From: Philip Li <philip.li@intel.com>
To: kernel test robot <lkp@intel.com>
Cc: syzbot <syzbot+04c2672c56fbb9401640@syzkaller.appspotmail.com>,
	<linux-kernel@vger.kernel.org>, <syzkaller-bugs@googlegroups.com>,
	<llvm@lists.linux.dev>, <oe-kbuild-all@lists.linux.dev>
Subject: Re: Forwarded: [PATCH] fs: fix inode use-after-free in chown_common delegation retry
Date: Sun, 9 Nov 2025 20:26:25 +0800
Message-ID: <aRCIcSYkYLI4a3Pk@rli9-mobl>
In-Reply-To: <202511091815.6q5WUuzH-lkp@intel.com>

On Sun, Nov 09, 2025 at 07:05:11PM +0800, kernel test robot wrote:
> Hi syzbot,
> 
> kernel test robot noticed the following build warnings:

Sorry, kindly ignore this report.

> 
> [auto build test WARNING on brauner-vfs/vfs.all]
> [also build test WARNING on linus/master v6.18-rc4 next-20251107]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
> 
> url:    https://github.com/intel-lab-lkp/linux/commits/syzbot/Forwarded-PATCH-fs-fix-inode-use-after-free-in-chown_common-delegation-retry/20251109-171000
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git vfs.all
> patch link:    https://lore.kernel.org/r/691059ff.a70a0220.22f260.00a6.GAE%40google.com
> patch subject: Forwarded: [PATCH] fs: fix inode use-after-free in chown_common delegation retry
> config: arm-allnoconfig (https://download.01.org/0day-ci/archive/20251109/202511091815.6q5WUuzH-lkp@intel.com/config)
> compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project b9ea93cd5c37fb6d606502fd01208dd48330549d)
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251109/202511091815.6q5WUuzH-lkp@intel.com/reproduce)
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202511091815.6q5WUuzH-lkp@intel.com/
> 
> All warnings (new ones prefixed by >>):
> 
> >> fs/open.c:771:9: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
>      769 |         printk("DEBUG: [%s] retry_deleg: inode=%p, i_count=%d, i_rwsem.owner=%px\n",
>          |                                                                              ~~
>          |                                                                              %ld
>      770 |                current->comm, inode, atomic_read(&inode->i_count),
>      771 |                atomic_long_read(&inode->i_rwsem.owner));
>          |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    include/linux/printk.h:512:60: note: expanded from macro 'printk'
>      512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
>          |                                                     ~~~    ^~~~~~~~~~~
>    include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
>      484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
>          |                         ~~~~    ^~~~~~~~~~~
>    fs/open.c:785:31: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
>      784 |         printk("DEBUG: [%s] after inode_lock: inode=%p, i_rwsem.owner=%px (current=%px)\n",
>          |                                                                       ~~
>          |                                                                       %ld
>      785 |                current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), current);
>          |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    include/linux/printk.h:512:60: note: expanded from macro 'printk'
>      512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
>          |                                                     ~~~    ^~~~~~~~~~~
>    include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
>      484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
>          |                         ~~~~    ^~~~~~~~~~~
>    fs/open.c:798:31: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
>      797 |         printk("DEBUG: [%s] before inode_unlock: inode=%p, i_rwsem.owner=%px, delegated_inode=%p\n",
>          |                                                                          ~~
>          |                                                                          %ld
>      798 |                current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), delegated_inode);
>          |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    include/linux/printk.h:512:60: note: expanded from macro 'printk'
>      512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
>          |                                                     ~~~    ^~~~~~~~~~~
>    include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
>      484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
>          |                         ~~~~    ^~~~~~~~~~~
>    fs/open.c:801:31: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
>      800 |         printk("DEBUG: [%s] after inode_unlock: inode=%p, i_rwsem.owner=%px\n",
