bisecting cause commit starting from 6642d600b541b81931fb1ab0c041b0d68f77be7e building syzkaller on fc9fd31ee7998c8b747752791000ea4eef07b5c6 testing commit 6642d600b541b81931fb1ab0c041b0d68f77be7e with gcc (GCC) 8.1.0 kernel signature: fffecc25f519e7ccdeb04baf8b08a2a6e245b8cdb4a1066baa21db724ed70828 all runs: crashed: possible deadlock in ovl_dir_real_file testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: 1176f6e3da191cd9a4f0adcc96b27926a7b0fee4c392f5c3802a03719279a08f all runs: OK # git bisect start 6642d600b541b81931fb1ab0c041b0d68f77be7e 2c85ebc57b3e1817b6ce1a6b703928e113a90442 Bisecting: 7462 revisions left to test after this (roughly 13 steps) [ee249d30fadec7677364063648f5547e243bf93f] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input testing commit ee249d30fadec7677364063648f5547e243bf93f with gcc (GCC) 8.1.0 kernel signature: 02cd97a3265d6327b9dc2c99c350f8d831e3669ead3405c75427fe788b29b37a all runs: OK # git bisect good ee249d30fadec7677364063648f5547e243bf93f Bisecting: 3727 revisions left to test after this (roughly 12 steps) [09c0796adf0c793462fda1d7c8c43324551405c7] Merge tag 'trace-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit 09c0796adf0c793462fda1d7c8c43324551405c7 with gcc (GCC) 8.1.0 kernel signature: b1d4bf45aa9480af833b843a596a61385f04fb120e13815c50387c1ded9b8a87 all runs: crashed: possible deadlock in ovl_dir_real_file # git bisect bad 09c0796adf0c793462fda1d7c8c43324551405c7 Bisecting: 1840 revisions left to test after this (roughly 11 steps) [19778dd504b5ff5c3c1283aa3da7a56f34c2c3b0] Merge tag 'iommu-updates-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux testing commit 19778dd504b5ff5c3c1283aa3da7a56f34c2c3b0 with gcc (GCC) 8.1.0 kernel signature: fffefbccf5b4fa4c3260b3ab0fa017e0a5d71b2fe1a53dc35c1a879fd3e99b0a all runs: OK # git bisect good 19778dd504b5ff5c3c1283aa3da7a56f34c2c3b0 Bisecting: 1116 revisions left to test after this (roughly 10 steps) [13719d8d0d67998435c5748998ef686a10eefb4a] Merge branch 'sparx5-next' of https://github.com/microchip-ung/linux-upstream into arm/dt testing commit 13719d8d0d67998435c5748998ef686a10eefb4a with gcc (GCC) 8.1.0 kernel signature: b9718abe5bf03dfee898db1109502e76dc73980142fd186e54d5107a2400f15f run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 13719d8d0d67998435c5748998ef686a10eefb4a Bisecting: 685 revisions left to test after this (roughly 9 steps) [9805529ec544ea7a82d891d5239a8ebd3dbb2a3e] Merge tag 'arm-soc-dt-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e with gcc (GCC) 8.1.0 kernel signature: 65993e7867388edc139d718be1f61798dd2e610add17660c7e442d0d41a2bdcf all runs: OK # git bisect good 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e Bisecting: 357 revisions left to test after this (roughly 9 steps) [b97d4c424e362ebf88fd9aa1b7ad82e3a28c26d3] Merge tag 'for_v5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs testing commit b97d4c424e362ebf88fd9aa1b7ad82e3a28c26d3 with gcc (GCC) 8.1.0 kernel signature: 2ae993c82ec42033d78dd6d1680e4fe14b4a7257fcb250221c4c6edf8e024a5e all runs: OK # git bisect good b97d4c424e362ebf88fd9aa1b7ad82e3a28c26d3 Bisecting: 133 revisions left to test after this (roughly 8 steps) [74f602dc96dd854c7b2034947798c1e2a6b84066] Merge tag 'nfs-for-5.11-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs testing commit 74f602dc96dd854c7b2034947798c1e2a6b84066 with gcc (GCC) 8.1.0 kernel signature: 9c7a48c7107e6e2722d6e64a3a48b0aae8dd93f29ec22de2b2265d6b40f0c5b4 all runs: crashed: possible deadlock in ovl_dir_real_file # git bisect bad 74f602dc96dd854c7b2034947798c1e2a6b84066 Bisecting: 91 revisions left to test after this (roughly 7 steps) [be695ee29e8fc0af266d9f1882868c47da01a790] Merge tag 'ceph-for-5.11-rc1' of git://github.com/ceph/ceph-client