[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAOQ4uxi+4-jyNY6jzNt1wG5xcYSZiSfU0AtCWtF71PSW160zRw@mail.gmail.com>
Date: Sun, 17 Dec 2023 11:32:16 +0200
From: Amir Goldstein <amir73il@...il.com>
To: Edward Adam Davis <eadavis@...com>, viro@...iv.linux.org.uk
Cc: syzbot+8608bb4553edb8c78f41@...kaller.appspotmail.com, chao@...nel.org,
jaegeuk@...nel.org, linux-f2fs-devel@...ts.sourceforge.net,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
phillip@...ashfs.org.uk, reiserfs-devel@...r.kernel.org,
squashfs-devel@...ts.sourceforge.net, syzkaller-bugs@...glegroups.com,
terrelln@...com, overlayfs <linux-unionfs@...r.kernel.org>,
Miklos Szeredi <miklos@...redi.hu>
Subject: Re: [PATCH] ovl: fix BUG: Dentry still in use in unmount
Hi Edward,
Thanks for the quick fix, but it is incorrect.
On Sun, Dec 17, 2023 at 10:11 AM Edward Adam Davis <eadavis@...com> wrote:
>
> workdir and destdir could be the same when copying up to indexdir.
This is not the reason for the bug, the reason is:
syzbot exercised the forbidden practice of moving the workdir under
lowerdir while overlayfs is mounted and tripped a dentry reference leak.
>
> Fixes: c63e56a4a652 ("ovl: do not open/llseek lower file with upper sb_writers held")
> Reported-and-tested-by: syzbot+8608bb4553edb8c78f41@...kaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@...com>
> ---
> fs/overlayfs/copy_up.c | 20 +++++++++++++-------
> 1 file changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> index 4382881b0709..ae5eb442025d 100644
> --- a/fs/overlayfs/copy_up.c
> +++ b/fs/overlayfs/copy_up.c
> @@ -731,10 +731,14 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
> .rdev = c->stat.rdev,
> .link = c->link
> };
> + err = -EIO;
> + /* workdir and destdir could be the same when copying up to indexdir */
> + if (lock_rename(c->workdir, c->destdir) != NULL)
> + goto unlock;
You can't do that. See comment below ovl_copy_up_data().
>
> err = ovl_prep_cu_creds(c->dentry, &cc);
> if (err)
> - return err;
> + goto unlock;
>
> ovl_start_write(c->dentry);
> inode_lock(wdir);
> @@ -743,8 +747,9 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
> ovl_end_write(c->dentry);
> ovl_revert_cu_creds(&cc);
>
> + err = PTR_ERR(temp);
> if (IS_ERR(temp))
> - return PTR_ERR(temp);
> + goto unlock;
>
> /*
> * Copy up data first and then xattrs. Writing data after
> @@ -760,10 +765,9 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
> * If temp was moved, abort without the cleanup.
> */
> ovl_start_write(c->dentry);
> - if (lock_rename(c->workdir, c->destdir) != NULL ||
> - temp->d_parent != c->workdir) {
> + if (temp->d_parent != c->workdir) {
dput(temp);
here is all that should be needed to fix the leak.
> err = -EIO;
> - goto unlock;
> + goto unlockcd;
> } else if (err) {
> goto cleanup;
> }
See my suggested fix at https://github.com/amir73il/linux/commits/ovl-fixes
Al,
Heads up.
This fix will have a minor conflict with a8b0026847b8 ("rename(): avoid
a deadlock in the case of parents having no common ancestor")
on your work.rename branch.
I plan to push my fix to linux-next soon, but I see that work.rename
is not in linux-next yet.
Thanks,
Amir.
Powered by blists - more mailing lists