Message ID | tencent_2975FB767367603CED3622962437524A8C09@qq.com (mailing list archive) |
---|---|
State | New, archived |
Series | [next] fs/9p: fix uaf in __fscache_relinquish_cookie |
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c index 360a5304ec03..d27b7ecf7163 100644 --- a/fs/9p/vfs_inode.c +++ b/fs/9p/vfs_inode.c @@ -353,7 +353,8 @@ void v9fs_evict_inode(struct inode *inode) filemap_fdatawrite(&inode->i_data); #ifdef CONFIG_9P_FSCACHE - fscache_relinquish_cookie(v9fs_inode_cookie(v9inode), false); + if (mapping_release_always(inode->i_mapping)) + fscache_relinquish_cookie(v9fs_inode_cookie(v9inode), false); #endif }
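Review bot: the new guard in v9fs_evict_inode() makes correctness depend on mapping_release_always(inode->i_mapping) being set if and only if the fscache cookie was actually acquired, but that coupling is neither visible in the hunk nor stated in the commit message; please spell it out (where the release-always flag is set relative to the cookie acquisition, and why it is guaranteed clear on the p9_client_getattr_dotl()/v9fs_init_inode() failure paths named in the description), or, if the cookie field is reliably NULL on those paths, guard on the cookie itself so the check documents its own intent. A one-line comment above the `if` such as `/* cookie is only valid once the mapping is marked release-always */` would help the next reader, and the subject line should name the call site being changed (fscache_relinquish_cookie()) rather than only the internal `__fscache_relinquish_cookie` where the use-after-free surfaces.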
In v9fs_fid_get_dotl(), if p9_client_getattr_dotl() or v9fs_init_inode() fails, the cookie will not be properly initialized and will result in accessing improperly allocated cookies.

When the cookie is not initialized, exit the subsequent cookie recycling process to avoid this issue.

Reported-and-tested-by: syzbot+a4c1a7875b2babd9e359@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/9p/vfs_inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)