On Tue, Jan 18, 2022 at 04:52:00PM -0800, Samuel Mendoza-Jonas wrote:
From: Miklos Szeredi mszeredi@redhat.com
commit 5d069dbe8aaf2a197142558b6fb2978189ba3454 upstream.
Jan Kara's analysis of the syzbot report (edited):
The reproducer opens a directory on FUSE filesystem, it then attaches dnotify mark to the open directory. After that a fuse_do_getattr() call finds that attributes returned by the server are inconsistent, and calls make_bad_inode() which, among other things does:
inode->i_mode = S_IFREG;This then confuses dnotify which doesn't tear down its structures properly and eventually crashes.
Avoid calling make_bad_inode() on a live inode: switch to a private flag on the fuse inode. Also add the test to ops which the bad_inode_ops would have caught.
This bug goes back to the initial merge of fuse in 2.6.14...
Reported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com Signed-off-by: Miklos Szeredi mszeredi@redhat.com Tested-by: Jan Kara jack@suse.cz Cc: stable@vger.kernel.org [adjusted for missing fs/fuse/readdir.c and changes in fuse_evict_inode() in 4.14] Signed-off-by: Samuel Mendoza-Jonas samjonas@amazon.com
What about 4.19.y, will this work there as well? We need it for that kernel before we can take it into 4.14.y.
Also what about 4.4.y and 4.9.y?
thanks,
greg k-h