Re: [syzbot] [v9fs?] KASAN: slab-use-after-free Read in p9_fid_destroy

From: Hillf Danton
Date: Fri May 17 2024 - 20:00:01 EST


On Fri, 17 May 2024 04:31:28 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: ea5f6ad9ad96 Merge tag 'platform-drivers-x86-v6.10-1' of g..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11df3084980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ea5f6ad9ad96

--- x/include/net/9p/client.h
+++ y/include/net/9p/client.h
@@ -11,6 +11,7 @@

#include <linux/utsname.h>
#include <linux/idr.h>
+#include <linux/mutex.h>
#include <linux/tracepoint-defs.h>

/* Number of requests per row */
@@ -122,6 +123,7 @@ struct p9_client {

struct idr fids;
struct idr reqs;
+ struct mutex destroy_mutex;

char name[__NEW_UTS_LEN + 1];
};
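Review bot: The new `destroy_mutex` member is added to struct p9_client with no comment stating what it protects, so a reader of the header has to find the two lock sites in net/9p/client.c to learn the rule. A one-line comment above the field, such as `/* serializes p9_fid_destroy() between the clunk error path and p9_client_destroy() */`, would document the locking contract where the field is declared.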
--- x/net/9p/client.c
+++ y/net/9p/client.c
@@ -1041,6 +1041,7 @@ struct p9_client *p9_client_create(const
0, 0, P9_HDRSZ + 4,
clnt->msize - (P9_HDRSZ + 4),
NULL);
+ mutex_init(&clnt->destroy_mutex);

return clnt;

@@ -1065,11 +1066,13 @@ void p9_client_destroy(struct p9_client
clnt->trans_mod->close(clnt);

v9fs_put_trans(clnt->trans_mod);
+ mutex_lock(&clnt->destroy_mutex);

idr_for_each_entry(&clnt->fids, fid, id) {
pr_info("Found fid %d not clunked\n", fid->fid);
p9_fid_destroy(fid);
}
+ mutex_unlock(&clnt->destroy_mutex);

p9_tag_cleanup(clnt);

@@ -1454,7 +1457,10 @@ error:
if (retries++ == 0)
goto again;
} else {
- p9_fid_destroy(fid);
+ if (mutex_trylock(&clnt->destroy_mutex)) {
+ p9_fid_destroy(fid);
+ mutex_unlock(&clnt->destroy_mutex);
+ }
}
return err;
}
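Review bot: When `mutex_trylock(&clnt->destroy_mutex)` fails the fid is silently left in `clnt->fids` and `err` is returned unchanged, so the caller cannot tell that the fid was not destroyed. With two clunk calls failing concurrently on different fids, the one that loses the trylock keeps its fid registered until p9_client_destroy reports it as "not clunked", turning transient contention into a fid that lives for the rest of the client's lifetime. This path presumably can sleep, since the surrounding function waits on the clunk RPC, so a blocking `mutex_lock()` paired with a check that the fid is still present in the idr would avoid both the skip and the contention; at a minimum the skipped branch deserves a comment or pr_warn explaining why leaving the fid behind is acceptable. The enclosing function begins outside the hunk.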
--