From: Sowmini Varadhan <sowmini.varadhan-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
To: Dmitry Vyukov <dvyukov-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Cc: santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org,
David Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>,
netdev <netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
rds-devel-N0ozoZBvEnrZJqsBc5GL+g@public.gmane.org,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Eric Dumazet <edumazet-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
syzkaller <syzkaller-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
Subject: Re: net/rds: use-after-free in inet_create
Date: Tue, 28 Feb 2017 12:33:28 -0500 [thread overview]
Message-ID: <20170228173328.GL31155@oracle.com> (raw)
In-Reply-To: <CACT4Y+Y5eM8hKQ7BgA4hEN7ozkhRGgvGJRU6Smrths6noC-PMw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On (02/28/17 17:51), Dmitry Vyukov wrote:
> Searching other crashes for "net/rds" I found 2 more crashes that may
> be related. They suggest that the delayed works are not properly
> stopped when the socket is destroyed. That would explain how
> rds_connect_worker accesses freed net, right?
yes, I think we may want to explicitly cancel this workq.. this
in rds_conn_destroy().
I'm trying to build/sanity-test (if lucky, reproduce the bug)
as I send this out.. let me get back to you..
If I have a patch against net-next, would you be willing/able to
try it out? given that this does not show up on demand, I'm not
sure how we can check that "the fix worked"..
--Sowmini
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: santosh.shilimkar@oracle.com, David Miller <davem@davemloft.net>,
netdev <netdev@vger.kernel.org>,
linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com,
LKML <linux-kernel@vger.kernel.org>,
Eric Dumazet <edumazet@google.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: net/rds: use-after-free in inet_create
Date: Tue, 28 Feb 2017 12:33:28 -0500 [thread overview]
Message-ID: <20170228173328.GL31155@oracle.com> (raw)
In-Reply-To: <CACT4Y+Y5eM8hKQ7BgA4hEN7ozkhRGgvGJRU6Smrths6noC-PMw@mail.gmail.com>
On (02/28/17 17:51), Dmitry Vyukov wrote:
> Searching other crashes for "net/rds" I found 2 more crashes that may
> be related. They suggest that the delayed works are not properly
> stopped when the socket is destroyed. That would explain how
> rds_connect_worker accesses freed net, right?
yes, I think we may want to explicitly cancel this workq.. this
in rds_conn_destroy().
I'm trying to build/sanity-test (if lucky, reproduce the bug)
as I send this out.. let me get back to you..
If I have a patch against net-next, would you be willing/able to
try it out? given that this does not show up on demand, I'm not
sure how we can check that "the fix worked"..
--Sowmini
next prev parent reply other threads:[~2017-02-28 17:33 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-28 14:22 net/rds: use-after-free in inet_create Dmitry Vyukov
[not found] ` <CACT4Y+bi=rZr9yrajA0o0iUeR4N0q-sXYudBVsOeOiHbuApBeA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-28 15:37 ` Sowmini Varadhan
2017-02-28 15:37 ` Sowmini Varadhan
2017-02-28 15:49 ` Dmitry Vyukov
2017-02-28 16:15 ` Sowmini Varadhan
2017-02-28 16:32 ` Dmitry Vyukov
2017-02-28 16:38 ` Sowmini Varadhan
[not found] ` <20170228163833.GI31155-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2017-02-28 16:51 ` Dmitry Vyukov
2017-02-28 16:51 ` Dmitry Vyukov
[not found] ` <CACT4Y+Y5eM8hKQ7BgA4hEN7ozkhRGgvGJRU6Smrths6noC-PMw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-28 17:33 ` Sowmini Varadhan [this message]
2017-02-28 17:33 ` Sowmini Varadhan
[not found] ` <20170228173328.GL31155-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2017-02-28 17:45 ` Dmitry Vyukov
2017-02-28 17:45 ` Dmitry Vyukov
2017-02-28 17:48 ` Sowmini Varadhan
2017-02-28 22:24 ` Sowmini Varadhan
2017-02-28 22:24 ` Sowmini Varadhan
2017-03-01 9:47 ` Dmitry Vyukov
2017-02-28 21:06 ` Sowmini Varadhan
2017-02-28 21:14 ` Dmitry Vyukov
2017-02-28 21:37 ` Sowmini Varadhan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170228173328.GL31155@oracle.com \
--to=sowmini.varadhan-qhclzuegtsvqt0dzr+alfa@public.gmane.org \
--cc=davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org \
--cc=dvyukov-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=edumazet-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=rds-devel-N0ozoZBvEnrZJqsBc5GL+g@public.gmane.org \
--cc=santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org \
--cc=syzkaller-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.