Re: [syzbot] [v9fs?] KASAN: slab-use-after-free Read in p9_fid_destroy
From: Hillf Danton
Date: Fri May 17 2024 - 21:34:16 EST
On Fri, 17 May 2024 04:31:28 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: ea5f6ad9ad96 Merge tag 'platform-drivers-x86-v6.10-1' of g..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11df3084980000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ea5f6ad9ad96
--- x/include/net/9p/client.h
+++ y/include/net/9p/client.h
@@ -11,6 +11,7 @@
#include <linux/utsname.h>
#include <linux/idr.h>
+#include <linux/mutex.h>
#include <linux/tracepoint-defs.h>
/* Number of requests per row */
@@ -122,6 +123,7 @@ struct p9_client {
struct idr fids;
struct idr reqs;
+ struct mutex destroy_mutex;
char name[__NEW_UTS_LEN + 1];
};
--- x/net/9p/client.c
+++ y/net/9p/client.c
@@ -1041,6 +1041,7 @@ struct p9_client *p9_client_create(const
0, 0, P9_HDRSZ + 4,
clnt->msize - (P9_HDRSZ + 4),
NULL);
+ mutex_init(&clnt->destroy_mutex);
return clnt;
@@ -1058,6 +1059,7 @@ void p9_client_destroy(struct p9_client
{
struct p9_fid *fid;
int id;
+ int clean;
p9_debug(P9_DEBUG_MUX, "clnt %p\n", clnt);
@@ -1066,9 +1068,18 @@ void p9_client_destroy(struct p9_client
v9fs_put_trans(clnt->trans_mod);
+again:
+ clean = 1;
+ mutex_lock(&clnt->destroy_mutex);
idr_for_each_entry(&clnt->fids, fid, id) {
pr_info("Found fid %d not clunked\n", fid->fid);
- p9_fid_destroy(fid);
+ clean = 0;
+ break;
+ }
+ mutex_unlock(&clnt->destroy_mutex);
+ if (!clean) {
+ schedule_timeout_idle(2);
+ goto again;
}
p9_tag_cleanup(clnt);
@@ -1454,7 +1465,9 @@ error:
if (retries++ == 0)
goto again;
} else {
+ mutex_lock(&clnt->destroy_mutex);
p9_fid_destroy(fid);
+ mutex_unlock(&clnt->destroy_mutex);
}
return err;
}
--