Received: by 2002:a05:7412:d1aa:b0:fc:a2b0:25d7 with SMTP id ba42csp188106rdb; Sun, 28 Jan 2024 21:08:12 -0800 (PST) X-Google-Smtp-Source: AGHT+IGDZi0KWPgTPi0iDQjmWZdLeqq+Ju2tFlHS5kKJl9/csqoLkQt+bDOutxRB7jvqW+RR9vqu X-Received: by 2002:a05:622a:1807:b0:42a:a69b:9734 with SMTP id t7-20020a05622a180700b0042aa69b9734mr1131975qtc.56.1706504891789; Sun, 28 Jan 2024 21:08:11 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706504891; cv=pass; d=google.com; s=arc-20160816; b=ZwhbIJ7w2g4pq4Egk3q/YWhli6JcRcfl8TlrAPk9cKgZbQmXb7FeRID83zMrAt9A4u BuVNyNMwTgkP2wazYszturZiw0M4IQHNF9XbBFhQLodhbnCiBUaErB5NZE1JqpDuTflk /CIxCIYR7MkwQGl+taLNMZwKCUZ6q8eHbRjJ9fAjq1k30/DMqbfi/Ar8zKhdnRySe5wc 7M/jrAuioCw6G9qPCvtaFKdynZiovryfLE8eizSlK04OWp77dN67CybWsoDnTO3KEH6V 7EfqK7x4WA7LHEIYS9o2YUi6StgiaVbzj3gcu5mg6/xztlef9tNRjW84oiJ2sxqTy4T7 93Aw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from; bh=5jUs2e400+yM4SejNOoUbZgtvQf/mbNfEshqIpa7cLg=; fh=+oO8yfuCY3mmugooaC9Df1afBaQvssqf70sLOGDaW14=; b=Jij8L05M5l7Lo3Y/oEQlGG+64ydG7/ULjcS1HXjAXdYvak1mO1fDL2BVC5bvgI2Ogs RksloGsY45riLT4eupip+chyysCTgcjtkG8OC3BZaz12yHcHXDHCT5Z07ur4iisiyC9y D2JfIIr8iHuS3D+5LdwFgxHi9NI5AlSsfzutAFh20PUzTQAZRI47iKFFUmtZ1t6K7SRU RP607xftsZoi8uTrmLu+bY7JFxUrT/NaTF9YkeHZ7AqfjF2Umg9QgqKcpmkXlvMMZT8k FVqhOSJWVvz+U7KXdIbvE2qNgZbd9Ld41vMkII/J1XBB807j05M3ffBjLVYHUUFKEZ3n pQgg== ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=sina.com); spf=pass (google.com: domain of linux-kernel+bounces-42177-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-42177-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id u8-20020ac858c8000000b0042aac17a904si80899qta.313.2024.01.28.21.08.11 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 28 Jan 2024 21:08:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-42177-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=sina.com); spf=pass (google.com: domain of linux-kernel+bounces-42177-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-42177-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 8B2031C21C1B for ; Mon, 29 Jan 2024 05:08:11 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 80BE542040; Mon, 29 Jan 2024 05:08:06 +0000 (UTC) Received: from mail115-118.sinamail.sina.com.cn (mail115-118.sinamail.sina.com.cn [218.30.115.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E2ADD335CC for ; Mon, 29 Jan 2024 05:08:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=218.30.115.118 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706504886; cv=none; b=D2hdqikOcL3Z40QoSL4xlVPGoq9ai1s95C3evMnMtqd54E14i+2E3OkRB0hzwulXF6EABMTuzFuSQ8pdC5WIiD/3W7thcTu+EaBmndHGb6zI+JrGUNBt9gODfMdpakKA/BphM30MmozGSGgIJn6VLYofCejSXBkDlzlUEa6SFyc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706504886; c=relaxed/simple; bh=i0IQCh6o0xdt0om92jW6gIk0NFwCoQpjaGyNJqppFyA=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=OLihTCwPtwgEuybi9tk6FtIyrHtwd7JQOhJLOABwMljcRINAWTsz4knHXG/aSjg/gUPvmW2ECgGs0zuhfaMW+iVMqcOX68qe5XgF49pKS0ciNIiFtzqMA7xbaiEeuyl2Eot1EOptmOALJj1iIeYsfPlgLh5dyMBXYo85u0m2GO8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com; spf=pass smtp.mailfrom=sina.com; arc=none smtp.client-ip=218.30.115.118 