From: Edward Adam Davis <eadavis@qq.com>
To: amir73il@gmail.com
Cc: eadavis@qq.com, linux-kernel@vger.kernel.org,
linux-unionfs@vger.kernel.org, miklos@szeredi.hu,
syzbot+ec07f6f5ce62b858579f@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [overlayfs?] WARNING in ovl_encode_real_fh
Date: Wed, 6 Nov 2024 18:45:16 +0800 [thread overview]
Message-ID: <tencent_26AD044DF763D77266CFF361A365496AE305@qq.com> (raw)
In-Reply-To: <CAOQ4uxgU0fdEtksACCmvrUEU+hhsBJqK+HSVEhW9vqcvAakCrA@mail.gmail.com>
On Wed, 6 Nov 2024 11:34:13 +0100, Amir Goldstein <amir73il@gmail.com> wrote:
> On Wed, Nov 6, 2024 at 11:18 AM Edward Adam Davis <eadavis@qq.com> wrote:
> >
> > On Wed, 6 Nov 2024 09:20:24 +0100, Amir Goldstein <amir73il@gmail.com> wrote:
> > > On Wed, Nov 6, 2024 at 3:43 AM Edward Adam Davis <eadavis@qq.com> wrote:
> > > >
> > > > On Mon, 4 Nov 2024 20:30:41 +0100, Amir Goldstein <amir73il@gmail.com> wrote:
> > > > > > When the memory is insufficient, the allocation of fh fails, which causes
> > > > > > the failure to obtain the dentry fid, and finally causes the dentry encoding
> > > > > > to fail.
> > > > > > Retry is used to avoid the failure of fh allocation caused by temporary
> > > > > > insufficient memory.
> > > > > >
> > > > > > #syz test
> > > > > >
> > > > > > diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> > > > > > index 2ed6ad641a20..1e027a3cf084 100644
> > > > > > --- a/fs/overlayfs/copy_up.c
> > > > > > +++ b/fs/overlayfs/copy_up.c
> > > > > > @@ -423,15 +423,22 @@ struct ovl_fh *ovl_encode_real_fh(struct ovl_fs *ofs, struct dentry *real,
> > > > > > int fh_type, dwords;
> > > > > > int buflen = MAX_HANDLE_SZ;
> > > > > > uuid_t *uuid = &real->d_sb->s_uuid;
> > > > > > - int err;
> > > > > > + int err, rtt = 0;
> > > > > >
> > > > > > /* Make sure the real fid stays 32bit aligned */
> > > > > > BUILD_BUG_ON(OVL_FH_FID_OFFSET % 4);
> > > > > > BUILD_BUG_ON(MAX_HANDLE_SZ + OVL_FH_FID_OFFSET > 255);
> > > > > >
> > > > > > +retry:
> > > > > > fh = kzalloc(buflen + OVL_FH_FID_OFFSET, GFP_KERNEL);
> > > > > > - if (!fh)
> > > > > > + if (!fh) {
> > > > > > + if (!rtt) {
> > > > > > + cond_resched();
> > > > > > + rtt++;
> > > > > > + goto retry;
> > > > > > + }
> > > > > > return ERR_PTR(-ENOMEM);
> > > > > > + }
> > > > > >
> > > > > > /*
> > > > > > * We encode a non-connectable file handle for non-dir, because we
> > > > > >
> > > > >
> > > > > This endless loop is out of the question and anyway, syzbot reported
> > > > > a WARN_ON in line 448:
> > > > > WARN_ON(fh_type == FILEID_INVALID))
> > > > >
> > > > > How does that have to do with memory allocation failure?
> > > > > What am I missing?
> > > > Look following log, it in https://syzkaller.appspot.com/text?tag=CrashLog&x=178bf640580000:
> > > > [ 64.050342][ T5103] FAULT_INJECTION: forcing a failure.
