diff mbox series

[next] fs/9p: fix uaf in in v9fs_stat2inode_dotl

Message ID 20240202121531.2550018-1-lizhi.xu@windriver.com (mailing list archive)
State New, archived
Headers show
Series [next] fs/9p: fix uaf in in v9fs_stat2inode_dotl | expand

Commit Message

Lizhi Xu Feb. 2, 2024, 12:15 p.m. UTC
The incorrect logical order of accessing the st object code in v9fs_fid_iget_dotl
is causing this uaf.

Fixes: 724a08450f74 ("fs/9p: simplify iget to remove unnecessary paths")
Reported-and-tested-by: syzbot+7a3d75905ea1a830dbe5@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 fs/9p/vfs_inode_dotl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Breno Leitao Feb. 28, 2024, 10:33 a.m. UTC | #1
On Fri, Feb 02, 2024 at 08:15:31PM +0800, Lizhi Xu wrote:
> The incorrect logical order of accessing the st object code in v9fs_fid_iget_dotl
> is causing this uaf.
> 
> Fixes: 724a08450f74 ("fs/9p: simplify iget to remove unnecessary paths")
> Reported-and-tested-by: syzbot+7a3d75905ea1a830dbe5@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>

Tested-by: Breno Leitao <leitao@debian.org>
Dominique Martinet March 4, 2024, 1:02 p.m. UTC | #2
Lizhi Xu wrote on Fri, Feb 02, 2024 at 08:15:31PM +0800:
> The incorrect logical order of accessing the st object code in v9fs_fid_iget_dotl
> is causing this uaf.

Thanks for the fix!

Eric, this is also for your tree.

> 
> Fixes: 724a08450f74 ("fs/9p: simplify iget to remove unnecessary paths")

(careful if you rebase your tree as this commit isn't merged yet)

> Reported-and-tested-by: syzbot+7a3d75905ea1a830dbe5@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>

Reviewed-by: Dominique Martinet <asmadeus@codewreck.org>
Jakub Kicinski March 22, 2024, 1:28 a.m. UTC | #3
On Mon, 4 Mar 2024 22:02:29 +0900 asmadeus@codewreck.org wrote:
> Lizhi Xu wrote on Fri, Feb 02, 2024 at 08:15:31PM +0800:
> > The incorrect logical order of accessing the st object code in v9fs_fid_iget_dotl
> > is causing this uaf.  
> 
> Thanks for the fix!
> 
> Eric, this is also for your tree.
> 
> > Fixes: 724a08450f74 ("fs/9p: simplify iget to remove unnecessary paths")  
> 
> (careful if you rebase your tree as this commit isn't merged yet)
> 
> > Reported-and-tested-by: syzbot+7a3d75905ea1a830dbe5@syzkaller.appspotmail.com
> > Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>  
> 
> Reviewed-by: Dominique Martinet <asmadeus@codewreck.org>

Looks like this UAF is in Linus's tree now, and possibly getting hit
by anyone using virtme to test the kernel? I can't vouch for the
correctness of the fix but it does make the KASAN splat go away for me.

