Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3687030img;
        Mon, 25 Mar 2019 15:51:11 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxkWeYVFBKU9s4z1/5kAfvFYRe/ia3C9BeaE0AvEdAVnKixxCQ3JDJU+P5XtFeD4kYOtLuX
X-Received: by 2002:a17:902:8d8b:: with SMTP id v11mr28275570plo.241.1553554271073;
        Mon, 25 Mar 2019 15:51:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553554271; cv=none;
        d=google.com; s=arc-20160816;
        b=B13D6k+AzCZqChANCWp7GksSFKDd+0W17HQjRZwNaGOk6b1okRZJ56FDkcBHySqeuM
         njDHFIEDFXLmm9o4lSdEcgsCMdzgRPoA8HTF6djIDDAlehuTTzO5QVX5UtpPeRDsY+nD
         L7GwS4yr+CFZY2hXgpZh31iJwh4luhQuFyr7rYns4zbGqPSbYZR/h6/iXVi1/h4XFY6G
         NEILtNM10qdss1OF/0cUd+IIoVe/to9lQY1OPkg/DLlnrt2BDTcCpVsbdHsdGPciD34X
         oIK1ENblOoitkFuGotD7Q5OyX9W9aTmnUsc8N0joZOmAwXsFXCfkq7pVcn3L48S7WW4F
         EYTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=L8fLXMboLwBOueIgaYNNmFKNhhOrEWfyGSxISGZzaqs=;
        b=AyRNs47Ew+/Jq2jkkYT8mNGZdVoYqqZTp+k4hwP3+DtD3Wl+yjCvbLVGZ76yt1TsVa
         32VA3mYPzHRtWJSHSJeI9bODRw1l0HWoms/LrYgyv1PY+XfDTGjLhuKLpQSD0SeR+5z8
         9/+6iquEjYLGuombAZFhddCgwr+AQZgeZA+ltm1ze16xOPUbl/qYj08Wsh9Mri4ICekO
         Ey1k/Z8v4RhKHWq7HAFPIiFs0RYxmQ320EtJCbpc2nERpCB0kNmQ6nqnuLNlDw9iqJ1W
         QtSGhmClwn67+Oz+19zwuQi8GuRYIHZ7T/4P5hi3t3qfTSRfKUh5HsiafopSnaqkxRNG
         YzrA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e96si15608865plb.123.2019.03.25.15.50.55;
        Mon, 25 Mar 2019 15:51:11 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730555AbfCYWuI (ORCPT <rfc822;ablacktshirt@gmail.com>
        + 99 others); Mon, 25 Mar 2019 18:50:08 -0400
Received: from zeniv.linux.org.uk ([195.92.253.2]:56656 "EHLO
        ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729204AbfCYWuH (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 25 Mar 2019 18:50:07 -0400
Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92 #3 (Red Hat Linux))
        id 1h8YPn-0000cr-PD; Mon, 25 Mar 2019 22:49:59 +0000
Date:   Mon, 25 Mar 2019 22:49:59 +0000
From:   Al Viro <viro@zeniv.linux.org.uk>
To:     Daniel Borkmann <daniel@iogearbox.net>
Cc:     Linus Torvalds <torvalds@linux-foundation.org>,
        syzbot <syzbot+7a8ba368b47fdefca61e@syzkaller.appspotmail.com>,
        Alexei Starovoitov <ast@kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: KASAN: use-after-free Read in path_lookupat
Message-ID: <20190325224959.GQ2217@ZenIV.linux.org.uk>
References: <0000000000006946d2057bbd0eef@google.com>
 <CAHk-=wiijJMTw=nTj_ED+YWMCrvHzh3ezfVYRxvzcW6+trgyPA@mail.gmail.com>
 <20190325045744.GK2217@ZenIV.linux.org.uk>
 <CAHk-=wg4iJsMHBzK52WzP+5_92HbwvX_vh_s4mMUuN0FJGdM5A@mail.gmail.com>
 <CAHk-=whJ4M5FegOLvnjUtJ0+pHv4L8UNFt+9jJDhox3Ada8kwA@mail.gmail.com>
 <20190325211405.GP2217@ZenIV.linux.org.uk>
 <CAHk-=wj+-e=X9cvvNwc5+QuvBOyYT7OtZTBzy-Wg8zGrUwxSbw@mail.gmail.com>
 <f4eccb87-1ea2-c0d5-19db-d638f2c5aa57@iogearbox.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <f4eccb87-1ea2-c0d5-19db-d638f2c5aa57@iogearbox.net>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 25, 2019 at 11:04:53PM +0100, Daniel Borkmann wrote:

> +static void bpf_destroy_inode_deferred(struct rcu_head *head)
> +{
> +	struct inode *inode = container_of(head, struct inode, i_rcu);
> +	enum bpf_type type;
> +
> +	if (S_ISLNK(inode->i_mode))
> +		kfree(inode->i_link);
> +	if (!bpf_inode_type(inode, &type))
> +		bpf_any_put(inode->i_private, type);
> +	free_inode_nonrcu(inode);
> +}

Umm...  Can bpf_any_put() can be called in that context?  It's going
to run in softirq; if that's OK (I'm not familiar enough with BPF guts
to tell), sure, that's probably the best approach.

Note, BTW, that it's obviously -stable fodder, so any splitting
of ->destroy_inode() would live on top of that fix.