From: Girish Moodalbail <girish.moodalbail@oracle.com>
To: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Cc: syzbot
<bot+643ecad3f5bb49700e839363b608c4928f6db8f0@syzkaller.appspotmail.com>,
davem@davemloft.net, netdev@vger.kernel.org,
rds-devel@oss.oracle.com, santosh.shilimkar@oracle.com,
syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in rds_tcp_dev_event
Date: Tue, 14 Nov 2017 10:02:59 -0800
Message-ID: <c11bca37-08fd-66bf-26b3-c6bf5edea6a0@oracle.com>
In-Reply-To: <20171114132221.GB1980@oracle.com>

On 11/14/17 5:22 AM, Sowmini Varadhan wrote:
>
>
> A few questions.
>
> - First off, why am I not seeing the original mail in this thread
> even when I search the mail archives, e.g.,
> https://lkml.org/lkml/2017/11/13/954
>
> - Girish Moodalbail writes:
>
>> The issue here is that we are trying to reference a network namespace
>> (struct net *) that is long gone (i.e., L532 below -- c_net is the culprit).
>
> The netns is not "long gone", we are still processing
> the NETDEV_UNREGISTER_FINAL for loopback.
Obviously, I was not talking about the current namespace.
Say there are two namespaces, ns1 and ns2, and that both have RDS connections.
Deletion of ns1 will be fine. However, when ns2 is being deleted, in the
rds_tcp_dev_event() callback we walk through the global list and some nodes in
that list will be referring to ns1 (that is "long gone"). If you read my earlier
email, I was talking about ns1 which is already gone, and we are trying to
access it from ns2.
~Girish
> As I said in my
> earlier mail, the idea is to extract the list of unique conns
> that belong to the netns and then destroy both the conn, and
> all associated paths. Thus there can only be a single thread
> going through rds_tcp_kill_sock at any time (since we should
> only get the unregister_final/loopback one time for the netns).
> (See also comment block in rds_tcp_dev_event about network activity
> quiescing). Thus there should be no concurrency issue.
>
> However when I just checked this, there may be some rds connection
> refcounting bug. When I quickly tested this, I'm not seeing the
> expected calls to conn_path_destroy. I'll need some time to take
> a look, this has been known to work, so something got broken along
> the way.
>
>> I think we should move away from global list to a per-namespace list. The
>> global list are used only in two places (both of which are per-namespace
>> operations):
>
> let's first understand the real root-cause before we start
> redesigning data-structures.
>
> --Sowmini
>
>
>
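A user-space model of the two-namespace scenario Girish describes above, added here as an illustration; it is not the kernel's RDS code and makes no claim about the actual root cause, which the thread leaves open. The `net`, `conn` and teardown names are hypothetical, and a freed net is marked dead instead of being free()d so that a stale reference can be counted rather than crashing.

```c
/* Hypothetical model: connections on one global list, each holding a
 * pointer to its owning net. Not RDS code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct net { bool alive; };   /* teardown clears 'alive' instead of freeing, so the stale deref is observable */
struct conn { struct net *c_net; struct conn *next; };

static struct conn *rds_conn_list;   /* the global list from the discussion */

static struct net *net_create(void) { struct net *n = calloc(1, sizeof *n); n->alive = true; return n; }

static struct conn *conn_create(struct net *net) {
    struct conn *c = calloc(1, sizeof *c);
    c->c_net = net; c->next = rds_conn_list; rds_conn_list = c;
    return c;
}

/* Leaky teardown: the net goes away but its conns stay on the global list. */
static void net_teardown_leaky(struct net *net) { net->alive = false; }

/* Unlinking teardown: drop every conn of this net before the net dies.
 * Only the pointer value is compared; c_net is never dereferenced here. */
static void net_teardown_unlink(struct net *net) {
    struct conn **pp = &rds_conn_list;
    while (*pp) {
        struct conn *c = *pp;
        if (c->c_net == net) { *pp = c->next; free(c); }
        else pp = &c->next;
    }
    net->alive = false;
}

/* Models the walk done while tearing down the second net: count list nodes
 * whose owner is already gone. In the kernel each such node is a use-after-free. */
static int stale_refs_seen(void) {
    int stale = 0;
    for (struct conn *c = rds_conn_list; c; c = c->next)
        if (!c->c_net->alive) stale++;   /* this deref is the dangerous one */
    return stale;
}

/* ns1 and ns2 both have conns; delete ns1, then do ns2's teardown walk. */
int run_scenario(bool unlink_on_teardown) {
    rds_conn_list = NULL;
    struct net *ns1 = net_create(), *ns2 = net_create();
    conn_create(ns1); conn_create(ns2); conn_create(ns1);
    (unlink_on_teardown ? net_teardown_unlink : net_teardown_leaky)(ns1);
    return stale_refs_seen();   /* 2 with leaky teardown, 0 when ns1 unlinked its conns */
}
```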