gfs2: Don't clear sb->s_fs_info in gfs2_sys_fs_add
authorAndrew Price <anprice@redhat.com>
Wed, 28 May 2025 15:02:37 +0000 (16:02 +0100)
committerAndreas Gruenbacher <agruenba@redhat.com>
Fri, 30 May 2025 17:20:20 +0000 (19:20 +0200)
When gfs2_sys_fs_add() fails, it sets sb->s_fs_info to NULL on its error
path (see commit 0d515210b696 ("GFS2: Add kobject release method")).
The intention seems to be to prevent dereferencing sb->s_fs_info once
the object pointed to has been deallocated, but that would be better
achieved by setting the pointer to NULL in free_sbd().

As a consequence, when the call to gfs2_sys_fs_add() fails in
gfs2_fill_super(), sdp = GFS2_SB(inode) will evaluate to NULL in iput()
-> gfs2_drop_inode(), and accessing sdp->sd_flags will be a NULL pointer
dereference.

Fix that by only setting sb->s_fs_info to NULL when actually freeing the
object pointed to in free_sbd().

Fixes: ae9f3bd8259a ("gfs2: replace sd_aspace with sd_inode")
Reported-by: syzbot+b12826218502df019f9d@syzkaller.appspotmail.com
Signed-off-by: Andrew Price <anprice@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
fs/gfs2/ops_fstype.c
fs/gfs2/sys.c

index 653f0ff4b0571f52f88b79b2d14238504764071a..85c491fcf1a3669d71d71837e2f38cbeca033f91 100644 (file)
@@ -64,7 +64,10 @@ static void gfs2_tune_init(struct gfs2_tune *gt)
 
 void free_sbd(struct gfs2_sbd *sdp)
 {
+       struct super_block *sb = sdp->sd_vfs;
+
        free_percpu(sdp->sd_lkstats);
+       sb->s_fs_info = NULL;
        kfree(sdp);
 }
 
@@ -1314,7 +1317,6 @@ fail_iput:
        iput(sdp->sd_inode);
 fail_free:
        free_sbd(sdp);
-       sb->s_fs_info = NULL;
        return error;
 }
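Review bot: free_sbd() now dereferences sdp->sd_vfs unconditionally on its first line, so it is only safe if every path that can reach free_sbd() has already assigned sd_vfs; that presumably happens right after the allocation in init_sbd(), but it is not visible in this hunk and is worth confirming for the early init_sbd() failure path. The ordering itself looks right, since s_fs_info is cleared before kfree(sdp) and the only remaining consumer in the fail_free hunk below is the return, but the new contract deserves a comment because free_sbd() is called from more than one place: `/* Frees sdp and clears sb->s_fs_info; GFS2_SB(sb) must not be used after this returns. */`. The fail_free hunk belongs to gfs2_fill_super(), whose body starts outside the hunk.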
 
index 748125653d6c2df64a23dcaec18b916243d71e41..c3c8842920d247bbd5a2bc68c4a68b262509ba52 100644 (file)
@@ -764,7 +764,6 @@ fail_reg:
        fs_err(sdp, "error %d adding sysfs files\n", error);
        kobject_put(&sdp->sd_kobj);
        wait_for_completion(&sdp->sd_kobj_unregister);
-       sb->s_fs_info = NULL;
        return error;
 }