git.openwrt.org Git - openwrt/staging/blogic.git/commit

author	Tetsuo Handa <[email protected]>
	Mon, 23 Apr 2018 02:21:03 +0000 (11:21 +0900)
committer	Jens Axboe <[email protected]>
	Thu, 3 May 2018 15:36:24 +0000 (09:36 -0600)
commit	f53823c18131e755905b4f654196fd2cc3953f6e
tree	94a1ced15776f1ec274d53b337f5640201b32265	tree \| snapshot
parent	8236b0ae31c837d2b3a2565c5f8d77f637e824cc	commit \| diff

bdi: Fix use after free bug in debugfs_remove()

syzbot is reporting use after free bug in debugfs_remove() [1].

This is because fault injection made memory allocation for
debugfs_create_file() from bdi_debug_register() from bdi_register_va()
fail and continued with setting WB_registered. But when debugfs_remove()
is called from debugfs_remove(bdi->debug_dir) from bdi_debug_unregister()
from bdi_unregister() from release_bdi() because WB_registered was set
by bdi_register_va(), IS_ERR_OR_NULL(bdi->debug_dir) == false despite
debugfs_remove(bdi->debug_dir) was already called from bdi_register_va().

Fix this by making IS_ERR_OR_NULL(bdi->debug_dir) == true.

[1] https://syzkaller.appspot.com/bug?id=5ab4efd91a96dcea9b68104f159adf4af2a6dfc1

Signed-off-by: Tetsuo Handa <[email protected]>
Reported-by: syzbot <[email protected]>
Fixes: 97f07697932e6faf ("bdi: convert bdi_debug_register to int")
Cc: weiping zhang <[email protected]>
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Reviewed-by: Jan Kara <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>