* [PATCH vfs/for-next] vfs: fix vfs_get_single_reconf_super error handling [not found] <0000000000003675ae05915a9fd3@google.com> @ 2019-08-31 3:10 ` Eric Biggers 2019-09-06 3:01 ` Eric Biggers 2019-09-01 14:06 ` WARNING in kfree syzbot 1 sibling, 1 reply; 3+ messages in thread From: Eric Biggers @ 2019-08-31 3:10 UTC (permalink / raw) To: Alexander Viro, linux-fsdevel Cc: syzkaller-bugs, linux-kernel, syzbot+5aca688dac0796c56129, David Howells From: Eric Biggers <ebiggers@google.com> syzbot reported an invalid free in debugfs_release_dentry(). The reproducer tries to mount debugfs with the 'dirsync' option, which is not allowed. The bug is that if reconfigure_super() fails in vfs_get_super(), deactivate_locked_super() is called, but also fs_context::root is left non-NULL which causes deactivate_super() to be called again later. Fix it by releasing fs_context::root in the error path. Reported-by: syzbot+5aca688dac0796c56129@syzkaller.appspotmail.com Fixes: e478b48498a7 ("vfs: Add a single-or-reconfig keying to vfs_get_super()") Cc: David Howells <dhowells@redhat.com> Signed-off-by: Eric Biggers <ebiggers@google.com> --- fs/super.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/super.c b/fs/super.c index 0f913376fc4c..99195e15be05 100644 --- a/fs/super.c +++ b/fs/super.c @@ -1194,8 +1194,11 @@ int vfs_get_super(struct fs_context *fc, fc->root = dget(sb->s_root); if (keying == vfs_get_single_reconf_super) { err = reconfigure_super(fc); - if (err < 0) + if (err < 0) { + dput(fc->root); + fc->root = NULL; goto error; + } } } -- 2.23.0 ^ permalink raw reply related [flat|nested] 3+ messages in thread
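Review bot: the added `dput(fc->root); fc->root = NULL;` covers only the reconfigure_super() failure branch, so any other jump to `error` taken after `fc->root = dget(sb->s_root)` would leave fc->root set and hit the same second deactivate_super() the commit message describes; hoisting the two lines under the `error:` label, guarded by `if (fc->root)`, would handle every failure after the dget in one place. A one-line comment at the dput saying that deactivate_locked_super() at `error` does not release fc->root itself would also make the reason for the explicit release obvious to the next reader.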
* Re: [PATCH vfs/for-next] vfs: fix vfs_get_single_reconf_super error handling 2019-08-31 3:10 ` [PATCH vfs/for-next] vfs: fix vfs_get_single_reconf_super error handling Eric Biggers @ 2019-09-06 3:01 ` Eric Biggers 0 siblings, 0 replies; 3+ messages in thread From: Eric Biggers @ 2019-09-06 3:01 UTC (permalink / raw) To: Alexander Viro, David Howells Cc: linux-fsdevel, linux-kernel, syzkaller-bugs, syzbot+5aca688dac0796c56129 On Fri, Aug 30, 2019 at 10:10:24PM -0500, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > syzbot reported an invalid free in debugfs_release_dentry(). The > reproducer tries to mount debugfs with the 'dirsync' option, which is > not allowed. The bug is that if reconfigure_super() fails in > vfs_get_super(), deactivate_locked_super() is called, but also > fs_context::root is left non-NULL which causes deactivate_super() to be > called again later. > > Fix it by releasing fs_context::root in the error path. > > Reported-by: syzbot+5aca688dac0796c56129@syzkaller.appspotmail.com > Fixes: e478b48498a7 ("vfs: Add a single-or-reconfig keying to vfs_get_super()") > Cc: David Howells <dhowells@redhat.com> > Signed-off-by: Eric Biggers <ebiggers@google.com> > --- > fs/super.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/fs/super.c b/fs/super.c > index 0f913376fc4c..99195e15be05 100644 > --- a/fs/super.c > +++ b/fs/super.c > @@ -1194,8 +1194,11 @@ int vfs_get_super(struct fs_context *fc, > fc->root = dget(sb->s_root); > if (keying == vfs_get_single_reconf_super) { > err = reconfigure_super(fc); > - if (err < 0) > + if (err < 0) { > + dput(fc->root); > + fc->root = NULL; > goto error; > + } > } > } > Ping. This is still broken in linux-next. - Eric ^ permalink raw reply [flat|nested] 3+ messages in thread
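A user-space model of the double release the commit message describes, added here as an illustration and not code from the patch or the kernel: the structure and function names mirror the kernel ones but are simplified stand-ins, and the reconfigure_super() failure is assumed rather than called.

```c
#include <stdbool.h>
#include <stdio.h>
/* Stand-ins for the kernel structures; only the references that matter. */
struct super_block { int deactivate_calls; };
struct dentry { int d_count; struct super_block *d_sb; };
struct fs_context { struct dentry *root; };
static struct dentry *dget(struct dentry *d) { d->d_count++; return d; }
static void dput(struct dentry *d) { d->d_count--; }

/* deactivate_super(): models dropping the sb's active ref, counted so a
 * second call (the double release behind the invalid free) is visible. */
static void deactivate_super(struct super_block *sb) { sb->deactivate_calls++; }

/* put_fs_context(): the later cleanup that trips over a stale fc->root. */
static void put_fs_context(struct fs_context *fc)
{
	if (fc->root) {
		struct super_block *sb = fc->root->d_sb;
		dput(fc->root);
		fc->root = NULL;
		deactivate_super(sb);
	}
}

/* Models the error path of vfs_get_super() after reconfigure_super()
 * rejects the mount (the 'dirsync' case). Returns how many times the sb
 * was deactivated: 1 is correct, 2 is the bug. */
static int vfs_get_super_model(bool with_fix)
{
	struct super_block sb = { .deactivate_calls = 0 };
	struct dentry root = { .d_count = 1, .d_sb = &sb };
	struct fs_context fc = { .root = NULL };
	fc.root = dget(&root);
	/* assumed: reconfigure_super(&fc) has failed, so we are at goto error */
	if (with_fix) {			/* the two lines the patch adds */
		dput(fc.root);
		fc.root = NULL;
	}
	deactivate_super(&sb);		/* error: deactivate_locked_super(sb) */
	put_fs_context(&fc);		/* caller's cleanup drops root again */
	return sb.deactivate_calls;
}

int main(void)
{
	printf("sb deactivations without fix: %d, with fix: %d\n",
	       vfs_get_super_model(false), vfs_get_super_model(true));
	return 0;
}
```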
* Re: WARNING in kfree
From: syzbot @ 2019-09-01 14:06 UTC
To: dhowells, ebiggers, gregkh, linux-fsdevel, linux-kernel, rafael, syzkaller-bugs, viro

syzbot has bisected this bug to:

commit 3deadeebafcec6a0a7c9397bd32ea5ac6d5191c1
Author: David Howells <dhowells@redhat.com>
Date:   Mon Jan 21 14:04:22 2019 +0000

    vfs: Convert debugfs to use the new mount API

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=115d9e56600000
start commit:   ed2393ca Add linux-next specific files for 20190827
git tree:       linux-next
final crash:    https://syzkaller.appspot.com/x/report.txt?x=135d9e56600000
console output: https://syzkaller.appspot.com/x/log.txt?x=155d9e56600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2ef5940a07ed45f4
dashboard link: https://syzkaller.appspot.com/bug?extid=5aca688dac0796c56129
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1595ee12600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16df7fd2600000

Reported-by: syzbot+5aca688dac0796c56129@syzkaller.appspotmail.com
Fixes: 3deadeebafce ("vfs: Convert debugfs to use the new mount API")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection