From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: "santosh.shilimkar@oracle.com" <santosh.shilimkar@oracle.com>
Cc: netdev@vger.kernel.org, davem@davemloft.net
Subject: Re: [PATCH] rds: fix use-after-free read in rds_find_bound
Date: Sat, 30 Dec 2017 17:32:38 -0500
Message-ID: <20171230223238.GC27855@oracle.com>
In-Reply-To: <27c5708f-5d56-b2bd-c9b8-82a3e5f728f9@oracle.com>
On (12/30/17 13:37), santosh.shilimkar@oracle.com wrote:
> Well that's what the report says, o.w. the flag test wouldn't have
> been attempted.
The bug report says "use-after-free".
It doesn't say that rds_rs_to_sk(rs) is null (if rds_rs_to_sk(rs) was null,
rs would also be null; please cscope struct rds_sock).
What the bug report says is
" The buggy address belongs to the object at ffff8801c09a6080
which belongs to the cache RDS of size 1472
The buggy address is located 96 bytes inside of .."
96 is the offset of sk->sk_flags. So yes, there is a socket refcount
issue.
But the patch you sent (see next two lines) will not solve that.
> >>- if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
> >>+ if (rs && rds_rs_to_sk(rs) && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
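Review bot: the NULL test on rds_rs_to_sk(rs) added in the `+` line cannot fire and so does not address the reported read. As stated later in this thread, rs_sk is embedded in struct rds_sock rather than pointed to, so rds_rs_to_sk(rs) is non-NULL whenever rs is non-NULL and the new condition reduces to the original `if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))`. The KASAN report places the bad access 96 bytes into a freed RDS cache object (the sk_flags offset), which points to the rds_sock itself being released while still reachable from rds_find_bound; the fix should target that premature release or missing reference hold rather than add a check here.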
Sowmini> I think the real issue is a refcount bug somewhere,
> That's what I thought as well initially, but in the reported case
> the rs seems to be valid whereas sk seems to be freed up as part of
> the sock_release callback.
I don't understand the statement above: how can "rs be valid, and sk
be freed"?
rs_sk is embedded in the struct rds_sock; it is not a pointer.
Let's find and fix the refcount bug. See the stack trace in the commit comment.
The socket release is happening prematurely and existing WARN_ONs
are not catching it.
> >Was the syzbot test run with http://patchwork.ozlabs.org/patch/852492/ ?
> >This sounds like that type of bug.
--Sowmini