Re: [PATCH] ovl: fix null pointer when filesystem doesn't support direct IO

Re: [PATCH] ovl: fix null pointer when filesystem doesn't support direct IO

[Huang Jianan]

在 2021/9/22 9:56, Chengguang Xu 写道:
> 在 2021/9/18 20:13, Huang Jianan 写道:
>> From: Huang Jianan <huangjianan@oppo.com>
>>
>> At present, overlayfs provides overlayfs inode to users. Overlayfs
>> inode provides ovl_aops with noop_direct_IO to avoid open failure
>> with O_DIRECT. But some compressed filesystems, such as erofs and
>> squashfs, don't support direct_IO.
>>
>> Users who use f_mapping->a_ops->direct_IO to check O_DIRECT support,
>> will read file through this way. This will cause overlayfs to access
>> a non-existent direct_IO function and cause panic due to null pointer:
>>
>> Kernel panic - not syncing: CFI failure (target: 0x0)
>> CPU: 6 PID: 247 Comm: loop0
>> Call Trace:
>>   panic+0x188/0x45c
>>   __cfi_slowpath+0x0/0x254
>>   __cfi_slowpath+0x200/0x254
>>   generic_file_read_iter+0x14c/0x150
>>   vfs_iocb_iter_read+0xac/0x164
>>   ovl_read_iter+0x13c/0x2fc
>>   lo_rw_aio+0x2bc/0x458
>>   loop_queue_work+0x4a4/0xbc0
>>   kthread_worker_fn+0xf8/0x1d0
>>   loop_kthread_worker_fn+0x24/0x38
>>   kthread+0x29c/0x310
>>   ret_from_fork+0x10/0x30
>>
>> The filesystem may only support direct_IO for some file types. For
>> example, erofs supports direct_IO for uncompressed files. So fall
>> back to buffered io only when the file doesn't support direct_IO to
>> fix this problem.
>
>
> IMO, return error to user seems better option than fall back to
>
> buffered io directly.
>
Agreed, I will send v2 to fix it.

Thanks,
Jianan
>
> Thanks,
>
> Chengguang
>
>
>>
>> Fixes: 5b910bd615ba ("ovl: fix GPF in swapfile_activate of file from 
>> overlayfs over xfs")
>> Signed-off-by: Huang Jianan <huangjianan@oppo.com>
>> ---
>>   fs/overlayfs/file.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>> index d081faa55e83..998c60770b81 100644
>> --- a/fs/overlayfs/file.c
>> +++ b/fs/overlayfs/file.c
>> @@ -296,6 +296,10 @@ static ssize_t ovl_read_iter(struct kiocb *iocb, 
>> struct iov_iter *iter)
>>       if (ret)
>>           return ret;
>>   +    if ((iocb->ki_flags & IOCB_DIRECT) && 
>> (!real.file->f_mapping->a_ops ||
>> +        !real.file->f_mapping->a_ops->direct_IO))
>> +        iocb->ki_flags &= ~IOCB_DIRECT;
>> +
>>       old_cred = ovl_override_creds(file_inode(file)->i_sb);
>>       if (is_sync_kiocb(iocb)) {
>>           ret = vfs_iter_read(real.file, iter, &iocb->ki_pos,
>

[PATCH v2] ovl: fix null pointer when filesystem doesn't support direct IO

[Huang Jianan]

At present, overlayfs provides overlayfs inode to users. Overlayfs
inode provides ovl_aops with noop_direct_IO to avoid open failure
with O_DIRECT. But some compressed filesystems, such as erofs and
squashfs, don't support direct_IO.

Users who use f_mapping->a_ops->direct_IO to check O_DIRECT support,
will read file through this way. This will cause overlayfs to access
a non-existent direct_IO function and cause panic due to null pointer:

Kernel panic - not syncing: CFI failure (target: 0x0)
CPU: 6 PID: 247 Comm: loop0
Call Trace:
 panic+0x188/0x45c
 __cfi_slowpath+0x0/0x254
 __cfi_slowpath+0x200/0x254
 generic_file_read_iter+0x14c/0x150
 vfs_iocb_iter_read+0xac/0x164
 ovl_read_iter+0x13c/0x2fc
 lo_rw_aio+0x2bc/0x458
 loop_queue_work+0x4a4/0xbc0
 kthread_worker_fn+0xf8/0x1d0
 loop_kthread_worker_fn+0x24/0x38
 kthread+0x29c/0x310
 ret_from_fork+0x10/0x30

The filesystem may only support direct_IO for some file types. For
example, erofs supports direct_IO for uncompressed files. So reset
f_mapping->a_ops to NULL when the file doesn't support direct_IO to
fix this problem.

