Re: [PATCH] ovl: fix oops in ovl_indexdir_cleanup() with nfs_export=on

On Sun, Jun 21, 2020 at 8:38 AM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
>
> Mounting with nfs_export=on, xfstests overlay/031 triggers a kernel panic
> since v5.8-rc1 overlayfs updates.
>
>  overlayfs: orphan index entry (index/00fb1..., ftype=4000, nlink=2)
>  BUG: kernel NULL pointer dereference, address: 0000000000000030
>  RIP: 0010:ovl_cleanup_and_whiteout+0x28/0x220 [overlay]
>
> Bisect points at commit c21c839b8448 ("ovl: whiteout inode sharing")
>
> Minimal reproducer:
> --------------------------------------------------
> rm -rf l u w m
> mkdir -p l u w m
> mkdir -p l/testdir
> touch l/testdir/testfile
> mount -t overlay -o lowerdir=l,upperdir=u,workdir=w,nfs_export=on overlay m
> echo 1 > m/testdir/testfile
> umount m
> rm -rf u/testdir
> mount -t overlay -o lowerdir=l,upperdir=u,workdir=w,nfs_export=on overlay m
> umount m
> --------------------------------------------------
>
> When mounting with nfs_export=on and failing to verify an orphan index, we're
> cleaning this index from indexdir by calling ovl_cleanup_and_whiteout().
> This dereferences ofs->workdir, that was earlier set to NULL.
>
> The design was that ovl->workdir will point at ovl->indexdir, but we are
> assigning ofs->indexdir to ofs->workdir only after ovl_indexdir_cleanup().
> There is no reason not to do it sooner, because once we get success from
> ofs->indexdir = ovl_workdir_create(... there is no turning back.
>
> Reported-and-tested-by: Murphy Zhou <jencce.kernel@xxxxxxxxx>
> Fixes: commit c21c839b8448 ("ovl: whiteout inode sharing")
> Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx>


Thanks, applied.

Miklos


