Received: by 2002:a05:7412:bbc7:b0:fc:a2b0:25d7 with SMTP id kh7csp866986rdb;
        Fri, 2 Feb 2024 06:31:38 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGdg2fZ/CJAx33K5V+Xsdnz/sSciqjCZGvF8cRDT+UF745sr+iZWDyZFcmU0nuVfUg+Q+Wc
X-Received: by 2002:a05:6a20:d392:b0:19e:4f91:42b2 with SMTP id iq18-20020a056a20d39200b0019e4f9142b2mr1891122pzb.18.1706884298615;
        Fri, 02 Feb 2024 06:31:38 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706884298; cv=pass;
        d=google.com; s=arc-20160816;
        b=B9X9eLiGUKRVZcysH/8unNlm7kC6/4g4AjJpadurACNQu7Kd1ZutXnaCMP638vwZZX
         LD/BvB3V11uWwbeohSmXSCEqxamOWKSxkXKPALdfh4g8TwOr4/rEScHBSAaYGnsi6ANa
         mW7Nz882zRuQOhp1nwICdR3KV/ZcVO3Y25o6xzM19ievGpimtKWbBwb1x/SKA3vX5Kc9
         jaryWdVDpf+ekBU4bnEpzpbtWruSe3k0vFSJQEBO2T5Zs98xuGAC9jCr1pwwtm6jALYu
         4zt1GMtdomzMiJcSv81gdgEIPomF9D2/h3ibfEYvVLSqP5Nsih3Wa+za+Eo/QiJPc4AM
         vBqQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:date
         :subject:cc:to:from:message-id:dkim-signature;
        bh=utGP6OZSBLpmJu+9Td/7txs00XIiQw4x9gVWwrER68U=;
        fh=s1WqSfQJRvkXArr9Y72e0q4KwDDLAmZ+TXJWRaj+tzI=;
        b=03UtVJZXk/T8yUIX9QfI8X8RVWTXVWDRw4ZuFiJ69WVHGPgSt1e13lQUXM8ZEDPjXR
         zIuoFJpihBd7Ms9EN0vh2iQ5S8gGBM2uUf6vHh+2vFytEzOW1Q6miHbHl5iWfqYcUtPF
         PFeDbGhhE0pWECDynFWWPXqEuhwi4lQR+n5yEElHmvIqEqcgoNue8rdma+yjTOI1SuLC
         z5TPOnhn34D96rKvoKZDNFZCw6NphoIVo7KkmRXC5HeRjRCYJ71JaL+XTelT7rEotnEA
         07Y0Minf5+G/TosuP+e1rODLHN6moMPIuUyvJ3A19mzaIkPdyFCUEKkwXGluNABBior0
         gpOg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@qq.com header.s=s201512 header.b=HlGjcscK;
       arc=pass (i=1 spf=pass spfdomain=qq.com dkim=pass dkdomain=qq.com dmarc=pass fromdomain=qq.com);
       spf=pass (google.com: domain of linux-kernel+bounces-49931-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-49931-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=qq.com
X-Forwarded-Encrypted: i=1; AJvYcCVgwim3F5KuNFjyO0nXSHECqopq2+XKrRoXALu3LgQgpNANcBF1Glkqq4zkVgbBX9D9tmYDNLfJo+qcbOhpVS9AA0TxjlL4LsgcwZi/Gg==
Return-Path: <linux-kernel+bounces-49931-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
        by mx.google.com with ESMTPS id q16-20020a63d610000000b005cee03a1bf9si1674608pgg.448.2024.02.02.06.31.38
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 02 Feb 2024 06:31:38 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-49931-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@qq.com header.s=s201512 header.b=HlGjcscK;
       arc=pass (i=1 spf=pass spfdomain=qq.com dkim=pass dkdomain=qq.com dmarc=pass fromdomain=qq.com);
       spf=pass (google.com: domain of linux-kernel+bounces-49931-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-49931-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=qq.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id E415EB248A3
	for <linux.lists.archive@gmail.com>; Fri,  2 Feb 2024 14:15:07 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 724DA77654;
	Fri,  2 Feb 2024 14:14:58 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b="HlGjcscK"
Received: from out162-62-57-49.mail.qq.com (out162-62-57-49.mail.qq.com [162.62.57.49])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7546F17C77;
	Fri,  2 Feb 2024 14:14:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=162.62.57.49
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1706883297; cv=none; b=Ak6TI6CSRC7JjWHDj5qfR5nOOmnirlNDwHadeZ8mVhD96kf+opWA+G9fi+V2+RKS4T0MBChKbZH6WycuiqJ8pioSquURU7D0VAr6otCJbwt0WnG0dnl/wiytHyoTLG8CU4Zsi/ykU9YGphlz7d94hJyHw18OSKeOjhoRSbKsYeY=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1706883297; c=relaxed/simple;
	bh=BJQfplmaSyBDDhVs/RstyS/GWbcJ/Hf09yPAoLpwVRQ=;
