Message-ID: <xoz24h3357hot5caj46ug72rw3tpcscrt2qtmjdpl2hymvuvyx@szn4js4453wx>
Date: Fri, 28 Nov 2025 13:40:51 +0100
From: Jan Kara <jack@...e.cz>
To: syzbot <syzbot+94048264da5715c251f9@...kaller.appspotmail.com>
Cc: brauner@...nel.org, jack@...e.cz, linux-fsdevel@...r.kernel.org, 
	linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk
Subject: Re: [syzbot] [fs?] general protection fault in mntput

On Fri 28-11-25 13:29:06, Jan Kara wrote:
> Hello,
> 
> On Thu 27-11-25 13:42:27, syzbot wrote:
> > syzbot found the following issue on:
> > 
> > HEAD commit:    92fd6e84175b Add linux-next specific files for 20251125
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=13a55612580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=bf77a4e0e3514deb
> > dashboard link: https://syzkaller.appspot.com/bug?extid=94048264da5715c251f9
> > compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1215f612580000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17082f42580000
> > 
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/bee2604d495b/disk-92fd6e84.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/b12aade49e2c/vmlinux-92fd6e84.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/286fd34158cb/bzImage-92fd6e84.xz
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+94048264da5715c251f9@...kaller.appspotmail.com
> > 
> > Oops: general protection fault, probably for non-canonical address 0xdffffc0000000023: 0000 [#1] SMP KASAN PTI
> 
> This is caused by 67c68da01266d ("namespace: convert fsmount() to
> FD_PREPARE()") and the problem is we do:
> 
> 	struct path newmount __free(path_put) = {};
> 
> 	...
> 
> 	newmount.mnt = vfs_create_mount(fc);
> 	if (IS_ERR(newmount.mnt))
> 		return PTR_ERR(ns);
> 
> Which is not safe to do because path_put() unconditionally calls
> mntput(path.mnt) which only has "if (mnt)" so it tries to put an error
> pointer.
> 
> There are several ways to fix this:
> 
> 1) We can just add an IS_ERR_OR_NULL(mnt) check to mntput(). It is convenient
> but I know Al didn't like these wholesale IS_ERR_OR_NULL() checks because
> they kind of hide occasional sloppy programming practices.
> 
> 2) We can provide an alternative for path_put() as a destructor which properly
> deals with error pointers.
> 
> 3) We can just store the result of vfs_create_mount() in a temporary variable
> and store the result in newmount after we verify it is valid.
> 
> I'm leaning towards 3) but what do other people think?

Ah, OK, now I see you've already picked up a fix for this so please ignore
this message.

								Honza
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR
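
Added example, not part of the original message and not kernel code: a userspace C model of the scope-based cleanup problem discussed above, next to option 3 (temporary variable). The `model_*` helpers, `fsmount_direct()`, `fsmount_temp()` and the `bad_puts` counter are hypothetical names; the counter stands in for the fault the real mntput() would take on an error pointer.

```c
/* Userspace model (added example); kernel names are imitated, not the real ones. */
#include <errno.h>
#include <stdint.h>

#define MAX_ERRNO   4095
#define ERR_PTR(e)  ((void *)(intptr_t)(e))
#define PTR_ERR(p)  ((int)(intptr_t)(p))
#define IS_ERR(p)   ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)

struct mount { int refs; };
struct path  { struct mount *mnt; };
static struct mount the_mount;
static int bad_puts;            /* times the put was handed an error pointer */

/* Like the mntput() described in the mail: only a NULL check. The kernel
 * would dereference the error pointer here; the model counts it instead. */
static void model_mntput(struct mount *mnt)
{
    if (!mnt) return;
    if (IS_ERR(mnt)) { bad_puts++; return; }   /* stands in for the GPF */
    mnt->refs--;
}
static void model_path_put(struct path *p) { model_mntput(p->mnt); }
static struct mount *model_create_mount(int fail)
{
    if (fail) return ERR_PTR(-ENOMEM);
    the_mount.refs++;
    return &the_mount;
}

/* Pattern from the mail: error pointer stored in the auto-cleaned variable. */
int fsmount_direct(int fail)
{
    struct path newmount __attribute__((cleanup(model_path_put))) = {0};
    newmount.mnt = model_create_mount(fail);
    if (IS_ERR(newmount.mnt))
        return PTR_ERR(newmount.mnt);   /* cleanup then runs on the error pointer */
    return 0;
}

/* Option 3: validate in a temporary, assign only a valid pointer. */
int fsmount_temp(int fail)
{
    struct path newmount __attribute__((cleanup(model_path_put))) = {0};
    struct mount *mnt = model_create_mount(fail);
    if (IS_ERR(mnt))
        return PTR_ERR(mnt);            /* newmount.mnt is still NULL */
    newmount.mnt = mnt;
    return 0;
}
```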