[   12.474676][    T1] ==================================================================
[   12.474870][    T1] BUG: KASAN: slab-use-after-free in v9fs_stat2inode_dotl+0x9d6/0xb80
[   12.475060][    T1] Read of size 8 at addr ffff888002bdbad8 by task swapper/0/1
[   12.475248][    T1] 
[   12.475314][    T1] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.8.0-virtme #1
[   12.475503][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[   12.475811][    T1] Call Trace:
[   12.475908][    T1]  <TASK>
[   12.475976][    T1]  dump_stack_lvl+0x82/0xd0
[   12.476133][    T1]  print_address_description.constprop.0+0x2c/0x3b0
[   12.476295][    T1]  ? v9fs_stat2inode_dotl+0x9d6/0xb80
[   12.476425][    T1]  print_report+0xb4/0x270
[   12.476552][    T1]  ? kasan_addr_to_slab+0x4e/0x90
[   12.476679][    T1]  kasan_report+0xbd/0xf0
[   12.476775][    T1]  ? v9fs_stat2inode_dotl+0x9d6/0xb80
[   12.476903][    T1]  v9fs_stat2inode_dotl+0x9d6/0xb80
[   12.477053][    T1]  v9fs_fid_iget_dotl+0x18c/0x210
[   12.477180][    T1]  v9fs_mount+0x3fe/0x7d0
[   12.477281][    T1]  ? __pfx_v9fs_mount+0x10/0x10
[   12.477406][    T1]  ? vfs_parse_fs_string+0xdb/0x130
[   12.477533][    T1]  ? __pfx_vfs_parse_fs_string+0x10/0x10
[   12.477660][    T1]  ? __pfx_v9fs_mount+0x10/0x10
[   12.477786][    T1]  legacy_get_tree+0x107/0x200
[   12.477912][    T1]  vfs_get_tree+0x8a/0x2e0
[   12.478042][    T1]  do_new_mount+0x27d/0x5e0
[   12.478170][    T1]  ? __pfx_do_new_mount+0x10/0x10
[   12.478294][    T1]  ? __pfx___debug_check_no_obj_freed+0x10/0x10
[   12.478453][    T1]  ? __virt_addr_valid+0x227/0x420
[   12.478583][    T1]  path_mount+0x271/0x14f0
[   12.478713][    T1]  ? __pfx_path_mount+0x10/0x10
[   12.478840][    T1]  ? kmem_cache_free+0xd7/0x220
[   12.478970][    T1]  ? kern_path+0x3d/0x50
[   12.479068][    T1]  init_mount+0x9d/0xf0
[   12.479164][    T1]  ? __pfx_init_mount+0x10/0x10
[   12.479292][    T1]  do_mount_root+0xbc/0x330
[   12.479419][    T1]  mount_root_generic+0x22c/0x470
[   12.479550][    T1]  ? __pfx_mount_root_generic+0x10/0x10
[   12.479680][    T1]  ? mount_root+0x25b/0x2f0
[   12.479807][    T1]  prepare_namespace+0xa5/0x2d0
[   12.479933][    T1]  ? __pfx_prepare_namespace+0x10/0x10
[   12.480061][    T1]  ? __pfx_kernel_init+0x10/0x10
[   12.480188][    T1]  kernel_init+0x20/0x200
[   12.480285][    T1]  ? __pfx_kernel_init+0x10/0x10
[   12.480410][    T1]  ret_from_fork+0x31/0x70
[   12.480543][    T1]  ? __pfx_kernel_init+0x10/0x10
[   12.480670][    T1]  ret_from_fork_asm+0x1a/0x30
[   12.480807][    T1]  </TASK>
[   12.480904][    T1] 
[   12.480969][    T1] Allocated by task 1:
[   12.481063][    T1]  kasan_save_stack+0x24/0x50
[   12.481191][    T1]  kasan_save_track+0x14/0x30
[   12.481323][    T1]  __kasan_kmalloc+0x7f/0x90
[   12.481449][    T1]  p9_client_getattr_dotl+0x4c/0x1a0
[   12.481576][    T1]  v9fs_fid_iget_dotl+0xca/0x210
[   12.481706][    T1]  v9fs_mount+0x3fe/0x7d0
[   12.481801][    T1]  legacy_get_tree+0x107/0x200
[   12.481927][    T1]  vfs_get_tree+0x8a/0x2e0
[   12.482053][    T1]  do_new_mount+0x27d/0x5e0
[   12.482178][    T1]  path_mount+0x271/0x14f0
[   12.482303][    T1]  init_mount+0x9d/0xf0
[   12.482397][    T1]  do_mount_root+0xbc/0x330
[   12.482523][    T1]  mount_root_generic+0x22c/0x470
[   12.482649][    T1]  prepare_namespace+0xa5/0x2d0
[   12.482779][    T1]  kernel_init+0x20/0x200
[   12.482876][    T1]  ret_from_fork+0x31/0x70
