From: Dmitry Vyukov
Date: Mon, 27 Aug 2018 07:25:18 -0700
Subject: Re: KASAN: invalid-free in p9stat_free
To: Dominique Martinet
Cc: syzbot, David Miller, Eric Van Hensbergen, LKML, Latchesar Ionkov, netdev, syzkaller-bugs, v9fs-developer@lists.sourceforge.net
In-Reply-To: <20180827052412.GA26294@nautica>
References: <000000000000af648b057456e234@google.com> <20180827052412.GA26294@nautica>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Aug 26, 2018 at 10:24 PM, Dominique Martinet wrote:
> syzbot wrote on Sun, Aug 26, 2018:
>> HEAD commit:    e27bc174c9c6 Add linux-next specific files for 20180824
>> git tree:       linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=15dc19a6400000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=28446088176757ea
>> dashboard link: https://syzkaller.appspot.com/bug?extid=d4252148d198410b864f
>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15f8efba400000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1178256a400000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
>>
>> random: sshd: uninitialized urandom read (32 bytes read)
>> random: sshd: uninitialized urandom read (32 bytes read)
>> random: sshd: uninitialized urandom read (32 bytes read)
>> random: sshd: uninitialized urandom read (32 bytes read)
>> ==================================================================
>> BUG: KASAN: double-free or invalid-free in p9stat_free+0x35/0x100
>> net/9p/protocol.c:48
>
> That looks straightforward enough: p9pdu_vreadf does p9stat_free on
> error, then v9fs_dir_readdir does the same; there is nothing else that
> could return an error without going through the first free, so we could
> just remove the later one...
>
> There are a couple of other users of the 'S' pdu read (that reads the stat
> struct and frees it on error), so it's probably best to keep the current
> behaviour as far as this is concerned. What we could do, though, is make
> the free function idempotent (write NULLs in the freed fields), but I do
> not see this being done often. Do you know what the policy is about
> this kind of pattern nowadays?

Hi Dominique,

kfree and then NULL the pointer is pretty common; try to run:

    find -name "*.c" -exec grep -A 1 "kfree(" {} \; | grep -B 1 " = NULL;"

Leaving dangling pointers behind is not the best idea. And from what I
remember, a bunch of similar double frees were fixed by nulling the
pointer after the first kfree.

> The struct is cleanly zeroed before being read, so there is no risk of
> double-frees between iterations, so zeroing pointers is not strictly
> required, but it does make things safer in general.
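The pattern Dominique asks about and Dmitry recommends, nulling each field after kfree so the free routine can safely run twice, as an added user-space C example that is not the kernel's code nor either poster's. The two-string struct is a hypothetical cut of struct p9_wstat, parse_stat is a stand-in for the 'S' case of p9pdu_vreadf that frees on error, frees_with_safe_free models a caller such as v9fs_dir_readdir that frees again on error, and the free counter and the constructed 12-byte record exist only so the behaviour can be checked.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical two-string cut of struct p9_wstat (the real one has more). */
struct wstat { char *name, *uid; };

/* Counts real frees of non-NULL fields; kernel code would just kfree(). */
static int free_calls;

static void field_free(char *p)
{
	if (p)
		free_calls++;
	free(p);
}

/* Shape of the reported bug: the strings are released but the pointers stay
 * in the struct, so a caller that also frees on error hits the same blocks. */
static void stat_free_dangling(struct wstat *st)
{
	field_free(st->name);
	field_free(st->uid);
}

/* The fix discussed above: null each field after freeing it. free(NULL),
 * like kfree(NULL), is a no-op, so calling this twice is harmless. */
static void stat_free_safe(struct wstat *st)
{
	field_free(st->name); st->name = NULL;
	field_free(st->uid);  st->uid = NULL;
}

typedef void (*stat_free_fn)(struct wstat *);

/* 9P string: 2-byte little-endian length, then the bytes; -1 if truncated. */
static int read_str(const uint8_t *buf, size_t len, size_t *pos, char **out)
{
	if (*pos + 2 > len)
		return -1;
	size_t n = buf[*pos] | ((size_t)buf[*pos + 1] << 8);
	*pos += 2;
	if (*pos + n > len)
		return -1;
	char *s = malloc(n + 1);
	if (!s)
		return -1;
	memcpy(s, buf + *pos, n);
	s[n] = '\0';
	*pos += n;
	*out = s;
	return 0;
}

/* Stand-in for the 'S' case of p9pdu_vreadf: zero the struct, parse the
 * strings, and free whatever was already allocated if parsing fails. */
static int parse_stat(const uint8_t *buf, size_t len, struct wstat *st,
		      stat_free_fn free_fn)
{
	size_t pos = 0;
	memset(st, 0, sizeof(*st));
	if (read_str(buf, len, &pos, &st->name) ||
	    read_str(buf, len, &pos, &st->uid)) {
		free_fn(st);
		return -1;
	}
	return 0;
}

/* Constructed sample record: name "file", uid "root", 12 bytes in total. */
static const uint8_t stat_bytes[] = {
	4, 0, 'f', 'i', 'l', 'e',  4, 0, 'r', 'o', 'o', 't',
};

/* Full record freed once the dangling way: returns how many stale pointers
 * are left (2). Freeing again here is what KASAN reported, so this does not. */
int dangling_after_free(void)
{
	struct wstat st;
	if (parse_stat(stat_bytes, sizeof(stat_bytes), &st, stat_free_dangling))
		return -1;
	stat_free_dangling(&st);
	return (st.name != NULL) + (st.uid != NULL);
}

/* Model of v9fs_dir_readdir with the nulling free: parse the first len bytes
 * of the record, then free; on error the parser has already freed once, so
 * this is the second free. Returns the real frees: one per string that was
 * actually allocated (2 for the full record, 1 for one truncated at 7 bytes). */
int frees_with_safe_free(size_t len)
{
	struct wstat st;
	free_calls = 0;
	if (parse_stat(stat_bytes, len, &st, stat_free_safe) == 0)
		stat_free_safe(&st);	/* first free on the success path */
	stat_free_safe(&st);		/* second free, harmless */
	return free_calls;
}
```

Calling stat_free_dangling a second time on the struct left by dangling_after_free is the exact sequence the report shows (free in the parser, free again in the caller); under ASan or KASAN it produces a double-free report, so the example stops at counting the stale pointers. With the nulling variant the second free touches nothing, and the count confirms every string is released exactly once on both the success and the truncated path.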