Fixes: 5b910bd615ba ("ovl: fix GPF in swapfile_activate of file from overlayfs over xfs")
Signed-off-by: Huang Jianan <huangjianan@oppo.com>
---
Change since v1:
 - Return error to user rather than fall back to buffered io. (Chengguang Xu)

 fs/overlayfs/file.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index d081faa55e83..38118d3b46f8 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -157,6 +157,10 @@ static int ovl_open(struct inode *inode, struct file *file)
 	if (IS_ERR(realfile))
 		return PTR_ERR(realfile);
 
+	if ((f->f_flags & O_DIRECT) && (!realfile->f_mapping->a_ops ||
+		!realfile->f_mapping->a_ops->direct_IO))
+		file->f_mapping->a_ops = NULL;
+
 	file->private_data = realfile;
 
 	return 0;
-- 
2.25.1

Re: [PATCH v2] ovl: fix null pointer when filesystem doesn't support direct IO

[Chengguang Xu]

在 2021/9/22 11:47, Huang Jianan 写道:
> At present, overlayfs provides overlayfs inode to users. Overlayfs
> inode provides ovl_aops with noop_direct_IO to avoid open failure
> with O_DIRECT. But some compressed filesystems, such as erofs and
> squashfs, don't support direct_IO.
>
> Users who use f_mapping->a_ops->direct_IO to check O_DIRECT support,
> will read file through this way. This will cause overlayfs to access
> a non-existent direct_IO function and cause panic due to null pointer:
>
> Kernel panic - not syncing: CFI failure (target: 0x0)
> CPU: 6 PID: 247 Comm: loop0
> Call Trace:
>   panic+0x188/0x45c
>   __cfi_slowpath+0x0/0x254
>   __cfi_slowpath+0x200/0x254
>   generic_file_read_iter+0x14c/0x150
>   vfs_iocb_iter_read+0xac/0x164
>   ovl_read_iter+0x13c/0x2fc
>   lo_rw_aio+0x2bc/0x458
>   loop_queue_work+0x4a4/0xbc0
>   kthread_worker_fn+0xf8/0x1d0
>   loop_kthread_worker_fn+0x24/0x38
>   kthread+0x29c/0x310
>   ret_from_fork+0x10/0x30
>
> The filesystem may only support direct_IO for some file types. For
> example, erofs supports direct_IO for uncompressed files. So reset
> f_mapping->a_ops to NULL when the file doesn't support direct_IO to
> fix this problem.
>
> Fixes: 5b910bd615ba ("ovl: fix GPF in swapfile_activate of file from overlayfs over xfs")
> Signed-off-by: Huang Jianan <huangjianan@oppo.com>
> ---
> Change since v1:
>   - Return error to user rather than fall back to buffered io. (Chengguang Xu)
>
>   fs/overlayfs/file.c | 4 ++++
>   1 file changed, 4 insertions(+)
>
> diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> index d081faa55e83..38118d3b46f8 100644
> --- a/fs/overlayfs/file.c
> +++ b/fs/overlayfs/file.c
> @@ -157,6 +157,10 @@ static int ovl_open(struct inode *inode, struct file *file)
>   	if (IS_ERR(realfile))
>   		return PTR_ERR(realfile);
>   
> +	if ((f->f_flags & O_DIRECT) && (!realfile->f_mapping->a_ops ||
> +		!realfile->f_mapping->a_ops->direct_IO))
> +		file->f_mapping->a_ops = NULL;


There are many other functions in a_ops and also address_space struct 
will be shared

between files which belong to same inode. Although overlayfs currently 
only defines

->direct_IO in a_ops, it will be extended in the future. (like 
containerized sycnfs [1])


It seems the simplest solution is directly return error to upper layer.


