Re: [syzbot] [netfs?] INFO: task hung in netfs_unbuffered_write_iter

From: asmadeus
Date: Thu Mar 27 2025 - 18:19:18 EST

Next message: Linus Torvalds: "Re: [PATCH 00/41] Simplify, reorganize and clean up the x86 INT3 based batch-patching code (alternative.c)"
Previous message: Benno Lossin: "Re: [PATCH v7 7/7] rust: enable `clippy::ref_as_ptr` lint"
In reply to: syzbot: "Re: [syzbot] [netfs?] INFO: task hung in netfs_unbuffered_write_iter"
Next in thread: K Prateek Nayak: "Re: [syzbot] [netfs?] INFO: task hung in netfs_unbuffered_write_iter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

syzbot wrote on Thu, Mar 27, 2025 at 02:19:03PM -0700:
> BUG: KASAN: slab-use-after-free in p9_conn_cancel+0x900/0x910 net/9p/trans_fd.c:205
> Read of size 8 at addr ffff88807b19ea50 by task syz-executor/6595

Ugh, why...
Ah, if ->request() fails p9_client_rpc assumes the request was not
written (e.g. write error), so you can't return an error after the
list_add_tail call in p9_fd_request.

I think you can call p9_conn_cancel with the error and return 0 anyway,
and this paticular workaround will probably work, regardless of whether
it's the correct thing to do here (still haven't had time to look at the
patch here)

Sorry for this mess (even if most of it predates me...)
--
Dominique

Next message: Linus Torvalds: "Re: [PATCH 00/41] Simplify, reorganize and clean up the x86 INT3 based batch-patching code (alternative.c)"
Previous message: Benno Lossin: "Re: [PATCH v7 7/7] rust: enable `clippy::ref_as_ptr` lint"
In reply to: syzbot: "Re: [syzbot] [netfs?] INFO: task hung in netfs_unbuffered_write_iter"
Next in thread: K Prateek Nayak: "Re: [syzbot] [netfs?] INFO: task hung in netfs_unbuffered_write_iter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]