| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z-XOvkE-i2fEtRZS@codewreck.org> Date: Fri, 28 Mar 2025 07:18:38 +0900 From: asmadeus@...ewreck.org To: syzbot <syzbot+62262fdc0e01d99573fc@...kaller.appspotmail.com> Cc: brauner@...nel.org, dhowells@...hat.com, ericvh@...nel.org, jack@...e.cz, jlayton@...nel.org, kprateek.nayak@....com, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux_oss@...debyte.com, lucho@...kov.net, mjguzik@...il.com, netfs@...ts.linux.dev, oleg@...hat.com, swapnil.sapkal@....com, syzkaller-bugs@...glegroups.com, v9fs@...ts.linux.dev, viro@...iv.linux.org.uk Subject: Re: [syzbot] [netfs?] INFO: task hung in netfs_unbuffered_write_iter syzbot wrote on Thu, Mar 27, 2025 at 02:19:03PM -0700: > BUG: KASAN: slab-use-after-free in p9_conn_cancel+0x900/0x910 net/9p/trans_fd.c:205 > Read of size 8 at addr ffff88807b19ea50 by task syz-executor/6595 Ugh, why... Ah, if ->request() fails p9_client_rpc assumes the request was not written (e.g. write error), so you can't return an error after the list_add_tail call in p9_fd_request. I think you can call p9_conn_cancel with the error and return 0 anyway, and this paticular workaround will probably work, regardless of whether it's the correct thing to do here (still haven't had time to look at the patch here) Sorry for this mess (even if most of it predates me...) -- Dominique
Powered by blists - more mailing lists