Thanks,

Chengguang


[1] https://www.spinics.net/lists/linux-unionfs/msg08569.html



> +
>   	file->private_data = realfile;
>   
>   	return 0;

Re: [PATCH v2] ovl: fix null pointer when filesystem doesn't support direct IO

[Huang Jianan]

在 2021/9/22 13:09, Chengguang Xu 写道:
> 在 2021/9/22 11:47, Huang Jianan 写道:
>> At present, overlayfs provides overlayfs inode to users. Overlayfs
>> inode provides ovl_aops with noop_direct_IO to avoid open failure
>> with O_DIRECT. But some compressed filesystems, such as erofs and
>> squashfs, don't support direct_IO.
>>
>> Users who use f_mapping->a_ops->direct_IO to check O_DIRECT support,
>> will read file through this way. This will cause overlayfs to access
>> a non-existent direct_IO function and cause panic due to null pointer:
>>
>> Kernel panic - not syncing: CFI failure (target: 0x0)
>> CPU: 6 PID: 247 Comm: loop0
>> Call Trace:
>>   panic+0x188/0x45c
>>   __cfi_slowpath+0x0/0x254
>>   __cfi_slowpath+0x200/0x254
>>   generic_file_read_iter+0x14c/0x150
>>   vfs_iocb_iter_read+0xac/0x164
>>   ovl_read_iter+0x13c/0x2fc
>>   lo_rw_aio+0x2bc/0x458
>>   loop_queue_work+0x4a4/0xbc0
>>   kthread_worker_fn+0xf8/0x1d0
>>   loop_kthread_worker_fn+0x24/0x38
>>   kthread+0x29c/0x310
>>   ret_from_fork+0x10/0x30
>>
>> The filesystem may only support direct_IO for some file types. For
>> example, erofs supports direct_IO for uncompressed files. So reset
>> f_mapping->a_ops to NULL when the file doesn't support direct_IO to
>> fix this problem.
>>
>> Fixes: 5b910bd615ba ("ovl: fix GPF in swapfile_activate of file from 
>> overlayfs over xfs")
>> Signed-off-by: Huang Jianan <huangjianan@oppo.com>
>> ---
>> Change since v1:
>>   - Return error to user rather than fall back to buffered io. 
>> (Chengguang Xu)
>>
>>   fs/overlayfs/file.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>> index d081faa55e83..38118d3b46f8 100644
>> --- a/fs/overlayfs/file.c
>> +++ b/fs/overlayfs/file.c
>> @@ -157,6 +157,10 @@ static int ovl_open(struct inode *inode, struct 
>> file *file)
>>       if (IS_ERR(realfile))
>>           return PTR_ERR(realfile);
>>   +    if ((f->f_flags & O_DIRECT) && (!realfile->f_mapping->a_ops ||
>> +        !realfile->f_mapping->a_ops->direct_IO))
>> +        file->f_mapping->a_ops = NULL;
>
>
> There are many other functions in a_ops and also address_space struct 
> will be shared
>
> between files which belong to same inode. Although overlayfs currently 
> only defines
>
> ->direct_IO in a_ops, it will be extended in the future. (like 
> containerized sycnfs [1])
>
>
> It seems the simplest solution is directly return error to upper layer.
>

I think that after reset a_ops, do_dentry_open will check 
f_mapping->a_ops->direct_IO
and return error. But return error directly in ovl_open seems to be a 
better solution, and
won't affect future extend of ovl_aops. Thanks for pointing this out.

Thanks,
Jianan

>
> Thanks,
>
> Chengguang
>
>
> [1] 
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.spinics.net%2Flists%2Flinux-unionfs%2Fmsg08569.html&amp;data=04%7C01%7Chuangjianan%40oppo.com%7Ce01c8bb9ad4e4ac2670008d97d87321c%7Cf1905eb1c35341c5951662b4a54b5ee6%7C0%7C0%7C637678842352759179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=Wo2uMfbYhqDOzDPSwHci2AVtM9y9nNstmayb741gspQ%3D&amp;reserved=0
>
>
>
>> +
>>       file->private_data = realfile;
>>         return 0;
>

[PATCH v3] ovl: fix null pointer when filesystem doesn't support direct IO

[Huang Jianan]

From: Huang Jianan <huangjianan@oppo.com>

At present, overlayfs provides overlayfs inode to users. Overlayfs
inode provides ovl_aops with noop_direct_IO to avoid open failure
with O_DIRECT. But some compressed filesystems, such as erofs and
squashfs, don't support direct_IO.

