From: Eric Biggers <ebiggers@kernel.org>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
David Howells <dhowells@redhat.com>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com,
syzbot+5aca688dac0796c56129@syzkaller.appspotmail.com
Subject: Re: [PATCH vfs/for-next] vfs: fix vfs_get_single_reconf_super error handling
Date: Thu, 5 Sep 2019 20:01:39 -0700
Message-ID: <20190906030139.GC803@sol.localdomain>
In-Reply-To: <20190831031024.26008-1-ebiggers@kernel.org>
On Fri, Aug 30, 2019 at 10:10:24PM -0500, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> syzbot reported an invalid free in debugfs_release_dentry(). The
> reproducer tries to mount debugfs with the 'dirsync' option, which is
> not allowed. The bug is that if reconfigure_super() fails in
> vfs_get_super(), deactivate_locked_super() is called, but also
> fs_context::root is left non-NULL which causes deactivate_super() to be
> called again later.
>
> Fix it by releasing fs_context::root in the error path.
>
> Reported-by: syzbot+5aca688dac0796c56129@syzkaller.appspotmail.com
> Fixes: e478b48498a7 ("vfs: Add a single-or-reconfig keying to vfs_get_super()")
> Cc: David Howells <dhowells@redhat.com>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> fs/super.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/super.c b/fs/super.c
> index 0f913376fc4c..99195e15be05 100644
> --- a/fs/super.c
> +++ b/fs/super.c
> @@ -1194,8 +1194,11 @@ int vfs_get_super(struct fs_context *fc,
> fc->root = dget(sb->s_root);
> if (keying == vfs_get_single_reconf_super) {
> err = reconfigure_super(fc);
> - if (err < 0)
> + if (err < 0) {
> + dput(fc->root);
> + fc->root = NULL;
> goto error;
> + }
> }
> }
>
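Review bot: in the `err < 0` branch, the undo of `fc->root = dget(sb->s_root)` is open-coded with no comment explaining why it is needed. Since the `error` path already drops the superblock reference, a one-line comment saying that fc->root must not stay set past this point would keep a later cleanup from removing the dput()/NULL pair. It may also be worth moving that pair to the `error` label, guarded by `if (fc->root)`, so that any `goto error` added after the dget() in future is covered without repeating the undo at each site.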
Ping. This is still broken in linux-next.
- Eric
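
The ownership bug described in the quoted commit message, as an added userspace model (not kernel code and not part of the original mail). The structs, `underflows`, `get_super_reconf_fails()`, `put_fs_ctx()` and `run_model()` are stand-ins assumed for illustration; teardown is modelled only from the statement that a non-NULL fs_context::root causes deactivate_super() to be called again.

```c
#include <stdio.h>
/* Userspace stand-ins for the kernel objects; a model, not kernel code. */
struct super  { int s_active; int underflows; };
struct dentry { int d_count; struct super *d_sb; };
struct fs_ctx { struct dentry *root; };

static void dput(struct dentry *d) { d->d_count--; }
static void deactivate_super(struct super *sb)
{
    if (sb->s_active == 0)
        sb->underflows++;       /* no reference left: a second release */
    else
        sb->s_active--;
}

/* Failing vfs_get_single_reconf_super path of vfs_get_super(). */
static void get_super_reconf_fails(struct fs_ctx *fc, struct dentry *root, int fixed)
{
    root->d_sb->s_active = 1;     /* reference held by this mount attempt */
    root->d_count++;              /* fc->root = dget(sb->s_root) */
    fc->root = root;
    if (fixed) {                  /* reconfigure_super() returned err < 0 */
        dput(fc->root);
        fc->root = NULL;
    }
    deactivate_super(root->d_sb); /* error label: deactivate_locked_super() */
}

/* Teardown: a non-NULL root is treated as owning a superblock reference. */
static void put_fs_ctx(struct fs_ctx *fc)
{
    if (fc->root) {
        dput(fc->root);
        deactivate_super(fc->root->d_sb);
    }
}

/* Returns how many times the superblock was released with no reference held. */
int run_model(int fixed)
{
    struct super sb = {0, 0};
    struct dentry root = {1, &sb};
    struct fs_ctx fc = {NULL};
    get_super_reconf_fails(&fc, &root, fixed);
    put_fs_ctx(&fc);
    return sb.underflows;
}

int main(void) { printf("unfixed=%d fixed=%d\n", run_model(0), run_model(1)); return 0; }
```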