* [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer
@ 2020-02-18 21:04 Jason Gunthorpe
2020-02-18 22:10 ` KASAN: use-after-free Read in rdma_listen (2) syzbot
` (2 more replies)
0 siblings, 3 replies; 13+ messages in thread
From: Jason Gunthorpe @ 2020-02-18 21:04 UTC (permalink / raw)
To: linux-rdma, Eric Biggers
Cc: syzbot+adb15cf8c2798e4e0db4, syzbot+e5579222b6a3edd96522,
syzbot+4b628fcc748474003457, syzbot+29ee8f76017ce6cf03da,
syzbot+6956235342b7317ec564, syzbot+b358909d8d01556b790b,
syzbot+6b46b135602a3f3ac99e, syzbot+8458d13b13562abf6b77,
syzbot+bd034f3fdc0402e942ed, syzbot+c92378b32760a4eef756,
syzbot+68b44a1597636e0b342c
The rdma_cm must be used single threaded.
This appears to be a bug in the design, as it does have lots of locking
that seems like it should allow concurrency. However, when it is all said
and done every single place that uses the cma_exch() scheme is broken, and
all the unlocked reads from the ucma of the cm_id data are wrong too.
syzkaller has been finding endless bugs related to this.
Fixing this in any elegant way is some enormous amount of work. Take a
very big hammer and put a mutex around everything to do with the
ucma_context at the top of every syscall.
Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Reported-by: syzbot+adb15cf8c2798e4e0db4@syzkaller.appspotmail.com
Reported-by: syzbot+e5579222b6a3edd96522@syzkaller.appspotmail.com
Reported-by: syzbot+4b628fcc748474003457@syzkaller.appspotmail.com
Reported-by: syzbot+29ee8f76017ce6cf03da@syzkaller.appspotmail.com
Reported-by: syzbot+6956235342b7317ec564@syzkaller.appspotmail.com
Reported-by: syzbot+b358909d8d01556b790b@syzkaller.appspotmail.com
Reported-by: syzbot+6b46b135602a3f3ac99e@syzkaller.appspotmail.com
Reported-by: syzbot+8458d13b13562abf6b77@syzkaller.appspotmail.com
Reported-by: syzbot+bd034f3fdc0402e942ed@syzkaller.appspotmail.com
Reported-by: syzbot+c92378b32760a4eef756@syzkaller.appspotmail.com
Reported-by: syzbot+68b44a1597636e0b342c@syzkaller.appspotmail.com
Cc: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
---
drivers/infiniband/core/ucma.c | 50 ++++++++++++++++++++++++++++++++--
1 file changed, 48 insertions(+), 2 deletions(-)
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git for-rc
Lets see if I told syzkaller about this properly..
EricB: If there are other rdma_cm related hits in syzkaller besides
these 11 lets include them as well. I wasn't able to find a way to
search for things, this list is from your past email, thanks.
diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 4b72a3f7c134b2..0e8846ab86b5b6 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -91,6 +91,7 @@ struct ucma_context {
struct ucma_file *file;
struct rdma_cm_id *cm_id;
+ struct mutex mutex;
u64 uid;
struct list_head list;
@@ -216,6 +217,7 @@ static struct ucma_context *ucma_alloc_ctx(struct ucma_file *file)
init_completion(&ctx->comp);
INIT_LIST_HEAD(&ctx->mc_list);
ctx->file = file;
+ mutex_init(&ctx->mutex);
if (xa_alloc(&ctx_table, &ctx->id, ctx, xa_limit_32b, GFP_KERNEL))
goto error;
@@ -589,6 +591,7 @@ static int ucma_free_ctx(struct ucma_context *ctx)
}
events_reported = ctx->events_reported;
+ mutex_destroy(&ctx->mutex);
kfree(ctx);
return events_reported;
}
@@ -658,7 +661,10 @@ static ssize_t ucma_bind_ip(struct ucma_file *file, const char __user *inbuf,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
+ mutex_lock(&ctx->mutex);
ret = rdma_bind_addr(ctx->cm_id, (struct sockaddr *) &cmd.addr);
+ mutex_unlock(&ctx->mutex);
+
ucma_put_ctx(ctx);
return ret;
}
@@ -681,7 +687,9 @@ static ssize_t ucma_bind(struct ucma_file *file, const char __user *inbuf,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
+ mutex_lock(&ctx->mutex);
ret = rdma_bind_addr(ctx->cm_id, (struct sockaddr *) &cmd.addr);
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return ret;
}
@@ -705,8 +713,10 @@ static ssize_t ucma_resolve_ip(struct ucma_file *file,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
+ mutex_lock(&ctx->mutex);
ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
(struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms);
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return ret;
}
@@ -731,8 +741,10 @@ static ssize_t ucma_resolve_addr(struct ucma_file *file,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
+ mutex_lock(&ctx->mutex);
ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
(struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms);
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return ret;
}
@@ -752,7 +764,9 @@ static ssize_t ucma_resolve_route(struct ucma_file *file,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
+ mutex_lock(&ctx->mutex);
ret = rdma_resolve_route(ctx->cm_id, cmd.timeout_ms);
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return ret;
}
@@ -841,6 +855,7 @@ static ssize_t ucma_query_route(struct ucma_file *file,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
+ mutex_lock(&ctx->mutex);
memset(&resp, 0, sizeof resp);
addr = (struct sockaddr *) &ctx->cm_id->route.addr.src_addr;
memcpy(&resp.src_addr, addr, addr->sa_family == AF_INET ?
@@ -864,6 +879,7 @@ static ssize_t ucma_query_route(struct ucma_file *file,
ucma_copy_iw_route(&resp, &ctx->cm_id->route);
out:
+ mutex_unlock(&ctx->mutex);
if (copy_to_user(u64_to_user_ptr(cmd.response),
&resp, sizeof(resp)))
ret = -EFAULT;
@@ -1014,6 +1030,7 @@ static ssize_t ucma_query(struct ucma_file *file,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
+ mutex_lock(&ctx->mutex);
switch (cmd.option) {
case RDMA_USER_CM_QUERY_ADDR:
ret = ucma_query_addr(ctx, response, out_len);
@@ -1028,6 +1045,7 @@ static ssize_t ucma_query(struct ucma_file *file,
ret = -ENOSYS;
break;
}
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return ret;
@@ -1068,7 +1086,9 @@ static ssize_t ucma_connect(struct ucma_file *file, const char __user *inbuf,
return PTR_ERR(ctx);
ucma_copy_conn_param(ctx->cm_id, &conn_param, &cmd.conn_param);
+ mutex_lock(&ctx->mutex);
ret = rdma_connect(ctx->cm_id, &conn_param);
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return ret;
}
@@ -1089,7 +1109,9 @@ static ssize_t ucma_listen(struct ucma_file *file, const char __user *inbuf,
ctx->backlog = cmd.backlog > 0 && cmd.backlog < max_backlog ?
