From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: santosh.shilimkar@oracle.com, David Miller <davem@davemloft.net>,
netdev <netdev@vger.kernel.org>,
linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com,
LKML <linux-kernel@vger.kernel.org>,
Eric Dumazet <edumazet@google.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: net/rds: use-after-free in inet_create
Date: Tue, 28 Feb 2017 11:15:44 -0500
Message-ID: <20170228161544.GH31155@oracle.com>
In-Reply-To: <CACT4Y+aobp+g_AYoX6j1eftyyirK4pBxhOXz9hDu+XU+-jxSYw@mail.gmail.com>

On (02/28/17 16:49), Dmitry Vyukov wrote:
>
> Grepping "socket" there, it was doing lots of things with sockets. Are
> we looking for some particular socket type? If there are few programs
> that create sockets of that type, then we can narrow down the set:

Yes, we are looking for PF_RDS/AF_RDS - this should be

    #define AF_RDS 21 /* RDS sockets */

I see PF_KCM there (value 41) but no instances of 0x15.. how did
the rds_connect_worker thread get kicked off at all?

the way this is supposed to work is

1. someone modprobes rds-tcp
2. app tries to do rds_sendmsg to some ip address in a netns - this triggers the
   creation of an rds_connection, and subsequent kernel socket TCP connection
   threads (i.e., rds_connect_worker) for that netns
3. if you unload rds-tcp, the module_unload should do all the cleanup
   needed via rds_tcp_conn_paths_destroy. This is done

It's not clear to me that the test is doing any of this...

is this reproducible? let me check if there is some race window where
we can restart a connection attempt when rds_tcp_kill_sock assumes
that the connect worker has been quiesced..

--Sowmini
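
Added example, not part of the original message or of syzkaller: a small triage script for the narrowing step discussed above, listing which programs in a fuzzer log create a socket of a given address family (AF_RDS = 21 = 0x15, PF_KCM = 41 = 0x29). The "executing program N:" marker, the call syntax, and the sample log are assumptions constructed for illustration; decimal arguments are accepted as a generalization.

```python
import re
from collections import defaultdict

AF_RDS = 21  # 0x15, value quoted in the message
PF_KCM = 41  # 0x29, value quoted in the message

# Assumed log layout: an "executing program N:" marker, then one call per line.
PROG_RE = re.compile(r"executing program (\d+):")
# socket(...), socket$variant(...), socketpair$variant(...); group 2 = family.
SOCK_RE = re.compile(r"\b(socket(?:pair)?(?:\$\w+)?)\((0x[0-9a-fA-F]+|\d+)\b")

def socket_families(log_text):
    """Map program id -> [(call name, family)]; lines before a marker are skipped."""
    found, current = defaultdict(list), None
    for line in log_text.splitlines():
        m = PROG_RE.search(line)
        if m:
            current = int(m.group(1))
            continue
        if current is None:
            continue
        for call, fam in SOCK_RE.findall(line):
            base = 16 if fam.lower().startswith("0x") else 10
            found[current].append((call, int(fam, base)))
    return dict(found)

def programs_using(log_text, family):
    """Sorted ids of programs that create at least one socket of `family`."""
    return sorted(pid for pid, calls in socket_families(log_text).items()
                  if any(fam == family for _, fam in calls))

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
2017/02/28 14:00:01 executing program 0:
r0 = socket$kcm(0x29, 0x2, 0x0)
ioctl(r0, 0x89e0, &(0x7f0000000000)={0x0})
2017/02/28 14:00:01 executing program 1:
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = socket(0x15, 0x5, 0x0)
2017/02/28 14:00:02 executing program 2:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000001000)={<r1=>0x0, <r2=>0x0})
2017/02/28 14:00:02 executing program 3:
r0 = socket(21, 5, 0)
"""

if __name__ == "__main__":
    for fam, name in ((AF_RDS, "AF_RDS"), (PF_KCM, "PF_KCM")):
        print(name, hex(fam), "created by programs", programs_using(SAMPLE_LOG, fam))
```

An empty result for family 21 on a real log would match the observation in the message that no 0x15 sockets appear.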