Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in sys_io_cancel

From: Edward Adam Davis
Date: Sun Mar 03 2024 - 06:39:47 EST

Next message: fuyuanli: "[PATCH net-next v2] net/nlmon: Cancel setting the fields of statistics to zero."
Previous message: Lukas Wunner: "Re: [PATCH v4 05/12] crypto: ecc - Add nbits field to ecc_curve structure"
In reply to: syzbot: "Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in sys_io_cancel"
Next in thread: syzbot: "Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in sys_io_cancel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

please test uaf in sys_io_cancel

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/fs/aio.c b/fs/aio.c
index 28223f511931..38c556514198 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1762,6 +1762,8 @@ static void aio_poll_complete_work(struct work_struct *work)
} /* else, POLLFREE has freed the waitqueue, so we must complete */
list_del_init(&iocb->ki_list);
iocb->ki_res.res = mangle_poll(mask);
+ if (refcount_read(&iocb->ki_refcnt) == 1)
+ iocb->ki_res.obj = -EINVAL;
spin_unlock_irq(&ctx->ctx_lock);

iocb_put(iocb);

Next message: fuyuanli: "[PATCH net-next v2] net/nlmon: Cancel setting the fields of statistics to zero."
Previous message: Lukas Wunner: "Re: [PATCH v4 05/12] crypto: ecc - Add nbits field to ecc_curve structure"
In reply to: syzbot: "Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in sys_io_cancel"
Next in thread: syzbot: "Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in sys_io_cancel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]