Received: by 2002:ab2:3141:0:b0:1ed:23cc:44d1 with SMTP id i1csp2002006lqg;
        Mon, 4 Mar 2024 09:47:52 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCV3IWqMyjFzb4aSVRald3RGX2kEJ4LFoveb4CgT9Jmov2S8NB6z7onDFgxjWj/3nYGkwZ7Dd9GMfXmlxzJt8lGfOUiHg9OuCLTKHv7d3A==
X-Google-Smtp-Source: AGHT+IH49egswB3mfWSyonlz5KsM30JpuEbGURcSLpLYUjdB+4+8B9FRP/e0lR8N2fYrUra7oeMB
X-Received: by 2002:a17:903:22d1:b0:1db:d7a8:8508 with SMTP id y17-20020a17090322d100b001dbd7a88508mr9705575plg.52.1709574472559;
        Mon, 04 Mar 2024 09:47:52 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1709574472; cv=pass;
        d=google.com; s=arc-20160816;
        b=dsxKi7nfOI/feQ9fjoQ7gz4pptt2XZ64WSjcRWlbWaS6fQ/zXEHVHyhsQXibNRfqkt
         Cjjh9O11Nm0/9liTnjAXu7UUb/BPrCptfcuv7ZI/5PrfdQpnmDcrZ3PxsZ5GKg/yFB6Y
         hHC7Asj6/K3Ja6zd2pIDISllAFQGs2/4zUq9/zVIQAwzeZATR8NVCa/dwc2r/dXJ3k1A
         ylBOaVCib/+AYYadPDFqy1bawXyB8xAKTEqRd7HlrTHKz2UXMAHVB1txEfHfzjIahFzm
         B43/8rWkYRYiOtJiwZbQrvRga7DnrSdaOe5XRuMvkXT64C+X1xT3qtMYiJ9APVDbs1CN
         Tj4g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=user-agent:in-reply-to:content-disposition:mime-version
         :list-unsubscribe:list-subscribe:list-id:precedence:references
         :message-id:subject:cc:to:from:date;
        bh=zFSDpZoNalj+nM3TPT4WJtCm5WIaTrxXUS8kJKl/VoE=;
        fh=98KwVV8RpDNth19YVoL1G0g1wneJOt7kGhMv/1sMvIU=;
        b=VjobpXxEYIjh0yfElzy/bwVYOPjF2XSKt7seWTEtlXCQHC55sv+wiJvcCc+pXsTDpU
         RBb3m8tV0K0K6fnTXI3K0qpQvc9N9gn7Yvs4BU2rS2NpNHbusdT/P7pGAER9AD1SZdb2
         mKIvepQWUwTbTCdofIni3dOqR0SpUDpbo3R5tzj9Kbpvxdjlau6uItkU0O7FHCpaoD81
         8PW+thcoaVEppYXK+CJYrrPgmKdYXEM1sz9+A7fdmU3oSD+k4wlOZl05pmz2raIcBI6j
         sLfei0+/gAlOvlcsefL56tyU6XqnfU1V9QGwkKVHD2KqO1TRApt2hAylddtzuayVexjC
         G1kA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=communityfibre.ca);
       spf=pass (google.com: domain of linux-kernel+bounces-91021-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-91021-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-91021-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id b15-20020a170902b60f00b001dc2ee53f25si8229346pls.142.2024.03.04.09.47.52
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 04 Mar 2024 09:47:52 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-91021-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=communityfibre.ca);
       spf=pass (google.com: domain of linux-kernel+bounces-91021-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-91021-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id 7F03A2848F9
	for <linux.lists.archive@gmail.com>; Mon,  4 Mar 2024 17:47:40 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id A08606168D;
	Mon,  4 Mar 2024 17:47:24 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 75DFC6166E;
	Mon,  4 Mar 2024 17:47:22 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.233.56.17
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1709574444; cv=none; b=TT533DDIGO0D2RPungpF8e8/8qjNpTOEabKeWlokTUB6gj83smv3DCMVla/tc4+Y0KwavLryLauTaCcW+tT4vyw3ZBVib6u0LmqDPonKtS9f/iiqm0hR663ptPGP8n7jmrCrYbYr0nTVDyZ4557qHHPnoxlLO03DZa9OxU5ltSw=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1709574444; c=relaxed/simple;
	bh=Jva+x7rbRCUGadKDKjz7ce9+Gv5TBrbgMXjNaNg3mnQ=;
	h=Date:From:To:Cc:Subject:Message-ID:References:Mime-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=NWvbtxQYux6Z+klJt3Wx7gpgD2n2up7m3D1O6KE2C3+GPHztQyImD7LJQAk6hXBZG9NnuQJasID8sB2bUPm6g+32CqKRaTYbfvGDwwaIZYT2C65Os2ibL/bHzVOziX3p8rYvBAUxxmlGG7+SIO3KA1vAc2vGzMrmw3gMnWadE/E=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=communityfibre.ca; spf=pass smtp.mailfrom=communityfibre.ca; arc=none smtp.client-ip=205.233.56.17
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=communityfibre.ca
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=communityfibre.ca
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 9D5926B0083; Mon,  4 Mar 2024 12:47:21 -0500 (EST)
Date: Mon, 4 Mar 2024 12:47:21 -0500
From: Benjamin LaHaise <ben@communityfibre.ca>
To: Bart Van Assche <bvanassche@acm.org>
Cc: Edward Adam Davis <eadavis@qq.com>,
	syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com,
	brauner@kernel.org, jack@suse.cz, linux-aio@kvack.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [PATCH] fs/aio: fix uaf in sys_io_cancel
Message-ID: <20240304174721.GQ20455@kvack.org>
References: <0000000000006945730612bc9173@google.com> <tencent_DC4C9767C786D2D2FDC64F099FAEFDEEC106@qq.com> <14f85d0c-8303-4710-b8b1-248ce27a6e1f@acm.org> <20240304170343.GO20455@kvack.org> <73949a4d-6087-4d8c-bae0-cda60e733442@acm.org> <20240304173120.GP20455@kvack.org> <5ee4df86-458f-4544-85db-81dc82c2df4c@acm.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5ee4df86-458f-4544-85db-81dc82c2df4c@acm.org>
User-Agent: Mutt/1.4.2.2i

On Mon, Mar 04, 2024 at 09:40:35AM -0800, Bart Van Assche wrote:
> On 3/4/24 09:31, Benjamin LaHaise wrote:
> >A revert is justified when a series of patches is buggy and had
> >insufficient review prior to merging.
> 
> That's not how Linux kernel development works. If a bug can get fixed
> easily, a fix is preferred instead of reverting + reapplying a patch.

Your original "fix" is not right, and it wasn't properly tested.  Commit
54cbc058d86beca3515c994039b5c0f0a34f53dd needs to be reverted.

> >Using the "a kernel warning hit" approach for work on cancellation is
> >very much a sign that the patches were half baked.
> Is there perhaps a misunderstanding? My patches fix a kernel warning and
> did not introduce any new WARN*() statements.

The change that introduced that callback by you was incorrect and should
be reverted.

> >Why are you touching the kiocb after ownership has already been
> >passed on to another entity?
> Touching the kiocb after ownership has been passed is the result of an
> oversight. Whether or not kiocb->ki_cancel() transfers ownership depends
> on the I/O type. The use-after-free was not introduced on purpose.

Your fix is still incorrect.  You're still touching memory that you don't
own.  The event should be generated via the ->ki_cancel method, not in the
io_cancel() syscall.

		-ben

> Bart.
> 
> 

-- 
"Thought is the essence of where you are now."