https://source.android.com/security/bulletin/2021-11-01
CVE-2021-0920
CVE-2021-0924
CVE-2021-0929
ANDROID: Incremental fs: Fix dentry get/put imbalance on vfs_mkdir() failure
Syz{bot,kaller} reports[0]:
BUG: Dentry ffff888119d8a000{i=0,n=.index} still in use (1) [unmount of ramfs ramfs]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 367 at fs/dcache.c:1616 umount_check+0x18d/0x1d0 fs/dcache.c:1607
Modules linked in:
CPU: 0 PID: 367 Comm: syz-executor388 Not tainted 5.10.75-syzkaller-01082-g234d53d2bb60 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:umount_check+0x18d/0x1d0 fs/dcache.c:1607
Code: 8b 0b 49 81 c6 f8 03 00 00 48 c7 c7 00 40 2e 85 4c 89 e6 48 8b 55 d0 4c 89 e1 45 89 f8 31 c0 41 56 e8 ae d9 9e ff 48 83 c4 08 <0f> 0b e9 f1 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c c9 fe ff
RSP: 0018:ffffc9000096f770 EFLAGS: 00010292
RAX: 0000000000000055 RBX: ffffffff866af200 RCX: 1ad6b89836e5b500
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
RBP: ffffc9000096f7a0 R08: ffffffff81545368 R09: 0000000000000003
R10: fffff5200012de41 R11: 0000000000000004 R12: ffff888119d8a000
R13: dffffc0000000000 R14: ffff88811d7373f8 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f01b7bddb68 CR3: 000000010c4f0000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
d_walk+0x309/0x540 fs/dcache.c:1326
do_one_tree fs/dcache.c:1623 [inline]
shrink_dcache_for_umount+0x8e/0x1b0 fs/dcache.c:1639
generic_shutdown_super+0x66/0x2c0 fs/super.c:447
kill_anon_super fs/super.c:1108 [inline]
kill_litter_super+0x75/0xa0 fs/super.c:1117
ramfs_kill_sb+0x44/0x50 fs/ramfs/inode.c:270
deactivate_locked_super+0xb0/0x100 fs/super.c:335
deactivate_super+0xa5/0xd0 fs/super.c:366
cleanup_mnt+0x45f/0x510 fs/namespace.c:1118
__cleanup_mnt+0x19/0x20 fs/namespace.c:1125
task_work_run+0x147/0x1b0 kernel/task_work.c:154
exit_task_work include/linux/task_work.h:30 [inline]
do_exit+0x70e/0x23a0 kernel/exit.c:813
do_group_exit+0x16a/0x2d0 kernel/exit.c:910
get_signal+0x133e/0x1f80 kernel/signal.c:2790
arch_do_signal+0x8d/0x620 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop kernel/entry/common.c:161 [inline]
exit_to_user_mode_prepare+0xaa/0xe0 kernel/entry/common.c:191
syscall_exit_to_user_mode+0x24/0x40 kernel/entry/common.c:266
do_syscall_64+0x3d/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f01b7b884f9
Code: Unable to access opcode bytes at RIP 0x7f01b7b884cf.
RSP: 002b:00007f01b7b19308 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f01b7c103f8 RCX: 00007f
Which was due to a missing dput() before returning from a vfs_mkdir() failure.
Bug: 203827798
Link: [0] https://syzkaller.appspot.com/bug?extid=81b5ca9b2848f4dad8fa
Reported-by: syzbot+81b5ca9b2848f4dad8fa@syzkaller.appspotmail.com
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: Iaef9aa0aecc964645aaca5fe8d79388ae28527bd
1 file changed
