lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20240517235925.1584-1-hdanton@sina.com>
Date: Sat, 18 May 2024 07:59:25 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+d7c7a495a5e466c031b6@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [v9fs?] KASAN: slab-use-after-free Read in p9_fid_destroy

On Fri, 17 May 2024 04:31:28 -0700
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    ea5f6ad9ad96 Merge tag 'platform-drivers-x86-v6.10-1' of g..
> git tree:       upstream
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11df3084980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git  ea5f6ad9ad96

--- x/include/net/9p/client.h
+++ y/include/net/9p/client.h
@@ -11,6 +11,7 @@
 
 #include <linux/utsname.h>
 #include <linux/idr.h>
+#include <linux/mutex.h>
 #include <linux/tracepoint-defs.h>
 
 /* Number of requests per row */
@@ -122,6 +123,7 @@ struct p9_client {
 
 	struct idr fids;
 	struct idr reqs;
+	struct mutex destroy_mutex;
 
 	char name[__NEW_UTS_LEN + 1];
 };
--- x/net/9p/client.c
+++ y/net/9p/client.c
@@ -1041,6 +1041,7 @@ struct p9_client *p9_client_create(const
 					   0, 0, P9_HDRSZ + 4,
 					   clnt->msize - (P9_HDRSZ + 4),
 					   NULL);
+	mutex_init(&clnt->destroy_mutex);
 
 	return clnt;
 
@@ -1065,11 +1066,13 @@ void p9_client_destroy(struct p9_client
 		clnt->trans_mod->close(clnt);
 
 	v9fs_put_trans(clnt->trans_mod);
+	mutex_lock(&clnt->destroy_mutex);
 
 	idr_for_each_entry(&clnt->fids, fid, id) {
 		pr_info("Found fid %d not clunked\n", fid->fid);
 		p9_fid_destroy(fid);
 	}
+	mutex_unlock(&clnt->destroy_mutex);
 
 	p9_tag_cleanup(clnt);
 
@@ -1454,7 +1457,10 @@ error:
 		if (retries++ == 0)
 			goto again;
 	} else {
-		p9_fid_destroy(fid);
+		if (mutex_trylock(&clnt->destroy_mutex)) {
+			p9_fid_destroy(fid);
+			mutex_unlock(&clnt->destroy_mutex);
+		}
 	}
 	return err;
 }
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