Date: Mon, 9 Jul 2018 18:25:18 -0700
From: Eric Biggers
To: David Howells
Cc: Alexander Viro, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Biggers
Subject: Re: [PATCH 07/18] fs_context: fix double free of legacy_fs_context data
Message-ID: <20180710012518.GB1014@sol.localdomain>
References: <20180708210154.10423-8-ebiggers3@gmail.com> <20180708210154.10423-1-ebiggers3@gmail.com> <3014.1531139469@warthog.procyon.org.uk> <20180710011741.GA1014@sol.localdomain>
In-Reply-To: <20180710011741.GA1014@sol.localdomain>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jul 09, 2018 at 06:17:41PM -0700, Eric Biggers wrote:
> On Mon, Jul 09, 2018 at 01:31:09PM +0100, David Howells wrote:
> > Eric Biggers wrote:
> >
> > > sys_fsmount() calls fc->ops->free() to free the data, zeroes
> > > ->fs_private, then proceeds to reuse the context. But legacy_fs_context
> > > doesn't use ->fs_private, so we need to handle zeroing it too; otherwise
> > > there's a double free of legacy_fs_context::{legacy_data,secdata}.
> >
> > I think the attached is better. I stopped embedding the fs_context in the
> > xxx_fs_context to make certain things simpler, but I missed the legacy
> > wrapper.
> >
> > David
> > ---
> > diff --git a/fs/fs_context.c b/fs/fs_context.c
> > index f91facc769f7..ab93a0b73dc6 100644
> > --- a/fs/fs_context.c
> > +++ b/fs/fs_context.c
> > @@ -34,7 +34,6 @@ enum legacy_fs_param {
> > };
> >
> > struct legacy_fs_context {
> > - struct fs_context fc;
> > char *legacy_data; /* Data page for legacy filesystems */
> > char *secdata;
> > size_t data_size;
> > @@ -239,12 +238,21 @@ struct fs_context *vfs_new_fs_context(struct file_system_type *fs_type,
> > enum fs_context_purpose purpose)
> > {
> > struct fs_context *fc;
> > - int ret;
> > + int ret = -ENOMEM;
> >
> > - fc = kzalloc(sizeof(struct legacy_fs_context), GFP_KERNEL);
> > + fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL);
> > if (!fc)
> > return ERR_PTR(-ENOMEM);
> >
> > + if (!fs_type->init_fs_context) {
> > + fc->fs_private = kzalloc(sizeof(struct legacy_fs_context),
> > + GFP_KERNEL);
> > + if (!fc->fs_private)
> > + goto err_fc;
> > +
> > + fc->ops = &legacy_fs_context_ops;
> > + }
> > +
>
> Why isn't this done in the same place that ->init_fs_context() would otherwise
> be called? It logically does the same thing, right?

Case in point: if allocating ->fs_private fails here, you'll get a NULL pointer
dereference during put_fs_context() not only from the NULL ->fs_private in
legacy_fs_context_free(), but also from put_filesystem() since ->fs_type hasn't
been set yet.

- Eric
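Review bot: dropping `struct fs_context fc;` from `struct legacy_fs_context` (the first hunk) changes how every legacy op reaches its wrapper, but the quoted portion only shows the new allocation into `fc->fs_private` in `vfs_new_fs_context()`, not the matching reads in the legacy ops such as `legacy_fs_context_free()`; those need to be confirmed in the full patch, since any op still relying on the old embedded layout would now read the wrong memory.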
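Review bot: in the second hunk, `goto err_fc` on the `fs_private` allocation failure runs before `fc->ops = &legacy_fs_context_ops;` and, as Eric points out, before `->fs_type` is assigned, so a teardown at `err_fc` that goes through `put_fs_context()` dereferences NULL in `legacy_fs_context_free()` and `put_filesystem()`. Either free `fc` directly on this path (`kfree(fc); return ERR_PTR(ret);`) or move the legacy allocation to the point where `->init_fs_context()` would otherwise be called, after the fields the teardown depends on are set. Minor: `int ret = -ENOMEM;` is now initialised, yet the first failure still does `return ERR_PTR(-ENOMEM);` instead of using `ret`; the two error paths should be uniform.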
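As an added illustration, not code from the thread or from the kernel, here is a user-space model of the reuse sequence Eric describes, with the old embedded-wrapper layout beside David's separate `->fs_private` allocation; all struct and function names are hypothetical stand-ins for the kernel's.

```c
#include <stddef.h>
/* Model (not kernel code) of the reuse sequence in the thread: sys_fsmount()
 * calls fc->ops->free(), zeroes ->fs_private, then reuses the context, and
 * put_fs_context() calls ->free() once more. kfree() is only counted. */
struct fs_context {
	void (*free_op)(struct fs_context *fc);
	void *fs_private;   /* per-filesystem data; zeroed on reuse */
};
/* Before: wrapper embeds the fs_context and is reached via container_of(). */
struct legacy_embedded { struct fs_context fc; char *legacy_data; };
/* After (David's patch): wrapper is a separate allocation in ->fs_private. */
struct legacy_separate { char *legacy_data; };
static int legacy_data_frees;                    /* kfree(legacy_data) count */
static void kfree_model(void *p) { if (p) legacy_data_frees++; }

static void free_embedded(struct fs_context *fc)
{
	struct legacy_embedded *ctx = (struct legacy_embedded *)
		((char *)fc - offsetof(struct legacy_embedded, fc));
	kfree_model(ctx->legacy_data);   /* pointer is never cleared */
}

static void free_separate(struct fs_context *fc)
{
	struct legacy_separate *ctx = fc->fs_private;
	if (!ctx)                        /* ->fs_private already zeroed */
		return;
	kfree_model(ctx->legacy_data);   /* ctx itself would be freed too */
}
/* Each returns how many times legacy_data was "freed"; 1 is correct. */
int reuse_embedded(void)
{
	static char data[] = "rw,noatime";
	struct legacy_embedded ctx = { { free_embedded, NULL }, data };
	legacy_data_frees = 0;
	ctx.fc.free_op(&ctx.fc);    /* sys_fsmount() drops parse-time data */
	ctx.fc.fs_private = NULL;   /* zeroed, but the wrapper is not in there */
	ctx.fc.free_op(&ctx.fc);    /* put_fs_context(): second free */
	return legacy_data_frees;
}
int reuse_separate(void)
{
	static char data[] = "rw,noatime";
	struct legacy_separate priv = { data };
	struct fs_context fc = { free_separate, &priv };
	legacy_data_frees = 0;
	fc.free_op(&fc);
	fc.fs_private = NULL;
	fc.free_op(&fc);            /* now a no-op */
	return legacy_data_frees;
}
```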