[   12.483002][    T1]  ret_from_fork_asm+0x1a/0x30
[   12.483128][    T1] 
[   12.483191][    T1] Freed by task 1:
[   12.483283][    T1]  kasan_save_stack+0x24/0x50
[   12.483409][    T1]  kasan_save_track+0x14/0x30
[   12.483535][    T1]  kasan_save_free_info+0x3b/0x60
[   12.483662][    T1]  __kasan_slab_free+0xf4/0x180
[   12.483788][    T1]  kfree+0xd3/0x230
[   12.483886][    T1]  v9fs_fid_iget_dotl+0x15e/0x210
[   12.484017][    T1]  v9fs_mount+0x3fe/0x7d0
[   12.484112][    T1]  legacy_get_tree+0x107/0x200
[   12.484238][    T1]  vfs_get_tree+0x8a/0x2e0
[   12.484365][    T1]  do_new_mount+0x27d/0x5e0
[   12.484492][    T1]  path_mount+0x271/0x14f0
[   12.484619][    T1]  init_mount+0x9d/0xf0
[   12.484713][    T1]  do_mount_root+0xbc/0x330
[   12.484846][    T1]  mount_root_generic+0x22c/0x470
[   12.484974][    T1]  prepare_namespace+0xa5/0x2d0
[   12.485100][    T1]  kernel_init+0x20/0x200
[   12.485196][    T1]  ret_from_fork+0x31/0x70
[   12.485324][    T1]  ret_from_fork_asm+0x1a/0x30
[   12.485449][    T1] 
[   12.485512][    T1] The buggy address belongs to the object at ffff888002bdbad8
[   12.485512][    T1]  which belongs to the cache kmalloc-192 of size 192
[   12.485825][    T1] The buggy address is located 0 bytes inside of
[   12.485825][    T1]  freed 192-byte region [ffff888002bdbad8, ffff888002bdbb98)
[   12.486131][    T1] 
[   12.486194][    T1] The buggy address belongs to the physical page:
[   12.486347][    T1] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888002bdbc10 pfn:0x2bda
[   12.486600][    T1] head: order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   12.486795][    T1] flags: 0x80000000000a40(workingset|slab|head|node=0|zone=1)
[   12.486989][    T1] page_type: 0xffffffff()
[   12.487088][    T1] raw: 0080000000000a40 ffff888001042c40 ffff888001040a88 ffff888001040a88
[   12.487315][    T1] raw: ffff888002bdbc10 00000000001a0017 00000001ffffffff 0000000000000000
[   12.487538][    T1] head: 0080000000000a40 ffff888001042c40 ffff888001040a88 ffff888001040a88
[   12.487765][    T1] head: ffff888002bdbc10 00000000001a0017 00000001ffffffff 0000000000000000
[   12.487992][    T1] head: 0080000000000001 ffffea00000af681 dead000000000122 00000000ffffffff
[   12.488213][    T1] head: 0000000200000000 0000000000000000 00000000ffffffff 0000000000000000
[   12.488436][    T1] page dumped because: kasan: bad access detected
[   12.488590][    T1] 
[   12.488653][    T1] Memory state around the buggy address:
[   12.488797][    T1]  ffff888002bdb980: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
[   12.488986][    T1]  ffff888002bdba00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   12.489168][    T1] >ffff888002bdba80: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb
[   12.489353][    T1]                                                     ^
[   12.489506][    T1]  ffff888002bdbb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.489688][    T1]  ffff888002bdbb80: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.489873][    T1] ==================================================================
Eric Van Hensbergen March 22, 2024, 2:26 p.m. UTC | #4
Patch is in the unapplied portion of my for-next tree along with another one.  I was hoping to hear some feedback on the other one before i did a pull request and was torn on whether or not I wait on -rc1 to send since we are so close.

       -eric


March 21, 2024 at 8:28 PM, "Jakub Kicinski" <kuba@kernel.org> wrote:
> 
> On Mon, 4 Mar 2024 22:02:29 +0900 asmadeus@codewreck.org wrote:
> 
> > 
> > Lizhi Xu wrote on Fri, Feb 02, 2024 at 08:15:31PM +0800:
> > 
> >  The incorrect logical order of accessing the st object code in v9fs_fid_iget_dotl
> > 
> >  is causing this uaf. 
> > 
> >  
> > 
> >  Thanks for the fix!
> > 
> >  
> > 
> >  Eric, this is also for your tree.
> > 
> >  
> > 
> >  Fixes: 724a08450f74 ("fs/9p: simplify iget to remove unnecessary paths") 
> > 
> >  
> > 
> >  (careful if you rebase your tree as this commit isn't merged yet)
> > 
> >  
> > 
> >  Reported-and-tested-by: syzbot+7a3d75905ea1a830dbe5@syzkaller.appspotmail.com
> > 
> >  Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com> 
> > 
> >  
> > 
> >  Reviewed-by: Dominique Martinet <asmadeus@codewreck.org>
> > 
> 
> Looks like this UAF is in Linus's tree now, and possibly getting hit
> 
> by anyone using virtme to test the kernel? I can't vouch for the
> 
> correctness of the fix but it does make the KASAN splat go away for me.
> 
> [ 12.474676][ T1] ==================================================================
> 
> [ 12.474870][ T1] BUG: KASAN: slab-use-after-free in v9fs_stat2inode_dotl+0x9d6/0xb80
> 
> [ 12.475060][ T1] Read of size 8 at addr ffff888002bdbad8 by task swapper/0/1
> 
> [ 12.475248][ T1] 
> 
> [ 12.475314][ T1] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.8.0-virtme #1
> 
> [ 12.475503][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
> 
> [ 12.475811][ T1] Call Trace:
> 
> [ 12.475908][ T1] <TASK>
> 
> [ 12.475976][ T1] dump_stack_lvl+0x82/0xd0
> 
> [ 12.476133][ T1] print_address_description.constprop.0+0x2c/0x3b0
> 
> [ 12.476295][ T1] ? v9fs_stat2inode_dotl+0x9d6/0xb80
> 
> [ 12.476425][ T1] print_report+0xb4/0x270
> 
> [ 12.476552][ T1] ? kasan_addr_to_slab+0x4e/0x90
> 
> [ 12.476679][ T1] kasan_report+0xbd/0xf0
> 
> [ 12.476775][ T1] ? v9fs_stat2inode_dotl+0x9d6/0xb80
> 
> [ 12.476903][ T1] v9fs_stat2inode_dotl+0x9d6/0xb80
> 
> [ 12.477053][ T1] v9fs_fid_iget_dotl+0x18c/0x210
> 
> [ 12.477180][ T1] v9fs_mount+0x3fe/0x7d0
> 
> [ 12.477281][ T1] ? __pfx_v9fs_mount+0x10/0x10
> 
> [ 12.477406][ T1] ? vfs_parse_fs_string+0xdb/0x130
> 
> [ 12.477533][ T1] ? __pfx_vfs_parse_fs_string+0x10/0x10
> 
> [ 12.477660][ T1] ? __pfx_v9fs_mount+0x10/0x10
> 
> [ 12.477786][ T1] legacy_get_tree+0x107/0x200
> 
> [ 12.477912][ T1] vfs_get_tree+0x8a/0x2e0
> 
> [ 12.478042][ T1] do_new_mount+0x27d/0x5e0
> 
> [ 12.478170][ T1] ? __pfx_do_new_mount+0x10/0x10
> 
> [ 12.478294][ T1] ? __pfx___debug_check_no_obj_freed+0x10/0x10
> 
> [ 12.478453][ T1] ? __virt_addr_valid+0x227/0x420
> 
> [ 12.478583][ T1] path_mount+0x271/0x14f0
> 
> [ 12.478713][ T1] ? __pfx_path_mount+0x10/0x10
> 
> [ 12.478840][ T1] ? kmem_cache_free+0xd7/0x220
> 
> [ 12.478970][ T1] ? kern_path+0x3d/0x50
> 
> [ 12.479068][ T1] init_mount+0x9d/0xf0
> 
> [ 12.479164][ T1] ? __pfx_init_mount+0x10/0x10
> 
> [ 12.479292][ T1] do_mount_root+0xbc/0x330
> 
> [ 12.479419][ T1] mount_root_generic+0x22c/0x470
> 
> [ 12.479550][ T1] ? __pfx_mount_root_generic+0x10/0x10
> 
> [ 12.479680][ T1] ? mount_root+0x25b/0x2f0
> 
> [ 12.479807][ T1] prepare_namespace+0xa5/0x2d0
> 
> [ 12.479933][ T1] ? __pfx_prepare_namespace+0x10/0x10
> 
> [ 12.480061][ T1] ? __pfx_kernel_init+0x10/0x10
> 
> [ 12.480188][ T1] kernel_init+0x20/0x200
> 
> [ 12.480285][ T1] ? __pfx_kernel_init+0x10/0x10
> 
> [ 12.480410][ T1] ret_from_fork+0x31/0x70
> 
> [ 12.480543][ T1] ? __pfx_kernel_init+0x10/0x10
> 
> [ 12.480670][ T1] ret_from_fork_asm+0x1a/0x30
> 
> [ 12.480807][ T1] </TASK>
> 
> [ 12.480904][ T1] 
> 
> [ 12.480969][ T1] Allocated by task 1:
> 
> [ 12.481063][ T1] kasan_save_stack+0x24/0x50
> 
> [ 12.481191][ T1] kasan_save_track+0x14/0x30
> 
> [ 12.481323][ T1] __kasan_kmalloc+0x7f/0x90
> 
> [ 12.481449][ T1] p9_client_getattr_dotl+0x4c/0x1a0
> 
> [ 12.481576][ T1] v9fs_fid_iget_dotl+0xca/0x210
> 
> [ 12.481706][ T1] v9fs_mount+0x3fe/0x7d0
> 
> [ 12.481801][ T1] legacy_get_tree+0x107/0x200
> 
> [ 12.481927][ T1] vfs_get_tree+0x8a/0x2e0
> 
> [ 12.482053][ T1] do_new_mount+0x27d/0x5e0
> 
> [ 12.482178][ T1] path_mount+0x271/0x14f0
> 
> [ 12.482303][ T1] init_mount+0x9d/0xf0
> 
> [ 12.482397][ T1] do_mount_root+0xbc/0x330
> 
> [ 12.482523][ T1] mount_root_generic+0x22c/0x470
> 
> [ 12.482649][ T1] prepare_namespace+0xa5/0x2d0
> 
> [ 12.482779][ T1] kernel_init+0x20/0x200
> 
> [ 12.482876][ T1] ret_from_fork+0x31/0x70
> 
> [ 12.483002][ T1] ret_from_fork_asm+0x1a/0x30
> 
> [ 12.483128][ T1] 
> 
> [ 12.483191][ T1] Freed by task 1:
> 
> [ 12.483283][ T1] kasan_save_stack+0x24/0x50
> 
> [ 12.483409][ T1] kasan_save_track+0x14/0x30
> 
> [ 12.483535][ T1] kasan_save_free_info+0x3b/0x60
> 
> [ 12.483662][ T1] __kasan_slab_free+0xf4/0x180
> 
> [ 12.483788][ T1] kfree+0xd3/0x230
> 
> [ 12.483886][ T1] v9fs_fid_iget_dotl+0x15e/0x210
> 
> [ 12.484017][ T1] v9fs_mount+0x3fe/0x7d0
> 
> [ 12.484112][ T1] legacy_get_tree+0x107/0x200
> 
> [ 12.484238][ T1] vfs_get_tree+0x8a/0x2e0
> 
> [ 12.484365][ T1] do_new_mount+0x27d/0x5e0
> 
> [ 12.484492][ T1] path_mount+0x271/0x14f0
> 
> [ 12.484619][ T1] init_mount+0x9d/0xf0
> 
> [ 12.484713][ T1] do_mount_root+0xbc/0x330
> 
> [ 12.484846][ T1] mount_root_generic+0x22c/0x470
> 
> [ 12.484974][ T1] prepare_namespace+0xa5/0x2d0
> 
> [ 12.485100][ T1] kernel_init+0x20/0x200
> 
> [ 12.485196][ T1] ret_from_fork+0x31/0x70
> 
> [ 12.485324][ T1] ret_from_fork_asm+0x1a/0x30
> 
> [ 12.485449][ T1] 
> 
> [ 12.485512][ T1] The buggy address belongs to the object at ffff888002bdbad8
> 
> [ 12.485512][ T1] which belongs to the cache kmalloc-192 of size 192
> 
> [ 12.485825][ T1] The buggy address is located 0 bytes inside of
> 
> [ 12.485825][ T1] freed 192-byte region [ffff888002bdbad8, ffff888002bdbb98)
> 
> [ 12.486131][ T1] 
> 
> [ 12.486194][ T1] The buggy address belongs to the physical page:
> 
> [ 12.486347][ T1] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888002bdbc10 pfn:0x2bda
> 
> [ 12.486600][ T1] head: order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> 
> [ 12.486795][ T1] flags: 0x80000000000a40(workingset|slab|head|node=0|zone=1)
> 
> [ 12.486989][ T1] page_type: 0xffffffff()
> 
> [ 12.487088][ T1] raw: 0080000000000a40 ffff888001042c40 ffff888001040a88 ffff888001040a88
> 
> [ 12.487315][ T1] raw: ffff888002bdbc10 00000000001a0017 00000001ffffffff 0000000000000000
> 
> [ 12.487538][ T1] head: 0080000000000a40 ffff888001042c40 ffff888001040a88 ffff888001040a88
> 
> [ 12.487765][ T1] head: ffff888002bdbc10 00000000001a0017 00000001ffffffff 0000000000000000
> 
> [ 12.487992][ T1] head: 0080000000000001 ffffea00000af681 dead000000000122 00000000ffffffff
> 
> [ 12.488213][ T1] head: 0000000200000000 0000000000000000 00000000ffffffff 0000000000000000
> 
> [ 12.488436][ T1] page dumped because: kasan: bad access detected
> 
> [ 12.488590][ T1] 
> 
> [ 12.488653][ T1] Memory state around the buggy address:
> 
> [ 12.488797][ T1] ffff888002bdb980: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
> 
> [ 12.488986][ T1] ffff888002bdba00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
> 
> [ 12.489168][ T1] >ffff888002bdba80: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb
> 
> [ 12.489353][ T1] ^
> 
> [ 12.489506][ T1] ffff888002bdbb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> 
> [ 12.489688][ T1] ffff888002bdbb80: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
> 
> [ 12.489873][ T1] ==================================================================
>
Jakub Kicinski March 22, 2024, 3:13 p.m. UTC | #5
On Fri, 22 Mar 2024 14:26:07 +0000 Eric Van Hensbergen wrote:
> Patch is in the unapplied portion of my for-next tree along with
> another one.  I was hoping to hear some feedback on the other one
> before i did a pull request and was torn on whether or not I wait on
> -rc1 to send since we are so close.

My guess would be that quite a few folks use 9p for in-VM kernel
testing. Real question is how many actually update their work tree
before -rc1 or even -rc2, given the anticipated merge window code
instability.. so maybe there's no extreme urgency?

From netdev's perspective, FWIW, it'd be great if the fix reached
Linux before Thursday, which is when we will forward our tree again.
Jakub Kicinski March 27, 2024, 6:53 p.m. UTC | #6
On Fri, 22 Mar 2024 08:13:12 -0700 Jakub Kicinski wrote:
> On Fri, 22 Mar 2024 14:26:07 +0000 Eric Van Hensbergen wrote:
> > Patch is in the unapplied portion of my for-next tree along with
> > another one.  I was hoping to hear some feedback on the other one
> > before i did a pull request and was torn on whether or not I wait on
> > -rc1 to send since we are so close.  
> 
> My guess would be that quite a few folks use 9p for in-VM kernel
> testing. Real question is how many actually update their work tree
> before -rc1 or even -rc2, given the anticipated merge window code
> instability.. so maybe there's no extreme urgency?
> 
> From netdev's perspective, FWIW, it'd be great if the fix reached
> Linux before Thursday, which is when we will forward our tree again.

Any progress on getting the fix to Linus? I didn't spot it getting
merged.

I'm a bit surprised there aren't more people complaining TBH
I'd have thought any CI setup with KASAN enabled has a good 
chance of hitting this..
Alexei Starovoitov March 27, 2024, 7:02 p.m. UTC | #7
On Wed, Mar 27, 2024 at 11:53 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Fri, 22 Mar 2024 08:13:12 -0700 Jakub Kicinski wrote:
> > On Fri, 22 Mar 2024 14:26:07 +0000 Eric Van Hensbergen wrote:
> > > Patch is in the unapplied portion of my for-next tree along with
> > > another one.  I was hoping to hear some feedback on the other one
> > > before i did a pull request and was torn on whether or not I wait on
> > > -rc1 to send since we are so close.
> >
> > My guess would be that quite a few folks use 9p for in-VM kernel
> > testing. Real question is how many actually update their work tree
> > before -rc1 or even -rc2, given the anticipated merge window code
> > instability.. so maybe there's no extreme urgency?
> >
> > From netdev's perspective, FWIW, it'd be great if the fix reached
> > Linux before Thursday, which is when we will forward our tree again.
>
> Any progress on getting the fix to Linus? I didn't spot it getting
> merged.
>
> I'm a bit surprised there aren't more people complaining TBH
> I'd have thought any CI setup with KASAN enabled has a good
> chance of hitting this..

The proposed fix is no brainer:
https://lore.kernel.org/all/20240202121531.2550018-1-lizhi.xu@windriver.com/

+ v9fs_stat2inode_dotl(st, inode, 0);
  kfree(st);
  if (retval)
    goto error;

- v9fs_stat2inode_dotl(st, inode, 0);

Please ship it to Linus asap.
I'm surprised this bug slipped through.

It does affect bpf developers and our CI, since we run with KASAN and use 9P.
diff mbox series

Patch

diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
index ef9db3e03506..2b313fe7003e 100644
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -78,11 +78,11 @@  struct inode *v9fs_fid_iget_dotl(struct super_block *sb, struct p9_fid *fid)
 
 	retval = v9fs_init_inode(v9ses, inode, &fid->qid,
 				 st->st_mode, new_decode_dev(st->st_rdev));
+	v9fs_stat2inode_dotl(st, inode, 0);
 	kfree(st);
 	if (retval)
 		goto error;
 
-	v9fs_stat2inode_dotl(st, inode, 0);
 	v9fs_set_netfs_context(inode);
 	v9fs_cache_inode_get_cookie(inode);
 	retval = v9fs_get_acl(inode, fid);