From: Miklos Szeredi
Date: Mon, 1 Oct 2018 11:25:42 +0200
Subject: Re: [PATCH] fuse: Fix use-after-free in fuse_dev_do_read()
To: Kirill Tkhai
Cc: syzbot, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <153786771676.20496.9149001582398031266.stgit@localhost.localdomain>
References: <153786771676.20496.9149001582398031266.stgit@localhost.localdomain>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Sep 25, 2018 at 11:28 AM, Kirill Tkhai wrote:
> We may pick freed req in this way:
>
> [cpu0]                                           [cpu1]
> fuse_dev_do_read()                               fuse_dev_do_write()
>   list_move_tail(&req->list, &fpq->processing);  ...
>   spin_unlock(&fpq->lock);                       ...
>   ...                                            request_end(fc, req);
>   ...                                            fuse_put_request(fc, req);
>   if (test_bit(FR_INTERRUPTED, &req->flags))
>     queue_interrupt(fiq, req);
>
> Fix that by keeping req alive till we finish all manipulations.
>
> Reported-by: syzbot+4e975615ca01f2277bdd@syzkaller.appspotmail.com
> Signed-off-by: Kirill Tkhai

Applied.

Thanks,
Miklos
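A small C model of the interleaving in the quoted commit message, added here as an illustration; it is not the patch's code or kernel code. It assumes the fix works by taking an extra reference on req before fpq->lock is dropped and releasing it after the FR_INTERRUPTED check (my reading of "keeping req alive", not text from the patch); struct req, req_get, req_put and the freed flag are constructed stand-ins for the kernel's request refcounting.

```c
#include <stdbool.h>
/* Constructed model of the request lifetime in the commit message, not
 * kernel code. A request records that it was freed instead of calling
 * free(), so a use-after-free can be reported without undefined behaviour. */
struct req {
    int refcount;
    bool interrupted;        /* stands in for the FR_INTERRUPTED flag */
    bool freed;
    bool interrupt_queued;   /* set where queue_interrupt() would run */
};

static void req_get(struct req *r) { r->refcount++; }

static void req_put(struct req *r)
{
    if (--r->refcount == 0)
        r->freed = true;     /* the real code frees the request here */
}

/* cpu1 side: request_end() followed by fuse_put_request(). */
static void writer_finish(struct req *r) { req_put(r); }
/* cpu0 side after spin_unlock(&fpq->lock). Returns false when the
 * access would touch an already freed request. */
static bool reader_after_unlock(struct req *r, bool hold_ref)
{
    if (r->freed)
        return false;                /* use-after-free */
    if (r->interrupted)
        r->interrupt_queued = true;  /* queue_interrupt(fiq, req) */
    if (hold_ref)
        req_put(r);                  /* drop the reference taken earlier */
    return true;
}

/* Replay the diagram's interleaving. hold_ref == false is the unfixed
 * reader relying on the queue's reference alone; hold_ref == true takes
 * its own reference before unlocking. Returns true when the post-unlock
 * access was safe and the request was still freed by the end. */
static bool run_interleaving(bool hold_ref)
{
    struct req r = { .refcount = 1, .interrupted = true };
    if (hold_ref)
        req_get(&r);                 /* before spin_unlock(&fpq->lock) */
    /* lock released; cpu1 completes the request inside the window */
    writer_finish(&r);
    bool ok = reader_after_unlock(&r, hold_ref);
    return ok && r.freed && r.interrupt_queued;
}

int main(void) { return run_interleaving(true) && !run_interleaving(false) ? 0 : 1; }
```

The unfixed reader reaches the FR_INTERRUPTED check on a request cpu1 has already released, while the reader that holds its own reference keeps the object alive across the window and drops it afterwards.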