testing commit be695ee29e8fc0af266d9f1882868c47da01a790 with gcc (GCC) 8.1.0 kernel signature: 7f1c6b71f6ff2ddbf4a028a0121c3b00bc3aee8d738fc552adab867ff577c842 all runs: crashed: possible deadlock in ovl_dir_real_file # git bisect bad be695ee29e8fc0af266d9f1882868c47da01a790 Bisecting: 59 revisions left to test after this (roughly 6 steps) [92dbc9dedccb9759c7f9f2f0ae6242396376988f] Merge tag 'ovl-update-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs testing commit 92dbc9dedccb9759c7f9f2f0ae6242396376988f with gcc (GCC) 8.1.0 kernel signature: 4ab6a0bd608186d8aadde5acb76d056b857b62b72ee36f59be52d1457511a44e all runs: crashed: possible deadlock in ovl_dir_real_file # git bisect bad 92dbc9dedccb9759c7f9f2f0ae6242396376988f Bisecting: 35 revisions left to test after this (roughly 5 steps) [75e91c888989cf2df5c78b251b07de1f5052e30e] f2fs: compress: fix compression chksum testing commit 75e91c888989cf2df5c78b251b07de1f5052e30e with gcc (GCC) 8.1.0 kernel signature: 85d7eebe218758962018ff710a4d0026fafb55ebb8e1eb4923d9cc2ab5d77f59 all runs: OK # git bisect good 75e91c888989cf2df5c78b251b07de1f5052e30e Bisecting: 17 revisions left to test after this (roughly 4 steps) [65de0b89d7d5e173d71cb50dfae786133c579308] Merge tag 'fuse-update-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse testing commit 65de0b89d7d5e173d71cb50dfae786133c579308 with gcc (GCC) 8.1.0 kernel signature: 788d427dac08f0941bca1990016631940efc0c039f42eff01cad91b70c4574cb all runs: OK # git bisect good 65de0b89d7d5e173d71cb50dfae786133c579308 Bisecting: 8 revisions left to test after this (roughly 3 steps) [3078d85c9a1099405a0463c4d112ba97ee5bd217] vfs: verify source area in vfs_dedupe_file_range_one() testing commit 3078d85c9a1099405a0463c4d112ba97ee5bd217 with gcc (GCC) 8.1.0 kernel signature: b53cdeddb50a45af419670c594e41504bd67af28f1e17196e7a1e0e98bd96323 all runs: OK # git bisect good 3078d85c9a1099405a0463c4d112ba97ee5bd217 Bisecting: 4 revisions left to test after this (roughly 2 steps) [2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1] ovl: user xattr testing commit 2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1 with gcc (GCC) 8.1.0 kernel signature: 1d4173ed656f49d96f8df5fa5baa3991e5d85a098d546bacfd1196d9844faa1e all runs: crashed: possible deadlock in ovl_dir_real_file # git bisect bad 2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1 Bisecting: 1 revision left to test after this (roughly 1 step) [89bdfaf93d9157499c3a0d61f489df66f2dead7f] ovl: make ioctl() safe testing commit 89bdfaf93d9157499c3a0d61f489df66f2dead7f with gcc (GCC) 8.1.0 kernel signature: 865cdad108049d83078baf7b64814fd70d37fd63a5826baefc394bab0ff7786e all runs: crashed: possible deadlock in ovl_dir_real_file # git bisect bad 89bdfaf93d9157499c3a0d61f489df66f2dead7f Bisecting: 0 revisions left to test after this (roughly 0 steps) [c846af050f944d584f28bc0de310383003c8096d] ovl: check privs before decoding file handle testing commit c846af050f944d584f28bc0de310383003c8096d with gcc (GCC) 8.1.0 kernel signature: 739b24661294ffb8b2d79ccaa2b5232734f06e1de707084e3f2021aaf08b86f7 all runs: OK # git bisect good c846af050f944d584f28bc0de310383003c8096d 89bdfaf93d9157499c3a0d61f489df66f2dead7f is the first bad commit commit 89bdfaf93d9157499c3a0d61f489df66f2dead7f Author: Miklos Szeredi Date: Mon Dec 14 15:26:14 2020 +0100 ovl: make ioctl() safe ovl_ioctl_set_flags() does a capability check using flags, but then the real ioctl double-fetches flags and uses potentially different value. The "Check the capability before cred override" comment misleading: user can skip this check by presenting benign flags first and then overwriting them to non-benign flags. Just remove the cred override for now, hoping this doesn't cause a