References: <000000000000c0a706056ad69897@google.com>
From: Miklos Szeredi
Date: Thu, 31 May 2018 16:27:58 +0200
Subject: Re: general protection fault in fuse_ctl_remove_conn
To: Tetsuo Handa
Cc: syzbot, syzkaller-bugs@googlegroups.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org

On Sat, Apr 28, 2018 at 4:29 AM, Tetsuo Handa wrote:
> From 9f41081f8bd6762a6f629e5e23e6d07a62bba69c Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa
> Date: Sat, 28 Apr 2018 11:24:09 +0900
> Subject: [PATCH] fuse: don't keep inode-less dentry at fuse_ctl_add_dentry().
>
> syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1].
> Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode()
> failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to
> clear d_inode(dentry)->i_private field. Fix this by calling dput() rather
> than incrementing fc->ctl_ndents when new_inode() failed.
>
> [1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6

Slightly different fix pushed to:

  git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git for-next

Thanks,
Miklos
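
The failure mode described in the quoted commit message, as a simplified userspace model added here (not kernel code, and not taken from either patch): a counter that is bumped even when inode allocation fails makes teardown walk an inode-less entry. The `model_*` names, `run_scenario`, `MAX_DENTS` and the struct layouts are assumptions made for illustration.

```c
#include <stdlib.h>
#define MAX_DENTS 5
struct inode  { void *i_private; };
struct dentry { struct inode *d_inode; };
struct conn   { struct dentry *ctl_dentry[MAX_DENTS]; int ctl_ndents; };

/* Model of adding one control entry. fail_alloc stands in for new_inode()
 * failing. keep_on_failure=1 is the reported behaviour (the inode-less dentry
 * is still counted); 0 is the fix as the commit message describes it. */
int model_add_dentry(struct conn *fc, int fail_alloc, int keep_on_failure)
{
    struct dentry *d;
    if (fc->ctl_ndents >= MAX_DENTS || !(d = calloc(1, sizeof(*d))))
        return -1;
    d->d_inode = fail_alloc ? NULL : calloc(1, sizeof(struct inode));
    if (!d->d_inode && !keep_on_failure) {
        free(d);                 /* stands in for dput() */
        return -1;               /* ctl_ndents is not incremented */
    }
    fc->ctl_dentry[fc->ctl_ndents++] = d;
    return 0;
}

/* Model of teardown. Returns how many counted dentries had no inode, i.e. how
 * many times an unguarded d_inode(dentry)->i_private store would fault. */
int model_remove_conn(struct conn *fc)
{
    int i, null_inodes = 0;
    for (i = fc->ctl_ndents - 1; i >= 0; i--) {
        struct dentry *d = fc->ctl_dentry[i];
        if (d->d_inode)
            d->d_inode->i_private = NULL;
        else
            null_inodes++;       /* the real code would dereference NULL here */
        free(d->d_inode);        /* free(NULL) is a no-op */
        free(d);
    }
    fc->ctl_ndents = 0;
    return null_inodes;
}

/* Constructed scenario: three adds, the second inode allocation fails. */
int run_scenario(int keep_on_failure)
{
    struct conn fc = { {0}, 0 };
    for (int i = 0; i < 3; i++)
        model_add_dentry(&fc, i == 1, keep_on_failure);
    return model_remove_conn(&fc);
}

int main(void) { return run_scenario(0); }
```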