From: syzbot <syzbot+d7c7a495a5e466c031b6@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [v9fs?] KASAN: slab-use-after-free Read in p9_fid_destroy
Date: Sat, 18 May 2024 05:01:04 -0700 [thread overview]
Message-ID: <000000000000022f9c0618b9391e@google.com> (raw)
In-Reply-To: <20240518114105.1730-1-hdanton@sina.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: refcount bug in p9_req_put
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 90 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 90 Comm: kworker/u32:4 Not tainted 6.9.0-syzkaller-08284-gea5f6ad9ad96-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: events_unbound netfs_write_collection_worker
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 98 2d 0d fd 84 db 0f 85 66 ff ff ff e8 0b 33 0d fd c6 05 97 cc 4c 0b 01 90 48 c7 c7 00 24 8f 8b e8 f7 47 cf fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 e8 32 0d fd 0f b6 1d 72 cc 4c 0b 31
RSP: 0018:ffffc9000163f830 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff814ff319
RDX: ffff88801c180000 RSI: ffffffff814ff326 RDI: 0000000000000001
RBP: ffff8880127f4bb8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000002 R12: ffff8880127f4bb0
R13: ffff8880127f4bb8 R14: ffff88802ad24400 R15: 00000000ffffffea
FS: 0000000000000000(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 000000002c226000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__refcount_sub_and_test include/linux/refcount.h:275 [inline]
__refcount_dec_and_test include/linux/refcount.h:307 [inline]
refcount_dec_and_test include/linux/refcount.h:325 [inline]
p9_req_put+0x1f4/0x250 net/9p/client.c:402
p9_client_rpc+0x591/0xc10 net/9p/client.c:759
p9_client_clunk+0x93/0x170 net/9p/client.c:1450
p9_fid_put include/net/9p/client.h:280 [inline]
v9fs_free_request+0xdc/0x110 fs/9p/vfs_addr.c:138
netfs_free_request+0x22c/0x690 fs/netfs/objects.c:133
netfs_put_request+0x19b/0x1f0 fs/netfs/objects.c:165
netfs_write_collection_worker+0x19d0/0x59e0 fs/netfs/write_collect.c:701
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Tested on:
commit: ea5f6ad9 Merge tag 'platform-drivers-x86-v6.10-1' of g..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16c7da34980000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1cd4092753f97c5
dashboard link: https://syzkaller.appspot.com/bug?extid=d7c7a495a5e466c031b6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1097adf0980000
next prev parent reply other threads:[~2024-05-18 12:01 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-07 8:14 [syzbot] [v9fs?] KASAN: slab-use-after-free Read in p9_fid_destroy syzbot
2024-05-17 11:31 ` syzbot
2024-05-17 23:59 ` Hillf Danton
2024-05-18 0:20 ` syzbot
2024-05-18 1:33 ` Hillf Danton
2024-05-18 1:58 ` syzbot
2024-05-18 11:41 ` Hillf Danton
2024-05-18 12:01 ` syzbot [this message]
2024-05-18 13:32 ` Hillf Danton
2024-05-18 13:55 ` syzbot
2024-05-18 23:08 ` Hillf Danton
2024-05-18 23:30 ` syzbot
2024-05-19 0:14 ` Hillf Danton
2024-05-19 0:39 ` syzbot
2024-05-22 23:19 ` Hillf Danton
2024-05-22 23:44 ` syzbot
2024-05-23 14:37 ` David Howells
2024-05-23 15:04 ` syzbot
2024-05-23 16:46 ` asmadeus
2024-05-23 18:07 ` David Howells
2024-05-23 20:57 ` asmadeus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000022f9c0618b9391e@google.com \
--to=syzbot+d7c7a495a5e466c031b6@syzkaller.appspotmail.com \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.