* [PATCH] vfs: namespace: error pointer dereference in do_remount()
From: Dan Carpenter @ 2018-09-07 12:25 UTC
To: Alexander Viro, David Howells; +Cc: linux-fsdevel, kernel-janitors

We need to check if vfs_new_fs_context() returns an error pointer.

Fixes: fd0002870b45 ("vfs: Implement a filesystem superblock creation/configuration context")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/fs/namespace.c b/fs/namespace.c
index a240e20093e0..841517520c08 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2384,6 +2384,8 @@ static int do_remount(struct path *path, int ms_flags, int sb_flags,
fc = vfs_new_fs_context(path->dentry->d_sb->s_type,
path->dentry, sb_flags, MS_RMT_MASK,
FS_CONTEXT_FOR_RECONFIGURE);
+ if (IS_ERR(fc))
+ return PTR_ERR(fc);
err = parse_monolithic_mount_data(fc, data, data_size);
if (err < 0)
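
Review bot: the new return PTR_ERR(fc) leaves do_remount() directly, which is only right if nothing acquired earlier in the function still needs to be released at this point. The hunk does not show the code above the vfs_new_fs_context() call or what follows "if (err < 0)", so please confirm that no lock or reference is held here; if one is, this check should go through the same unwind path as the later failures rather than returning in place.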
* Re: [PATCH] vfs: namespace: error pointer dereference in do_remount()
From: Sabin Rapan @ 2018-09-24 6:10 UTC
To: Dan Carpenter, Alexander Viro, David Howells
Cc: linux-fsdevel, kernel-janitors

This patch also fixes the syzbot bug (BUG: unable to handle kernel paging
request in do_mount)
(https://syzkaller.appspot.com/bug?id=611b50e30eb1634e75688903289148fe2a042c1d)

Short description of the syzbot reproducer:
* do_mount() is called with remount flag
* vfs_new_fs_context() is called and tries to allocate a new context
* slab allocation fails due to injected fault
* an invalid context is passed to parse_monolithic_mount_data()
* kernel crash due to invalid pointer access

On 07.09.2018 15:25, Dan Carpenter wrote:
> We need to check if vfs_new_fs_context() returns an error pointer.
>
> Fixes: fd0002870b45 ("vfs: Implement a filesystem superblock creation/configuration context")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index a240e20093e0..841517520c08 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -2384,6 +2384,8 @@ static int do_remount(struct path *path, int ms_flags, int sb_flags,
> fc = vfs_new_fs_context(path->dentry->d_sb->s_type,
> path->dentry, sb_flags, MS_RMT_MASK,
> FS_CONTEXT_FOR_RECONFIGURE);
> + if (IS_ERR(fc))
> + return PTR_ERR(fc);
>
> err = parse_monolithic_mount_data(fc, data, data_size);
> if (err < 0)
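
Review bot: the changelog above this quoted hunk says only that the return value of vfs_new_fs_context() needs checking; it should also state the consequence of the missing check, namely that the error pointer is passed on to parse_monolithic_mount_data() and dereferenced there. Since this reply ties the fix to a syzbot report, a reference to that report in the changelog would let the bug be tracked against the commit.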
>
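
The failure mode in the reproducer summary above, as an added example that is not part of the thread or the kernel source: a userspace C model of the kernel's error-pointer convention, showing that an injected allocation failure yields a non-NULL pointer that only an IS_ERR() check catches. The `*_model` names and the `inject_alloc_fault` switch are assumptions made for illustration.

```c
/* Userspace model of the ERR_PTR convention; *_model names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }
struct fs_context_model { int sb_flags; };
static int inject_alloc_fault; /* stands in for slab fault injection */

/* Like vfs_new_fs_context(): failure comes back as an ERR_PTR, not NULL. */
static struct fs_context_model *new_context_model(int sb_flags)
{
	struct fs_context_model *fc = inject_alloc_fault ? NULL : malloc(sizeof(*fc));
	if (!fc)
		return ERR_PTR(-ENOMEM);
	fc->sb_flags = sb_flags;
	return fc;
}

/* A NULL test misses the failure: ERR_PTR(-ENOMEM) is a non-NULL value. */
static int null_check_catches_failure(void)
{
	inject_alloc_fault = 1;
	return new_context_model(0) == NULL;
}

/* Caller shaped like the patched do_remount(): return before any use of fc. */
static int remount_model(int sb_flags, int fault)
{
	struct fs_context_model *fc;

	inject_alloc_fault = fault;
	fc = new_context_model(sb_flags);
	if (IS_ERR(fc))
		return PTR_ERR(fc);
	fc->sb_flags |= 1; /* first dereference, safe only after the check */
	free(fc);
	return 0;
}

int main(void)
{
	printf("NULL check catches failure: %d\n", null_check_catches_failure());
	printf("fault: %d, no fault: %d\n", remount_model(1, 1), remount_model(1, 0));
	return 0;
}
```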