947
ima_calc_file_hash+0x32b/0x5a0 security/integrity/ima/ima_crypto.c:557
ima_collect_measurement+0x4ca/0x570 security/integrity/ima/ima_api.c:250
process_measurement+0xca6/0x1760 security/integrity/ima/ima_main.c:330
ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:498
do_open fs/namei.c:3254 [inline]
path_openat+0x154d/0x2730 fs/namei.c:3369
do_filp_open+0x17e/0x3c0 fs/namei.c:3396
do_sys_openat2+0x16d/0x420 fs/open.c:1168
do_sys_open fs/open.c:1184 [inline]
__do_sys_open fs/open.c:1192 [inline]
__se_sys_open fs/open.c:1188 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1188
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&iint->mutex);
lock(sb_writers#4);
lock(&iint->mutex);
lock(sb_writers#4);
*** DEADLOCK ***
1 lock held by syz-executor.4/12280:
#0: ffff888011c1a740 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x363/0x1760 security/integrity/ima/ima_main.c:253
stack backtrace:
CPU: 0 PID: 12280 Comm: syz-executor.4 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:118
check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2115
check_prev_add kernel/locking/lockdep.c:2866 [inline]
check_prevs_add kernel/locking/lockdep.c:2991 [inline]
validate_chain kernel/locking/lockdep.c:3606 [inline]
__lock_acquire+0x2ca6/0x5c00 kernel/locking/lockdep.c:4830
lock_acquire kernel/locking/lockdep.c:5435 [inline]
lock_acquire+0x2a3/0x8c0 kernel/locking/lockdep.c:5400
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1594 [inline]
sb_start_write include/linux/fs.h:1664 [inline]
mnt_want_write+0x69/0x3d0 fs/namespace.c:354
ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:990
ovl_open+0xba/0x270 fs/overlayfs/file.c:154
do_dentry_open+0x4b9/0x11b0 fs/open.c:817
vfs_open fs/open.c:931 [inline]
dentry_open+0x132/0x1d0 fs/open.c:947
ima_calc_file_hash+0x32b/0x5a0 security/integrity/ima/ima_crypto.c:557
ima_collect_measurement+0x4ca/0x570 security/integrity/ima/ima_api.c:250
process_measurement+0xca6/0x1760 security/integrity/ima/ima_main.c:330
ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:498
do_open fs/namei.c:3254 [inline]
path_openat+0x154d/0x2730 fs/namei.c:3369
do_filp_open+0x17e/0x3c0 fs/namei.c:3396
do_sys_openat2+0x16d/0x420 fs/open.c:1168
do_sys_open fs/open.c:1184 [inline]
__do_sys_open fs/open.c:1192 [inline]
__se_sys_open fs/open.c:1188 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1188
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45deb9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fccb9104c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00000000000221c0 RCX: 000000000045deb9
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000020000040
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffc3967e2bf R14: 00007fccb91059c0 R15: 000000000118bf2c
overlayfs: upperdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] possible deadlock in ovl_maybe_copy_up
2020-11-23 10:05 possible deadlock in ovl_maybe_copy_up syzbot
@ 2021-04-03 19:18 ` syzbot
2021-04-04 8:10 ` Amir Goldstein
[not found] ` <20210618040135.950-1-hdanton@sina.com>
0 siblings, 2 replies; 7+ messages in thread
From: syzbot @ 2021-04-03 19:18 UTC (permalink / raw)
To: linux-kernel, linux-unionfs, miklos, syzkaller-bugs
syzbot has found a reproducer for the following issue on:
HEAD commit: 454c576c Add linux-next specific files for 20210401
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1616e07ed00000
kernel config: https://syzkaller.appspot.com/x/.config?x=920cc274cae812a5
dashboard link: https://syzkaller.appspot.com/bug?extid=c18f2f6a7b08c51e3025
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13da365ed00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ca9d16d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c18f2f6a7b08c51e3025@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.12.0-rc5-next-20210401-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor144/9166 is trying to acquire lock:
ffff888144cf0460 (sb_writers#5){.+.+}-{0:0}, at: ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:995
but task is already holding lock:
ffff8880256d42c0 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&iint->mutex){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:949 [inline]
__mutex_lock+0x139/0x1120 kernel/locking/mutex.c:1096
process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:499
do_open fs/namei.c:3361 [inline]
path_openat+0x15b5/0x27e0 fs/namei.c:3492
do_filp_open+0x17e/0x3c0 fs/namei.c:3519
do_sys_openat2+0x16d/0x420 fs/open.c:1187
do_sys_open fs/open.c:1203 [inline]
__do_sys_open fs/open.c:1211 [inline]
__se_sys_open fs/open.c:1207 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1207
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae
-> #0 (sb_writers#5){.+.+}-{0:0}:
check_prev_add kernel/locking/lockdep.c:2938 [inline]
check_prevs_add kernel/locking/lockdep.c:3061 [inline]
validate_chain kernel/locking/lockdep.c:3676 [inline]
__lock_acquire+0x2a17/0x5230 kernel/locking/lockdep.c:4902
lock_acquire kernel/locking/lockdep.c:5512 [inline]
lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5477
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1758 [inline]
sb_start_write include/linux/fs.h:1828 [inline]
mnt_want_write+0x6e/0x3e0 fs/namespace.c:375
ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:995
ovl_open+0xba/0x270 fs/overlayfs/file.c:149
do_dentry_open+0x4b9/0x11b0 fs/open.c:826
vfs_open fs/open.c:940 [inline]
dentry_open+0x132/0x1d0 fs/open.c:956
ima_calc_file_hash+0x2d2/0x4b0 security/integrity/ima/ima_crypto.c:557
ima_collect_measurement+0x4ca/0x570 security/integrity/ima/ima_api.c:252
process_measurement+0xd1c/0x17e0 security/integrity/ima/ima_main.c:330
ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:499
do_open fs/namei.c:3361 [inline]
path_openat+0x15b5/0x27e0 fs/namei.c:3492
do_filp_open+0x17e/0x3c0 fs/namei.c:3519
do_sys_openat2+0x16d/0x420 fs/open.c:1187
do_sys_open fs/open.c:1203 [inline]
__do_sys_open fs/open.c:1211 [inline]
__se_sys_open fs/open.c:1207 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1207
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&iint->mutex);
lock(sb_writers#5);
lock(&iint->mutex);
lock(sb_writers#5);
*** DEADLOCK ***
1 lock held by syz-executor144/9166:
#0: ffff8880256d42c0 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
stack backtrace:
CPU: 1 PID: 9166 Comm: syz-executor144 Not tainted 5.12.0-rc5-next-20210401-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x141/0x1d7 lib/dump_stack.c:120
check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2129
check_prev_add kernel/locking/lockdep.c:2938 [inline]
check_prevs_add kernel/locking/lockdep.c:3061 [inline]
validate_chain kernel/locking/lockdep.c:3676 [inline]
__lock_acquire+0x2a17/0x5230 kernel/locking/lockdep.c:4902
lock_acquire kernel/locking/lockdep.c:5512 [inline]
lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5477
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1758 [inline]
sb_start_write include/linux/fs.h:1828 [inline]
mnt_want_write+0x6e/0x3e0 fs/namespace.c:375
ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:995
ovl_open+0xba/0x270 fs/overlayfs/file.c:149
do_dentry_open+0x4b9/0x11b0 fs/open.c:826
vfs_open fs/open.c:940 [inline]
dentry_open+0x132/0x1d0 fs/open.c:956
ima_calc_file_hash+0x2d2/0x4b0 security/integrity/ima/ima_crypto.c:557
ima_collect_measurement+0x4ca/0x570 security/integrity/ima/ima_api.c:252
process_measurement+0xd1c/0x17e0 security/integrity/ima/ima_main.c:330
ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:499
do_open fs/namei.c:3361 [inline]
path_openat+0x15b5/0x27e0 fs/namei.c:3492
do_filp_open+0x17e/0x3c0 fs/namei.c:3519
do_sys_openat2+0x16d/0x420 fs/open.c:1187
do_sys_open fs/open.c:1203 [inline]
__do_sys_open fs/open.c:1211 [inline]
__se_sys_open fs/open.c:1207 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1207
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x446109
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe4412f12f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00000000004cb4c0 RCX: 0000000000446109
RDX: 0000000000000000 RSI: 0000000000000007 RDI: 00000000200001c0
RBP: 000000000049b06c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 69662f7375622f2e
R13: 79706f636174656d R14: 0079616c7265766f R15: 00000000004cb4c8
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] possible deadlock in ovl_maybe_copy_up
2021-04-03 19:18 ` [syzbot] " syzbot
@ 2021-04-04 8:10 ` Amir Goldstein
[not found] ` <20210618040135.950-1-hdanton@sina.com>
1 sibling, 0 replies; 7+ messages in thread
From: Amir Goldstein @ 2021-04-04 8:10 UTC (permalink / raw)
To: syzbot
Cc: linux-kernel, overlayfs, Miklos Szeredi, syzkaller-bugs,
Mimi Zohar, Goldwyn Rodrigues
On Sat, Apr 3, 2021 at 10:18 PM syzbot
<syzbot+c18f2f6a7b08c51e3025@syzkaller.appspotmail.com> wrote:
>
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 454c576c Add linux-next specific files for 20210401
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1616e07ed00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=920cc274cae812a5
> dashboard link: https://syzkaller.appspot.com/bug?extid=c18f2f6a7b08c51e3025
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13da365ed00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ca9d16d00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+c18f2f6a7b08c51e3025@syzkaller.appspotmail.com
>
> ======================================================
> WARNING: possible circular locking dependency detected
> 5.12.0-rc5-next-20210401-syzkaller #0 Not tainted
> ------------------------------------------------------
> syz-executor144/9166 is trying to acquire lock:
> ffff888144cf0460 (sb_writers#5){.+.+}-{0:0}, at: ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:995
>
> but task is already holding lock:
> ffff8880256d42c0 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
>
> which lock already depends on the new lock.
>
>
> the existing dependency chain (in reverse order) is:
>
> -> #1 (&iint->mutex){+.+.}-{3:3}:
> __mutex_lock_common kernel/locking/mutex.c:949 [inline]
> __mutex_lock+0x139/0x1120 kernel/locking/mutex.c:1096
> process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
> ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:499
> do_open fs/namei.c:3361 [inline]
> path_openat+0x15b5/0x27e0 fs/namei.c:3492
> do_filp_open+0x17e/0x3c0 fs/namei.c:3519
> do_sys_openat2+0x16d/0x420 fs/open.c:1187
> do_sys_open fs/open.c:1203 [inline]
> __do_sys_open fs/open.c:1211 [inline]
> __se_sys_open fs/open.c:1207 [inline]
> __x64_sys_open+0x119/0x1c0 fs/open.c:1207
> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> -> #0 (sb_writers#5){.+.+}-{0:0}:
> check_prev_add kernel/locking/lockdep.c:2938 [inline]
> check_prevs_add kernel/locking/lockdep.c:3061 [inline]
> validate_chain kernel/locking/lockdep.c:3676 [inline]
> __lock_acquire+0x2a17/0x5230 kernel/locking/lockdep.c:4902
> lock_acquire kernel/locking/lockdep.c:5512 [inline]
> lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5477
> percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
> __sb_start_write include/linux/fs.h:1758 [inline]
> sb_start_write include/linux/fs.h:1828 [inline]
> mnt_want_write+0x6e/0x3e0 fs/namespace.c:375
> ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:995
> ovl_open+0xba/0x270 fs/overlayfs/file.c:149
> do_dentry_open+0x4b9/0x11b0 fs/open.c:826
> vfs_open fs/open.c:940 [inline]
> dentry_open+0x132/0x1d0 fs/open.c:956
> ima_calc_file_hash+0x2d2/0x4b0 security/integrity/ima/ima_crypto.c:557
> ima_collect_measurement+0x4ca/0x570 security/integrity/ima/ima_api.c:252
> process_measurement+0xd1c/0x17e0 security/integrity/ima/ima_main.c:330
> ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:499
> do_open fs/namei.c:3361 [inline]
> path_openat+0x15b5/0x27e0 fs/namei.c:3492
> do_filp_open+0x17e/0x3c0 fs/namei.c:3519
> do_sys_openat2+0x16d/0x420 fs/open.c:1187
> do_sys_open fs/open.c:1203 [inline]
> __do_sys_open fs/open.c:1211 [inline]
> __se_sys_open fs/open.c:1207 [inline]
> __x64_sys_open+0x119/0x1c0 fs/open.c:1207
> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> other info that might help us debug this:
>
> Possible unsafe locking scenario:
>
> CPU0 CPU1
> ---- ----
> lock(&iint->mutex);
> lock(sb_writers#5);
> lock(&iint->mutex);
> lock(sb_writers#5);
>
> *** DEADLOCK ***
>
> 1 lock held by syz-executor144/9166:
> #0: ffff8880256d42c0 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
>
It's a false positive lockdep warning due to missing annotation of
stacking layer on iint->mutex in IMA code.
To fix it properly, iint->mutex, which can be taken in any of the
stacking fs layers, should be annotated with stacking depth like
ovl_lockdep_annotate_inode_mutex_key()
I think it's the same root cause as:
https://syzkaller.appspot.com/bug?extid=18a1619cceea30ed45af
https://syzkaller.appspot.com/bug?extid=ae82084b07d0297e566b
I think both of the above were marked "fixed" by a paper over.
The latter was marked "fixed" by "ovl: detect overlapping layers"
but if you look at the repro, the fact that 'workdir' overlaps with
'lowerdir' has nothing to do with the lockdep warning, so said
"fix" just papered over the IMA lockdep warning.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] possible deadlock in ovl_maybe_copy_up
[not found] ` <20210618040135.950-1-hdanton@sina.com>
@ 2021-06-22 2:32 ` Mimi Zohar
2021-06-22 4:51 ` Amir Goldstein
[not found] ` <20210622065340.1322-1-hdanton@sina.com>
0 siblings, 2 replies; 7+ messages in thread
From: Mimi Zohar @ 2021-06-22 2:32 UTC (permalink / raw)
To: Hillf Danton; +Cc: Amir Goldstein, syzbot, linux-kernel, syzkaller-bugs
On Fri, 2021-06-18 at 12:01 +0800, Hillf Danton wrote:
> On Sun, 4 Apr 2021 11:10:48 +0300 Amir Goldstein wrote:
> >On Sat, Apr 3, 2021 at 10:18 PM syzbot wrote:
> >>
> >> syzbot has found a reproducer for the following issue on:
> >>
> >> HEAD commit: 454c576c Add linux-next specific files for 20210401
> >> git tree: linux-next
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=1616e07ed00000
> >> kernel config: https://syzkaller.appspot.com/x/.config?x=920cc274cae812a5
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=c18f2f6a7b08c51e3025
> >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13da365ed00000
> >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ca9d16d00000
> >>
> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> Reported-by: syzbot+c18f2f6a7b08c51e3025@syzkaller.appspotmail.com
> >>
> >> ======================================================
> >> WARNING: possible circular locking dependency detected
> >> 5.12.0-rc5-next-20210401-syzkaller #0 Not tainted
> >> ------------------------------------------------------
> >> syz-executor144/9166 is trying to acquire lock:
> >> ffff888144cf0460 (sb_writers#5){.+.+}-{0:0}, at: ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:995
> >>
> >> but task is already holding lock:
> >> ffff8880256d42c0 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
> >>
> >> which lock already depends on the new lock.
