From: syzbot <syzbot+2d0585e5efcd43d113c2@syzkaller.appspotmail.com>
To: dhowells@redhat.com, linux-cachefs@redhat.com,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in fscache_alloc_cookie
Date: Tue, 13 Oct 2020 16:22:10 -0700
Message-ID: <00000000000025a54905b195af3d@google.com>
In-Reply-To: <157941.1602619974@warthog.procyon.org.uk>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: proc registration bug in afs_manage_cell_work

------------[ cut here ]------------
proc_dir_entry 'afs/^]$[+%]0${' already registered
WARNING: CPU: 0 PID: 8309 at fs/proc/generic.c:371 proc_register+0x34c/0x700 fs/proc/generic.c:371
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 8309 Comm: kworker/0:4 Not tainted 5.9.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: afs afs_manage_cell_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 panic+0x382/0x7fb kernel/panic.c:231
 __warn.cold+0x20/0x4b kernel/panic.c:600
 report_bug+0x1bd/0x210 lib/bug.c:198
 handle_bug+0x38/0x90 arch/x86/kernel/traps.c:234
 exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:proc_register+0x34c/0x700 fs/proc/generic.c:371
Code: df 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 5d 03 00 00 48 8b 44 24 28 48 c7 c7 a0 62 9a 88 48 8b b0 d8 00 00 00 e8 46 03 5d ff <0f> 0b 48 c7 c7 e0 f6 1e 8a e8 36 df 3d 06 48 8b 4c 24 38 48 b8 00
RSP: 0018:ffffc90009dffac8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880923a4480 RSI: ffffffff815f5a55 RDI: fffff520013bff4b
RBP: ffff888088829b88 R08: 0000000000000001 R09: ffff8880ae4318e7
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880904699d8
R13: ffff8880931d3340 R14: dffffc0000000000 R15: 000000000000000a
 proc_mkdir_data+0x140/0x1a0 fs/proc/generic.c:487
 proc_net_mkdir include/linux/proc_fs.h:201 [inline]
 afs_proc_cell_setup+0xb2/0x1f0 fs/afs/proc.c:619
 afs_activate_cell fs/afs/cell.c:684 [inline]
 afs_manage_cell fs/afs/cell.c:768 [inline]
 afs_manage_cell_work+0x5b7/0x11c0 fs/afs/cell.c:832
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit:         f8eb8d1c afs: Add tracing for cell refcount and active use..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1414b0d8500000
kernel config:  https://syzkaller.appspot.com/x/.config?x=302928762dfb5528
dashboard link: https://syzkaller.appspot.com/bug?extid=2d0585e5efcd43d113c2
compiler:       gcc (GCC) 10.1.0-syz 20200507


Thread overview: 4+ messages
2020-09-25  8:57 KASAN: use-after-free Read in fscache_alloc_cookie syzbot
2020-10-11 12:28 ` syzbot
2020-10-13 20:12 ` David Howells
2020-10-13 23:22   ` syzbot [this message]
