From: Edward Adam Davis
To: syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in sys_io_cancel
Date: Sun, 3 Mar 2024 17:53:53 +0800
X-OQ-MSGID: <20240303095352.445841-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <0000000000006945730612bc9173@google.com>
References: <0000000000006945730612bc9173@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

please test uaf in sys_io_cancel

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/fs/aio.c b/fs/aio.c
index 28223f511931..0fed22ed9eb8 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1762,9 +1762,8 @@ static void aio_poll_complete_work(struct work_struct *work) } /* else, POLLFREE has freed the waitqueue, so we must complete */ list_del_init(&iocb->ki_list); iocb->ki_res.res = mangle_poll(mask); - spin_unlock_irq(&ctx->ctx_lock); - iocb_put(iocb); + spin_unlock_irq(&ctx->ctx_lock); } /* assumes we are called with irqs disabled */ @@ -2198,7 +2197,6 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb, break; } } - spin_unlock_irq(&ctx->ctx_lock); /* * The result argument is no longer used - the io_event is always @@ -2206,6 +2204,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb, */ if (ret == 0 && kiocb->rw.ki_flags & IOCB_AIO_RW) aio_complete_rw(&kiocb->rw, -EINTR); + spin_unlock_irq(&ctx->ctx_lock); percpu_ref_put(&ctx->users);
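Review bot: the first hunk, in aio_poll_complete_work(), removes the `iocb_put(iocb);` that followed `spin_unlock_irq(&ctx->ctx_lock);` and re-adds only the unlock, so the net effect of the hunk is a dropped reference release with nothing taking its place. That put is what lets the poll completion reach a zero refcount, post its io_event and free the request; without it the iocb leaks, and the KASAN report goes away only because the object is never freed, not because the race is fixed. Keep the `iocb_put(iocb);` here and address the ordering problem on the io_cancel() side instead.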
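Review bot: the two io_cancel() hunks move `spin_unlock_irq(&ctx->ctx_lock);` from directly after the list walk to after `if (ret == 0 && kiocb->rw.ki_flags & IOCB_AIO_RW) aio_complete_rw(&kiocb->rw, -EINTR);`, so the flags read and the completion now run with ctx_lock held, but neither the one-line description nor a comment says why. The move is only justified if reading `kiocb->rw.ki_flags` after the old unlock could race with a completion that takes the same lock (such as the poll work in the first hunk) and frees the iocb; spell that out in the commit message, and confirm that nothing reachable from aio_complete_rw() in this path reacquires ctx_lock or can sleep, since the irq-disabled spinlock region now also covers completing and possibly freeing the request.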