summaryrefslogtreecommitdiff
path: root/lib/mpi/mpih-div.c
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2020-11-01 07:40:21 +0300
committerAl Viro <viro@zeniv.linux.org.uk>2020-12-11 01:33:17 +0300
commitedf7ddbf1c5eb98b720b063b73e20e8a4a1ce673 (patch)
tree5321f8cfe08651844642d27d217b012701f0dbc3 /lib/mpi/mpih-div.c
parentb65054597872ce3aefbc6a666385eabdf9e288da (diff)
downloadlinux-edf7ddbf1c5eb98b720b063b73e20e8a4a1ce673.tar.xz
fs/namespace.c: WARN if mnt_count has become negative
Missing calls to mntget() (or equivalently, too many calls to mntput()) are hard to detect because mntput() delays freeing mounts using task_work_add(), then again using call_rcu(). As a result, mnt_count can often be decremented to -1 without getting a KASAN use-after-free report. Such cases are still bugs though, and they point to real use-after-frees being possible. For an example of this, see the bug fixed by commit 1b0b9cc8d379 ("vfs: fsmount: add missing mntget()"), discussed at https://lkml.kernel.org/linux-fsdevel/20190605135401.GB30925@xxxxxxxxxxxxxxxxxxxxxxxxx/T/#u. This bug *should* have been trivial to find. But actually, it wasn't found until syzkaller happened to use fchdir() to manipulate the reference count just right for the bug to be noticeable. Address this by making mntput_no_expire() issue a WARN if mnt_count has become negative. Suggested-by: Miklos Szeredi <miklos@szeredi.hu> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'lib/mpi/mpih-div.c')
0 files changed, 0 insertions, 0 deletions