From: Eric Biggers <ebiggers@xxxxxxxxxx> syzbot reported an invalid free in debugfs_release_dentry(). The reproducer tries to mount debugfs with the 'dirsync' option, which is not allowed. The bug is that if reconfigure_super() fails in vfs_get_super(), deactivate_locked_super() is called, but also fs_context::root is left non-NULL which causes deactivate_super() to be called again later. Fix it by releasing fs_context::root in the error path. Reported-by: syzbot+5aca688dac0796c56129@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: e478b48498a7 ("vfs: Add a single-or-reconfig keying to vfs_get_super()") Cc: David Howells <dhowells@xxxxxxxxxx> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx> --- fs/super.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/super.c b/fs/super.c index 0f913376fc4c..99195e15be05 100644 --- a/fs/super.c +++ b/fs/super.c @@ -1194,8 +1194,11 @@ int vfs_get_super(struct fs_context *fc, fc->root = dget(sb->s_root); if (keying == vfs_get_single_reconf_super) { err = reconfigure_super(fc); - if (err < 0) + if (err < 0) { + dput(fc->root); + fc->root = NULL; goto error; + } } } -- 2.23.0
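Review bot: the dput()/NULL pair added before `goto error` is the right fix, but the invariant it relies on (the `error` label already calls deactivate_locked_super(), so a dentry left in fc->root makes the fs_context teardown drop the superblock a second time) lives only in the commit message; a one-line comment above `dput(fc->root);` in the hunk would keep the next reader from removing the "redundant" looking dput. It is also worth confirming that no other failure path in vfs_get_super() sits after `fc->root = dget(sb->s_root);`, since the hunk only covers the reconfigure_super() failure and any such path would need the same release.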