linux-fscrypt.vger.kernel.org archive mirror
* [PATCH] f2fs: fix double free of f2fs_sb_info
       [not found] <20240113005031.GA1147@sol.localdomain>
@ 2024-01-13  0:57 ` Eric Biggers
  2024-01-13  1:01   ` Eric Biggers
  2024-01-13  1:14   ` [f2fs-dev] " Chao Yu
  0 siblings, 2 replies; 6+ messages in thread
From: Eric Biggers @ 2024-01-13  0:57 UTC (permalink / raw)
  To: linux-f2fs-devel; +Cc: linux-fscrypt, syzbot+8f477ac014ff5b32d81f

From: Eric Biggers <ebiggers@google.com>

kill_f2fs_super() is called even if f2fs_fill_super() fails.
f2fs_fill_super() frees the struct f2fs_sb_info, so it must set
sb->s_fs_info to NULL to prevent it from being freed again.

Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()")
Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/f2fs/super.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index d00d21a8b53ad..d45ab0992ae59 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4873,20 +4873,21 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
 		kfree(F2FS_OPTION(sbi).s_qf_names[i]);
 #endif
 	fscrypt_free_dummy_policy(&F2FS_OPTION(sbi).dummy_enc_policy);
 	kvfree(options);
 free_sb_buf:
 	kfree(raw_super);
 free_sbi:
 	if (sbi->s_chksum_driver)
 		crypto_free_shash(sbi->s_chksum_driver);
 	kfree(sbi);
+	sb->s_fs_info = NULL;
 
 	/* give only one another chance */
 	if (retry_cnt > 0 && skip_recovery) {
 		retry_cnt--;
 		shrink_dcache_sb(sb);
 		goto try_onemore;
 	}
 	return err;
 }
 
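Review bot: the new `sb->s_fs_info = NULL;` follows `kfree(sbi);`, so the super_block briefly holds a dangling pointer before it is cleared; nothing runs in between here, but clearing the pointer first (`sb->s_fs_info = NULL;` then `kfree(sbi);`) is the conventional order and leaves no window at all. The reason for the line lives only in the commit message: a one-line comment at the `free_sbi:` label stating that kill_f2fs_super() runs even when fill_super fails and must not free sbi a second time would spare the next reader a git-blame.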

base-commit: 38814330fedd778edffcabe0c8cb462ee365782e
-- 
2.43.0

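The double free the commit message describes, modelled in user-space C as an added example (this is not code from the patch or from f2fs): a toy super_block/sb_info pair, a fill_super() that allocates sbi and then fails, and a kill_super() that the caller invokes whether or not fill_super() succeeded, as the VFS does with kill_f2fs_super(). The allocation tracker and the names tracked_alloc, tracked_free, fill_super, kill_super and failed_mount_double_frees are constructed for this illustration; the tracker stands in for kfree() so the second release is counted rather than corrupting the heap.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel structures; only the field that
 * matters for the double free is modelled. */
struct super_block { void *s_fs_info; };	/* fs-private data: sbi for f2fs */
struct sb_info { int placeholder; };

/* Tiny allocation tracker: remembers every object handed out and whether it
 * is still live, so a second release of the same object is counted instead
 * of corrupting the heap. It replaces kfree() for this demonstration. */
#define MAX_OBJS 8
struct obj { void *ptr; bool live; };
static struct obj g_objs[MAX_OBJS];
static int g_nobjs;
static int g_double_frees;

static void tracker_reset(void)
{
	for (int i = 0; i < g_nobjs; i++)
		if (g_objs[i].live)
			free(g_objs[i].ptr);
	g_nobjs = 0;
	g_double_frees = 0;
}

static void *tracked_alloc(size_t n)
{
	void *p = g_nobjs < MAX_OBJS ? calloc(1, n) : NULL;

	if (p)
		g_objs[g_nobjs++] = (struct obj){ p, true };
	return p;
}

static void tracked_free(void *p)
{
	for (int i = 0; p && i < g_nobjs; i++) {
		if (g_objs[i].ptr != p)
			continue;
		if (!g_objs[i].live) {
			g_double_frees++;	/* second free of a released object */
			return;
		}
		g_objs[i].live = false;
		free(p);
		return;
	}
}

/* Models f2fs_fill_super(): allocate sbi, publish it through sb->s_fs_info,
 * fail at a later setup step, and unwind. clear_on_failure selects the
 * unwind before (false) and after (true) the one-line fix in the patch. */
static int fill_super(struct super_block *sb, bool clear_on_failure)
{
	struct sb_info *sbi = tracked_alloc(sizeof(*sbi));

	if (!sbi)
		return -ENOMEM;
	sb->s_fs_info = sbi;

	/* Constructed failure standing in for any later error in fill_super. */
	/* free_sbi: */
	tracked_free(sbi);
	if (clear_on_failure)
		sb->s_fs_info = NULL;	/* the fix: nothing left for kill_super */
	return -EINVAL;
}

/* Models kill_f2fs_super(): the VFS calls it whether or not fill_super
 * succeeded, so it releases whatever sb->s_fs_info still points at. */
static void kill_super(struct super_block *sb)
{
	struct sb_info *sbi = sb->s_fs_info;

	if (!sbi)
		return;
	tracked_free(sbi);
	sb->s_fs_info = NULL;
}

/* Runs the failed-mount sequence and returns how many double frees the
 * tracker saw: 1 without the fix, 0 with it. */
static int failed_mount_double_frees(bool fixed)
{
	struct super_block sb = { .s_fs_info = NULL };

	tracker_reset();
	if (fill_super(&sb, fixed) == 0)
		return -1;	/* the constructed fill_super always fails */
	kill_super(&sb);
	return g_double_frees;
}

int main(void)
{
	printf("without fix: %d double free(s)\n", failed_mount_double_frees(false));
	printf("with fix:    %d double free(s)\n", failed_mount_double_frees(true));
	return 0;
}
```

The shape to take away is the ownership rule the patch restores: whichever function frees the private data also clears the pointer that published it, because the teardown hook runs on both the success and the failure path and cannot tell from the pointer alone whether the object is still live.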


* Re: [PATCH] f2fs: fix double free of f2fs_sb_info
  2024-01-13  0:57 ` [PATCH] f2fs: fix double free of f2fs_sb_info Eric Biggers
@ 2024-01-13  1:01   ` Eric Biggers
  2024-01-13  1:28     ` Jaegeuk Kim
  2024-01-13  1:14   ` [f2fs-dev] " Chao Yu
  1 sibling, 1 reply; 6+ messages in thread
From: Eric Biggers @ 2024-01-13  1:01 UTC (permalink / raw)
  To: linux-f2fs-devel, Jaegeuk Kim; +Cc: linux-fscrypt, syzbot+8f477ac014ff5b32d81f

On Fri, Jan 12, 2024 at 04:57:47PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> kill_f2fs_super() is called even if f2fs_fill_super() fails.
> f2fs_fill_super() frees the struct f2fs_sb_info, so it must set
> sb->s_fs_info to NULL to prevent it from being freed again.
> 
> Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()")
> Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Jaegeuk, I'd be glad to take this through the fscrypt tree since that's where my
broken commit came from.  But let me know if you want to just take this through
the f2fs tree.

- Eric


* Re: [f2fs-dev] [PATCH] f2fs: fix double free of f2fs_sb_info
  2024-01-13  0:57 ` [PATCH] f2fs: fix double free of f2fs_sb_info Eric Biggers
  2024-01-13  1:01   ` Eric Biggers
@ 2024-01-13  1:14   ` Chao Yu
  1 sibling, 0 replies; 6+ messages in thread
From: Chao Yu @ 2024-01-13  1:14 UTC (permalink / raw)
  To: Eric Biggers, linux-f2fs-devel; +Cc: syzbot+8f477ac014ff5b32d81f, linux-fscrypt

On 2024/1/13 8:57, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> kill_f2fs_super() is called even if f2fs_fill_super() fails.
> f2fs_fill_super() frees the struct f2fs_sb_info, so it must set
> sb->s_fs_info to NULL to prevent it from being freed again.

Oh, I missed that case as well during reviewing, my bad.

> 
> Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()")
> Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Reviewed-by: Chao Yu <chao@kernel.org>

Thanks,

> ---
>   fs/f2fs/super.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> index d00d21a8b53ad..d45ab0992ae59 100644
> --- a/fs/f2fs/super.c
> +++ b/fs/f2fs/super.c
> @@ -4873,20 +4873,21 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>   		kfree(F2FS_OPTION(sbi).s_qf_names[i]);
>   #endif
>   	fscrypt_free_dummy_policy(&F2FS_OPTION(sbi).dummy_enc_policy);
>   	kvfree(options);
>   free_sb_buf:
>   	kfree(raw_super);
>   free_sbi:
>   	if (sbi->s_chksum_driver)
>   		crypto_free_shash(sbi->s_chksum_driver);
>   	kfree(sbi);
> +	sb->s_fs_info = NULL;
>   
>   	/* give only one another chance */
>   	if (retry_cnt > 0 && skip_recovery) {
>   		retry_cnt--;
>   		shrink_dcache_sb(sb);
>   		goto try_onemore;
>   	}
>   	return err;
>   }
>   
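Review bot: on the retry path, `shrink_dcache_sb(sb)` and the second pass through `try_onemore` now run with `sb->s_fs_info` NULL rather than pointing at freed memory; that is the safer of the two states, but it is worth confirming that nothing reached from shrink_dcache_sb() dereferences F2FS_SB(sb), and that the retried fill unconditionally reassigns sb->s_fs_info before anything reads it. A sentence in the commit message saying the retry path was considered would close that question for later readers.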
> 
> base-commit: 38814330fedd778edffcabe0c8cb462ee365782e


* Re: [PATCH] f2fs: fix double free of f2fs_sb_info
  2024-01-13  1:01   ` Eric Biggers
@ 2024-01-13  1:28     ` Jaegeuk Kim
  2024-01-13  1:32       ` Eric Biggers
  0 siblings, 1 reply; 6+ messages in thread
From: Jaegeuk Kim @ 2024-01-13  1:28 UTC (permalink / raw)
  To: Eric Biggers; +Cc: linux-f2fs-devel, linux-fscrypt, syzbot+8f477ac014ff5b32d81f

On 01/12, Eric Biggers wrote:
> On Fri, Jan 12, 2024 at 04:57:47PM -0800, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> > 
> > kill_f2fs_super() is called even if f2fs_fill_super() fails.
> > f2fs_fill_super() frees the struct f2fs_sb_info, so it must set
> > sb->s_fs_info to NULL to prevent it from being freed again.
> > 
> > Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()")
> > Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
> 
> Jaegeuk, I'd be glad to take this through the fscrypt tree since that's where my

Ok, are you heading to push this in -rc1?

> broken commit came from.  But let me know if you want to just take this through
> the f2fs tree.
> 
> - Eric


* Re: [PATCH] f2fs: fix double free of f2fs_sb_info
  2024-01-13  1:28     ` Jaegeuk Kim
@ 2024-01-13  1:32       ` Eric Biggers
  2024-01-13  1:46         ` Jaegeuk Kim
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Biggers @ 2024-01-13  1:32 UTC (permalink / raw)
  To: Jaegeuk Kim; +Cc: linux-f2fs-devel, linux-fscrypt, syzbot+8f477ac014ff5b32d81f

On Fri, Jan 12, 2024 at 05:28:31PM -0800, Jaegeuk Kim wrote:
> On 01/12, Eric Biggers wrote:
> > On Fri, Jan 12, 2024 at 04:57:47PM -0800, Eric Biggers wrote:
> > > From: Eric Biggers <ebiggers@google.com>
> > > 
> > > kill_f2fs_super() is called even if f2fs_fill_super() fails.
> > > f2fs_fill_super() frees the struct f2fs_sb_info, so it must set
> > > sb->s_fs_info to NULL to prevent it from being freed again.
> > > 
> > > Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()")
> > > Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com
> > > Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com
> > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > 
> > Jaegeuk, I'd be glad to take this through the fscrypt tree since that's where my
> 
> Ok, are you heading to push this in -rc1?
> 
> > broken commit came from.  But let me know if you want to just take this through
> > the f2fs tree.
> > 

Yes, we should get this into -rc1.

- Eric


* Re: [PATCH] f2fs: fix double free of f2fs_sb_info
  2024-01-13  1:32       ` Eric Biggers
@ 2024-01-13  1:46         ` Jaegeuk Kim
  0 siblings, 0 replies; 6+ messages in thread
From: Jaegeuk Kim @ 2024-01-13  1:46 UTC (permalink / raw)
  To: Eric Biggers; +Cc: linux-f2fs-devel, linux-fscrypt, syzbot+8f477ac014ff5b32d81f

On 01/12, Eric Biggers wrote:
> On Fri, Jan 12, 2024 at 05:28:31PM -0800, Jaegeuk Kim wrote:
> > On 01/12, Eric Biggers wrote:
> > > On Fri, Jan 12, 2024 at 04:57:47PM -0800, Eric Biggers wrote:
> > > > From: Eric Biggers <ebiggers@google.com>
> > > > 
> > > > kill_f2fs_super() is called even if f2fs_fill_super() fails.
> > > > f2fs_fill_super() frees the struct f2fs_sb_info, so it must set
> > > > sb->s_fs_info to NULL to prevent it from being freed again.
> > > > 
> > > > Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()")
> > > > Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com
> > > > Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com
> > > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > > 
> > > Jaegeuk, I'd be glad to take this through the fscrypt tree since that's where my
> > 
> > Ok, are you heading to push this in -rc1?
> > 
> > > broken commit came from.  But let me know if you want to just take this through
> > > the f2fs tree.
> > > 
> 
> Yes, we should get this into -rc1.

Ok, please do so.

> 
> - Eric
