Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp2224769ybf; Mon, 2 Mar 2020 04:35:24 -0800 (PST) X-Google-Smtp-Source: ADFU+vtNW1GafyluBfedRvICE2AmCvsF/p1KyIVzQkYiN7Pudx0EvZ2EiBbvruGaIGt+TCouAawh X-Received: by 2002:a9d:23e4:: with SMTP id t91mr4314408otb.125.1583152523916; Mon, 02 Mar 2020 04:35:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583152523; cv=none; d=google.com; s=arc-20160816; b=Bk+eAlNttWQpI6uDUNGGeGKpRQeu5+emB+ShcOvtKX0XXsnQm56mOl4cQju5VT5L8f VQ5uCYys2grDugje7fVW7LdTr85F/djRrIvp4m6PDgkVALTIE2I7DPX7ctlMLvkSWqcM XRFhCkBg6OS96t46wxB+tOEci8VV6O5M4C1WMh8Jnn3CbiyCVqI4Q5rQ+vtijO5UIIzl qg5NXg0T429bjKSyiq2LbOSdlO4YWjX7FYaVfgo+2LPYNcWkefirUYPdtkTKV6/B1HIh R1gRvUu7KkNKyvCjbkub5M5k55gJskIvbUbhmzO6eUIBf4R1Oz4TFFLApbeUbcLwMJWd G8EQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=uzcQiw5bmowt4+ulow/RplAnqB+Uaeou/IGgfRNu6BY=; b=L5p50rqB2Jgu2UUr6qIWmh1+ieVlQ5LrJWEm0ZzQHCZ697bymrfy1TormexP/Z1D1K G/YjE05UoinmAjTVTnG9KiZGvKhnIJph5W2SVRlo9um+bPMl+WiFqdiB8H0RiMY7bG2C BLE6ovoU+fQJdQGNnTiCkxhetZh6e+8ZNy/Kro/g/8liRtmImfPvGCHEsvzC/CRgIkOe LJXw1LdA3iS0eMptSC6vrNONkF7qJcBCatkQM5c8l6aGs2apxXEg5/F3MGQ/rBC9yr3v MmNXqHcPQOn3M+fxcAiKln1S1jHTkEB9VkID4SvYY2T9ydz2dVMoE35F41eYNMKKtKIH f+6g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=fO7oLiXz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w7si6454868otq.250.2020.03.02.04.35.11; Mon, 02 Mar 2020 04:35:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=fO7oLiXz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727736AbgCBMfE (ORCPT + 99 others); Mon, 2 Mar 2020 07:35:04 -0500 Received: from mail-vk1-f196.google.com ([209.85.221.196]:41555 "EHLO mail-vk1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727361AbgCBMfD (ORCPT ); Mon, 2 Mar 2020 07:35:03 -0500 Received: by mail-vk1-f196.google.com with SMTP id y201so2879072vky.8 for ; Mon, 02 Mar 2020 04:35:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uzcQiw5bmowt4+ulow/RplAnqB+Uaeou/IGgfRNu6BY=; b=fO7oLiXzPRKQPba+voegh2apwnuQlM/BjsEMB5z3mgFhslsVplpSFNRCJQ1xwtsZ6G Mk1tqFJHS7WArliEtpqf4A+y5AZy7OnwGrJ8V3Tt85OXKyAAQ/G+JZf/5LycM89GzxtF yO7+dWorbsSIin6ccAB79DTVSRBfWH7jPqt1k6E6+d/dSpvshtFxpj9g0bZweNa8BLC8 9RZs1j0xaR/CYCPUFJ0gKkoRhchY0l1Irfm7I5NLaprd0LOUZFuuBGLMYf/TEvX9V4df OLgfu/DVEJZ8VhNnBsMrTQK7xBwt6clX/spAK0iRpcuChoUpJ0YgCbODYY5M11C+wMpF SrUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uzcQiw5bmowt4+ulow/RplAnqB+Uaeou/IGgfRNu6BY=; b=dMwSTsGyTY6nf5l5WpX+TcrM/vDPWaTK9Bm7j00syrmiVmsOt4TtKU1QfFx2hT/Wgx s4xBsld+9jsqLoZcIyDs+6xkeW6W1rJHOONn3qaVGkqzb19GgopNU7PpVst6SYkS+adm OZvM/dS3u8XHf0zHck1DX3j5XwYkqy0hGc+Ajh3pdzat0sW4vg2egwaJT4R2PGtAXiJB sChis2x1djnr6BR/+TCghj7TJkkm/Z0Ek6W47CZaL/+ah1PDCKEH3okcECb6wdKLQJXs whrZzTO+KqXXSAnwi16WQYzpIZc+FdfGFDMMRFh3ZVDT6BdsK4v0nLr62ycc/FoSKZFV Kq7w== X-Gm-Message-State: ANhLgQ3s6/WO89KjFvoja1uoI1ufkyS+XIzSzCkoZ4yirnDQla6mVJVA DV8cisLxOyxoxN1ldh7Mr3fDRl2+hgOmcQJ5N4pQEA== X-Received: by 2002:a1f:9d8a:: with SMTP id g132mr8967505vke.39.1583152500830; Mon, 02 Mar 2020 04:35:00 -0800 (PST) MIME-Version: 1.0 References: <000000000000d3e319059fcfdc98@google.com> In-Reply-To: From: Dmitry Vyukov Date: Mon, 2 Mar 2020 13:34:49 +0100 Message-ID: Subject: Re: WARNING: bad unlock balance in ovl_llseek To: Amir Goldstein Cc: syzbot , linux-kernel , overlayfs , Miklos Szeredi , Miklos Szeredi , syzkaller-bugs Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 2, 2020 at 1:10 PM Amir Goldstein wrote: > > > On Sun, Mar 1, 2020 at 9:13 PM syzbot > > > wrote: > > > > > > > > Hello, > > > > > > > > syzbot found the following crash on: > > > > > > > > HEAD commit: f8788d86 Linux 5.6-rc3 > > > > git tree: upstream > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=13c5f8f9e00000 > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=5d2e033af114153f > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=66a9752fa927f745385e > > > > compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81) > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=131d9a81e00000 > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14117a81e00000 > > > > > > > > > > Dmitry, > > > > > > There is something strange about the C repro. > > > It passes an invalid address for the first arg of mount syscall: > > > > > > syscall(__NR_mount, 0x400000ul, 0x20000000ul, 0x20000080ul, 0ul, > > > 0x20000100ul); > > > > > > With this address mount syscall returns -EFAULT on my system. > > > I fixed this manually, but repro did not trigger the reported bug on my system. > > > > Hi Amir, > > > > This is not strange in the context of fuzzer, it's goal is to pass > > random data. Generally if it says 0x400000ul, that's what it is, don't > > fix it, or you are running a different program that may not reproduce > > the bug. If syzbot attaches a reproducer, the bug was triggered by > > precisely this program. > > > > What's strange it that a bug in overlay code cannot be triggered if overlay > isn't mounted and as it is the repro couldn't mount overlayfs at all, at > lease with my kernel config. Can it depend on kernel config? The bug was triggered by the program provided somehow. Separate question: why is it failing? Isn't src unused for overlayfs? Where/how does vfs code look at src? > The bounds check that causes mount failure is in vfs code, not in > overlayfs code, > so not sure what exactly went on there. > > > > The reason why it passes non-pointers here is we think the src > > argument of overlay mount is unused: > > https://github.com/google/syzkaller/blob/4a4e0509de520c7139ca2b5606712cbadc550db2/sys/linux/filesystem.txt#L12 > > If it's not true, it needs to be fixed (or almost all overlay mounts > > fail with EFAULT during fuzzing). > > > > > > > > The bug was bisected to: > > > > > > > > commit b1f9d3858f724ed45b279b689fb5b400d91352e3 > > > > Author: Amir Goldstein > > > > Date: Sat Dec 21 09:42:29 2019 +0000 > > > > > > > > ovl: use ovl_inode_lock in ovl_llseek() > > > > > > > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16ff3bede00000 > > > > final crash: https://syzkaller.appspot.com/x/report.txt?x=15ff3bede00000 > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=11ff3bede00000 > > > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > > > Reported-by: syzbot+66a9752fa927f745385e@syzkaller.appspotmail.com > > > > Fixes: b1f9d3858f72 ("ovl: use ovl_inode_lock in ovl_llseek()") > > > > > > > > ===================================== > > > > WARNING: bad unlock balance detected! > > > > 5.6.0-rc3-syzkaller #0 Not tainted > > > > ------------------------------------- > > > > syz-executor194/8947 is trying to release lock (&ovl_i_lock_key[depth]) at: > > > > [] ovl_inode_unlock fs/overlayfs/overlayfs.h:328 [inline] > > > > [] ovl_llseek+0x215/0x2c0 fs/overlayfs/file.c:193 > > > > but there are no more locks to release! > > > > > > > > > > This is strange. I don't see how that can happen nor how my change would > > > have caused this regression. If anything, the lock chance may have brought > > > a bug in stack file ops to light, but don't see the bug. > > > > > > The repro is multi-threaded but when I ran the repro, a single thread did: > > > - open lower file (pre copy up) > > > - lchown file (copy up) > > > - llseek the open file (so llseek is on a temporary ovl_open_realfile()) > > > > > > Perhaps when bug was triggered ops above were executed by different > > > threads? > > > > Perfectly possible. > > > > > Dmitry, I may have asked this before - how hard would it be to attach an > > > strace of the repro to a bug report? > > > > This is tracked in https://github.com/google/syzkaller/issues/197 but > > no progress so far. > > What exactly were the main pain points in this case? But note that > > strace is not atomic with actual execution, so it may lead you down > > even worse rabbit hole... > > Sure, but it can add more insight for analysis. > > Thanks, > Amir.