cmd.backlog : max_backlog;
+ mutex_lock(&ctx->mutex);
ret = rdma_listen(ctx->cm_id, ctx->backlog);
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return ret;
}
@@ -1112,13 +1134,17 @@ static ssize_t ucma_accept(struct ucma_file *file, const char __user *inbuf,
if (cmd.conn_param.valid) {
ucma_copy_conn_param(ctx->cm_id, &conn_param, &cmd.conn_param);
mutex_lock(&file->mut);
+ mutex_lock(&ctx->mutex);
ret = __rdma_accept(ctx->cm_id, &conn_param, NULL);
+ mutex_unlock(&ctx->mutex);
if (!ret)
ctx->uid = cmd.uid;
mutex_unlock(&file->mut);
- } else
+ } else {
+ mutex_lock(&ctx->mutex);
ret = __rdma_accept(ctx->cm_id, NULL, NULL);
-
+ mutex_unlock(&ctx->mutex);
+ }
ucma_put_ctx(ctx);
return ret;
}
@@ -1137,7 +1163,9 @@ static ssize_t ucma_reject(struct ucma_file *file, const char __user *inbuf,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
+ mutex_lock(&ctx->mutex);
ret = rdma_reject(ctx->cm_id, cmd.private_data, cmd.private_data_len);
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return ret;
}
@@ -1156,7 +1184,9 @@ static ssize_t ucma_disconnect(struct ucma_file *file, const char __user *inbuf,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
+ mutex_lock(&ctx->mutex);
ret = rdma_disconnect(ctx->cm_id);
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return ret;
}
@@ -1187,7 +1217,9 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file,
resp.qp_attr_mask = 0;
memset(&qp_attr, 0, sizeof qp_attr);
qp_attr.qp_state = cmd.qp_state;
+ mutex_lock(&ctx->mutex);
ret = rdma_init_qp_attr(ctx->cm_id, &qp_attr, &resp.qp_attr_mask);
+ mutex_unlock(&ctx->mutex);
if (ret)
goto out;
@@ -1273,9 +1305,13 @@ static int ucma_set_ib_path(struct ucma_context *ctx,
struct sa_path_rec opa;
sa_convert_path_ib_to_opa(&opa, &sa_path);
+ mutex_lock(&ctx->mutex);
ret = rdma_set_ib_path(ctx->cm_id, &opa);
+ mutex_unlock(&ctx->mutex);
} else {
+ mutex_lock(&ctx->mutex);
ret = rdma_set_ib_path(ctx->cm_id, &sa_path);
+ mutex_unlock(&ctx->mutex);
}
if (ret)
return ret;
@@ -1308,7 +1344,9 @@ static int ucma_set_option_level(struct ucma_context *ctx, int level,
switch (level) {
case RDMA_OPTION_ID:
+ mutex_lock(&ctx->mutex);
ret = ucma_set_option_id(ctx, optname, optval, optlen);
+ mutex_unlock(&ctx->mutex);
break;
case RDMA_OPTION_IB:
ret = ucma_set_option_ib(ctx, optname, optval, optlen);
@@ -1368,8 +1406,10 @@ static ssize_t ucma_notify(struct ucma_file *file, const char __user *inbuf,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
+ mutex_lock(&ctx->mutex);
if (ctx->cm_id->device)
ret = rdma_notify(ctx->cm_id, (enum ib_event_type)cmd.event);
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return ret;
@@ -1403,6 +1443,7 @@ static ssize_t ucma_process_join(struct ucma_file *file,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
+ mutex_lock(&ctx->mutex);
mutex_lock(&file->mut);
mc = ucma_alloc_multicast(ctx);
if (!mc) {
@@ -1427,6 +1468,7 @@ static ssize_t ucma_process_join(struct ucma_file *file,
xa_store(&multicast_table, mc->id, mc, 0);
mutex_unlock(&file->mut);
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return 0;
@@ -1439,6 +1481,7 @@ static ssize_t ucma_process_join(struct ucma_file *file,
kfree(mc);
err1:
mutex_unlock(&file->mut);
+ mutex_unlock(&ctx->mutex);
ucma_put_ctx(ctx);
return ret;
}
@@ -1513,7 +1556,10 @@ static ssize_t ucma_leave_multicast(struct ucma_file *file,
goto out;
}
+ mutex_lock(&mc->ctx->mutex);
rdma_leave_multicast(mc->ctx->cm_id, (struct sockaddr *) &mc->addr);
+ mutex_unlock(&mc->ctx->mutex);
+
mutex_lock(&mc->ctx->file->mut);
ucma_cleanup_mc_events(mc);
list_del(&mc->list);
--
2.25.0
^ permalink raw reply related [flat|nested] 13+ messages in thread* Re: KASAN: use-after-free Read in rdma_listen (2)
2020-02-18 21:04 [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer Jason Gunthorpe
@ 2020-02-18 22:10 ` syzbot
2020-02-19 6:07 ` [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer Eric Biggers
2020-02-27 20:42 ` Jason Gunthorpe
2 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2020-02-18 22:10 UTC (permalink / raw)
To: ebiggers, jgg, linux-rdma, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger crash:
Reported-and-tested-by: syzbot+adb15cf8c2798e4e0db4@syzkaller.appspotmail.com
Tested on:
commit: 11a48a5a Linux 5.6-rc2
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git for-rc
kernel config: https://syzkaller.appspot.com/x/.config?x=3e5684f9a45838bb
dashboard link: https://syzkaller.appspot.com/bug?extid=adb15cf8c2798e4e0db4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=14709845e00000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer
2020-02-18 21:04 [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer Jason Gunthorpe
2020-02-18 22:10 ` KASAN: use-after-free Read in rdma_listen (2) syzbot
@ 2020-02-19 6:07 ` Eric Biggers
2020-02-19 20:22 ` Jason Gunthorpe
2020-02-27 20:42 ` Jason Gunthorpe
2 siblings, 1 reply; 13+ messages in thread
From: Eric Biggers @ 2020-02-19 6:07 UTC (permalink / raw)
To: Jason Gunthorpe
Cc: linux-rdma, syzbot+adb15cf8c2798e4e0db4,
syzbot+e5579222b6a3edd96522, syzbot+4b628fcc748474003457,
syzbot+29ee8f76017ce6cf03da, syzbot+6956235342b7317ec564,
syzbot+b358909d8d01556b790b, syzbot+6b46b135602a3f3ac99e,
syzbot+8458d13b13562abf6b77, syzbot+bd034f3fdc0402e942ed,
syzbot+c92378b32760a4eef756, syzbot+68b44a1597636e0b342c
On Tue, Feb 18, 2020 at 09:04:36PM +0000, Jason Gunthorpe wrote:
> The rdma_cm must be used single threaded.
>
> This appears to be a bug in the design, as it does have lots of locking
> that seems like it should allow concurrency. However, when it is all said
> and done every single place that uses the cma_exch() scheme is broken, and
> all the unlocked reads from the ucma of the cm_id data are wrong too.
>
> syzkaller has been finding endless bugs related to this.
>
> Fixing this in any elegant way is some enormous amount of work. Take a
> very big hammer and put a mutex around everything to do with the
> ucma_context at the top of every syscall.
>
> Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
> Reported-by: syzbot+adb15cf8c2798e4e0db4@syzkaller.appspotmail.com
> Reported-by: syzbot+e5579222b6a3edd96522@syzkaller.appspotmail.com
> Reported-by: syzbot+4b628fcc748474003457@syzkaller.appspotmail.com
> Reported-by: syzbot+29ee8f76017ce6cf03da@syzkaller.appspotmail.com
> Reported-by: syzbot+6956235342b7317ec564@syzkaller.appspotmail.com
> Reported-by: syzbot+b358909d8d01556b790b@syzkaller.appspotmail.com
> Reported-by: syzbot+6b46b135602a3f3ac99e@syzkaller.appspotmail.com
> Reported-by: syzbot+8458d13b13562abf6b77@syzkaller.appspotmail.com
> Reported-by: syzbot+bd034f3fdc0402e942ed@syzkaller.appspotmail.com
> Reported-by: syzbot+c92378b32760a4eef756@syzkaller.appspotmail.com
> Reported-by: syzbot+68b44a1597636e0b342c@syzkaller.appspotmail.com
> Cc: Eric Biggers <ebiggers@kernel.org>
> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
> ---
> drivers/infiniband/core/ucma.c | 50 ++++++++++++++++++++++++++++++++--
> 1 file changed, 48 insertions(+), 2 deletions(-)
>
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git for-rc
>
> Lets see if I told syzkaller about this properly..
>
> EricB: If there are other rdma_cm related hits in syzkaller besides
> these 11 lets include them as well. I wasn't able to find a way to
> search for things, this list is from your past email, thanks.
>
Unfortunately I haven't had time to work on syzkaller bugs lately, so I can't
provide an updated list until I go through the long backlog of bugs.
A comment on the patch below:
> @@ -1112,13 +1134,17 @@ static ssize_t ucma_accept(struct ucma_file *file, const char __user *inbuf,
> if (cmd.conn_param.valid) {
> ucma_copy_conn_param(ctx->cm_id, &conn_param, &cmd.conn_param);
> mutex_lock(&file->mut);
> + mutex_lock(&ctx->mutex);
> ret = __rdma_accept(ctx->cm_id, &conn_param, NULL);
> + mutex_unlock(&ctx->mutex);
> if (!ret)
> ctx->uid = cmd.uid;
> mutex_unlock(&file->mut);
This is nesting the new ucma_context::mutex inside the existing ucma_file::mut.
> @@ -1403,6 +1443,7 @@ static ssize_t ucma_process_join(struct ucma_file *file,
> if (IS_ERR(ctx))
> return PTR_ERR(ctx);
>
> + mutex_lock(&ctx->mutex);
> mutex_lock(&file->mut);
> mc = ucma_alloc_multicast(ctx);
> if (!mc) {
... but this is doing the opposite. So it can deadlock.
What's the intended order?
Also, are these two separate mutexes actually needed? I.e., did you consider
using the existing ucma_file::mut, but it didn't work or it wasn't fine-grained
enough? (It looks like one ucma_file can have multiple ucma_contexts.)
- Eric
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer
2020-02-19 6:07 ` [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer Eric Biggers
@ 2020-02-19 20:22 ` Jason Gunthorpe
2020-03-07 20:41 ` Eric Biggers
0 siblings, 1 reply; 13+ messages in thread
From: Jason Gunthorpe @ 2020-02-19 20:22 UTC (permalink / raw)
To: Eric Biggers; +Cc: linux-rdma
On Tue, Feb 18, 2020 at 10:07:01PM -0800, Eric Biggers wrote:
> > these 11 lets include them as well. I wasn't able to find a way to
> > search for things, this list is from your past email, thanks.
> >
>
> Unfortunately I haven't had time to work on syzkaller bugs lately, so I can't
> provide an updated list until I go through the long backlog of bugs.
Ok
> A comment on the patch below:
>
> > @@ -1112,13 +1134,17 @@ static ssize_t ucma_accept(struct ucma_file *file, const char __user *inbuf,
> > if (cmd.conn_param.valid) {
> > ucma_copy_conn_param(ctx->cm_id, &conn_param, &cmd.conn_param);
> > mutex_lock(&file->mut);
> > + mutex_lock(&ctx->mutex);
> > ret = __rdma_accept(ctx->cm_id, &conn_param, NULL);
> > + mutex_unlock(&ctx->mutex);
> > if (!ret)
> > ctx->uid = cmd.uid;
> > mutex_unlock(&file->mut);
>
> This is nesting the new ucma_context::mutex inside the existing ucma_file::mut.
Ah, indeed
> > @@ -1403,6 +1443,7 @@ static ssize_t ucma_process_join(struct ucma_file *file,
> > if (IS_ERR(ctx))
> > return PTR_ERR(ctx);
> >
> > + mutex_lock(&ctx->mutex);
> > mutex_lock(&file->mut);
> > mc = ucma_alloc_multicast(ctx);
> > if (!mc) {
>
> ... but this is doing the opposite. So it can deadlock.
Lets narrow this one to just rdma_join_multicast(), looks safe
> What's the intended order?
The code works better if mut is the exterior lock, it seems
> Also, are these two separate mutexes actually needed? I.e., did you consider
> using the existing ucma_file::mut, but it didn't work or it wasn't fine-grained
> enough? (It looks like one ucma_file can have multiple ucma_contexts.)
It would probably work, but it is not as fine grained as a per-ctx
lock, and some people do care about performance with this stuff.
The file->mut is protecting some global per-fd lists it seems.
Thanks,
Jason
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer
2020-02-19 20:22 ` Jason Gunthorpe
@ 2020-03-07 20:41 ` Eric Biggers
2020-03-09 19:30 ` Jason Gunthorpe
0 siblings, 1 reply; 13+ messages in thread
From: Eric Biggers @ 2020-03-07 20:41 UTC (permalink / raw)
To: Jason Gunthorpe; +Cc: linux-rdma
On Wed, Feb 19, 2020 at 08:22:25PM +0000, Jason Gunthorpe wrote:
> On Tue, Feb 18, 2020 at 10:07:01PM -0800, Eric Biggers wrote:
> > > these 11 lets include them as well. I wasn't able to find a way to
> > > search for things, this list is from your past email, thanks.
> > >
> >
> > Unfortunately I haven't had time to work on syzkaller bugs lately, so I can't
> > provide an updated list until I go through the long backlog of bugs.
>
> Ok
Here's an updated list:
--------------------------------------------------------------------------------
Title: general protection fault in rds_ib_add_one
Last occurred: 0 days ago
Reported: 12 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=15f96d171c64999196ac7db3de107f24b9182a8e
Original thread: https://lore.kernel.org/lkml/000000000000b9b7d4059f4e4ac7@google.com/T/#u
This bug has a C reproducer.
The original thread for this bug has received 5 replies; the last was 5 days
ago.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+274094e62023782eeb17@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread, which had activity only 5 days ago. For the git send-email command to
use, or tips on how to reply if the thread isn't in your mailbox, see the "Reply
instructions" at https://lore.kernel.org/r/000000000000b9b7d4059f4e4ac7@google.com
--------------------------------------------------------------------------------
Title: INFO: trying to register non-static key in xa_destroy
Last occurred: 0 days ago
Reported: 11 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=c0a75a31c5fa84e6e5d3131fd98a5b56e2141b9a
Original thread: https://lore.kernel.org/lkml/00000000000046895c059f5cae37@google.com/T/#u
This bug has a C reproducer.
No one has replied to the original thread for this bug yet.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+2e80962bedd9559fe0b3@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread. For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/00000000000046895c059f5cae37@google.com
--------------------------------------------------------------------------------
Title: general protection fault in nldev_stat_set_doit
Last occurred: 4 days ago
Reported: 11 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=1fbcb607cf49d8b5a3c8e056971f045f9bfa34f3
Original thread: https://lore.kernel.org/lkml/0000000000004aa34d059f5caedc@google.com/T/#u
This bug has a C reproducer.
The original thread for this bug has received 1 reply, 11 days ago.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+bd4af81bc51ee0283445@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread, which had activity only 11 days ago. For the git send-email command to
use, or tips on how to reply if the thread isn't in your mailbox, see the "Reply
instructions" at https://lore.kernel.org/r/0000000000004aa34d059f5caedc@google.com
--------------------------------------------------------------------------------
Title: BUG: corrupted list in _cma_attach_to_dev
Last occurred: 2 days ago
Reported: 6 days ago
Branches: Mainline
Dashboard link: https://syzkaller.appspot.com/bug?id=067b1e60bab1b617c1208f078cd76c9087f070e0
Original thread: https://lore.kernel.org/lkml/000000000000cfed90059fcfdccb@google.com/T/#u
This bug has a C reproducer.
No one has replied to the original thread for this bug yet.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+06b50ee4a9bd73e8b89f@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread. For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/000000000000cfed90059fcfdccb@google.com
--------------------------------------------------------------------------------
Title: WARNING: kobject bug in ib_register_device
Last occurred: 1 day ago
Reported: 12 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=805ad726feb6910e35088ae7bbe61f4125e573b7
Original thread: https://lore.kernel.org/lkml/000000000000026ac5059f4e27f3@google.com/T/#u
This bug has a C reproducer.
No one has replied to the original thread for this bug yet.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+da615ac67d4dbea32cbc@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread. For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/000000000000026ac5059f4e27f3@google.com
--------------------------------------------------------------------------------
Title: BUG: corrupted list in cma_listen_on_dev
Last occurred: 4 days ago
Reported: 4 days ago
Branches: Mainline
Dashboard link: https://syzkaller.appspot.com/bug?id=e8fcdea4e5a443c597c94fb6eda7d6646eafe6a2
Original thread: https://lore.kernel.org/lkml/00000000000020c5d205a001c308@google.com/T/#u
This bug has a C reproducer.
The original thread for this bug has received 1 reply, 3 days ago.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+2b10b240fbbed30f10fb@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread, which had activity only 3 days ago. For the git send-email command to
use, or tips on how to reply if the thread isn't in your mailbox, see the "Reply
instructions" at https://lore.kernel.org/r/00000000000020c5d205a001c308@google.com
--------------------------------------------------------------------------------
Title: KASAN: use-after-free Read in rxe_query_port
Last occurred: 0 days ago
Reported: 6 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=f00443e97b44c466dc75edc31601110bf62a6f69
Original thread: https://lore.kernel.org/lkml/0000000000000c9e12059fc941ff@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
No one has replied to the original thread for this bug yet.
I'm not confident this bug is really in the net/rdma subsystem. I also think it
might be in the net/smc subsystem.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+e11efb687f5ab7f01f3d@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread. For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/0000000000000c9e12059fc941ff@google.com
--------------------------------------------------------------------------------
Title: WARNING in ib_free_port_attrs
Last occurred: 1 day ago
Reported: 6 days ago
Branches: net and net-next
Dashboard link: https://syzkaller.appspot.com/bug?id=4ec089798f282f2d2c3219151e420ed1ba10120d
Original thread: https://lore.kernel.org/lkml/000000000000460717059fd83734@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
The original thread for this bug has received 1 reply, 4 days ago.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+e909641b84b5bc17ad8b@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread, which had activity only 4 days ago. For the git send-email command to
use, or tips on how to reply if the thread isn't in your mailbox, see the "Reply
instructions" at https://lore.kernel.org/r/000000000000460717059fd83734@google.com
--------------------------------------------------------------------------------
Title: INFO: task hung in rdma_destroy_id
Last occurred: 3 days ago
Reported: 5 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=e89b86960c3636f57dbb16bb25a829377ebdf43d
Original thread: https://lore.kernel.org/lkml/00000000000059e701059fe3ec2f@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
No one has replied to the original thread for this bug yet.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+0abbad99bee187cf63d4@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread. For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/00000000000059e701059fe3ec2f@google.com
--------------------------------------------------------------------------------
Title: general protection fault in kobject_get
Last occurred: 6 days ago
Reported: 6 days ago
Branches: net-next
Dashboard link: https://syzkaller.appspot.com/bug?id=f8e0f99b310558dd489cc7427711a640c10b93e5
Original thread: https://lore.kernel.org/lkml/000000000000c4b371059fd83a92@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
The original thread for this bug has received 2 replies; the last was 4 days
ago.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+46fe08363dbba223dec5@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread, which had activity only 4 days ago. For the git send-email command to
use, or tips on how to reply if the thread isn't in your mailbox, see the "Reply
instructions" at https://lore.kernel.org/r/000000000000c4b371059fd83a92@google.com
--------------------------------------------------------------------------------
Title: WARNING: kobject bug in add_one_compat_dev
Last occurred: 8 days ago
Reported: 10 days ago
Branches: linux-next and net-next
Dashboard link: https://syzkaller.appspot.com/bug?id=f8880fdc3cd0ba268421672360cf79bfa7fa4272
Original thread: https://lore.kernel.org/lkml/0000000000005f77d6059f888f2e@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
No one has replied to the original thread for this bug yet.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+ab4dae63f7d310641ded@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread. For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/0000000000005f77d6059f888f2e@google.com
--------------------------------------------------------------------------------
Title: WARNING in srp_remove_one
Last occurred: 9 days ago
Reported: 6 days ago
Branches: Mainline
Dashboard link: https://syzkaller.appspot.com/bug?id=16a5827f8f6f6ef0967e6492ffb2e2ca54c8c0fb
Original thread: https://lore.kernel.org/lkml/000000000000144d79059fc9415d@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
No one has replied to the original thread for this bug yet.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+687bc62a84a6a2a3555a@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread. For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/000000000000144d79059fc9415d@google.com
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer
2020-03-07 20:41 ` Eric Biggers
@ 2020-03-09 19:30 ` Jason Gunthorpe
2020-06-27 22:57 ` Eric Biggers
0 siblings, 1 reply; 13+ messages in thread
From: Jason Gunthorpe @ 2020-03-09 19:30 UTC (permalink / raw)
To: Eric Biggers; +Cc: linux-rdma
On Sat, Mar 07, 2020 at 12:41:53PM -0800, Eric Biggers wrote:
> On Wed, Feb 19, 2020 at 08:22:25PM +0000, Jason Gunthorpe wrote:
> > On Tue, Feb 18, 2020 at 10:07:01PM -0800, Eric Biggers wrote:
> > > > these 11 lets include them as well. I wasn't able to find a way to
> > > > search for things, this list is from your past email, thanks.
