Date: Thu, 19 Jul 2018 18:25:36 -0700
From: Matthew Wilcox
To: Dominique Martinet
Cc: Andrew Morton, syzbot, jack@suse.cz, jlayton@redhat.com, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, v9fs-developer@lists.sourceforge.net, mgorman@techsingularity.net
Subject: Re: [V9fs-developer] KASAN: use-after-free Read in generic_perform_write
Message-ID: <20180720012536.GA27335@bombadil.infradead.org>
References: <00000000000047116205715df655@google.com> <20180719170718.8d4e7344fe79b2ad411dde98@linux-foundation.org> <20180720002704.GA20844@nautica>
In-Reply-To: <20180720002704.GA20844@nautica>
User-Agent: Mutt/1.9.2 (2017-12-15)
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 20, 2018 at 02:27:05AM +0200, Dominique Martinet wrote:
> Andrew Morton wrote on Thu, Jul 19, 2018:
> > On Thu, 19 Jul 2018 11:01:01 -0700 syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    1c34981993da Add linux-next specific files for 20180719
> > > git tree:       linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16e6ac44400000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=7002497517b09aec
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=b173e77096a8ba815511
> > > compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> > >
> > > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > I'm suspecting v9fs. Does that fs attempt to write to the fs from a
> > kmalloced buffer?
>
> Difficult to say without any idea of what syzkaller tried doing, but it
> looks like it hook'd up a fd opened to a local ext4 file into a trans_fd
> mount; so sending a packet to the "server" would trigger a local write
> instead.
>
> The reason it's freed too early probably is that the reply came from a
> read before the write happened; this is going to be tricky to fix as
> that write is 100% asynchronous without any feedback right now (the
> design assumes that the write has to have finished by the time reply
> came), but if we want to protect ourselves from rogue servers we'll have
> to think about something.
>
> I'll write it down to not forget, thanks for the cc.

I suspect this got unmasked by my changes; before it would allocate
buffers and just leave them around.  Now it'll free them, which means
we get to see this reuse (rather than having the buffer reused and
getting corrupt data written).

Not that I'm volunteering to fix this problem ;-)
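The ordering problem Dominique describes (reply observed before the asynchronous transport write has consumed the request buffer, so the buffer is freed under the write), as an added single-threaded model that is not kernel or 9p code: `struct req`, its `refs` field and the "pending write holds its own reference" fix are assumptions for illustration, not the v9fs client's actual structures or the eventual upstream fix.

```c
/* Added example, not kernel code: models a request buffer that an async
 * transport write reads from, while the reply path frees it.  A `freed`
 * flag stands in for the memory actually being released, so the "bad"
 * ordering is detected instead of dereferencing freed memory. */
#include <stdlib.h>
#include <string.h>

struct req {
    char *buf;   /* request payload handed to the transport write */
    int   refs;  /* hypothetical refcount: one per outstanding user */
    int   freed; /* simulation flag: 1 once buf has been released */
};

static struct req *req_new(const char *payload) {
    struct req *r = calloc(1, sizeof *r);
    size_t n = strlen(payload) + 1;
    r->buf = malloc(n);
    memcpy(r->buf, payload, n);
    r->refs = 1;            /* owner: the caller waiting for the reply */
    return r;
}

static void req_put(struct req *r) {
    if (--r->refs == 0) { free(r->buf); r->buf = NULL; r->freed = 1; }
}

/* Late completion of the queued write: returns 1 if the buffer it is
 * about to read from was already freed (the use-after-free), else 0. */
static int transport_write_complete(struct req *r) {
    return r->freed;
}

/* Ordering from the report: reply handled first, write completes later. */
static int run_unsafe(void) {
    struct req *r = req_new("Tversion");   /* constructed sample request */
    req_put(r);                            /* reply: owner drops its ref -> buf freed */
    int uaf = transport_write_complete(r); /* write now reads freed memory */
    free(r);
    return uaf;
}

/* Same ordering, but the pending write owns a reference of its own. */
static int run_safe(void) {
    struct req *r = req_new("Tversion");
    r->refs++;                             /* taken when the write is queued */
    req_put(r);                            /* reply: owner's ref gone, buf survives */
    int uaf = transport_write_complete(r); /* buffer still valid */
    req_put(r);                            /* write completion drops the last ref */
    free(r);
    return uaf;
}
```

The defensive point is that the reply from the peer must not be the event that releases the buffer, since a rogue or misbehaving server controls when the reply arrives; only the write's own completion can safely do so.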