> > > > [ 64.050342][ T5103] name failslab, interval 1, probability 0, space 0, times 0
> > > > [ 64.055933][ T5103] CPU: 0 UID: 0 PID: 5103 Comm: syz-executor195 Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
> > > > [ 64.060023][ T5103] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> > > > [ 64.063941][ T5103] Call Trace:
> > > > [ 64.065199][ T5103] <TASK>
> > > > [ 64.066296][ T5103] dump_stack_lvl+0x241/0x360
> > > > [ 64.068028][ T5103] ? __pfx_dump_stack_lvl+0x10/0x10
> > > > [ 64.069939][ T5103] ? __pfx__printk+0x10/0x10
> > > > [ 64.071667][ T5103] ? __kmalloc_cache_noprof+0x44/0x2c0
> > > > [ 64.073756][ T5103] ? __pfx___might_resched+0x10/0x10
> > > > [ 64.075720][ T5103] should_fail_ex+0x3b0/0x4e0
> > > > [ 64.077525][ T5103] should_failslab+0xac/0x100
> > > > [ 64.079341][ T5103] ? ovl_encode_real_fh+0xdf/0x410
> > > > [ 64.081295][ T5103] __kmalloc_cache_noprof+0x6c/0x2c0
> > > > [ 64.083282][ T5103] ? dput+0x37/0x2b0
> > > > [ 64.084758][ T5103] ovl_encode_real_fh+0xdf/0x410
> > > > [ 64.086578][ T5103] ? __pfx_ovl_encode_real_fh+0x10/0x10
> > > > [ 64.088687][ T5103] ? _raw_spin_unlock+0x28/0x50
> > > > [ 64.090550][ T5103] ovl_encode_fh+0x388/0xc20
> > > > [ 64.092281][ T5103] exportfs_encode_fh+0x1bd/0x3e0
> > > > [ 64.094122][ T5103] ovl_encode_real_fh+0x129/0x410
> > > > [ 64.095883][ T5103] ? __pfx_ovl_encode_real_fh+0x10/0x10
> > > > [ 64.097852][ T5103] ? bpf_lsm_capable+0x9/0x10
> > > > [ 64.099620][ T5103] ? capable+0x89/0xe0
> > > > [ 64.101064][ T5103] ovl_copy_up_flags+0x1068/0x46f0
> > >
> > > I see. it is nested overlayfs, so a memory allocation failure in the lower
> > > overlayfs, causes ovl_encode_fh() to return FILEID_INVALID.
> > >
> > > > >
> > > > > Probably this WARN_ON as well as the one in line 446 should be
> > > > > relaxed because it is perfectly possible for fs to return negative or
> > > > > FILEID_INVALID for encoding a file handle even if fs supports encoding
> > > > > file handles.
> > > > >
> > >
> > > As I wrote, the correct fix is to relax the WARN_ON from
> > > fh_type == FILEID_INVALID and fh_type < 0 conditions because
> > > those are valid return values from filesystems.
> > Oh, You mean is following diff?
>
> > diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> > index 2ed6ad641a20..32890cc0dd4a 100644
> > --- a/fs/overlayfs/copy_up.c
> > +++ b/fs/overlayfs/copy_up.c
> > @@ -443,9 +443,7 @@ struct ovl_fh *ovl_encode_real_fh(struct ovl_fs *ofs, struct dentry *real,
> > buflen = (dwords << 2);
> >
> > err = -EIO;
> > - if (WARN_ON(fh_type < 0) ||
> > - WARN_ON(buflen > MAX_HANDLE_SZ) ||
> > - WARN_ON(fh_type == FILEID_INVALID))
> > + if (WARN_ON(buflen > MAX_HANDLE_SZ))
> > goto out_err;
> >
>
> No. sorry, what I meant with "relax WARN_ON" was to remove the WARN_ON, so:
>
> err = -EIO;
> if (fh_type < 0 || fh_type == FILEID_INVALID ||
> WARN_ON(buflen > MAX_HANDLE_SZ))
> goto out_err;
>
> Meaning that error should definitely be returned in those cases,
> but there is no reason for the assertion which is what syzbot
> was complaining about.
Haha, I was a little dizzy, I deleted too much. Yes, I meant it as your diff.
BR,
Edward
next prev parent reply other threads:[~2024-11-06 10:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-28 18:12 [syzbot] [overlayfs?] WARNING in ovl_encode_real_fh syzbot
2024-10-30 10:31 ` Edward Adam Davis
2024-10-30 10:52 ` syzbot
2024-11-04 19:30 ` Amir Goldstein
2024-11-06 2:43 ` Edward Adam Davis
2024-11-06 8:20 ` Amir Goldstein
2024-11-06 10:18 ` Edward Adam Davis
2024-11-06 10:34 ` Amir Goldstein
2024-11-06 10:45 ` Edward Adam Davis [this message]
2024-10-30 13:30 ` [PATCH] overlayfs: retry when getting the dentry fid fails due to lack of memory Edward Adam Davis
2024-12-19 11:17 ` [syzbot] [overlayfs?] WARNING in ovl_encode_real_fh Amir Goldstein
2024-12-19 11:38 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tencent_26AD044DF763D77266CFF361A365496AE305@qq.com \
--to=eadavis@qq.com \
--cc=amir73il@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=syzbot+ec07f6f5ce62b858579f@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.