Subject: Re: KASAN: use-after-free Read in idr_for_each (2)
To: Matthew Wilcox, Hillf Danton
Cc: syzbot, io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <000000000000ca835605b0e8a723@google.com> <20201129113429.13660-1-hdanton@sina.com> <20201129122600.GA4327@casper.infradead.org>
From: Jens Axboe
Message-ID: <851bd25a-ff64-3d3a-f1f5-f9e4f83c2dab@kernel.dk>
Date: Mon, 30 Nov 2020 10:43:46 -0700
In-Reply-To: <20201129122600.GA4327@casper.infradead.org>
List-ID: linux-kernel@vger.kernel.org

On 11/29/20 5:26 AM, Matthew Wilcox wrote:
> On Sun, Nov 29, 2020 at 07:34:29PM +0800, Hillf Danton wrote:
>>>  radix_tree_next_slot include/linux/radix-tree.h:422 [inline]
>>>  idr_for_each+0x206/0x220 lib/idr.c:202
>>>  io_destroy_buffers fs/io_uring.c:8275 [inline]
>>
>> Matthew, can you shed any light on the link between the use of idr
>> routines and the UAF reported?
>
> I presume it's some misuse of IDR by io_uring. I'd rather io_uring
> didn't use the IDR at all. This compiles; I promise no more than that.

Looks reasonable to me. Care to send as an actual patch? This would
just leave the personality idr as the last idr use case in io_uring,
hint hint :-)

Would be nice to fully understand why this issue exists with idr; I
don't immediately see anything wrong. But as I cannot even reproduce,
I can't verify that the xa version is sane wrt fixing it either...

--
Jens Axboe