On Wed, Nov 21, 2018 at 8:33 PM syzbot <syzbot+ae82084b07d0297e566b@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > > syzbot has found a reproducer for the following crash on: > > HEAD commit: 442b8cea2477 Add linux-next specific files for 20181109 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=11a1426d400000 > kernel config: https://syzkaller.appspot.com/x/.config?x=2f72bdb11df9fbe8 > dashboard link: https://syzkaller.appspot.com/bug?extid=ae82084b07d0297e566b > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1632326d400000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17a16ed5400000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+ae82084b07d0297e566b@xxxxxxxxxxxxxxxxxxxxxxxxx > > IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready > IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready > 8021q: adding VLAN 0 to HW filter on device team0 > > ====================================================== > WARNING: possible circular locking dependency detected > 4.20.0-rc1-next-20181109+ #110 Not tainted > ------------------------------------------------------ > syz-executor599/5968 is trying to acquire lock: > 00000000e42cbf00 (sb_writers#3){.+.+}, at: sb_start_write > include/linux/fs.h:1607 [inline] > 00000000e42cbf00 (sb_writers#3){.+.+}, at: mnt_want_write+0x3f/0xc0 > fs/namespace.c:359 > > but task is already holding lock: > 00000000166f985a (&iint->mutex){+.+.}, at: process_measurement+0x438/0x1bf0 > security/integrity/ima/ima_main.c:224 > > which lock already depends on the new lock. > > > the existing dependency chain (in reverse order) is: > > -> #1 (&iint->mutex){+.+.}: > __mutex_lock_common kernel/locking/mutex.c:925 [inline] > __mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072 > mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 > process_measurement+0x438/0x1bf0 > security/integrity/ima/ima_main.c:224 > ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391 > do_last fs/namei.c:3422 [inline] > path_openat+0x134a/0x5150 fs/namei.c:3534 > do_filp_open+0x255/0x380 fs/namei.c:3564 > do_sys_open+0x568/0x700 fs/open.c:1063 > __do_sys_open fs/open.c:1081 [inline] > __se_sys_open fs/open.c:1076 [inline] > __x64_sys_open+0x7e/0xc0 fs/open.c:1076 > do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > -> #0 (sb_writers#3){.+.+}: > lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844 > percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 > [inline] > percpu_down_read include/linux/percpu-rwsem.h:59 [inline] > __sb_start_write+0x214/0x370 fs/super.c:1564 > sb_start_write include/linux/fs.h:1607 [inline] > mnt_want_write+0x3f/0xc0 fs/namespace.c:359 > ovl_want_write+0x76/0xa0 fs/overlayfs/util.c:24 > ovl_open_maybe_copy_up+0x12c/0x190 fs/overlayfs/copy_up.c:888 > ovl_open+0xb3/0x260 fs/overlayfs/file.c:123 > do_dentry_open+0x499/0x1250 fs/open.c:771 > vfs_open fs/open.c:880 [inline] > dentry_open+0x143/0x1d0 fs/open.c:896 > ima_calc_file_hash+0x324/0x570 I suppose ima_calc_file_hash opens the file with write flags and cause overlay to try to copy up which takes mnt_want_write(). Why does IMA need to open the file with write flags? Isn't this commit supposed to prevent that: a408e4a86b36 ima: open a new file instance if no read permissions Thanks, Amir.
