From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Miklos Szeredi", "syzbot"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 073/328] fuse: Fix oops at process_init_reply()
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.62-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi

commit e8f3bd773d22f488724dffb886a1618da85c2966 upstream.

syzbot is hitting NULL pointer dereference at process_init_reply(). This is because deactivate_locked_super() is called before response for initial request is processed. Fix this by aborting and waiting for all requests (including FUSE_INIT) before resetting fc->sb.

Original patch by Tetsuo Handa.

Reported-by: syzbot
Fixes: e27c9d3877a0 ("fuse: fuse: add time_gran to INIT_OUT")
Signed-off-by: Miklos Szeredi
[bwh: Backported to 3.16:
 - Drop second argument to fuse_abort_conn()
 - fuse_wait_aborted() is not needed]
Signed-off-by: Ben Hutchings
---
--- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -380,9 +380,6 @@ static void fuse_put_super(struct super_ { struct fuse_conn *fc = get_fuse_conn_super(sb); - fuse_send_destroy(fc); - - fuse_abort_conn(fc); mutex_lock(&fuse_mutex); list_del(&fc->entry); fuse_ctl_remove_conn(fc);
@@ -1124,16 +1121,24 @@ static struct dentry *fuse_mount(struct return mount_nodev(fs_type, flags, raw_data, fuse_fill_super); } -static void fuse_kill_sb_anon(struct super_block *sb) +static void fuse_sb_destroy(struct super_block *sb) { struct fuse_conn *fc = get_fuse_conn_super(sb); if (fc) { + fuse_send_destroy(fc); + + fuse_abort_conn(fc); + down_write(&fc->killsb); fc->sb = NULL; up_write(&fc->killsb); } +} +static void fuse_kill_sb_anon(struct super_block *sb) +{ + fuse_sb_destroy(sb); kill_anon_super(sb); } @@ -1156,14 +1161,7 @@ static struct dentry *fuse_mount_blk(str static void fuse_kill_sb_blk(struct super_block *sb) { - struct fuse_conn *fc = get_fuse_conn_super(sb); - - if (fc) { - down_write(&fc->killsb); - fc->sb = NULL; - up_write(&fc->killsb); - } - + fuse_sb_destroy(sb); kill_block_super(sb); }
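Review bot: the fuse_put_super() hunk (@@ -380,9 +380,6 @@) drops fuse_send_destroy() and fuse_abort_conn() without the description saying where they go, so on its own it reads as removing the DESTROY request and the abort entirely rather than moving them. The backport note or the description should state that both calls now run from fuse_sb_destroy() before kill_anon_super()/kill_block_super(), which is before generic_shutdown_super() reaches put_super(); that reordering is the whole point, because it puts the abort ahead of `fc->sb = NULL`. A sentence confirming that what remains in fuse_put_super() (list_del(&fc->entry), fuse_ctl_remove_conn(fc)) does not depend on the connection already being aborted would complete the picture.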
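Review bot: fuse_sb_destroy() in the @@ -1124,16 +1121,24 @@ hunk carries the entire fix in its ordering (fuse_send_destroy(), fuse_abort_conn(), then `fc->sb = NULL` under the killsb write lock) but has no comment saying so; add one stating that the abort must have completed every outstanding request, FUSE_INIT included, before fc->sb is cleared, since process_init_reply() dereferences the superblock. The backport note says fuse_wait_aborted() is not needed on 3.16 but not why; it should spell out what guarantees that a FUSE_INIT reply already being completed by the daemon's write when fuse_abort_conn() runs has finished process_init_reply() before down_write(&fc->killsb) is taken, since upstream added the wait precisely to cover requests that the abort itself does not end synchronously. Without that, a reader cannot tell from this hunk whether the race is closed or only narrowed. The `if (fc)` guard should stay as written: the kill_sb path also runs for a mount whose fuse_fill_super() failed before a connection was attached.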
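Review bot: in the @@ -1156,14 +1161,7 @@ hunk fuse_kill_sb_blk() picks up fuse_send_destroy() and fuse_abort_conn() through fuse_sb_destroy(), so for block-backed mounts the DESTROY request and the abort now happen before kill_block_super() instead of from put_super() inside it. That matches the anon path and upstream, but the description only discusses the syzbot crash on the INIT reply, so it should say the block path receives the same reordering deliberately. The deduplication itself is the right shape: the two kill_sb callbacks now differ only in the final kill_*_super() call, which keeps the two paths from drifting apart again.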