Message-ID: <CAOQ4uxgkJghRf5HyNYv73UD+JoNF0yZ7ji+4qPQGo0E2513cOQ@mail.gmail.com>
Date: Mon, 1 Dec 2025 09:49:56 +0100
From: Amir Goldstein <amir73il@...il.com>
To: NeilBrown <neil@...wn.name>
Cc: Deepanshu Kartikey <kartikey406@...il.com>, brauner@...nel.org, viro@...iv.linux.org.uk,
jlayton@...nel.org, linux-kernel@...r.kernel.org,
syzbot+b74150fd2ef40e716ca2@...kaller.appspot.com
Subject: Re: [PATCH] ipc/mqueue: fix dentry refcount imbalance in prepare_open()
On Sun, Nov 30, 2025 at 11:27 PM NeilBrown <neilb@...mail.net> wrote:
>
> On Sun, 30 Nov 2025, Amir Goldstein wrote:
> > On Sun, Nov 30, 2025 at 10:27 AM Deepanshu Kartikey
> > <kartikey406@...il.com> wrote:
> > >
> > > When opening an existing message queue, prepare_open() does not increment
> > > the dentry refcount, but end_creating() always calls dput(). This causes
> > > a refcount imbalance that triggers a WARN_ON_ONCE in fast_dput() when the
> > > file is later closed.
> > >
> > > The creation path via vfs_mkobj() correctly increments the refcount, but
> > > the "already exists" path was missing the corresponding dget().
> > >
> > > Add the missing dget() call when opening an existing queue to balance the
> > > dput() in end_creating().
> >
> > Sorry but this analysis looks wrong.
>
> Agreed. vfs_mkobj() takes a ref (via mqueue_create_attr) on a newly
> created dentry to keep it in dcache. The open-existing path doesn't
> need to do that.
>
> >
> > AFAIS, the bug was that end_creating() should have been before the out_putfd
> > label just as path_put() was before the commit.
>
> Disagree. Moving end_creating() earlier to before out_putfd: would only
> affect code paths that "goto out_putfd". The only code that does that
> is when path.dentry is an IS_ERR() so there is nothing to dput.
>
> I don't think there is a bug here. The dput() issue in the syzkaller
> report below has already been addressed by an overlayfs fix in
> ovl_lock_rename_workdir().
>
Maybe so, but the syzbot repro has nothing to do with overlayfs.
I have absolutely no idea why the bot tagged this report as [overlayfs]
but I will ask it to retest on upstream.
Thanks,
Amir.