From: Hillf Danton
To: syzbot
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [nilfs?] [mm?] KASAN: slab-use-after-free Read in lru_add_fn
Date: Thu, 13 Jun 2024 18:57:41 +0800
Message-Id: <20240613105741.2380-1-hdanton@sina.com>
In-Reply-To: <000000000000cae276061aa12d5e@google.com>

On Tue, 11 Jun 2024 11:10:20 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 83a7eefedc9b Linux 6.10-rc3
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c645e2980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/fs/read_write.c +++ y/fs/read_write.c @@ -570,6 +570,7 @@ EXPORT_SYMBOL(kernel_write); ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_t *pos) { ssize_t ret; + struct super_block *sb; if (!(file->f_mode & FMODE_WRITE)) return -EBADF; @@ -583,6 +584,9 @@ ssize_t vfs_write(struct file *file, con return ret; if (count > MAX_RW_COUNT) count = MAX_RW_COUNT; + sb = file_inode(file)->i_sb; + if (!down_read_trylock(&sb->s_umount)) + return -EINVAL; file_start_write(file); if (file->f_op->write) ret = file->f_op->write(file, buf, count, pos); @@ -596,6 +600,7 @@ ssize_t vfs_write(struct file *file, con } inc_syscw(current); file_end_write(file); + up_read(&sb->s_umount); return ret; } --
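
Review bot: In the second hunk (@@ -583,6 +584,9) a failed down_read_trylock(&sb->s_umount) returns -EINVAL, so a write that merely races with a holder of s_umount in write mode fails with an errno that reads as a bad argument rather than a transient condition. vfs_write() is the generic write path for every filesystem, while the report is tagged nilfs and mm; if this goes beyond a syzbot test run, consider confining the check to the affected filesystem, or returning a retryable errno such as -EAGAIN or -EBUSY, and note that the new return sits after the count clamp but before file_start_write(), so no write accounting has to be undone there.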
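
Review bot: In the third hunk (@@ -596,6 +600,7) up_read(&sb->s_umount) comes after file_end_write(file), so the read lock taken in the second hunk is held across the entire f_op->write call and the acquisition order becomes s_umount first, then file_start_write(). Neither the patch nor the mail says which teardown path the read lock is meant to exclude or why that ordering is safe; a comment at the down_read_trylock() site stating both would let a reader check the pairing, and the lines between the second and third hunks (not shown here) should be confirmed to have no return that skips the up_read().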