Re: [PATCH v2] ovl: keep err zero after successful ovl_cache_get()
From: Amir Goldstein
Date: Thu May 14 2026 - 15:20:19 EST
On Thu, May 14, 2026 at 5:26 PM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
>
> On Thu, May 14, 2026 at 4:43 PM Nirmoy Das <nirmoyd@xxxxxxxxxx> wrote:
> >
> > ovl_iterate_merged() stores PTR_ERR(cache) in err before checking
> > IS_ERR(cache). On success err holds the truncated cache pointer and
> > can be returned as a bogus non-zero error.
> >
> > The syzbot reproducer reaches this through overlay-on-overlay readdir:
> >
> >   getdents64
> >     iterate_dir(outer overlay file)
> >       ovl_iterate_merged()
> >         ovl_cache_get()
> >           ovl_dir_read_merged()
> >             ovl_dir_read()
> >               iterate_dir(inner overlay file)
> >                 ovl_iterate_merged()
> >
> > Only compute PTR_ERR(cache) on the error path.
> >
> > Fixes: d25e4b739f83 ("ovl: refactor ovl_iterate() and port to cred guard")
> > Reported-by: syzbot+a16fb0cce329a320661c@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com/bug?extid=a16fb0cce329a320661c
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Nirmoy Das <nirmoyd@xxxxxxxxxx>
> > ---
> > v2:
> > - Drop the now-redundant 'int err = 0' initializer and the trailing
> > 'return err' in ovl_iterate_merged(); err is only used inside the
> > loop's update-check, so the function can just return 0 on success.
> > (Amir Goldstein)
> > - Link to v1:
> > https://lore.kernel.org/all/20260514111354.3552538-1-nirmoyd@xxxxxxxxxx/
> >
>
> I queue this up and will work on fortifying patches.

Nirmoy,

I pushed fortify patches to ovl-fixes on my github [1].

Can you verify that the assertions trigger if you revert your fix
and run the reproducer?

I imagine they would trigger much more frequently than the KASAN
warnings do.

Thanks,
Amir.

[1] https://github.com/amir73il/linux/commits/ovl-fixes/
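
The pattern described in the quoted commit message, as an added userspace model (not the kernel's code and not part of this thread). ERR_PTR/PTR_ERR/IS_ERR are re-implemented here after the kernel's err.h helpers; `struct cache`, `cache_get()`, `iterate_buggy()` and `iterate_fixed()` are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace re-implementation of the kernel's err.h helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

struct cache { int refcount; };		/* hypothetical stand-in */
static struct cache the_cache;

/* Hypothetical getter: valid pointer on success, ERR_PTR() on failure. */
static struct cache *cache_get(int fail)
{
	return fail ? ERR_PTR(-ENOMEM) : &the_cache;
}

/* Buggy shape: err is assigned before the IS_ERR() check. */
static int iterate_buggy(int fail)
{
	struct cache *cache = cache_get(fail);
	int err = PTR_ERR(cache);	/* on success: low bits of a valid pointer */

	if (IS_ERR(cache))
		return err;
	/* ... directory iteration elided in this model ... */
	return err;			/* success path returns the truncated pointer */
}

/* Fixed shape: PTR_ERR() is evaluated only on the error path. */
static int iterate_fixed(int fail)
{
	struct cache *cache = cache_get(fail);

	if (IS_ERR(cache))
		return PTR_ERR(cache);
	/* ... directory iteration elided in this model ... */
	return 0;
}

int main(void)
{
	printf("buggy: ok=%d fail=%d\n", iterate_buggy(0), iterate_buggy(1));
	printf("fixed: ok=%d fail=%d\n", iterate_fixed(0), iterate_fixed(1));
	return 0;
}
```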