> >>
> >>
> >> the existing dependency chain (in reverse order) is:
> >>
> >> -> #1 (&iint->mutex){+.+.}-{3:3}:
> >> __mutex_lock_common kernel/locking/mutex.c:949 [inline]
> >> __mutex_lock+0x139/0x1120 kernel/locking/mutex.c:1096
> >> process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
> >> ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:499
> >> do_open fs/namei.c:3361 [inline]
> >> path_openat+0x15b5/0x27e0 fs/namei.c:3492
> >> do_filp_open+0x17e/0x3c0 fs/namei.c:3519
> >> do_sys_openat2+0x16d/0x420 fs/open.c:1187
> >> do_sys_open fs/open.c:1203 [inline]
> >> __do_sys_open fs/open.c:1211 [inline]
> >> __se_sys_open fs/open.c:1207 [inline]
> >> __x64_sys_open+0x119/0x1c0 fs/open.c:1207
> >> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> >> entry_SYSCALL_64_after_hwframe+0x44/0xae
> >>
> >> -> #0 (sb_writers#5){.+.+}-{0:0}:
> >> check_prev_add kernel/locking/lockdep.c:2938 [inline]
> >> check_prevs_add kernel/locking/lockdep.c:3061 [inline]
> >> validate_chain kernel/locking/lockdep.c:3676 [inline]
> >> __lock_acquire+0x2a17/0x5230 kernel/locking/lockdep.c:4902
> >> lock_acquire kernel/locking/lockdep.c:5512 [inline]
> >> lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5477
> >> percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
> >> __sb_start_write include/linux/fs.h:1758 [inline]
> >> sb_start_write include/linux/fs.h:1828 [inline]
> >> mnt_want_write+0x6e/0x3e0 fs/namespace.c:375
> >> ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:995
> >> ovl_open+0xba/0x270 fs/overlayfs/file.c:149
> >> do_dentry_open+0x4b9/0x11b0 fs/open.c:826
> >> vfs_open fs/open.c:940 [inline]
> >> dentry_open+0x132/0x1d0 fs/open.c:956
> >> ima_calc_file_hash+0x2d2/0x4b0 security/integrity/ima/ima_crypto.c:557
> >> ima_collect_measurement+0x4ca/0x570 security/integrity/ima/ima_api.c:252
> >> process_measurement+0xd1c/0x17e0 security/integrity/ima/ima_main.c:330
> >> ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:499
> >> do_open fs/namei.c:3361 [inline]
> >> path_openat+0x15b5/0x27e0 fs/namei.c:3492
> >> do_filp_open+0x17e/0x3c0 fs/namei.c:3519
> >> do_sys_openat2+0x16d/0x420 fs/open.c:1187
> >> do_sys_open fs/open.c:1203 [inline]
> >> __do_sys_open fs/open.c:1211 [inline]
> >> __se_sys_open fs/open.c:1207 [inline]
> >> __x64_sys_open+0x119/0x1c0 fs/open.c:1207
> >> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> >> entry_SYSCALL_64_after_hwframe+0x44/0xae
> >>
> >> other info that might help us debug this:
> >>
> >> Possible unsafe locking scenario:
> >>
> >> CPU0 CPU1
> >> ---- ----
> >> lock(&iint->mutex);
> >> lock(sb_writers#5);
> >> lock(&iint->mutex);
> >> lock(sb_writers#5);
> >>
> >> *** DEADLOCK ***
> >>
> >> 1 lock held by syz-executor144/9166:
> >> #0: ffff8880256d42c0 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
> >>
>
> It is reported again.
> https://lore.kernel.org/lkml/00000000000067d24205c4d0e599@google.com/
> >
> >It's a false positive lockdep warning due to missing annotation of
> >stacking layer on iint->mutex in IMA code.
>
> Add it by copying what's created for ovl, see below.
> >
> >To fix it properly, iint->mutex, which can be taken in any of the
> >stacking fs layers, should be annotated with stacking depth like
> >ovl_lockdep_annotate_inode_mutex_key()
> >
> >I think it's the same root cause as:
> >https://syzkaller.appspot.com/bug?extid=18a1619cceea30ed45af
> >https://syzkaller.appspot.com/bug?extid=ae82084b07d0297e566b
> >
> >I think both of the above were marked "fixed" by a paper over.
> >The latter was marked "fixed" by "ovl: detect overlapping layers"
> >but if you look at the repro, the fact that 'workdir' overlaps with
> >'lowerdir' has nothing to do with the lockdep warning, so said
> >"fix" just papered over the IMA lockdep warning.
> >
> >Thanks,
> >Amir.
>
> +++ x/security/integrity/iint.c
> @@ -85,6 +85,45 @@ static void iint_free(struct integrity_i
> kmem_cache_free(iint_cache, iint);
> }
>
> +/*
> + * a copy from ovl_lockdep_annotate_inode_mutex_key() in a bit to fix
> +
> + Possible unsafe locking scenario:
> +
> + CPU0 CPU1
> + ---- ----
> + lock(&iint->mutex);
> + lock(sb_writers#5);
> + lock(&iint->mutex);
> + lock(sb_writers#5);
> +
> + *** DEADLOCK ***
> +
> +It's a false positive lockdep warning due to missing annotation of
> +stacking layer on iint->mutex in IMA code. [1]
> +
> +[1] https://lore.kernel.org/linux-unionfs/CAOQ4uxjk4XYuwz5HCmN-Ge=Ld=tM1f7ZxVrd5U1AC2Wisc9MTA@mail.gmail.com/
> +*/
> +static void iint_annotate_mutex_key(struct integrity_iint_cache *iint,
> + struct inode *inode)
> +{
> +#ifdef CONFIG_LOCKDEP
> + static struct lock_class_key
> + iint_mutex_key[FILESYSTEM_MAX_STACK_DEPTH],
> + iint_mutex_dir_key[FILESYSTEM_MAX_STACK_DEPTH];
> +
> + int depth = inode->i_sb->s_stack_depth - 1;
> +
> + if (WARN_ON_ONCE(depth < 0 || depth >= FILESYSTEM_MAX_STACK_DEPTH))
> + depth = 0;
> +
> + if (S_ISDIR(inode->i_mode))
> + lockdep_set_class(&iint->mutex, &iint_mutex_dir_key[depth]);
> + else
> + lockdep_set_class(&iint->mutex, &iint_mutex_key[depth]);
> +#endif
> +}
The iint cache is only for regular files.
