Date: Sun, 28 Mar 2021 17:11:43 +0800 (GMT+08:00)
From: lyl2019@mail.ustc.edu.cn
To: jack@suse.cz, amir73il@gmail.com
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [BUG] fs/notify/mark: A potential use after free in fsnotify_put_mark_wake
Message-ID: <39095113.1936a.178781a774a.Coremail.lyl2019@mail.ustc.edu.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

My static analyzer tool reported a use after free in fsnotify_put_mark_wake of the file fs/notify/mark.c.

In fsnotify_put_mark_wake, it calls fsnotify_put_mark(mark). Inside the function fsnotify_put_mark(), if conn is NULL, it will call fsnotify_final_mark_destroy(mark) to free mark->group by fsnotify_put_group(group) and return.

I had also inspected the implementation of fsnotify_put_group() and found that there is no cleanup operation on group->user_waits.

But after fsnotify_put_mark_wake() returned, mark->group is still used by

	if (atomic_dec_and_test(&group->user_waits) && group->shutdown)

and later.

Is this an issue?

Thanks.
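The call ordering the report describes, as an added stand-alone C model. This is editor-written illustration, not kernel code and not the reporter's analyzer output: struct group, struct mark, put_mark(), put_mark_wake_as_reported() and put_mark_wake_pinned() are hypothetical stand-ins for fsnotify_group, fsnotify_mark, fsnotify_put_mark() and fsnotify_put_mark_wake(), and kfree() is replaced by a "freed" flag so the model stays well defined and a use of the freed group can be counted instead of crashing. It models only the state the report assumes (the mark holds the last reference to the group, one user wait is outstanding, the group is shutting down); whether the real fsnotify code can reach that state is exactly the question asked above and is not answered here. The second variant shows the generic remedy for this shape of bug, pinning the parent object across the call that may drop the child's reference to it.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for struct fsnotify_group / struct fsnotify_mark.
 * Nothing is really freed: put_group() sets "freed" where the kernel would
 * kfree(), so every later access can be detected and counted. */
struct group {
	atomic_int refcnt;      /* lifetime reference, as fsnotify_get/put_group() */
	atomic_int user_waits;  /* pinned-for-userspace count named in the report */
	bool shutdown;
	bool freed;
	int wakeups;            /* stands in for wake_up(&group->notification_waitq) */
	int uses_after_free;    /* bumped by group_use() once the group is "freed" */
};

struct mark {
	atomic_int refcnt;
	struct group *group;
	bool freed;
};

/* Every field access on the group in the wake path goes through here. */
static void group_use(struct group *g)
{
	if (g->freed)
		g->uses_after_free++;
}

static void get_group(struct group *g)
{
	atomic_fetch_add(&g->refcnt, 1);
}

static void put_group(struct group *g)
{
	if (atomic_fetch_sub(&g->refcnt, 1) == 1)
		g->freed = true;    /* last reference gone: kfree() in the kernel */
}

/* Models the conn == NULL branch described in the report: the mark is
 * destroyed at once and drops its group reference on the way out. */
static void put_mark(struct mark *m)
{
	if (atomic_fetch_sub(&m->refcnt, 1) != 1)
		return;
	put_group(m->group);
	m->freed = true;
}

/* The ordering the report describes: drop the mark first, then keep using
 * the group pointer saved from mark->group. */
static void put_mark_wake_as_reported(struct mark *m)
{
	struct group *group = m->group;

	put_mark(m);
	group_use(group);
	if (atomic_fetch_sub(&group->user_waits, 1) == 1 && group->shutdown)
		group->wakeups++;
}

/* Same logic with the group pinned across the call (generic remedy,
 * not a claim about what the kernel does or should do). */
static void put_mark_wake_pinned(struct mark *m)
{
	struct group *group = m->group;

	get_group(group);
	put_mark(m);
	group_use(group);
	if (atomic_fetch_sub(&group->user_waits, 1) == 1 && group->shutdown)
		group->wakeups++;
	put_group(group);
}

struct outcome {
	int uses_after_free;
	int wakeups;
	bool group_freed;
};

/* Constructed scenario: the mark holds the only group reference, one user
 * wait is outstanding and the group is already in shutdown. */
struct outcome run_scenario(bool pin_group)
{
	struct group g = { .shutdown = true };
	struct mark m = { .group = &g };
	struct outcome out;

	atomic_init(&g.refcnt, 1);
	atomic_init(&g.user_waits, 1);
	atomic_init(&m.refcnt, 1);

	if (pin_group)
		put_mark_wake_pinned(&m);
	else
		put_mark_wake_as_reported(&m);

	out.uses_after_free = g.uses_after_free;
	out.wakeups = g.wakeups;
	out.group_freed = g.freed;
	return out;
}

int main(void)
{
	struct outcome a = run_scenario(false), b = run_scenario(true);

	printf("as reported: %d use(s) after free, %d wakeup(s), group freed=%d\n",
	       a.uses_after_free, a.wakeups, a.group_freed);
	printf("pinned:      %d use(s) after free, %d wakeup(s), group freed=%d\n",
	       b.uses_after_free, b.wakeups, b.group_freed);
	return 0;
}
```

Both variants deliver the wake-up and both end with the group released; the difference is only whether the user_waits decrement and the shutdown check run before or after the group's last reference is dropped. In a real kernel the unpinned ordering would be caught by KASAN rather than by a counter, which is the check a practitioner would run after reading the report.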