Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp314427lqa;
        Sat, 27 Apr 2024 03:44:48 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCXKTF7RkMnEB04Qus1Unna8tpuSds9xhr9LFRWN4xPqOaHII4jEeDCpNCBMufT7TuyK8NDp0NgmUsXZyd9I0JYwnpGGT56kMUpE9/kJkA==
X-Google-Smtp-Source: AGHT+IFIHmbMqYUTHBeZ/YdgcJX+ObhKXFEqyoLFUeS/aLdXiPTZe3z+WX6RRkLKnhvS3hZDUj6f
X-Received: by 2002:a17:902:f70f:b0:1e5:4743:deba with SMTP id h15-20020a170902f70f00b001e54743debamr240211plo.58.1714214688288;
        Sat, 27 Apr 2024 03:44:48 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1714214688; cv=pass;
        d=google.com; s=arc-20160816;
        b=yKoVa9/nG3ZppEiQ7RZ5h/DXyncfV/Qo9JeHUO1vgNXrv/DlXqUDRSM0XIZub1fXGv
         kcRG/l9z5dZnMFLqb+lFZsBTgIxeNv/lt7UiLU/w+WN4alZUvPyFc95Kzc/pYJgkohKB
         6s74gtBUJytRMPWXfbNXl16n6V+lqvUqEr1fBlMM96VB9BQUNPQdycrkwH6zManenv+M
         cf5Vw8CWjw4tPXzkWdUKBZBpGLcQPJDQ8vlNN1FGn9ApXAxYjUrlIARs6HZHZto6guoO
         QavxiuNsa5WaMXk7ITffvfe5xiwB/7Xlz6NjJqasJ9zWrOL+jEsDJeKHkYMllOtDjR2a
         hL4g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :date:subject:cc:to:from;
        bh=gyqyfIXRSobSCxDjMcK0U45cyf+A2u2a1qCKTo52boE=;
        fh=yaXYBe9sbkmvlk2mHY0QupCsCyiBqDs07jTvbP5wp9k=;
        b=OTEnbkFwdzMXEP1xo+yJ/XMm7qxwyRVNPUteejZwGwr4mviodKNufttn/iMJjXvu3v
         4g9KotCvbTobBgqQesUylfGeFoP5Hah5ViY024Ik7lGL2uYyTeZSEzj3TqQzKq254d2q
         /OA5po0b3DVhPv3bXm5nndfIth4GoRcRwp0r1Ir8mwj4KHb07QEWF4KwN0mOfWiyJpTB
         /tiwS/H/+UMfMCMzSvbZ92s1dJWw+uIhXTOVoerM7xHSTbQsdeZFlyVztU/KCjcKMRyz
         wLVWht0GFDTDXYVlbSdPw+13Y0CyWDsNS07To0fxox57kWe18E0wcIQ/z7RjKwnpck9k
         a9pg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=sina.com);
       spf=pass (google.com: domain of linux-kernel+bounces-160999-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-160999-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-160999-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1])
        by mx.google.com with ESMTPS id i5-20020a17090332c500b001eb6b4eab7bsi504461plr.63.2024.04.27.03.44.47
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 27 Apr 2024 03:44:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-160999-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=sina.com);
       spf=pass (google.com: domain of linux-kernel+bounces-160999-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-160999-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 3A983B21579
	for <linux.lists.archive@gmail.com>; Sat, 27 Apr 2024 10:44:43 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id E930C446A9;
	Sat, 27 Apr 2024 10:44:34 +0000 (UTC)
Received: from mail115-118.sinamail.sina.com.cn (mail115-118.sinamail.sina.com.cn [218.30.115.118])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3922A347B6
	for <linux-kernel@vger.kernel.org>; Sat, 27 Apr 2024 10:44:28 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=218.30.115.118
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1714214674; cv=none; b=ssE+RYtnwLt7p8Z9lSYmQHjMCPvXoqMn88jBM/CvyxXUx/b9jXTEnv8nl3anCTsie7nwRGJXdBKiCwAupYA8KTzn3BOItCIkc9d4x7G852elHvZ8djezngyJlaYARy/EqSn5GCaU2OeXUn8plFmf4evFQ2FmdG0HmKPGeBmR0rE=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1714214674; c=relaxed/simple;
	bh=f5LFMIxtIn4Rb0vSwTaO9c6vSDOK8fB6BXUCWnoX2BM=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version; b=Ia567cOeQriRJra9If4K+J3PkRw6ZKhzzOOSPpCACWvuW+goikGXbdDRsox3Exn4JI//v2+iyTIDsK33UtoS/y45T7f5hxzk9pgBWxSmEtoJhx55vt7tpsuKuWTRfGlS3MZsbdg+WuUUpYZ3sK6a5ldeJJFFJgPRfBm57KvrJgQ=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com; spf=pass smtp.mailfrom=sina.com; arc=none smtp.client-ip=218.30.115.118
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sina.com
X-SMAIL-HELO: localhost.localdomain
Received: from unknown (HELO localhost.localdomain)([113.88.50.155])
	by sina.com (172.16.235.25) with ESMTP
	id 662CD70600001F62; Sat, 27 Apr 2024 18:44:26 +0800 (CST)
X-Sender: hdanton@sina.com
X-Auth-ID: hdanton@sina.com
Authentication-Results: sina.com;
	 spf=none smtp.mailfrom=hdanton@sina.com;
	 dkim=none header.i=none;
	 dmarc=none action=none header.from=hdanton@sina.com
X-SMAIL-MID: 43268034210304
X-SMAIL-UIID: 23A085A6FDF24E87B8BBFAAE0EA0B55B-20240427-184426-1
From: Hillf Danton <hdanton@sina.com>
To: syzbot <syzbot+5d34cc6474499a5ff516@syzkaller.appspotmail.com>
Cc: linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [ntfs3?] KASAN: slab-use-after-free Read in chrdev_open
Date: Sat, 27 Apr 2024 18:44:25 +0800
Message-Id: <20240427104425.3926-1-hdanton@sina.com>
In-Reply-To: <000000000000f386f90616fea5ef@google.com>
References: 
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

