From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-fsdevel-owner@vger.kernel.org>
Received: from mail-io1-f48.google.com ([209.85.166.48]:36168 "EHLO
        mail-io1-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729045AbeIXU3r (ORCPT
        <rfc822;linux-fsdevel@vger.kernel.org>);
        Mon, 24 Sep 2018 16:29:47 -0400
Received: by mail-io1-f48.google.com with SMTP id q5-v6so17753856iop.3
        for <linux-fsdevel@vger.kernel.org>; Mon, 24 Sep 2018 07:27:22 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <be262e04-df8a-c248-26a8-d42bf081be1c@virtuozzo.com>
References: <00000000000059484105767ac88f@google.com> <be262e04-df8a-c248-26a8-d42bf081be1c@virtuozzo.com>
From: Miklos Szeredi <miklos@szeredi.hu>
Date: Mon, 24 Sep 2018 16:27:21 +0200
Message-ID: <CAJfpeguTiN22KqMCH9NMs0Hj+ZcshdzFUk7Mb38Jt0ewHEOHpg@mail.gmail.com>
Subject: Re: KASAN: use-after-free Read in fuse_dev_do_read
To: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: syzbot <syzbot+4e975615ca01f2277bdd@syzkaller.appspotmail.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

On Mon, Sep 24, 2018 at 2:06 PM, Kirill Tkhai <ktkhai@virtuozzo.com> wrote:

> Fix from my previous message makes the use-after-free does not reproduce
> with the reproducer in my setup.

Excellent.

>
> I can prepare the patch, but before this some comments from Miklos would
> be welcome.
>
> Miklos, what you think about this?

I like the patch.

We could optimize away the get/put by moving the set_bit/test_bit part
inside the fpq->lock-ed region and only get the refcount for the
(unlikely) interrupted case.  OTOH it's probably not worth the extra
complexity, so let's stay with this simpler fix.

Thanks,
Miklos