Users who use f_mapping->a_ops->direct_IO to check O_DIRECT support,
will read file through this way. This will cause overlayfs to access
a non-existent direct_IO function and cause panic due to null pointer:

Kernel panic - not syncing: CFI failure (target: 0x0)
CPU: 6 PID: 247 Comm: loop0
Call Trace:
 panic+0x188/0x45c
 __cfi_slowpath+0x0/0x254
 __cfi_slowpath+0x200/0x254
 generic_file_read_iter+0x14c/0x150
 vfs_iocb_iter_read+0xac/0x164
 ovl_read_iter+0x13c/0x2fc
 lo_rw_aio+0x2bc/0x458
 loop_queue_work+0x4a4/0xbc0
 kthread_worker_fn+0xf8/0x1d0
 loop_kthread_worker_fn+0x24/0x38
 kthread+0x29c/0x310
 ret_from_fork+0x10/0x30

The filesystem may only support direct_IO for some file types. For
example, erofs supports direct_IO for uncompressed files. So return
-EINVAL when the file doesn't support direct_IO to fix this problem.

Fixes: 5b910bd615ba ("ovl: fix GPF in swapfile_activate of file from overlayfs over xfs")
Signed-off-by: Huang Jianan <huangjianan@oppo.com>
---
change since v2:
 - Return error in ovl_open directly. (Chengguang Xu)

Change since v1:
 - Return error to user rather than fall back to buffered io. (Chengguang Xu)

 fs/overlayfs/file.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index d081faa55e83..a0c99ea35daf 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -157,6 +157,10 @@ static int ovl_open(struct inode *inode, struct file *file)
 	if (IS_ERR(realfile))
 		return PTR_ERR(realfile);
 
+	if ((f->f_flags & O_DIRECT) && (!realfile->f_mapping->a_ops ||
+		!realfile->f_mapping->a_ops->direct_IO))
+		return -EINVAL;
+
 	file->private_data = realfile;
 
 	return 0;
-- 
2.25.1

Re: [PATCH v3] ovl: fix null pointer when filesystem doesn't support direct IO

[Chengguang Xu]

在 2021/9/22 15:23, Huang Jianan 写道:
> From: Huang Jianan <huangjianan@oppo.com>
>
> At present, overlayfs provides overlayfs inode to users. Overlayfs
> inode provides ovl_aops with noop_direct_IO to avoid open failure
> with O_DIRECT. But some compressed filesystems, such as erofs and
> squashfs, don't support direct_IO.
>
> Users who use f_mapping->a_ops->direct_IO to check O_DIRECT support,
> will read file through this way. This will cause overlayfs to access
> a non-existent direct_IO function and cause panic due to null pointer:

I just looked around the code more closely, in open_with_fake_path(),

do_dentry_open() has already checked O_DIRECT open flag and 
a_ops->direct_IO of underlying real address_space.

Am I missing something?


Thanks,

Chengguang


>
> Kernel panic - not syncing: CFI failure (target: 0x0)
> CPU: 6 PID: 247 Comm: loop0
> Call Trace:
>   panic+0x188/0x45c
>   __cfi_slowpath+0x0/0x254
>   __cfi_slowpath+0x200/0x254
>   generic_file_read_iter+0x14c/0x150
>   vfs_iocb_iter_read+0xac/0x164
>   ovl_read_iter+0x13c/0x2fc
>   lo_rw_aio+0x2bc/0x458
>   loop_queue_work+0x4a4/0xbc0
>   kthread_worker_fn+0xf8/0x1d0
>   loop_kthread_worker_fn+0x24/0x38
>   kthread+0x29c/0x310
>   ret_from_fork+0x10/0x30
>
> The filesystem may only support direct_IO for some file types. For
> example, erofs supports direct_IO for uncompressed files. So return
> -EINVAL when the file doesn't support direct_IO to fix this problem.
>
> Fixes: 5b910bd615ba ("ovl: fix GPF in swapfile_activate of file from overlayfs over xfs")
> Signed-off-by: Huang Jianan <huangjianan@oppo.com>
> ---
> change since v2:
>   - Return error in ovl_open directly. (Chengguang Xu)
>
> Change since v1:
>   - Return error to user rather than fall back to buffered io. (Chengguang Xu)
>
>   fs/overlayfs/file.c | 4 ++++
>   1 file changed, 4 insertions(+)
>
> diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> index d081faa55e83..a0c99ea35daf 100644
> --- a/fs/overlayfs/file.c
> +++ b/fs/overlayfs/file.c
> @@ -157,6 +157,10 @@ static int ovl_open(struct inode *inode, struct file *file)
>   	if (IS_ERR(realfile))
>   		return PTR_ERR(realfile);
>   
> +	if ((f->f_flags & O_DIRECT) && (!realfile->f_mapping->a_ops ||
> +		!realfile->f_mapping->a_ops->direct_IO))
> +		return -EINVAL;
> +
>   	file->private_data = realfile;
>   
>   	return 0;

