lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250626033411.GU1880847@ZenIV>
Date: Thu, 26 Jun 2025 04:34:11 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc: Mark Fasheh <mark@...heh.com>, Joel Becker <jlbec@...lplan.org>,
	Joseph Qi <joseph.qi@...ux.alibaba.com>,
	Richard Weinberger <richard@....at>, ocfs2-devel@...ts.linux.dev,
	linux-fsdevel <linux-fsdevel@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH] ocfs2: update d_splice_alias() return code checking

On Thu, Jun 26, 2025 at 11:14:59AM +0900, Tetsuo Handa wrote:

> But when commit b5ae6b15bd73 ("merge d_materialise_unique() into
> d_splice_alias()") was merged into v3.19-rc1, d_splice_alias() started
> returning -ELOOP as one of ERR_PTR values.
> 
> As a result, when syzkaller mounts a crafted ocfs2 filesystem image that
> hits d_splice_alias() == -ELOOP case from ocfs2_lookup(), ocfs2_lookup()
> fails to handle -ELOOP case and generic_shutdown_super() hits "VFS: Busy
> inodes after unmount" message.
> 
> Don't call ocfs2_dentry_attach_lock() nor ocfs2_dentry_attach_gen()
> when d_splice_alias() returned -ELOOP.
> 
> Reported-by: syzbot <syzbot+1134d3a5b062e9665a7a@...kaller.appspotmail.com>
> Closes: https://syzkaller.appspot.com/bug?extid=1134d3a5b062e9665a7a
> Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
> ---
> This patch wants review from maintainers. I'm not familiar with this change.

Not the right fix.  If nothing else, -ELOOP is not the only possible value
there.

This
                status = ocfs2_dentry_attach_lock(dentry, inode,
                                                  OCFS2_I(dir)->ip_blkno);
                if (status) {
                        mlog_errno(status);
                        ret = ERR_PTR(status);
                        goto bail_unlock;
                }
looks like pretty obvious leak in its own right?  What's more, on IS_ERR(ret)
we should stop playing silly buggers and just return the damn error.

So basically
        ret = d_splice_alias(inode, dentry);
	if (IS_ERR(ret))
		goto bail_unlock;
	if (inode) {
		if (ret)
			dentry = ret;
                status = ocfs2_dentry_attach_lock(dentry, inode,
                                                  OCFS2_I(dir)->ip_blkno);
		if (unlikely(status)) {
			if (ret)
				dput(ret);
			ret = ERR_PTR(status);
		}
	} else {
                ocfs2_dentry_attach_gen(dentry);
	}
bail_unlock:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