From: Amir Goldstein
Date: Wed, 21 Nov 2018 22:22:26 +0200
Subject: Re: possible deadlock in mnt_want_write
To: Goldwyn Rodrigues
Cc: syzbot+ae82084b07d0297e566b@syzkaller.appspotmail.com, Mimi Zohar, Miklos Szeredi, linux-fsdevel, linux-kernel, syzkaller-bugs@googlegroups.com, Al Viro
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 21, 2018 at 10:04 PM Goldwyn Rodrigues wrote:
>
> On 20:57 21/11, Amir Goldstein wrote:
> > On Wed, Nov 21, 2018 at 8:33 PM syzbot wrote:
> > >
> > > syzbot has found a reproducer for the following crash on:
> > >
> > > HEAD commit: 442b8cea2477 Add linux-next specific files for 20181109
> > > git tree: linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=11a1426d400000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=2f72bdb11df9fbe8
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=ae82084b07d0297e566b
> > > compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1632326d400000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17a16ed5400000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+ae82084b07d0297e566b@syzkaller.appspotmail.com
> > > ...
> > > percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
> > > __sb_start_write+0x214/0x370 fs/super.c:1564
> > > sb_start_write include/linux/fs.h:1607 [inline]
> > > mnt_want_write+0x3f/0xc0 fs/namespace.c:359
> > > ovl_want_write+0x76/0xa0 fs/overlayfs/util.c:24
> > > ovl_open_maybe_copy_up+0x12c/0x190 fs/overlayfs/copy_up.c:888
> > > ovl_open+0xb3/0x260 fs/overlayfs/file.c:123
> > > do_dentry_open+0x499/0x1250 fs/open.c:771
> > > vfs_open fs/open.c:880 [inline]
> > > dentry_open+0x143/0x1d0 fs/open.c:896
> > > ima_calc_file_hash+0x324/0x570
> >
> > I suppose ima_calc_file_hash opens the file with write flags
> > and causes overlay to try to copy up which takes mnt_want_write().
> > Why does IMA need to open the file with write flags?
> >
> > Isn't this commit supposed to prevent that:
> > a408e4a86b36 ima: open a new file instance if no read permissions
> >
>
> Not write, read flags. This patch re-opens the files in O_RDONLY for
> files opened with O_WRONLY and cannot be read, so that the hash can be
> calculated. IOW, the user opened the file in overlayfs with write flags.
>

My point is:
ovl_open_need_copy_up() -> ovl_open_flags_need_copy_up()
returns false for O_RDONLY flags and never gets to ovl_want_write(),
so how is the stack trace below possible when ima_calc_file_hash()
removes all "write" flags before opening the file?

ovl_want_write+0x76/0xa0 fs/overlayfs/util.c:24
ovl_open_maybe_copy_up+0x12c/0x190 fs/overlayfs/copy_up.c:888
ovl_open+0xb3/0x260 fs/overlayfs/file.c:123
do_dentry_open+0x499/0x1250 fs/open.c:771
vfs_open fs/open.c:880 [inline]
dentry_open+0x143/0x1d0 fs/open.c:896
ima_calc_file_hash+0x324/0x570 security/integrity/ima/ima_crypto.c:427

The answer is found in the syzbot repro:
it opens the file with open(O_WRONLY|O_RDWR) (0x3)

Not nice, but apparently possible.
How about adding O_RDWR to the masked flags in ima_calc_file_hash()?

Since syzbot has a reproducer, you can send it a patch to verify the fix.

Thanks,
Amir.
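
Added example (not part of the original message and not kernel code): a userspace C model of the flag arithmetic discussed above, showing why clearing only O_WRONLY from flags 0x3 still leaves a writable open. The model_* and reopen_flags_* helpers and the exact masks are assumptions for illustration; only the 0x3 value and the idea of also masking O_RDWR come from the thread.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace stand-ins for kernel f_mode bits (assumed names). */
#define MODEL_FMODE_READ  0x1
#define MODEL_FMODE_WRITE 0x2

/* Kernel-style mapping from the open(2) access mode to f_mode bits:
 * O_RDONLY -> READ, O_WRONLY -> WRITE, O_RDWR -> READ|WRITE, 0x3 -> none. */
static int model_open_fmode(int flags)
{
    return (flags + 1) & 0x3;
}

/* Simplified model of the overlayfs "do these flags need copy-up?" check. */
static bool model_need_copy_up(int flags)
{
    if (!flags)
        return false;
    return (model_open_fmode(flags) & MODEL_FMODE_WRITE) || (flags & O_TRUNC);
}

/* Assumed masking before the re-open: O_WRONLY cleared, O_RDWR left alone. */
static int reopen_flags_current(int flags)
{
    return (flags & ~(O_WRONLY | O_APPEND | O_TRUNC | O_CREAT)) | O_RDONLY;
}

/* Same masking with O_RDWR added, as suggested in the message. */
static int reopen_flags_proposed(int flags)
{
    return (flags & ~(O_WRONLY | O_RDWR | O_APPEND | O_TRUNC | O_CREAT)) | O_RDONLY;
}

int main(void)
{
    /* Constructed inputs: the three normal access modes plus the repro's 0x3. */
    int cases[] = { O_RDONLY, O_WRONLY, O_RDWR, O_WRONLY | O_RDWR };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int cur = reopen_flags_current(cases[i]);
        int fix = reopen_flags_proposed(cases[i]);
        printf("flags=0x%x readable=%d | current: 0x%x copy_up=%d | proposed: 0x%x copy_up=%d\n",
               cases[i], !!(model_open_fmode(cases[i]) & MODEL_FMODE_READ),
               cur, model_need_copy_up(cur), fix, model_need_copy_up(fix));
    }
    return 0;
}
```

Flags 0x3 map to a file with neither read nor write mode, so the "no read permissions" re-open path applies, and the re-open then carries O_RDWR unless that bit is masked too.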