bisecting fixing commit since 6d906f99817951e2257d577656899da02bb33105 building syzkaller on b0e8efcb4b0aac61f4647a76bbe54a5d38a370ba testing commit 6d906f99817951e2257d577656899da02bb33105 with gcc (GCC) 8.1.0 kernel signature: fc6cd5541ad5e0bd24c7a3b9d84c6a1c58a300fd0194aaa319196fd2d003846d run #0: crashed: possible deadlock in path_openat run #1: crashed: possible deadlock in path_openat run #2: crashed: possible deadlock in path_openat run #3: crashed: possible deadlock in path_openat run #4: crashed: possible deadlock in mnt_want_write run #5: crashed: possible deadlock in path_openat run #6: crashed: possible deadlock in path_openat run #7: crashed: possible deadlock in path_openat run #8: crashed: possible deadlock in path_openat run #9: crashed: possible deadlock in path_openat testing current HEAD 659caaf65dc9c7150aa3e80225ec6e66b25ab3ce testing commit 659caaf65dc9c7150aa3e80225ec6e66b25ab3ce with gcc (GCC) 8.1.0 kernel signature: 56b6cae6b6a5b3913d40184b6b18f4742da42f99c63d9e89f31ba47812475b42 all runs: OK # git bisect start 659caaf65dc9c7150aa3e80225ec6e66b25ab3ce 6d906f99817951e2257d577656899da02bb33105 Bisecting: 70276 revisions left to test after this (roughly 16 steps) [0196be12aab2dc3a3e44824045229b0e539be8fd] Merge tag 'for_v5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs testing commit 0196be12aab2dc3a3e44824045229b0e539be8fd with gcc (GCC) 8.1.0 kernel signature: 122596fdcf38fb4fc4ac4e05d8e0f93721e75771ff5a5a4212adf7852f715bfb all runs: OK # git bisect bad 0196be12aab2dc3a3e44824045229b0e539be8fd Bisecting: 35086 revisions left to test after this (roughly 15 steps) [77dcfe2b9edc98286cf18e03c243c9b999f955d9] Merge tag 'pm-5.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 77dcfe2b9edc98286cf18e03c243c9b999f955d9 with gcc (GCC) 8.1.0 kernel signature: 6b2f37d2ad4d7bb86edb16cb167df679e2d9d20d50507fca11074afdc0d79604 all runs: OK # git bisect bad 77dcfe2b9edc98286cf18e03c243c9b999f955d9 Bisecting: 17559 revisions left to test after this (roughly 14 steps) [af144a983402f7fd324ce556d9f9011a8b3e01fe] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit af144a983402f7fd324ce556d9f9011a8b3e01fe with gcc (GCC) 8.1.0 kernel signature: 4867332dd060b3c3d6c17184fd892d00b9e5dbe461680ec71b35b01b7fff177f all runs: OK # git bisect bad af144a983402f7fd324ce556d9f9011a8b3e01fe Bisecting: 8994 revisions left to test after this (roughly 13 steps) [a2d635decbfa9c1e4ae15cb05b68b2559f7f827c] Merge tag 'drm-next-2019-05-09' of git://anongit.freedesktop.org/drm/drm testing commit a2d635decbfa9c1e4ae15cb05b68b2559f7f827c with gcc (GCC) 8.1.0 kernel signature: 1cccdd8a32f9d5f91abd162e5b8f550e6af9cf49dad44a1ddf0fd52d547a253d run #0: crashed: possible deadlock in path_openat run #1: crashed: possible deadlock in mnt_want_write run #2: crashed: possible deadlock in path_openat run #3: crashed: possible deadlock in mnt_want_write run #4: crashed: possible deadlock in path_openat run #5: crashed: possible deadlock in mnt_want_write run #6: crashed: possible deadlock in mnt_want_write run #7: crashed: possible deadlock in mnt_want_write run #8: crashed: possible deadlock in path_openat run #9: crashed: possible deadlock in mnt_want_write # git bisect good a2d635decbfa9c1e4ae15cb05b68b2559f7f827c Bisecting: 4480 revisions left to test after this (roughly 12 steps) [d9351ea14ddca708d3cb384f828af4bf82fcc772] Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit d9351ea14ddca708d3cb384f828af4bf82fcc772 with gcc (GCC) 8.1.0 kernel signature: 1ab97e278d6560a82a43b9ca4cd81bf55f61770c871cb77d7a72e27a94eb4a63 run #0: crashed: possible deadlock in path_openat run #1: crashed: possible deadlock in path_openat run #2: crashed: possible deadlock in path_openat run #3: crashed: possible deadlock in path_openat run #4: crashed: possible deadlock in path_openat run #5: crashed: possible deadlock in path_openat run #6: crashed: possible deadlock in path_openat run #7: crashed: possible deadlock in mnt_want_write run #8: crashed: possible deadlock in path_openat run #9: crashed: possible deadlock in path_openat # git bisect good d9351ea14ddca708d3cb384f828af4bf82fcc772 Bisecting: 2235 revisions left to test after this (roughly 11 steps) [fe2da896fd9469317ff693fb08a86d9c435e101a] Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit fe2da896fd9469317ff693fb08a86d9c435e101a with gcc (GCC) 8.1.0 kernel signature: dbc0382ad57a8b859994d47778eb7fadaa253653cb52c6ba130c533c120778ac all runs: OK # git bisect bad fe2da896fd9469317ff693fb08a86d9c435e101a Bisecting: 1122 revisions left to test after this (roughly 10 steps) [5a8e0ff9b3f756759492f5e7ba3c4ae3f5641bfe] treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 393 testing commit 5a8e0ff9b3f756759492f5e7ba3c4ae3f5641bfe with gcc (GCC) 8.1.0 kernel signature: 93554df627a12e494943ef4e3d0de683dfbe4694bc00fec875253cbd28dd1d8e run #0: crashed: possible deadlock in path_openat run #1: crashed: possible deadlock in path_openat run #2: crashed: possible deadlock in mnt_want_write run #3: crashed: possible deadlock in mnt_want_write run #4: crashed: possible deadlock in mnt_want_write run #5: crashed: possible deadlock in path_openat run #6: crashed: possible deadlock in path_openat run #7: crashed: possible deadlock in path_openat run #8: crashed: possible deadlock in path_openat run #9: crashed: possible deadlock in path_openat # git bisect good 5a8e0ff9b3f756759492f5e7ba3c4ae3f5641bfe Bisecting: 561 revisions left to test after this (roughly 9 steps) [f763cf8e47d3aa4b081e0537d060c12818de8d0f] Merge branch 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit f763cf8e47d3aa4b081e0537d060c12818de8d0f with gcc (GCC) 8.1.0 kernel signature: 29d48170da3dee7a21360a5cbe52fd854914757e5a0d9deb63cdcd56a8063816 all runs: OK # git bisect bad f763cf8e47d3aa4b081e0537d060c12818de8d0f Bisecting: 296 revisions left to test after this (roughly 8 steps) [1ce2c85137b1db5b0e4158d558cb93dcff7674df] Merge tag 'char-misc-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit 1ce2c85137b1db5b0e4158d558cb93dcff7674df with gcc (GCC) 8.1.0 kernel signature: 90485e2de7a086fb23fbd0ade1d3da7ced21e4129b164662b5bfd3fa979e34eb all runs: OK # git bisect bad 1ce2c85137b1db5b0e4158d558cb93dcff7674df Bisecting: 131 revisions left to test after this (roughly 7 steps) [1e1d926369545ea09c98c6c7f5d109aa4ee0cd0b] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit 1e1d926369545ea09c98c6c7f5d109aa4ee0cd0b with gcc (GCC) 8.1.0 kernel signature: 11714a147c920263421353107c21e1ebff8126f1b8e6e4139823a3c786274e07 all runs: OK # git bisect bad 1e1d926369545ea09c98c6c7f5d109aa4ee0cd0b Bisecting: 66 revisions left to test after this (roughly 6 steps) [01047631df813f6247185547c3778c80af088a20] Merge tag 'xfs-5.2-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux testing commit 01047631df813f6247185547c3778c80af088a20 with gcc (GCC) 8.1.0 kernel signature: 425f386d2a15857ba3d44b63bf6295fdc668897546e8cd39213ec2cb625a6670 all runs: OK # git bisect bad 01047631df813f6247185547c3778c80af088a20 Bisecting: 33 revisions left to test after this (roughly 5 steps) [db309f2aedb88a938e37a6eac02be7a7e0e850b1] Merge tag 'pidfd-fixes-v5.2-rc4' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux testing commit db309f2aedb88a938e37a6eac02be7a7e0e850b1 with gcc (GCC) 8.1.0 kernel signature: 46510640a209107cae1c5c5953c2b28315c0cbe767423b53e2efd1c203b1c4ea run #0: crashed: possible deadlock in path_openat run #1: crashed: possible deadlock in path_openat run #2: crashed: possible deadlock in mnt_want_write run #3: crashed: possible deadlock in path_openat run #4: crashed: possible deadlock in path_openat run #5: crashed: possible deadlock in path_openat run #6: crashed: possible deadlock in path_openat run #7: crashed: possible deadlock in path_openat run #8: crashed: possible deadlock in mnt_want_write run #9: crashed: possible deadlock in path_openat # git bisect good db309f2aedb88a938e37a6eac02be7a7e0e850b1 Bisecting: 19 revisions left to test after this (roughly 4 steps) [44e843eb5cc383fe58fc8ec17dba0ab1dc45db2d] Merge tag 'for-rc-adfs' of git://git.armlinux.org.uk/~rmk/linux-arm testing commit 44e843eb5cc383fe58fc8ec17dba0ab1dc45db2d with gcc (GCC) 8.1.0 kernel signature: 46510640a209107cae1c5c5953c2b28315c0cbe767423b53e2efd1c203b1c4ea run #0: crashed: possible deadlock in mnt_want_write run #1: crashed: possible deadlock in path_openat run #2: crashed: possible deadlock in mnt_want_write run #3: crashed: possible deadlock in mnt_want_write run #4: crashed: possible deadlock in mnt_want_write run #5: crashed: possible deadlock in path_openat run #6: crashed: possible deadlock in path_openat run #7: crashed: possible deadlock in path_openat run #8: crashed: possible deadlock in path_openat run #9: crashed: possible deadlock in mnt_want_write # git bisect good 44e843eb5cc383fe58fc8ec17dba0ab1dc45db2d Bisecting: 8 revisions left to test after this (roughly 3 steps) [211758573b01f4cd27308464573d112ef85e0e1a] Merge tag 'fuse-fixes-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse testing commit 211758573b01f4cd27308464573d112ef85e0e1a with gcc (GCC) 8.1.0 kernel signature: ad224c2192c9b064e12ac1a19ffdd40f95271d659c12c635498e000ce5fc0801 all runs: crashed: possible deadlock in path_openat # git bisect good 211758573b01f4cd27308464573d112ef85e0e1a Bisecting: 4 revisions left to test after this (roughly 2 steps) [5d6b501fe5421c5df662e2935f55f5e3d2b5e012] Merge tag 'ovl-fixes-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs testing commit 5d6b501fe5421c5df662e2935f55f5e3d2b5e012 with gcc (GCC) 8.1.0 kernel signature: f487a6337fa0ecd1fc8aebb7605d32b0240eccc4fedf57093ae43fe6e636ab11 all runs: OK # git bisect bad 5d6b501fe5421c5df662e2935f55f5e3d2b5e012 Bisecting: 1 revision left to test after this (roughly 1 step) [146d62e5a5867fbf84490d82455718bfb10fe824] ovl: detect overlapping layers testing commit 146d62e5a5867fbf84490d82455718bfb10fe824 with gcc (GCC) 8.1.0 kernel signature: a6019652eb4cd30f8c4f949a748c78c4d7300426398e82af352c5b0cb71552df all runs: OK # git bisect bad 146d62e5a5867fbf84490d82455718bfb10fe824 Bisecting: 0 revisions left to test after this (roughly 0 steps) [b21d9c435f935014d3e3fa6914f2e4fbabb0e94d] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls testing commit b21d9c435f935014d3e3fa6914f2e4fbabb0e94d with gcc (GCC) 8.1.0 kernel signature: 75900661db9526992de0e97378042a0fbc7c2c533eea61d36371441447b32d17 all runs: crashed: possible deadlock in path_openat # git bisect good b21d9c435f935014d3e3fa6914f2e4fbabb0e94d 146d62e5a5867fbf84490d82455718bfb10fe824 is the first bad commit commit 146d62e5a5867fbf84490d82455718bfb10fe824 Author: Amir Goldstein Date: Thu Apr 18 17:42:08 2019 +0300 ovl: detect overlapping layers Overlapping overlay layers are not supported and can cause unexpected behavior, but overlayfs does not currently check or warn about these configurations. User is not supposed to specify the same directory for upper and lower dirs or for different lower layers and user is not supposed to specify directories that are descendants of each other for overlay layers, but that is exactly what this zysbot repro did: https://syzkaller.appspot.com/x/repro.syz?x=12c7a94f400000 Moving layer root directories into other layers while overlayfs is mounted could also result in unexpected behavior. This commit places "traps" in the overlay inode hash table. Those traps are dummy overlay inodes that are hashed by the layers root inodes. On mount, the hash table trap entries are used to verify that overlay layers are not overlapping. While at it, we also verify that overlay layers are not overlapping with directories "in-use" by other overlay instances as upperdir/workdir. On lookup, the trap entries are used to verify that overlay layers root inodes have not been moved into other layers after mount. Some examples: $ ./run --ov --samefs -s ... ( mkdir -p base/upper/0/u base/upper/0/w base/lower lower upper mnt mount -o bind base/lower lower mount -o bind base/upper upper mount -t overlay none mnt ... -o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w) $ umount mnt $ mount -t overlay none mnt ... -o lowerdir=base,upperdir=upper/0/u,workdir=upper/0/w [ 94.434900] overlayfs: overlapping upperdir path mount: mount overlay on mnt failed: Too many levels of symbolic links $ mount -t overlay none mnt ... -o lowerdir=upper/0/u,upperdir=upper/0/u,workdir=upper/0/w [ 151.350132] overlayfs: conflicting lowerdir path mount: none is already mounted or mnt busy $ mount -t overlay none mnt ... -o lowerdir=lower:lower/a,upperdir=upper/0/u,workdir=upper/0/w [ 201.205045] overlayfs: overlapping lowerdir path mount: mount overlay on mnt failed: Too many levels of symbolic links $ mount -t overlay none mnt ... -o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w $ mv base/upper/0/ base/lower/ $ find mnt/0 mnt/0 mnt/0/w find: 'mnt/0/w/work': Too many levels of symbolic links find: 'mnt/0/u': Too many levels of symbolic links Reported-by: syzbot+9c69c282adc4edd2b540@syzkaller.appspotmail.com Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi fs/overlayfs/inode.c | 48 ++++++++++++++ fs/overlayfs/namei.c | 8 +++ fs/overlayfs/overlayfs.h | 3 + fs/overlayfs/ovl_entry.h | 6 ++ fs/overlayfs/super.c | 169 ++++++++++++++++++++++++++++++++++++++++++----- fs/overlayfs/util.c | 12 ++++ 6 files changed, 229 insertions(+), 17 deletions(-) culprit signature: a6019652eb4cd30f8c4f949a748c78c4d7300426398e82af352c5b0cb71552df parent signature: 75900661db9526992de0e97378042a0fbc7c2c533eea61d36371441447b32d17 revisions tested: 19, total time: 4h7m18.359498475s (build: 1h46m20.423419758s, test: 2h17m44.906978354s) first good commit: 146d62e5a5867fbf84490d82455718bfb10fe824 ovl: detect overlapping layers recipients (to): ["amir73il@gmail.com" "linux-unionfs@vger.kernel.org" "miklos@szeredi.hu" "mszeredi@redhat.com"] recipients (cc): ["linux-kernel@vger.kernel.org"]