Date: Thu, 22 Apr 2021 00:44:08 +0000
From: Al Viro
To: Aditya Pakki
Cc: Vivek Goyal, Stefan Hajnoczi, Miklos Szeredi,
    virtualization@lists.linux-foundation.org,
    linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fuse: Avoid potential use after free
References: <20210406235332.2206460-1-pakki001@umn.edu>
In-Reply-To: <20210406235332.2206460-1-pakki001@umn.edu>
List-ID: linux-kernel@vger.kernel.org

On Tue, Apr 06, 2021 at 06:53:32PM -0500, Aditya Pakki wrote:
> In virtio_fs_get_tree, after fm is freed, it is again freed in case
> s_root is NULL and virtio_fs_fill_super() returns an error. To avoid
> a double free, set fm to NULL.
>
> Signed-off-by: Aditya Pakki
> ---
>  fs/fuse/virtio_fs.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
> index 4ee6f734ba83..a7484c1539bf 100644
> --- a/fs/fuse/virtio_fs.c
> +++ b/fs/fuse/virtio_fs.c
> @@ -1447,6 +1447,7 @@ static int virtio_fs_get_tree(struct fs_context *fsc)
>  	if (fsc->s_fs_info) {
>  		fuse_conn_put(fc);
>  		kfree(fm);
> +		fm = NULL;
>  	}
>  	if (IS_ERR(sb))
>  		return PTR_ERR(sb);

NAK.  The only cases when sget_fc() returns without having ->s_fs_info
zeroed are when it has successfully grabbed a reference to an existing live
superblock or when it has failed.  In the former case we proceed straight to

	fsc->root = dget(sb->s_root);
	return 0;

and in the latter we bugger off on IS_ERR(sb).  No double-free in either
case.

Said that, the logic in there (especially around the cleanups on
virtio_fs_fill_super() failures) is bloody convoluted, but sorting that out
would take a lot more RTFS than I'm willing to start right now.  In any
case, this patch does not fix any bugs and does not make the thing easier
to follow, so...

NAKed-by: Al Viro
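Review bot: the `fm = NULL` added inside the `if (fsc->s_fs_info)` block does not reach the scenario the commit message describes. The only later use of `fm` is the cleanup taken when `s_root` is NULL and virtio_fs_fill_super() fails, and that cleanup runs only for a superblock sget_fc() has just allocated, which is the case where sget_fc() has already taken `s_fs_info` from the context, so the guarded `kfree(fm)` in this hunk has not executed. When `fsc->s_fs_info` is still set after sget_fc(), the superblock is either an existing live one (whose `s_root` is set, so the fill_super cleanup is skipped) or an error pointer that the `IS_ERR(sb)` check two lines below returns on. The assignment therefore only turns a second `kfree(fm)` into a `kfree(NULL)` no-op on paths that cannot be reached. Either the commit message should spell out a concrete sget_fc() outcome that leaves `fsc->s_fs_info` set together with `sb->s_root == NULL`, or the change should be dropped.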
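The argument in the reply above can be checked mechanically. The following is an added example written for this page, not kernel code and not part of the patch or the reply: a user-space C model of the three ways sget_fc() can return as the reply describes them (a fresh superblock that takes over fsc->s_fs_info and clears it, an existing live superblock whose s_root is already set, or an error pointer), wired to the control flow of virtio_fs_get_tree() from the quoted hunk onward, counting how often the fuse_mount object is freed on each path. Every name here (model_*, the outcome knob, the sentinel error superblock) is an assumption of the model; fuse_conn handling and the virtio_fs instance lookup are deliberately left out.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* The three outcomes of sget_fc() described in the reply (model, not kernel API). */
enum sget_outcome {
	SGET_NEW,      /* fresh superblock allocated; it takes over fsc->s_fs_info */
	SGET_EXISTING, /* live superblock found; s_root set, fsc->s_fs_info untouched */
	SGET_ERROR     /* failure; fsc->s_fs_info untouched, error pointer returned */
};

struct model_super_block {
	void *s_fs_info;
	void *s_root;  /* non-NULL once the superblock has been filled */
};

struct model_fuse_mount {
	int freed;     /* number of times the model "kfree"d this object */
};

struct model_fs_context {
	void *s_fs_info;
	void *root;
	enum sget_outcome outcome; /* constructed knob selecting the sget_fc() path */
	int fill_super_fails;      /* constructed knob: make fill_super fail */
};

static struct model_super_block new_sb;      /* storage for the SGET_NEW case */
static struct model_super_block existing_sb; /* storage for the SGET_EXISTING case */
static struct model_super_block err_sb;      /* sentinel standing in for an ERR_PTR */
#define MODEL_IS_ERR(sb) ((sb) == &err_sb)

/* Counted rather than freed, so a double free shows up as freed == 2. */
static void model_kfree_fm(struct model_fuse_mount *fm)
{
	fm->freed++;
}

static struct model_super_block *model_sget_fc(struct model_fs_context *fsc)
{
	switch (fsc->outcome) {
	case SGET_NEW:
		memset(&new_sb, 0, sizeof(new_sb));
		new_sb.s_fs_info = fsc->s_fs_info; /* ownership moves to the superblock */
		fsc->s_fs_info = NULL;
		return &new_sb;
	case SGET_EXISTING:
		existing_sb.s_fs_info = NULL;
		existing_sb.s_root = (void *)"existing-root"; /* already live */
		return &existing_sb;
	default:
		return &err_sb;
	}
}

static int model_fill_super(struct model_super_block *sb, struct model_fs_context *fsc)
{
	if (fsc->fill_super_fails)
		return -EIO;
	sb->s_root = (void *)"new-root";
	return 0;
}

/* Control flow of the quoted virtio_fs_get_tree() from sget_fc() onward. */
static int model_get_tree(struct model_fs_context *fsc, struct model_fuse_mount *fm)
{
	struct model_super_block *sb;

	fm->freed = 0;
	fsc->root = NULL;
	fsc->s_fs_info = fm;
	sb = model_sget_fc(fsc);
	if (fsc->s_fs_info)       /* sget_fc() did not take fm: drop it here */
		model_kfree_fm(fm);
	if (MODEL_IS_ERR(sb))
		return -ENOMEM;    /* stands in for PTR_ERR(sb) */

	if (!sb->s_root) {        /* only a freshly allocated superblock lacks s_root */
		int err = model_fill_super(sb, fsc);
		if (err) {
			model_kfree_fm(fm); /* first free: sget_fc() had cleared s_fs_info */
			sb->s_fs_info = NULL;
			return err;
		}
	}
	fsc->root = sb->s_root;
	return 0;
}

/* Return code and free count for one path; used by the checks below. */
static int model_ret_on(int outcome, int fill_fails)
{
	struct model_fs_context fsc = { .outcome = outcome, .fill_super_fails = fill_fails };
	struct model_fuse_mount fm;
	return model_get_tree(&fsc, &fm);
}

static int model_frees_on(int outcome, int fill_fails)
{
	struct model_fs_context fsc = { .outcome = outcome, .fill_super_fails = fill_fails };
	struct model_fuse_mount fm;
	model_get_tree(&fsc, &fm);
	return fm.freed;
}

/* Largest number of frees of fm over every sget_fc()/fill_super combination. */
static int model_max_frees(void)
{
	int max = 0, o, f;
	for (o = SGET_NEW; o <= SGET_ERROR; o++)
		for (f = 0; f < 2; f++)
			if (model_frees_on(o, f) > max)
				max = model_frees_on(o, f);
	return max;
}

int main(void)
{
	printf("max frees of fm across all paths: %d\n", model_max_frees());
	return 0;
}
```

Running the model over all six combinations gives at most one free of fm: the existing-superblock and error paths free it once under the `if (fsc->s_fs_info)` guard and never reach the fill_super cleanup, while the fresh-superblock path frees it only in that cleanup (or not at all when fill_super succeeds, since the superblock then owns it). That is the reply's argument in executable form; it says nothing about the real cleanup ordering the reply calls convoluted.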