From: Hillf Danton
To: syzbot
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [ntfs3?] KASAN: slab-use-after-free Read in chrdev_open
Date: Tue, 28 May 2024 07:57:21 +0800
Message-Id: <20240527235721.2643-1-hdanton@sina.com>
In-Reply-To: <000000000000f386f90616fea5ef@google.com>

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/fs/open.c +++ y/fs/open.c
@@ -907,6 +907,7 @@ static int do_dentry_open(struct file *f static const struct file_operations empty_fops = {}; struct inode *inode = f->f_path.dentry->d_inode; int error; + struct super_block *sb = inode->i_sb; path_get(&f->f_path); f->f_inode = inode; @@ -929,6 +930,7 @@ static int do_dentry_open(struct file *f f->f_mode |= FMODE_WRITER; } + down_read(&sb->s_umount); /* POSIX.1-2008/SUSv4 Section XSI 2.9.7 */ if (S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)) f->f_mode |= FMODE_ATOMIC_POS; @@ -956,6 +958,7 @@ static int do_dentry_open(struct file *f if (error) goto cleanup_all; } + up_read(&sb->s_umount); f->f_mode |= FMODE_OPENED; if ((f->f_mode & FMODE_READ) && likely(f->f_op->read || f->f_op->read_iter)) --
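
Review bot: the `down_read(&sb->s_umount)` in the second hunk (@@ -929) carries no comment saying what it is meant to serialize against. Since this is sent as a `#syz test` for the chrdev_open use-after-free report, a one-line comment above the call naming the suspected race would make a pass or fail result interpretable. It is also a blocking acquire on every call to do_dentry_open(), which needs justifying if this is proposed as more than a test.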
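
Review bot: the `up_read(&sb->s_umount)` in the third hunk (@@ -956) sits after `if (error) goto cleanup_all;`, so that error exit leaves `s_umount` read-held and the release never runs. Release the lock before the `goto`, or drop it on the `cleanup_all` path, so that every exit taken after the `down_read()` in the second hunk is balanced.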