Re: [syzbot] [overlayfs?] WARNING in ovl_encode_real_fh

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 6 Nov 2024 11:34:13 +0100, Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> On Wed, Nov 6, 2024 at 11:18 AM Edward Adam Davis <eadavis@xxxxxx> wrote:
> >
> > On Wed, 6 Nov 2024 09:20:24 +0100, Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> > > On Wed, Nov 6, 2024 at 3:43 AM Edward Adam Davis <eadavis@xxxxxx> wrote:
> > > >
> > > > On Mon, 4 Nov 2024 20:30:41 +0100, Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> > > > > > When the memory is insufficient, the allocation of fh fails, which causes
> > > > > > the failure to obtain the dentry fid, and finally causes the dentry encoding
> > > > > > to fail.
> > > > > > Retry is used to avoid the failure of fh allocation caused by temporary
> > > > > > insufficient memory.
> > > > > >
> > > > > > #syz test
> > > > > >
> > > > > > diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> > > > > > index 2ed6ad641a20..1e027a3cf084 100644
> > > > > > --- a/fs/overlayfs/copy_up.c
> > > > > > +++ b/fs/overlayfs/copy_up.c
> > > > > > @@ -423,15 +423,22 @@ struct ovl_fh *ovl_encode_real_fh(struct ovl_fs *ofs, struct dentry *real,
> > > > > >         int fh_type, dwords;
> > > > > >         int buflen = MAX_HANDLE_SZ;
> > > > > >         uuid_t *uuid = &real->d_sb->s_uuid;
> > > > > > -       int err;
> > > > > > +       int err, rtt = 0;
> > > > > >
> > > > > >         /* Make sure the real fid stays 32bit aligned */
> > > > > >         BUILD_BUG_ON(OVL_FH_FID_OFFSET % 4);
> > > > > >         BUILD_BUG_ON(MAX_HANDLE_SZ + OVL_FH_FID_OFFSET > 255);
> > > > > >
> > > > > > +retry:
> > > > > >         fh = kzalloc(buflen + OVL_FH_FID_OFFSET, GFP_KERNEL);
> > > > > > -       if (!fh)
> > > > > > +       if (!fh) {
> > > > > > +               if (!rtt) {
> > > > > > +                       cond_resched();
> > > > > > +                       rtt++;
> > > > > > +                       goto retry;
> > > > > > +               }
> > > > > >                 return ERR_PTR(-ENOMEM);
> > > > > > +       }
> > > > > >
> > > > > >         /*
> > > > > >          * We encode a non-connectable file handle for non-dir, because we
> > > > > >
> > > > >
> > > > > This endless loop is out of the question and anyway, syzbot reported
> > > > > a WARN_ON in line 448:
> > > > >             WARN_ON(fh_type == FILEID_INVALID))
> > > > >
> > > > > How does that have to do with memory allocation failure?
> > > > > What am I missing?
> > > > Look following log, it in https://syzkaller.appspot.com/text?tag=CrashLog&x=178bf640580000:
> > > > [   64.050342][ T5103] FAULT_INJECTION: forcing a failure.
> > > > [   64.050342][ T5103] name failslab, interval 1, probability 0, space 0, times 0
> > > > [   64.055933][ T5103] CPU: 0 UID: 0 PID: 5103 Comm: syz-executor195 Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
> > > > [   64.060023][ T5103] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> > > > [   64.063941][ T5103] Call Trace:
> > > > [   64.065199][ T5103]  <TASK>
> > > > [   64.066296][ T5103]  dump_stack_lvl+0x241/0x360
> > > > [   64.068028][ T5103]  ? __pfx_dump_stack_lvl+0x10/0x10
> > > > [   64.069939][ T5103]  ? __pfx__printk+0x10/0x10
> > > > [   64.071667][ T5103]  ? __kmalloc_cache_noprof+0x44/0x2c0
> > > > [   64.073756][ T5103]  ? __pfx___might_resched+0x10/0x10
> > > > [   64.075720][ T5103]  should_fail_ex+0x3b0/0x4e0
> > > > [   64.077525][ T5103]  should_failslab+0xac/0x100
> > > > [   64.079341][ T5103]  ? ovl_encode_real_fh+0xdf/0x410
> > > > [   64.081295][ T5103]  __kmalloc_cache_noprof+0x6c/0x2c0
> > > > [   64.083282][ T5103]  ? dput+0x37/0x2b0
> > > > [   64.084758][ T5103]  ovl_encode_real_fh+0xdf/0x410
> > > > [   64.086578][ T5103]  ? __pfx_ovl_encode_real_fh+0x10/0x10
> > > > [   64.088687][ T5103]  ? _raw_spin_unlock+0x28/0x50
> > > > [   64.090550][ T5103]  ovl_encode_fh+0x388/0xc20
> > > > [   64.092281][ T5103]  exportfs_encode_fh+0x1bd/0x3e0
> > > > [   64.094122][ T5103]  ovl_encode_real_fh+0x129/0x410
> > > > [   64.095883][ T5103]  ? __pfx_ovl_encode_real_fh+0x10/0x10
> > > > [   64.097852][ T5103]  ? bpf_lsm_capable+0x9/0x10
> > > > [   64.099620][ T5103]  ? capable+0x89/0xe0
> > > > [   64.101064][ T5103]  ovl_copy_up_flags+0x1068/0x46f0
> > >
> > > I see. it is nested overlayfs, so a memory allocation failure in the lower
> > > overlayfs, causes ovl_encode_fh() to return FILEID_INVALID.
> > >
> > > > >
> > > > > Probably this WARN_ON as well as the one in line 446 should be
> > > > > relaxed because it is perfectly possible for fs to return negative or
> > > > > FILEID_INVALID for encoding a file handle even if fs supports encoding
> > > > > file handles.
> > > > >
> > >
> > > As I wrote, the correct fix is to relax the WARN_ON from
> > > fh_type == FILEID_INVALID and fh_type < 0 conditions because
> > > those are valid return values from filesystems.
> > Oh, You mean is following diff?
> 
> > diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> > index 2ed6ad641a20..32890cc0dd4a 100644
> > --- a/fs/overlayfs/copy_up.c
> > +++ b/fs/overlayfs/copy_up.c
> > @@ -443,9 +443,7 @@ struct ovl_fh *ovl_encode_real_fh(struct ovl_fs *ofs, struct dentry *real,
> >         buflen = (dwords << 2);
> >
> >         err = -EIO;
> > -       if (WARN_ON(fh_type < 0) ||
> > -           WARN_ON(buflen > MAX_HANDLE_SZ) ||
> > -           WARN_ON(fh_type == FILEID_INVALID))
> > +       if (WARN_ON(buflen > MAX_HANDLE_SZ))
> >                 goto out_err;
> >
> 
> No. sorry, what I meant with "relax WARN_ON" was to remove the WARN_ON, so:
> 
>        err = -EIO;
>        if (fh_type < 0 || fh_type == FILEID_INVALID ||
>            WARN_ON(buflen > MAX_HANDLE_SZ))
>                  goto out_err;
> 
> Meaning that error should definitely be returned in those cases,
> but there is no reason for the assertion which is what syzbot
> was complaining about.
Haha, I was a little dizzy, I deleted too much. Yes, I meant it as your diff.

BR,
Edward





[Index of Archives]     [Linux Filesystems Devel]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux