Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp2646774pxf; Sun, 4 Apr 2021 08:56:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxZkXbhF1+F+lpytt3n+Yf1kIqjrpplED+DYy2IIQCxIdhDfLr2E4GxCFBk0CAL/BsVz4gw X-Received: by 2002:a05:6638:144e:: with SMTP id l14mr20126446jad.76.1617551813110; Sun, 04 Apr 2021 08:56:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617551813; cv=none; d=google.com; s=arc-20160816; b=CD+G4pPlfQcLCMh3m/eGVPddYR1vNerriVaA8zCzvylV3NhEmBCGIPzBG8pycbM2Mo 1wAIa+mEPjb/2lxMctNbTt2ZWVBO7XDCCJiTsCl3M37hhaxZvD0xDKoQhAWqw09t2fND QG/flGfqzAMzDHxgNh/JKGLZuDlj388NO//BNpWYNdCHpSLq1ke697e/XSSFcwRslfH8 2uMLkXq0+MNhLCHIFuoCSO24RurB2YQG9ej0OTPEkTmpQiKjRF0yVHs2cznQYO3iZjl8 JCjnkWiA+ZIiHxbDZXBZesxCsAC0ofVrwYrACwszW5kqkuyGPBxCNBMzf8zzg2Hn5IbS gQCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=77ZDUEOerwMBFEqCXRmfYsoLMEaF9rFsQ6IyBgi13ZY=; b=mYhxQZtx22408rxNXIC8Cx1tVn1K7eWDxpdTbVzLx5pdgaDKS5qGtNncxyCUmSHyy9 kHoL4NZJ3E62M1zzMsi2RyEK3yP05nTOcXiWKS/xjOF+Hhruv3SR1pjm7xr7WpQFuUt8 Q6qhWIJpHlchs4ArlMdbVQeGaNVeXnaVZK4EgEnQqQrh8cXZpdmDHiTU7a+gmsPAcwuq WAbycOnw9yaA+1G7O/bidxXlbijRQ3HWvnKsWkBzh49WyTkgy9VnAQRSsArzochCgWlO CNxnzFVEEiUUx8rcmOTWm8WU7XMZ8F/7ocsg+st+L22pRsy4ZU710Zh/vSQ7luPqMjn1 Jj3g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f11si11924265ioc.41.2021.04.04.08.56.39; Sun, 04 Apr 2021 08:56:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229861AbhDDP4N (ORCPT + 99 others); Sun, 4 Apr 2021 11:56:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60150 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230495AbhDDP4L (ORCPT ); Sun, 4 Apr 2021 11:56:11 -0400 Received: from zeniv-ca.linux.org.uk (zeniv-ca.linux.org.uk [IPv6:2607:5300:60:148a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 61B70C061756; Sun, 4 Apr 2021 08:56:06 -0700 (PDT) Received: from viro by zeniv-ca.linux.org.uk with local (Exim 4.94 #2 (Red Hat Linux)) id 1lT56Y-002UUF-A9; Sun, 04 Apr 2021 15:56:02 +0000 Date: Sun, 4 Apr 2021 15:56:02 +0000 From: Al Viro To: Christian Brauner Cc: Jens Axboe , syzbot , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, io-uring@vger.kernel.org Subject: Re: [syzbot] WARNING in mntput_no_expire (2) Message-ID: References: <0000000000003a565e05bee596f2@google.com> <20210401154515.k24qdd2lzhtneu47@wittgenstein> <90e7e339-eaec-adb2-cfed-6dc058a117a3@kernel.dk> <20210401174613.vymhhrfsemypougv@wittgenstein> <20210401175919.jpiylhfrlb4xb67u@wittgenstein> <20210404113445.xo6ntgfpxigcb3x6@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210404113445.xo6ntgfpxigcb3x6@wittgenstein> Sender: Al Viro Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Apr 04, 2021 at 01:34:45PM +0200, Christian Brauner wrote: > Sorry for not replying to your earlier mail but I've been debugging this > too. My current theory is that it's related to LOOKUP_ROOT_GRABBED when > LOOKUP_CACHED is specified _possibly_ with an interaction how > create_io_thread() is created with CLONE_FS. The reproducer requires you > either have called pivot_root() or chroot() in order for the failure to > happen. So I think the fact that we skip legitimize_root() when > LOOKUP_CACHED is set might figure into this. I can keep digging. > > Funny enough I already placed a printk statement into the place you > wanted one too so I just amended mine. Here's what you get: > > If pivot pivot_root() is used before the chroot() you get: > > [ 637.464555] AAAA: count(-1) | mnt_mntpoint(/) | mnt->mnt.mnt_root(/) | id(579) | dev(tmpfs) > > if you only call chroot, i.e. make the pivot_root() branch a simple > if (true) you get: > > [ 955.206117] AAAA: count(-2) | mnt_mntpoint(/) | mnt->mnt.mnt_root(/) | id(580) | dev(tmpfs) Very interesting. What happens if you call loop() twice? And now I wonder whether it's root or cwd, actually... Hmm... How about this: fd = open("/proc/self/mountinfo", 0); mkdir("./newroot/foo", 0777); mount("./newroot/foo", "./newroot/foo", 0, MS_BIND, NULL); chroot("./newroot"); chdir("/foo"); while (1) { static char buf[4096]; int n = read(fd, buf, 4096); if (n <= 0) break; write(1, buf, n); } close(fd); drop_caps(); loop(); as the end of namespace_sandbox_proc(), instead of chroot("./newroot"); chdir("/"); drop_caps(); loop(); sequence we have there? > The cat /proc/self/mountinfo is for the id(579) below: ... and it misses the damn thing, since we call it before the mount in question had been created ;-/ So we'd probably be better off not trying to be clever and just doing that as explicit (and completely untested) read-write loop above.