linux-rdma.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jason Gunthorpe <jgg@ziepe.ca>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: syzbot <syzbot+dc3dfba010d7671e05f5@syzkaller.appspotmail.com>,
	dledford@redhat.com, leon@kernel.org,
	linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	Aleksandr Nogikh <nogikh@google.com>
Subject: Re: [syzbot] KASAN: use-after-free Read in addr_handler (4)
Date: Thu, 16 Sep 2021 12:08:50 -0300	[thread overview]
Message-ID: <20210916150850.GN3544071@ziepe.ca> (raw)
In-Reply-To: <CACT4Y+ZrXft1cMg0X48TrvbLj0moCb5nyWs1HG0WAZkpKmiBaA@mail.gmail.com>

On Thu, Sep 16, 2021 at 04:55:16PM +0200, Dmitry Vyukov wrote:

> > I noticed we also had 2 KCSAN reports that mention rdma_resolve_addr.
> >
> > On commit 1df0d896:
> > ==================================================================
> > BUG: KCSAN: data-race in addr_handler / cma_check_port
> >
> > write to 0xffff88809fa40a1c of 4 bytes by task 21 on cpu 1:
> >  cma_comp_exch drivers/infiniband/core/cma.c:426 [inline]
> >  addr_handler+0x9f/0x2b0 drivers/infiniband/core/cma.c:3141
> >  process_one_req+0x22f/0x300 drivers/infiniband/core/addr.c:645
> >  process_one_work+0x3e1/0x9a0 kernel/workqueue.c:2269
> >  worker_thread+0x665/0xbe0 kernel/workqueue.c:2415
> >  kthread+0x20d/0x230 kernel/kthread.c:291
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
> >
> > read to 0xffff88809fa40a1c of 4 bytes by task 11997 on cpu 0:
> >  cma_check_port+0xbd/0x700 drivers/infiniband/core/cma.c:3506

This has since been fixed, cma_check_port() no longer reads state

> > and on commit 5863cc79:

I can't find this commit? Current rdma_resolve_addr should not trigger
this KCSAN.

> This does not immediately explain the use-after-free for me, but these
> races suggest that everything is not protected by a single mutex and
> that there may be some surprising interleavings.
> E.g. rdma_resolve_addr checks status, and then conditionally executes
> cma_bind_addr, but the status can change concurrently.

It is true, they weren't, however I've fixed them all. These hits look
like they all from before it got fixed up..

Jason

  reply	other threads:[~2021-09-16 15:08 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-15 12:41 syzbot
2021-09-15 19:36 ` Jason Gunthorpe
2021-09-16  7:43   ` Dmitry Vyukov
2021-09-16 13:04     ` Jason Gunthorpe
2021-09-16 14:45       ` Dmitry Vyukov
2021-09-16 14:47         ` Dmitry Vyukov
2021-09-16 14:55           ` Dmitry Vyukov
2021-09-16 15:08             ` Jason Gunthorpe [this message]
2021-09-16 15:17               ` Dmitry Vyukov
2021-09-16 16:02         ` Jason Gunthorpe
2021-09-16 16:28         ` Jason Gunthorpe
2021-09-20  8:13           ` Dmitry Vyukov
     [not found]           ` <20211005032901.1876-1-hdanton@sina.com>
2021-10-05 12:23             ` Jason Gunthorpe
     [not found]             ` <20211006031800.2066-1-hdanton@sina.com>
2021-10-06 11:41               ` Jason Gunthorpe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210916150850.GN3544071@ziepe.ca \
    --to=jgg@ziepe.ca \
    --cc=dledford@redhat.com \
    --cc=dvyukov@google.com \
    --cc=leon@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=nogikh@google.com \
    --cc=syzbot+dc3dfba010d7671e05f5@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --subject='Re: [syzbot] KASAN: use-after-free Read in addr_handler (4)' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).