> > > >
> > >
> > > Unfortunately I haven't had time to work on syzkaller bugs lately, so I can't
> > > provide an updated list until I go through the long backlog of bugs.
> >
> > Ok
>
> Here's an updated list:
>
> --------------------------------------------------------------------------------
> Title: general protection fault in rds_ib_add_one
> Last occurred: 0 days ago
> Reported: 12 days ago
> Branches: Mainline and others
> Dashboard link: https://syzkaller.appspot.com/bug?id=15f96d171c64999196ac7db3de107f24b9182a8e
> Original thread: https://lore.kernel.org/lkml/000000000000b9b7d4059f4e4ac7@google.com/T/#u
>
> This bug has a C reproducer.
Looks like this is fixed by Hillf
> --------------------------------------------------------------------------------
> Title: INFO: trying to register non-static key in xa_destroy
> Last occurred: 0 days ago
> Reported: 11 days ago
> Branches: Mainline and others
> Dashboard link: https://syzkaller.appspot.com/bug?id=c0a75a31c5fa84e6e5d3131fd98a5b56e2141b9a
> Original thread: https://lore.kernel.org/lkml/00000000000046895c059f5cae37@google.com/T/#u
>
> This bug has a C reproducer.
Fixed in v5.6-rc5
> --------------------------------------------------------------------------------
> Title: general protection fault in nldev_stat_set_doit
> Last occurred: 4 days ago
> Reported: 11 days ago
> Branches: Mainline and others
> Dashboard link: https://syzkaller.appspot.com/bug?id=1fbcb607cf49d8b5a3c8e056971f045f9bfa34f3
> Original thread: https://lore.kernel.org/lkml/0000000000004aa34d059f5caedc@google.com/T/#u
>
> This bug has a C reproducer.
Fixed in v5.6-rc5
> --------------------------------------------------------------------------------
> Title: BUG: corrupted list in _cma_attach_to_dev
> Last occurred: 2 days ago
> Reported: 6 days ago
> Branches: Mainline
> Dashboard link: https://syzkaller.appspot.com/bug?id=067b1e60bab1b617c1208f078cd76c9087f070e0
> Original thread: https://lore.kernel.org/lkml/000000000000cfed90059fcfdccb@google.com/T/#u
>
> This bug has a C reproducer.
Most likely fixed by this patch, syzkaller is re-testing
> --------------------------------------------------------------------------------
> Title: WARNING: kobject bug in ib_register_device
> Last occurred: 1 day ago
> Reported: 12 days ago
> Branches: Mainline and others
> Dashboard link: https://syzkaller.appspot.com/bug?id=805ad726feb6910e35088ae7bbe61f4125e573b7
> Original thread: https://lore.kernel.org/lkml/000000000000026ac5059f4e27f3@google.com/T/#u
>
> This bug has a C reproducer.
Oh, this wasn't sent to rdma, yes, obvious rdma bug, made a patch
> --------------------------------------------------------------------------------
> Title: BUG: corrupted list in cma_listen_on_dev
> Last occurred: 4 days ago
> Reported: 4 days ago
> Branches: Mainline
> Dashboard link: https://syzkaller.appspot.com/bug?id=e8fcdea4e5a443c597c94fb6eda7d6646eafe6a2
> Original thread: https://lore.kernel.org/lkml/00000000000020c5d205a001c308@google.com/T/#u
>
> This bug has a C reproducer.
Fixed by this patch, syzkaller confirmed, now duped to another bug
> --------------------------------------------------------------------------------
> Title: KASAN: use-after-free Read in rxe_query_port
> Last occurred: 0 days ago
> Reported: 6 days ago
> Branches: Mainline and others
> Dashboard link: https://syzkaller.appspot.com/bug?id=f00443e97b44c466dc75edc31601110bf62a6f69
> Original thread: https://lore.kernel.org/lkml/0000000000000c9e12059fc941ff@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
Perhaps Yanjun Zhu will look at this
> --------------------------------------------------------------------------------
> Title: WARNING in ib_free_port_attrs
> Last occurred: 1 day ago
> Reported: 6 days ago
> Branches: net and net-next
> Dashboard link: https://syzkaller.appspot.com/bug?id=4ec089798f282f2d2c3219151e420ed1ba10120d
> Original thread: https://lore.kernel.org/lkml/000000000000460717059fd83734@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
Parav and I looked at this for a while and couldn't figure how how it
is possible. Hoping for a reproducer
> --------------------------------------------------------------------------------
> Title: INFO: task hung in rdma_destroy_id
> Last occurred: 3 days ago
> Reported: 5 days ago
> Branches: Mainline and others
> Dashboard link: https://syzkaller.appspot.com/bug?id=e89b86960c3636f57dbb16bb25a829377ebdf43d
> Original thread: https://lore.kernel.org/lkml/00000000000059e701059fe3ec2f@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
Most likely fixed by this patch
> --------------------------------------------------------------------------------
> Title: general protection fault in kobject_get
> Last occurred: 6 days ago
> Reported: 6 days ago
> Branches: net-next
> Dashboard link: https://syzkaller.appspot.com/bug?id=f8e0f99b310558dd489cc7427711a640c10b93e5
> Original thread: https://lore.kernel.org/lkml/000000000000c4b371059fd83a92@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
Really surprised no reproducer, this is not a race bug. I wrote a fix,
it is being tested now.
> --------------------------------------------------------------------------------
> Title: WARNING: kobject bug in add_one_compat_dev
> Last occurred: 8 days ago
> Reported: 10 days ago
> Branches: linux-next and net-next
> Dashboard link: https://syzkaller.appspot.com/bug?id=f8880fdc3cd0ba268421672360cf79bfa7fa4272
> Original thread: https://lore.kernel.org/lkml/0000000000005f77d6059f888f2e@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
Hmm. I wonder if this is because 'dev_set_name' failed and we ignored
it? Is that possible with this log? Lets fix that at least - I have no
other idea how we could get an empty name.
> --------------------------------------------------------------------------------
> Title: WARNING in srp_remove_one
> Last occurred: 9 days ago
> Reported: 6 days ago
> Branches: Mainline
> Dashboard link: https://syzkaller.appspot.com/bug?id=16a5827f8f6f6ef0967e6492ffb2e2ca54c8c0fb
> Original thread: https://lore.kernel.org/lkml/000000000000144d79059fc9415d@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
This looks a lot like 'WARNING in ib_free_port_attrs' - I don't have a
clear idea how these sysfs errors are possible. I wonder if there is
something strange going on in sysfs land during net ns actions?
Thanks,
Jason
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer
2020-03-09 19:30 ` Jason Gunthorpe
@ 2020-06-27 22:57 ` Eric Biggers
2020-06-29 14:30 ` Jason Gunthorpe
2020-11-16 20:46 ` Jason Gunthorpe
0 siblings, 2 replies; 13+ messages in thread
From: Eric Biggers @ 2020-06-27 22:57 UTC (permalink / raw)
To: Jason Gunthorpe; +Cc: linux-rdma
On Mon, Mar 09, 2020 at 04:30:12PM -0300, Jason Gunthorpe wrote:
> On Sat, Mar 07, 2020 at 12:41:53PM -0800, Eric Biggers wrote:
> > On Wed, Feb 19, 2020 at 08:22:25PM +0000, Jason Gunthorpe wrote:
> > > On Tue, Feb 18, 2020 at 10:07:01PM -0800, Eric Biggers wrote:
> > > > > these 11 lets include them as well. I wasn't able to find a way to
> > > > > search for things, this list is from your past email, thanks.
> > > > >
> > > >
> > > > Unfortunately I haven't had time to work on syzkaller bugs lately, so I can't
> > > > provide an updated list until I go through the long backlog of bugs.
> > >
> > > Ok
> >
> > Here's an updated list:
> >
> > --------------------------------------------------------------------------------
> > Title: general protection fault in rds_ib_add_one
> > Last occurred: 0 days ago
> > Reported: 12 days ago
> > Branches: Mainline and others
> > Dashboard link: https://syzkaller.appspot.com/bug?id=15f96d171c64999196ac7db3de107f24b9182a8e
> > Original thread: https://lore.kernel.org/lkml/000000000000b9b7d4059f4e4ac7@google.com/T/#u
> >
> > This bug has a C reproducer.
>
> Looks like this is fixed by Hillf
>
> > --------------------------------------------------------------------------------
> > Title: INFO: trying to register non-static key in xa_destroy
> > Last occurred: 0 days ago
> > Reported: 11 days ago
> > Branches: Mainline and others
> > Dashboard link: https://syzkaller.appspot.com/bug?id=c0a75a31c5fa84e6e5d3131fd98a5b56e2141b9a
> > Original thread: https://lore.kernel.org/lkml/00000000000046895c059f5cae37@google.com/T/#u
> >
> > This bug has a C reproducer.
>
> Fixed in v5.6-rc5
>
> > --------------------------------------------------------------------------------
> > Title: general protection fault in nldev_stat_set_doit
> > Last occurred: 4 days ago
> > Reported: 11 days ago
> > Branches: Mainline and others
> > Dashboard link: https://syzkaller.appspot.com/bug?id=1fbcb607cf49d8b5a3c8e056971f045f9bfa34f3
> > Original thread: https://lore.kernel.org/lkml/0000000000004aa34d059f5caedc@google.com/T/#u
> >
> > This bug has a C reproducer.
>
> Fixed in v5.6-rc5
>
> > --------------------------------------------------------------------------------
> > Title: BUG: corrupted list in _cma_attach_to_dev
> > Last occurred: 2 days ago
> > Reported: 6 days ago
> > Branches: Mainline
> > Dashboard link: https://syzkaller.appspot.com/bug?id=067b1e60bab1b617c1208f078cd76c9087f070e0
> > Original thread: https://lore.kernel.org/lkml/000000000000cfed90059fcfdccb@google.com/T/#u
> >
> > This bug has a C reproducer.
>
> Most likely fixed by this patch, syzkaller is re-testing
>
> > --------------------------------------------------------------------------------
> > Title: WARNING: kobject bug in ib_register_device
> > Last occurred: 1 day ago
> > Reported: 12 days ago
> > Branches: Mainline and others
> > Dashboard link: https://syzkaller.appspot.com/bug?id=805ad726feb6910e35088ae7bbe61f4125e573b7
> > Original thread: https://lore.kernel.org/lkml/000000000000026ac5059f4e27f3@google.com/T/#u
> >
> > This bug has a C reproducer.
>
> Oh, this wasn't sent to rdma, yes, obvious rdma bug, made a patch
>
> > --------------------------------------------------------------------------------
> > Title: BUG: corrupted list in cma_listen_on_dev
> > Last occurred: 4 days ago
> > Reported: 4 days ago
> > Branches: Mainline
> > Dashboard link: https://syzkaller.appspot.com/bug?id=e8fcdea4e5a443c597c94fb6eda7d6646eafe6a2
> > Original thread: https://lore.kernel.org/lkml/00000000000020c5d205a001c308@google.com/T/#u
> >
> > This bug has a C reproducer.
>
> Fixed by this patch, syzkaller confirmed, now duped to another bug
>
> > --------------------------------------------------------------------------------
> > Title: KASAN: use-after-free Read in rxe_query_port
> > Last occurred: 0 days ago
> > Reported: 6 days ago
> > Branches: Mainline and others
> > Dashboard link: https://syzkaller.appspot.com/bug?id=f00443e97b44c466dc75edc31601110bf62a6f69
> > Original thread: https://lore.kernel.org/lkml/0000000000000c9e12059fc941ff@google.com/T/#u
> >
> > Unfortunately, this bug does not have a reproducer.
>
> Perhaps Yanjun Zhu will look at this
>
> > --------------------------------------------------------------------------------
> > Title: WARNING in ib_free_port_attrs
> > Last occurred: 1 day ago
> > Reported: 6 days ago
> > Branches: net and net-next
> > Dashboard link: https://syzkaller.appspot.com/bug?id=4ec089798f282f2d2c3219151e420ed1ba10120d
> > Original thread: https://lore.kernel.org/lkml/000000000000460717059fd83734@google.com/T/#u
> >
> > Unfortunately, this bug does not have a reproducer.
>
> Parav and I looked at this for a while and couldn't figure how how it
> is possible. Hoping for a reproducer
>
> > --------------------------------------------------------------------------------
> > Title: INFO: task hung in rdma_destroy_id
> > Last occurred: 3 days ago
> > Reported: 5 days ago
> > Branches: Mainline and others
> > Dashboard link: https://syzkaller.appspot.com/bug?id=e89b86960c3636f57dbb16bb25a829377ebdf43d
> > Original thread: https://lore.kernel.org/lkml/00000000000059e701059fe3ec2f@google.com/T/#u
> >
> > Unfortunately, this bug does not have a reproducer.
>
> Most likely fixed by this patch
>
> > --------------------------------------------------------------------------------
> > Title: general protection fault in kobject_get
> > Last occurred: 6 days ago
> > Reported: 6 days ago
> > Branches: net-next
> > Dashboard link: https://syzkaller.appspot.com/bug?id=f8e0f99b310558dd489cc7427711a640c10b93e5
> > Original thread: https://lore.kernel.org/lkml/000000000000c4b371059fd83a92@google.com/T/#u
> >
> > Unfortunately, this bug does not have a reproducer.
>
> Really surprised no reproducer, this is not a race bug. I wrote a fix,
> it is being tested now.
>
> > --------------------------------------------------------------------------------
> > Title: WARNING: kobject bug in add_one_compat_dev
> > Last occurred: 8 days ago
> > Reported: 10 days ago
> > Branches: linux-next and net-next
> > Dashboard link: https://syzkaller.appspot.com/bug?id=f8880fdc3cd0ba268421672360cf79bfa7fa4272
> > Original thread: https://lore.kernel.org/lkml/0000000000005f77d6059f888f2e@google.com/T/#u
> >
> > Unfortunately, this bug does not have a reproducer.
>
> Hmm. I wonder if this is because 'dev_set_name' failed and we ignored
> it? Is that possible with this log? Lets fix that at least - I have no
> other idea how we could get an empty name.
>
> > --------------------------------------------------------------------------------
> > Title: WARNING in srp_remove_one
> > Last occurred: 9 days ago
> > Reported: 6 days ago
> > Branches: Mainline
> > Dashboard link: https://syzkaller.appspot.com/bug?id=16a5827f8f6f6ef0967e6492ffb2e2ca54c8c0fb
> > Original thread: https://lore.kernel.org/lkml/000000000000144d79059fc9415d@google.com/T/#u
> >
> > Unfortunately, this bug does not have a reproducer.
>
> This looks a lot like 'WARNING in ib_free_port_attrs' - I don't have a
> clear idea how these sysfs errors are possible. I wonder if there is
> something strange going on in sysfs land during net ns actions?
>
> Thanks,
> Jason
Hi Jason, here's my latest list (updated today) of bugs that are probably in
drivers/infiniband/:
--------------------------------------------------------------------------------
Title: general protection fault in rds_ib_add_one
Last occurred: 1 day ago
Reported: 124 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=15f96d171c64999196ac7db3de107f24b9182a8e
Original thread: https://lore.kernel.org/lkml/000000000000b9b7d4059f4e4ac7@google.com/T/#u
This bug has a C reproducer.
