From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Dumazet
Subject: Re: KASAN: use-after-free Read in tcf_block_find
Date: Thu, 27 Sep 2018 06:00:39 -0700
Message-ID:
References: <00000000000084e2450576c817cc@google.com> <7fcb1c03-6976-9b34-601d-5f50b74c5b0a@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: Eric Dumazet , syzbot+37b8770e6d5a8220a039@syzkaller.appspotmail.com, David Miller , Jamal Hadi Salim , Jiri Pirko , LKML , Linux Kernel Network Developers , syzkaller-bugs
To: Dmitry Vyukov , Cong Wang
Return-path:
In-Reply-To:
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

On 09/27/2018 01:10 AM, Dmitry Vyukov wrote:
>
> Would a stack trace for call_rcu be helpful here? I have had this idea for
> a long time, but never got around to implementing it:
> https://bugzilla.kernel.org/show_bug.cgi?id=198437
>
> Also FWIW I recently used the following hack for another net bug. It
> made that other bug involving call_rcu way more likely to fire. Maybe
> it will be helpful here too.
>
> diff --git a/net/core/dst.c b/net/core/dst.c
> index 81ccf20e28265..591a8d0aca545 100644
> --- a/net/core/dst.c
> +++ b/net/core/dst.c
> @@ -187,8 +187,16 @@ void dst_release(struct dst_entry *dst)
> if (unlikely(newrefcnt < 0))
> net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
> __func__, dst, newrefcnt);
> - if (!newrefcnt)
> - call_rcu(&dst->rcu_head, dst_destroy_rcu);
> + if (!newrefcnt) {
> + if (lock_is_held(&rcu_bh_lock_map) ||
> + lock_is_held(&rcu_lock_map) ||
> + lock_is_held(&rcu_sched_lock_map)) {
> + call_rcu(&dst->rcu_head, dst_destroy_rcu);
> + } else {
> + synchronize_rcu();

dst_release() can be called in a context where we hold a spinlock; it would be bad to reschedule here.

> + dst_destroy_rcu(&dst->rcu_head);
> + }
> + }
> }
> }
>
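Review bot: the else branch (`+ synchronize_rcu();` followed by `+ dst_destroy_rcu(&dst->rcu_head);`) blocks until a grace period elapses, but the three `lock_is_held()` checks above it only detect that the caller is inside an RCU read-side critical section; a caller that holds a spinlock or is otherwise in atomic context without an RCU read lock still takes the else path and sleeps there. Even for a debugging-only hack, a `might_sleep()` immediately before `synchronize_rcu()` would make that unsafe context trip a warning at the call site rather than surfacing later as an unrelated-looking scheduling failure, and the comment above the diff should state explicitly that this is a reproduction aid that must not be applied as a fix.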