On 20:57 21/11, Amir Goldstein wrote: > On Wed, Nov 21, 2018 at 8:33 PM syzbot > <syzbot+ae82084b07d0297e566b@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > > > > syzbot has found a reproducer for the following crash on: > > > > HEAD commit: 442b8cea2477 Add linux-next specific files for 20181109 > > git tree: linux-next > > console output: https://syzkaller.appspot.com/x/log.txt?x=11a1426d400000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=2f72bdb11df9fbe8 > > dashboard link: https://syzkaller.appspot.com/bug?extid=ae82084b07d0297e566b > > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1632326d400000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17a16ed5400000 > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+ae82084b07d0297e566b@xxxxxxxxxxxxxxxxxxxxxxxxx > > > > IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready > > IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready > > 8021q: adding VLAN 0 to HW filter on device team0 > > > > ====================================================== > > WARNING: possible circular locking dependency detected > > 4.20.0-rc1-next-20181109+ #110 Not tainted > > ------------------------------------------------------ > > syz-executor599/5968 is trying to acquire lock: > > 00000000e42cbf00 (sb_writers#3){.+.+}, at: sb_start_write > > include/linux/fs.h:1607 [inline] > > 00000000e42cbf00 (sb_writers#3){.+.+}, at: mnt_want_write+0x3f/0xc0 > > fs/namespace.c:359 > > > > but task is already holding lock: > > 00000000166f985a (&iint->mutex){+.+.}, at: process_measurement+0x438/0x1bf0 > > security/integrity/ima/ima_main.c:224 > > > > which lock already depends on the new lock. > > > > > > the existing dependency chain (in reverse order) is: > > > > -> #1 (&iint->mutex){+.+.}: > > __mutex_lock_common kernel/locking/mutex.c:925 [inline] > > __mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072 > > mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 > > process_measurement+0x438/0x1bf0 > > security/integrity/ima/ima_main.c:224 > > ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391 > > do_last fs/namei.c:3422 [inline] > > path_openat+0x134a/0x5150 fs/namei.c:3534 > > do_filp_open+0x255/0x380 fs/namei.c:3564 > > do_sys_open+0x568/0x700 fs/open.c:1063 > > __do_sys_open fs/open.c:1081 [inline] > > __se_sys_open fs/open.c:1076 [inline] > > __x64_sys_open+0x7e/0xc0 fs/open.c:1076 > > do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 > > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > > > -> #0 (sb_writers#3){.+.+}: > > lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844 > > percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 > > [inline] > > percpu_down_read include/linux/percpu-rwsem.h:59 [inline] > > __sb_start_write+0x214/0x370 fs/super.c:1564 > > sb_start_write include/linux/fs.h:1607 [inline] > > mnt_want_write+0x3f/0xc0 fs/namespace.c:359 > > ovl_want_write+0x76/0xa0 fs/overlayfs/util.c:24 > > ovl_open_maybe_copy_up+0x12c/0x190 fs/overlayfs/copy_up.c:888 > > ovl_open+0xb3/0x260 fs/overlayfs/file.c:123 > > do_dentry_open+0x499/0x1250 fs/open.c:771 > > vfs_open fs/open.c:880 [inline] > > dentry_open+0x143/0x1d0 fs/open.c:896 > > ima_calc_file_hash+0x324/0x570 > > I suppose ima_calc_file_hash opens the file with write flags > and cause overlay to try to copy up which takes mnt_want_write(). > Why does IMA need to open the file with write flags? > > Isn't this commit supposed to prevent that: > a408e4a86b36 ima: open a new file instance if no read permissions > Not write, read flags. This patch re-opens the files in O_RDONLY for files opened with O_WRONLY and cannot be read, so that the hash can be calculated. IOW, the user opened the file in overlayfs with write flags. The copy-up, since it is already in write mode can add the security.ima xattrs. -- Goldwyn