> +
> /**
> * integrity_inode_get - find or allocate an iint associated with an inode
> * @inode: pointer to the inode
> @@ -113,6 +152,7 @@ struct integrity_iint_cache *integrity_i
> iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
> if (!iint)
> return NULL;
> + iint_annotate_mutex_key(iint, inode);
>
> write_lock(&integrity_iint_lock);
Should annotating the iint be limited to files on overlay filesystems?
thanks,
Mimi
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] possible deadlock in ovl_maybe_copy_up
2021-06-22 2:32 ` Mimi Zohar
@ 2021-06-22 4:51 ` Amir Goldstein
2021-06-22 11:40 ` Mimi Zohar
[not found] ` <20210622065340.1322-1-hdanton@sina.com>
1 sibling, 1 reply; 7+ messages in thread
From: Amir Goldstein @ 2021-06-22 4:51 UTC (permalink / raw)
To: Mimi Zohar; +Cc: Hillf Danton, syzbot, linux-kernel, syzkaller-bugs
On Tue, Jun 22, 2021 at 5:32 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Fri, 2021-06-18 at 12:01 +0800, Hillf Danton wrote:
> > On Sun, 4 Apr 2021 11:10:48 +0300 Amir Goldstein wrote:
> > >On Sat, Apr 3, 2021 at 10:18 PM syzbot wrote:
> > >>
> > >> syzbot has found a reproducer for the following issue on:
> > >>
> > >> HEAD commit: 454c576c Add linux-next specific files for 20210401
> > >> git tree: linux-next
> > >> console output: https://syzkaller.appspot.com/x/log.txt?x=1616e07ed00000
> > >> kernel config: https://syzkaller.appspot.com/x/.config?x=920cc274cae812a5
> > >> dashboard link: https://syzkaller.appspot.com/bug?extid=c18f2f6a7b08c51e3025
> > >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13da365ed00000
> > >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ca9d16d00000
> > >>
> > >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > >> Reported-by: syzbot+c18f2f6a7b08c51e3025@syzkaller.appspotmail.com
> > >>
> > >> ======================================================
> > >> WARNING: possible circular locking dependency detected
> > >> 5.12.0-rc5-next-20210401-syzkaller #0 Not tainted
> > >> ------------------------------------------------------
> > >> syz-executor144/9166 is trying to acquire lock:
> > >> ffff888144cf0460 (sb_writers#5){.+.+}-{0:0}, at: ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:995
> > >>
> > >> but task is already holding lock:
> > >> ffff8880256d42c0 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
> > >>
> > >> which lock already depends on the new lock.
> > >>
> > >>
> > >> the existing dependency chain (in reverse order) is:
> > >>
> > >> -> #1 (&iint->mutex){+.+.}-{3:3}:
> > >> __mutex_lock_common kernel/locking/mutex.c:949 [inline]
> > >> __mutex_lock+0x139/0x1120 kernel/locking/mutex.c:1096
> > >> process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
> > >> ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:499
> > >> do_open fs/namei.c:3361 [inline]
> > >> path_openat+0x15b5/0x27e0 fs/namei.c:3492
> > >> do_filp_open+0x17e/0x3c0 fs/namei.c:3519
> > >> do_sys_openat2+0x16d/0x420 fs/open.c:1187
> > >> do_sys_open fs/open.c:1203 [inline]
> > >> __do_sys_open fs/open.c:1211 [inline]
> > >> __se_sys_open fs/open.c:1207 [inline]
> > >> __x64_sys_open+0x119/0x1c0 fs/open.c:1207
> > >> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > >> entry_SYSCALL_64_after_hwframe+0x44/0xae
> > >>
> > >> -> #0 (sb_writers#5){.+.+}-{0:0}:
> > >> check_prev_add kernel/locking/lockdep.c:2938 [inline]
> > >> check_prevs_add kernel/locking/lockdep.c:3061 [inline]
> > >> validate_chain kernel/locking/lockdep.c:3676 [inline]
> > >> __lock_acquire+0x2a17/0x5230 kernel/locking/lockdep.c:4902
> > >> lock_acquire kernel/locking/lockdep.c:5512 [inline]
> > >> lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5477
> > >> percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
> > >> __sb_start_write include/linux/fs.h:1758 [inline]
> > >> sb_start_write include/linux/fs.h:1828 [inline]
> > >> mnt_want_write+0x6e/0x3e0 fs/namespace.c:375
> > >> ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:995
> > >> ovl_open+0xba/0x270 fs/overlayfs/file.c:149
> > >> do_dentry_open+0x4b9/0x11b0 fs/open.c:826
> > >> vfs_open fs/open.c:940 [inline]
> > >> dentry_open+0x132/0x1d0 fs/open.c:956
> > >> ima_calc_file_hash+0x2d2/0x4b0 security/integrity/ima/ima_crypto.c:557
> > >> ima_collect_measurement+0x4ca/0x570 security/integrity/ima/ima_api.c:252
> > >> process_measurement+0xd1c/0x17e0 security/integrity/ima/ima_main.c:330
> > >> ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:499
> > >> do_open fs/namei.c:3361 [inline]
> > >> path_openat+0x15b5/0x27e0 fs/namei.c:3492
> > >> do_filp_open+0x17e/0x3c0 fs/namei.c:3519
> > >> do_sys_openat2+0x16d/0x420 fs/open.c:1187
> > >> do_sys_open fs/open.c:1203 [inline]
> > >> __do_sys_open fs/open.c:1211 [inline]
> > >> __se_sys_open fs/open.c:1207 [inline]
> > >> __x64_sys_open+0x119/0x1c0 fs/open.c:1207
> > >> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > >> entry_SYSCALL_64_after_hwframe+0x44/0xae
> > >>
> > >> other info that might help us debug this:
> > >>
> > >> Possible unsafe locking scenario:
> > >>
> > >> CPU0 CPU1
> > >> ---- ----
> > >> lock(&iint->mutex);
> > >> lock(sb_writers#5);
> > >> lock(&iint->mutex);
> > >> lock(sb_writers#5);
> > >>
> > >> *** DEADLOCK ***
> > >>
> > >> 1 lock held by syz-executor144/9166:
> > >> #0: ffff8880256d42c0 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
> > >>
> >
> > It is reported again.