>          |                                                                         ~~
>          |                                                                         %ld
>      801 |                current->comm, inode, atomic_long_read(&inode->i_rwsem.owner));
>          |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    include/linux/printk.h:512:60: note: expanded from macro 'printk'
>      512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
>          |                                                     ~~~    ^~~~~~~~~~~
>    include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
>      484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
>          |                         ~~~~    ^~~~~~~~~~~
>    4 warnings generated.
> 
> 
> vim +771 fs/open.c
> 
>    750	
>    751	int chown_common(const struct path *path, uid_t user, gid_t group)
>    752	{
>    753		struct mnt_idmap *idmap;
>    754		struct user_namespace *fs_userns;
>    755		struct inode *inode = path->dentry->d_inode;
>    756		struct inode *delegated_inode = NULL;
>    757		int error;
>    758		struct iattr newattrs;
>    759		kuid_t uid;
>    760		kgid_t gid;
>    761	
>    762		uid = make_kuid(current_user_ns(), user);
>    763		gid = make_kgid(current_user_ns(), group);
>    764	
>    765		idmap = mnt_idmap(path->mnt);
>    766		fs_userns = i_user_ns(inode);
>    767	
>    768	retry_deleg:
>    769		printk("DEBUG: [%s] retry_deleg: inode=%p, i_count=%d, i_rwsem.owner=%px\n",
>    770		       current->comm, inode, atomic_read(&inode->i_count),
>  > 771		       atomic_long_read(&inode->i_rwsem.owner));
>    772		newattrs.ia_vfsuid = INVALID_VFSUID;
>    773		newattrs.ia_vfsgid = INVALID_VFSGID;
>    774		newattrs.ia_valid =  ATTR_CTIME;
>    775		if ((user != (uid_t)-1) && !setattr_vfsuid(&newattrs, uid))
>    776			return -EINVAL;
>    777		if ((group != (gid_t)-1) && !setattr_vfsgid(&newattrs, gid))
>    778			return -EINVAL;
>    779		printk("DEBUG: [%s] before inode_lock: inode=%p, i_count=%d\n",
>    780		       current->comm, inode, atomic_read(&inode->i_count));
>    781		error = inode_lock_killable(inode);
>    782		if (error)
>    783			return error;
>    784		printk("DEBUG: [%s] after inode_lock: inode=%p, i_rwsem.owner=%px (current=%px)\n",
>    785		       current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), current);
>    786		if (!S_ISDIR(inode->i_mode))
>    787			newattrs.ia_valid |= ATTR_KILL_SUID | ATTR_KILL_PRIV |
>    788					     setattr_should_drop_sgid(idmap, inode);
>    789		/* Continue to send actual fs values, not the mount values. */
>    790		error = security_path_chown(
>    791			path,
>    792			from_vfsuid(idmap, fs_userns, newattrs.ia_vfsuid),
>    793			from_vfsgid(idmap, fs_userns, newattrs.ia_vfsgid));
>    794		if (!error)
>    795			error = notify_change(idmap, path->dentry, &newattrs,
>    796					      &delegated_inode);
>    797		printk("DEBUG: [%s] before inode_unlock: inode=%p, i_rwsem.owner=%px, delegated_inode=%p\n",
>    798		       current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), delegated_inode);
>    799		inode_unlock(inode);
>    800		printk("DEBUG: [%s] after inode_unlock: inode=%p, i_rwsem.owner=%px\n",
>    801		       current->comm, inode, atomic_long_read(&inode->i_rwsem.owner));
>    802		if (delegated_inode) {
>    803			printk("DEBUG: [%s] calling break_deleg_wait: inode=%p, i_count=%d, delegated_inode=%p\n",
>    804			       current->comm, inode, atomic_read(&inode->i_count), delegated_inode);
>    805			error = break_deleg_wait(&delegated_inode);
>    806			printk("DEBUG: [%s] after break_deleg_wait: inode=%p, i_count=%d, error=%d\n",
>    807			       current->comm, inode, atomic_read(&inode->i_count), error);
>    808			if (!error)
>    809				goto retry_deleg;
>    810		}
>    811		return error;
>    812	}
>    813	
> 
> -- 
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
> 

Thread overview: 16+ messages
2025-10-12  5:45 [syzbot] [gfs2?] WARNING in chown_common syzbot
2025-10-17  8:57 ` Forwarded: [PATCH] fs: fix stale inode access in chown_common() retry path syzbot
2025-10-17  8:57 ` syzbot
2025-10-29  8:23 ` Forwarded: Test patch for [syzbot] [gfs2?] WARNING in chown_common syzbot
2025-11-09  5:02 ` Forwarded: [PATCH] fs: fix inode reference leak in chown_common delegation retry path syzbot
2025-11-09  9:08 ` Forwarded: [PATCH] fs: fix inode use-after-free in chown_common delegation retry syzbot
2025-11-09 11:05   ` kernel test robot
2025-11-09 12:26     ` Philip Li [this message]
2025-11-09 12:17   ` kernel test robot
2025-11-09 12:26     ` Philip Li
2025-11-09 11:40 ` syzbot
2025-11-09 11:57 ` syzbot
2025-11-09 12:25 ` syzbot
2025-11-09 13:27 ` syzbot
2025-11-09 14:29 ` syzbot
2025-11-09 15:16 ` syzbot
