From: syzbot <syzbot+d7c7a495a5e466c031b6@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [v9fs?] KASAN: slab-use-after-free Read in p9_fid_destroy
Date: Sat, 18 May 2024 06:55:04 -0700 [thread overview]
Message-ID: <000000000000b4fca50618bad06f@google.com> (raw)
In-Reply-To: <20240518133234.1786-1-hdanton@sina.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: refcount bug in p9_req_put
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 1092 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 3 PID: 1092 Comm: kworker/u32:8 Not tainted 6.9.0-syzkaller-08284-gea5f6ad9ad96-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: events_unbound netfs_write_collection_worker
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 98 2d 0d fd 84 db 0f 85 66 ff ff ff e8 0b 33 0d fd c6 05 97 cc 4c 0b 01 90 48 c7 c7 00 24 8f 8b e8 f7 47 cf fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 e8 32 0d fd 0f b6 1d 72 cc 4c 0b 31
RSP: 0018:ffffc90003a5f830 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff814ff319
RDX: ffff888023018000 RSI: ffffffff814ff326 RDI: 0000000000000001
RBP: ffff88804070b768 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000002 R12: ffff88804070b760
R13: ffff88804070b768 R14: ffff88802d844c00 R15: 00000000ffffffea
FS: 0000000000000000(0000) GS:ffff88806b300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc1bfd2c38 CR3: 000000000d97a000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__refcount_sub_and_test include/linux/refcount.h:275 [inline]
__refcount_dec_and_test include/linux/refcount.h:307 [inline]
refcount_dec_and_test include/linux/refcount.h:325 [inline]
p9_req_put+0x1f4/0x250 net/9p/client.c:402
p9_client_rpc+0x5fd/0xc00 net/9p/client.c:757
p9_client_clunk+0x93/0x170 net/9p/client.c:1448
p9_fid_put include/net/9p/client.h:280 [inline]
v9fs_free_request+0xdc/0x110 fs/9p/vfs_addr.c:138
netfs_free_request+0x22c/0x690 fs/netfs/objects.c:133
netfs_put_request+0x19b/0x1f0 fs/netfs/objects.c:165
netfs_write_collection_worker+0x19d0/0x59e0 fs/netfs/write_collect.c:701
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Tested on:
commit: ea5f6ad9 Merge tag 'platform-drivers-x86-v6.10-1' of g..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=140cc3d0980000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1cd4092753f97c5
dashboard link: https://syzkaller.appspot.com/bug?extid=d7c7a495a5e466c031b6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1755df84980000
next prev parent reply other threads:[~2024-05-18 13:55 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-07 8:14 [syzbot] [v9fs?] KASAN: slab-use-after-free Read in p9_fid_destroy syzbot
2024-05-17 11:31 ` syzbot
2024-05-17 23:59 ` Hillf Danton
2024-05-18 0:20 ` syzbot
2024-05-18 1:33 ` Hillf Danton
2024-05-18 1:58 ` syzbot
2024-05-18 11:41 ` Hillf Danton
2024-05-18 12:01 ` syzbot
2024-05-18 13:32 ` Hillf Danton
2024-05-18 13:55 ` syzbot [this message]
2024-05-18 23:08 ` Hillf Danton
2024-05-18 23:30 ` syzbot
2024-05-19 0:14 ` Hillf Danton
2024-05-19 0:39 ` syzbot
2024-05-22 23:19 ` Hillf Danton
2024-05-22 23:44 ` syzbot
2024-05-23 14:37 ` David Howells
2024-05-23 15:04 ` syzbot
2024-05-23 16:46 ` asmadeus
2024-05-23 18:07 ` David Howells
2024-05-23 20:57 ` asmadeus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000b4fca50618bad06f@google.com \
--to=syzbot+d7c7a495a5e466c031b6@syzkaller.appspotmail.com \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox