From patchwork Fri Aug 24 15:37:26 2018
X-Patchwork-Submitter: Ilya Dryomov
X-Patchwork-Id: 10575491
From: Ilya Dryomov
To: ceph-devel@vger.kernel.org
Subject: [PATCH] ceph: avoid a use-after-free in ceph_destroy_options()
Date: Fri, 24 Aug 2018 17:37:26 +0200
Message-Id: <20180824153726.11815-1-idryomov@gmail.com>

syzbot reported a use-after-free in ceph_destroy_options(), called from ceph_mount(). The problem was that create_fs_client() consumed the opt pointer on some errors, but not on all of them. Make sure it always consumes both libceph and ceph options.

Reported-by: syzbot+8ab6f1042021b4eed062@syzkaller.appspotmail.com
Signed-off-by: Ilya Dryomov
Acked-by: "Yan, Zheng"
---
 fs/ceph/super.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/fs/ceph/super.c b/fs/ceph/super.c index 43ca3b763875..eab1359d0553 100644 --- a/fs/ceph/super.c +++ b/fs/ceph/super.c @@ -602,6 +602,8 @@ static int extra_mon_dispatch(struct ceph_client *client, struct ceph_msg *msg) /* * create a new fs client + * + * Success or not, this function consumes @fsopt and @opt. */ static struct ceph_fs_client *create_fs_client(struct ceph_mount_options *fsopt, struct ceph_options *opt) @@ -609,17 +611,20 @@ static struct ceph_fs_client *create_fs_client(struct ceph_mount_options *fsopt, struct ceph_fs_client *fsc; int page_count; size_t size; - int err = -ENOMEM; + int err; fsc = kzalloc(sizeof(*fsc), GFP_KERNEL); - if (!fsc) - return ERR_PTR(-ENOMEM); + if (!fsc) { + err = -ENOMEM; + goto fail; + } fsc->client = ceph_create_client(opt, fsc); if (IS_ERR(fsc->client)) { err = PTR_ERR(fsc->client); goto fail; } + opt = NULL; /* fsc->client now owns this */ fsc->client->extra_mon_dispatch = extra_mon_dispatch; fsc->client->osdc.abort_on_full = true; 
@@ -677,6 +682,9 @@ static struct ceph_fs_client *create_fs_client(struct ceph_mount_options *fsopt, ceph_destroy_client(fsc->client); fail: kfree(fsc); + if (opt) + ceph_destroy_options(opt); + destroy_mount_options(fsopt); return ERR_PTR(err); } @@ -1042,8 +1050,6 @@ static struct dentry *ceph_mount(struct file_system_type *fs_type, fsc = create_fs_client(fsopt, opt); if (IS_ERR(fsc)) { res = ERR_CAST(fsc); - destroy_mount_options(fsopt); - ceph_destroy_options(opt); goto out_final; }
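Review bot: The new kernel-doc line in the first hunk (@@ -602) says create_fs_client() "consumes @fsopt and @opt" but does not say what a caller may do afterwards. Spell out that on failure both are freed before returning, that on success they are owned by the returned fsc, and that the caller must not dereference or free either pointer after the call in both cases. That is the exact rule the ceph_mount() hunk depends on.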
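Review bot: In the second hunk (@@ -609), the IS_ERR(fsc->client) branch jumps to fail with opt still non-NULL, so the new ceph_destroy_options(opt) at the fail label runs after a failed ceph_create_client(opt, fsc). This is only correct if ceph_create_client() never frees opt on its own error paths; if it does, the use-after-free becomes a double free. That contract is not visible in this patch, so state it in the commit message or beside the `opt = NULL;` assignment. Separately, `int err;` no longer starts at -ENOMEM: check that every goto in the part of the function not shown here assigns err before jumping, otherwise ERR_PTR(err) returns an uninitialised value.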
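Review bot: In the last hunk (@@ -1042), after the two destroy calls are removed, ceph_mount() still holds fsopt and opt as local pointers that now dangle once create_fs_client() fails. Confirm that nothing reachable from out_final reads or frees either of them. Consider setting both to NULL right after the call, so a later edit to the error path cannot reintroduce the use-after-free syzbot reported.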