On Sun, May 13, 2018 at 12:20 PM, Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
> Dmitry Vyukov wrote:
>> This looks very similar to "KASAN: use-after-free Read in fuse_kill_sb_blk":
>> https://groups.google.com/d/msg/syzkaller-bugs/4C4oiBX8vZ0/0NTQRcUYBgAJ
>>
>> which you fixed with "fuse: don't keep dead fuse_conn at fuse_fill_super().":
>> https://groups.google.com/d/msg/syzkaller-bugs/4C4oiBX8vZ0/W6pi8NdbBgAJ
>>
>> However, here we have use-after-free in fuse_kill_sb_anon instead of
>> fuse_kill_sb_blk. Do you think your patch will fix this as well?
>
> Yes, for fuse_kill_sb_anon() and fuse_kill_sb_blk() are symmetrical.
> I'm waiting for Miklos Szeredi to apply that patch.

Thanks for confirming. Let's do:

#syz fix: fuse: don't keep dead fuse_conn at fuse_fill_super().

> static inline struct fuse_conn *get_fuse_conn_super(struct super_block *sb)
> {
> 	return sb->s_fs_info;
> }
>
> static struct file_system_type fuse_fs_type = {
> 	.owner		= THIS_MODULE,
> 	.name		= "fuse",
> 	.fs_flags	= FS_HAS_SUBTYPE,
> 	.mount		= fuse_mount,
> 	.kill_sb	= fuse_kill_sb_anon,
> };
>
> static struct file_system_type fuseblk_fs_type = {
> 	.owner		= THIS_MODULE,
> 	.name		= "fuseblk",
> 	.mount		= fuse_mount_blk,
> 	.kill_sb	= fuse_kill_sb_blk,
> 	.fs_flags	= FS_REQUIRES_DEV | FS_HAS_SUBTYPE,
> };
>
> static void fuse_kill_sb_anon(struct super_block *sb)
> {
> 	struct fuse_conn *fc = get_fuse_conn_super(sb);
>
> 	if (fc) {
> 		down_write(&fc->killsb);
> 		fc->sb = NULL;
> 		up_write(&fc->killsb);
> 	}
>
> 	kill_anon_super(sb);
> }
>
> static void fuse_kill_sb_blk(struct super_block *sb)
> {
> 	struct fuse_conn *fc = get_fuse_conn_super(sb);
>
> 	if (fc) {
> 		down_write(&fc->killsb);
> 		fc->sb = NULL;
> 		up_write(&fc->killsb);
> 	}
>
> 	kill_block_super(sb);
> }
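The lifecycle defect behind both reports, as an added user-space model written for this thread (not kernel code and not the fuse patch itself): a failed fill_super tears the fuse_conn down but leaves it in sb->s_fs_info, so the kill_sb callback later reads a dead object. The remedy modelled here, clearing s_fs_info before the connection goes away, is an assumption inferred from the patch title; the model retires the object instead of freeing it so the stale read can be observed without undefined behaviour.

```c
#include <stddef.h>

/* Constructed stand-ins for the kernel structures used in this thread. */
struct fuse_conn { int alive; };
struct super_block { struct fuse_conn *s_fs_info; };

/* Stand-in for KASAN: set when the teardown path reads a retired connection. */
static int stale_read_detected;

static struct fuse_conn *get_fuse_conn_super(struct super_block *sb)
{
	return sb->s_fs_info;
}

/* Model of fuse_kill_sb_anon()/fuse_kill_sb_blk(): both dereference whatever
 * fill_super left in s_fs_info, which is why the two reports are symmetrical. */
static void fuse_kill_sb_model(struct super_block *sb)
{
	struct fuse_conn *fc = get_fuse_conn_super(sb);

	if (fc && !fc->alive)
		stale_read_detected = 1;   /* the use-after-free read in the report */
}

/* Error path as the report implies: conn retired, pointer left dangling. */
static int fuse_fill_super_buggy(struct super_block *sb, struct fuse_conn *fc)
{
	sb->s_fs_info = fc;
	fc->alive = 0;               /* stands in for the conn being put/freed */
	return -1;                   /* s_fs_info still points at the dead conn */
}

/* Assumed fix: drop the superblock's reference before retiring the conn. */
static int fuse_fill_super_fixed(struct super_block *sb, struct fuse_conn *fc)
{
	sb->s_fs_info = fc;
	sb->s_fs_info = NULL;        /* assumption: don't keep the dead fuse_conn */
	fc->alive = 0;
	return -1;
}

/* Runs a failing mount followed by kill_sb; returns 1 if a stale read occurred. */
int mount_then_kill(int fixed)
{
	struct fuse_conn fc = { .alive = 1 };
	struct super_block sb = { .s_fs_info = NULL };

	stale_read_detected = 0;
	(fixed ? fuse_fill_super_fixed : fuse_fill_super_buggy)(&sb, &fc);
	fuse_kill_sb_model(&sb);
	return stale_read_detected;
}
```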