From: Nirmoy Das <nirmoyd@nvidia.com>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
Christian Brauner <brauner@kernel.org>,
<linux-unionfs@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<syzbot+a16fb0cce329a320661c@syzkaller.appspotmail.com>,
<stable@vger.kernel.org>
Subject: Re: [PATCH v2] ovl: keep err zero after successful ovl_cache_get()
Date: Fri, 15 May 2026 13:15:41 +0200 [thread overview]
Message-ID: <20be39e1-8da7-4f81-9134-d748841b3611@nvidia.com> (raw)
In-Reply-To: <CAOQ4uxgad=DE9wMAS6Wn9rrEkOX3p0S8jEhsjnj=Or=_7HsqyA@mail.gmail.com>
Hi Amir,
On 14.05.26 22:19, Amir Goldstein wrote:
> On Thu, May 14, 2026 at 5:26 PM Amir Goldstein <amir73il@gmail.com> wrote:
>> On Thu, May 14, 2026 at 4:43 PM Nirmoy Das <nirmoyd@nvidia.com> wrote:
>>> ovl_iterate_merged() stores PTR_ERR(cache) in err before checking
>>> IS_ERR(cache). On success err holds the truncated cache pointer and
>>> can be returned as a bogus non-zero error.
>>>
>>> The syzbot reproducer reaches this through overlay-on-overlay readdir:
>>>
>>> getdents64
>>> iterate_dir(outer overlay file)
>>> ovl_iterate_merged()
>>> ovl_cache_get()
>>> ovl_dir_read_merged()
>>> ovl_dir_read()
>>> iterate_dir(inner overlay file)
>>> ovl_iterate_merged()
>>>
>>> Only compute PTR_ERR(cache) on the error path.
>>>
>>> Fixes: d25e4b739f83 ("ovl: refactor ovl_iterate() and port to cred guard")
>>> Reported-by: syzbot+a16fb0cce329a320661c@syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=a16fb0cce329a320661c
>>> Cc: stable@vger.kernel.org
>>> Signed-off-by: Nirmoy Das <nirmoyd@nvidia.com>
>>> ---
>>> v2:
>>> - Drop the now-redundant 'int err = 0' initializer and the trailing
>>> 'return err' in ovl_iterate_merged(); err is only used inside the
>>> loop's update-check, so the function can just return 0 on success.
>>> (Amir Goldstein)
>>> - Link to v1:
>>> https://lore.kernel.org/all/20260514111354.3552538-1-nirmoyd@nvidia.com/
>>>
>> I queue this up and will work on fortifying patches.
> Nirmoy,
>
> I pushed fortify patches to ovl-fixes on my github [1].
>
> Can you verify that the assertions trigger if you revert your fix
> and run the reproducer?
>
> I imagine they would trigger much more frequently than the KASAN
> warnings do.
Yes, the assertion triggers with your ovl-fixes branch after reverting
my fix.
9541f25af774 Revert "ovl: keep err zero after successful ovl_cache_get()"
1c067d912e47 ovl: add assertions in dir cache code
98e3a2d258e9 ovl: fix race between copy-up and open of a directory
4f80bb375112 ovl: keep err zero after successful ovl_cache_get()
18de6460b6bd ovl: opt-in for fortified ERR_PTR()
690bd87e1fef err_ptr.h: introduce ERR_PTR_SAFE()
7fd2df204f34 Linux 7.1-rc2
Running the syz reproducer with panic_on_warn=1 triggered:
[ 55.404636] ------------[ cut here ]------------
[ 55.404646] WARNING: fs/overlayfs/readdir.c:511 at
ovl_iterate+0x4c0/0x5bc, CPU#2: syz-ovl-iterate/14575
[ 55.406875] CPU: 2 UID: 0 PID: 14575 Comm: syz-ovl-iterate Not
tainted 7.1.0-rc2-g9541f25af774 #1 PREEMPT
[ 55.408328] pc : ovl_iterate+0x4c0/0x5bc
[ 55.408632] lr : ovl_iterate+0x4b4/0x5bc
[ 55.413504] x2 : 0000000000000000 x1 : 0000000000000000 x0 :
ffffffffc152db40
[ 55.414036] Call trace:
[ 55.414209] ovl_iterate+0x4c0/0x5bc (P)
[ 55.414503] wrap_directory_iterator+0x60/0x90
[ 55.414809] shared_ovl_iterate+0x18/0x24
[ 55.415125] iterate_dir+0x10c/0x3a4
[ 55.415365] __arm64_sys_getdents64+0xe0/0x1e4
[ 55.417312] Kernel panic - not syncing: kernel: panic_on_warn set ...
Regards,
Nirmoy
>
> Thanks,
> Amir.
>
> [1] https://github.com/amir73il/linux/commits/ovl-fixes/
prev parent reply other threads:[~2026-05-15 11:16 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-14 11:13 [PATCH] ovl: keep err zero after successful ovl_cache_get() Nirmoy Das
2026-05-14 12:36 ` Amir Goldstein
2026-05-14 14:37 ` Nirmoy Das
2026-05-14 14:42 ` [PATCH v2] " Nirmoy Das
2026-05-14 15:26 ` Amir Goldstein
2026-05-14 19:19 ` Amir Goldstein
2026-05-15 11:15 ` Nirmoy Das [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20be39e1-8da7-4f81-9134-d748841b3611@nvidia.com \
--to=nirmoyd@nvidia.com \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=stable@vger.kernel.org \
--cc=syzbot+a16fb0cce329a320661c@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox