fuse: don't keep dead fuse_conn at fuse_fill_super().

Message ID	cfafbb9a-9e47-2489-8c71-9a6bc0d40e80@I-love.SAKURA.ne.jp (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-fsdevel-owner@kernel.org> Subject: [PATCH] fuse: don't keep dead fuse_conn at fuse_fill_super(). To: miklos@szeredi.hu References: <0000000000002aeada056b10e833@google.com> <37d2030a-124c-9927-aa48-bb769da792cf@I-love.SAKURA.ne.jp> Cc: syzbot <syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com>, linux-fsdevel@vger.kernel.org, syzkaller-bugs@googlegroups.com From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Message-ID: <cfafbb9a-9e47-2489-8c71-9a6bc0d40e80@I-love.SAKURA.ne.jp> Date: Wed, 9 May 2018 20:01:26 +0900 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <37d2030a-124c-9927-aa48-bb769da792cf@I-love.SAKURA.ne.jp> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk

Message ID

cfafbb9a-9e47-2489-8c71-9a6bc0d40e80@I-love.SAKURA.ne.jp (mailing list archive)

State

New, archived

Headers

Subject: [PATCH] fuse: don't keep dead fuse_conn at fuse_fill_super().
To: miklos@szeredi.hu
References: <0000000000002aeada056b10e833@google.com>
	<37d2030a-124c-9927-aa48-bb769da792cf@I-love.SAKURA.ne.jp>
Cc: syzbot <syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com>,
	linux-fsdevel@vger.kernel.org, syzkaller-bugs@googlegroups.com
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Message-ID: <cfafbb9a-9e47-2489-8c71-9a6bc0d40e80@I-love.SAKURA.ne.jp>
Date: Wed, 9 May 2018 20:01:26 +0900
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101
	Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <37d2030a-124c-9927-aa48-bb769da792cf@I-love.SAKURA.ne.jp>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk

Commit Message

Tetsuo Handa May 9, 2018, 11:01 a.m. UTC

From 606d54cd24b5b00e7a7e3597aabbe89719defc56 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Tue, 1 May 2018 13:12:14 +0900
Subject: [PATCH] fuse: don't keep dead fuse_conn at fuse_fill_super().

syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
Since sb->s_fs_info field is not cleared after fc was released by
fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
already released fc and tries to hold the lock. Fix this by clearing
sb->s_fs_info field after calling fuse_conn_put().

[1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com>
Fixes: 3b463ae0c6264f70 ("fuse: invalidation reverse calls")
Cc: John Muir <john@jmuir.com>
Cc: Csaba Henk <csaba@gluster.com>
Cc: Anand Avati <avati@redhat.com>
Cc: Miklos Szeredi <mszeredi@redhat.com>
---
 fs/fuse/inode.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Tetsuo Handa May 19, 2018, 2:03 p.m. UTC | #1

Not yet applied to fuse.git. But I assume it will be applied by Miklos...

#syz fix: fuse: don't keep dead fuse_conn at fuse_fill_super().

Miklos Szeredi May 31, 2018, 10:19 a.m. UTC | #2

On Wed, May 9, 2018 at 1:01 PM, Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
> From 606d54cd24b5b00e7a7e3597aabbe89719defc56 Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Tue, 1 May 2018 13:12:14 +0900
> Subject: [PATCH] fuse: don't keep dead fuse_conn at fuse_fill_super().
>
> syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
> Since sb->s_fs_info field is not cleared after fc was released by
> fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
> already released fc and tries to hold the lock. Fix this by clearing
> sb->s_fs_info field after calling fuse_conn_put().

Thanks, applied.

Miklos

diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index ef30995..9b37cf8 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1179,6 +1179,7 @@  static int fuse_fill_super(struct super_block *sb, void *data, int silent)
 	fuse_dev_free(fud);
  err_put_conn:
 	fuse_conn_put(fc);
+	sb->s_fs_info = NULL;
  err_fput:
 	fput(file);
  err:

fuse: don't keep dead fuse_conn at fuse_fill_super().

Commit Message

Comments

Patch