Re: [syzbot] Re: [syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)

From: syzbot
Date: Mon Jun 03 2024 - 02:19:54 EST

Next message: Chengming Zhou: "Re: [PATCH 0/3] mm: zswap: trivial folio conversions"
Previous message: Jingbo Xu: "[HELP] FUSE writeback performance bottleneck"
In reply to: syzbot: "Re: [syzbot] Re: [syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)"
Next in thread: syzbot: "Re: [syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.

***

Subject: Re: [syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)
Author: nightu.pwn@xxxxxxxxx

please test file uaf in udmabuf_create

#syz test

---
drivers/dma-buf/udmabuf.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
index afa8bfd2a2a9..53035c601e92 100644
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -382,6 +382,7 @@ static long udmabuf_create(struct miscdevice *device,

kfree(folios);
fput(memfd);
+ memfd = NULL;
}

flags = head->flags & UDMABUF_FLAGS_CLOEXEC ? O_CLOEXEC : 0;
--

Next message: Chengming Zhou: "Re: [PATCH 0/3] mm: zswap: trivial folio conversions"
Previous message: Jingbo Xu: "[HELP] FUSE writeback performance bottleneck"
In reply to: syzbot: "Re: [syzbot] Re: [syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)"
Next in thread: syzbot: "Re: [syzbot] [squashfs?] VFS: Close: file count is zero (use-after-free)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]