Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()

[PATCH v3 00/50] tree-in-dcache stuff · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 24/50] convert ibmasmfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 13/50] convert hugetlbfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 25/50] ibmasmfs: get rid of ibmasmfs_dir_ops · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 14/50] convert mqueue · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 02/50] tracefs: fix a leak in eventfs_create_events_dir() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 05/50] introduce a flag for explicitly marking persistently pinned dentries · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 08/50] convert ramfs and tmpfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 21/50] debugfs: remove duplicate checks in callers of start_creating() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 17/50] convert fuse_ctl · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 17/50] convert fuse_ctl · Miklos Szeredi <miklos@szeredi.hu> · 2025-11-11
[PATCH v3 19/50] convert tracefs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 01/50] fuse_ctl_add_conn(): fix nlink breakage in case of early failure · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 01/50] fuse_ctl_add_conn(): fix nlink breakage in case of early failure · Miklos Szeredi <miklos@szeredi.hu> · 2025-11-11
[PATCH v3 12/50] convert smackfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 04/50] new helper: simple_done_creating() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 22/50] convert efivarfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 09/50] procfs: make /self and /thread_self dentries persistent · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 10/50] configfs, securityfs: kill_litter_super() not needed · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 16/50] convert dlmfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 18/50] convert pstore · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 15/50] convert bpf · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 28/50] binderfs_binder_ctl_create(): kill a bogus check · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 30/50] autofs_{rmdir,unlink}: dentry->d_fsdata->dentry == dentry there · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 27/50] binderfs: use simple_start_creating() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 23/50] convert spufs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 06/50] primitives for maintaining persisitency · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 03/50] new helper: simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 03/50] new helper: simple_remove_by_name() · Miklos Szeredi <miklos@szeredi.hu> · 2025-11-11
[PATCH v3 11/50] convert xenfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 20/50] convert debugfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 26/50] convert devpts · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 07/50] convert simple_{link,unlink,rmdir,rename,fill_super}() to new primitives · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 32/50] convert binfmt_misc · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 29/50] convert binderfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 31/50] convert autofs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 33/50] selinuxfs: don't stash the dentry of /policy_capabilities · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · bot+bpf-ci@kernel.org · 2025-11-11
Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree · Chris Mason <hidden> · 2025-11-12
[PATCH v3 35/50] convert selinuxfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 39/50] convert gadgetfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · bot+bpf-ci@kernel.org · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Christian Brauner <brauner@kernel.org> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Chris Mason <hidden> · 2025-11-11
Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() · Chris Mason <hidden> · 2025-11-12
[functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-13
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2025-11-13
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Chris Mason <hidden> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Christian Brauner <brauner@kernel.org> · 2025-11-14
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2025-11-15
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-16
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 1/4] functionfs: don't abuse ffs_data_closed() on fs shutdown · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 2/4] functionfs: don't bother with ffs->ref in ffs_data_{opened,closed}() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 3/4] functionfs: need to cancel ->reset_work in ->kill_sb() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
[PATCH 4/4] functionfs: fix the open/removal races · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-17
Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2025-11-18
[PATCH v3 37/50] convert functionfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 38/50] gadgetfs: switch to simple_remove_by_name() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 40/50] hypfs: don't pin dentries twice · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 41/50] hypfs: switch hypfs_create_str() to returning int · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 43/50] convert hypfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 42/50] hypfs: swich hypfs_create_u64() to returning int · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 44/50] convert rpc_pipefs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 45/50] convert nfsctl · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 46/50] convert rust_binderfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 47/50] get rid of kill_litter_super() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 48/50] convert securityfs · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 49/50] kill securityfs_recursive_remove() · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11
[PATCH v3 50/50] d_make_discardable(): warn if given a non-persistent dentry · Al Viro <viro@zeniv.linux.org.uk> · 2025-11-11

From: bot+bpf-ci@kernel.org
Date: 2025-11-11 07:53:17
Also in: bpf, linux-efi, linux-fsdevel, linux-mm, linux-usb, ocfs2-devel, selinux

quoted hunk ↗ jump to hunk

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 47cfbe41f..43dcd39b7 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c

[ ... ]

quoted hunk ↗ jump to hunk

@@ -2323,6 +2316,7 @@ static int ffs_epfiles_create(struct ffs_data *ffs)
 {
 	struct ffs_epfile *epfile, *epfiles;
 	unsigned i, count;
+	int err;

 	count = ffs->eps_count;
 	epfiles = kcalloc(count, sizeof(*epfiles), GFP_KERNEL);
@@ -2339,12 +2333,11 @@ static int ffs_epfiles_create(struct ffs_data *ffs)
 			sprintf(epfile->name, "ep%02x", ffs->eps_addrmap[i]);
 		else
 			sprintf(epfile->name, "ep%u", i);
-		epfile->dentry = ffs_sb_create_file(ffs->sb, epfile->name,
-						 epfile,
-						 &ffs_epfile_operations);
-		if (!epfile->dentry) {
+		err = ffs_sb_create_file(ffs->sb, epfile->name,
+					 epfile, &ffs_epfile_operations);
+		if (err) {
 			ffs_epfiles_destroy(epfiles, i - 1);
-			return -ENOMEM;
+			return err;
 		}
 	}
@@ -2355,13 +2348,11 @@ static int ffs_epfiles_create(struct ffs_data *ffs)
 static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
 {
 	struct ffs_epfile *epfile = epfiles;
+	struct dentry *root = epfile->ffs->sb->s_root;

Can this dereference uninitialized memory in ffs_epfiles_destroy()?

When ffs_epfiles_create() calls ffs_epfiles_destroy(epfiles, i - 1) after
the first ffs_sb_create_file() call fails (when i=1), it passes count=0.
The initialization loop starts at i=1, so epfiles[0].ffs is never
initialized. The kcalloc() zeros the memory, making epfiles[0].ffs NULL.

The new code unconditionally dereferences epfile->ffs->sb->s_root before
the loop, causing a NULL pointer dereference when count=0. The old code
was safe because the dereference only happened inside the loop.

 	for (; count; --count, ++epfile) {
 		BUG_ON(mutex_is_locked(&epfile->mutex));
-		if (epfile->dentry) {
-			simple_recursive_removal(epfile->dentry, NULL);
-			epfile->dentry = NULL;
-		}
+		simple_remove_by_name(root, epfile->name, NULL);
 	}

 	kfree(epfiles);


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19257803162

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help