Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)

From: Luis Chamberlain
Date: Tue Nov 15 2022 - 14:35:40 EST

Next message: Sean Christopherson: "Re: [PATCH v3 0/3] x86/crash: Fix double NMI shootdown bug"
Previous message: Chaitanya Kulkarni: "Re: [PATCH] coredump: Fix build error for ‘dump_emit_page’ defined but not used"
In reply to: Dmitry Torokhov: "Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)"
Next in thread: Dmitry Torokhov: "Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Nov 14, 2022 at 10:07:02AM -0800, Dmitry Torokhov wrote:
> I do not see how moving the point where we acquire device refcount
> around fixes anything.

The patch I posted does two things, moving the point where we acquire
device refcount was just one so it was not clear that what I really
wanted to be enforce a check for first, and that is that the driver
*did* do the correct thing.

So while we can surely expect the driver to do proper device refcounting
and waiting on device removal, buggy drivers do exist and we should
strive to not allow UAF with them.

So something like this:

Next message: Sean Christopherson: "Re: [PATCH v3 0/3] x86/crash: Fix double NMI shootdown bug"
Previous message: Chaitanya Kulkarni: "Re: [PATCH] coredump: Fix build error for ‘dump_emit_page’ defined but not used"
In reply to: Dmitry Torokhov: "Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)"
Next in thread: Dmitry Torokhov: "Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]