linux-rdma.vger.kernel.org archive mirror
From: Jason Gunthorpe <jgg@ziepe.ca>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: syzbot <syzbot+dc3dfba010d7671e05f5@syzkaller.appspotmail.com>,
	dledford@redhat.com, leon@kernel.org,
	linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	Aleksandr Nogikh <nogikh@google.com>
Subject: Re: [syzbot] KASAN: use-after-free Read in addr_handler (4)
Date: Thu, 16 Sep 2021 12:08:50 -0300
Message-ID: <20210916150850.GN3544071@ziepe.ca>
In-Reply-To: <CACT4Y+ZrXft1cMg0X48TrvbLj0moCb5nyWs1HG0WAZkpKmiBaA@mail.gmail.com>

On Thu, Sep 16, 2021 at 04:55:16PM +0200, Dmitry Vyukov wrote:

> > I noticed we also had 2 KCSAN reports that mention rdma_resolve_addr.
> >
> > On commit 1df0d896:
> > ==================================================================
> > BUG: KCSAN: data-race in addr_handler / cma_check_port
> >
> > write to 0xffff88809fa40a1c of 4 bytes by task 21 on cpu 1:
> >  cma_comp_exch drivers/infiniband/core/cma.c:426 [inline]
> >  addr_handler+0x9f/0x2b0 drivers/infiniband/core/cma.c:3141
> >  process_one_req+0x22f/0x300 drivers/infiniband/core/addr.c:645
> >  process_one_work+0x3e1/0x9a0 kernel/workqueue.c:2269
> >  worker_thread+0x665/0xbe0 kernel/workqueue.c:2415
> >  kthread+0x20d/0x230 kernel/kthread.c:291
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
> >
> > read to 0xffff88809fa40a1c of 4 bytes by task 11997 on cpu 0:
> >  cma_check_port+0xbd/0x700 drivers/infiniband/core/cma.c:3506

This has since been fixed; cma_check_port() no longer reads state.

> > and on commit 5863cc79:

I can't find this commit? Current rdma_resolve_addr should not trigger
this KCSAN.

> This does not immediately explain the use-after-free for me, but these
> races suggest that everything is not protected by a single mutex and
> that there may be some surprising interleavings.
> E.g. rdma_resolve_addr checks status, and then conditionally executes
> cma_bind_addr, but the status can change concurrently.

It is true, they weren't; however, I've fixed them all. These hits look
like they are all from before it got fixed up.

Jason
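The interleaving Dmitry describes above (a status check, then a conditional action, with the status able to change in between) is easy to reason about in a small model. The following is an added example, not code from the kernel or from this thread: it keeps the shape of cma_comp_exch() (a compare-and-store under a lock), but the state names, values, struct layout and the ADDR_QUERY -> ADDR_BOUND fallback transition are assumptions of the model rather than the transitions cma.c actually performs. The two CPUs of the KCSAN report are replaced by a scripted order of operations so the result is deterministic.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* State names follow enum rdma_cm_state; the values and the struct
 * layout are assumptions of this model, not the kernel's. */
enum cm_state { ST_IDLE, ST_ADDR_BOUND, ST_ADDR_QUERY, ST_ADDR_RESOLVED };

struct id_priv {
    pthread_mutex_t lock;  /* stands in for id_priv->lock, a spinlock in cma.c */
    enum cm_state state;
};

struct outcome {
    int winners;           /* how many paths believed they made the transition */
    enum cm_state final;   /* state left behind */
};

/* Locked compare-and-exchange on the state word, the shape of
 * cma_comp_exch(): if state == comp, set it to exch and report success. */
static bool comp_exch(struct id_priv *id, enum cm_state comp, enum cm_state exch)
{
    bool ok;

    pthread_mutex_lock(&id->lock);
    ok = (id->state == comp);
    if (ok)
        id->state = exch;
    pthread_mutex_unlock(&id->lock);
    return ok;
}

/* The asynchronous completion, in the role addr_handler() plays here:
 * ADDR_QUERY -> ADDR_RESOLVED, atomically under the lock. */
static bool handler_completes(struct id_priv *id)
{
    return comp_exch(id, ST_ADDR_QUERY, ST_ADDR_RESOLVED);
}

static void init_id(struct id_priv *id, enum cm_state s)
{
    pthread_mutex_init(&id->lock, NULL);
    id->state = s;
}

/* Scenario A: the caller samples state without the lock (the kind of read
 * KCSAN flagged), the handler runs on another CPU, and the caller then acts
 * on the stale sample. Both paths "win" the same ADDR_QUERY state, and the
 * caller's plain store overwrites the handler's result. */
struct outcome scenario_unlocked_check(void)
{
    struct id_priv id;
    struct outcome out = { 0, ST_IDLE };
    enum cm_state seen;

    init_id(&id, ST_ADDR_QUERY);
    seen = id.state;                         /* CPU 0: unlocked read */
    out.winners += handler_completes(&id);   /* CPU 1: handler runs in the window */
    if (seen == ST_ADDR_QUERY) {             /* CPU 0: decision on stale data */
        id.state = ST_ADDR_BOUND;            /* assumed fallback: lost update */
        out.winners++;
    }
    out.final = id.state;
    pthread_mutex_destroy(&id.lock);
    return out;
}

/* Scenario B: check and act are one locked compare-and-exchange, so the
 * two paths serialize. Whichever runs first consumes ADDR_QUERY and the
 * other observes the new state and backs off. */
struct outcome scenario_locked_cmpxchg(void)
{
    struct id_priv id;
    struct outcome out = { 0, ST_IDLE };

    init_id(&id, ST_ADDR_QUERY);
    out.winners += handler_completes(&id);                        /* CPU 1 first */
    out.winners += comp_exch(&id, ST_ADDR_QUERY, ST_ADDR_BOUND);  /* CPU 0: fails */
    out.final = id.state;
    pthread_mutex_destroy(&id.lock);
    return out;
}

int main(void)
{
    struct outcome a = scenario_unlocked_check();
    struct outcome b = scenario_locked_cmpxchg();

    printf("unlocked check: %d winners, final state %d\n", a.winners, a.final);
    printf("locked cmpxchg: %d winners, final state %d\n", b.winners, b.final);
    return 0;
}
```

Scenario A ends with two winners and the handler's ADDR_RESOLVED silently replaced; scenario B ends with exactly one winner whatever the order. The practical check when reviewing code of this shape is that every read of the state word that feeds a decision is either under the same lock as the writers or is itself the compare half of a compare-and-exchange, which is what removing the state read from cma_check_port() achieves.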

Thread overview: 14+ messages
2021-09-15 12:41 [syzbot] KASAN: use-after-free Read in addr_handler (4) syzbot
2021-09-15 19:36 ` Jason Gunthorpe
2021-09-16  7:43   ` Dmitry Vyukov
2021-09-16 13:04     ` Jason Gunthorpe
2021-09-16 14:45       ` Dmitry Vyukov
2021-09-16 14:47         ` Dmitry Vyukov
2021-09-16 14:55           ` Dmitry Vyukov
2021-09-16 15:08             ` Jason Gunthorpe [this message]
2021-09-16 15:17               ` Dmitry Vyukov
2021-09-16 16:02         ` Jason Gunthorpe
2021-09-16 16:28         ` Jason Gunthorpe
2021-09-20  8:13           ` Dmitry Vyukov
     [not found]           ` <20211005032901.1876-1-hdanton@sina.com>
2021-10-05 12:23             ` Jason Gunthorpe
     [not found]             ` <20211006031800.2066-1-hdanton@sina.com>
2021-10-06 11:41               ` Jason Gunthorpe
