diff mbox series

Re: KASAN: use-after-free Read in path_init (2)

Message ID 20200812041518.GO1236603@ZenIV.linux.org.uk (mailing list archive)
State New, archived
Headers show
Series Re: KASAN: use-after-free Read in path_init (2) | expand

Commit Message

Al Viro Aug. 12, 2020, 4:15 a.m. UTC 
On Tue, Aug 11, 2020 at 08:17:16PM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    5631c5e0 Merge tag 'xfs-5.9-merge-7' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17076984900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=afba7c06f91e56eb
> dashboard link: https://syzkaller.appspot.com/bug?extid=bbeb1c88016c7db4aa24
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1502ce02900000

fix breakage in do_rmdir()

putname() should happen only after we'd *not* branched to
retry, same as it's done in do_unlinkat().

Fixes: e24ab0ef689d "fs: push the getname from do_rmdir into the callers"
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---

Comments

Linus Torvalds Aug. 12, 2020, 4:29 a.m. UTC | #1 
On Tue, Aug 11, 2020 at 9:15 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> fix breakage in do_rmdir()
>
> putname() should happen only after we'd *not* branched to
> retry, same as it's done in do_unlinkat().

Looks obviously correct.

Do you want me to apply directly, or do you have other fixes pending
and I'll get a pull request?

                  Linus
Al Viro Aug. 12, 2020, 5:55 a.m. UTC | #2 
On Tue, Aug 11, 2020 at 09:29:47PM -0700, Linus Torvalds wrote:
> On Tue, Aug 11, 2020 at 9:15 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > fix breakage in do_rmdir()
> >
> > putname() should happen only after we'd *not* branched to
> > retry, same as it's done in do_unlinkat().
> 
> Looks obviously correct.
> 
> Do you want me to apply directly, or do you have other fixes pending
> and I'll get a pull request?

Not at the moment - I can throw it into #fixes and send a pull request
if you wish, but there won't be anything else in it...
Linus Torvalds Aug. 12, 2020, 5:23 p.m. UTC | #3 
On Tue, Aug 11, 2020 at 10:56 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> On Tue, Aug 11, 2020 at 09:29:47PM -0700, Linus Torvalds wrote:
> >
> > Do you want me to apply directly, or do you have other fixes pending
> > and I'll get a pull request?
>
> Not at the moment - I can throw it into #fixes and send a pull request
> if you wish, but there won't be anything else in it...

Ok, I applied the patch directly. Thanks,

                Linus
diff mbox series

Patch

diff --git a/fs/namei.c b/fs/namei.c
index fde8fe086c09..9fa10c614de7 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3770,11 +3770,11 @@  long do_rmdir(int dfd, struct filename *name)
 	mnt_drop_write(path.mnt);
 exit1:
 	path_put(&path);
-	putname(name);
 	if (retry_estale(error, lookup_flags)) {
 		lookup_flags |= LOOKUP_REVAL;
 		goto retry;
 	}
+	putname(name);
 	return error;
 }