* Re: Forwarded: [PATCH] fs: fix inode use-after-free in chown_common delegation retry
From: kernel test robot @ 2025-11-09 11:05 UTC
To: syzbot, linux-kernel, syzkaller-bugs; +Cc: llvm, oe-kbuild-all

Hi syzbot,

kernel test robot noticed the following build warnings:

[auto build test WARNING on brauner-vfs/vfs.all]
[also build test WARNING on linus/master v6.18-rc4 next-20251107]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/syzbot/Forwarded-PATCH-fs-fix-inode-use-after-free-in-chown_common-delegation-retry/20251109-171000
base:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git vfs.all
patch link:    https://lore.kernel.org/r/691059ff.a70a0220.22f260.00a6.GAE%40google.com
patch subject: Forwarded: [PATCH] fs: fix inode use-after-free in chown_common delegation retry
config: arm-allnoconfig (https://download.01.org/0day-ci/archive/20251109/202511091815.6q5WUuzH-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project b9ea93cd5c37fb6d606502fd01208dd48330549d)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251109/202511091815.6q5WUuzH-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511091815.6q5WUuzH-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> fs/open.c:771:9: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
     769 |         printk("DEBUG: [%s] retry_deleg: inode=%p, i_count=%d, i_rwsem.owner=%px\n",
         |                                                                              ~~
         |                                                                              %ld
     770 |                current->comm, inode, atomic_read(&inode->i_count),
     771 |                atomic_long_read(&inode->i_rwsem.owner));
         |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:512:60: note: expanded from macro 'printk'
     512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
         |                                                     ~~~    ^~~~~~~~~~~
   include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
     484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
         |                         ~~~~    ^~~~~~~~~~~
   fs/open.c:785:31: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
     784 |         printk("DEBUG: [%s] after inode_lock: inode=%p, i_rwsem.owner=%px (current=%px)\n",
         |                                                                       ~~
         |                                                                       %ld
     785 |                current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), current);
         |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:512:60: note: expanded from macro 'printk'
     512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
         |                                                     ~~~    ^~~~~~~~~~~
   include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
     484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
         |                         ~~~~    ^~~~~~~~~~~
   fs/open.c:798:31: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
     797 |         printk("DEBUG: [%s] before inode_unlock: inode=%p, i_rwsem.owner=%px, delegated_inode=%p\n",
         |                                                                          ~~
         |                                                                          %ld
     798 |                current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), delegated_inode);
         |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:512:60: note: expanded from macro 'printk'
     512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
         |                                                     ~~~    ^~~~~~~~~~~
   include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
     484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
         |                         ~~~~    ^~~~~~~~~~~
   fs/open.c:801:31: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
     800 |         printk("DEBUG: [%s] after inode_unlock: inode=%p, i_rwsem.owner=%px\n",
         |                                                                         ~~
         |                                                                         %ld
     801 |                current->comm, inode, atomic_long_read(&inode->i_rwsem.owner));
         |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:512:60: note: expanded from macro 'printk'
     512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
         |                                                     ~~~    ^~~~~~~~~~~
   include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
     484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
         |                         ~~~~    ^~~~~~~~~~~
   4 warnings generated.


vim +771 fs/open.c

   750
   751  int chown_common(const struct path *path, uid_t user, gid_t group)
   752  {
   753          struct mnt_idmap *idmap;
   754          struct user_namespace *fs_userns;
   755          struct inode *inode = path->dentry->d_inode;
   756          struct inode *delegated_inode = NULL;
   757          int error;
   758          struct iattr newattrs;
   759          kuid_t uid;
   760          kgid_t gid;
   761
   762          uid = make_kuid(current_user_ns(), user);
   763          gid = make_kgid(current_user_ns(), group);
   764
   765          idmap = mnt_idmap(path->mnt);
   766          fs_userns = i_user_ns(inode);
   767
   768  retry_deleg:
   769          printk("DEBUG: [%s] retry_deleg: inode=%p, i_count=%d, i_rwsem.owner=%px\n",
   770                 current->comm, inode, atomic_read(&inode->i_count),
 > 771                 atomic_long_read(&inode->i_rwsem.owner));
   772          newattrs.ia_vfsuid = INVALID_VFSUID;
   773          newattrs.ia_vfsgid = INVALID_VFSGID;
   774          newattrs.ia_valid = ATTR_CTIME;
   775          if ((user != (uid_t)-1) && !setattr_vfsuid(&newattrs, uid))
   776                  return -EINVAL;
   777          if ((group != (gid_t)-1) && !setattr_vfsgid(&newattrs, gid))
   778                  return -EINVAL;
   779          printk("DEBUG: [%s] before inode_lock: inode=%p, i_count=%d\n",
   780                 current->comm, inode, atomic_read(&inode->i_count));
   781          error = inode_lock_killable(inode);
   782          if (error)
   783                  return error;
   784          printk("DEBUG: [%s] after inode_lock: inode=%p, i_rwsem.owner=%px (current=%px)\n",
   785                 current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), current);
   786          if (!S_ISDIR(inode->i_mode))
   787                  newattrs.ia_valid |= ATTR_KILL_SUID | ATTR_KILL_PRIV |
   788                                       setattr_should_drop_sgid(idmap, inode);
   789          /* Continue to send actual fs values, not the mount values. */
   790          error = security_path_chown(
   791                  path,
   792                  from_vfsuid(idmap, fs_userns, newattrs.ia_vfsuid),
   793                  from_vfsgid(idmap, fs_userns, newattrs.ia_vfsgid));
   794          if (!error)
   795                  error = notify_change(idmap, path->dentry, &newattrs,
   796                                        &delegated_inode);
   797          printk("DEBUG: [%s] before inode_unlock: inode=%p, i_rwsem.owner=%px, delegated_inode=%p\n",
   798                 current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), delegated_inode);
   799          inode_unlock(inode);
   800          printk("DEBUG: [%s] after inode_unlock: inode=%p, i_rwsem.owner=%px\n",
   801                 current->comm, inode, atomic_long_read(&inode->i_rwsem.owner));
   802          if (delegated_inode) {
   803                  printk("DEBUG: [%s] calling break_deleg_wait: inode=%p, i_count=%d, delegated_inode=%p\n",
   804                         current->comm, inode, atomic_read(&inode->i_count), delegated_inode);
   805                  error = break_deleg_wait(&delegated_inode);
   806                  printk("DEBUG: [%s] after break_deleg_wait: inode=%p, i_count=%d, error=%d\n",
   807                         current->comm, inode, atomic_read(&inode->i_count), error);
   808                  if (!error)
   809                          goto retry_deleg;
   810          }
   811          return error;
   812  }
   813

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

* Re: Forwarded: [PATCH] fs: fix inode use-after-free in chown_common delegation retry
From: Philip Li @ 2025-11-09 12:26 UTC
To: kernel test robot
Cc: syzbot, linux-kernel, syzkaller-bugs, llvm, oe-kbuild-all

On Sun, Nov 09, 2025 at 07:05:11PM +0800, kernel test robot wrote:
> Hi syzbot,
>
> kernel test robot noticed the following build warnings:

Sorry, kindly ignore this report.

