From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: syzbot <syzbot+bbd8e9a06452cc48059b@syzkaller.appspotmail.com>
Cc: davem@davemloft.net, linux-kernel@vger.kernel.org,
	linux-rdma@vger.kernel.org, netdev@vger.kernel.org,
	rds-devel@oss.oracle.com, santosh.shilimkar@oracle.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in rds_tcp_tune
Date: Fri, 12 Jan 2018 13:30:46 -0500	[thread overview]
Message-ID: <20180112183046.GA26098@oracle.com> (raw)
In-Reply-To: <001a1141a524c513ca05628d8ad4@google.com>

On (01/11/18 21:29), syzbot wrote:
> ==================================================================
> BUG: KASAN: use-after-free in rds_tcp_tune+0x491/0x520 net/rds/tcp.c:397
> Read of size 4 at addr ffff8801cd5f6c58 by task kworker/u4:4/4954

Just had an offline discussion with santosh around this, here's a summary
of that discussion for the archives:

Looks like an rds_connect_worker workq got scheduled after the
netns was deleted. This could happen if an rds_connection got
added between lines 528 and 529 of

  506 static void rds_tcp_kill_sock(struct net *net)
  :
  /* code to pull out all the rds_connections that should be destroyed */
  :
  528         spin_unlock_irq(&rds_tcp_conn_lock);
  529         list_for_each_entry_safe(tc, _tc, &tmp_list, t_tcp_node)
  530                 rds_conn_destroy(tc->t_cpath->cp_conn);

Such an rds_connection would miss the rds_conn_destroy()
loop (that cancels all pending work) and (if it was scheduled
after netns deletion) could trigger the use-after-free.

Evaluating various fixes for this (including using _bh instead of _irq
as suggested by santosh), I'll get back with a patch soon.

--Sowmini
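The window described above, modelled as an added example: this is illustration code written for this page, not code from net/rds or the eventual upstream fix. It replaces the kernel's spinlock and list macros with a pthread mutex and a hand-rolled list, and drives the interleaving sequentially (snapshot under the lock, drop the lock, a racing add, then the destroy loop) so the outcome is deterministic. The `dying` flag in the hardened variant is one generic way to close such a teardown window and is an assumption of the model, not a statement about what RDS does.

```c
/* Constructed model of a teardown race: a registry of connections is
 * emptied under a lock, the lock is dropped, and only the snapshot is
 * destroyed. Anything added after the unlock keeps its pending work and
 * outlives its owner. All names here are invented for the illustration. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct conn {
    int id;
    bool work_pending;      /* models a queued connect worker */
    struct conn *next;
};

struct registry {
    pthread_mutex_t lock;
    struct conn *head;
    bool dying;             /* hardened variant: set once teardown begins */
};

static void registry_init(struct registry *r)
{
    pthread_mutex_init(&r->lock, NULL);
    r->head = NULL;
    r->dying = false;
}

/* Add a connection with pending work. In the hardened variant the add is
 * refused once teardown has started, so nothing can slip into the window. */
static struct conn *conn_add(struct registry *r, int id, bool hardened)
{
    pthread_mutex_lock(&r->lock);
    if (hardened && r->dying) {
        pthread_mutex_unlock(&r->lock);
        return NULL;
    }
    struct conn *c = calloc(1, sizeof(*c));
    c->id = id;
    c->work_pending = true;
    c->next = r->head;
    r->head = c;
    pthread_mutex_unlock(&r->lock);
    return c;
}

/* Teardown phase 1: pull every connection off the registry under the lock
 * and return the snapshot. This is the equivalent of everything up to the
 * spin_unlock_irq() at line 528 in the quoted code. */
static struct conn *teardown_snapshot(struct registry *r, bool hardened)
{
    pthread_mutex_lock(&r->lock);
    if (hardened)
        r->dying = true;    /* close the window before dropping the lock */
    struct conn *snap = r->head;
    r->head = NULL;
    pthread_mutex_unlock(&r->lock);
    return snap;
}

/* Teardown phase 2: the destroy loop (lines 529-530). Cancelling pending
 * work is modelled by clearing the flag before freeing. */
static void teardown_destroy(struct conn *snap)
{
    while (snap) {
        struct conn *next = snap->next;
        snap->work_pending = false;
        free(snap);
        snap = next;
    }
}

/* Connections still on the registry with work pending after teardown are
 * exactly the ones whose worker would later touch freed owner state. */
static int count_orphans(struct registry *r)
{
    int n = 0;
    for (struct conn *c = r->head; c; c = c->next)
        n += c->work_pending;
    return n;
}

/* Drive the interleaving from the mail and report how many connections
 * survived teardown. Returns 1 for the naive variant, 0 for the hardened one. */
int run_scenario(bool hardened)
{
    struct registry r;
    registry_init(&r);
    conn_add(&r, 1, hardened);
    conn_add(&r, 2, hardened);
    struct conn *snap = teardown_snapshot(&r, hardened); /* lock dropped here */
    conn_add(&r, 3, hardened);                           /* racing add in the window */
    teardown_destroy(snap);
    int orphans = count_orphans(&r);
    teardown_destroy(r.head);                            /* cleanup of the model */
    pthread_mutex_destroy(&r.lock);
    return orphans;
}

int main(void)
{
    printf("naive teardown leaves %d orphan(s)\n", run_scenario(false));
    printf("hardened teardown leaves %d orphan(s)\n", run_scenario(true));
    return 0;
}
```

The point the model makes is that the snapshot-then-destroy shape is only safe if the producer side is told, under the same lock, that it must stop producing; otherwise the gap between the unlock and the destroy loop is an ordinary window for a use-after-free once the owner goes away.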
