Re: [syzbot] [netfs?] KASAN: slab-use-after-free Read in iov_iter_advance

From: Hillf Danton
Date: Fri Sep 20 2024 - 22:09:06 EST


On Fri, 20 Sep 2024 07:26:34 -0700
> syzbot found the following issue on:
>
> HEAD commit: a430d95c5efa Merge tag 'lsm-pr-20240911' of git://git.kern..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10c7d69f980000

#syz test

--- x/fs/netfs/write_collect.c
+++ y/fs/netfs/write_collect.c
@@ -548,7 +548,9 @@ void netfs_write_collection_worker(struc
return;
}

+ mutex_lock(&ictx->wb_lock);
netfs_collect_write_results(wreq);
+ mutex_unlock(&ictx->wb_lock);

/* We're done when the app thread has finished posting subreqs and all
* the queues in all the streams are empty.
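Review bot: the hunk does not show where `ictx` comes from, so confirm it is already a local in `netfs_write_collection_worker` (or derive it from `wreq` before the `mutex_lock(&ictx->wb_lock)` line); otherwise this will not build. More importantly, the patch carries no explanation of which concurrent access to the write request this lock serialises. The comment right below says the collector runs while "the app thread has finished posting subreqs", so if that app thread ever holds `wb_lock` while it waits for collection to make progress, wrapping `netfs_collect_write_results(wreq)` in the same mutex will deadlock rather than fix the use-after-free. A proper submission should name the two paths that race on the freed iterator and add a Fixes tag; as a `#syz test` probe it only tells us whether serialising collection makes the report go away.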
--- l/net/9p/client.c
+++ c/net/9p/client.c
@@ -1039,7 +1039,7 @@ struct p9_client *p9_client_create(const
* followed by data accessed from userspace by read
*/
clnt->fcall_cache =
- kmem_cache_create_usercopy("9p-fcall-cache", clnt->msize,
+ kmem_cache_create_usercopy(client_id, clnt->msize,
0, 0, P9_HDRSZ + 4,
clnt->msize - (P9_HDRSZ + 4),
NULL);
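Review bot: `client_id` is not declared anywhere in the visible hunk, so it must already be in scope in `p9_client_create` and be a valid NUL-terminated string when `kmem_cache_create_usercopy(client_id, clnt->msize,` runs. Replacing the fixed name "9p-fcall-cache" with a per-client identifier means each client gets a distinctly named slab cache, which changes what shows up in slabinfo and whether identically configured caches can be merged; the patch gives no rationale for that, and it is unrelated to the write_collect change above. If the intent is only to keep the fcall cache from being merged with other caches so that KASAN attributes the bad access to the right allocation, say so in the description; otherwise this belongs in a separate patch with its own justification.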
--