Re: KASAN: use-after-free Read in corrupted

Dmitry Vyukov wrote:
> This looks very similar to "KASAN: use-after-free Read in fuse_kill_sb_blk":
> https://groups.google.com/d/msg/syzkaller-bugs/4C4oiBX8vZ0/0NTQRcUYBgAJ
> 
> which you fixed with "fuse: don't keep dead fuse_conn at fuse_fill_super().":
> https://groups.google.com/d/msg/syzkaller-bugs/4C4oiBX8vZ0/W6pi8NdbBgAJ
> 
> However, here we have use-after-free in fuse_kill_sb_anon instead of
> fuse_kill_sb_blk. Do you think your patch will fix this as well?

Yes, for fuse_kill_sb_anon() and fuse_kill_sb_blk() are symmetrical.
I'm waiting for Miklos Szeredi to apply that patch.

static inline struct fuse_conn *get_fuse_conn_super(struct super_block *sb)
{
	return sb->s_fs_info;
}

static struct file_system_type fuse_fs_type = {
	.owner          = THIS_MODULE,
	.name           = "fuse",
	.fs_flags       = FS_HAS_SUBTYPE,
	.mount          = fuse_mount,
	.kill_sb        = fuse_kill_sb_anon,
};

static struct file_system_type fuseblk_fs_type = {
	.owner          = THIS_MODULE,
	.name           = "fuseblk",
	.mount          = fuse_mount_blk,
	.kill_sb        = fuse_kill_sb_blk,
	.fs_flags       = FS_REQUIRES_DEV | FS_HAS_SUBTYPE,
};

/* Both kill_sb callbacks start by loading the fuse_conn from sb->s_fs_info
 * and writing fc->sb under the killsb lock; only the final VFS teardown
 * call differs, so a stale s_fs_info pointer affects either one. */
static void fuse_kill_sb_anon(struct super_block *sb)
{
	struct fuse_conn *fc = get_fuse_conn_super(sb);

	if (fc) {
		down_write(&fc->killsb);
		fc->sb = NULL;
		up_write(&fc->killsb);
	}

	kill_anon_super(sb);
}

static void fuse_kill_sb_blk(struct super_block *sb)
{
	struct fuse_conn *fc = get_fuse_conn_super(sb);

	if (fc) {
		down_write(&fc->killsb);
		fc->sb = NULL;
		up_write(&fc->killsb);
	}

	kill_block_super(sb);
}
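As an added illustration (userspace model, not kernel code and not the patch itself) of the lifecycle discussed in this thread: fuse_fill_super() fails after the fuse_conn has already been stored in sb->s_fs_info, and the kill_sb callback later dereferences that pointer. The "fixed" variant assumes the fix clears sb->s_fs_info on the error path, which is inferred from the patch title "don't keep dead fuse_conn at fuse_fill_super()" and may differ from the real change in detail.

```c
#include <stdbool.h>
#include <stddef.h>

struct fuse_conn { bool freed; void *sb; };
struct super_block { void *s_fs_info; };

/* One static fuse_conn stands in for the allocation; "freeing" only marks
 * it dead so a later stale dereference is detectable rather than undefined. */
static struct fuse_conn conn_storage;

static void fuse_conn_put(struct fuse_conn *fc) { fc->freed = true; }

/* fuse_fill_super() failing after it stored fc in sb->s_fs_info. With
 * clear_on_error the error path also resets s_fs_info (assumed fix shape). */
static int fuse_fill_super(struct super_block *sb, bool clear_on_error)
{
	struct fuse_conn *fc = &conn_storage;
	*fc = (struct fuse_conn){ .freed = false, .sb = NULL };
	sb->s_fs_info = fc;
	/* ... a later setup step fails, so the function unwinds: */
	fuse_conn_put(fc);
	if (clear_on_error)
		sb->s_fs_info = NULL;	/* don't keep a dead fuse_conn */
	return -1;
}

/* Shared shape of fuse_kill_sb_anon()/fuse_kill_sb_blk(): fetch fc from
 * s_fs_info and write fc->sb. Returns 1 if the write touched a dead conn
 * (the access KASAN reports in the kernel), 0 otherwise. */
static int fuse_kill_sb(struct super_block *sb)
{
	struct fuse_conn *fc = sb->s_fs_info;
	int stale = 0;
	if (fc) {
		if (fc->freed)
			stale = 1;
		fc->sb = NULL;
	}
	return stale;
}

/* Failed mount followed by kill_sb, as the VFS does when the mount path
 * tears down a super_block whose fill_super returned an error. */
static int mount_then_kill(bool fixed)
{
	struct super_block sb = { .s_fs_info = NULL };
	(void)fuse_fill_super(&sb, fixed);
	return fuse_kill_sb(&sb);
}
```

mount_then_kill(false) reproduces the stale access for either kill_sb variant, while mount_then_kill(true) shows why clearing s_fs_info on the error path is sufficient for both.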
