bisecting fixing commit since c98875d930e915d01e8c40c7d3c16f00b3c8abe1
building syzkaller on 8e3c52b11d5d0843be47f41e00c5612ce29811b0
testing commit c98875d930e915d01e8c40c7d3c16f00b3c8abe1 with gcc (GCC) 8.1.0
kernel signature: e806928eb4b40fdb639f7e03cfca95181f6ebc9e
run #0: crashed: possible deadlock in path_openat
run #1: crashed: possible deadlock in path_openat
run #2: crashed: possible deadlock in path_openat
run #3: crashed: possible deadlock in path_openat
run #4: crashed: possible deadlock in mnt_want_write
run #5: crashed: possible deadlock in path_openat
run #6: crashed: possible deadlock in mnt_want_write
run #7: crashed: possible deadlock in mnt_want_write
run #8: crashed: possible deadlock in path_openat
run #9: crashed: possible deadlock in path_openat
testing current HEAD 14260788bbb9c94b0e36abc17294266b69dd46e4
testing commit 14260788bbb9c94b0e36abc17294266b69dd46e4 with gcc (GCC) 8.1.0
kernel signature: 670e516b6f0d9a7397fb6e00023b460b83d96983
all runs: OK
# git bisect start 14260788bbb9c94b0e36abc17294266b69dd46e4 c98875d930e915d01e8c40c7d3c16f00b3c8abe1
Bisecting: 2497 revisions left to test after this (roughly 11 steps)
[1bb2dd37cb878da69b43957804f2925d6ce33d1b] ip6_tunnel: fix possible use-after-free on xmit
testing commit 1bb2dd37cb878da69b43957804f2925d6ce33d1b with gcc (GCC) 8.1.0
kernel signature: f97118136c41ff38f860126ca768c104a2e536af
all runs: OK
# git bisect bad 1bb2dd37cb878da69b43957804f2925d6ce33d1b
Bisecting: 1248 revisions left to test after this (roughly 10 steps)
[221c44d2d7fa51c90d0a278b3c20da64e5c068d9] Revert "MIPS: perf: ath79: Fix perfcount IRQ assignment"
testing commit 221c44d2d7fa51c90d0a278b3c20da64e5c068d9 with gcc (GCC) 8.1.0
kernel signature: b66d7ee499b996a3f5688fc414f5a8c9852c3b9b
run #0: crashed: possible deadlock in path_openat
run #1: crashed: possible deadlock in path_openat
run #2: crashed: possible deadlock in path_openat
run #3: crashed: possible deadlock in mnt_want_write
run #4: crashed: possible deadlock in mnt_want_write
run #5: crashed: possible deadlock in path_openat
run #6: crashed: possible deadlock in path_openat
run #7: crashed: possible deadlock in path_openat
run #8: crashed: possible deadlock in mnt_want_write
run #9: crashed: possible deadlock in mnt_want_write
# git bisect good 221c44d2d7fa51c90d0a278b3c20da64e5c068d9
Bisecting: 624 revisions left to test after this (roughly 9 steps)
[d202b5adccfb093c4859d67ec74d5f3fb9fcfc54] VMCI: Fix integer overflow in VMCI handle arrays
testing commit d202b5adccfb093c4859d67ec74d5f3fb9fcfc54 with gcc (GCC) 8.1.0
kernel signature: 6399fe0fbcb50f918811945171a92084b06434ad
all runs: OK
# git bisect bad d202b5adccfb093c4859d67ec74d5f3fb9fcfc54
Bisecting: 311 revisions left to test after this (roughly 8 steps)
[d64f99ef010dba5ffc19d233442479f207f91067] brcmfmac: sdio: Don't tune while the card is off
testing commit d64f99ef010dba5ffc19d233442479f207f91067 with gcc (GCC) 8.1.0
kernel signature: a5919771d6b530a12e465bb584125d9d6bac9f2e
all runs: OK
# git bisect bad d64f99ef010dba5ffc19d233442479f207f91067
Bisecting: 155 revisions left to test after this (roughly 7 steps)
[b7f8bbbbb97368b9187b42da20d33f5d7309759c] libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
testing commit b7f8bbbbb97368b9187b42da20d33f5d7309759c with gcc (GCC) 8.1.0
kernel signature: 363f9e1f32c1b961d149fdd8af92ec31cf357c0e
run #0: crashed: possible deadlock in mnt_want_write
run #1: crashed: possible deadlock in path_openat
run #2: crashed: possible deadlock in path_openat
run #3: crashed: possible deadlock in path_openat
run #4: crashed: possible deadlock in mnt_want_write
run #5: crashed: possible deadlock in path_openat
run #6: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded.  Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #7: crashed: possible deadlock in path_openat
run #8: crashed: possible deadlock in mnt_want_write
run #9: crashed: possible deadlock in path_openat
# git bisect good b7f8bbbbb97368b9187b42da20d33f5d7309759c
Bisecting: 77 revisions left to test after this (roughly 6 steps)
[b6a1eabf72a01228543462d3961fc3e298832318] net: mvpp2: prs: Fix parser range for VID filtering
testing commit b6a1eabf72a01228543462d3961fc3e298832318 with gcc (GCC) 8.1.0
kernel signature: 7e332ba115663ff5bab1dc840d117692e5d1ccb0
run #0: crashed: possible deadlock in path_openat
run #1: crashed: possible deadlock in path_openat
run #2: crashed: possible deadlock in path_openat
run #3: crashed: possible deadlock in path_openat
run #4: crashed: possible deadlock in path_openat
run #5: crashed: possible deadlock in path_openat
run #6: crashed: possible deadlock in mnt_want_write
run #7: crashed: possible deadlock in path_openat
run #8: crashed: possible deadlock in path_openat
run #9: crashed: possible deadlock in mnt_want_write
