From: "Dae R. Jeong" <threeearcat@gmail.com>
To: Eric Dumazet <edumazet@google.com>
Cc: David Miller <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: KASAN: use-after-free Read in cfusbl_device_notify
Date: Fri, 24 Jun 2022 15:56:48 +0900
Message-ID: <YrVgMPxy2vNT9stU@archdragon>
In-Reply-To: <CANn89iJOibYQCsY+ekObagmwmPap0FGqYdJacsO1mVvOgkKmdg@mail.gmail.com>

On Fri, Jun 24, 2022 at 08:32:31AM +0200, Eric Dumazet wrote:
> On Fri, Jun 24, 2022 at 8:25 AM Dae R. Jeong <threeearcat@gmail.com> wrote:
> >
> > On Fri, Jun 24, 2022 at 08:15:54AM +0200, Eric Dumazet wrote:
> > > On Fri, Jun 24, 2022 at 8:08 AM Dae R. Jeong <threeearcat@gmail.com> wrote:
> > > >
> > > > Hello,
> > > >
> > > > We observed a crash "KASAN: use-after-free Read in cfusbl_device_notify" during fuzzing.
> > >
> > > This is a known problem.
> > >
> > > Some drivers do not like NETDEV_UNREGISTER being delivered multiple times.
> > >
> > > Make sure in your fuzzing to have NET_DEV_REFCNT_TRACKER=y
> > >
> > > Thanks.
> >
> > Our config already has CONFIG_NET_DEV_REFCNT_TRACKER=y.
>
> Are you also setting netdev_unregister_timeout_secs to a smaller value?
>
> netdev_unregister_timeout_secs
> ------------------------------
>
> Unregister network device timeout in seconds.
> This option controls the timeout (in seconds) used to issue a warning while
> waiting for a network device refcount to drop to 0 during device
> unregistration. A lower value may be useful during bisection to detect
> a leaked reference faster. A larger value may be useful to prevent false
> warnings on slow/loaded systems.
> Default value is 10, minimum 1, maximum 3600.

We are using the same config that Syzkaller uses. So its value is 140.
I'm not a network developer so I don't know whether there is a
possibility of a false alarm. Our fuzzer is a research prototype in
development, and I don't want to interrupt you with false alarms...

> > Anyway, this UAF report seems not interesting.
> >
> > Thank you for your quick reply.
> >
> >
> > Best regards,
> > Dae R. Jeong.

Best regards,
Dae R. Jeong.