From: Benjamin LaHaise <ben@communityfibre.ca>
To: Bart Van Assche <bvanassche@acm.org>
Cc: Edward Adam Davis <eadavis@qq.com>,
syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com,
brauner@kernel.org, jack@suse.cz, linux-aio@kvack.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [PATCH] fs/aio: fix uaf in sys_io_cancel
Date: Mon, 4 Mar 2024 13:02:20 -0500
Message-ID: <20240304180220.GR20455@kvack.org>
In-Reply-To: <2587412f-454d-472c-84b3-d7b9776a105a@acm.org>

On Mon, Mar 04, 2024 at 09:58:37AM -0800, Bart Van Assche wrote:
> On 3/4/24 09:47, Benjamin LaHaise wrote:
> >On Mon, Mar 04, 2024 at 09:40:35AM -0800, Bart Van Assche wrote:
> >>On 3/4/24 09:31, Benjamin LaHaise wrote:
> >>>A revert is justified when a series of patches is buggy and had
> >>>insufficient review prior to merging.
> >>
> >>That's not how Linux kernel development works. If a bug can get fixed
> >>easily, a fix is preferred instead of reverting + reapplying a patch.
> >
> >Your original "fix" is not right, and it wasn't properly tested. Commit
> >54cbc058d86beca3515c994039b5c0f0a34f53dd needs to be reverted.
>
> As I explained before, the above reply is not sufficiently detailed to
> motivate a revert.
You have introduced a use-after-free. You have not corrected the
underlying cause of that use-after-free.
Once you call ->ki_cancel(), you can't touch the kiocb. The call into
->ki_cancel() can result in a subsequent aio_complete() happening on that
kiocb. Your change is wrong, your "fix" is wrong, and you are refusing to
understand *why* your change was wrong in the first place.
You haven't even given me a test case justifying your change. You need to
justify your change to the maintainer, not the other way around.
Revert 54cbc058d86beca3515c994039b5c0f0a34f53dd and the problem goes away.
-ben
> Bart.
>
--
"Thought is the essence of where you are now."
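A userspace C model of the lifetime rule stated in the reply above: once ->ki_cancel() has been called, the caller must not touch the kiocb, because the callback may complete (and thereby free) the request before it returns. This is an added example, not code from fs/aio.c or from anyone in this thread. The struct req, its field names, the poison flag that stands in for freeing, and the two cancel callbacks are assumptions made for the model; the kernel's actual locking and reference counting are not reproduced here.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Userspace model of an aio request (assumed layout, not the kernel's). */
struct req {
    uint64_t obj;                    /* models ki_res.obj: the user's iocb address */
    int refcnt;                      /* models the request's reference count */
    int (*ki_cancel)(struct req *);  /* models ->ki_cancel */
    bool live;                       /* false once the request has been "freed" */
};

static struct req *req_alloc(uint64_t obj, int (*cancel)(struct req *))
{
    struct req *r = calloc(1, sizeof *r);
    if (!r)
        abort();
    r->obj = obj;
    r->refcnt = 1;
    r->ki_cancel = cancel;
    r->live = true;
    return r;
}

/* Models the last put completing and destroying the request. The object is
 * poisoned instead of free()d so the model can observe a stale access; in the
 * kernel that same access is what KASAN reports as a slab-use-after-free.
 * The caller releases the model's memory itself once the test is done. */
static void req_put(struct req *r)
{
    if (--r->refcnt == 0)
        r->live = false;
}

/* Cancel callback that completes the request before returning. After this
 * returns, the caller's pointer is dangling. */
static int cancel_completes_immediately(struct req *r)
{
    req_put(r);
    return 0;
}

/* Cancel callback that only initiates cancellation; completion arrives later
 * from another context, so the caller's pointer is still valid on return. */
static int cancel_deferred(struct req *r)
{
    (void)r;
    return -EINPROGRESS;
}

/* Wrong: reads the request after ->ki_cancel() returned. Returns true when
 * that read hit a dead object. With cancel_deferred() the bug is silent,
 * which is why a test whose cancel never completes synchronously misses it. */
static bool io_cancel_buggy(struct req *r, uint64_t *obj_out)
{
    r->ki_cancel(r);
    *obj_out = r->obj;               /* use-after-free if cancel completed r */
    return !r->live;
}

/* Following the rule: everything needed from the request is read before the
 * callback and nothing touches it afterwards. Returns the callback's result. */
static int io_cancel_by_the_rule(struct req *r, uint64_t *obj_out)
{
    int (*cancel)(struct req *) = r->ki_cancel;
    *obj_out = r->obj;
    return cancel(r);                /* r must be treated as gone from here on */
}

int main(void)
{
    uint64_t obj;
    struct req *a = req_alloc(0x1000, cancel_completes_immediately);
    bool stale = io_cancel_buggy(a, &obj);          /* true: touched a dead object */
    struct req *b = req_alloc(0x2000, cancel_completes_immediately);
    int ret = io_cancel_by_the_rule(b, &obj);       /* 0, obj == 0x2000, b untouched after */
    free(a);
    free(b);
    return (stale && ret == 0 && obj == 0x2000) ? 0 : 1;
}
```

The pairing of callbacks is the point: the same buggy caller passes with cancel_deferred() and fails with cancel_completes_immediately(), so a test that exercises only the deferred path says nothing about the rule.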
2024-03-03 7:29 [syzbot] [fs?] KASAN: slab-use-after-free Read in sys_io_cancel syzbot
2024-03-03 9:53 ` Edward Adam Davis
2024-03-03 10:22 ` syzbot
2024-03-03 11:33 ` Edward Adam Davis
2024-03-03 11:50 ` syzbot
2024-03-03 12:21 ` [PATCH] fs/aio: fix uaf " Edward Adam Davis
2024-03-04 16:15 ` Bart Van Assche
2024-03-04 17:03 ` Benjamin LaHaise
2024-03-04 17:15 ` Bart Van Assche
2024-03-04 17:31 ` Benjamin LaHaise
2024-03-04 17:40 ` Bart Van Assche
2024-03-04 17:47 ` Benjamin LaHaise
2024-03-04 17:58 ` Bart Van Assche
2024-03-04 18:02 ` Benjamin LaHaise [this message]
2024-03-04 10:44 ` [syzbot] [fs?] KASAN: slab-use-after-free Read " Hillf Danton
2024-03-04 13:33 ` syzbot
2024-03-04 14:07 ` Hillf Danton
2024-03-04 14:57 ` syzbot