Re: possible deadlock in mnt_want_write

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Nov 21, 2018 at 8:33 PM syzbot
<syzbot+ae82084b07d0297e566b@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:    442b8cea2477 Add linux-next specific files for 20181109
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=11a1426d400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2f72bdb11df9fbe8
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae82084b07d0297e566b
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1632326d400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17a16ed5400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+ae82084b07d0297e566b@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
> IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
> 8021q: adding VLAN 0 to HW filter on device team0
>
> ======================================================
> WARNING: possible circular locking dependency detected
> 4.20.0-rc1-next-20181109+ #110 Not tainted
> ------------------------------------------------------
> syz-executor599/5968 is trying to acquire lock:
> 00000000e42cbf00 (sb_writers#3){.+.+}, at: sb_start_write
> include/linux/fs.h:1607 [inline]
> 00000000e42cbf00 (sb_writers#3){.+.+}, at: mnt_want_write+0x3f/0xc0
> fs/namespace.c:359
>
> but task is already holding lock:
> 00000000166f985a (&iint->mutex){+.+.}, at: process_measurement+0x438/0x1bf0
> security/integrity/ima/ima_main.c:224
>
> which lock already depends on the new lock.
>
>
> the existing dependency chain (in reverse order) is:
>
> -> #1 (&iint->mutex){+.+.}:
>         __mutex_lock_common kernel/locking/mutex.c:925 [inline]
>         __mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072
>         mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
>         process_measurement+0x438/0x1bf0
> security/integrity/ima/ima_main.c:224
>         ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
>         do_last fs/namei.c:3422 [inline]
>         path_openat+0x134a/0x5150 fs/namei.c:3534
>         do_filp_open+0x255/0x380 fs/namei.c:3564
>         do_sys_open+0x568/0x700 fs/open.c:1063
>         __do_sys_open fs/open.c:1081 [inline]
>         __se_sys_open fs/open.c:1076 [inline]
>         __x64_sys_open+0x7e/0xc0 fs/open.c:1076
>         do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
>         entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> -> #0 (sb_writers#3){.+.+}:
>         lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
>         percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36
> [inline]
>         percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
>         __sb_start_write+0x214/0x370 fs/super.c:1564
>         sb_start_write include/linux/fs.h:1607 [inline]
>         mnt_want_write+0x3f/0xc0 fs/namespace.c:359
>         ovl_want_write+0x76/0xa0 fs/overlayfs/util.c:24
>         ovl_open_maybe_copy_up+0x12c/0x190 fs/overlayfs/copy_up.c:888
>         ovl_open+0xb3/0x260 fs/overlayfs/file.c:123
>         do_dentry_open+0x499/0x1250 fs/open.c:771
>         vfs_open fs/open.c:880 [inline]
>         dentry_open+0x143/0x1d0 fs/open.c:896
>         ima_calc_file_hash+0x324/0x570

I suppose ima_calc_file_hash opens the file with write flags
and cause overlay to try to copy up which takes mnt_want_write().
Why does IMA need to open the file with write flags?

Isn't this commit supposed to prevent that:
a408e4a86b36 ima: open a new file instance if no read permissions

Thanks,
Amir.



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux