From: Jason Gunthorpe <jgg@ziepe.ca>
To: Hillf Danton <hdanton@sina.com>
Cc: syzbot <syzbot+adb15cf8c2798e4e0db4@syzkaller.appspotmail.com>,
	chuck.lever@oracle.com, danielj@mellanox.com,
	danitg@mellanox.com, dledford@redhat.com, leon@kernel.org,
	linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org,
	parav@mellanox.com, swise@opengridcomputing.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in rdma_listen (2)
Date: Tue, 18 Feb 2020 15:13:51 -0400
Message-ID: <20200218191351.GF31668@ziepe.ca>
In-Reply-To: <20200218122717.10748-1-hdanton@sina.com>

On Tue, Feb 18, 2020 at 08:27:17PM +0800, Hillf Danton wrote:
> Check if rdma is being reclaimed before listening on device while
> reclaimer is waiting for rdma to become quiesce.

This is the usual syzkaller bug in rdma_cm

The test causes rdma_resolve_addr() and rdma_listen() to run
concurrently.

There is no sane locking, so in turn this causes invariants to become
violated, in particular, in rdma_listen() we can have !id->device
but also !cma_any_addr(cma_src_addr(id_priv)).

This causes cma_listen_on_all() to wrongly be called and because the
invariant is screwed up cma_cancel_listens() doesn't undo it.

Thus we fail to list_del id_priv->list from the listen_any_list and
the next manipulation of the list gets a use-after on the list member
which was now freed.

The fix is the same as all the others, add some kind of locking
instead of all this defective cma_comp_exch() thing..

Jason
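As an added illustration, not part of the mail or of the kernel source: a constructed user-space C model of the invariant mismatch described above, with hypothetical names standing in for id->device, cma_any_addr(), listen_any_list and the cma_* helpers. race_leaves_dangling(false) plays the interleaving in which rdma_listen() observes the source address already written by rdma_resolve_addr() but no device yet; race_leaves_dangling(true) serializes the two calls, as a lock around each rdma_cm entry point would.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model; field and function names are hypothetical, not the kernel's. */
struct id_priv {
    bool device;            /* stands in for id->device != NULL */
    bool src_any;           /* stands in for cma_any_addr(cma_src_addr(id_priv)) */
    struct id_priv *next;   /* singly linked stand-in for id_priv->list */
};
static struct id_priv *listen_any_list;   /* stand-in for the global listen_any_list */

/* rdma_resolve_addr() as two observable steps: the source address is written
 * first, the device is attached later, so a concurrent caller can see the middle. */
static void resolve_addr_step1(struct id_priv *p) { p->src_any = false; }
static void resolve_addr_step2(struct id_priv *p) { p->device = true; }

/* rdma_listen(): no device means "listen on all", i.e. join listen_any_list. */
static void model_listen(struct id_priv *p) {
    if (!p->device) { p->next = listen_any_list; listen_any_list = p; }
}

/* cma_cancel_listens() only runs when the address is still "any" and no device
 * is attached; that condition does not mirror the one used by model_listen(). */
static void model_cancel(struct id_priv *p) {
    if (p->src_any && !p->device)
        for (struct id_priv **pp = &listen_any_list; *pp; pp = &(*pp)->next)
            if (*pp == p) { *pp = p->next; break; }
}

/* Returns true if the id is still reachable from listen_any_list at the moment it
 * is freed, i.e. the next list walk would read freed memory. serialized == true
 * models a lock around each rdma_cm call: resolve_addr() completes before listen(). */
bool race_leaves_dangling(bool serialized) {
    struct id_priv *p = calloc(1, sizeof *p);
    bool dangling = false;
    p->src_any = true;
    listen_any_list = NULL;
    resolve_addr_step1(p);
    if (serialized) resolve_addr_step2(p);
    model_listen(p);                     /* unserialized: sees !device, joins the list */
    if (!serialized) resolve_addr_step2(p);
    model_cancel(p);
    for (struct id_priv *q = listen_any_list; q; q = q->next)
        if (q == p) dangling = true;     /* checked before free(), so no stale read here */
    free(p);
    return dangling;
}
```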