Re: [PATCH v3] ovl: fix null pointer when filesystem doesn't support direct IO

[Huang Jianan]

在 2021/9/22 16:06, Chengguang Xu 写道:
> 在 2021/9/22 15:23, Huang Jianan 写道:
>> From: Huang Jianan <huangjianan@oppo.com>
>>
>> At present, overlayfs provides overlayfs inode to users. Overlayfs
>> inode provides ovl_aops with noop_direct_IO to avoid open failure
>> with O_DIRECT. But some compressed filesystems, such as erofs and
>> squashfs, don't support direct_IO.
>>
>> Users who use f_mapping->a_ops->direct_IO to check O_DIRECT support,
>> will read file through this way. This will cause overlayfs to access
>> a non-existent direct_IO function and cause panic due to null pointer:
>
> I just looked around the code more closely, in open_with_fake_path(),
>
> do_dentry_open() has already checked O_DIRECT open flag and 
> a_ops->direct_IO of underlying real address_space.
>
> Am I missing something?
>
>

It seems that loop_update_dio will set lo->use_dio after open file 
without set O_DIRECT.
loop_update_dio will check f_mapping->a_ops->direct_IO but it deal with 
ovl_aops with
noop _direct_IO.

So I think we still need a new aops?

Thanks,
Jianan

> Thanks,
>
> Chengguang
>
>
>>
>> Kernel panic - not syncing: CFI failure (target: 0x0)
>> CPU: 6 PID: 247 Comm: loop0
>> Call Trace:
>>   panic+0x188/0x45c
>>   __cfi_slowpath+0x0/0x254
>>   __cfi_slowpath+0x200/0x254
>>   generic_file_read_iter+0x14c/0x150
>>   vfs_iocb_iter_read+0xac/0x164
>>   ovl_read_iter+0x13c/0x2fc
>>   lo_rw_aio+0x2bc/0x458
>>   loop_queue_work+0x4a4/0xbc0
>>   kthread_worker_fn+0xf8/0x1d0
>>   loop_kthread_worker_fn+0x24/0x38
>>   kthread+0x29c/0x310
>>   ret_from_fork+0x10/0x30
>>
>> The filesystem may only support direct_IO for some file types. For
>> example, erofs supports direct_IO for uncompressed files. So return
>> -EINVAL when the file doesn't support direct_IO to fix this problem.
>>
>> Fixes: 5b910bd615ba ("ovl: fix GPF in swapfile_activate of file from 
>> overlayfs over xfs")
>> Signed-off-by: Huang Jianan <huangjianan@oppo.com>
>> ---
>> change since v2:
>>   - Return error in ovl_open directly. (Chengguang Xu)
>>
>> Change since v1:
>>   - Return error to user rather than fall back to buffered io. 
>> (Chengguang Xu)
>>
>>   fs/overlayfs/file.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>> index d081faa55e83..a0c99ea35daf 100644
>> --- a/fs/overlayfs/file.c
>> +++ b/fs/overlayfs/file.c
>> @@ -157,6 +157,10 @@ static int ovl_open(struct inode *inode, struct 
>> file *file)
>>       if (IS_ERR(realfile))
>>           return PTR_ERR(realfile);
>>   +    if ((f->f_flags & O_DIRECT) && (!realfile->f_mapping->a_ops ||
>> +        !realfile->f_mapping->a_ops->direct_IO))
>> +        return -EINVAL;
>> +
>>       file->private_data = realfile;
>>         return 0;
>

Re: [PATCH v3] ovl: fix null pointer when filesystemdoesn'tsupportdirect IO

[Chengguang Xu]

在 2021/9/22 16:24, Huang Jianan 写道:
>
>
> 在 2021/9/22 16:06, Chengguang Xu 写道:
>> 在 2021/9/22 15:23, Huang Jianan 写道:
>>> From: Huang Jianan <huangjianan@oppo.com>
>>>
>>> At present, overlayfs provides overlayfs inode to users. Overlayfs
>>> inode provides ovl_aops with noop_direct_IO to avoid open failure
>>> with O_DIRECT. But some compressed filesystems, such as erofs and
>>> squashfs, don't support direct_IO.
>>>
>>> Users who use f_mapping->a_ops->direct_IO to check O_DIRECT support,
>>> will read file through this way. This will cause overlayfs to access
>>> a non-existent direct_IO function and cause panic due to null pointer:
>>
>> I just looked around the code more closely, in open_with_fake_path(),
>>
>> do_dentry_open() has already checked O_DIRECT open flag and 
>> a_ops->direct_IO of underlying real address_space.
>>
>> Am I missing something?
>>
>>
>
> It seems that loop_update_dio will set lo->use_dio after open file 
> without set O_DIRECT.
> loop_update_dio will check f_mapping->a_ops->direct_IO but it deal 
> with ovl_aops with
> noop _direct_IO.
>
> So I think we still need a new aops?


It means we should only set ->direct_IO for overlayfs inodes whose 
underlying fs has DIRECT IO ability.


Hi Miklos,

Is it right solution for this kind of issue? What do you think?


Thanks,

Chengguang



>
> Thanks,
> Jianan
>
>> Thanks,
>>
>> Chengguang
>>
>>
>>>
>>> Kernel panic - not syncing: CFI failure (target: 0x0)
>>> CPU: 6 PID: 247 Comm: loop0
>>> Call Trace:
>>>   panic+0x188/0x45c
>>>   __cfi_slowpath+0x0/0x254
>>>   __cfi_slowpath+0x200/0x254
>>>   generic_file_read_iter+0x14c/0x150
>>>   vfs_iocb_iter_read+0xac/0x164
>>>   ovl_read_iter+0x13c/0x2fc
>>>   lo_rw_aio+0x2bc/0x458
>>>   loop_queue_work+0x4a4/0xbc0
>>>   kthread_worker_fn+0xf8/0x1d0
>>>   loop_kthread_worker_fn+0x24/0x38
>>>   kthread+0x29c/0x310
>>>   ret_from_fork+0x10/0x30
>>>
>>> The filesystem may only support direct_IO for some file types. For
>>> example, erofs supports direct_IO for uncompressed files. So return
>>> -EINVAL when the file doesn't support direct_IO to fix this problem.
>>>
>>> Fixes: 5b910bd615ba ("ovl: fix GPF in swapfile_activate of file from 
>>> overlayfs over xfs")
>>> Signed-off-by: Huang Jianan <huangjianan@oppo.com>
>>> ---
>>> change since v2:
>>>   - Return error in ovl_open directly. (Chengguang Xu)
>>>
>>> Change since v1:
>>>   - Return error to user rather than fall back to buffered io. 
>>> (Chengguang Xu)
>>>
>>>   fs/overlayfs/file.c | 4 ++++
>>>   1 file changed, 4 insertions(+)
>>>
>>> diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>>> index d081faa55e83..a0c99ea35daf 100644
>>> --- a/fs/overlayfs/file.c
>>> +++ b/fs/overlayfs/file.c
>>> @@ -157,6 +157,10 @@ static int ovl_open(struct inode *inode, struct 
>>> file *file)
>>>       if (IS_ERR(realfile))
>>>           return PTR_ERR(realfile);
>>>   +    if ((f->f_flags & O_DIRECT) && (!realfile->f_mapping->a_ops ||
>>> +        !realfile->f_mapping->a_ops->direct_IO))
>>> +        return -EINVAL;
>>> +
>>>       file->private_data = realfile;
>>>         return 0;
>>
>

Re: [PATCH v3] ovl: fix null pointer when filesystemdoesn'tsupportdirect IO

[Miklos Szeredi]

