From: Edward Adam Davis <eadavis@qq.com>
syzbot reported a bug in afs_put_vlserverlist.
kAFS: bad VL server IP address
BUG: unable to handle page fault for address: fffffffffffffffa
...
Oops: Oops: 0002 [#1] SMP KASAN PTI
...
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:450 [inline]
RIP: 0010:afs_put_vlserverlist+0x3a/0x220 fs/afs/vl_list.c:67
...
Call Trace:
<TASK>
afs_alloc_cell fs/afs/cell.c:218 [inline]
afs_lookup_cell+0x12a5/0x1680 fs/afs/cell.c:264
afs_cell_init+0x17a/0x380 fs/afs/cell.c:386
afs_proc_rootcell_write+0x21f/0x290 fs/afs/proc.c:247
proc_simple_write+0x114/0x1b0 fs/proc/generic.c:825
pde_write fs/proc/inode.c:330 [inline]
proc_reg_write+0x23d/0x330 fs/proc/inode.c:342
vfs_write+0x25c/0x1180 fs/read_write.c:682
ksys_write+0x12a/0x240 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Because afs_parse_text_addrs() parses incorrectly, its return value -EINVAL
is assigned to vllist, which results in -EINVAL being used as the vllist
address when afs_put_vlserverlist() is executed.
Set the vllist value to NULL when a parsing error occurs to avoid this
issue.
Fixes: e2c2cb8ef07a ("afs: Simplify cell record handling")
Reported-by: syzbot+5c042fbab0b292c98fc6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5c042fbab0b292c98fc6
Tested-by: syzbot+5c042fbab0b292c98fc6@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: linux-fsdevel@vger.kernel.org
---
fs/afs/cell.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/afs/cell.c b/fs/afs/cell.c
index 0168bbf53fe0..f31359922e98 100644
--- a/fs/afs/cell.c
+++ b/fs/afs/cell.c
@@ -177,6 +177,7 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net,
VL_SERVICE, AFS_VL_PORT);
if (IS_ERR(vllist)) {
ret = PTR_ERR(vllist);
+ vllist = NULL;
goto parse_failed;
}
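Review bot: the `vllist = NULL;` reset right after `ret = PTR_ERR(vllist);` is the minimal fix for the crash on the parse_failed path, but the reason is left implicit; a one-line comment at the assignment (that parse_failed hands vllist to afs_put_vlserverlist(), which dereferences it for refcount_dec_and_test and so cannot take an ERR_PTR) would keep a later cleanup from dropping the line. Worth considering as a follow-up whether afs_put_vlserverlist() should guard with IS_ERR_OR_NULL() itself, so every caller that reaches a put label with an error pointer is protected rather than this one site.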
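To make the failure mode in the commit message concrete, here is an added userspace model of the ERR_PTR convention the fix relies on. It is not code from the patch or from the kernel tree: the `ERR_PTR`/`PTR_ERR`/`IS_ERR` helpers are re-implemented so the file builds outside the kernel, and `vlserver_list`, `parse_text_addrs()`, `put_vlserverlist()`, `alloc_cell_before()` and `alloc_cell_after()` are stand-ins for the afs structures and functions named in the report, with a constructed parse rule. It shows the pre-patch error path carrying an error pointer into the put function beside the patched path that resets it to NULL first.

```c
/* Added example: userspace model of the ERR_PTR hazard fixed by the patch.
 * Not kernel code; names below are stand-ins for the afs functions. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-implementation of the kernel's <linux/err.h> helpers for userspace. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline bool IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* Stand-in for struct afs_vlserver_list: just a refcount and a server count. */
struct vlserver_list {
	int refcount;
	int nr_servers;
};

/* Stand-in for afs_parse_text_addrs(): a list on success, ERR_PTR on failure.
 * Constructed rule: any 'x' in the text counts as a bad VL server address. */
static struct vlserver_list *parse_text_addrs(const char *text)
{
	if (!text || strchr(text, 'x'))
		return ERR_PTR(-EINVAL);
	struct vlserver_list *l = calloc(1, sizeof(*l));
	if (!l)
		return ERR_PTR(-ENOMEM);
	l->refcount = 1;
	l->nr_servers = 1;
	return l;
}

/* Stand-in for afs_put_vlserverlist(): NULL is tolerated, an error pointer
 * is not. In the kernel the refcount access on the ERR_PTR is the page fault
 * at fffffffffffffffa; here it is reported as -EFAULT instead of crashing. */
static int put_vlserverlist(struct vlserver_list *l)
{
	if (!l)
		return 0;
	if (IS_ERR(l))
		return -EFAULT;
	if (--l->refcount == 0)
		free(l);
	return 0;
}

/* Error path as it was before the patch: vllist still holds the ERR_PTR when
 * control reaches parse_failed, so the put dereferences an error pointer. */
static int alloc_cell_before(const char *addrs)
{
	struct vlserver_list *vllist = parse_text_addrs(addrs);
	int ret = 0;

	if (IS_ERR(vllist)) {
		ret = (int)PTR_ERR(vllist);
		goto parse_failed;
	}
	/* Model only: release our reference instead of attaching it to a cell. */
parse_failed:
	if (put_vlserverlist(vllist) != 0)
		return -EFAULT;	/* models the oops */
	return ret;
}

/* Error path as patched: the error pointer is replaced by NULL before the
 * jump, so the put at parse_failed sees NULL and returns the parse error. */
static int alloc_cell_after(const char *addrs)
{
	struct vlserver_list *vllist = parse_text_addrs(addrs);
	int ret = 0;

	if (IS_ERR(vllist)) {
		ret = (int)PTR_ERR(vllist);
		vllist = NULL;
		goto parse_failed;
	}
parse_failed:
	if (put_vlserverlist(vllist) != 0)
		return -EFAULT;
	return ret;
}

int main(void)
{
	printf("before, good input: %d\n", alloc_cell_before("1.2.3.4"));
	printf("before, bad input:  %d (EFAULT models the oops)\n",
	       alloc_cell_before("1.2.3.x"));
	printf("after,  bad input:  %d (EINVAL returned cleanly)\n",
	       alloc_cell_after("1.2.3.x"));
	return 0;
}
```

The design point the model makes visible is that an ERR_PTR is a valid-looking non-NULL pointer to every check except IS_ERR(); a put routine that only tests for NULL will walk into it, so either the caller clears the variable before jumping to the shared cleanup label (this patch) or the put routine tests IS_ERR_OR_NULL() itself.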
On Mon, 21 Jul 2025 15:26:51 +0100, David Howells wrote:
> syzbot reported a bug in afs_put_vlserverlist.
>
> kAFS: bad VL server IP address
> BUG: unable to handle page fault for address: fffffffffffffffa
> ...
> Oops: Oops: 0002 [#1] SMP KASAN PTI
> ...
> RIP: 0010:refcount_dec_and_test include/linux/refcount.h:450 [inline]
> RIP: 0010:afs_put_vlserverlist+0x3a/0x220 fs/afs/vl_list.c:67
> ...
> Call Trace:
> <TASK>
> afs_alloc_cell fs/afs/cell.c:218 [inline]
> afs_lookup_cell+0x12a5/0x1680 fs/afs/cell.c:264
> afs_cell_init+0x17a/0x380 fs/afs/cell.c:386
> afs_proc_rootcell_write+0x21f/0x290 fs/afs/proc.c:247
> proc_simple_write+0x114/0x1b0 fs/proc/generic.c:825
> pde_write fs/proc/inode.c:330 [inline]
> proc_reg_write+0x23d/0x330 fs/proc/inode.c:342
> vfs_write+0x25c/0x1180 fs/read_write.c:682
> ksys_write+0x12a/0x240 fs/read_write.c:736
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> [...]

Applied to the vfs.fixes branch of the vfs/vfs.git tree. Patches in the vfs.fixes branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase, trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes

[1/1] afs: Set vllist to NULL if addr parsing fails
      https://git.kernel.org/vfs/vfs/c/8b3c655fa240