lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 29 Jan 2024 13:07:45 +0800
From: Hillf Danton <hdanton@...a.com>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: syzbot <syzbot+da4f9f61f96525c62cc7@...kaller.appspotmail.com>,
	Amir Goldstein <amir73il@...il.com>,
	linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [overlayfs?] possible deadlock in seq_read_iter (2)

On Sun, 28 Jan 2024 21:43:35 +0000 Al Viro <viro@...iv.linux.org.uk>
> On Sat, Jan 27, 2024 at 07:46:10PM +0800, Hillf Danton wrote:
> > On Tue, 19 Dec 2023 11:43:27 -0800
> > > syzbot has found a reproducer for the following issue on:
> > > 
> > > HEAD commit:    2cf4f94d8e86 Merge tag 'scsi-fixes' of git://git.kernel.or..
> > > git tree:       upstream
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=154aa8d6e80000
> > 
> > #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git  2cf4f94d8e86
> > 
> > --- x/fs/namei.c
> > +++ y/fs/namei.c
> > @@ -3533,6 +3533,8 @@ static const char *open_last_lookups(str
> >  
> >  	if (open_flag & (O_CREAT | O_TRUNC | O_WRONLY | O_RDWR)) {
> >  		got_write = !mnt_want_write(nd->path.mnt);
> > +		if (!got_write && (open_flag & O_CREAT))
> > +			return ERR_PTR(-EISDIR);
> 
> NAK.

Thanks for looking at it, the AV legend.
> 
> Please, RTFComment just below your addition.

That is a simple debug patch to test why mnt_want_write() is needed in
ovl_create_object() as per the syzbot report [1], given the locking
order in open_last_lookups() in case of O_CREAT.

	mnt_want_write();
	inode_lock();

> Besides, EISDIR is
> obviously bogus in a lot of cases, starting with attempting to
> create a new file on a read-only filesystem.

EISDIR should have been replaced with EDEADLOCK.

	-> #3
	 (sb_writers#4){.+.+}-{0:0}:
	       lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
	       percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
	       __sb_start_write include/linux/fs.h:1635 [inline]
	       sb_start_write+0x4d/0x1c0 include/linux/fs.h:1710
	       mnt_want_write+0x3f/0x90 fs/namespace.c:404
	       ovl_create_object+0x13b/0x360 fs/overlayfs/dir.c:629
	       lookup_open fs/namei.c:3477 [inline]
	       open_last_lookups fs/namei.c:3546 [inline]
	       path_openat+0x13fa/0x3290 fs/namei.c:3776
	       do_filp_open+0x234/0x490 fs/namei.c:3809
	       do_sys_openat2+0x13e/0x1d0 fs/open.c:1437
	       do_sys_open fs/open.c:1452 [inline]
	       __do_sys_open fs/open.c:1460 [inline]
	       __se_sys_open fs/open.c:1456 [inline]
	       __x64_sys_open+0x225/0x270 fs/open.c:1456
	       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	       do_syscall_64+0x45/0x110 arch/x86/entry/common.c:83
	       entry_SYSCALL_64_after_hwframe+0x63/0x6b

[1] https://lore.kernel.org/lkml/0000000000008efd70060ce21487@google.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