# git bisect good b6a1eabf72a01228543462d3961fc3e298832318
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[214c5933ffcf703112656f5e3d98505fbfb97cb3] scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route()
testing commit 214c5933ffcf703112656f5e3d98505fbfb97cb3 with gcc (GCC) 8.1.0
kernel signature: 222c2c8b9ebb5ffb9bafdda8619e95d7887ffebc
run #0: crashed: possible deadlock in path_openat
run #1: crashed: possible deadlock in mnt_want_write
run #2: crashed: possible deadlock in path_openat
run #3: crashed: possible deadlock in path_openat
run #4: crashed: possible deadlock in path_openat
run #5: crashed: possible deadlock in path_openat
run #6: crashed: possible deadlock in mnt_want_write
run #7: crashed: possible deadlock in path_openat
run #8: crashed: possible deadlock in mnt_want_write
run #9: crashed: possible deadlock in path_openat
# git bisect good 214c5933ffcf703112656f5e3d98505fbfb97cb3
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[0319ef1d40ff39d2c0f942a46fb73918669b2350] ovl: fix bogus -Wmaybe-unitialized warning
testing commit 0319ef1d40ff39d2c0f942a46fb73918669b2350 with gcc (GCC) 8.1.0
kernel signature: 58d0a94f988f63659d6adbb09a512d2c8f809a21
all runs: OK
# git bisect bad 0319ef1d40ff39d2c0f942a46fb73918669b2350
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[dad3a9314ac95dedc007bc7dacacb396ea10e376] tcp: refine memory limit test in tcp_fragment()
testing commit dad3a9314ac95dedc007bc7dacacb396ea10e376 with gcc (GCC) 8.1.0
kernel signature: 59824bd2942f49aa795f6c117b9aeef5e576b582
run #0: crashed: possible deadlock in path_openat
run #1: crashed: possible deadlock in mnt_want_write
run #2: crashed: possible deadlock in path_openat
run #3: crashed: possible deadlock in path_openat
run #4: crashed: possible deadlock in path_openat
run #5: crashed: possible deadlock in path_openat
run #6: crashed: possible deadlock in path_openat
run #7: crashed: possible deadlock in path_openat
run #8: crashed: possible deadlock in mnt_want_write
run #9: crashed: possible deadlock in path_openat
# git bisect good dad3a9314ac95dedc007bc7dacacb396ea10e376
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[3cb5d7fa8f7db47cf4c0016df87c7589474ed09b] ovl: support the FS_IOC_FS[SG]ETXATTR ioctls
testing commit 3cb5d7fa8f7db47cf4c0016df87c7589474ed09b with gcc (GCC) 8.1.0
kernel signature: 5e85c3880a96ab06c6bc5dd5088181892705fcf0
run #0: crashed: possible deadlock in mnt_want_write
run #1: crashed: possible deadlock in path_openat
run #2: crashed: possible deadlock in mnt_want_write
run #3: crashed: possible deadlock in path_openat
run #4: crashed: possible deadlock in path_openat
run #5: crashed: possible deadlock in path_openat
run #6: crashed: possible deadlock in path_openat
run #7: crashed: possible deadlock in mnt_want_write
run #8: crashed: possible deadlock in path_openat
run #9: crashed: possible deadlock in mnt_want_write
# git bisect good 3cb5d7fa8f7db47cf4c0016df87c7589474ed09b
Bisecting: 2 revisions left to test after this (roughly 1 step)
[a00f405e133fb486a34fb7cc1bdc64deab4d4fa0] ovl: make i_ino consistent with st_ino in more cases
testing commit a00f405e133fb486a34fb7cc1bdc64deab4d4fa0 with gcc (GCC) 8.1.0
kernel signature: 78ca61474f611311c7e382456cb86f3cd5d5d817
run #0: crashed: possible deadlock in path_openat
run #1: crashed: possible deadlock in path_openat
run #2: crashed: possible deadlock in path_openat
run #3: crashed: possible deadlock in path_openat
run #4: crashed: possible deadlock in path_openat
run #5: crashed: possible deadlock in path_openat
run #6: crashed: possible deadlock in mnt_want_write
run #7: crashed: possible deadlock in path_openat
run #8: crashed: possible deadlock in path_openat
run #9: crashed: possible deadlock in mnt_want_write
# git bisect good a00f405e133fb486a34fb7cc1bdc64deab4d4fa0
Bisecting: 0 revisions left to test after this (roughly 1 step)
[639e8c2f0910a57e9a29d9508ea6ed0960e8d4fe] ovl: don't fail with disconnected lower NFS
testing commit 639e8c2f0910a57e9a29d9508ea6ed0960e8d4fe with gcc (GCC) 8.1.0
kernel signature: e73ff9a54fd1fbc61e1fdfa6796c0ebb7186a16f
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded.  Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 639e8c2f0910a57e9a29d9508ea6ed0960e8d4fe
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f1c5aa5eda08710c2ba619d93126380881fa1114] ovl: detect overlapping layers
testing commit f1c5aa5eda08710c2ba619d93126380881fa1114 with gcc (GCC) 8.1.0
kernel signature: 099610951e85cb68701d5311b984854940344972
all runs: OK
# git bisect bad f1c5aa5eda08710c2ba619d93126380881fa1114
f1c5aa5eda08710c2ba619d93126380881fa1114 is the first bad commit
commit f1c5aa5eda08710c2ba619d93126380881fa1114
Author: Amir Goldstein <amir73il@gmail.com>
Date:   Thu Apr 18 17:42:08 2019 +0300

