From: Benjamin LaHaise <ben@communityfibre.ca>
To: Bart Van Assche <bvanassche@acm.org>
Cc: Edward Adam Davis <eadavis@qq.com>,
syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com,
brauner@kernel.org, jack@suse.cz, linux-aio@kvack.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [PATCH] fs/aio: fix uaf in sys_io_cancel
Date: Mon, 4 Mar 2024 12:31:20 -0500 [thread overview]
Message-ID: <20240304173120.GP20455@kvack.org> (raw)
In-Reply-To: <73949a4d-6087-4d8c-bae0-cda60e733442@acm.org>
On Mon, Mar 04, 2024 at 09:15:47AM -0800, Bart Van Assche wrote:
> On 3/4/24 09:03, Benjamin LaHaise wrote:
> >This is just so wrong there aren't even words to describe it. I
> >recommending reverting all of Bart's patches since they were not reviewed
> >by anyone with a sufficient level of familiarity with fs/aio.c to get it
> >right.
>
> Where were you while my patches were posted for review on the fsdevel
> mailing list and before these were sent to Linus?
That doesn't negate the need for someone with experience in a given
subsystem to sign off on the patches. There are at least 2 other people I
would trust to properly review these patches, and none of their signoffs
are present either.
> A revert request should include a detailed explanation of why the revert
> should happen. Just claiming that something is wrong is not sufficient
> to motivate a revert.
A revert is justified when a series of patches is buggy and had
insufficient review prior to merging. Mainline is not the place to be
testing half baked changes. Getting cancellation semantics and locking
right is *VERY HARD*, and the results of getting it wrong are very subtle
and user exploitable. Using the "a kernel warning hit" approach for work
on cancellation is very much a sign that the patches were half baked.
What testing did you do on your patch series? The commit messages show
nothing of interest regarding testing. Why are you touching the kiocb
after ownership has already been passed on to another entity? This is as
bad as touching memory that has been freed. You clearly do not understand
how that code works.
-ben
--
"Thought is the essence of where you are now."
next prev parent reply other threads:[~2024-03-04 17:31 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-03 7:29 [syzbot] [fs?] KASAN: slab-use-after-free Read in sys_io_cancel syzbot
2024-03-03 12:21 ` [PATCH] fs/aio: fix uaf " Edward Adam Davis
2024-03-04 16:15 ` Bart Van Assche
2024-03-04 17:03 ` Benjamin LaHaise
2024-03-04 17:15 ` Bart Van Assche
2024-03-04 17:31 ` Benjamin LaHaise [this message]
2024-03-04 17:40 ` Bart Van Assche
2024-03-04 17:47 ` Benjamin LaHaise
2024-03-04 17:58 ` Bart Van Assche
2024-03-04 18:02 ` Benjamin LaHaise
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240304173120.GP20455@kvack.org \
--to=ben@communityfibre.ca \
--cc=brauner@kernel.org \
--cc=bvanassche@acm.org \
--cc=eadavis@qq.com \
--cc=jack@suse.cz \
--cc=linux-aio@kvack.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).