	h=Message-ID:From:To:Cc:Subject:Date:In-Reply-To:References:
	 MIME-Version; b=hSNlps2iV6sMIorJIg76+Cda7YLqnUUHalaW3lj6LpkG0e+6wngrxItdsVKgrUgW+HcJonBceLz4UF1Rq8LBhqv0GZzNzWWEljNz2TNJ8CYPmfsMfseNgjYLRLfNHA2nId7GvnpAfKDmsV5RJI+v8JabmcYB9SVG0z9jX3oJA+0=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=qq.com; spf=pass smtp.mailfrom=qq.com; dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b=HlGjcscK; arc=none smtp.client-ip=162.62.57.49
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=qq.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=qq.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512;
	t=1706882984; bh=utGP6OZSBLpmJu+9Td/7txs00XIiQw4x9gVWwrER68U=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=HlGjcscKpYIaUpYlkJdx1tCd4V3OAU8gBztf1fOCEJVuYsxtENrCrgHUPuyr+KVeB
	 2uMrmS3gA3miH3DWBn9RjgmlLQdZQNxdmN/NUSiFCfGpI6keBEW5KhgEaqnyfV8nOi
	 JRB134zXODyPzGo49nTXl3yoXG+0tJ1wLF32M+hU=
Received: from pek-lxu-l1.wrs.com ([111.198.228.140])
	by newxmesmtplogicsvrsza1-0.qq.com (NewEsmtp) with SMTP
	id D329E61; Fri, 02 Feb 2024 22:03:19 +0800
X-QQ-mid: xmsmtpt1706882599tcbkviljv
Message-ID: <tencent_2975FB767367603CED3622962437524A8C09@qq.com>
X-QQ-XMAILINFO: NyTsQ4JOu2J2VwOlPHaW7j2tsaSYtv5nx4xX96Q8K3YFvj37RAaq+YBf17GGzv
	 ArWxQSrW//mfyCBLhKljL6oRifpo4iGAx8GJ/Bea5/efYq0zN4jXPfZsSyxeFzr7xqc98q7KOh2E
	 JfG6AWuktRJq8mIlhX6jVhtE3VuMLnq8FEAKm7q+65dvDwLAQVoRh1xAq52WRbgJFFoQ/32YlcD6
	 eJGFtNUJ7B4WMD2ESJSn9ifhCHkuB22E5pm2jmS19XBqcDyq9ZGK4hZ1W8xhdwWabgYXcvwR0qSZ
	 W57mVLGvJ5/ub9VBlvex/ONfMZ53lJl/w0NdRaur+SERaZ5J3P7MSKu73wqh0UCECZJnPf8vgfUD
	 LnGg+VnpYeZyIXsGjrDjbfwouY+A5p/Fh8g7UK3szkmFdwKiAYLo2waBt6ALnY/WwFevedbzPIUX
	 z8EHR+ADf3DrbkmXf6H51uoiu0z2mH4CA+/SjVpLQGsDqmR1OfATo0WfX70lyo4YluhwXpFUeTry
	 40uq6W8XD0vzTw2JnFiTKEn9Bna/CL2GpqMHL5HKZWFMX9tjXKUq7RHhU+2LNs73HOTCK6s6Mcut
	 3BhElnjH9JPhFPOMKJN3YxHkD/fAbyAB3JMg6XE8+N7i6iHxw+ei6MpsoW51Ct+8PD+dVeH6efdU
	 NmJtJb+UxiQMPyCcnAcNPCN7v8rFwZ8YPGmTbTwCU+bpA/SM2qdw+Qpryif0X2IcIDs54Vhlhwr+
	 F3f1i+0LqiAzzVV8t5K3f8tiMvrG5VqdREWgwzI/7mxQZ8sHTHxgkWOEaRTIgfrNA8wgR9I0CPWj
	 Shi2zr51gKhzx8E2Gaw2IMoLSEmEzuzX+LtAePqOQAI7Gur5m0V1QVIuYztVnNEPBB3F07XUOuBP
	 DLA7Bs2cTpxPFOlOpur+IfFcTsqOPQ94sNawXvT70qIIuuV+0igsmTTlupsGk1j0xs+lFnWr4i
X-QQ-XMRINFO: OD9hHCdaPRBwq3WW+NvGbIU=
From: Edward Adam Davis <eadavis@qq.com>
To: syzbot+a4c1a7875b2babd9e359@syzkaller.appspotmail.com
Cc: dhowells@redhat.com,
	jlayton@kernel.org,
	linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	netfs@lists.linux.dev,
	syzkaller-bugs@googlegroups.com
Subject: [PATCH next] fs/9p: fix uaf in in __fscache_relinquish_cookie
Date: Fri,  2 Feb 2024 22:03:19 +0800
X-OQ-MSGID: <20240202140318.4147829-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <0000000000007e7a63061062fcd9@google.com>
References: <0000000000007e7a63061062fcd9@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

In v9fs_fid_get_dotl(), if p9_client_getattr_dotl() or v9fs_init_inode() fails,
the cookie will not be properly initialized and will result in accessing improperly
allocated cookies.

When the cookie is not initialized, exit the subsequent cookie recycling process
to avoid this issue.

Reported-and-tested-by: syzbot+a4c1a7875b2babd9e359@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/9p/vfs_inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index 360a5304ec03..d27b7ecf7163 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -353,7 +353,8 @@ void v9fs_evict_inode(struct inode *inode)
 	filemap_fdatawrite(&inode->i_data);
 
 #ifdef CONFIG_9P_FSCACHE
-	fscache_relinquish_cookie(v9fs_inode_cookie(v9inode), false);
+	if (mapping_release_always(inode->i_mapping))
+		fscache_relinquish_cookie(v9fs_inode_cookie(v9inode), false);
 #endif
 }
 
-- 
2.43.0