Received: by 10.192.165.148 with SMTP id m20csp3266875imm;
        Mon, 23 Apr 2018 03:42:43 -0700 (PDT)
X-Google-Smtp-Source: AIpwx48f7V9e/U4NiQQjekDZFf29Xfv8Vu+bNVhStshpFBVHBvs3Q+ireuz7ZpI5o6IFre9DdJfJ
X-Received: by 2002:a17:902:8f96:: with SMTP id z22-v6mr20185801plo.200.1524480163701;
        Mon, 23 Apr 2018 03:42:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524480163; cv=none;
        d=google.com; s=arc-20160816;
        b=wg1G6qOWR52T29Hb7/O9Cc1H63KtKyMc0TxQA3O2z7yC2L6iAsDqKeka41A5egzZnA
         d2PyT8arOueW3doMU0lGpfSSDDdZkNrxpEnNzFFk1PHRL0RtiW95P+2R7+fkoETXUxmB
         /ed/3zy8x1GQJeEg5CDOgt96Xs5EluxMREAD9D5FdMljxLqSs9sOIGFzs1WzKUmzIn4T
         GfpNnmHlcIS2evwGQlt+ucgMk6ZwYowNZbfBZuV+Iy0P7f4JHNyGrpYDM4WKyeBt8Vea
         YudB3Tu9RR9Hh693v+JJ0lEjrO89IwcarKwypDHlBx+PjFVfp+zAPSp6fjQxCplbZ/B2
         vC9g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=d1rHcyn/pnJLDoaq7TiF6mf8D7kcvZgH1rVOUxljEzY=;
        b=Lwht80lQQdJGHyKjaMfMBMRJzgmTMAyRNmyLhhxeYBNakHdN/pSopFV04iBOyEYYlH
         5B5YvkQG9UnQD311oItGCSWV5lu6b71TaaXuqkeRVVoJb7kK7IN/0VI9ivlVTi3PhDGS
         bmS75WxclDUdLFDR2dl5lD6k4zHqDn3nGF7QLb4m+DNwNQTIu/jQpglEuAPL6M0VJtYH
         5R4VqJ3mKHgY9pNQkq/Q1XYV/z7BAsV4j8Um++gfRo+F2vXApWEOZjDiphCMc4DNSbug
         uyZafqYvGU6OAKuaNv/KrctuDpRGQlEUYoelYgwzIBS/tmEvSWg4naZajsTDrC0vjm7+
         PAfQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v40-v6si11547057plg.84.2018.04.23.03.41.59;
        Mon, 23 Apr 2018 03:42:43 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754859AbeDWKh3 (ORCPT <rfc822;tanxianhu@gmail.com> + 99 others);
        Mon, 23 Apr 2018 06:37:29 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:47552 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754600AbeDWKh2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 23 Apr 2018 06:37:28 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 9F1B5DB8;
        Mon, 23 Apr 2018 10:37:27 +0000 (UTC)
Date:   Mon, 23 Apr 2018 12:37:16 +0200
From:   Greg KH <gregkh@linuxfoundation.org>
To:     Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc:     syzbot <syzbot+db48ce201b524603190a@syzkaller.appspotmail.com>,
        syzkaller-bugs@googlegroups.com,
        weiping zhang <zhangweiping@didichuxing.com>,
        Jan Kara <jack@suse.cz>, Jens Axboe <axboe@kernel.dk>,
        linux-kernel@vger.kernel.org
Subject: Re: KASAN: use-after-free Read in debugfs_remove (2)
Message-ID: <20180423103716.GA16081@kroah.com>
References: <000000000000fbda89056a818f20@google.com>
 <a5b6e0ff-ad8e-18f4-8c24-cdfafe4e3883@I-love.SAKURA.ne.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <a5b6e0ff-ad8e-18f4-8c24-cdfafe4e3883@I-love.SAKURA.ne.jp>
User-Agent: Mutt/1.9.5 (2018-04-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 23, 2018 at 07:34:45PM +0900, Tetsuo Handa wrote:
> >From be88e559ec13f49b1c3aec2457c14c70f6b1926a Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Mon, 23 Apr 2018 11:21:03 +0900
> Subject: [PATCH] bdi: Fix use after free bug in debugfs_remove()
> 
> syzbot is reporting use after free bug in debugfs_remove() [1].
> 
> This is because fault injection made memory allocation for
> debugfs_create_file() from bdi_debug_register() from bdi_register_va()
> fail and continued with setting WB_registered. But when debugfs_remove()
> is called from debugfs_remove(bdi->debug_dir) from bdi_debug_unregister()
>  from bdi_unregister() from release_bdi() because WB_registered was set
> by bdi_register_va(), IS_ERR_OR_NULL(bdi->debug_dir) == false despite
> debugfs_remove(bdi->debug_dir) was already called from bdi_register_va().
> 
> Fix this by making IS_ERR_OR_NULL(bdi->debug_dir) == true.
> 
> [1] https://syzkaller.appspot.com/bug?id=5ab4efd91a96dcea9b68104f159adf4af2a6dfc1
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Reported-by: syzbot <syzbot+049cb4ae097049dac137@syzkaller.appspotmail.com>
> Fixes: 97f07697932e6faf ("bdi: convert bdi_debug_register to int")
> Cc: weiping zhang <zhangweiping@didichuxing.com>
> Cc: Jan Kara <jack@suse.cz>
> Cc: Jens Axboe <axboe@kernel.dk>

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>