From: Al Viro <viro@ZenIV.linux.org.uk>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: syzbot <syzbot+481ad819c717f6b78df9@syzkaller.appspotmail.com>,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
gregkh@linuxfoundation.org, tj@kernel.org
Subject: Re: general protection fault in kernfs_kill_sb (2)
Date: Mon, 14 May 2018 05:32:39 +0100
Message-ID: <20180514043239.GE30522@ZenIV.linux.org.uk>
In-Reply-To: <20180514040415.GD30522@ZenIV.linux.org.uk>
On Mon, May 14, 2018 at 05:04:15AM +0100, Al Viro wrote:
> diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
> index b428d317ae92..92682fcc41f6 100644
> --- a/fs/sysfs/mount.c
> +++ b/fs/sysfs/mount.c
> @@ -25,7 +25,7 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type,
> {
> struct dentry *root;
> void *ns;
> - bool new_sb;
> + bool new_sb = false;
>
> if (!(flags & SB_KERNMOUNT)) {
> if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET))
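Review bot: initializing new_sb to false at the declaration is the right fix for the early-exit paths of kernfs_mount_ns() that return without ever writing *new_sb, but nothing in sysfs_mount() says so; a one-line comment on the `bool new_sb = false;` line stating that kernfs_mount_ns() only sets it once an instance is actually created would keep a later cleanup from dropping the initializer as redundant.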
> @@ -35,9 +35,9 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type,
> ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET);
> root = kernfs_mount_ns(fs_type, flags, sysfs_root,
> SYSFS_MAGIC, &new_sb, ns);
> - if (IS_ERR(root) || !new_sb)
> + if (!new_sb)
> kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
> - else if (new_sb)
> + else if (!IS_ERR(root))
> root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE;
>
> return root;
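Review bot: dropping IS_ERR(root) from the kobj_ns_drop() condition is correct, since an instance that was created and then torn down on the error path still reaches ->kill_sb() and drops the reference there, so the caller dropping it too was a double drop; the `if (!new_sb)` line deserves a comment saying the error case is excluded on purpose, otherwise the next reader is likely to "restore" the IS_ERR(root) check and reintroduce the bug. The `else if (!IS_ERR(root))` branch reads fine as is.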
What we want for that kobj_ns_drop() is "no fs instances created" (== no
->kill_sb(), be it now or later, to drop that kobj reference); for setting
->s_iflags - "new instance successfully set up".
That's it; all we need is new_sb that would be accurate on its own.
The problem is with kludging over the cases when it's left uninitialized
(early exits from kernfs_mount_ns()) with IS_ERR(root), which happens to
grab the cases when new_sb *was* set to true. So the fix is to initialize
new_sb properly and get rid of that kludge. Which turns the whole thing
into
	if (!new_sb)
		...
	if (!IS_ERR(root) && new_sb)
		...
i.e.
	if (!new_sb)
		...
	else if (!IS_ERR(root))
		...
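A constructed C model of the reference accounting discussed above, added here and not kernel code: it replays the four ways kernfs_mount_ns() can come back (early exit, instance created then torn down, existing instance reused, new instance set up) against the old and the fixed drop decision, and returns how many kobj_ns references are left (1 when a live instance owns it, 0 otherwise, -1 for a double drop). The enum and function names are invented for the model.

```c
#include <stdbool.h>
#include <errno.h>

/* Constructed model, not kernel code: ns_refs stands in for the kobj_ns
 * reference that sysfs_mount() grabs and that ->kill_sb() eventually drops. */
static int ns_refs;

enum outcome {
	EARLY_EXIT,	/* fails before any instance exists: *new_sb never written */
	FILL_FAILED,	/* instance created, setup fails: ->kill_sb() runs now */
	REUSED_SB,	/* existing instance found: nothing new created */
	NEW_SB_OK	/* new instance set up: ->kill_sb() runs later */
};

/* Stand-in for kernfs_mount_ns(): returns 0 or -errno. */
static int model_kernfs_mount_ns(enum outcome o, bool *new_sb)
{
	if (o == EARLY_EXIT)
		return -ENOMEM;
	*new_sb = (o != REUSED_SB);
	if (o == FILL_FAILED) {
		ns_refs--;	/* teardown reaches ->kill_sb(), which drops the ref */
		return -ENOMEM;
	}
	return 0;
}

/* Old sysfs_mount() decision.  "stale" is whatever garbage the
 * uninitialized new_sb holds on the early-exit path. */
static int old_logic_refs(enum outcome o, bool stale)
{
	bool new_sb = stale;
	ns_refs = 1;				/* kobj_ns_grab_current() */
	if (model_kernfs_mount_ns(o, &new_sb) || !new_sb)	/* IS_ERR(root) || !new_sb */
		ns_refs--;			/* kobj_ns_drop() */
	return ns_refs;
}

/* Fixed decision: drop only when no instance was created. */
static int new_logic_refs(enum outcome o)
{
	bool new_sb = false;
	ns_refs = 1;
	model_kernfs_mount_ns(o, &new_sb);
	if (!new_sb)
		ns_refs--;
	return ns_refs;
}
```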