From: Miklos Szeredi
Date: Mon, 24 Sep 2018 16:27:21 +0200
Subject: Re: KASAN: use-after-free Read in fuse_dev_do_read
To: Kirill Tkhai
Cc: syzbot , Dmitry Vyukov , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs
References: <00000000000059484105767ac88f@google.com>
List-ID: linux-kernel@vger.kernel.org

On Mon, Sep 24, 2018 at 2:06 PM, Kirill Tkhai wrote:
> Fix from my previous message makes the use-after-free not reproduce
> with the reproducer in my setup. Excellent.
>
> I can prepare the patch, but before this some comments from Miklos would
> be welcome.
>
> Miklos, what do you think about this?

I like the patch.

We could optimize away the get/put by moving the set_bit/test_bit part
inside the fpq->lock-ed region and only get the refcount for the
(unlikely) interrupted case. OTOH it's probably not worth the extra
complexity, so let's stay with this simpler fix.

Thanks,
Miklos