Subject: Re: KASAN: use-after-free Read in debugfs_remove (2)
To: Tetsuo Handa, syzbot, syzkaller-bugs@googlegroups.com, weiping zhang, Jan Kara
Cc: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org
References: <000000000000fbda89056a818f20@google.com>
From: Jens Axboe
Message-ID: <7156e8d9-4c4a-1a98-2767-3508b9b3798f@kernel.dk>
Date: Thu, 3 May 2018 09:36:56 -0600
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/23/18 4:34 AM, Tetsuo Handa wrote:
> From be88e559ec13f49b1c3aec2457c14c70f6b1926a Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa
> Date: Mon, 23 Apr 2018 11:21:03 +0900
> Subject: [PATCH] bdi: Fix use after free bug in debugfs_remove()
>
> syzbot is reporting use after free bug in debugfs_remove() [1].
>
> This is because fault injection made memory allocation for
> debugfs_create_file() from bdi_debug_register() from bdi_register_va()
> fail and continued with setting WB_registered. But when debugfs_remove()
> is called from debugfs_remove(bdi->debug_dir) from bdi_debug_unregister()
> from bdi_unregister() from release_bdi() because WB_registered was set
> by bdi_register_va(), IS_ERR_OR_NULL(bdi->debug_dir) == false despite
> debugfs_remove(bdi->debug_dir) was already called from bdi_register_va().
>
> Fix this by making IS_ERR_OR_NULL(bdi->debug_dir) == true.
>
> [1] https://syzkaller.appspot.com/bug?id=5ab4efd91a96dcea9b68104f159adf4af2a6dfc1

Applied for 4.17, thanks.

-- 
Jens Axboe
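
The stale-pointer sequence described in the quoted commit message, as an added userspace model (not code from the patch or from the kernel). Every model_* name and the "fixed" switch are hypothetical, and clearing the pointer in the error path is an assumed way of making the IS_ERR_OR_NULL() check true; a removal that reaches an already-removed entry is counted instead of touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: hypothetical names, not kernel code. */
struct dentry { bool live; };          /* stands in for a debugfs entry */
struct bdi { struct dentry *debug_dir; bool registered; };

static int stale_removes;              /* removals that hit a dead entry */

static struct dentry *model_create(struct dentry *slot, bool inject_fail)
{
    if (inject_fail)
        return NULL;                   /* fault injection: allocation fails */
    slot->live = true;
    return slot;
}

static void model_remove(struct dentry *d)
{
    if (d == NULL)                     /* mirrors the IS_ERR_OR_NULL() guard */
        return;
    if (!d->live) {                    /* in the kernel: use-after-free read */
        stale_removes++;
        return;
    }
    d->live = false;
}

/* Directory creation succeeds, file creation fails, error path removes dir. */
static void model_register(struct bdi *b, struct dentry *slot, bool fixed)
{
    b->debug_dir = model_create(slot, false);
    if (model_create(NULL, true) == NULL) {
        model_remove(b->debug_dir);
        if (fixed)
            b->debug_dir = NULL;       /* assumed fix: no stale pointer kept */
    }
    b->registered = true;              /* caller continues despite the failure */
}

static void model_unregister(struct bdi *b)
{
    if (b->registered)
        model_remove(b->debug_dir);    /* second removal if pointer is stale */
    b->debug_dir = NULL;
    b->registered = false;
}

/* Returns how many removals reached an already-removed entry. */
int run_model(bool fixed)
{
    struct dentry slot = { false };
    struct bdi b = { NULL, false };
    stale_removes = 0;
    model_register(&b, &slot, fixed);
    model_unregister(&b);
    return stale_removes;
}

int main(void)
{
    printf("stale: %d, cleared: %d\n", run_model(false), run_model(true));
    return 0;
}
```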