The original thread for this bug received 5 replies; the last was 117 days ago.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+274094e62023782eeb17@syzkaller.appspotmail.com
If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/000000000000b9b7d4059f4e4ac7@google.com
--------------------------------------------------------------------------------
Title: WARNING in srp_remove_one
Last occurred: 0 days ago
Reported: 118 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=16a5827f8f6f6ef0967e6492ffb2e2ca54c8c0fb
Original thread: https://lore.kernel.org/lkml/000000000000144d79059fc9415d@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
No one replied to the original thread for this bug.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+687bc62a84a6a2a3555a@syzkaller.appspotmail.com
If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/000000000000144d79059fc9415d@google.com
--------------------------------------------------------------------------------
Title: WARNING in ib_uverbs_remove_one
Last occurred: 0 days ago
Reported: 99 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=7d092a26c44ac45dc0a59a1a0474be064db8fa66
Original thread: https://lore.kernel.org/lkml/000000000000c3a75205a14cb8c9@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
No one replied to the original thread for this bug.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+d3f37b9458fe8281d078@syzkaller.appspotmail.com
If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/000000000000c3a75205a14cb8c9@google.com
--------------------------------------------------------------------------------
Title: WARNING in ib_free_port_attrs
Last occurred: 1 day ago
Reported: 117 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=4ec089798f282f2d2c3219151e420ed1ba10120d
Original thread: https://lore.kernel.org/lkml/000000000000460717059fd83734@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
The original thread for this bug received 1 reply, 116 days ago.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+e909641b84b5bc17ad8b@syzkaller.appspotmail.com
If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/000000000000460717059fd83734@google.com
--------------------------------------------------------------------------------
Title: WARNING in ib_umad_kill_port
Last occurred: 1 day ago
Reported: 82 days ago
Branches: Mainline and others
Dashboard link: https://syzkaller.appspot.com/bug?id=4ecc18c71d37b62b131aee8184a642ae5d2d21a6
Original thread: https://lore.kernel.org/lkml/00000000000075245205a2997f68@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
The original thread for this bug has received 8 replies; the last was 79 days
ago.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+9627a92b1f9262d5d30c@syzkaller.appspotmail.com
If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/00000000000075245205a2997f68@google.com
--------------------------------------------------------------------------------
Title: KASAN: use-after-free Write in addr_resolve
Last occurred: 20 days ago
Reported: 17 days ago
Branches: Mainline
Dashboard link: https://syzkaller.appspot.com/bug?id=e0a96faaf6799220954d5f5d8ec6fa0c386f85ac
Original thread: https://lore.kernel.org/lkml/000000000000eb293205a7bdd19a@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
No one has replied to the original thread for this bug yet.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+08092148130652a6faae@syzkaller.appspotmail.com
If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/000000000000eb293205a7bdd19a@google.com
--------------------------------------------------------------------------------
Title: KASAN: use-after-free Read in addr_handler (2)
Last occurred: 17 days ago
Reported: 17 days ago
Branches: Mainline
Dashboard link: https://syzkaller.appspot.com/bug?id=cfd37bf8b5d2768b6b87e7b4c3a588a06ea6284a
Original thread: https://lore.kernel.org/lkml/000000000000107b4605a7bdce7d@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
The original thread for this bug has received 2 replies; the last was 20 hours
ago.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+a929647172775e335941@syzkaller.appspotmail.com
If you send any email or patch for this bug, please reply to the original
thread, which had activity only 20 hours ago. For the git send-email command to
use, or tips on how to reply if the thread isn't in your mailbox, see the "Reply
instructions" at https://lore.kernel.org/r/000000000000107b4605a7bdce7d@google.com
--------------------------------------------------------------------------------
Title: KASAN: use-after-free Read in ib_uverbs_remove_one
Last occurred: 33 days ago
Reported: 30 days ago
Branches: linux-next
Dashboard link: https://syzkaller.appspot.com/bug?id=f1a3b9d9350867a50d642b8e2cee217569b8adca
Original thread: https://lore.kernel.org/lkml/00000000000095442505a6b63551@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
The original thread for this bug has received 2 replies; the last was 28 days
ago.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+478fd0d54412b8759e0d@syzkaller.appspotmail.com
If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/00000000000095442505a6b63551@google.com
--------------------------------------------------------------------------------
Title: WARNING in ib_unregister_device_queued
Last occurred: 51 days ago
Reported: 62 days ago
Branches: net
Dashboard link: https://syzkaller.appspot.com/bug?id=979c332b27ca869bd26c337574ef068908c1da3c
Original thread: https://lore.kernel.org/lkml/000000000000aa012505a431c7d9@google.com/T/#u
Unfortunately, this bug does not have a reproducer.
The original thread for this bug has received 2 replies; the last was 60 days
ago.
If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+4088ed905e4ae2b0e13b@syzkaller.appspotmail.com
If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lore.kernel.org/r/000000000000aa012505a431c7d9@google.com
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer
2020-06-27 22:57 ` Eric Biggers
@ 2020-06-29 14:30 ` Jason Gunthorpe
2020-11-16 20:46 ` Jason Gunthorpe
1 sibling, 0 replies; 13+ messages in thread
From: Jason Gunthorpe @ 2020-06-29 14:30 UTC (permalink / raw)
To: Eric Biggers; +Cc: linux-rdma
On Sat, Jun 27, 2020 at 03:57:34PM -0700, Eric Biggers wrote:
> Hi Jason, here's my latest list (updated today) of bugs that are probably in
> drivers/infiniband/:
Thanks, lets see:
> Title: general protection fault in rds_ib_add_one
> Last occurred: 1 day ago
> Reported: 124 days ago
> Branches: Mainline and others
> Dashboard link: https://syzkaller.appspot.com/bug?id=15f96d171c64999196ac7db3de107f24b9182a8e
> Original thread: https://lore.kernel.org/lkml/000000000000b9b7d4059f4e4ac7@google.com/T/#u
>
> This bug has a C reproducer.
>
> The original thread for this bug received 5 replies; the last was 117 days ago.
>
> If you fix this bug, please add the following tag to the commit:
> Reported-by: syzbot+274094e62023782eeb17@syzkaller.appspotmail.com
>
> If you send any email or patch for this bug, please consider replying to the
> original thread. For the git send-email command to use, or tips on how to reply
> if the thread isn't in your mailbox, see the "Reply instructions" at
> https://lore.kernel.org/r/000000000000b9b7d4059f4e4ac7@google.com
This is RDS, Hillif and Santos were handling it.. I pinged the thread
> Title: WARNING in srp_remove_one
> Last occurred: 0 days ago
> Reported: 118 days ago
> Branches: Mainline and others
> Dashboard link: https://syzkaller.appspot.com/bug?id=16a5827f8f6f6ef0967e6492ffb2e2ca54c8c0fb
> Original thread: https://lore.kernel.org/lkml/000000000000144d79059fc9415d@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
>
> No one replied to the original thread for this bug.
>
> If you fix this bug, please add the following tag to the commit:
> Reported-by: syzbot+687bc62a84a6a2a3555a@syzkaller.appspotmail.com
>
> If you send any email or patch for this bug, please consider replying to the
> original thread. For the git send-email command to use, or tips on how to reply
> if the thread isn't in your mailbox, see the "Reply instructions" at
> https://lore.kernel.org/r/000000000000144d79059fc9415d@google.com
This is *probably* the 'sysfs problem'
I have a good guess what this is, but I really need to see a
reproduction on it before trying to fix it. I can probably make the
odds of hitting this much higher with a patch, but syzkaller would
have to chew on that patch for a while to find a reproduction..
> Title: WARNING in ib_uverbs_remove_one
> Last occurred: 0 days ago
> Reported: 99 days ago
> Branches: Mainline and others
> Dashboard link: https://syzkaller.appspot.com/bug?id=7d092a26c44ac45dc0a59a1a0474be064db8fa66
> Original thread: https://lore.kernel.org/lkml/000000000000c3a75205a14cb8c9@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
>
> No one replied to the original thread for this bug.
>
> If you fix this bug, please add the following tag to the commit:
> Reported-by: syzbot+d3f37b9458fe8281d078@syzkaller.appspotmail.com
>
> If you send any email or patch for this bug, please consider replying to the
> original thread. For the git send-email command to use, or tips on how to reply
> if the thread isn't in your mailbox, see the "Reply instructions" at
> https://lore.kernel.org/r/000000000000c3a75205a14cb8c9@google.com
This is *probably* the 'sysfs problem'
> Title: WARNING in ib_free_port_attrs
> Last occurred: 1 day ago
> Reported: 117 days ago
> Branches: Mainline and others
> Dashboard link: https://syzkaller.appspot.com/bug?id=4ec089798f282f2d2c3219151e420ed1ba10120d
> Original thread: https://lore.kernel.org/lkml/000000000000460717059fd83734@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
>
> The original thread for this bug received 1 reply, 116 days ago.
>
> If you fix this bug, please add the following tag to the commit:
> Reported-by: syzbot+e909641b84b5bc17ad8b@syzkaller.appspotmail.com
>
> If you send any email or patch for this bug, please consider replying to the
> original thread. For the git send-email command to use, or tips on how to reply
> if the thread isn't in your mailbox, see the "Reply instructions" at
> https://lore.kernel.org/r/000000000000460717059fd83734@google.com
This is *probably* the 'sysfs problem', but not as clear
> Title: WARNING in ib_umad_kill_port
> Last occurred: 1 day ago
> Reported: 82 days ago
> Branches: Mainline and others
> Dashboard link: https://syzkaller.appspot.com/bug?id=4ecc18c71d37b62b131aee8184a642ae5d2d21a6
> Original thread: https://lore.kernel.org/lkml/00000000000075245205a2997f68@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
>
> The original thread for this bug has received 8 replies; the last was 79 days
> ago.
