From: David Howells
To: Christian Brauner
cc: dhowells@redhat.com, Lizhi Xu, Marc Dionne, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: [PATCH] afs: Fix merge preference rule failure condition
Date: Tue, 07 Jan 2025 14:52:32 +0000
Message-ID: <529850.1736261552@warthog.procyon.org.uk>

syzbot reported a lock held when returning to userspace[1]. This is because if argc is less than 0 and the function returns directly, the held inode lock is not released.

Fix this by storing the error in ret and jumping to done to clean up instead of returning directly.

[dh: Modified Lizhi Xu's original patch to make it honour the error code from afs_split_string()]

[1]
WARNING: lock held when returning to user space!
6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted
Reported-by: syzbot+76f33569875eb708e575@syzkaller.appspotmail.com
Tested-by: syzbot+76f33569875eb708e575@syzkaller.appspotmail.com
------------------------------------------------
syz-executor133/5823 is leaving the kernel with locks still held!
1 lock held by syz-executor133/5823:
 #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
 #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388

Reported-by: syzbot+76f33569875eb708e575@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=76f33569875eb708e575
Signed-off-by: Lizhi Xu
Signed-off-by: David Howells
Tested-by: syzbot+76f33569875eb708e575@syzkaller.appspotmail.com
cc: Marc Dionne
cc: linux-afs@lists.infradead.org
Link: https://lore.kernel.org/r/20241226012616.2348907-1-lizhi.xu@windriver.com/
---
diff --git a/fs/afs/addr_prefs.c b/fs/afs/addr_prefs.c index a189ff8a5034..c0384201b8fe 100644 --- a/fs/afs/addr_prefs.c +++ b/fs/afs/addr_prefs.c @@ -413,8 +413,10 @@ int afs_proc_addr_prefs_write(struct file *file, char = *buf, size_t size) =20 do { argc =3D afs_split_string(&buf, argv, ARRAY_SIZE(argv)); - if (argc < 0) - return argc; + if (argc < 0) { + ret =3D argc; + goto done; + } if (argc < 2) goto inval; =20
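
Review bot: in the `argc < 0` branch, `ret = argc; goto done;` is only correct if the `done` label both releases the inode lock that the lockdep report places at fs/afs/addr_prefs.c:388 and returns `ret`; that label lies outside this hunk's context, so it should be confirmed, together with a check that no other bare `return` remains between the lock acquisition and `done`. The trailers carry no Fixes: tag naming the commit that introduced the direct return, which would help stable backports, and the subject line ("merge preference rule failure condition") does not mention the leaked lock that the message and the hunk are about.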