Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp6420275imm; Mon, 27 Aug 2018 15:50:06 -0700 (PDT) X-Google-Smtp-Source: ANB0Vdbu4IgRqsaVJTmY9TkJw6VGLKrJMAV6F9TRvTJ8GuYKtABZew96f+BKsX8Fy4U+3Lqu/Wwq X-Received: by 2002:a17:902:4906:: with SMTP id u6-v6mr14685090pld.44.1535410206305; Mon, 27 Aug 2018 15:50:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535410206; cv=none; d=google.com; s=arc-20160816; b=b2Q6JkvtccssNHUHifA0FoRmT6XK4Q6Uw5bXhhx2EeVe2oyUxxEF67aXCNJgRUX8If mkDk93Sliyes2olvWlXXiqM7NS9/wCRbcy4mTVOURNTOpNJ1/h2K05FqL4BtNrjtX5fj GooRthuzAUHxz/V6K99klIM6Qz3dSZMxlFl8jn7+/XKgAV2yl+Rw/8X6j5G5HJ5oGOL/ kC9KZQPz3RxUC7FH6Sapk3xmrFqbwAzYjaXs7CsP6uvK1t9XZ+kRKQ+3nS5vdIcrO0aA /LI9qtZenHE68MITZrgpp0c4MoPekm+nillHUJzQkG/AYcSe8r1gTOzajOPCwrPIcfAf U2Mw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=bZqmvnHdyP4DZP/OPblc6xmNWQCoPu7qhpBYqnhE1DA=; b=FQb5ycdheZvjkloxCOAs0nVxdIlEvZCb2JBsQx3RXxIizWqZuoE7NTTJ0Hr/BRicwm kRXXHa7YuCZd1PN1fLjwjLGf/5bNR5zgKiNNcIBhBdRApcXOKVRICz2GqCmkAaS69gfU ytYO1uPjejdPTA0jb9kd7IxVF96NEIUaRKgxMb/pnf9Q+8b+gy2NiKaAbF6VMjuRD1TW ZTL1TZPfbhp+Ygy8qyl1zcgE33PShx181dvVCEHWex0LN3uHymLAbXkucE9YzfLRjiVj wJaIatyvy81Oe+q2OXn2OmUrTisqinWscQGuo6ot9s/qAib+uTZ+JheDvEAyEuLxChJf aQeA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i184-v6si564418pfb.98.2018.08.27.15.49.51; Mon, 27 Aug 2018 15:50:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727389AbeH1ChX (ORCPT + 99 others); Mon, 27 Aug 2018 22:37:23 -0400 Received: from nautica.notk.org ([91.121.71.147]:54355 "EHLO nautica.notk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727180AbeH1ChV (ORCPT ); Mon, 27 Aug 2018 22:37:21 -0400 Received: by nautica.notk.org (Postfix, from userid 1001) id 371C0C01A; Tue, 28 Aug 2018 00:48:41 +0200 (CEST) From: Dominique Martinet To: v9fs-developer@lists.sourceforge.net Cc: Dominique Martinet , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, Eric Van Hensbergen , Latchesar Ionkov Subject: [PATCH 2/2] 9p: clear dangling pointers in p9stat_free Date: Tue, 28 Aug 2018 00:48:28 +0200 Message-Id: <1535410108-20650-2-git-send-email-asmadeus@codewreck.org> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1535410108-20650-1-git-send-email-asmadeus@codewreck.org> References: <000000000000af648b057456e234@google.com> <1535410108-20650-1-git-send-email-asmadeus@codewreck.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dominique Martinet p9stat_free is more of a cleanup function than a 'free' function as it only frees the content of the struct; there are chances of use-after-free if it is improperly used (e.g. p9stat_free called twice as it used to be possible to) Clearing dangling pointers makes the function idempotent and safer to use. Signed-off-by: Dominique Martinet Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com Cc: Eric Van Hensbergen Cc: Latchesar Ionkov --- net/9p/protocol.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/9p/protocol.c b/net/9p/protocol.c index 4a1e1dd30b52..ee32bbf12675 100644 --- a/net/9p/protocol.c +++ b/net/9p/protocol.c @@ -46,10 +46,15 @@ p9pdu_writef(struct p9_fcall *pdu, int proto_version, const char *fmt, ...); void p9stat_free(struct p9_wstat *stbuf) { kfree(stbuf->name); + stbuf->name = NULL; kfree(stbuf->uid); + stbuf->uid = NULL; kfree(stbuf->gid); + stbuf->gid = NULL; kfree(stbuf->muid); + stbuf->muid = NULL; kfree(stbuf->extension); + stbuf->extension = NULL; } EXPORT_SYMBOL(p9stat_free); -- 2.17.1