From: Kuniyuki Iwashima
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Read in unix_del_edges
Date: Fri, 19 Apr 2024 13:39:45 -0700
Message-ID: <20240419203945.2526-1-kuniyu@amazon.com>
In-Reply-To: <000000000000c1fa0506166fdcfe@google.com>

From: syzbot
Date: Fri, 19 Apr 2024 02:39:21 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7b4f2bc91c15 Add linux-next specific files for 20240418
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=14a54a53180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=ae644165a243bf62
> dashboard link: https://syzkaller.appspot.com/bug?extid=f3f3eef1d2100200e593
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=155e53af180000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=128b1d53180000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/524a18e6c5be/disk-7b4f2bc9.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/029f1b84d653/vmlinux-7b4f2bc9.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/c02d1542e886/bzImage-7b4f2bc9.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+f3f3eef1d2100200e593@syzkaller.appspotmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main

diff --git a/net/unix/garbage.c b/net/unix/garbage.c index 95240a59808f..039c1c8c73f4 100644 --- a/net/unix/garbage.c +++ b/net/unix/garbage.c @@ -158,11 +158,14 @@ static void unix_add_edge(struct scm_fp_list *fpl, struct unix_edge *edge) unix_update_graph(unix_edge_successor(edge)); } +static bool gc_in_progress; + static void unix_del_edge(struct scm_fp_list *fpl, struct unix_edge *edge) { struct unix_vertex *vertex = edge->predecessor->vertex; - unix_update_graph(unix_edge_successor(edge)); + if (!gc_in_progress) + unix_update_graph(unix_edge_successor(edge)); list_del(&edge->vertex_entry); vertex->out_degree--; 
@@ -237,8 +240,10 @@ void unix_del_edges(struct scm_fp_list *fpl) unix_del_edge(fpl, edge); } while (i < fpl->count_unix); - receiver = fpl->edges[0].successor; - receiver->scm_stat.nr_unix_fds -= fpl->count_unix; + if (!gc_in_progress) { + receiver = fpl->edges[0].successor; + receiver->scm_stat.nr_unix_fds -= fpl->count_unix; + } WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - fpl->count_unix); out: WRITE_ONCE(fpl->user->unix_inflight, fpl->user->unix_inflight - fpl->count); @@ -550,8 +555,6 @@ static void unix_walk_scc_fast(struct sk_buff_head *hitlist) list_replace_init(&unix_visited_vertices, &unix_unvisited_vertices); } -static bool gc_in_progress; - static void __unix_gc(struct work_struct *work) { struct sk_buff_head hitlist;
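
Review bot: in unix_del_edge() the new `if (!gc_in_progress)` test is a plain load of a file-scope flag, while the same file annotates its lockless counters (`WRITE_ONCE(unix_tot_inflight, ...)` in unix_del_edges()). If this function can run while another context sets or clears the flag, read it with READ_ONCE(), or add a comment naming the lock that serializes the two. The hunk also carries no comment on why unix_update_graph() may be skipped while GC runs; one line above the test would save the next reader from having to reconstruct that.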
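
Review bot: the `if (!gc_in_progress)` guard around `receiver = fpl->edges[0].successor;` in unix_del_edges() keys on global state rather than on this fpl, so every call that arrives while the flag is set skips the `nr_unix_fds` decrement, including a call for a list the collector is not tearing down, if such a caller can exist. The `unix_tot_inflight` and `fpl->user->unix_inflight` updates just below stay unconditional, so the per-socket count and the global counts would diverge in that case. Consider a per-list marker that the collector sets on the lists it is freeing and test that here instead, with a comment tying the guard to the use-after-free read reported in unix_del_edges.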