On Wed, 22 Sept 2021 at 15:21, Chengguang Xu <cgxu519@139.com> wrote:
>
> 在 2021/9/22 16:24, Huang Jianan 写道:
> >
> >
> > 在 2021/9/22 16:06, Chengguang Xu 写道:
> >> 在 2021/9/22 15:23, Huang Jianan 写道:
> >>> From: Huang Jianan <huangjianan@oppo.com>
> >>>
> >>> At present, overlayfs provides overlayfs inode to users. Overlayfs
> >>> inode provides ovl_aops with noop_direct_IO to avoid open failure
> >>> with O_DIRECT. But some compressed filesystems, such as erofs and
> >>> squashfs, don't support direct_IO.
> >>>
> >>> Users who use f_mapping->a_ops->direct_IO to check O_DIRECT support,
> >>> will read file through this way. This will cause overlayfs to access
> >>> a non-existent direct_IO function and cause panic due to null pointer:
> >>
> >> I just looked around the code more closely, in open_with_fake_path(),
> >>
> >> do_dentry_open() has already checked O_DIRECT open flag and
> >> a_ops->direct_IO of underlying real address_space.
> >>
> >> Am I missing something?
> >>
> >>
> >
> > It seems that loop_update_dio will set lo->use_dio after open file
> > without set O_DIRECT.
> > loop_update_dio will check f_mapping->a_ops->direct_IO but it deal
> > with ovl_aops with
> > noop _direct_IO.
> >
> > So I think we still need a new aops?
>
>
> It means we should only set ->direct_IO for overlayfs inodes whose
> underlying fs has DIRECT IO ability.

First let's fix the oops: ovl_read_iter()/ovl_write_iter() must check
real file's ->direct_IO if IOCB_DIRECT is set in iocb->ki_flags and
return -EINVAL if not.

To fix the loop -> overlay -> squashfs case your suggestion of having
separate aops depending on the real inode's ->direct_IO sounds good.

Thanks,
Miklos

Re: [PATCH v3] ovl: fix null pointer when filesystemdoesn'tsupportdirect IO

[Miklos Szeredi]

On Wed, Sep 22, 2021 at 04:00:47PM +0200, Miklos Szeredi wrote:

> First let's fix the oops: ovl_read_iter()/ovl_write_iter() must check
> real file's ->direct_IO if IOCB_DIRECT is set in iocb->ki_flags and
> return -EINVAL if not.

And here's that fix.  Please test.

Thanks,
Miklos

---
From: Miklos Szeredi <mszeredi@redhat.com>
Subject: ovl: fix IOCB_DIRECT if underlying fs doesn't support direct IO

Normally the check at open time suffices, but e.g loop device does set
IOCB_DIRECT after doing its own checks (which are not sufficent for
overlayfs).

Make sure we don't call the underlying filesystem read/write method with
the IOCB_DIRECT if it's not supported.

Reported-by: Huang Jianan <huangjianan@oppo.com>
Fixes: 16914e6fc7e1 ("ovl: add ovl_read_iter()")
Cc: <stable@vger.kernel.org> # v4.19
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
---
 fs/overlayfs/file.c |   15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -296,6 +296,12 @@ static ssize_t ovl_read_iter(struct kioc
 	if (ret)
 		return ret;
 
+	ret = -EINVAL;
+	if (iocb->ki_flags & IOCB_DIRECT &&
+	    (!real.file->f_mapping->a_ops ||
+	     !real.file->f_mapping->a_ops->direct_IO))
+		goto out_fdput;
+
 	old_cred = ovl_override_creds(file_inode(file)->i_sb);
 	if (is_sync_kiocb(iocb)) {
 		ret = vfs_iter_read(real.file, iter, &iocb->ki_pos,
@@ -320,7 +326,7 @@ static ssize_t ovl_read_iter(struct kioc
 out:
 	revert_creds(old_cred);
 	ovl_file_accessed(file);
-
+out_fdput:
 	fdput(real);
 
 	return ret;
@@ -349,6 +355,12 @@ static ssize_t ovl_write_iter(struct kio
 	if (ret)
 		goto out_unlock;
 
+	ret = -EINVAL;
+	if (iocb->ki_flags & IOCB_DIRECT &&
+	    (!real.file->f_mapping->a_ops ||
+	     !real.file->f_mapping->a_ops->direct_IO))
+		goto out_fdput;
+
 	if (!ovl_should_sync(OVL_FS(inode->i_sb)))
 		ifl &= ~(IOCB_DSYNC | IOCB_SYNC);
 