regression. The proper solution is to create a new setxflags i_op (patches are in the works). Xfstests don't show a regression. Reported-by: Dmitry Vyukov Signed-off-by: Miklos Szeredi Reviewed-by: Amir Goldstein Fixes: dab5ca8fd9dd ("ovl: add lsattr/chattr support") Cc: # v4.19 fs/overlayfs/file.c | 87 ++++++++++------------------------------------------- 1 file changed, 16 insertions(+), 71 deletions(-) culprit signature: 865cdad108049d83078baf7b64814fd70d37fd63a5826baefc394bab0ff7786e parent signature: 739b24661294ffb8b2d79ccaa2b5232734f06e1de707084e3f2021aaf08b86f7 revisions tested: 17, total time: 3h11m48.915128269s (build: 1h24m55.00358731s, test: 1h44m48.978578861s) first bad commit: 89bdfaf93d9157499c3a0d61f489df66f2dead7f ovl: make ioctl() safe recipients (to): ["amir73il@gmail.com" "linux-unionfs@vger.kernel.org" "miklos@szeredi.hu" "mszeredi@redhat.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: possible deadlock in ovl_dir_real_file ============================================ WARNING: possible recursive locking detected 5.10.0-rc1-syzkaller #0 Not tainted -------------------------------------------- syz-executor.3/10150 is trying to acquire lock: ffff888114d69e20 (&ovl_i_mutex_dir_key[depth]){++++}-{3:3}, at: inode_lock include/linux/fs.h:774 [inline] ffff888114d69e20 (&ovl_i_mutex_dir_key[depth]){++++}-{3:3}, at: ovl_dir_real_file+0xd3/0x140 fs/overlayfs/readdir.c:886 but task is already holding lock: ffff888114d69e20 (&ovl_i_mutex_dir_key[depth]){++++}-{3:3}, at: inode_lock include/linux/fs.h:774 [inline] ffff888114d69e20 (&ovl_i_mutex_dir_key[depth]){++++}-{3:3}, at: ovl_ioctl_set_flags fs/overlayfs/file.c:577 [inline] ffff888114d69e20 (&ovl_i_mutex_dir_key[depth]){++++}-{3:3}, at: ovl_ioctl+0x82/0x160 fs/overlayfs/file.c:616 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&ovl_i_mutex_dir_key[depth]); lock(&ovl_i_mutex_dir_key[depth]); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by syz-executor.3/10150: #0: ffff88811eeb5460 (sb_writers#15){.+.+}-{0:0}, at: sb_start_write include/linux/fs.h:1648 [inline] #0: ffff88811eeb5460 (sb_writers#15){.+.+}-{0:0}, at: mnt_want_write_file+0x1f/0x60 fs/namespace.c:412 #1: ffff888114d69e20 (&ovl_i_mutex_dir_key[depth]){++++}-{3:3}, at: inode_lock include/linux/fs.h:774 [inline] #1: ffff888114d69e20 (&ovl_i_mutex_dir_key[depth]){++++}-{3:3}, at: ovl_ioctl_set_flags fs/overlayfs/file.c:577 [inline] #1: ffff888114d69e20 (&ovl_i_mutex_dir_key[depth]){++++}-{3:3}, at: ovl_ioctl+0x82/0x160 fs/overlayfs/file.c:616 stack backtrace: CPU: 1 PID: 10150 Comm: syz-executor.3 Not tainted 5.10.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x77/0x97 lib/dump_stack.c:118 print_deadlock_bug kernel/locking/lockdep.c:2759 [inline] check_deadlock kernel/locking/lockdep.c:2800 [inline] validate_chain kernel/locking/lockdep.c:3591 [inline] __lock_acquire.cold.60+0x17a/0x2e8 kernel/locking/lockdep.c:4837 lock_acquire+0xd0/0x420 kernel/locking/lockdep.c:5442 down_write+0x33/0x70 kernel/locking/rwsem.c:1531 inode_lock include/linux/fs.h:774 [inline] ovl_dir_real_file+0xd3/0x140 fs/overlayfs/readdir.c:886 ovl_real_fdget+0x32/0x70 fs/overlayfs/file.c:141 ovl_real_ioctl+0x25/0x90 fs/overlayfs/file.c:546 ovl_ioctl_set_flags fs/overlayfs/file.c:592 [inline] ovl_ioctl+0xc9/0x160 fs/overlayfs/file.c:616 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x7c/0xb0 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45e219 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fce60297c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219 RDX: 0000000000000000 RSI: 0000000040086602 RDI: 0000000000000003 RBP: 000000000119bfc0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf8c R13: 00007ffc8c9eb7cf R14: 00007fce602989c0 R15: 000000000119bf8c