Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp406690pxy; Wed, 5 May 2021 05:17:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy6NgrdPo8Xx1PmNZdDPFvxMR4BAXnUC8k+5wUr0PqicgFYkclGEja2FK9j6sQXkIWUsBdn X-Received: by 2002:a17:902:c651:b029:ee:9ce7:2d74 with SMTP id s17-20020a170902c651b02900ee9ce72d74mr29488968pls.84.1620217036185; Wed, 05 May 2021 05:17:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620217036; cv=none; d=google.com; s=arc-20160816; b=BSJyfHwiBij71ZeOtyazVuVA4D4Mq7oZ8c6ztQnZE+UpCEmAYIdJXMbgpPhEY6MLyp Mjpqlj3BgsCnXbatoovSfwNMvfK2KwIdKAkeYuojGR7fyS+4PPA9zbOTH4Hy4Yi2ix1r 3WSvkKPcXP3SseMiu6isFl3tY6khHb9OBGV/SSIaRCLW0nlmbjJikA3aDLZgpwAQKhBn iYj0uiLpUk8I7lbzt5OtWovi7dkWqbZuBmBM0rDkX3u0G470GfBXHrQSVyHyPlNu0ll0 WGNQ9Fzf5WsLdekl4vL3QJwYqO3PVHenhR6BE4iwoEwM+1vSuU5JIDbIqqj9gYzlZpf5 Dsig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=/iz1HysII/dUIEcorNl/HwTqGIYmotZJyik1S7xaNlY=; b=Amj3LHfdbMVWHdiSHynDqjn3ILrkymcKHqVkoRDupK72TMKiTmqL5mxdHDpUQgmlqJ zuzvI/bw9LjQrKwfS/owaaFw1HzJRl1CduH2g1kacpAbzCS371+gR5MbUnlrsVCnMf34 OIyGRr49pL+p3DfRXs89/R8hYUekTfkrsl93BnlEfWa209/VFGmgy/AavrgGU9s8RkJT i3Zxln29BRARxVC2xLjHQFZ9DDV5Vdpjqcq8WcyOPLQrVhMW7ESj7uuK7bhCDMcQvP+6 4diRB9d1yh/QdOdGBcWc9lJSE5QK2XC7NQPGjXlVYVrDLxGpBhV1aLm2rGGo0027LtkI RTEg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="h+Q36sU/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r19si20265354pjo.35.2021.05.05.05.17.03; Wed, 05 May 2021 05:17:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="h+Q36sU/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234080AbhEEMOp (ORCPT + 99 others); Wed, 5 May 2021 08:14:45 -0400 Received: from mail.kernel.org ([198.145.29.99]:53680 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233524AbhEEMKh (ORCPT ); Wed, 5 May 2021 08:10:37 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3BDA361402; Wed, 5 May 2021 12:09:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620216572; bh=C9ke7v72V70s1IdVAQHEb0HbJn+RJXrdfqqY1sv86ws=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=h+Q36sU/QXnrVa6Gp5zDyzC3sE3WhhLVUJKs3M47CFcuCGlVR4IyDSLOsE8BbItNM fFjk2m/BCuUIUPFtDtdQdTJRgotokvyNCi80LxMGuSwW3XMiMyW3VFIZziApfKwJfS A28sQtntPxhL1QYbcr7gd+nU9ij8IK1IpXgePoOc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Amir Goldstein , syzbot , =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Vivek Goyal , Miklos Szeredi Subject: [PATCH 5.11 22/31] ovl: fix leaked dentry Date: Wed, 5 May 2021 14:06:11 +0200 Message-Id: <20210505112327.401594800@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210505112326.672439569@linuxfoundation.org> References: <20210505112326.672439569@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Mickaël Salaün commit eaab1d45cdb4bb0c846bd23c3d666d5b90af7b41 upstream. Since commit 6815f479ca90 ("ovl: use only uppermetacopy state in ovl_lookup()"), overlayfs doesn't put temporary dentry when there is a metacopy error, which leads to dentry leaks when shutting down the related superblock: overlayfs: refusing to follow metacopy origin for (/file0) ... BUG: Dentry (____ptrval____){i=3f33,n=file3} still in use (1) [unmount of overlay overlay] ... WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1 ... RIP: 0010:umount_check.cold+0x107/0x14d ... Call Trace: d_walk+0x28c/0x950 ? dentry_lru_isolate+0x2b0/0x2b0 ? __kasan_slab_free+0x12/0x20 do_one_tree+0x33/0x60 shrink_dcache_for_umount+0x78/0x1d0 generic_shutdown_super+0x70/0x440 kill_anon_super+0x3e/0x70 deactivate_locked_super+0xc4/0x160 deactivate_super+0xfa/0x140 cleanup_mnt+0x22e/0x370 __cleanup_mnt+0x1a/0x30 task_work_run+0x139/0x210 do_exit+0xb0c/0x2820 ? __kasan_check_read+0x1d/0x30 ? find_held_lock+0x35/0x160 ? lock_release+0x1b6/0x660 ? mm_update_next_owner+0xa20/0xa20 ? reacquire_held_locks+0x3f0/0x3f0 ? __sanitizer_cov_trace_const_cmp4+0x22/0x30 do_group_exit+0x135/0x380 __do_sys_exit_group.isra.0+0x20/0x20 __x64_sys_exit_group+0x3c/0x50 do_syscall_64+0x45/0x70 entry_SYSCALL_64_after_hwframe+0x44/0xae ... VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds. Have a nice day... This fix has been tested with a syzkaller reproducer. Cc: Amir Goldstein Cc: # v5.8+ Reported-by: syzbot Fixes: 6815f479ca90 ("ovl: use only uppermetacopy state in ovl_lookup()") Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20210329164907.2133175-1-mic@digikod.net Reviewed-by: Vivek Goyal Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman --- fs/overlayfs/namei.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/overlayfs/namei.c +++ b/fs/overlayfs/namei.c @@ -919,6 +919,7 @@ struct dentry *ovl_lookup(struct inode * continue; if ((uppermetacopy || d.metacopy) && !ofs->config.metacopy) { + dput(this); err = -EPERM; pr_warn_ratelimited("refusing to follow metacopy origin for (%pd2)\n", dentry); goto out_put;