> > https://lore.kernel.org/lkml/00000000000067d24205c4d0e599@google.com/
> > >
> > >It's a false positive lockdep warning due to missing annotation of
> > >stacking layer on iint->mutex in IMA code.
> >
> > Add it by copying what's created for ovl, see below.
> > >
> > >To fix it properly, iint->mutex, which can be taken in any of the
> > >stacking fs layers, should be annotated with stacking depth like
> > >ovl_lockdep_annotate_inode_mutex_key()
> > >
> > >I think it's the same root cause as:
> > >https://syzkaller.appspot.com/bug?extid=18a1619cceea30ed45af
> > >https://syzkaller.appspot.com/bug?extid=ae82084b07d0297e566b
> > >
> > >I think both of the above were marked "fixed" by a paper over.
> > >The latter was marked "fixed" by "ovl: detect overlapping layers"
> > >but if you look at the repro, the fact that 'workdir' overlaps with
> > >'lowerdir' has nothing to do with the lockdep warning, so said
> > >"fix" just papered over the IMA lockdep warning.
> > >
> > >Thanks,
> > >Amir.
> >
> > +++ x/security/integrity/iint.c
> > @@ -85,6 +85,45 @@ static void iint_free(struct integrity_i
> > kmem_cache_free(iint_cache, iint);
> > }
> >
> > +/*
> > + * a copy from ovl_lockdep_annotate_inode_mutex_key() in a bit to fix
> > +
> > + Possible unsafe locking scenario:
> > +
> > + CPU0 CPU1
> > + ---- ----
> > + lock(&iint->mutex);
> > + lock(sb_writers#5);
> > + lock(&iint->mutex);
> > + lock(sb_writers#5);
> > +
> > + *** DEADLOCK ***
> > +
> > +It's a false positive lockdep warning due to missing annotation of
> > +stacking layer on iint->mutex in IMA code. [1]
> > +
> > +[1] https://lore.kernel.org/linux-unionfs/CAOQ4uxjk4XYuwz5HCmN-Ge=Ld=tM1f7ZxVrd5U1AC2Wisc9MTA@mail.gmail.com/
> > +*/
> > +static void iint_annotate_mutex_key(struct integrity_iint_cache *iint,
> > + struct inode *inode)
> > +{
> > +#ifdef CONFIG_LOCKDEP
> > + static struct lock_class_key
> > + iint_mutex_key[FILESYSTEM_MAX_STACK_DEPTH],
> > + iint_mutex_dir_key[FILESYSTEM_MAX_STACK_DEPTH];
> > +
> > + int depth = inode->i_sb->s_stack_depth - 1;
> > +
> > + if (WARN_ON_ONCE(depth < 0 || depth >= FILESYSTEM_MAX_STACK_DEPTH))
> > + depth = 0;
> > +
> > + if (S_ISDIR(inode->i_mode))
> > + lockdep_set_class(&iint->mutex, &iint_mutex_dir_key[depth]);
> > + else
> > + lockdep_set_class(&iint->mutex, &iint_mutex_key[depth]);
> > +#endif
> > +}
>
> The iint cache is only for regular files.
>
> > +
> > /**
> > * integrity_inode_get - find or allocate an iint associated with an inode
> > * @inode: pointer to the inode
> > @@ -113,6 +152,7 @@ struct integrity_iint_cache *integrity_i
> > iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
> > if (!iint)
> > return NULL;
> > + iint_annotate_mutex_key(iint, inode);
> >
> > write_lock(&integrity_iint_lock);
>
> Should annotating the iint be limited to files on overlay filesystems?
>
Not to overlay files specifically but to files on stacked fs,
i.e. (inode->i_sb->s_stack_depth > 0)
Assuming that this patch is tested(?), how come it did not hit the
WARN_ON_ONCE(depth < 0... above?
Thanks,
Amir.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] possible deadlock in ovl_maybe_copy_up
[not found] ` <20210622065340.1322-1-hdanton@sina.com>
@ 2021-06-22 8:53 ` Amir Goldstein
0 siblings, 0 replies; 7+ messages in thread
From: Amir Goldstein @ 2021-06-22 8:53 UTC (permalink / raw)
To: Hillf Danton; +Cc: Mimi Zohar, syzbot, linux-kernel, syzkaller-bugs, overlayfs
On Tue, Jun 22, 2021 at 9:53 AM Hillf Danton <hdanton@sina.com> wrote:
>
> On Mon, 21 Jun 2021 22:32:28 -0400 Mimi Zohar wrote:
> >On Fri, 2021-06-18 at 12:01 +0800, Hillf Danton wrote:
> >> On Sun, 4 Apr 2021 11:10:48 +0300 Amir Goldstein wrote:
> >> >On Sat, Apr 3, 2021 at 10:18 PM syzbot wrote:
> >> >>
> >> >> syzbot has found a reproducer for the following issue on:
> >> >>
> >> >> HEAD commit: 454c576c Add linux-next specific files for 20210401
> >> >> git tree: linux-next
> >> >> console output: https://syzkaller.appspot.com/x/log.txt?x=1616e07ed00000
> >> >> kernel config: https://syzkaller.appspot.com/x/.config?x=920cc274cae812a5
> >> >> dashboard link: https://syzkaller.appspot.com/bug?extid=c18f2f6a7b08c51e3025
> >> >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13da365ed00000
> >> >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ca9d16d00000
> >> >>
> >> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> >> Reported-by: syzbot+c18f2f6a7b08c51e3025@syzkaller.appspotmail.com
> >> >>
> >> >> ======================================================
> >> >> WARNING: possible circular locking dependency detected
> >> >> 5.12.0-rc5-next-20210401-syzkaller #0 Not tainted
> >> >> ------------------------------------------------------
> >> >> syz-executor144/9166 is trying to acquire lock:
> >> >> ffff888144cf0460 (sb_writers#5){.+.+}-{0:0}, at: ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:995
> >> >>
> >> >> but task is already holding lock:
> >> >> ffff8880256d42c0 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
> >> >>
> >> >> which lock already depends on the new lock.
> >> >>
> >> >>
> >> >> the existing dependency chain (in reverse order) is:
> >> >>
> >> >> -> #1 (&iint->mutex){+.+.}-{3:3}:
> >> >> __mutex_lock_common kernel/locking/mutex.c:949 [inline]
> >> >> __mutex_lock+0x139/0x1120 kernel/locking/mutex.c:1096
> >> >> process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
> >> >> ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:499
> >> >> do_open fs/namei.c:3361 [inline]
> >> >> path_openat+0x15b5/0x27e0 fs/namei.c:3492
> >> >> do_filp_open+0x17e/0x3c0 fs/namei.c:3519
> >> >> do_sys_openat2+0x16d/0x420 fs/open.c:1187
> >> >> do_sys_open fs/open.c:1203 [inline]
> >> >> __do_sys_open fs/open.c:1211 [inline]
> >> >> __se_sys_open fs/open.c:1207 [inline]
> >> >> __x64_sys_open+0x119/0x1c0 fs/open.c:1207
> >> >> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> >> >> entry_SYSCALL_64_after_hwframe+0x44/0xae
> >> >>
> >> >> -> #0 (sb_writers#5){.+.+}-{0:0}:
> >> >> check_prev_add kernel/locking/lockdep.c:2938 [inline]
> >> >> check_prevs_add kernel/locking/lockdep.c:3061 [inline]
> >> >> validate_chain kernel/locking/lockdep.c:3676 [inline]
> >> >> __lock_acquire+0x2a17/0x5230 kernel/locking/lockdep.c:4902
> >> >> lock_acquire kernel/locking/lockdep.c:5512 [inline]
> >> >> lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5477
> >> >> percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
> >> >> __sb_start_write include/linux/fs.h:1758 [inline]
> >> >> sb_start_write include/linux/fs.h:1828 [inline]
> >> >> mnt_want_write+0x6e/0x3e0 fs/namespace.c:375
> >> >> ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:995
> >> >> ovl_open+0xba/0x270 fs/overlayfs/file.c:149
> >> >> do_dentry_open+0x4b9/0x11b0 fs/open.c:826
> >> >> vfs_open fs/open.c:940 [inline]
> >> >> dentry_open+0x132/0x1d0 fs/open.c:956
> >> >> ima_calc_file_hash+0x2d2/0x4b0 security/integrity/ima/ima_crypto.c:557
> >> >> ima_collect_measurement+0x4ca/0x570 security/integrity/ima/ima_api.c:252
> >> >> process_measurement+0xd1c/0x17e0 security/integrity/ima/ima_main.c:330
> >> >> ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:499
> >> >> do_open fs/namei.c:3361 [inline]
> >> >> path_openat+0x15b5/0x27e0 fs/namei.c:3492
> >> >> do_filp_open+0x17e/0x3c0 fs/namei.c:3519
> >> >> do_sys_openat2+0x16d/0x420 fs/open.c:1187
> >> >> do_sys_open fs/open.c:1203 [inline]
> >> >> __do_sys_open fs/open.c:1211 [inline]
> >> >> __se_sys_open fs/open.c:1207 [inline]
> >> >> __x64_sys_open+0x119/0x1c0 fs/open.c:1207
> >> >> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> >> >> entry_SYSCALL_64_after_hwframe+0x44/0xae
> >> >>
> >> >> other info that might help us debug this:
> >> >>
> >> >> Possible unsafe locking scenario:
> >> >>
> >> >> CPU0 CPU1
> >> >> ---- ----
> >> >> lock(&iint->mutex);
> >> >> lock(sb_writers#5);
> >> >> lock(&iint->mutex);
> >> >> lock(sb_writers#5);
> >> >>
> >> >> *** DEADLOCK ***
> >> >>
> >> >> 1 lock held by syz-executor144/9166:
> >> >> #0: ffff8880256d42c0 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x3a8/0x17e0 security/integrity/ima/ima_main.c:253
> >> >>
> >>
> >> It is reported again.
> >> https://lore.kernel.org/lkml/00000000000067d24205c4d0e599@google.com/
> >> >
> >> >It's a false positive lockdep warning due to missing annotation of
> >> >stacking layer on iint->mutex in IMA code.
