From: Dmitry Vyukov
Date: Tue, 25 Sep 2018 11:38:01 +0200
Subject: Re: WARNING in request_end
To: Kirill Tkhai
Cc: Miklos Szeredi, syzbot, linux-fsdevel, LKML, syzkaller-bugs
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Sep 25, 2018 at 11:18 AM, Kirill Tkhai wrote:
> On 24.09.2018 17:44, Miklos Szeredi wrote:
>> On Mon, Sep 24, 2018 at 2:29 PM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following crash on:
>>>
>>> HEAD commit:    6bf4ca7fbc85 Linux 4.19-rc5
>>> git tree:       upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=159149c6400000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=22a62640793a83c9
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=ef054c4d3f64cd7f7cec
>>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>>>
>>> Unfortunately, I don't have any reproducer for this crash yet.
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+ef054c4d3f64cd7f7cec@syzkaller.appspotmail.com
>>>
>>> WARNING: CPU: 0 PID: 9445 at fs/fuse/dev.c:390 request_end+0x82e/0xaa0
>>
>> And there we have the bug likely caused by the set_bit(FR_SENT, ...)
>> not being inside the fpq->lock-ed region.
>>
>> So that needs to be fixed anyway, apparently.
>
> I can't confirm, since I haven't found yet the direct way, that set_bit() results
> in this stack...
>
> We have one more (unrelated) possible use-after-free here:
>
> cpu0                                      cpu1
> fuse_dev_do_write()                       fuse_dev_do_write()
>   req = request_find(fpq, oh.unique)        ...
>   spin_unlock(&fpq->lock)                   ...
>   ...                                       req = request_find(fpq, oh.unique)
>   ...                                       spin_unlock(&fpq->lock)
>   queue_interrupt(&fc->iq, req);            ...
>   ...                                       ...
>   ...                                       ...
>   request freed                             ...
>   ...                                       queue_interrupt(&fc->iq, req); <- use after free
>
> Something like below is needed:

There are a bunch of open bugs in fuse on the syzbot dashboard; perhaps it's one of them:

https://syzkaller.appspot.com/bug?id=19aabec97cbf73dd0475d6e599113a7861c4b306
https://syzkaller.appspot.com/bug?id=24aa489e6929205e40ec4aa52cd8f47897f2ad63
https://syzkaller.appspot.com/bug?id=400d6a977a0dbd8836d7c7ec8481782a674ee855
https://syzkaller.appspot.com/bug?id=ff9ab4a23afa7553fb79f745a92be87ba4144508
https://syzkaller.appspot.com/bug?id=d0f258de27b6d7ccecbba09385b3376cc4a12ffe
https://syzkaller.appspot.com/bug?id=e8077bce636d52d9c40e1ea904699c27b7454354

> @@ -1875,16 +1877,20 @@ static ssize_t fuse_dev_do_write(struct fuse_dev *fud,
>
> /* Is it an interrupt reply? */
> if (req->intr_unique == oh.unique) {
> + __fuse_get_request(req);
> spin_unlock(&fpq->lock);
>
> err = -EINVAL;
> - if (nbytes != sizeof(struct fuse_out_header))
> + if (nbytes != sizeof(struct fuse_out_header)) {
> + fuse_put_request(fc, req);
> goto err_finish;
> + }
>
> if (oh.error == -ENOSYS)
> fc->no_interrupt = 1;
> else if (oh.error == -EAGAIN)
> queue_interrupt(&fc->iq, req);
> + fuse_put_request(fc, req);
>
> fuse_copy_finish(cs);
> return nbytes;
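Review bot: the closing fuse_put_request(fc, req) sits directly after queue_interrupt(&fc->iq, req), so in exactly the interleaving drawn above (request_end() already ran on the other CPU and the pqueue's reference is gone) this put drops the last reference right after queue_interrupt() has queued the request on fc->iq again, and the request is freed while still queued there unless queue_interrupt() itself refuses to queue a request that has already been ended; that check is not visible in this hunk and should be added or cited in the commit message. Taking the reference with __fuse_get_request(req) while fpq->lock is still held is the right place for it, since the lookup result is only valid under that lock, and a one-line comment there saying why would help the next reader. The two fuse_put_request() calls could also become one by releasing the reference at a shared exit label instead of before goto err_finish.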
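The interleaving Kirill draws above, as an added single-threaded model that is not code from this thread or from fs/fuse: the request, the per-device pqueue and its lock are stand-ins named after the fuse ones, request_end() is assumed to play the "request freed" step the diagram leaves unnamed, and freeing sets a poison flag instead of calling free(), so the use after free shows up as a counter rather than a crash. run_race(false) steps the current code, run_race(true) steps the same order with the get/put pair of the quoted patch applied on both CPUs.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>

/* Stand-in for struct fuse_req with only what the race needs. */
struct req {
    unsigned long unique;
    int refcount;      /* like fuse_req.count */
    bool freed;        /* poison flag set where the real code would free */
};

/* Stand-in for struct fuse_pqueue, the list request_find() searches. */
struct pq {
    struct req *list[4];
    int n;
    bool locked;       /* single-threaded model of fpq->lock */
};

/* How often queue_interrupt() was handed an already freed request. */
static int interrupts_on_freed;

static void pq_lock(struct pq *q)   { assert(!q->locked); q->locked = true; }
static void pq_unlock(struct pq *q) { assert(q->locked);  q->locked = false; }

/* request_find(): lookup by unique; the result is only safe under fpq->lock. */
static struct req *request_find(struct pq *q, unsigned long unique)
{
    assert(q->locked);
    for (int i = 0; i < q->n; i++)
        if (q->list[i]->unique == unique)
            return q->list[i];
    return NULL;
}

/* __fuse_get_request() / fuse_put_request() stand-ins. */
static void get_request(struct req *r) { assert(!r->freed); r->refcount++; }

static void put_request(struct req *r)
{
    assert(!r->freed && r->refcount > 0);
    if (--r->refcount == 0)
        r->freed = true;                /* real code: fuse_request_free() */
}

/* queue_interrupt(): the use the diagram flags. Only records whether the
 * request is already gone; the real function links it on fc->iq. */
static void queue_interrupt(struct req *r)
{
    if (r->freed)
        interrupts_on_freed++;
}

/* request_end(): unlink from the pqueue and drop the pqueue's reference.
 * Modeling assumption: this is the diagram's "request freed" step. */
static void request_end(struct pq *q, struct req *r)
{
    pq_lock(q);
    for (int i = 0; i < q->n; i++)
        if (q->list[i] == r) { q->list[i] = q->list[--q->n]; break; }
    pq_unlock(q);
    put_request(r);
}

/* The two fuse_dev_do_write() calls of the diagram, stepped in its order.
 * pin_request selects whether each reply pins the request under fpq->lock
 * before unlocking, as the quoted patch does. Returns how many times
 * queue_interrupt() ran on a freed request: 1 unpinned, 0 pinned. */
static int run_race(bool pin_request)
{
    struct req *r = calloc(1, sizeof *r);
    struct pq q = { .n = 0, .locked = false };

    assert(r);
    r->unique = 42;
    r->refcount = 1;                    /* the pqueue's own reference */
    q.list[q.n++] = r;
    interrupts_on_freed = 0;

    pq_lock(&q);                        /* cpu0: lookup, then unlock */
    struct req *cpu0 = request_find(&q, 42);
    if (pin_request) get_request(cpu0);
    pq_unlock(&q);

    pq_lock(&q);                        /* cpu1: same lookup, same unique */
    struct req *cpu1 = request_find(&q, 42);
    if (pin_request) get_request(cpu1);
    pq_unlock(&q);
    assert(cpu0 == r && cpu1 == r);

    queue_interrupt(cpu0);              /* cpu0: -EAGAIN reply, still alive */
    if (pin_request) put_request(cpu0);

    request_end(&q, r);                 /* request freed in the unpinned case */

    queue_interrupt(cpu1);              /* cpu1: use after free unless pinned */
    if (pin_request) put_request(cpu1);

    int hits = interrupts_on_freed;
    free(r);
    return hits;
}
```

The model deliberately keeps the pqueue's reference separate from the ones the two reply paths take, which is what makes the unpinned run free the request in the middle of the sequence and the pinned run keep it alive until the last put.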