Date: Mon, 27 Aug 2018 07:24:12 +0200
From: Dominique Martinet
To: syzbot
Cc: davem@davemloft.net, ericvh@gmail.com, linux-kernel@vger.kernel.org, lucho@ionkov.net, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, v9fs-developer@lists.sourceforge.net
Subject: Re: KASAN: invalid-free in p9stat_free
Message-ID: <20180827052412.GA26294@nautica>
References: <000000000000af648b057456e234@google.com>
In-Reply-To: <000000000000af648b057456e234@google.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Mailing-List: linux-kernel@vger.kernel.org

syzbot wrote on Sun, Aug 26, 2018:
> HEAD commit:    e27bc174c9c6 Add linux-next specific files for 20180824
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=15dc19a6400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=28446088176757ea
> dashboard link: https://syzkaller.appspot.com/bug?extid=d4252148d198410b864f
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15f8efba400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1178256a400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
>
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> ==================================================================
> BUG: KASAN: double-free or invalid-free in p9stat_free+0x35/0x100
> net/9p/protocol.c:48

That looks straightforward enough: p9pdu_vreadf does p9stat_free on error, then v9fs_dir_readdir does the same; there is nothing else that could return an error without going through the first free, so we could just remove the later one...

There are a couple of other users of the 'S' pdu read (which reads the stat struct and frees it on error), so it's probably best to keep the current behaviour as far as this is concerned. What we could do, though, is make the free function idempotent (write NULLs in the freed fields), but I do not see this being done often; do you know what the policy is about this kind of pattern nowadays?

The struct is cleanly zeroed before being read, so there is no risk of double-frees between iterations and zeroing pointers is not strictly required, but it does make things safer in general.

-- 
Dominique Martinet
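As an added example (not the kernel's code and not a patch from this thread), a user-space C model of the double free described above and of the idempotent-free fix the reply proposes: `wstat_read` stands in for the 'S' pdu read that frees on error, `readdir_step` for the caller that frees again, and `wstat_free` writes NULL back so the second free releases nothing. `struct wstat`, its field names and the NUL-separated buffer format are simplified assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Constructed model of p9_wstat's heap-allocated string fields (not the kernel struct). */
struct wstat { char *name, *uid, *gid; };

/* Idempotent free: free each field, write NULL back; returns how many were freed. */
int wstat_free(struct wstat *st)
{
    char **fields[3] = { &st->name, &st->uid, &st->gid };
    int n = 0;
    for (int i = 0; i < 3; i++) {
        if (*fields[i]) {
            free(*fields[i]);
            *fields[i] = NULL;      /* the change the reply proposes */
            n++;
        }
    }
    return n;
}

/* Models the 'S' pdu read: zero the struct, copy NUL-terminated strings out of
 * buf, and on a truncated buffer free what was read so far and return -1. */
int wstat_read(struct wstat *st, const char *buf, size_t len)
{
    char **fields[3] = { &st->name, &st->uid, &st->gid };
    size_t off = 0;
    memset(st, 0, sizeof(*st));
    for (int i = 0; i < 3; i++) {
        const char *end = memchr(buf + off, '\0', len - off);
        if (!end) {                 /* first free, on the error path */
            wstat_free(st);
            return -1;
        }
        *fields[i] = strdup(buf + off);
        off = (size_t)(end - buf) + 1;
    }
    return 0;
}

/* Models the caller (v9fs_dir_readdir in the thread) that frees again on error:
 * with the idempotent free the second call is harmless and returns 0. */
int readdir_step(const char *buf, size_t len)
{
    struct wstat st;
    (void)wstat_read(&st, buf, len);
    return wstat_free(&st);
}
```

With a complete record the caller's free releases all three fields; with a truncated record the error path has already freed them and the caller's second free finds only NULLs.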