I report a bug (in linux-5.7.0-rc7) found by syzkaller.
kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/config-v5.7.0-rc7
and can reproduce.
A param->string held by exfat_mount_options.
BUG: memory leak
unreferenced object 0xffff88801972e090 (size 8):
comm "syz-executor.2", pid 16298, jiffies 4295172466 (age 14.060s)
hex dump (first 8 bytes):
6b 6f 69 38 2d 75 00 00 koi8-u..
backtrace:
[<000000005bfe35d6>] kstrdup+0x36/0x70 mm/util.c:60
[<0000000018ed3277>] exfat_parse_param+0x160/0x5e0 fs/exfat/super.c:276
[<000000007680462b>] vfs_parse_fs_param+0x2b4/0x610 fs/fs_context.c:147
[<0000000097c027f2>] vfs_parse_fs_string+0xe6/0x150 fs/fs_context.c:191
[<00000000371bf78f>] generic_parse_monolithic+0x16f/0x1f0
fs/fs_context.c:231
[<000000005ce5eb1b>] do_new_mount fs/namespace.c:2812 [inline]
[<000000005ce5eb1b>] do_mount+0x12bb/0x1b30 fs/namespace.c:3141
[<00000000b642040c>] __do_sys_mount fs/namespace.c:3350 [inline]
[<00000000b642040c>] __se_sys_mount fs/namespace.c:3327 [inline]
[<00000000b642040c>] __x64_sys_mount+0x18f/0x230 fs/namespace.c:3327
[<000000003b024e98>] do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
[<00000000ce2b698c>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
On Tue, Jun 02, 2020 at 01:03:05PM +0800, butt3rflyh4ck wrote:
> I report a bug (in linux-5.7.0-rc7) found by syzkaller.
>
> kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/config-v5.7.0-rc7
>
> and can reproduce.
>
> A param->string held by exfat_mount_options.
Humm...
First of all, exfat_free() ought to call exfat_free_upcase_table().
What's more, WTF bother with that kstrdup(), anyway? Just steal the string
and be done with that...
Signed-off-by: Al Viro <[email protected]>
---
diff --git a/fs/exfat/super.c b/fs/exfat/super.c
index 0565d5539d57..01cd7ed1614d 100644
--- a/fs/exfat/super.c
+++ b/fs/exfat/super.c
@@ -259,9 +259,8 @@ static int exfat_parse_param(struct fs_context *fc, struct fs_parameter *param)
break;
case Opt_charset:
exfat_free_iocharset(sbi);
- opts->iocharset = kstrdup(param->string, GFP_KERNEL);
- if (!opts->iocharset)
- return -ENOMEM;
+ opts->iocharset = param->string;
+ param->string = NULL;
break;
case Opt_errors:
opts->errors = result.uint_32;
@@ -611,7 +610,10 @@ static int exfat_get_tree(struct fs_context *fc)
static void exfat_free(struct fs_context *fc)
{
- kfree(fc->s_fs_info);
+ struct exfat_sb_info *sbi = fc->s_fs_info;
+
+ exfat_free_iocharset(sbi);
+ kfree(sbi);
}
static const struct fs_context_operations exfat_context_ops = {
> On Tue, Jun 02, 2020 at 01:03:05PM +0800, butt3rflyh4ck wrote:
> > I report a bug (in linux-5.7.0-rc7) found by syzkaller.
> >
> > kernel config:
> > https://protect2.fireeye.com/url?k=f3a88a7d-ae6446d8-f3a90132-0cc47a30
> > d446-6021a2fbdd1681a8&q=1&u=https%3A%2F%2Fgithub.com%2Fbutterflyhack%2
> > Fsyzkaller-fuzz%2Fblob%2Fmaster%2Fconfig-v5.7.0-rc7
> >
> > and can reproduce.
> >
> > A param->string held by exfat_mount_options.
>
> Humm...
>
> First of all, exfat_free() ought to call exfat_free_upcase_table().
> What's more, WTF bother with that kstrdup(), anyway? Just steal the string and be done with that...
Thanks for your patch. I will push it to exfat tree.
>
> Signed-off-by: Al Viro <[email protected]>
> ---
> diff --git a/fs/exfat/super.c b/fs/exfat/super.c index 0565d5539d57..01cd7ed1614d 100644
> --- a/fs/exfat/super.c
> +++ b/fs/exfat/super.c
> @@ -259,9 +259,8 @@ static int exfat_parse_param(struct fs_context *fc, struct fs_parameter *param)
> break;
> case Opt_charset:
> exfat_free_iocharset(sbi);
> - opts->iocharset = kstrdup(param->string, GFP_KERNEL);
> - if (!opts->iocharset)
> - return -ENOMEM;
> + opts->iocharset = param->string;
> + param->string = NULL;
> break;
> case Opt_errors:
> opts->errors = result.uint_32;
> @@ -611,7 +610,10 @@ static int exfat_get_tree(struct fs_context *fc)
>
> static void exfat_free(struct fs_context *fc) {
> - kfree(fc->s_fs_info);
> + struct exfat_sb_info *sbi = fc->s_fs_info;
> +
> + exfat_free_iocharset(sbi);
> + kfree(sbi);
> }
>
> static const struct fs_context_operations exfat_context_ops = {