| From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| Date: Tue, 1 May 2018 13:12:14 +0900 |
| Subject: fuse: don't keep dead fuse_conn at fuse_fill_super(). |
| |
| commit 543b8f8662fe6d21f19958b666ab0051af9db21a upstream. |
| |
| syzbot is reporting use-after-free at fuse_kill_sb_blk() [1]. |
| Since sb->s_fs_info field is not cleared after fc was released by |
| fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds |
| already released fc and tries to hold the lock. Fix this by clearing |
| sb->s_fs_info field after calling fuse_conn_put(). |
| |
| [1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db |
| |
| Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| Reported-by: syzbot <syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com> |
| Fixes: 3b463ae0c626 ("fuse: invalidation reverse calls") |
| Cc: John Muir <john@jmuir.com> |
| Cc: Csaba Henk <csaba@gluster.com> |
| Cc: Anand Avati <avati@redhat.com> |
| Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| fs/fuse/inode.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/fs/fuse/inode.c |
| +++ b/fs/fuse/inode.c |
| @@ -1125,6 +1125,7 @@ static int fuse_fill_super(struct super_ |
| err_put_conn: |
| fuse_bdi_destroy(fc); |
| fuse_conn_put(fc); |
| + sb->s_fs_info = NULL; |
| err_fput: |
| fput(file); |
| err: |