On Fri, 26 Apr 2024 05:00:21 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    e33c4963bf53 Merge tag 'nfsd-6.9-5' of git://git.kernel.or..
> git tree:       upstream
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12499380980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git  e33c4963bf53

--- x/fs/char_dev.c
+++ y/fs/char_dev.c
@@ -377,6 +377,9 @@ static int chrdev_open(struct inode *ino
 	struct cdev *new = NULL;
 	int ret = 0;
 
+	if (!igrab(inode))
+		return -ENXIO;
+
 	spin_lock(&cdev_lock);
 	p = inode->i_cdev;
 	if (!p) {
@@ -384,8 +387,10 @@ static int chrdev_open(struct inode *ino
 		int idx;
 		spin_unlock(&cdev_lock);
 		kobj = kobj_lookup(cdev_map, inode->i_rdev, &idx);
-		if (!kobj)
+		if (!kobj) {
+			iput(inode);
 			return -ENXIO;
+		}
 		new = container_of(kobj, struct cdev, kobj);
 		spin_lock(&cdev_lock);
 		/* Check i_cdev again in case somebody beat us to it while
@@ -401,8 +406,10 @@ static int chrdev_open(struct inode *ino
 		ret = -ENXIO;
 	spin_unlock(&cdev_lock);
 	cdev_put(new);
-	if (ret)
+	if (ret) {
+		iput(inode);
 		return ret;
+	}
 
 	ret = -ENXIO;
 	fops = fops_get(p->ops);
@@ -416,10 +423,12 @@ static int chrdev_open(struct inode *ino
 			goto out_cdev_put;
 	}
 
+	iput(inode);
 	return 0;
 
  out_cdev_put:
 	cdev_put(p);
+	iput(inode);
 	return ret;
 }
 
--