On Mon 23-04-18 19:34:45, Tetsuo Handa wrote:
> From be88e559ec13f49b1c3aec2457c14c70f6b1926a Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <[email protected]>
> Date: Mon, 23 Apr 2018 11:21:03 +0900
> Subject: [PATCH] bdi: Fix use after free bug in debugfs_remove()
>
> syzbot is reporting a use-after-free bug in debugfs_remove() [1].
>
> This is because fault injection made memory allocation for
> debugfs_create_file() from bdi_debug_register() from bdi_register_va()
> fail and continued with setting WB_registered. But when debugfs_remove()
> is called from debugfs_remove(bdi->debug_dir) from bdi_debug_unregister()
> from bdi_unregister() from release_bdi() because WB_registered was set
> by bdi_register_va(), IS_ERR_OR_NULL(bdi->debug_dir) == false despite
> debugfs_remove(bdi->debug_dir) having already been called from bdi_register_va().
>
> Fix this by making IS_ERR_OR_NULL(bdi->debug_dir) == true.
>
> [1]
> https://syzkaller.appspot.com/bug?id=5ab4efd91a96dcea9b68104f159adf4af2a6dfc1
>
> Signed-off-by: Tetsuo Handa <[email protected]>
> Reported-by: syzbot <[email protected]>
> Fixes: 97f07697932e6faf ("bdi: convert bdi_debug_register to int")
> Cc: weiping zhang <[email protected]>
> Cc: Jan Kara <[email protected]>
> Cc: Jens Axboe <[email protected]>
Looks good to me. You can add:

Reviewed-by: Jan Kara <[email protected]>

Jens, can you please merge this fix? Thanks!

								Honza

> ---
>  mm/backing-dev.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/mm/backing-dev.c b/mm/backing-dev.c
> index 023190c..7fe73fa 100644
> --- a/mm/backing-dev.c
> +++ b/mm/backing-dev.c
> @@ -115,6 +115,7 @@ static int bdi_debug_register(struct backing_dev_info
> *bdi, const char *name)
>  			bdi, &bdi_debug_stats_fops);
>  	if (!bdi->debug_stats) {
>  		debugfs_remove(bdi->debug_dir);
> +		bdi->debug_dir = NULL;
>  		return -ENOMEM;
>  	}
>
> --
> 1.8.3.1
>
-- 
Jan Kara <[email protected]>
SUSE Labs, CR
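Review bot: the `bdi->debug_dir = NULL;` in the `if (!bdi->debug_stats)` block is correctly ordered after `debugfs_remove(bdi->debug_dir)`, so the second `debugfs_remove(bdi->debug_dir)` in bdi_debug_unregister() sees IS_ERR_OR_NULL() true and becomes a no-op; bdi->debug_stats is already NULL on this path, so nothing else needs clearing. One point worth stating explicitly in the commit message: by its own description bdi_register_va() still sets WB_registered after bdi_debug_register() returns -ENOMEM, so this hunk makes the teardown path tolerate a failed registration rather than stopping bdi_debug_unregister() from running; if the -ENOMEM return is not meant to be ignored by the caller, that would be a separate change.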
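The sequence the commit message describes (partial registration failure, pointer left dangling, teardown removes it again) replayed as a small user-space model. This is an added example, not kernel code: the struct and function names mirror the thread, but debugfs_create_dir(), debugfs_create_file() and debugfs_remove() are simplified stand-ins with assumed signatures, the `inject_fault` knob and the `freed` flag are constructed for the demonstration, and a removed dentry is marked rather than free()d so the second remove can be counted instead of being undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a debugfs dentry. It is never passed to free()
 * so that a second debugfs_remove() can be observed instead of being UB. */
struct dentry {
    bool freed;
};

struct backing_dev_info {
    struct dentry *debug_dir;
    struct dentry *debug_stats;
    bool wb_registered;          /* stands in for the WB_registered bit */
};

static bool inject_fault;        /* constructed fault-injection knob */
static int removes_on_freed;     /* debugfs_remove() calls on a freed dentry */

/* Same test the kernel's IS_ERR_OR_NULL() performs: NULL or an ERR_PTR(). */
static bool is_err_or_null(const void *p)
{
    return p == NULL || (uintptr_t)p >= (uintptr_t)-4095;
}

static struct dentry *debugfs_create_dir(void)
{
    return calloc(1, sizeof(struct dentry));
}

static struct dentry *debugfs_create_file(void)
{
    if (inject_fault)
        return NULL;             /* the allocation failure syzbot injected */
    return calloc(1, sizeof(struct dentry));
}

/* debugfs_remove() ignores NULL/ERR_PTR; removing a dentry twice is the
 * use after free from the report, recorded here rather than crashing. */
static void debugfs_remove(struct dentry *d)
{
    if (is_err_or_null(d))
        return;
    if (d->freed) {
        removes_on_freed++;
        return;
    }
    d->freed = true;
}

/* Registration with the error path from the hunk; `fixed` toggles the
 * one added line, `bdi->debug_dir = NULL;`. */
static int bdi_debug_register(struct backing_dev_info *bdi, bool fixed)
{
    bdi->debug_dir = debugfs_create_dir();
    if (!bdi->debug_dir)
        return -ENOMEM;
    bdi->debug_stats = debugfs_create_file();
    if (!bdi->debug_stats) {
        debugfs_remove(bdi->debug_dir);
        if (fixed)
            bdi->debug_dir = NULL;
        return -ENOMEM;
    }
    return 0;
}

static void bdi_debug_unregister(struct backing_dev_info *bdi)
{
    debugfs_remove(bdi->debug_stats);
    debugfs_remove(bdi->debug_dir);
}

/* As the commit message describes: WB_registered is set even though
 * bdi_debug_register() failed, so teardown still runs the unregister path. */
static void bdi_register_va(struct backing_dev_info *bdi, bool fixed)
{
    (void)bdi_debug_register(bdi, fixed);
    bdi->wb_registered = true;
}

static void bdi_unregister(struct backing_dev_info *bdi)
{
    if (bdi->wb_registered) {
        bdi_debug_unregister(bdi);
        bdi->wb_registered = false;
    }
}

/* Replays the scenario and returns how many debugfs_remove() calls hit an
 * already removed dentry: 1 with the fault and no fix, 0 otherwise. */
int run_scenario(bool fail_stats_alloc, bool fixed)
{
    struct backing_dev_info bdi = {0};
    removes_on_freed = 0;
    inject_fault = fail_stats_alloc;
    bdi_register_va(&bdi, fixed);
    inject_fault = false;
    bdi_unregister(&bdi);
    return removes_on_freed;
}

int main(void)
{
    printf("fault, unfixed: %d\n", run_scenario(true, false));
    printf("fault, fixed:   %d\n", run_scenario(true, true));
    printf("no fault:       %d\n", run_scenario(false, false));
    return 0;
}
```

The general lesson the model shows is that a cleanup routine which tolerates NULL (as debugfs_remove() does) only protects you if every error path that releases an object also clears the pointer that names it; otherwise a later, unconditional teardown releases it a second time.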

