On Thu, Jun 26, 2025 at 11:14:59AM +0900, Tetsuo Handa wrote:
> But when commit b5ae6b15bd73 ("merge d_materialise_unique() into
> d_splice_alias()") was merged into v3.19-rc1, d_splice_alias() started
> returning -ELOOP as one of ERR_PTR values.
>
> As a result, when syzkaller mounts a crafted ocfs2 filesystem image that
> hits d_splice_alias() == -ELOOP case from ocfs2_lookup(), ocfs2_lookup()
> fails to handle -ELOOP case and generic_shutdown_super() hits "VFS: Busy
> inodes after unmount" message.
>
> Don't call ocfs2_dentry_attach_lock() nor ocfs2_dentry_attach_gen()
> when d_splice_alias() returned -ELOOP.
>
> Reported-by: syzbot <syzbot+1134d3a5b062e9665a7a@xxxxxxxxxxxxxxxxxxxxxxxxx>
> Closes: https://syzkaller.appspot.com/bug?extid=1134d3a5b062e9665a7a
> Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
> ---
> This patch wants review from maintainers. I'm not familiar with this change.

Not the right fix.  If nothing else, -ELOOP is not the only possible value
there.  This
		status = ocfs2_dentry_attach_lock(dentry, inode,
						  OCFS2_I(dir)->ip_blkno);
		if (status) {
			mlog_errno(status);
			ret = ERR_PTR(status);
			goto bail_unlock;
		}
looks like pretty obvious leak in its own right?  What's more, on IS_ERR(ret)
we should stop playing silly buggers and just return the damn error.
So basically
	ret = d_splice_alias(inode, dentry);
	if (IS_ERR(ret))
		goto bail_unlock;
	if (inode) {
		if (ret)
			dentry = ret;
		status = ocfs2_dentry_attach_lock(dentry, inode,
						  OCFS2_I(dir)->ip_blkno);
		if (unlikely(status)) {
			if (ret)
				dput(ret);
			ret = ERR_PTR(status);
		}
	} else {
		ocfs2_dentry_attach_gen(dentry);
	}
bail_unlock:
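
Added example, not part of the original message or the ocfs2 source: a user-space model of the `inode != NULL` branch discussed in the reply, showing the reference that is lost when `ret` is overwritten without `dput()` and the extra attach call made on an `ERR_PTR` result. `splice()`, `attach_lock()`, `lookup_old()`, `lookup_new()` and the toy `struct dentry` are hypothetical stand-ins, and the model assumes an alias returned by `d_splice_alias()` carries a reference the caller must drop.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* User-space stand-ins for the kernel's ERR_PTR helpers (simplified). */
#define MAX_ERRNO 4095
static void *ERR_PTR(long e) { return (void *)(intptr_t)e; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct dentry { int refs; };           /* toy dentry: a reference count only */
static void dput(struct dentry *d) { d->refs--; }

/* Hypothetical stub for d_splice_alias(): NULL, alias with extra ref, or error. */
enum { SPLICE_NULL, SPLICE_ALIAS, SPLICE_ELOOP };
static struct dentry *splice(int mode, struct dentry *alias)
{
	if (mode == SPLICE_ELOOP)
		return ERR_PTR(-ELOOP);
	if (mode == SPLICE_ALIAS) {
		alias->refs++;             /* caller now owns this reference */
		return alias;
	}
	return NULL;
}

static int attach_calls;               /* counts attach-lock invocations */
static int attach_lock(int status) { attach_calls++; return status; }

/* Model of the flow the reply calls a leak: ret overwritten without dput(). */
struct dentry *lookup_old(int mode, struct dentry *alias, int status)
{
	struct dentry *ret = splice(mode, alias);
	if (attach_lock(status))
		ret = ERR_PTR(status);     /* alias reference is lost here */
	return ret;
}

/* Model of the flow proposed in the reply: bail on IS_ERR, dput() first. */
struct dentry *lookup_new(int mode, struct dentry *alias, int status)
{
	struct dentry *ret = splice(mode, alias);
	if (IS_ERR(ret))
		return ret;
	if (attach_lock(status)) {
		if (ret)
			dput(ret);
		ret = ERR_PTR(status);
	}
	return ret;
}
```
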