* [PATCH] f2fs: fix double free of f2fs_sb_info [not found] <20240113005031.GA1147@sol.localdomain> @ 2024-01-13 0:57 ` Eric Biggers 2024-01-13 1:01 ` Eric Biggers 2024-01-13 1:14 ` [f2fs-dev] " Chao Yu 0 siblings, 2 replies; 6+ messages in thread From: Eric Biggers @ 2024-01-13 0:57 UTC (permalink / raw) To: linux-f2fs-devel; +Cc: linux-fscrypt, syzbot+8f477ac014ff5b32d81f From: Eric Biggers <ebiggers@google.com> kill_f2fs_super() is called even if f2fs_fill_super() fails. f2fs_fill_super() frees the struct f2fs_sb_info, so it must set sb->s_fs_info to NULL to prevent it from being freed again. Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()") Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com Signed-off-by: Eric Biggers <ebiggers@google.com> --- fs/f2fs/super.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index d00d21a8b53ad..d45ab0992ae59 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -4873,20 +4873,21 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) kfree(F2FS_OPTION(sbi).s_qf_names[i]); #endif fscrypt_free_dummy_policy(&F2FS_OPTION(sbi).dummy_enc_policy); kvfree(options); free_sb_buf: kfree(raw_super); free_sbi: if (sbi->s_chksum_driver) crypto_free_shash(sbi->s_chksum_driver); kfree(sbi); + sb->s_fs_info = NULL; /* give only one another chance */ if (retry_cnt > 0 && skip_recovery) { retry_cnt--; shrink_dcache_sb(sb); goto try_onemore; } return err; } base-commit: 38814330fedd778edffcabe0c8cb462ee365782e -- 2.43.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
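Review bot: the new `sb->s_fs_info = NULL;` placed right after `kfree(sbi);` at the `free_sbi:` label should carry a one-line comment, because the reason it exists (kill_f2fs_super() still runs after f2fs_fill_super() fails and would otherwise free the same sbi again) is recorded only in the commit message, and a later cleanup of this exit path could easily drop or reorder it; something like `sb->s_fs_info = NULL; /* kill_f2fs_super() must not free sbi again */` keeps the invariant visible at the site. The placement itself looks right: it sits in the common exit that the quota-name, `free_sb_buf:` and `free_sbi:` paths all fall through to, and it runs before the `goto try_onemore` retry, so the retry re-enters with a cleared pointer rather than a dangling one (the retry path is expected to reallocate sbi and reassign sb->s_fs_info, which the hunk does not show and reviewers should confirm).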
* Re: [PATCH] f2fs: fix double free of f2fs_sb_info
From: Eric Biggers @ 2024-01-13 1:01 UTC
To: linux-f2fs-devel, Jaegeuk Kim; +Cc: linux-fscrypt, syzbot+8f477ac014ff5b32d81f

On Fri, Jan 12, 2024 at 04:57:47PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> kill_f2fs_super() is called even if f2fs_fill_super() fails.
> f2fs_fill_super() frees the struct f2fs_sb_info, so it must set
> sb->s_fs_info to NULL to prevent it from being freed again.
>
> Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()")
> Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Jaegeuk, I'd be glad to take this through the fscrypt tree since that's where my
broken commit came from. But let me know if you want to just take this through
the f2fs tree.

- Eric
* Re: [PATCH] f2fs: fix double free of f2fs_sb_info
From: Jaegeuk Kim @ 2024-01-13 1:28 UTC
To: Eric Biggers; +Cc: linux-f2fs-devel, linux-fscrypt, syzbot+8f477ac014ff5b32d81f

On 01/12, Eric Biggers wrote:
> On Fri, Jan 12, 2024 at 04:57:47PM -0800, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> >
> > kill_f2fs_super() is called even if f2fs_fill_super() fails.
> > f2fs_fill_super() frees the struct f2fs_sb_info, so it must set
> > sb->s_fs_info to NULL to prevent it from being freed again.
> >
> > Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()")
> > Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
>
> Jaegeuk, I'd be glad to take this through the fscrypt tree since that's where my

Ok, are you heading to push this in -rc1?

> broken commit came from. But let me know if you want to just take this through
> the f2fs tree.
>
> - Eric
* Re: [PATCH] f2fs: fix double free of f2fs_sb_info
From: Eric Biggers @ 2024-01-13 1:32 UTC
To: Jaegeuk Kim; +Cc: linux-f2fs-devel, linux-fscrypt, syzbot+8f477ac014ff5b32d81f

On Fri, Jan 12, 2024 at 05:28:31PM -0800, Jaegeuk Kim wrote:
> On 01/12, Eric Biggers wrote:
> > On Fri, Jan 12, 2024 at 04:57:47PM -0800, Eric Biggers wrote:
> > > From: Eric Biggers <ebiggers@google.com>
> > >
> > > kill_f2fs_super() is called even if f2fs_fill_super() fails.
> > > f2fs_fill_super() frees the struct f2fs_sb_info, so it must set
> > > sb->s_fs_info to NULL to prevent it from being freed again.
> > >
> > > Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()")
> > > Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com
> > > Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com
> > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> >
> > Jaegeuk, I'd be glad to take this through the fscrypt tree since that's where my
>
> Ok, are you heading to push this in -rc1?
>
> > broken commit came from. But let me know if you want to just take this through
> > the f2fs tree.
> >

Yes, we should get this into -rc1.

- Eric
* Re: [PATCH] f2fs: fix double free of f2fs_sb_info
From: Jaegeuk Kim @ 2024-01-13 1:46 UTC
To: Eric Biggers; +Cc: linux-f2fs-devel, linux-fscrypt, syzbot+8f477ac014ff5b32d81f

On 01/12, Eric Biggers wrote:
> On Fri, Jan 12, 2024 at 05:28:31PM -0800, Jaegeuk Kim wrote:
> > On 01/12, Eric Biggers wrote:
> > > On Fri, Jan 12, 2024 at 04:57:47PM -0800, Eric Biggers wrote:
> > > > From: Eric Biggers <ebiggers@google.com>
> > > >
> > > > kill_f2fs_super() is called even if f2fs_fill_super() fails.
> > > > f2fs_fill_super() frees the struct f2fs_sb_info, so it must set
> > > > sb->s_fs_info to NULL to prevent it from being freed again.
> > > >
> > > > Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()")
> > > > Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com
> > > > Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com
> > > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > >
> > > Jaegeuk, I'd be glad to take this through the fscrypt tree since that's where my
> >
> > Ok, are you heading to push this in -rc1?
> >
> > > broken commit came from. But let me know if you want to just take this through
> > > the f2fs tree.
> > >
>
> Yes, we should get this into -rc1.

Ok, please do so.

>
> - Eric
* Re: [f2fs-dev] [PATCH] f2fs: fix double free of f2fs_sb_info 2024-01-13 0:57 ` [PATCH] f2fs: fix double free of f2fs_sb_info Eric Biggers 2024-01-13 1:01 ` Eric Biggers @ 2024-01-13 1:14 ` Chao Yu 1 sibling, 0 replies; 6+ messages in thread From: Chao Yu @ 2024-01-13 1:14 UTC (permalink / raw) To: Eric Biggers, linux-f2fs-devel; +Cc: syzbot+8f477ac014ff5b32d81f, linux-fscrypt On 2024/1/13 8:57, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > kill_f2fs_super() is called even if f2fs_fill_super() fails. > f2fs_fill_super() frees the struct f2fs_sb_info, so it must set > sb->s_fs_info to NULL to prevent it from being freed again. Oh, I missed that case as well during reviewing, my bad. > > Fixes: 275dca4630c1 ("f2fs: move release of block devices to after kill_block_super()") > Reported-by: syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com > Closes: https://lore.kernel.org/r/0000000000006cb174060ec34502@google.com > Signed-off-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Chao Yu <chao@kernel.org> Thanks, > --- > fs/f2fs/super.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c > index d00d21a8b53ad..d45ab0992ae59 100644 > --- a/fs/f2fs/super.c > +++ b/fs/f2fs/super.c > @@ -4873,20 +4873,21 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) > kfree(F2FS_OPTION(sbi).s_qf_names[i]); > #endif > fscrypt_free_dummy_policy(&F2FS_OPTION(sbi).dummy_enc_policy); > kvfree(options); > free_sb_buf: > kfree(raw_super); > free_sbi: > if (sbi->s_chksum_driver) > crypto_free_shash(sbi->s_chksum_driver); > kfree(sbi); > + sb->s_fs_info = NULL; > > /* give only one another chance */ > if (retry_cnt > 0 && skip_recovery) { > retry_cnt--; > shrink_dcache_sb(sb); > goto try_onemore; > } > return err; > } > > > base-commit: 38814330fedd778edffcabe0c8cb462ee365782e ^ permalink raw reply [flat|nested] 6+ messages in thread