From patchwork Mon Aug 24 08:31:01 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 265043 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.7 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AD678C433E3 for ; Mon, 24 Aug 2020 09:36:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8BF49207D3 for ; Mon, 24 Aug 2020 09:36:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598261777; bh=iMzsFT6t7SGlhIOUqQv2/+hi3POeH7jRh46e6QHr64I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=zRuABtXlhEp5u4pLKXY4gq1ZHSvjIjN523ZQjxcubPPKPpIbQlzoDeW/SBzAX//qB NpUK2LeLQGmSOr7ozeOveCpKilK4v5NNPYjH2ChPfq2XOL/fzNRKCPvVS8mbPFdFx8 p+kJAsiBscTXFtZw2ZKnn3RyNV7DexuZkM7TcUgQ= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729110AbgHXJgQ (ORCPT ); Mon, 24 Aug 2020 05:36:16 -0400 Received: from mail.kernel.org ([198.145.29.99]:50454 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729606AbgHXIst (ORCPT ); Mon, 24 Aug 2020 04:48:49 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 30576204FD; Mon, 24 Aug 2020 08:48:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598258928; bh=iMzsFT6t7SGlhIOUqQv2/+hi3POeH7jRh46e6QHr64I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WdyH+ePRPAaf1MMr7QyxFpY4tJ2sGppk4XH+/jCFiM/W79oLPLcNLo5ulfqKfCXgP gF9G0cDLrnzg7iQA8mmI5V0Kq2qiUwm0flxzwrKluBjkoWuV25AWkVyxkiS79c/CqG z1t0OdWvigTzUjMcHPh3zj2MNS7vlJmNBD3jrsbI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+c1eff8205244ae7e11a6@syzkaller.appspotmail.com, David Howells , Linus Torvalds , Sasha Levin Subject: [PATCH 5.4 095/107] afs: Fix NULL deref in afs_dynroot_depopulate() Date: Mon, 24 Aug 2020 10:31:01 +0200 Message-Id: <20200824082409.801233634@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200824082405.020301642@linuxfoundation.org> References: <20200824082405.020301642@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: David Howells [ Upstream commit 5e0b17b026eb7c6de9baa9b0d45a51b05f05abe1 ] If an error occurs during the construction of an afs superblock, it's possible that an error occurs after a superblock is created, but before we've created the root dentry. If the superblock has a dynamic root (ie. what's normally mounted on /afs), the afs_kill_super() will call afs_dynroot_depopulate() to unpin any created dentries - but this will oops if the root hasn't been created yet. Fix this by skipping that bit of code if there is no root dentry. This leads to an oops looking like: general protection fault, ... KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] ... RIP: 0010:afs_dynroot_depopulate+0x25f/0x529 fs/afs/dynroot.c:385 ... Call Trace: afs_kill_super+0x13b/0x180 fs/afs/super.c:535 deactivate_locked_super+0x94/0x160 fs/super.c:335 afs_get_tree+0x1124/0x1460 fs/afs/super.c:598 vfs_get_tree+0x89/0x2f0 fs/super.c:1547 do_new_mount fs/namespace.c:2875 [inline] path_mount+0x1387/0x2070 fs/namespace.c:3192 do_mount fs/namespace.c:3205 [inline] __do_sys_mount fs/namespace.c:3413 [inline] __se_sys_mount fs/namespace.c:3390 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 which is oopsing on this line: inode_lock(root->d_inode); presumably because sb->s_root was NULL. Fixes: 0da0b7fd73e4 ("afs: Display manually added cells in dynamic root mount") Reported-by: syzbot+c1eff8205244ae7e11a6@syzkaller.appspotmail.com Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- fs/afs/dynroot.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c index 7503899c0a1b5..f07e53ab808e3 100644 --- a/fs/afs/dynroot.c +++ b/fs/afs/dynroot.c @@ -289,15 +289,17 @@ void afs_dynroot_depopulate(struct super_block *sb) net->dynroot_sb = NULL; mutex_unlock(&net->proc_cells_lock); - inode_lock(root->d_inode); - - /* Remove all the pins for dirs created for manually added cells */ - list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) { - if (subdir->d_fsdata) { - subdir->d_fsdata = NULL; - dput(subdir); + if (root) { + inode_lock(root->d_inode); + + /* Remove all the pins for dirs created for manually added cells */ + list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) { + if (subdir->d_fsdata) { + subdir->d_fsdata = NULL; + dput(subdir); + } } - } - inode_unlock(root->d_inode); + inode_unlock(root->d_inode); + } }