    ovl: detect overlapping layers
    
    [ Upstream commit 146d62e5a5867fbf84490d82455718bfb10fe824 ]
    
    Overlapping overlay layers are not supported and can cause unexpected
    behavior, but overlayfs does not currently check or warn about these
    configurations.
    
    User is not supposed to specify the same directory for upper and
    lower dirs or for different lower layers and user is not supposed to
    specify directories that are descendants of each other for overlay
    layers, but that is exactly what this zysbot repro did:
    
        https://syzkaller.appspot.com/x/repro.syz?x=12c7a94f400000
    
    Moving layer root directories into other layers while overlayfs
    is mounted could also result in unexpected behavior.
    
    This commit places "traps" in the overlay inode hash table.
    Those traps are dummy overlay inodes that are hashed by the layers
    root inodes.
    
    On mount, the hash table trap entries are used to verify that overlay
    layers are not overlapping.  While at it, we also verify that overlay
    layers are not overlapping with directories "in-use" by other overlay
    instances as upperdir/workdir.
    
    On lookup, the trap entries are used to verify that overlay layers
    root inodes have not been moved into other layers after mount.
    
    Some examples:
    
    $ ./run --ov --samefs -s
    ...
    ( mkdir -p base/upper/0/u base/upper/0/w base/lower lower upper mnt
      mount -o bind base/lower lower
      mount -o bind base/upper upper
      mount -t overlay none mnt ...
            -o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w)
    
    $ umount mnt
    $ mount -t overlay none mnt ...
            -o lowerdir=base,upperdir=upper/0/u,workdir=upper/0/w
    
      [   94.434900] overlayfs: overlapping upperdir path
      mount: mount overlay on mnt failed: Too many levels of symbolic links
    
    $ mount -t overlay none mnt ...
            -o lowerdir=upper/0/u,upperdir=upper/0/u,workdir=upper/0/w
    
      [  151.350132] overlayfs: conflicting lowerdir path
      mount: none is already mounted or mnt busy
    
    $ mount -t overlay none mnt ...
            -o lowerdir=lower:lower/a,upperdir=upper/0/u,workdir=upper/0/w
    
      [  201.205045] overlayfs: overlapping lowerdir path
      mount: mount overlay on mnt failed: Too many levels of symbolic links
    
    $ mount -t overlay none mnt ...
            -o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w
    $ mv base/upper/0/ base/lower/
    $ find mnt/0
      mnt/0
      mnt/0/w
      find: 'mnt/0/w/work': Too many levels of symbolic links
      find: 'mnt/0/u': Too many levels of symbolic links
    
    Reported-by: syzbot+9c69c282adc4edd2b540@syzkaller.appspotmail.com
    Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 fs/overlayfs/inode.c     |  48 ++++++++++++++
 fs/overlayfs/namei.c     |   8 +++
 fs/overlayfs/overlayfs.h |   3 +
 fs/overlayfs/ovl_entry.h |   6 ++
 fs/overlayfs/super.c     | 169 ++++++++++++++++++++++++++++++++++++++++++-----
 fs/overlayfs/util.c      |  12 ++++
 6 files changed, 229 insertions(+), 17 deletions(-)
kernel signature:   099610951e85cb68701d5311b984854940344972
previous signature: 78ca61474f611311c7e382456cb86f3cd5d5d817
revisions tested: 15, total time: 3h52m46.702878169s (build: 2h2m57.858745022s, test: 1h44m53.862493659s)
first good commit: f1c5aa5eda08710c2ba619d93126380881fa1114 ovl: detect overlapping layers
cc: ["amir73il@gmail.com" "linux-kernel@vger.kernel.org" "linux-unionfs@vger.kernel.org" "miklos@szeredi.hu" "mszeredi@redhat.com" "sashal@kernel.org"]