Re: [syzbot] [overlayfs?] possible deadlock in seq_read_iter (2)

From: Hillf Danton
Date: Mon Jan 29 2024 - 00:08:11 EST


On Sun, 28 Jan 2024 21:43:35 +0000 Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> On Sat, Jan 27, 2024 at 07:46:10PM +0800, Hillf Danton wrote:
> > On Tue, 19 Dec 2023 11:43:27 -0800
> > > syzbot has found a reproducer for the following issue on:
> > >
> > > HEAD commit: 2cf4f94d8e86 Merge tag 'scsi-fixes' of git://git.kernel.or..
> > > git tree: upstream
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=154aa8d6e80000
> >
> > #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 2cf4f94d8e86
> >
> > --- x/fs/namei.c
> > +++ y/fs/namei.c
> > @@ -3533,6 +3533,8 @@ static const char *open_last_lookups(str
> >
> > if (open_flag & (O_CREAT | O_TRUNC | O_WRONLY | O_RDWR)) {
> > got_write = !mnt_want_write(nd->path.mnt);
> > + if (!got_write && (open_flag & O_CREAT))
> > + return ERR_PTR(-EISDIR);
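Review bot: the early return added right after `got_write = !mnt_want_write(nd->path.mnt);` turns every failed mnt_want_write() under O_CREAT into a hard error, which reaches far beyond the deadlock being debugged. mnt_want_write() fails legitimately on a read-only filesystem, and there an O_CREAT open of a file that already exists is supposed to proceed with the lookup (and a genuinely new file to fail with EROFS), so -EISDIR is the wrong errno and the unconditional bail-out is the wrong shape; the existing code below this point already deals with the !got_write case. If the goal is only to confirm that this path takes sb_writers ahead of inode_lock() (the -> #3 chain in the lockdep report), a WARN_ON_ONCE() or printk() here would record that without changing what open(2) returns.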
>
> NAK.

Thanks for looking at it, the AV legend.
>
> Please, RTFComment just below your addition.

That is a simple debug patch to test why mnt_want_write() is needed in
ovl_create_object() as per the syzbot report [1], given the locking
order in open_last_lookups() in case of O_CREAT.

mnt_want_write();
inode_lock();

> Besides, EISDIR is
> obviously bogus in a lot of cases, starting with attempting to
> create a new file on a read-only filesystem.

EISDIR should have been replaced with EDEADLOCK.

-> #3
(sb_writers#4){.+.+}-{0:0}:
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1635 [inline]
sb_start_write+0x4d/0x1c0 include/linux/fs.h:1710
mnt_want_write+0x3f/0x90 fs/namespace.c:404
ovl_create_object+0x13b/0x360 fs/overlayfs/dir.c:629
lookup_open fs/namei.c:3477 [inline]
open_last_lookups fs/namei.c:3546 [inline]
path_openat+0x13fa/0x3290 fs/namei.c:3776
do_filp_open+0x234/0x490 fs/namei.c:3809
do_sys_openat2+0x13e/0x1d0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_open fs/open.c:1460 [inline]
__se_sys_open fs/open.c:1456 [inline]
__x64_sys_open+0x225/0x270 fs/open.c:1456
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x45/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

[1] https://lore.kernel.org/lkml/0000000000008efd70060ce21487@xxxxxxxxxx/