Date: Fri, 20 Jul 2018 02:27:05 +0200
From: Dominique Martinet
To: Andrew Morton
Cc: syzbot, jack@suse.cz, jlayton@redhat.com, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org, willy@infradead.org, linux-mm@kvack.org, v9fs-developer@lists.sourceforge.net, mgorman@techsingularity.net
Subject: Re: [V9fs-developer] KASAN: use-after-free Read in generic_perform_write
Message-ID: <20180720002704.GA20844@nautica>
In-Reply-To: <20180719170718.8d4e7344fe79b2ad411dde98@linux-foundation.org>
List-ID: linux-kernel@vger.kernel.org

Andrew Morton wrote on Thu, Jul 19, 2018:
> On Thu, 19 Jul 2018 11:01:01 -0700 syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    1c34981993da Add linux-next specific files for 20180719
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16e6ac44400000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=7002497517b09aec
> > dashboard link: https://syzkaller.appspot.com/bug?extid=b173e77096a8ba815511
> > compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
>
> Thanks. I cc'ed v9fs-developer, optimistically. That list manager is
> weird :(

I agree that list is weird; does anyone know the reason v9fs-developer
is not a vger.k.o list? Or a reason not to change? It's still not too
late...

> I'm suspecting v9fs. Does that fs attempt to write to the fs from a
> kmalloced buffer?

Difficult to say without any idea of what syzkaller tried doing, but it
looks like it hooked up a fd opened to a local ext4 file into a trans_fd
mount; so sending a packet to the "server" would trigger a local write
instead.

The reason it's freed too early probably is that the reply came from a
read before the write happened; this is going to be tricky to fix, as
that write is 100% asynchronous without any feedback right now (the
design assumes that the write has to have finished by the time the reply
came), but if we want to protect ourselves from rogue servers we'll have
to think about something.

I'll write it down to not forget, thanks for the cc.

-- 
Dominique Martinet
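The ordering problem described in the reply above (the request buffer is released when the reply is matched, while the asynchronous write of that same buffer may still be in progress) can be modelled outside the kernel. The following is an added user-space illustration, not net/9p code and not code from anyone on this thread: `struct model_req`, `write_work_step`, `reply_received` and `run_scenario` are hypothetical names, and the request payload is a constructed sample. It contrasts the "free on reply" design, in which a reply that arrives early (for example from a local file standing in for the server) leaves the writer copying from released memory, with a guarded design in which the writer holds its own reference so the buffer cannot go away until the write has actually finished.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model (not net/9p code): a request buffer tc is drained to
 * the "wire" by an asynchronous writer, while a separate reply path decides
 * when the request is finished.  The racy design frees tc as soon as the
 * reply arrives; the guarded design gives the writer its own reference so
 * the buffer outlives the write regardless of what the peer sends back.
 */
struct model_req {
	char *tc;        /* request bytes the writer is still copying out */
	size_t tc_len;
	size_t written;  /* bytes already copied to the wire */
	int refs;        /* guarded design: 1 ref for the writer, 1 for the waiter */
	bool freed;      /* tc has been released */
};

struct model_wire {
	char buf[64];
	size_t len;
};

static struct model_req *model_req_new(const char *payload)
{
	struct model_req *r = calloc(1, sizeof(*r));
	if (!r)
		return NULL;
	r->tc_len = strlen(payload);
	r->tc = malloc(r->tc_len);
	if (!r->tc) {
		free(r);
		return NULL;
	}
	memcpy(r->tc, payload, r->tc_len);
	r->refs = 2;
	return r;
}

static void model_req_release_tc(struct model_req *r)
{
	free(r->tc);
	r->tc = NULL;
	r->freed = true;
}

/* Drop one reference; the buffer goes away only when both sides are done. */
static void model_req_put(struct model_req *r)
{
	if (--r->refs == 0)
		model_req_release_tc(r);
}

/*
 * One slice of the asynchronous write.  Returns 1 when the whole request is
 * on the wire, 0 if more slices are needed, -1 if the buffer was already
 * freed (the model's stand-in for the use-after-free; a real writer would
 * simply read stale memory here).
 */
static int write_work_step(struct model_req *r, struct model_wire *w, size_t chunk)
{
	if (r->freed)
		return -1;
	if (chunk > r->tc_len - r->written)
		chunk = r->tc_len - r->written;
	memcpy(w->buf + w->len, r->tc + r->written, chunk);
	w->len += chunk;
	r->written += chunk;
	return r->written == r->tc_len;
}

/* Reply path: the racy design frees immediately; the guarded one drops a ref. */
static void reply_received(struct model_req *r, bool guarded)
{
	if (guarded)
		model_req_put(r);
	else
		model_req_release_tc(r);
}

/*
 * Scenario: the reply shows up after only `before` bytes were written.
 * Returns true if the writer finished against live memory, false if it
 * would have touched freed memory.  The bytes that reached the wire are
 * left in *w so the caller can compare them with the original request.
 */
static bool run_scenario(bool guarded, size_t before, struct model_wire *w)
{
	const char *payload = "Tversion 8192 9P2000.L"; /* constructed sample */
	struct model_req *r = model_req_new(payload);
	bool ok = false;
	int rc;

	memset(w, 0, sizeof(*w));
	if (!r)
		return false;

	rc = write_work_step(r, w, before);   /* partial write, then the reply lands */
	reply_received(r, guarded);
	while (rc == 0)
		rc = write_work_step(r, w, 4);  /* the writer keeps going regardless */
	if (rc == 1) {
		ok = true;
		if (guarded)
			model_req_put(r);         /* writer's own reference */
	}
	if (!r->freed)
		model_req_release_tc(r);
	free(r);
	return ok;
}
```

With `guarded` set, an early reply only drops the waiter's reference and the write completes against the intact buffer; without it, the same early reply releases the buffer mid-write. When the reply arrives after the write has finished (`before` at least the payload length) both designs behave the same, which is exactly the assumption the reply above says the current code relies on.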