From: Dmitry Vyukov <dvyukov@google.com>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: syzbot <syzbot+dc3dfba010d7671e05f5@syzkaller.appspotmail.com>,
	dledford@redhat.com, leon@kernel.org,
	linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	Aleksandr Nogikh <nogikh@google.com>
Subject: Re: [syzbot] KASAN: use-after-free Read in addr_handler (4)
Date: Thu, 16 Sep 2021 17:17:27 +0200
Message-ID: <CACT4Y+bSb8ck4C-Uc2E-2xP=W_r-2i3KUSnqfHr=Z7GB46+CAg@mail.gmail.com>
In-Reply-To: <20210916150850.GN3544071@ziepe.ca>

On Thu, 16 Sept 2021 at 17:08, Jason Gunthorpe <jgg@ziepe.ca> wrote:
>
> On Thu, Sep 16, 2021 at 04:55:16PM +0200, Dmitry Vyukov wrote:
>
> > > I noticed we also had 2 KCSAN reports that mention rdma_resolve_addr.
> > >
> > > On commit 1df0d896:
> > > ==================================================================
> > > BUG: KCSAN: data-race in addr_handler / cma_check_port
> > >
> > > write to 0xffff88809fa40a1c of 4 bytes by task 21 on cpu 1:
> > >  cma_comp_exch drivers/infiniband/core/cma.c:426 [inline]
> > >  addr_handler+0x9f/0x2b0 drivers/infiniband/core/cma.c:3141
> > >  process_one_req+0x22f/0x300 drivers/infiniband/core/addr.c:645
> > >  process_one_work+0x3e1/0x9a0 kernel/workqueue.c:2269
> > >  worker_thread+0x665/0xbe0 kernel/workqueue.c:2415
> > >  kthread+0x20d/0x230 kernel/kthread.c:291
> > >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
> > >
> > > read to 0xffff88809fa40a1c of 4 bytes by task 11997 on cpu 0:
> > >  cma_check_port+0xbd/0x700 drivers/infiniband/core/cma.c:3506
>
> This has since been fixed, cma_check_port() no longer reads state
>
> > > and on commit 5863cc79:
>
> I can't find this commit? Current rdma_resolve_addr should not trigger
> this KCSAN.
>
> > This does not immediately explain the use-after-free for me, but these
> > races suggest that everything is not protected by a single mutex and
> > that there may be some surprising interleavings.
> > E.g. rdma_resolve_addr checks status, and then conditionally executes
> > cma_bind_addr, but the status can change concurrently.
>
> It is true, they weren't, however I've fixed them all. These hits look
> like they are all from before it got fixed up.

Then sorry for the false leads.
The second commit was from https://github.com/google/ktsan.git kcsan
branch. I am not sure if it's still present or was rebased. But either
way it's even older than the first report on upstream (we used the ktsan
tree before we switched to upstream).
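The interleaving discussed above (a status check followed by a conditional action, while the status can change in between) is a check-then-act pattern that a compare-and-exchange state transition closes. The block below is an added illustration, not code from this thread or from drivers/infiniband/core/cma.c; the state names, the `comp_exch` helper, the `concurrent_destroy` hook and the use of C11 atomics in place of the kernel's spinlock are all assumptions made so the model compiles and runs in userspace.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed states standing in for the kernel's rdma_cm_state values. */
enum cm_state { CM_IDLE = 0, CM_ADDR_QUERY, CM_DESTROYING };

struct cm_id {
    _Atomic int state;
};

struct outcome {
    int ret;    /* return value of the resolve call: 0 or -1 (EINVAL-like) */
    int state;  /* state observed after the scenario completed */
};

/* Analogue of a comp/exch state transition: succeed only if the current state
 * is 'comp', and move to 'exch' in the same indivisible step. (The kernel does
 * this under a spinlock; here a C11 compare-exchange stands in for it.) */
static bool comp_exch(struct cm_id *id, int comp, int exch)
{
    int expected = comp;
    return atomic_compare_exchange_strong(&id->state, &expected, exch);
}

/* A concurrent teardown that moves the id to CM_DESTROYING whatever its state. */
static void concurrent_destroy(struct cm_id *id)
{
    atomic_store(&id->state, CM_DESTROYING);
}

/* Check-then-act: read the state, decide, then write. 'hook' models another CPU
 * running in the window between the check and the act. */
static int resolve_racy(struct cm_id *id, void (*hook)(struct cm_id *))
{
    if (atomic_load(&id->state) != CM_IDLE)
        return -1;
    if (hook)
        hook(id);                                 /* state changes here */
    atomic_store(&id->state, CM_ADDR_QUERY);      /* overwrites the destroy */
    return 0;
}

/* Atomic transition: there is no window, so a concurrent destroy lands either
 * before (transition refused) or after (destroy wins and stays visible). */
static int resolve_safe(struct cm_id *id, void (*before)(struct cm_id *),
                        void (*after)(struct cm_id *))
{
    if (before)
        before(id);
    if (!comp_exch(id, CM_IDLE, CM_ADDR_QUERY))
        return -1;
    if (after)
        after(id);
    return 0;
}

/* Scenario 1: destroy slips between check and act; the destroy is lost. */
struct outcome run_racy(void)
{
    struct cm_id id;
    struct outcome o;
    atomic_init(&id.state, CM_IDLE);
    o.ret = resolve_racy(&id, concurrent_destroy);
    o.state = atomic_load(&id.state);
    return o;
}

/* Scenario 2: destroy happens first; the atomic transition is refused. */
struct outcome run_safe_destroy_first(void)
{
    struct cm_id id;
    struct outcome o;
    atomic_init(&id.state, CM_IDLE);
    o.ret = resolve_safe(&id, concurrent_destroy, NULL);
    o.state = atomic_load(&id.state);
    return o;
}

/* Scenario 3: destroy happens after; the transition succeeded but the
 * destroying state remains visible to any later work on the id. */
struct outcome run_safe_destroy_after(void)
{
    struct cm_id id;
    struct outcome o;
    atomic_init(&id.state, CM_IDLE);
    o.ret = resolve_safe(&id, NULL, concurrent_destroy);
    o.state = atomic_load(&id.state);
    return o;
}

int main(void)
{
    struct outcome a = run_racy();
    struct outcome b = run_safe_destroy_first();
    struct outcome c = run_safe_destroy_after();
    printf("racy:               ret=%d state=%d\n", a.ret, a.state);
    printf("safe, destroy first: ret=%d state=%d\n", b.ret, b.state);
    printf("safe, destroy after: ret=%d state=%d\n", c.ret, c.state);
    return 0;
}
```

In the racy scenario the resolve call reports success and leaves the id in CM_ADDR_QUERY even though a destroy ran in between, which is exactly the kind of stale-state decision that lets work proceed on an object being torn down. With the atomic transition the destroy is never overwritten: it either refuses the resolve or stays visible afterwards.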


Thread overview: 14+ messages
2021-09-15 12:41 [syzbot] KASAN: use-after-free Read in addr_handler (4) syzbot
2021-09-15 19:36 ` Jason Gunthorpe
2021-09-16  7:43   ` Dmitry Vyukov
2021-09-16 13:04     ` Jason Gunthorpe
2021-09-16 14:45       ` Dmitry Vyukov
2021-09-16 14:47         ` Dmitry Vyukov
2021-09-16 14:55           ` Dmitry Vyukov
2021-09-16 15:08             ` Jason Gunthorpe
2021-09-16 15:17               ` Dmitry Vyukov [this message]
2021-09-16 16:02         ` Jason Gunthorpe
2021-09-16 16:28         ` Jason Gunthorpe
2021-09-20  8:13           ` Dmitry Vyukov
     [not found]           ` <20211005032901.1876-1-hdanton@sina.com>
2021-10-05 12:23             ` Jason Gunthorpe
     [not found]             ` <20211006031800.2066-1-hdanton@sina.com>
2021-10-06 11:41               ` Jason Gunthorpe