>
> If you fix this bug, please add the following tag to the commit:
> Reported-by: syzbot+9627a92b1f9262d5d30c@syzkaller.appspotmail.com
>
> If you send any email or patch for this bug, please consider replying to the
> original thread. For the git send-email command to use, or tips on how to reply
> if the thread isn't in your mailbox, see the "Reply instructions" at
> https://lore.kernel.org/r/00000000000075245205a2997f68@google.com
This is *probably* the 'sysfs problem'
> Title: KASAN: use-after-free Write in addr_resolve
> Last occurred: 20 days ago
> Reported: 17 days ago
> Branches: Mainline
> Dashboard link: https://syzkaller.appspot.com/bug?id=e0a96faaf6799220954d5f5d8ec6fa0c386f85ac
> Original thread: https://lore.kernel.org/lkml/000000000000eb293205a7bdd19a@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
>
> No one has replied to the original thread for this bug yet.
>
> If you fix this bug, please add the following tag to the commit:
> Reported-by: syzbot+08092148130652a6faae@syzkaller.appspotmail.com
>
> If you send any email or patch for this bug, please consider replying to the
> original thread. For the git send-email command to use, or tips on how to reply
> if the thread isn't in your mailbox, see the "Reply instructions" at
> https://lore.kernel.org/r/000000000000eb293205a7bdd19a@google.com
I think I have a fix for this
> Title: KASAN: use-after-free Read in addr_handler (2)
> Last occurred: 17 days ago
> Reported: 17 days ago
> Branches: Mainline
> Dashboard link: https://syzkaller.appspot.com/bug?id=cfd37bf8b5d2768b6b87e7b4c3a588a06ea6284a
> Original thread: https://lore.kernel.org/lkml/000000000000107b4605a7bdce7d@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
>
> The original thread for this bug has received 2 replies; the last was 20 hours
> ago.
>
> If you fix this bug, please add the following tag to the commit:
> Reported-by: syzbot+a929647172775e335941@syzkaller.appspotmail.com
>
> If you send any email or patch for this bug, please reply to the original
> thread, which had activity only 20 hours ago. For the git send-email command to
> use, or tips on how to reply if the thread isn't in your mailbox, see the "Reply
> instructions" at https://lore.kernel.org/r/000000000000107b4605a7bdce7d@google.com
Probably a dup of the above
> Title: KASAN: use-after-free Read in ib_uverbs_remove_one
> Last occurred: 33 days ago
> Reported: 30 days ago
> Branches: linux-next
> Dashboard link: https://syzkaller.appspot.com/bug?id=f1a3b9d9350867a50d642b8e2cee217569b8adca
> Original thread: https://lore.kernel.org/lkml/00000000000095442505a6b63551@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
>
> The original thread for this bug has received 2 replies; the last was 28 days
> ago.
>
> If you fix this bug, please add the following tag to the commit:
> Reported-by: syzbot+478fd0d54412b8759e0d@syzkaller.appspotmail.com
>
> If you send any email or patch for this bug, please consider replying to the
> original thread. For the git send-email command to use, or tips on how to reply
> if the thread isn't in your mailbox, see the "Reply instructions" at
> https://lore.kernel.org/r/00000000000095442505a6b63551@google.com
Couldn't figure it out.
> Title: WARNING in ib_unregister_device_queued
> Last occurred: 51 days ago
> Reported: 62 days ago
> Branches: net
> Dashboard link: https://syzkaller.appspot.com/bug?id=979c332b27ca869bd26c337574ef068908c1da3c
> Original thread: https://lore.kernel.org/lkml/000000000000aa012505a431c7d9@google.com/T/#u
>
> Unfortunately, this bug does not have a reproducer.
>
> The original thread for this bug has received 2 replies; the last was 60 days
> ago.
>
> If you fix this bug, please add the following tag to the commit:
> Reported-by: syzbot+4088ed905e4ae2b0e13b@syzkaller.appspotmail.com
>
> If you send any email or patch for this bug, please consider replying to the
> original thread. For the git send-email command to use, or tips on how to reply
> if the thread isn't in your mailbox, see the "Reply instructions" at
> https://lore.kernel.org/r/000000000000aa012505a431c7d9@google.com
Fix sent
Jason
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer
2020-06-27 22:57 ` Eric Biggers
2020-06-29 14:30 ` Jason Gunthorpe
@ 2020-11-16 20:46 ` Jason Gunthorpe
1 sibling, 0 replies; 13+ messages in thread
From: Jason Gunthorpe @ 2020-11-16 20:46 UTC (permalink / raw)
To: Eric Biggers; +Cc: linux-rdma
On Sat, Jun 27, 2020 at 03:57:34PM -0700, Eric Biggers wrote:
> Hi Jason, here's my latest list (updated today) of bugs that are probably in
> drivers/infiniband/:
I'm going to apply this patch and I think it will clean out a bunch of
the non-reproducer syzkaller bugs related to sysfs:
https://patchwork.kernel.org/project/linux-rdma/patch/0-v1-dcbfc68c4b4a+d6-virtual_dev_jgg@nvidia.com/
But I have no idea how to tell if it fixes it or not??
Any advice on how best to use syzbot here?
Thanks,
Jason
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer
2020-02-18 21:04 [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer Jason Gunthorpe
2020-02-18 22:10 ` KASAN: use-after-free Read in rdma_listen (2) syzbot
2020-02-19 6:07 ` [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer Eric Biggers
@ 2020-02-27 20:42 ` Jason Gunthorpe
2 siblings, 0 replies; 13+ messages in thread
From: Jason Gunthorpe @ 2020-02-27 20:42 UTC (permalink / raw)
To: linux-rdma, Eric Biggers
On Tue, Feb 18, 2020 at 09:04:36PM +0000, Jason Gunthorpe wrote:
> The rdma_cm must be used single threaded.
>
> This appears to be a bug in the design, as it does have lots of locking
> that seems like it should allow concurrency. However, when it is all said
> and done every single place that uses the cma_exch() scheme is broken, and
> all the unlocked reads from the ucma of the cm_id data are wrong too.
>
> syzkaller has been finding endless bugs related to this.
>
> Fixing this in any elegant way is some enormous amount of work. Take a
> very big hammer and put a mutex around everything to do with the
> ucma_context at the top of every syscall.
>
> Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
> Reported-by: syzbot+adb15cf8c2798e4e0db4@syzkaller.appspotmail.com
> Reported-by: syzbot+e5579222b6a3edd96522@syzkaller.appspotmail.com
> Reported-by: syzbot+4b628fcc748474003457@syzkaller.appspotmail.com
> Reported-by: syzbot+29ee8f76017ce6cf03da@syzkaller.appspotmail.com
> Reported-by: syzbot+6956235342b7317ec564@syzkaller.appspotmail.com
> Reported-by: syzbot+b358909d8d01556b790b@syzkaller.appspotmail.com
> Reported-by: syzbot+6b46b135602a3f3ac99e@syzkaller.appspotmail.com
> Reported-by: syzbot+8458d13b13562abf6b77@syzkaller.appspotmail.com
> Reported-by: syzbot+bd034f3fdc0402e942ed@syzkaller.appspotmail.com
> Reported-by: syzbot+c92378b32760a4eef756@syzkaller.appspotmail.com
> Reported-by: syzbot+68b44a1597636e0b342c@syzkaller.appspotmail.com
> Cc: Eric Biggers <ebiggers@kernel.org>
> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
> ---
> drivers/infiniband/core/ucma.c | 50 ++++++++++++++++++++++++++++++++--
> 1 file changed, 48 insertions(+), 2 deletions(-)
It has had some testing on the Mellanox test suite, so applied to
for-next.
