Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3337066imu; Sun, 11 Nov 2018 12:40:22 -0800 (PST) X-Google-Smtp-Source: AJdET5cpDfX+RW5CqSTCA8T5zVqsGkBK3nqliPICqlIZdGdHLS4r4rW6jx3WUMZZSdDw0q33jSie X-Received: by 2002:a63:ec4b:: with SMTP id r11mr14724910pgj.44.1541968821966; Sun, 11 Nov 2018 12:40:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541968821; cv=none; d=google.com; s=arc-20160816; b=y+lz8IjTCF7HDN1F0171o7WAtl7doidqovp/AQP56CzwdCt10IcmktIEynJQL1IbOd dWCSG5/ORiEOEYBVXfAQhZoPJ0pfWOOR2+KCGxdwK0Z5DuLvhBM2Z8YQ4KL3ySE6eE/O hMvCf5U+mVqA3BOjjzpOA88wEvyeeoGL0a6Cn+Wf8J/J42KlpWplSINUXRnC9tXgwJTm IH6VW9+7/M9cx+gblCs7wjJKyO8d0m7pedTPFd6RHM2UbDBSncKbstMArTPRKUU3on9j /E40RjbgFyugN2LiOwLn9cLs23++iALErPpmVepsx00hEv06MyJmEeXIhm5nVPzK1/DI BFIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=rLtZaXCxMqIYDcs4RVr6LZr+u888JTy2c6wCtUV18iU=; b=ri0AWjUltHdGhT/NrvjAzG6eA6MUp9TdgGBuVCay2gaN2mmRbhbX1vBqH7kHU+xN3s G+OzGN22R/8NjVJDLKeNZ8Q1g1bdShT7Q/fBF48GaJjBlfay7LnU8p8NWF8jWQmramXk 3etsmQ5hNBnh/CFRCytVNhyZFLtkUZeq2jx/wUjVZ/3dlfPkSyfNarzA84OOPjwZGHXZ QL5xVJOl+m8qGfrQiYp6xgmPRSE/3RgvuayAKskdcSFI7ykyzOLUhGcxQInFTpQwiva8 VTk4FN9aMvniAYJM7NFaOx/vVTq1tiZgYM5Hn5w5QSISY8lPzCu3sa/PTmlZCTzX+hmY S/1w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 189si13854897pgh.320.2018.11.11.12.40.06; Sun, 11 Nov 2018 12:40:21 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729989AbeKLFsH (ORCPT + 99 others); Mon, 12 Nov 2018 00:48:07 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:49496 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729532AbeKLFsG (ORCPT ); Mon, 12 Nov 2018 00:48:06 -0500 Received: from [192.168.4.242] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1gLvsT-0000l6-64; Sun, 11 Nov 2018 19:58:37 +0000 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1gLvsQ-0001Un-MY; Sun, 11 Nov 2018 19:58:34 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "syzbot" , "Miklos Szeredi" Date: Sun, 11 Nov 2018 19:49:05 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 100/366] fuse: fix control dir setup and teardown In-Reply-To: X-SA-Exim-Connect-IP: 192.168.4.242 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.61-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Miklos Szeredi commit 6becdb601bae2a043d7fb9762c4d48699528ea6e upstream. syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1]. Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode() failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to clear d_inode(dentry)->i_private field. Fix by only adding the dentry to the array after being fully set up. When tearing down the control directory, do d_invalidate() on it to get rid of any mounts that might have been added. [1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6 Reported-by: syzbot Fixes: bafa96541b25 ("[PATCH] fuse: add control filesystem") Signed-off-by: Miklos Szeredi [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- fs/fuse/control.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) --- a/fs/fuse/control.c +++ b/fs/fuse/control.c @@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentr if (!dentry) return NULL; - fc->ctl_dentry[fc->ctl_ndents++] = dentry; inode = new_inode(fuse_control_sb); - if (!inode) + if (!inode) { + dput(dentry); return NULL; + } inode->i_ino = get_next_ino(); inode->i_mode = mode; @@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentr set_nlink(inode, nlink); inode->i_private = fc; d_add(dentry, inode); + + fc->ctl_dentry[fc->ctl_ndents++] = dentry; + return dentry; } @@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_co for (i = fc->ctl_ndents - 1; i >= 0; i--) { struct dentry *dentry = fc->ctl_dentry[i]; dentry->d_inode->i_private = NULL; - d_drop(dentry); + if (!i) { + /* Get rid of submounts: */ + d_invalidate(dentry); + } dput(dentry); } drop_nlink(fuse_control_sb->s_root->d_inode);