@@ -384,6 +396,7 @@ static ssize_t ovl_write_iter(struct kio
 	}
 out:
 	revert_creds(old_cred);
+out_fdput:
 	fdput(real);
 
 out_unlock:

Re: [PATCH v3] ovl: fix null pointer when filesystemdoesn'tsupportdirect IO

[Huang Jianan]

在 2021/9/27 17:38, Miklos Szeredi 写道:
> On Wed, Sep 22, 2021 at 04:00:47PM +0200, Miklos Szeredi wrote:
>
>> First let's fix the oops: ovl_read_iter()/ovl_write_iter() must check
>> real file's ->direct_IO if IOCB_DIRECT is set in iocb->ki_flags and
>> return -EINVAL if not.
> And here's that fix.  Please test.

This patch can fix the oops.

Tested-by: Huang Jianan <huangjianan@oppo.com>

Thanks,
Jianan

> Thanks,
> Miklos
>
> ---
> From: Miklos Szeredi <mszeredi@redhat.com>
> Subject: ovl: fix IOCB_DIRECT if underlying fs doesn't support direct IO
>
> Normally the check at open time suffices, but e.g loop device does set
> IOCB_DIRECT after doing its own checks (which are not sufficent for
> overlayfs).
>
> Make sure we don't call the underlying filesystem read/write method with
> the IOCB_DIRECT if it's not supported.
>
> Reported-by: Huang Jianan <huangjianan@oppo.com>
> Fixes: 16914e6fc7e1 ("ovl: add ovl_read_iter()")
> Cc: <stable@vger.kernel.org> # v4.19
> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
> ---
>   fs/overlayfs/file.c |   15 ++++++++++++++-
>   1 file changed, 14 insertions(+), 1 deletion(-)
>
> --- a/fs/overlayfs/file.c
> +++ b/fs/overlayfs/file.c
> @@ -296,6 +296,12 @@ static ssize_t ovl_read_iter(struct kioc
>   	if (ret)
>   		return ret;
>   
> +	ret = -EINVAL;
> +	if (iocb->ki_flags & IOCB_DIRECT &&
> +	    (!real.file->f_mapping->a_ops ||
> +	     !real.file->f_mapping->a_ops->direct_IO))
> +		goto out_fdput;
> +
>   	old_cred = ovl_override_creds(file_inode(file)->i_sb);
>   	if (is_sync_kiocb(iocb)) {
>   		ret = vfs_iter_read(real.file, iter, &iocb->ki_pos,
> @@ -320,7 +326,7 @@ static ssize_t ovl_read_iter(struct kioc
>   out:
>   	revert_creds(old_cred);
>   	ovl_file_accessed(file);
> -
> +out_fdput:
>   	fdput(real);
>   
>   	return ret;
> @@ -349,6 +355,12 @@ static ssize_t ovl_write_iter(struct kio
>   	if (ret)
>   		goto out_unlock;
>   
> +	ret = -EINVAL;
> +	if (iocb->ki_flags & IOCB_DIRECT &&
> +	    (!real.file->f_mapping->a_ops ||
> +	     !real.file->f_mapping->a_ops->direct_IO))
> +		goto out_fdput;
> +
>   	if (!ovl_should_sync(OVL_FS(inode->i_sb)))
>   		ifl &= ~(IOCB_DSYNC | IOCB_SYNC);
>   
> @@ -384,6 +396,7 @@ static ssize_t ovl_write_iter(struct kio
>   	}
>   out:
>   	revert_creds(old_cred);
> +out_fdput:
>   	fdput(real);
>   
>   out_unlock:

Re: [PATCH v3] ovl: fix null pointer when filesystemdoesn'tsupportdirect IO

[Miklos Szeredi]

On Tue, 28 Sept 2021 at 09:01, Huang Jianan <huangjianan@oppo.com> wrote:
>
> 在 2021/9/27 17:38, Miklos Szeredi 写道:
> > On Wed, Sep 22, 2021 at 04:00:47PM +0200, Miklos Szeredi wrote:
> >
> >> First let's fix the oops: ovl_read_iter()/ovl_write_iter() must check
> >> real file's ->direct_IO if IOCB_DIRECT is set in iocb->ki_flags and
> >> return -EINVAL if not.
> > And here's that fix.  Please test.
>
> This patch can fix the oops.
>
> Tested-by: Huang Jianan <huangjianan@oppo.com>

Thanks for testing!

Miklos