From: David Howells <dhowells@redhat.com>
To: Christian Brauner <christian@brauner.io>
Cc: David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
linux-afs@lists.infradead.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org,
Matvey Kovalev <matvey.kovalev@ispras.ru>,
stable@vger.kernel.org
Subject: [PATCH v4 03/21] afs: fix NULL pointer dereference in afs_get_tree()
Date: Mon, 22 Jun 2026 10:08:37 +0100 [thread overview]
Message-ID: <20260622090856.2746629-4-dhowells@redhat.com> (raw)
In-Reply-To: <20260622090856.2746629-1-dhowells@redhat.com>
From: Matvey Kovalev <matvey.kovalev@ispras.ru>
afs_alloc_sbi() uses kzalloc for memory allocation. And, if
ctx->dyn_root is not null, as->cell and as->volume are null.
In trace_afs_get_tree() they are dereferenced.
KASAN error message:
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 2 PID: 18478 Comm: syz-executor.7 Not tainted 5.10.246-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1
04/01/2014
RIP: 0010:perf_trace_afs_get_tree+0x1d9/0x550
include/trace/events/afs.h:1365
Call Trace:
trace_afs_get_tree include/trace/events/afs.h:1365 [inline]
afs_get_tree+0x922/0x1350 fs/afs/super.c:599
vfs_get_tree+0x8e/0x300 fs/super.c:1572
do_new_mount fs/namespace.c:3011 [inline]
path_mount+0x14a5/0x2220 fs/namespace.c:3341
do_mount fs/namespace.c:3354 [inline]
__do_sys_mount fs/namespace.c:3562 [inline]
__se_sys_mount fs/namespace.c:3539 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3539
do_syscall_64+0x33/0x50 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 80548b03991f5 ("afs: Add more tracepoints")
Cc: stable@vger.kernel.org
Signed-off-by: Matvey Kovalev <matvey.kovalev@ispras.ru>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
---
fs/afs/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/afs/super.c b/fs/afs/super.c
index 942f3e9800d7..dec091e569c4 100644
--- a/fs/afs/super.c
+++ b/fs/afs/super.c
@@ -587,7 +587,8 @@ static int afs_get_tree(struct fs_context *fc)
}
fc->root = dget(sb->s_root);
- trace_afs_get_tree(as->cell, as->volume);
+ if (!ctx->dyn_root)
+ trace_afs_get_tree(as->cell, as->volume);
_leave(" = 0 [%p]", sb);
return 0;
next prev parent reply other threads:[~2026-06-22 9:09 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-22 9:08 [PATCH v4 00/21] afs: Miscellaneous fixes David Howells
2026-06-22 9:08 ` [PATCH v4 01/21] afs: handle CB.InitCallBackState3 requests without a server record David Howells
2026-06-22 9:08 ` [PATCH v4 02/21] afs: Fix error code in afs_extract_vl_addrs() David Howells
2026-06-22 9:08 ` David Howells [this message]
2026-06-22 9:08 ` [PATCH v4 04/21] afs: Fix double netfs initialisation in afs_root_iget() David Howells
2026-06-22 9:08 ` [PATCH v4 05/21] afs: Remove setting of AS_RELEASE_ALWAYS for symlinks and mountpoints David Howells
2026-06-22 9:08 ` [PATCH v4 06/21] afs: Fix directory inode initialisation order David Howells
2026-06-22 9:08 ` [PATCH v4 07/21] afs: use kvfree() to free memory allocated by kvcalloc() David Howells
2026-06-22 9:08 ` [PATCH v4 08/21] afs: Remove erroneous seq |= 1 in volume lookup loop David Howells
2026-06-22 9:08 ` [PATCH v4 09/21] afs: check for duplicate servers in VL server list David Howells
2026-06-22 9:08 ` [PATCH v4 10/21] afs: Fix bulk lookup malfunction due to change in dir_emit() API David Howells
2026-06-22 9:08 ` [PATCH v4 11/21] afs: Fix misplaced inc of net->cells_outstanding David Howells
2026-06-22 9:08 ` [PATCH v4 12/21] afs: Fix reinitialisation of the inode, in particular ->lock_work David Howells
2026-06-22 9:08 ` [PATCH v4 13/21] afs: Fix callback service message parsers to pass through -EAGAIN David Howells
2026-06-22 9:08 ` [PATCH v4 14/21] afs: Use scoped_seqlock_read() rather than manually doing seqlock stuff David Howells
2026-06-22 9:08 ` [PATCH v4 15/21] afs: Fix missing NULL pointer check in afs_break_some_callbacks() David Howells
2026-06-22 9:08 ` [PATCH v4 16/21] afs: Fix leak of ungot volume David Howells
2026-06-22 9:08 ` [PATCH v4 17/21] afs: Fix vllist leak David Howells
2026-06-22 9:08 ` [PATCH v4 18/21] afs: Fix lack of locking around modifications of net->cells_dyn_ino David Howells
2026-06-22 9:08 ` [PATCH v4 19/21] afs: Fix premature cell exposure through /afs David Howells
2026-06-22 9:29 ` David Howells
2026-06-22 9:08 ` [PATCH v4 20/21] afs: Fix the volume AFS_VOLUME_RM_TREE is set on David Howells
2026-06-22 9:08 ` [PATCH v4 21/21] afs: Fix unchecked-length string display in debug statement David Howells
2026-06-22 14:37 ` [PATCH v4 00/21] afs: Miscellaneous fixes Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260622090856.2746629-4-dhowells@redhat.com \
--to=dhowells@redhat.com \
--cc=christian@brauner.io \
--cc=linux-afs@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=matvey.kovalev@ispras.ru \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.