On Mon, May 11, 2020 at 05:52:16AM +0000, Kyungtae Kim wrote:
> We report a bug (in linux-5.6.8) found by FuzzUSB (a modified version
> of syzkaller).
>
> kernel config: https://kt0755.github.io/etc/config_v5.6.8
>
> This bug happened when accessing a configfs_item instance right after it
> was deallocated.
> Specifically, config_item_get() tries to access the ci_kref element in a
> config_item instance.
> But this led to a memory access violation because that instance (held by a
> fsg_opts structure) had been freed by fsg_free_inst() in another thread
> (PID: 2603).
>
> To fix this, it needs to check if the config_item instance is still in use
> when trying to deallocate it.
Great, can you create a patch to fix this now that you have a solid test
for it?

thanks,

greg k-h
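As an added illustration (not kernel code, and not the patch being asked for above), here is a userspace C model of the pattern the report describes: an object whose lifetime is governed by a kref, a second holder that has taken a reference through config_item_get(), and an owner-side teardown that frees the object anyway. The kref helpers are a simplified stand-in for the kernel API; the names free_inst_unconditional(), free_inst_refcounted(), config_item_alloc() and the "lun.0" item are invented for the example. The buggy path reports how many references were outstanding when it freed the memory, and the dangling pointer is deliberately never dereferenced.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal userspace model of the kernel's kref (not the kernel's code). */
struct kref {
	atomic_int refcount;
};

static void kref_init(struct kref *k) { atomic_store(&k->refcount, 1); }
static void kref_get(struct kref *k) { atomic_fetch_add(&k->refcount, 1); }

/* Drop one reference; run release() and return 1 only on the last put. */
static int kref_put(struct kref *k, void (*release)(struct kref *))
{
	if (atomic_fetch_sub(&k->refcount, 1) == 1) {
		release(k);
		return 1;
	}
	return 0;
}

/* Modelled object: a config_item whose lifetime is governed by ci_kref. */
struct config_item {
	char name[32];
	struct kref ci_kref;
};

static int release_calls; /* how many times the item was actually freed */

static void config_item_release(struct kref *k)
{
	struct config_item *ci = (struct config_item *)
		((char *)k - offsetof(struct config_item, ci_kref));
	release_calls++;
	free(ci);
}

/* Hypothetical allocator: the owner starts with exactly one reference. */
static struct config_item *config_item_alloc(const char *name)
{
	struct config_item *ci = calloc(1, sizeof(*ci));
	if (!ci)
		return NULL;
	snprintf(ci->name, sizeof(ci->name), "%s", name);
	kref_init(&ci->ci_kref);
	return ci;
}

static struct config_item *config_item_get(struct config_item *ci)
{
	kref_get(&ci->ci_kref);
	return ci;
}

static void config_item_put(struct config_item *ci)
{
	kref_put(&ci->ci_kref, config_item_release);
}

/* Hypothetical buggy teardown: frees the item regardless of other holders.
 * Returns the refcount seen at the free; above 1 means someone else now
 * holds a dangling pointer, which is the use-after-free the report hit. */
static int free_inst_unconditional(struct config_item *ci)
{
	int outstanding = atomic_load(&ci->ci_kref.refcount);
	release_calls++;
	free(ci);
	return outstanding;
}

/* Hypothetical fixed teardown: drop only the owner's reference; whoever
 * puts the last reference frees the memory. Returns 1 if this call freed it. */
static int free_inst_refcounted(struct config_item *ci)
{
	return kref_put(&ci->ci_kref, config_item_release);
}

/* The race, modelled sequentially: another holder takes a reference, then
 * the owner tears the object down. Returns the refcount at the free. */
int scenario_unconditional(void)
{
	release_calls = 0;
	struct config_item *ci = config_item_alloc("lun.0"); /* constructed item */
	if (!ci)
		return -1;
	struct config_item *other = config_item_get(ci); /* second holder, refs 2 */
	int refs = free_inst_unconditional(ci);           /* freed with refs == 2 */
	(void)other; /* now dangling; intentionally never dereferenced */
	return refs;
}

/* Same sequence with the refcounted teardown. Returns 1 if the owner's
 * teardown did not free, the other holder could still read the item, and
 * the final put freed it exactly once. */
int scenario_refcounted(void)
{
	release_calls = 0;
	struct config_item *ci = config_item_alloc("lun.0");
	if (!ci)
		return -1;
	struct config_item *other = config_item_get(ci);
	int freed_by_owner = free_inst_refcounted(ci);        /* refs 2 -> 1 */
	int still_readable = strcmp(other->name, "lun.0") == 0;
	config_item_put(other);                                /* refs 1 -> 0, freed */
	return !freed_by_owner && still_readable && release_calls == 1;
}

int main(void)
{
	printf("unconditional free ran with %d outstanding refs\n",
	       scenario_unconditional());
	printf("refcounted teardown correct: %d\n", scenario_refcounted());
	return 0;
}
```

The point of the two scenarios is the check the report asks for: an owner must not free an object whose refcount it does not fully own, and the idiomatic way to make that check is to route the owner's teardown through kref_put() so that the last holder, whichever thread it runs on, is the one that releases.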