Date: Mon, 4 Mar 2024 12:47:21 -0500
From: Benjamin LaHaise
To: Bart Van Assche
Cc: Edward Adam Davis, syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com, brauner@kernel.org, jack@suse.cz, linux-aio@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [PATCH] fs/aio: fix uaf in sys_io_cancel
Message-ID: <20240304174721.GQ20455@kvack.org>
References: <0000000000006945730612bc9173@google.com> <14f85d0c-8303-4710-b8b1-248ce27a6e1f@acm.org> <20240304170343.GO20455@kvack.org> <73949a4d-6087-4d8c-bae0-cda60e733442@acm.org> <20240304173120.GP20455@kvack.org> <5ee4df86-458f-4544-85db-81dc82c2df4c@acm.org>
In-Reply-To: <5ee4df86-458f-4544-85db-81dc82c2df4c@acm.org>
X-Mailing-List: linux-kernel@vger.kernel.org
User-Agent: Mutt/1.4.2.2i

On Mon, Mar 04, 2024 at 09:40:35AM -0800, Bart Van Assche wrote:
> On 3/4/24 09:31, Benjamin LaHaise wrote:
> >A revert is justified when a series of patches is buggy and had
> >insufficient review prior to merging.
>
> That's not how Linux kernel development works. If a bug can get fixed
> easily, a fix is preferred instead of reverting + reapplying a patch.

Your original "fix" is not right, and it wasn't properly tested. Commit
54cbc058d86beca3515c994039b5c0f0a34f53dd needs to be reverted.

> >Using the "a kernel warning hit" approach for work on cancellation is
> >very much a sign that the patches were half baked.
> Is there perhaps a misunderstanding? My patches fix a kernel warning and
> did not introduce any new WARN*() statements.

The change that introduced that callback by you was incorrect and should
be reverted.

> >Why are you touching the kiocb after ownership has already been
> >passed on to another entity?
> Touching the kiocb after ownership has been passed is the result of an
> oversight. Whether or not kiocb->ki_cancel() transfers ownership depends
> on the I/O type. The use-after-free was not introduced on purpose.

Your fix is still incorrect. You're still touching memory that you don't
own. The event should be generated via the ->ki_cancel method, not in the
io_cancel() syscall.

		-ben

> Bart.
>
-- 
"Thought is the essence of where you are now."
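The ownership rule argued in this reply, as a constructed user-space model added here (not code from the thread or from fs/aio.c; `struct kiocb`, `io_cancel`, `cancel_sync`, `cancel_deferred` and the event array are simplified stand-ins): the syscall side reads nothing from the request after calling `->ki_cancel`, and every cancel method is responsible for generating the completion event itself, whether or not it frees the request.

```c
/* Constructed model of the kiocb ownership contract; not the kernel's aio code. */
#include <errno.h>
#include <stdlib.h>

struct kiocb;
typedef int (*ki_cancel_fn)(struct kiocb *req);

struct kiocb {
    int id;
    ki_cancel_fn ki_cancel;   /* per-I/O-type cancellation method */
};

/* Completion events; stand-in for the aio completion ring. */
static int events[8];
static int nevents;

/* Completing a request is the last thing its owner does before freeing it. */
static void aio_complete(struct kiocb *req) {
    events[nevents++] = req->id;
    free(req);
}

/* I/O type whose cancel completes synchronously: ownership passes to the
 * callee, the event is generated here, and req is gone when this returns. */
static int cancel_sync(struct kiocb *req) {
    aio_complete(req);
    return 0;
}

/* I/O type whose cancel only flags the request; the completion path (modelled
 * by run_deferred) generates the event later. Still never the syscall. */
static struct kiocb *deferred;
static int cancel_deferred(struct kiocb *req) {
    deferred = req;
    return -EINPROGRESS;
}
static void run_deferred(void) {
    struct kiocb *r = deferred;
    deferred = NULL;
    if (r) aio_complete(r);
}

/* Syscall-side rule: copy what is needed, call ->ki_cancel, then never touch
 * req again, because the callback may have completed and freed it. */
static int io_cancel(struct kiocb *req) {
    ki_cancel_fn cancel = req->ki_cancel;   /* last read of req by the syscall */
    int ret = cancel(req);                  /* ownership may move here */
    return ret; /* reading req->id or completing req here is the use-after-free */
}

static struct kiocb *new_kiocb(int id, ki_cancel_fn fn) {
    struct kiocb *r = calloc(1, sizeof *r);
    r->id = id;
    r->ki_cancel = fn;
    return r;
}
```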