I did not put this in -rc or cc stable since it seems like it should
have more testing
Jason
^ permalink raw reply [flat|nested] 13+ messages in thread
* KASAN: use-after-free Read in rdma_listen (2)
@ 2019-03-30 6:44 syzbot
2020-02-17 23:33 ` syzbot
[not found] ` <20200218122717.10748-1-hdanton@sina.com>
0 siblings, 2 replies; 13+ messages in thread
From: syzbot @ 2019-03-30 6:44 UTC (permalink / raw)
To: danielj, danitg, dledford, jgg, leon, linux-kernel, linux-rdma,
parav, swise, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: 9936328b Merge tag 'pci-v5.1-fixes-1' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16380473200000
kernel config: https://syzkaller.appspot.com/x/.config?x=8dcdce25ea72bedf
dashboard link: https://syzkaller.appspot.com/bug?extid=adb15cf8c2798e4e0db4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11580c3f200000
Bisection is inconclusive: the bug happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14b80c3f200000
final crash: https://syzkaller.appspot.com/x/report.txt?x=16b80c3f200000
console output: https://syzkaller.appspot.com/x/log.txt?x=12b80c3f200000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+adb15cf8c2798e4e0db4@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0 lib/list_debug.c:26
Read of size 8 at addr ffff8880a5d2b3e0 by task syz-executor.0/7797
CPU: 1 PID: 7797 Comm: syz-executor.0 Not tainted 5.1.0-rc2+ #43
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
__list_add_valid+0x9a/0xa0 lib/list_debug.c:26
__list_add include/linux/list.h:60 [inline]
list_add_tail include/linux/list.h:93 [inline]
cma_listen_on_all drivers/infiniband/core/cma.c:2483 [inline]
rdma_listen+0x6b7/0x970 drivers/infiniband/core/cma.c:3537
ucma_listen+0x14d/0x1c0 drivers/infiniband/core/ucma.c:1100
ucma_write+0x2da/0x3c0 drivers/infiniband/core/ucma.c:1696
__vfs_write+0x8d/0x110 fs/read_write.c:485
vfs_write+0x20c/0x580 fs/read_write.c:549
ksys_write+0xea/0x1f0 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458209
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb9c2080c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209
RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb9c20816d4
R13: 00000000004c77c2 R14: 00000000004dd780 R15: 00000000ffffffff
Allocated by task 7794:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_kmalloc mm/kasan/common.c:497 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511
kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3621
kmalloc include/linux/slab.h:545 [inline]
kzalloc include/linux/slab.h:740 [inline]
__rdma_create_id+0x5f/0x4e0 drivers/infiniband/core/cma.c:878
ucma_create_id+0x1de/0x640 drivers/infiniband/core/ucma.c:506
ucma_write+0x2da/0x3c0 drivers/infiniband/core/ucma.c:1696
__vfs_write+0x8d/0x110 fs/read_write.c:485
vfs_write+0x20c/0x580 fs/read_write.c:549
ksys_write+0xea/0x1f0 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 7789:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3821
rdma_destroy_id+0x719/0xaa0 drivers/infiniband/core/cma.c:1852
ucma_close+0x115/0x320 drivers/infiniband/core/ucma.c:1777
__fput+0x2e5/0x8d0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x14a/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a5d2b200
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 480 bytes inside of
2048-byte region [ffff8880a5d2b200, ffff8880a5d2ba00)
The buggy address belongs to the page:
page:ffffea0002974a80 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0
compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea000231da88 ffff88812c3f1948 ffff88812c3f0c40
raw: 0000000000000000 ffff8880a5d2a100 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a5d2b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a5d2b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880a5d2b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a5d2b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a5d2b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: KASAN: use-after-free Read in rdma_listen (2)
2019-03-30 6:44 KASAN: use-after-free Read in rdma_listen (2) syzbot
@ 2020-02-17 23:33 ` syzbot
[not found] ` <20200218122717.10748-1-hdanton@sina.com>
1 sibling, 0 replies; 13+ messages in thread
From: syzbot @ 2020-02-17 23:33 UTC (permalink / raw)
To: chuck.lever, danielj, danitg, dledford, jgg, leon, linux-kernel,
linux-rdma, parav, swise, syzkaller-bugs
syzbot has found a reproducer for the following crash on:
HEAD commit: c25a951c Add linux-next specific files for 20200217
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10df082de00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c727d8fc485ff049
dashboard link: https://syzkaller.appspot.com/bug?extid=adb15cf8c2798e4e0db4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112b9d6ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=147abb11e00000
Bisection is inconclusive: the bug happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14b80c3f200000
final crash: https://syzkaller.appspot.com/x/report.txt?x=16b80c3f200000
console output: https://syzkaller.appspot.com/x/log.txt?x=12b80c3f200000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+adb15cf8c2798e4e0db4@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0 lib/list_debug.c:26
Read of size 8 at addr ffff888093bbb1e0 by task syz-executor570/10159
CPU: 1 PID: 10159 Comm: syz-executor570 Not tainted 5.6.0-rc2-next-20200217-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:641
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
__list_add_valid+0x9a/0xa0 lib/list_debug.c:26
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
cma_listen_on_all drivers/infiniband/core/cma.c:2517 [inline]
rdma_listen+0x6b7/0x970 drivers/infiniband/core/cma.c:3628
ucma_listen+0x14d/0x1c0 drivers/infiniband/core/ucma.c:1092
ucma_write+0x2d7/0x3c0 drivers/infiniband/core/ucma.c:1684
__vfs_write+0x8a/0x110 fs/read_write.c:494
vfs_write+0x268/0x5d0 fs/read_write.c:558
ksys_write+0x220/0x290 fs/read_write.c:611
__do_sys_write fs/read_write.c:623 [inline]
__se_sys_write fs/read_write.c:620 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:620
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446a69
Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fdd8433eda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446a69
RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf
Allocated by task 10155:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
__rdma_create_id+0x5e/0x870 drivers/infiniband/core/cma.c:861
ucma_create_id+0x1de/0x620 drivers/infiniband/core/ucma.c:501
ucma_write+0x2d7/0x3c0 drivers/infiniband/core/ucma.c:1684
__vfs_write+0x8a/0x110 fs/read_write.c:494
vfs_write+0x268/0x5d0 fs/read_write.c:558
ksys_write+0x220/0x290 fs/read_write.c:611
__do_sys_write fs/read_write.c:623 [inline]
__se_sys_write fs/read_write.c:620 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:620
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 10157:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:476
kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
__cache_free mm/slab.c:3426 [inline]
kfree+0x10a/0x2c0 mm/slab.c:3757
rdma_destroy_id+0x7c6/0xdd0 drivers/infiniband/core/cma.c:1866
ucma_close+0x115/0x310 drivers/infiniband/core/ucma.c:1762
__fput+0x2ff/0x890 fs/file_table.c:280
____fput+0x16/0x20 fs/file_table.c:313
task_work_run+0x145/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xbcb/0x3030 kernel/exit.c:802
do_group_exit+0x135/0x360 kernel/exit.c:900
get_signal+0x47c/0x24f0 kernel/signal.c:2734
do_signal+0x87/0x1700 arch/x86/kernel/signal.c:813
exit_to_usermode_loop+0x286/0x380 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
do_syscall_64+0x676/0x790 arch/x86/entry/common.c:304
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888093bbb000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 480 bytes inside of
2048-byte region [ffff888093bbb000, ffff888093bbb800)
The buggy address belongs to the page:
page:ffffea00024eeec0 refcount:1 mapcount:0 mapping:00000000f8d67f88 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00026b2908 ffffea00024eee88 ffff8880aa400e00
raw: 0000000000000000 ffff888093bbb000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888093bbb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888093bbb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888093bbb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888093bbb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888093bbb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
^ permalink raw reply [flat|nested] 13+ messages in thread[parent not found: <20200218122717.10748-1-hdanton@sina.com>]
* Re: KASAN: use-after-free Read in rdma_listen (2)
[not found] ` <20200218122717.10748-1-hdanton@sina.com>
@ 2020-02-18 19:13 ` Jason Gunthorpe
0 siblings, 0 replies; 13+ messages in thread
From: Jason Gunthorpe @ 2020-02-18 19:13 UTC (permalink / raw)
To: Hillf Danton
Cc: syzbot, chuck.lever, danielj, danitg, dledford, leon,
linux-kernel, linux-rdma, parav, swise, syzkaller-bugs
On Tue, Feb 18, 2020 at 08:27:17PM +0800, Hillf Danton wrote:
> Check if rdma is being reclaimed before listening on device while
> reclaimer is waiting for rdma to become quiesce.
This is the usual syzkaller bug in rdma_cm
The test causes rdma_resolve_addr() and rdma_listen() to run
concurrently.
There is no sane locking, so in turn this causes invariants to become
violated, in particular, in rdma_listen() we can have !id->device
but also !cma_any_addr(cma_src_addr(id_priv).
This causes cma_listen_on_all() to wrongly be called and because the
invariant is screwed up cma_cancel_listens() doesn't undo it.
Thus we fail to list_del id_priv->list from the listen_any_list and
the next manipulation of the list gets a use-after on the list member
which was now freed.
The fix is the same as all the others, add some kind of locking
instead of all this defective cma_comp_exch() thing..
Jason
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2020-11-16 20:46 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-18 21:04 [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer Jason Gunthorpe
2020-02-18 22:10 ` KASAN: use-after-free Read in rdma_listen (2) syzbot
2020-02-19 6:07 ` [PATCH] RDMA/ucma: Put a lock around every call to the rdma_cm layer Eric Biggers
2020-02-19 20:22 ` Jason Gunthorpe
2020-03-07 20:41 ` Eric Biggers
2020-03-09 19:30 ` Jason Gunthorpe
2020-06-27 22:57 ` Eric Biggers
2020-06-29 14:30 ` Jason Gunthorpe
2020-11-16 20:46 ` Jason Gunthorpe
2020-02-27 20:42 ` Jason Gunthorpe
-- strict thread matches above, loose matches on Subject: below --
2019-03-30 6:44 KASAN: use-after-free Read in rdma_listen (2) syzbot
2020-02-17 23:33 ` syzbot
[not found] ` <20200218122717.10748-1-hdanton@sina.com>
2020-02-18 19:13 ` Jason Gunthorpe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).