All of lore.kernel.org
 help / color / mirror / Atom feed
From: asmadeus@codewreck.org
To: Christian Schoenebeck <linux_oss@crudebyte.com>
Cc: syzbot <syzbot+de52531662ebb8823b26@syzkaller.appspotmail.com>,
	davem@davemloft.net, edumazet@google.com, ericvh@gmail.com,
	kuba@kernel.org, linux-kernel@vger.kernel.org, lucho@ionkov.net,
	netdev@vger.kernel.org, pabeni@redhat.com,
	syzkaller-bugs@googlegroups.com,
	v9fs-developer@lists.sourceforge.net
Subject: Re: [syzbot] KASAN: use-after-free Read in p9_req_put
Date: Fri, 19 Aug 2022 05:23:36 +0900	[thread overview]
Message-ID: <Yv6fyMxHq1CI5iZf@codewreck.org> (raw)
In-Reply-To: <2207113.SgyDDyVIbp@silver>

Christian Schoenebeck wrote on Thu, Aug 18, 2022 at 05:12:17PM +0200:
> > @@ -997,12 +997,8 @@ struct p9_client *p9_client_create(const char
> > *dev_name, char *options)
> > 
> >  	return clnt;
> > 
> > -close_trans:
> > -	clnt->trans_mod->close(clnt);
> > -put_trans:
> > -	v9fs_put_trans(clnt->trans_mod);
> > -free_client:
> > -	kfree(clnt);
> > +out:
> > +	p9_client_destroy(clnt);
> >  	return ERR_PTR(err);
> >  }
> >  EXPORT_SYMBOL(p9_client_create);
> 
> Looks like a nice reduction to me!
> 
> As p9_client_destroy() is doing a bit more than current code, I would probably 
> additionally do s/kmalloc/kzmalloc/ at the start of the function, which would 
> add more safety & reduction.

Good point, I checked the variables p9_client_destroy cares about get
initialized but kzalloc is safer, let's switch that as well.
> > diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
> > index e758978b44be..60fcc6b30b46 100644
> > --- a/net/9p/trans_fd.c
> > +++ b/net/9p/trans_fd.c
> > @@ -205,6 +205,8 @@ static void p9_conn_cancel(struct p9_conn *m, int err)
> >  		list_move(&req->req_list, &cancel_list);
> >  	}
> > 
> > +	spin_unlock(&m->client->lock);
> > +
> >  	list_for_each_entry_safe(req, rtmp, &cancel_list, req_list) {
> >  		p9_debug(P9_DEBUG_ERROR, "call back req %p\n", req);
> >  		list_del(&req->req_list);
> > @@ -212,7 +214,6 @@ static void p9_conn_cancel(struct p9_conn *m, int err)
> >  			req->t_err = err;
> >  		p9_client_cb(m->client, req, REQ_STATUS_ERROR);
> >  	}
> > -	spin_unlock(&m->client->lock);
> >  }
> 
> Are you sure that would resolve that (other) syzbot report? I just had a 
> glimpse at it yet, but I don't see this list iteration portion being involved 
> in the backtrace provided by the report, is it?

It won't fix the inconsistent locking ones, but should take care of
http://lkml.kernel.org/r/000000000000cad57405e5b5dbb7@google.com

ffff888026be2c18 (&clnt->lock){+.+.}-{2:2}, at: p9_conn_cancel+0xaa/0x970 net/9p/trans_fd.c:192
holding the lock in that function, calling
p9_client_cb itself calling p9_req_put and locking again when refcount
hits 0.

And that one has a reproducer, so syzbot will confirm if it helps when I
get around to pushing it (probably this weekend) :)

--
Dominique

  reply	other threads:[~2022-08-18 20:24 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-17  5:36 [syzbot] KASAN: use-after-free Read in p9_req_put syzbot
2022-08-17  5:59 ` asmadeus
2022-08-18 15:12   ` Christian Schoenebeck
2022-08-18 20:23     ` asmadeus [this message]
2022-09-04  6:39 ` [PATCH 1/2] 9p: p9_client_create: use p9_client_destroy on failure Dominique Martinet
2022-09-04 16:31   ` Christian Schoenebeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Yv6fyMxHq1CI5iZf@codewreck.org \
    --to=asmadeus@codewreck.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=ericvh@gmail.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux_oss@crudebyte.com \
    --cc=lucho@ionkov.net \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=syzbot+de52531662ebb8823b26@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=v9fs-developer@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.