Date: Thu, 3 May 2018 17:33:51 +0200
From: Jan Kara
To: Tetsuo Handa
Cc: syzbot, syzkaller-bugs@googlegroups.com, weiping zhang, Jan Kara, Jens Axboe, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org
Subject: Re: KASAN: use-after-free Read in debugfs_remove (2)
Message-ID: <20180503153351.zmtmo2g6gxw5p6a4@quack2.suse.cz>
References: <000000000000fbda89056a818f20@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon 23-04-18 19:34:45, Tetsuo Handa wrote:
> From be88e559ec13f49b1c3aec2457c14c70f6b1926a Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa
> Date: Mon, 23 Apr 2018 11:21:03 +0900
> Subject: [PATCH] bdi: Fix use after free bug in debugfs_remove()
>
> syzbot is reporting a use after free bug in debugfs_remove() [1].
>
> This is because fault injection made memory allocation for
> debugfs_create_file() from bdi_debug_register() from bdi_register_va()
> fail and continued with setting WB_registered. But when debugfs_remove()
> is called from debugfs_remove(bdi->debug_dir) from bdi_debug_unregister()
> from bdi_unregister() from release_bdi() because WB_registered was set
> by bdi_register_va(), IS_ERR_OR_NULL(bdi->debug_dir) == false despite
> debugfs_remove(bdi->debug_dir) having already been called from
> bdi_register_va().
>
> Fix this by making IS_ERR_OR_NULL(bdi->debug_dir) == true.
>
> [1] https://syzkaller.appspot.com/bug?id=5ab4efd91a96dcea9b68104f159adf4af2a6dfc1
>
> Signed-off-by: Tetsuo Handa
> Reported-by: syzbot
> Fixes: 97f07697932e6faf ("bdi: convert bdi_debug_register to int")
> Cc: weiping zhang
> Cc: Jan Kara
> Cc: Jens Axboe

Looks good to me. You can add:

Reviewed-by: Jan Kara

Jens, can you please merge this fix? Thanks!

                                                                Honza

> ---
> mm/backing-dev.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/mm/backing-dev.c b/mm/backing-dev.c
> index 023190c..7fe73fa 100644
> --- a/mm/backing-dev.c
> +++ b/mm/backing-dev.c
> @@ -115,6 +115,7 @@ static int bdi_debug_register(struct backing_dev_info *bdi, const char *name)
> bdi, &bdi_debug_stats_fops);
> if (!bdi->debug_stats) {
> debugfs_remove(bdi->debug_dir);
> + bdi->debug_dir = NULL;
> return -ENOMEM;
> }
>
> --
> 1.8.3.1
>

-- 
Jan Kara
SUSE Labs, CR
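Review bot: the reset in this hunk is correct but undocumented; because bdi_debug_unregister() keys off IS_ERR_OR_NULL(bdi->debug_dir) rather than off the return value of bdi_debug_register() (which bdi_register_va() ignores, per the commit message), a one-line comment above `bdi->debug_dir = NULL;` such as `/* debug_dir is already removed; unregister must not remove it again */` would stop a later cleanup from dropping an assignment that looks redundant in isolation. Note that bdi->debug_stats needs no matching reset on this path, since it is the pointer that was just found NULL. It is also worth confirming that the debugfs_create_dir() failure path a few lines above this hunk (not shown here) leaves debug_dir as NULL or an ERR_PTR, because the same unregister-time check has to cover that case too.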
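To make the sequence the commit message describes concrete, here is an added user-space model of it in C. It is example code written for this page, not code from the patch, from mm/backing-dev.c or from syzbot: the kernel functions are stand-ins, and run_scenario(), the dentry pool, the `fixed` flag and the `registered` field (standing in for WB_registered) are this example's own. It goes slightly beyond the patch by also running the no-fault case and the case where the directory allocation itself fails, so the reader can see that only the partial-failure path leaves a dangling pointer.

```c
/* Added example (not from the patch or mm/backing-dev.c): a user-space model
 * of the bdi debugfs register/unregister error path. Kernel functions below
 * are stand-ins; run_scenario(), the pool and `fixed` are this example's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct dentry: a liveness flag lets a remove-after-remove be
 * counted here instead of being a real use-after-free. */
struct dentry { int alive; };

/* Fixed pool instead of malloc/free so a stale pointer can be inspected
 * safely; under KASAN the kernel's debugfs_remove() reports this as a UAF. */
#define POOL_SIZE 8
static struct dentry pool[POOL_SIZE];
static int pool_used;

static int fail_at;        /* fault injection: fail the Nth allocation, 0 = never */
static int alloc_count;
static int stale_removes;  /* debugfs_remove() calls on an already-released dentry */

/* Only the fields of struct backing_dev_info this path touches. */
struct backing_dev_info {
    struct dentry *debug_dir;
    struct dentry *debug_stats;
    int registered;        /* models the WB_registered bit */
};

/* Stand-in for debugfs_create_dir()/debugfs_create_file(). */
static struct dentry *debugfs_create(void)
{
    struct dentry *d;

    alloc_count++;
    if ((fail_at && alloc_count == fail_at) || pool_used == POOL_SIZE)
        return NULL;
    d = &pool[pool_used++];
    d->alive = 1;
    return d;
}

/* Stand-in for debugfs_remove(): NULL is a no-op, as in the kernel. */
static void debugfs_remove(struct dentry *d)
{
    if (!d)
        return;
    if (!d->alive) {
        stale_removes++;   /* the double remove syzbot hit */
        return;
    }
    d->alive = 0;
}

/* Mirrors the hunk: with `fixed`, debug_dir is cleared after the partial
 * cleanup, so the IS_ERR_OR_NULL() test at unregister time sees NULL. */
static int bdi_debug_register(struct backing_dev_info *bdi, int fixed)
{
    bdi->debug_dir = debugfs_create();
    if (!bdi->debug_dir)
        return -ENOMEM;
    bdi->debug_stats = debugfs_create();
    if (!bdi->debug_stats) {
        debugfs_remove(bdi->debug_dir);
        if (fixed)
            bdi->debug_dir = NULL;      /* the one-line fix */
        return -ENOMEM;
    }
    return 0;
}

static void bdi_debug_unregister(struct backing_dev_info *bdi)
{
    debugfs_remove(bdi->debug_stats);
    debugfs_remove(bdi->debug_dir);
}

/* Like bdi_register_va() as the commit message describes it: the debugfs
 * failure is ignored and WB_registered is set anyway. */
static void bdi_register(struct backing_dev_info *bdi, int fixed)
{
    memset(bdi, 0, sizeof *bdi);
    (void)bdi_debug_register(bdi, fixed);
    bdi->registered = 1;
}

/* Register with the Nth allocation failing, then tear down as release_bdi()
 * would; returns how many removes hit a released dentry (0 means no UAF). */
int run_scenario(int fail_nth, int fixed)
{
    struct backing_dev_info bdi;

    memset(pool, 0, sizeof pool);
    pool_used = alloc_count = stale_removes = 0;
    fail_at = fail_nth;
    bdi_register(&bdi, fixed);
    if (bdi.registered)
        bdi_debug_unregister(&bdi);
    return stale_removes;
}

int main(void)
{
    printf("stats alloc fails, unfixed: %d stale remove(s)\n", run_scenario(2, 0));
    printf("stats alloc fails, fixed:   %d stale remove(s)\n", run_scenario(2, 1));
    return 0;
}
```

The general lesson the model makes visible is that teardown here is gated on a coarse flag (WB_registered) rather than on the result of the sub-registration, so any error path that releases an object reachable through a surviving pointer must also reset that pointer; the second allocation failing is the only input that exposes it, which is exactly the path fault injection found.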