> >>
> >> Add it by copying what's created for ovl, see below.
> >> >
> >> >To fix it properly, iint->mutex, which can be taken in any of the
> >> >stacking fs layers, should be annotated with stacking depth like
> >> >ovl_lockdep_annotate_inode_mutex_key()
> >> >
> >> >I think it's the same root cause as:
> >> >https://syzkaller.appspot.com/bug?extid=18a1619cceea30ed45af
> >> >https://syzkaller.appspot.com/bug?extid=ae82084b07d0297e566b
> >> >
> >> >I think both of the above were marked "fixed" by a paper over.
> >> >The latter was marked "fixed" by "ovl: detect overlapping layers"
> >> >but if you look at the repro, the fact that 'workdir' overlaps with
> >> >'lowerdir' has nothing to do with the lockdep warning, so said
> >> >"fix" just papered over the IMA lockdep warning.
> >> >
> >> >Thanks,
> >> >Amir.
> >>
> >> +++ x/security/integrity/iint.c
> >> @@ -85,6 +85,45 @@ static void iint_free(struct integrity_i
> >> kmem_cache_free(iint_cache, iint);
> >> }
> >>
> >> +/*
> >> + * a copy from ovl_lockdep_annotate_inode_mutex_key() in a bit to fix
> >> +
> >> + Possible unsafe locking scenario:
> >> +
> >> + CPU0 CPU1
> >> + ---- ----
> >> + lock(&iint->mutex);
> >> + lock(sb_writers#5);
> >> + lock(&iint->mutex);
> >> + lock(sb_writers#5);
> >> +
> >> + *** DEADLOCK ***
> >> +
> >> +It's a false positive lockdep warning due to missing annotation of
> >> +stacking layer on iint->mutex in IMA code. [1]
> >> +
> >> +[1] https://lore.kernel.org/linux-unionfs/CAOQ4uxjk4XYuwz5HCmN-Ge=Ld=tM1f7ZxVrd5U1AC2Wisc9MTA@mail.gmail.com/
> >> +*/
> >> +static void iint_annotate_mutex_key(struct integrity_iint_cache *iint,
> >> + struct inode *inode)
> >> +{
> >> +#ifdef CONFIG_LOCKDEP
> >> + static struct lock_class_key
> >> + iint_mutex_key[FILESYSTEM_MAX_STACK_DEPTH],
> >> + iint_mutex_dir_key[FILESYSTEM_MAX_STACK_DEPTH];
> >> +
> >> + int depth = inode->i_sb->s_stack_depth - 1;
> >> +
> >> + if (WARN_ON_ONCE(depth < 0 || depth >= FILESYSTEM_MAX_STACK_DEPTH))
> >> + depth = 0;
> >> +
> >> + if (S_ISDIR(inode->i_mode))
> >> + lockdep_set_class(&iint->mutex, &iint_mutex_dir_key[depth]);
> >> + else
> >> + lockdep_set_class(&iint->mutex, &iint_mutex_key[depth]);
> >> +#endif
> >> +}
> >
> >The iint cache is only for regular files.
>
> Yes you are right.
> >
> >> +
> >> /**
> >> * integrity_inode_get - find or allocate an iint associated with an inode
> >> * @inode: pointer to the inode
> >> @@ -113,6 +152,7 @@ struct integrity_iint_cache *integrity_i
> >> iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
> >> if (!iint)
> >> return NULL;
> >> + iint_annotate_mutex_key(iint, inode);
> >>
> >> write_lock(&integrity_iint_lock);
> >
> >Should annotating the iint be limited to files on overlay filesystems?
>
> Yes but it is more difficult to address than thought without adding to
> the vfs is_ovl_inode(inode).
>
> Aside from adding is_xfs_inode(inode), another option is move the
> dentry_open() in ima_calc_file_hash() out of and before the iint->mutex in
> process_measurement(), and that will keep the AB locking order intact.
>
> Thoughts are welcome.
There is no need to detect overlayfs check for (inode->i_sb->s_stack_depth > 0)
Thanks,
Amir.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] possible deadlock in ovl_maybe_copy_up
2021-06-22 4:51 ` Amir Goldstein
@ 2021-06-22 11:40 ` Mimi Zohar
0 siblings, 0 replies; 7+ messages in thread
From: Mimi Zohar @ 2021-06-22 11:40 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Hillf Danton, syzbot, linux-kernel, syzkaller-bugs
> > Should annotating the iint be limited to files on overlay filesystems?
> >
>
> Not to overlay files specifically but to files on stacked fs,
> i.e. (inode->i_sb->s_stack_depth > 0)
> Assuming that this patch is tested(?), how come it did not hit the
> WARN_ON_ONCE(depth < 0... above?
Thanks, Amir!
As per the overlayfs comment, the depth can never be 0. It sounds like
in this case we only want to annotate the iint mutex for regular files,
if the stacking depth is greater than 0, but less than the max depth.
(I'm still trying to reproduce the lockdep.)
Mimi
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-06-22 11:41 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-23 10:05 possible deadlock in ovl_maybe_copy_up syzbot
2021-04-03 19:18 ` [syzbot] " syzbot
2021-04-04 8:10 ` Amir Goldstein
[not found] ` <20210618040135.950-1-hdanton@sina.com>
2021-06-22 2:32 ` Mimi Zohar
2021-06-22 4:51 ` Amir Goldstein
2021-06-22 11:40 ` Mimi Zohar
[not found] ` <20210622065340.1322-1-hdanton@sina.com>
2021-06-22 8:53 ` Amir Goldstein
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).