linux-kernel.vger.kernel.org archive mirror
From: Jan Kara <jack@suse.cz>
To: Shankara Pailoor <sp3485@columbia.edu>
Cc: LKML <linux-kernel@vger.kernel.org>,
	viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org
Subject: Re: KASAN: use-after-free in move_expired_inodes
Date: Wed, 15 Nov 2017 14:41:44 +0100
Message-ID: <20171115134144.GB13707@quack2.suse.cz>
In-Reply-To: <CAASgV=uFkfFg3HeG_GnHWbCc=-OFq6nqH7bDKQt2HymdD+wiDA@mail.gmail.com>

Hi,

On Tue 31-10-17 22:04:49, Shankara Pailoor wrote:
> I was unable to find a reproducer but I was looking at
> move_expired_inodes (fs/fs-writeback.c 1093.c) and how do you ensure
> that the inode can't be freed after retrieving it from the work queue?
> Any insights would be appreciated.

In move_expired_inodes() we hold wb->list_lock, which protects the list
the inode is in. fs/inode.c:evict() checks for the inode being in the list and
removes it from the list, blocking on the wb->list_lock as well. Granted,
list_empty(&inode->i_io_list) is not protected by any lock, so that check
*could* be somewhat stale, but it cannot be older than e.g. the time when the
inode's refcount dropped to 0, at which point inode->i_io_list should
already be stable. But maybe the flusher is shuffling the inode between lists and
evict() saw some intermediate state. So far I don't see how that could
happen, but maybe it could - will look more into that later...

								Honza

> On Tue, Oct 31, 2017 at 9:24 AM, Shankara Pailoor <sp3485@columbia.edu> wrote:
> > Hi,
> >
> > We got the following error:
> >
> > BUG: KASAN: use-after-free in move_expired_inodes+0xce6/0xdf0
> > Write of size 8 at addr ffff8800a3a36bf8 by task kworker/u8:0/5
> >
> > while fuzzing with Syzkaller on 4.14-rc4 on x86_64. Included is the
> > trace of the crash along with the programs running around the time of
> > the crash.
> >
> > Programs can be found here: https://pastebin.com/RYGtNn3z
> >
> > Stack trace here: https://pastebin.com/SaJXWMg3
> >
> > We don't have a C reproducer but we will send one if we have it.
> >
> > Regards,
> > Shankara
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR
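The locking discipline Jan describes (the flusher moves i_io_list entries between wb->b_dirty and wb->b_io under wb->list_lock, and evict() unlinks the entry under that same lock, with its unlocked list_empty() only a fast path) can be modelled in userspace. The following is an added example written for this page, not code from the mail or from fs/fs-writeback.c: the list helpers are a simplified re-creation of include/linux/list.h, the names move_expired_inodes, queue_io, evict, b_dirty, b_io and list_lock mirror the kernel but the bodies are assumptions of this model, a pthread mutex stands in for the spinlock, and the timestamps are constructed sample values.

```c
/* Userspace model (added example, not kernel code) of the wb->list_lock
 * discipline around inode->i_io_list.  Simplified re-creation of the
 * relevant include/linux/list.h helpers; no kernel headers required. */
#include <assert.h>
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *h) {   /* insert at head */
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del_init(struct list_head *n) {                    /* unlink, leave empty */
    n->prev->next = n->next; n->next->prev = n->prev; INIT_LIST_HEAD(n);
}
static void list_move(struct list_head *n, struct list_head *h) { list_del_init(n); list_add(n, h); }
static int list_count(const struct list_head *h) {
    int c = 0;
    for (const struct list_head *p = h->next; p != h; p = p->next) c++;
    return c;
}

struct inode {
    unsigned long dirtied_when;   /* jiffies-style timestamp (constructed values below) */
    struct list_head i_io_list;   /* on wb->b_dirty or wb->b_io, otherwise empty */
};

struct bdi_writeback {
    pthread_mutex_t list_lock;    /* models wb->list_lock (a spinlock in the kernel) */
    struct list_head b_dirty;     /* newest at head, oldest at tail */
    struct list_head b_io;        /* inodes selected for the current writeback pass */
};

static void wb_init(struct bdi_writeback *wb) {
    pthread_mutex_init(&wb->list_lock, NULL);
    INIT_LIST_HEAD(&wb->b_dirty);
    INIT_LIST_HEAD(&wb->b_io);
}
static void inode_init(struct inode *inode) { inode->dirtied_when = 0; INIT_LIST_HEAD(&inode->i_io_list); }

/* Dirtying side: queue the inode at the head of b_dirty, under the list lock. */
static void mark_inode_dirty(struct bdi_writeback *wb, struct inode *inode, unsigned long now) {
    pthread_mutex_lock(&wb->list_lock);
    inode->dirtied_when = now;
    list_move(&inode->i_io_list, &wb->b_dirty);
    pthread_mutex_unlock(&wb->list_lock);
}

/* Flusher side.  Caller holds wb->list_lock.  Walks b_dirty from its oldest
 * end and moves every inode dirtied at or before older_than_this onto b_io;
 * returns how many were moved. */
static int move_expired_inodes(struct bdi_writeback *wb, unsigned long older_than_this) {
    int moved = 0;
    while (!list_empty(&wb->b_dirty)) {
        struct inode *inode = container_of(wb->b_dirty.prev, struct inode, i_io_list);
        if (inode->dirtied_when > older_than_this)
            break;                                  /* younger inodes stay on b_dirty */
        list_move(&inode->i_io_list, &wb->b_io);
        moved++;
    }
    return moved;
}
static int queue_io(struct bdi_writeback *wb, unsigned long older_than_this) {
    pthread_mutex_lock(&wb->list_lock);
    int moved = move_expired_inodes(wb, older_than_this);
    pthread_mutex_unlock(&wb->list_lock);
    return moved;
}

/* Eviction side.  The unlocked list_empty() is only a fast path; the unlink
 * itself happens under wb->list_lock, the lock the flusher holds while it
 * shuffles entries, so neither side sees the other's half-done list surgery. */
static void evict(struct bdi_writeback *wb, struct inode *inode) {
    if (!list_empty(&inode->i_io_list)) {
        pthread_mutex_lock(&wb->list_lock);
        list_del_init(&inode->i_io_list);
        pthread_mutex_unlock(&wb->list_lock);
    }
}

/* Constructed scenario; returns the number of invariants that held (8 expected). */
static int run_scenario(void) {
    struct bdi_writeback wb; struct inode a, b, c, d; int ok = 0;
    wb_init(&wb); inode_init(&a); inode_init(&b); inode_init(&c); inode_init(&d);
    mark_inode_dirty(&wb, &a, 10); mark_inode_dirty(&wb, &b, 20); mark_inode_dirty(&wb, &c, 30);
    ok += queue_io(&wb, 20) == 2;            /* a and b expired, c did not */
    ok += list_count(&wb.b_io) == 2;
    ok += list_count(&wb.b_dirty) == 1;
    evict(&wb, &a);                          /* evict an inode the flusher already moved */
    ok += list_empty(&a.i_io_list);
    ok += list_count(&wb.b_io) == 1;
    evict(&wb, &c);                          /* evict one still waiting on b_dirty */
    ok += list_count(&wb.b_dirty) == 0;
    evict(&wb, &d);                          /* never dirtied: fast path, no lock taken */
    ok += list_empty(&d.i_io_list);
    ok += queue_io(&wb, 100) == 0;           /* nothing left to expire */
    return ok;
}

int main(void) { printf("invariants held: %d/8\n", run_scenario()); return 0; }
```

The point the model makes concrete is that both writers of i_io_list serialise on one lock, so list_del_init() in evict() can only ever observe a fully linked entry; a cheap unlocked list_empty() in front of it is safe only because an inode whose refcount has reached zero is no longer being re-dirtied.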

Thread overview: 3+ messages
2017-10-31 13:24 KASAN: use-after-free in move_expired_inodes Shankara Pailoor
2017-11-01  2:04 ` Shankara Pailoor
2017-11-15 13:41   ` Jan Kara [this message]