>
> [auto build test WARNING on brauner-vfs/vfs.all]
> [also build test WARNING on linus/master v6.18-rc4 next-20251107]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url:    https://github.com/intel-lab-lkp/linux/commits/syzbot/Forwarded-PATCH-fs-fix-inode-use-after-free-in-chown_common-delegation-retry/20251109-171000
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git vfs.all
> patch link:    https://lore.kernel.org/r/691059ff.a70a0220.22f260.00a6.GAE%40google.com
> patch subject: Forwarded: [PATCH] fs: fix inode use-after-free in chown_common delegation retry
> config: arm-allnoconfig (https://download.01.org/0day-ci/archive/20251109/202511091815.6q5WUuzH-lkp@intel.com/config)
> compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project b9ea93cd5c37fb6d606502fd01208dd48330549d)
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251109/202511091815.6q5WUuzH-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202511091815.6q5WUuzH-lkp@intel.com/
>
> All warnings (new ones prefixed by >>):
>
> >> fs/open.c:771:9: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
>      769 |         printk("DEBUG: [%s] retry_deleg: inode=%p, i_count=%d, i_rwsem.owner=%px\n",
>          |                                                                              ~~
>          |                                                                              %ld
>      770 |                current->comm, inode, atomic_read(&inode->i_count),
>      771 |                atomic_long_read(&inode->i_rwsem.owner));
>          |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    include/linux/printk.h:512:60: note: expanded from macro 'printk'
>      512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
>          |                                                     ~~~    ^~~~~~~~~~~
>    include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
>      484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
>          |                         ~~~~    ^~~~~~~~~~~
>    fs/open.c:785:31: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
>      784 |         printk("DEBUG: [%s] after inode_lock: inode=%p, i_rwsem.owner=%px (current=%px)\n",
>          |                                                                       ~~
>          |                                                                       %ld
>      785 |                current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), current);
>          |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    include/linux/printk.h:512:60: note: expanded from macro 'printk'
>      512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
>          |                                                     ~~~    ^~~~~~~~~~~
>    include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
>      484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
>          |                         ~~~~    ^~~~~~~~~~~
>    fs/open.c:798:31: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
>      797 |         printk("DEBUG: [%s] before inode_unlock: inode=%p, i_rwsem.owner=%px, delegated_inode=%p\n",
>          |                                                                          ~~
>          |                                                                          %ld
>      798 |                current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), delegated_inode);
>          |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    include/linux/printk.h:512:60: note: expanded from macro 'printk'
>      512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
>          |                                                     ~~~    ^~~~~~~~~~~
>    include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
>      484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
>          |                         ~~~~    ^~~~~~~~~~~
>    fs/open.c:801:31: warning: format specifies type 'void *' but the argument has type 'long' [-Wformat]
>      800 |         printk("DEBUG: [%s] after inode_unlock: inode=%p, i_rwsem.owner=%px\n",
>          |                                                                         ~~
>          |                                                                         %ld
>      801 |                current->comm, inode, atomic_long_read(&inode->i_rwsem.owner));
>          |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    include/linux/printk.h:512:60: note: expanded from macro 'printk'
>      512 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
>          |                                                     ~~~    ^~~~~~~~~~~
>    include/linux/printk.h:484:19: note: expanded from macro 'printk_index_wrap'
>      484 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
>          |                         ~~~~    ^~~~~~~~~~~
>    4 warnings generated.
>
>
> vim +771 fs/open.c
>
>    750
>    751  int chown_common(const struct path *path, uid_t user, gid_t group)
>    752  {
>    753          struct mnt_idmap *idmap;
>    754          struct user_namespace *fs_userns;
>    755          struct inode *inode = path->dentry->d_inode;
>    756          struct inode *delegated_inode = NULL;
>    757          int error;
>    758          struct iattr newattrs;
>    759          kuid_t uid;
>    760          kgid_t gid;
>    761
>    762          uid = make_kuid(current_user_ns(), user);
>    763          gid = make_kgid(current_user_ns(), group);
>    764
>    765          idmap = mnt_idmap(path->mnt);
>    766          fs_userns = i_user_ns(inode);
>    767
>    768  retry_deleg:
>    769          printk("DEBUG: [%s] retry_deleg: inode=%p, i_count=%d, i_rwsem.owner=%px\n",
>    770                 current->comm, inode, atomic_read(&inode->i_count),
>  > 771                 atomic_long_read(&inode->i_rwsem.owner));
>    772          newattrs.ia_vfsuid = INVALID_VFSUID;
>    773          newattrs.ia_vfsgid = INVALID_VFSGID;
>    774          newattrs.ia_valid = ATTR_CTIME;
>    775          if ((user != (uid_t)-1) && !setattr_vfsuid(&newattrs, uid))
>    776                  return -EINVAL;
>    777          if ((group != (gid_t)-1) && !setattr_vfsgid(&newattrs, gid))
>    778                  return -EINVAL;
>    779          printk("DEBUG: [%s] before inode_lock: inode=%p, i_count=%d\n",
>    780                 current->comm, inode, atomic_read(&inode->i_count));
>    781          error = inode_lock_killable(inode);
>    782          if (error)
>    783                  return error;
>    784          printk("DEBUG: [%s] after inode_lock: inode=%p, i_rwsem.owner=%px (current=%px)\n",
>    785                 current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), current);
>    786          if (!S_ISDIR(inode->i_mode))
>    787                  newattrs.ia_valid |= ATTR_KILL_SUID | ATTR_KILL_PRIV |
>    788                                       setattr_should_drop_sgid(idmap, inode);
>    789          /* Continue to send actual fs values, not the mount values. */
>    790          error = security_path_chown(
>    791                  path,
>    792                  from_vfsuid(idmap, fs_userns, newattrs.ia_vfsuid),
>    793                  from_vfsgid(idmap, fs_userns, newattrs.ia_vfsgid));
>    794          if (!error)
>    795                  error = notify_change(idmap, path->dentry, &newattrs,
>    796                                        &delegated_inode);
>    797          printk("DEBUG: [%s] before inode_unlock: inode=%p, i_rwsem.owner=%px, delegated_inode=%p\n",
>    798                 current->comm, inode, atomic_long_read(&inode->i_rwsem.owner), delegated_inode);
>    799          inode_unlock(inode);
>    800          printk("DEBUG: [%s] after inode_unlock: inode=%p, i_rwsem.owner=%px\n",
>    801                 current->comm, inode, atomic_long_read(&inode->i_rwsem.owner));
>    802          if (delegated_inode) {
>    803                  printk("DEBUG: [%s] calling break_deleg_wait: inode=%p, i_count=%d, delegated_inode=%p\n",
>    804                         current->comm, inode, atomic_read(&inode->i_count), delegated_inode);
>    805                  error = break_deleg_wait(&delegated_inode);
>    806                  printk("DEBUG: [%s] after break_deleg_wait: inode=%p, i_count=%d, error=%d\n",
>    807                         current->comm, inode, atomic_read(&inode->i_count), error);
>    808                  if (!error)
>    809                          goto retry_deleg;
>    810          }
>    811          return error;
>    812  }
>    813
>
> -- 
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>