lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20240906221658.2144-1-hdanton@sina.com>
Date: Sat,  7 Sep 2024 06:16:58 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+f82b36bffae7ef78b6a7@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in lockref_get_not_dead (2)

On Fri, 06 Sep 2024 01:40:23 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    9b0874286768 Merge branch 'mctp-serial-tx-escapes'
> git tree:       net
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1627ab2b980000

#syz test

--- x/fs/libfs.c
+++ y/fs/libfs.c
@@ -2234,6 +2234,7 @@ int path_from_stashed(struct dentry **st
 	path->dentry = stash_dentry(stashed, dentry);
 	if (path->dentry != dentry)
 		dput(dentry);
+	dget(dentry);
 
 out_path:
 	WARN_ON_ONCE(path->dentry->d_fsdata != stashed);
@@ -2258,5 +2259,6 @@ void stashed_dentry_prune(struct dentry
 	 * already cleared out @dentry and stashed their own
 	 * dentry in there.
 	 */
-	cmpxchg(stashed, dentry, NULL);
+	if (dentry == cmpxchg(stashed, dentry, NULL))
+		dput(dentry);
 }
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