On Fri, Aug 30, 2019 at 10:10:24PM -0500, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> syzbot reported an invalid free in debugfs_release_dentry(). The
> reproducer tries to mount debugfs with the 'dirsync' option, which is
> not allowed. The bug is that if reconfigure_super() fails in
> vfs_get_super(), deactivate_locked_super() is called, but also
> fs_context::root is left non-NULL which causes deactivate_super() to be
> called again later.
>
> Fix it by releasing fs_context::root in the error path.
>
> Reported-by: syzbot+5aca688dac0796c56129@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: e478b48498a7 ("vfs: Add a single-or-reconfig keying to vfs_get_super()")
> Cc: David Howells <dhowells@xxxxxxxxxx>
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> ---
> fs/super.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/super.c b/fs/super.c
> index 0f913376fc4c..99195e15be05 100644
> --- a/fs/super.c
> +++ b/fs/super.c
> @@ -1194,8 +1194,11 @@ int vfs_get_super(struct fs_context *fc,
> fc->root = dget(sb->s_root);
> if (keying == vfs_get_single_reconf_super) {
> err = reconfigure_super(fc);
> - if (err < 0)
> + if (err < 0) {
> + dput(fc->root);
> + fc->root = NULL;
> goto error;
> + }
> }
> }

Ping. This is still broken in linux-next.

- Eric
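Review bot: The ordering in the new error branch is the important part: `dput(fc->root)` must run before `goto error`, since the error label calls deactivate_locked_super() and the dentry reference has to be dropped while the superblock is still alive, and clearing `fc->root` afterwards is what stops the fs_context teardown from dropping the same reference a second time, which is the double deactivate_super() the commit message describes. A simpler shape worth considering is to move `fc->root = dget(sb->s_root);` below the `if (keying == vfs_get_single_reconf_super)` block, so that `fc->root` is only ever set once reconfigure_super() has succeeded and there is nothing to undo on failure; if the assignment needs to stay where it is, a one-line comment above the `dput` explaining why the root must be released before the superblock would help the next reader.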