From: Eric Biggers <ebiggers@kernel.org>
To: Alexander Viro <viro@zeniv.linux.org.uk>, linux-fsdevel@vger.kernel.org
Cc: syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
syzbot+5aca688dac0796c56129@syzkaller.appspotmail.com,
David Howells <dhowells@redhat.com>
Subject: [PATCH vfs/for-next] vfs: fix vfs_get_single_reconf_super error handling
Date: Fri, 30 Aug 2019 22:10:24 -0500
Message-ID: <20190831031024.26008-1-ebiggers@kernel.org>
In-Reply-To: <0000000000003675ae05915a9fd3@google.com>

From: Eric Biggers <ebiggers@google.com>

syzbot reported an invalid free in debugfs_release_dentry(). The
reproducer tries to mount debugfs with the 'dirsync' option, which is
not allowed. The bug is that if reconfigure_super() fails in
vfs_get_super(), deactivate_locked_super() is called, but also
fs_context::root is left non-NULL which causes deactivate_super() to be
called again later.

Fix it by releasing fs_context::root in the error path.

Reported-by: syzbot+5aca688dac0796c56129@syzkaller.appspotmail.com
Fixes: e478b48498a7 ("vfs: Add a single-or-reconfig keying to vfs_get_super()")
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
fs/super.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/super.c b/fs/super.c
index 0f913376fc4c..99195e15be05 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1194,8 +1194,11 @@ int vfs_get_super(struct fs_context *fc,
fc->root = dget(sb->s_root);
if (keying == vfs_get_single_reconf_super) {
err = reconfigure_super(fc);
- if (err < 0)
+ if (err < 0) {
+ dput(fc->root);
+ fc->root = NULL;
goto error;
+ }
}
}
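Review bot: The new error branch under `reconfigure_super(fc)` should carry a short comment saying why `fc->root` is dropped here instead of being left for the fs_context cleanup. The `dput(fc->root)` balances the `dget(sb->s_root)` on the first line of the hunk, and clearing the pointer is what stops the later cleanup from deactivating the superblock a second time, but that reasoning lives only in the commit message. The `goto error` target is outside this hunk, so a reader of the code cannot see from here that it already deactivates the superblock. A one-line comment above the `dput()`, along the lines of `/* error path deactivates sb; don't leave a root for fc cleanup to drop again */`, would keep the next person from "simplifying" the branch back to a bare `goto error`.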
--
2.23.0