public inbox for linux-kernel@vger.kernel.org
From: asmadeus@codewreck.org
To: David Howells <dhowells@redhat.com>
Cc: syzbot <syzbot+df038d463cca332e8414@syzkaller.appspotmail.com>,
	ericvh@kernel.org, linux-kernel@vger.kernel.org,
	linux_oss@crudebyte.com, lucho@ionkov.net,
	syzkaller-bugs@googlegroups.com, v9fs@lists.linux.dev
Subject: Re: [syzbot] [v9fs?] KASAN: slab-use-after-free Write in v9fs_free_request
Date: Mon, 20 May 2024 16:32:27 +0900	[thread overview]
Message-ID: <Zkr8i9XxpkJ9AABZ@codewreck.org> (raw)
In-Reply-To: <0000000000005be0aa061846f8d6@google.com>

+To David as I need help with netfs

syzbot wrote on Sun, May 12, 2024 at 12:42:33PM -0700:
> UAF in
> Workqueue: events_unbound v9fs_upload_to_server_worker
>  refcount_dec_and_test include/linux/refcount.h:325 [inline]
>  p9_fid_put include/net/9p/client.h:275 [inline]
>  v9fs_free_request+0x5f/0xe0 fs/9p/vfs_addr.c:128
>  netfs_free_request+0x246/0x600 fs/netfs/objects.c:97
>  v9fs_upload_to_server fs/9p/vfs_addr.c:36 [inline]
>  v9fs_upload_to_server_worker+0x200/0x3e0 fs/9p/vfs_addr.c:44
>  process_one_work kernel/workqueue.c:3267 [inline]

> Freed by task 32641:
>  p9_fid_destroy net/9p/client.c:889 [inline]
>  p9_client_destroy+0x1fb/0x660 net/9p/client.c:1070
>  v9fs_session_close+0x51/0x210 fs/9p/v9fs.c:506
>  v9fs_kill_super+0x5c/0x90 fs/9p/vfs_super.c:196
>  deactivate_locked_super+0xc6/0x130 fs/super.c:472
>  cleanup_mnt+0x426/0x4c0 fs/namespace.c:1267

That's a tough one: netfs took a ref in v9fs_init_request (netfs op's
init_request) and expects to be able to use it until v9fs_free_request
(netfs op's free_request()), but the fs was dismounted first and we kill
the kmem cache at this point, so we aggressively drop any dangling ref
there as there's no way of waiting.
(This is corroborated by "9pnet: Found fid 1 not clunked" in dmesg in
the syzkaller logs.)

The other two recent kasan errors are similar:
https://lkml.kernel.org/r/000000000000b86c5e06130da9c6@google.com
is pretty much the same (it's just that the decrement here hit 0 as
umount was in the middle of doing it?), and
https://lkml.kernel.org/r/000000000000041f960618206d7e@google.com
is yet another step faster (netfs freed the last ref while the cache
was being emptied and destroyed the fid first; which is possible because
we're not taking the client lock at this point as we weren't expecting
any other access after umount)

David, got an idea on how we could wait for these async writebacks?


Notes:
 - David removed v9fs_upload_to_server in 2df86547b23d ("netfs: Cut
over to using new writeback code") (and c245868524cc ("netfs: Remove the
old writeback code")) in master, but the problem is still present
conceptually.
 - layering-wise, 9p (fs) depends on 9pnet, so 9pnet cannot call into the
fs code; the wait has to be in v9fs_session_close() before calling
p9_client_destroy, or earlier


Thanks,
-- 
Dominique Martinet | Asmadeus
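The lifetime race described in the message above, as an added user-space model that is not kernel code and not part of this thread: a fid cache with refcounts, an async writeback that takes its own fid reference (the v9fs_init_request side) and drops it when it runs (the v9fs_free_request side), and a session teardown that empties the cache and releases any fid still referenced, counting it as "not clunked". All names (`p9_fid_model`, `p9_client_model`, `run_scenario`, and so on) and the single-fid scenario are constructed for illustration; the model records a put on an already-released fid instead of touching freed memory, standing in for the KASAN report. It compares the reported ordering (destroy, then the worker runs) with the ordering the notes call for (drain the writebacks inside session close before the client is destroyed).

```c
/* Added model of the 9p fid refcount race; not kernel code. */
#include <stdio.h>
#include <string.h>

#define MAX_FIDS 8
#define MAX_PENDING 8

struct p9_fid_model {
	int id;
	int refcount;  /* references still held by users or pending writebacks */
	int released;  /* set once the cache released it; no memory is really freed */
};

struct p9_client_model {
	struct p9_fid_model fids[MAX_FIDS];
	int nfids;
	struct p9_fid_model *pending[MAX_PENDING]; /* async writebacks, one fid ref each */
	int npending;
	int not_clunked;  /* what "9pnet: Found fid N not clunked" counts */
	int uaf_detected; /* a put on a released fid, i.e. the KASAN report */
};

static void client_init(struct p9_client_model *c)
{
	memset(c, 0, sizeof *c);
}

static struct p9_fid_model *fid_create(struct p9_client_model *c)
{
	struct p9_fid_model *f = &c->fids[c->nfids];
	f->id = c->nfids++;
	f->refcount = 1; /* the opener's reference */
	return f;
}

/* refcount_dec_and_test + destroy; a put on a released fid is the bug. */
static void fid_put(struct p9_client_model *c, struct p9_fid_model *f)
{
	if (f->released) {
		c->uaf_detected++;
		return;
	}
	if (--f->refcount == 0)
		f->released = 1;
}

/* v9fs_init_request side: the writeback takes its own reference. */
static void queue_writeback(struct p9_client_model *c, struct p9_fid_model *f)
{
	f->refcount++;
	c->pending[c->npending++] = f;
}

/* v9fs_free_request side: the worker drops its reference when it runs. */
static void run_pending_writebacks(struct p9_client_model *c)
{
	for (int i = 0; i < c->npending; i++)
		fid_put(c, c->pending[i]);
	c->npending = 0;
}

/* p9_client_destroy side: empty the cache; fids still referenced are
 * reported as not clunked and released anyway, since nothing can wait here. */
static void client_destroy(struct p9_client_model *c)
{
	for (int i = 0; i < c->nfids; i++) {
		struct p9_fid_model *f = &c->fids[i];
		if (f->released)
			continue;
		if (f->refcount > 0)
			c->not_clunked++;
		f->refcount = 0;
		f->released = 1;
	}
}

/* Constructed scenario: open, queue a writeback, close (dropping the opener's
 * ref while the worker still owns one), then umount. With wait == 0 the client
 * is destroyed before the worker runs; with wait == 1 the session close drains
 * the writebacks first. Returns the number of puts on released fids. */
int run_scenario(int wait, int *not_clunked)
{
	struct p9_client_model c;
	client_init(&c);
	struct p9_fid_model *f = fid_create(&c);
	queue_writeback(&c, f); /* refcount 2 */
	fid_put(&c, f);         /* file closed: refcount 1, owned by the worker */
	if (wait)
		run_pending_writebacks(&c); /* the wait belongs before destroy */
	client_destroy(&c);
	run_pending_writebacks(&c);        /* no-op if already drained */
	*not_clunked = c.not_clunked;
	return c.uaf_detected;
}

int main(void)
{
	int nc;
	printf("no wait:   uaf=%d not_clunked=%d\n", run_scenario(0, &nc), nc);
	printf("with wait: uaf=%d not_clunked=%d\n", run_scenario(1, &nc), nc);
	return 0;
}
```

The model deliberately keeps the layering constraint from the notes: `client_destroy` (the 9pnet side) never calls back into the writeback machinery, so the only place the drain can go is the session-close path before it.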
