[syzbot] [overlayfs?] possible deadlock in ovl_copy_up_one
5 views
Skip to first unread message
syzbot
Jun 13, 2024, 7:07:20 PMJun 13
to amir...@gmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, mik...@szeredi.hu, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 771ed66105de Merge tag 'clk-fixes-for-linus' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15018032980000
kernel config: https://syzkaller.appspot.com/x/.config?x=399230c250e8119c
dashboard link: https://syzkaller.appspot.com/bug?extid=b778ac10fe2a0cd72517
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1253e6f6980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b2d41c980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-771ed661.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8d8815105845/vmlinux-771ed661.xz
kernel image: https://storage.googleapis.com/syzbot-assets/93a43d933942/bzImage-771ed661.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b778ac...@syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
6.10.0-rc2-syzkaller-00366-g771ed66105de #0 Not tainted
--------------------------------------------
syz-executor222/5195 is trying to acquire lock:
ffff888024f6a420 (sb_writers#5){.+.+}-{0:0}, at: ovl_do_copy_up fs/overlayfs/copy_up.c:967 [inline]
ffff888024f6a420 (sb_writers#5){.+.+}-{0:0}, at: ovl_copy_up_one+0x82a/0x3490 fs/overlayfs/copy_up.c:1168
but task is already holding lock:
ffff888024f6a420 (sb_writers#5){.+.+}-{0:0}, at: ovl_tmpfile+0x15b/0x6f0 fs/overlayfs/dir.c:1363
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(sb_writers#5);
lock(sb_writers#5);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by syz-executor222/5195:
#0: ffff88801bbe2420 (sb_writers#10){.+.+}-{0:0}, at: do_tmpfile fs/namei.c:3761 [inline]
#0: ffff88801bbe2420 (sb_writers#10){.+.+}-{0:0}, at: path_openat+0xc0f/0x29f0 fs/namei.c:3798
#1: ffff888024f6a420 (sb_writers#5){.+.+}-{0:0}, at: ovl_tmpfile+0x15b/0x6f0 fs/overlayfs/dir.c:1363
#2: ffff88803037a808 (&ovl_i_lock_key[depth]){+.+.}-{3:3}, at: ovl_inode_lock_interruptible fs/overlayfs/overlayfs.h:657 [inline]
#2: ffff88803037a808 (&ovl_i_lock_key[depth]){+.+.}-{3:3}, at: ovl_copy_up_start+0x4d/0x2f0 fs/overlayfs/util.c:719
stack backtrace:
CPU: 0 PID: 5195 Comm: syz-executor222 Not tainted 6.10.0-rc2-syzkaller-00366-g771ed66105de #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
check_deadlock kernel/locking/lockdep.c:3062 [inline]
validate_chain kernel/locking/lockdep.c:3856 [inline]
__lock_acquire+0x20e6/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1655 [inline]
sb_start_write include/linux/fs.h:1791 [inline]
ovl_start_write+0x130/0x310 fs/overlayfs/util.c:31
ovl_do_copy_up fs/overlayfs/copy_up.c:967 [inline]
ovl_copy_up_one+0x82a/0x3490 fs/overlayfs/copy_up.c:1168
ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
ovl_create_tmpfile fs/overlayfs/dir.c:1317 [inline]
ovl_tmpfile+0x2b8/0x6f0 fs/overlayfs/dir.c:1373
vfs_tmpfile+0x2be/0x540 fs/namei.c:3701
do_tmpfile fs/namei.c:3764 [inline]
path_openat+0xc8e/0x29f0 fs/namei.c:3798
do_filp_open+0x1dc/0x430 fs/namei.c:3834
do_sys_openat2+0x17a/0x1e0 fs/open.c:1405
do_sys_open fs/open.c:1420 [inline]
__do_sys_open fs/open.c:1428 [inline]
__se_sys_open fs/open.c:1424 [inline]
__x64_sys_open+0x154/0x1e0 fs/open.c:1424
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9268e3ef49
Code: 48 83 c4 28 c3 e8 67 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff6faf26d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007fff6faf26e0 RCX: 00007f9268e3ef49
RDX: 0000000000000000 RSI: 0000000000591002 RDI: 0000000020000100
RBP: 00007fff6faf26e8 R08: 00007f9268e0bf50 R09: 00007f9268e0bf50
R10: 00007f9268e0bf50 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff6faf2948 R14: 0000000000000001 R15: 0000000000000001
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 771ed66105de Merge tag 'clk-fixes-for-linus' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15018032980000
kernel config: https://syzkaller.appspot.com/x/.config?x=399230c250e8119c
dashboard link: https://syzkaller.appspot.com/bug?extid=b778ac10fe2a0cd72517
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1253e6f6980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b2d41c980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-771ed661.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8d8815105845/vmlinux-771ed661.xz
kernel image: https://storage.googleapis.com/syzbot-assets/93a43d933942/bzImage-771ed661.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b778ac...@syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
6.10.0-rc2-syzkaller-00366-g771ed66105de #0 Not tainted
--------------------------------------------
syz-executor222/5195 is trying to acquire lock:
ffff888024f6a420 (sb_writers#5){.+.+}-{0:0}, at: ovl_do_copy_up fs/overlayfs/copy_up.c:967 [inline]
ffff888024f6a420 (sb_writers#5){.+.+}-{0:0}, at: ovl_copy_up_one+0x82a/0x3490 fs/overlayfs/copy_up.c:1168
but task is already holding lock:
ffff888024f6a420 (sb_writers#5){.+.+}-{0:0}, at: ovl_tmpfile+0x15b/0x6f0 fs/overlayfs/dir.c:1363
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(sb_writers#5);
lock(sb_writers#5);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by syz-executor222/5195:
#0: ffff88801bbe2420 (sb_writers#10){.+.+}-{0:0}, at: do_tmpfile fs/namei.c:3761 [inline]
#0: ffff88801bbe2420 (sb_writers#10){.+.+}-{0:0}, at: path_openat+0xc0f/0x29f0 fs/namei.c:3798
#1: ffff888024f6a420 (sb_writers#5){.+.+}-{0:0}, at: ovl_tmpfile+0x15b/0x6f0 fs/overlayfs/dir.c:1363
#2: ffff88803037a808 (&ovl_i_lock_key[depth]){+.+.}-{3:3}, at: ovl_inode_lock_interruptible fs/overlayfs/overlayfs.h:657 [inline]
#2: ffff88803037a808 (&ovl_i_lock_key[depth]){+.+.}-{3:3}, at: ovl_copy_up_start+0x4d/0x2f0 fs/overlayfs/util.c:719
stack backtrace:
CPU: 0 PID: 5195 Comm: syz-executor222 Not tainted 6.10.0-rc2-syzkaller-00366-g771ed66105de #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
check_deadlock kernel/locking/lockdep.c:3062 [inline]
validate_chain kernel/locking/lockdep.c:3856 [inline]
__lock_acquire+0x20e6/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1655 [inline]
sb_start_write include/linux/fs.h:1791 [inline]
ovl_start_write+0x130/0x310 fs/overlayfs/util.c:31
ovl_do_copy_up fs/overlayfs/copy_up.c:967 [inline]
ovl_copy_up_one+0x82a/0x3490 fs/overlayfs/copy_up.c:1168
ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
ovl_create_tmpfile fs/overlayfs/dir.c:1317 [inline]
ovl_tmpfile+0x2b8/0x6f0 fs/overlayfs/dir.c:1373
vfs_tmpfile+0x2be/0x540 fs/namei.c:3701
do_tmpfile fs/namei.c:3764 [inline]
path_openat+0xc8e/0x29f0 fs/namei.c:3798
do_filp_open+0x1dc/0x430 fs/namei.c:3834
do_sys_openat2+0x17a/0x1e0 fs/open.c:1405
do_sys_open fs/open.c:1420 [inline]
__do_sys_open fs/open.c:1428 [inline]
__se_sys_open fs/open.c:1424 [inline]
__x64_sys_open+0x154/0x1e0 fs/open.c:1424
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9268e3ef49
Code: 48 83 c4 28 c3 e8 67 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff6faf26d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007fff6faf26e0 RCX: 00007f9268e3ef49
RDX: 0000000000000000 RSI: 0000000000591002 RDI: 0000000020000100
RBP: 00007fff6faf26e8 R08: 00007f9268e0bf50 R09: 00007f9268e0bf50
R10: 00007f9268e0bf50 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff6faf2948 R14: 0000000000000001 R15: 0000000000000001
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Lizhi Xu
Jun 13, 2024, 9:05:30 PMJun 13
to syzbot+b778ac...@syzkaller.appspotmail.com, amir...@gmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, mik...@szeredi.hu, syzkall...@googlegroups.com
ovl_copy_up() will retrieve sb_writers, and ovl_want_write will also retrieve
sb_writers, adjusting the order of their execution to avoid deadlocks.
Reported-by: syzbot+b778ac...@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizh...@windriver.com>
---
fs/overlayfs/dir.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 116f542442dd..ab65e98a1def 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -1314,10 +1314,6 @@ static int ovl_create_tmpfile(struct file *file, struct dentry *dentry,
int flags = file->f_flags | OVL_OPEN_FLAGS;
int err;
- err = ovl_copy_up(dentry->d_parent);
- if (err)
- return err;
-
old_cred = ovl_override_creds(dentry->d_sb);
err = ovl_setup_cred_for_create(dentry, inode, mode, old_cred);
if (err)
@@ -1360,6 +1356,10 @@ static int ovl_tmpfile(struct mnt_idmap *idmap, struct inode *dir,
if (!OVL_FS(dentry->d_sb)->tmpfile)
return -EOPNOTSUPP;
+ err = ovl_copy_up(dentry->d_parent);
+ if (err)
+ return err;
+
err = ovl_want_write(dentry);
if (err)
return err;
--
2.43.0
sb_writers, adjusting the order of their execution to avoid deadlocks.
Reported-by: syzbot+b778ac...@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizh...@windriver.com>
---
fs/overlayfs/dir.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 116f542442dd..ab65e98a1def 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -1314,10 +1314,6 @@ static int ovl_create_tmpfile(struct file *file, struct dentry *dentry,
int flags = file->f_flags | OVL_OPEN_FLAGS;
int err;
- err = ovl_copy_up(dentry->d_parent);
- if (err)
- return err;
-
old_cred = ovl_override_creds(dentry->d_sb);
err = ovl_setup_cred_for_create(dentry, inode, mode, old_cred);
if (err)
@@ -1360,6 +1356,10 @@ static int ovl_tmpfile(struct mnt_idmap *idmap, struct inode *dir,
if (!OVL_FS(dentry->d_sb)->tmpfile)
return -EOPNOTSUPP;
+ err = ovl_copy_up(dentry->d_parent);
+ if (err)
+ return err;
+
err = ovl_want_write(dentry);
if (err)
return err;
--
2.43.0
Miklos Szeredi
Jun 14, 2024, 2:54:11 AMJun 14
to Lizhi Xu, syzbot+b778ac...@syzkaller.appspotmail.com, amir...@gmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 14 Jun 2024 at 03:05, Lizhi Xu <lizh...@windriver.com> wrote:
>
> ovl_copy_up() will retrieve sb_writers, and ovl_want_write will also retrieve
> sb_writers, adjusting the order of their execution to avoid deadlocks.
>
> Reported-by: syzbot+b778ac...@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizh...@windriver.com>
Thank you.
>
> ovl_copy_up() will retrieve sb_writers, and ovl_want_write will also retrieve
> sb_writers, adjusting the order of their execution to avoid deadlocks.
>
> Reported-by: syzbot+b778ac...@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizh...@windriver.com>
This is already fixed in:
git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs.git #overlayfs-next
Will send a pull request to Linus in the following weeks.
Thanks,
Miklos
Miklos Szeredi
Jun 14, 2024, 3:11:26 AMJun 14
to syzbot, amir...@gmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz dup: possible deadlock in ovl_copy_up_flags
Reply all
Reply to author
Forward
0 new messages