From: Amir Goldstein
Date: Sat, 25 Nov 2023 11:21:27 +0200
Subject: Re: [syzbot] [overlayfs?] KASAN: invalid-free in ovl_copy_up_one
To: Jann Horn
Cc: syzbot, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-unionfs@vger.kernel.org, miklos@szeredi.hu, syzkaller-bugs@googlegroups.com

On Fri, Nov 24, 2023 at 5:26 PM Jann Horn wrote:
>
> On Fri, Nov 24, 2023 at 4:11 PM Jann Horn wrote:
> >
> > On Wed, Sep 27, 2023 at 5:10 PM syzbot wrote:
> > > syzbot has tested the proposed patch and the reproducer did not trigger any issue:
> > >
> > > Reported-and-tested-by: syzbot+477d8d8901756d1cbba1@syzkaller.appspotmail.com
> > >
> > > Tested on:
> > >
> > > commit:         8e9b46c4 ovl: do not encode lower fh with upper sb_wri..
> > > git tree:       https://github.com/amir73il/linux.git ovl_want_write
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=10d10ffa680000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=bb54ecdfa197f132
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=477d8d8901756d1cbba1
> > > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> >
> > It looks like the fix was submitted without the Reported-by tag, so
> > syzkaller doesn't recognize that the fix has landed...
> > I'll tell
> > syzkaller now which commit the fix is supposed to be in, please
> > correct me if this is wrong:
> >
> > #syz fix: ovl: do not encode lower fh with upper sb_writers held
>
> (Ah, and just for the record: I hadn't realized when writing this that
> the fix was actually in a newer version of the same patch... "git

That is correct.

I am very thankful to syzbot for helping me catch bugs during development,
and I would gladly attribute the bot and its owners, but I don't think that
Reported-and-tested-by is an adequate tag for a bug that never existed
as far as git history is concerned.
Even Tested-by: syzbot could be misleading to stable kernel bots, which may
conclude that the patch is a fix that needs to be applied to stable.

I am open to suggestions.
Also maybe "#syz correction:", to tell syzbot that we are not fixing a bug in
upstream, but in a previous version of a patch that it had tested.

> range-diff 44ef23e481b02df2f17599a24f81cf0045dc5256~1..44ef23e481b02df2f17599a24f81cf0045dc5256
> 5b02bfc1e7e3811c5bf7f0fa626a0694d0dbbd77~1..5b02bfc1e7e3811c5bf7f0fa626a0694d0dbbd77"
> shows an added "ovl_get_index_name", I guess that's the fix?)

No, that added ovl_get_index_name() seems like a fluke of the range-diff tool.
All the revisions of this patch always had this same minor change in this line:

-	err = ovl_get_index_name(ofs, c->lowerpath.dentry, &c->destname);
+	err = ovl_get_index_name(ofs, origin, &c->destname);

The fix is obviously in the other part of the range-diff.

Thanks,
Amir.
if (err) - return err; -+ goto out; ++ goto out_free_fh; } else if (WARN_ON(!c->parent)) { /* Disconnected dentry must be copied up to index dir */ - return -EIO; + err =3D -EIO; -+ goto out; ++ goto out_free_fh; } else { /* * Mark parent "impure" because it may now contain non-pure @@ fs/overlayfs/copy_up.c: static int ovl_do_copy_up(struct ovl_copy_up_ctx *c) ovl_end_write(c->dentry); if (err) - return err; -+ goto out; ++ goto out_free_fh; } /* Should we copyup with O_TMPFILE or with workdir? */ @@ fs/overlayfs/copy_up.c: static int ovl_do_copy_up(struct ovl_copy_up_ctx *c) out: if (to_index) kfree(c->destname.name); ++out_free_fh: + kfree(fh); return err; }
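Review bot: the substantive correction in this range-diff is the first `-+ goto out;` / `++ goto out_free_fh;` pair, which (judging from the `err = ovl_get_index_name(ofs, origin, &c->destname);` line quoted above it) is the failure path of the index-name lookup itself; with the old target, that path reached `out:` and ran `if (to_index) kfree(c->destname.name);` on a `destname` the failed call never filled in, which fits the KASAN invalid-free in the subject. The new `out_free_fh:` label is placed directly below `out:`, so error paths that still jump to `out:` fall through to `kfree(fh)` and no leak is introduced by the retargeting. Since the two labels now encode an invariant (`out:` is only safe once `c->destname` is valid), a one-line comment above them, or a short `/* destname not yet allocated */` beside the retargeted gotos, would keep a later edit from reintroducing the same mix-up.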