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sina.com X-SMAIL-HELO: localhost.localdomain Received: from unknown (HELO localhost.localdomain)([116.24.8.153]) by sina.com (172.16.235.25) with ESMTP id 65B732A6000007B4; Mon, 29 Jan 2024 13:07:52 +0800 (CST) X-Sender: hdanton@sina.com X-Auth-ID: hdanton@sina.com Authentication-Results: sina.com; spf=none smtp.mailfrom=hdanton@sina.com; dkim=none header.i=none; dmarc=none action=none header.from=hdanton@sina.com X-SMAIL-MID: 77711334210205 X-SMAIL-UIID: 5876B911FDAA459388955DD1AD8FC127-20240129-130752-1 From: Hillf Danton To: Al Viro Cc: syzbot , Amir Goldstein , linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] [overlayfs?] possible deadlock in seq_read_iter (2) Date: Mon, 29 Jan 2024 13:07:45 +0800 Message-Id: <20240129050745.1271-1-hdanton@sina.com> In-Reply-To: <20240128214335.GE2087318@ZenIV> References: <0000000000008efd70060ce21487@google.com> <20240127114610.961-1-hdanton@sina.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit On Sun, 28 Jan 2024 21:43:35 +0000 Al Viro > On Sat, Jan 27, 2024 at 07:46:10PM +0800, Hillf Danton wrote: > > On Tue, 19 Dec 2023 11:43:27 -0800 > > > syzbot has found a reproducer for the following issue on: > > > > > > HEAD commit: 2cf4f94d8e86 Merge tag 'scsi-fixes' of git://git.kernel.or.. > > > git tree: upstream > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=154aa8d6e80000 > > > > #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 2cf4f94d8e86 > > > > --- x/fs/namei.c > > +++ y/fs/namei.c > > @@ -3533,6 +3533,8 @@ static const char *open_last_lookups(str > > > > if (open_flag & (O_CREAT | O_TRUNC | O_WRONLY | O_RDWR)) { > > got_write = !mnt_want_write(nd->path.mnt); > > + if (!got_write && (open_flag & O_CREAT)) > > + return ERR_PTR(-EISDIR); > > NAK. Thanks for looking at it, the AV legend. > > Please, RTFComment just below your addition. That is a simple debug patch to test why mnt_want_write() is needed in ovl_create_object() as per the syzbot report [1], given the locking order in open_last_lookups() in case of O_CREAT. mnt_want_write(); inode_lock(); > Besides, EISDIR is > obviously bogus in a lot of cases, starting with attempting to > create a new file on a read-only filesystem. EISDIR should have been replaced with EDEADLOCK. -> #3 (sb_writers#4){.+.+}-{0:0}: lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 percpu_down_read include/linux/percpu-rwsem.h:51 [inline] __sb_start_write include/linux/fs.h:1635 [inline] sb_start_write+0x4d/0x1c0 include/linux/fs.h:1710 mnt_want_write+0x3f/0x90 fs/namespace.c:404 ovl_create_object+0x13b/0x360 fs/overlayfs/dir.c:629 lookup_open fs/namei.c:3477 [inline] open_last_lookups fs/namei.c:3546 [inline] path_openat+0x13fa/0x3290 fs/namei.c:3776 do_filp_open+0x234/0x490 fs/namei.c:3809 do_sys_openat2+0x13e/0x1d0 fs/open.c:1437 do_sys_open fs/open.c:1452 [inline] __do_sys_open fs/open.c:1460 [inline] __se_sys_open fs/open.c:1456 [inline] __x64_sys_open+0x225/0x270 fs/open.c:1456 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x45/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b [1] https://lore.kernel.org/lkml/0000000000008efd70060ce21487@google.com/