From: Jason Gunthorpe <jgg@ziepe.ca>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: syzbot <syzbot+dc3dfba010d7671e05f5@syzkaller.appspotmail.com>,
dledford@redhat.com, leon@kernel.org,
linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org,
syzkaller-bugs@googlegroups.com,
Aleksandr Nogikh <nogikh@google.com>
Subject: Re: [syzbot] KASAN: use-after-free Read in addr_handler (4)
Date: Thu, 16 Sep 2021 13:02:24 -0300 [thread overview]
Message-ID: <20210916160224.GP3544071@ziepe.ca> (raw)
In-Reply-To: <CACT4Y+aUFbj3_+iBpeP2qrQ=RbGrssr0-6EZv1nx73at7fdbfA@mail.gmail.com>
On Thu, Sep 16, 2021 at 04:45:27PM +0200, Dmitry Vyukov wrote:
> It looks like a very hard to trigger race (few crashes, no reproducer,
> but KASAN reports look sensible). That's probably the reason syzkaller
> can't create a reproducer.
> From the log it looks like it was triggered by one of these programs
> below. But I tried to reproduce manually and had no success.
> We are currently doing some improvements to race triggering code in
> syzkaller, and may try to use this as a litmus test to see if
> syzkaller will do any better:
> https://github.com/google/syzkaller/issues/612#issuecomment-920961538
I would suggest looking at this:
https://patchwork.kernel.org/project/linux-rdma/patch/0-v1-9fbb33f5e201+2a-cma_listen_jgg@nvidia.com/
Which I think should be completely deterministic, just do the RDMA_CM
ops in the right order, but syzbot didn't find a reproducer.
The "healer" fork did however:
https://lore.kernel.org/all/CACkBjsY-CNzO74XGo0uJrcaZTubC+Yw9Sg1bNNi+evUOGaZTCg@mail.gmail.com/#r
> Answering your question re what was running concurrently with what.
> Each of the syscalls in these programs can run up to 2 times and
> ultimately any of these calls can race with any. Potentially syzkaller
> can predict values kernel will return (e.g. id's) before kernel
> actually returned them. I guess this does not restrict search area for
> the bug a lot...
Well, it does help if it is only those system calls.
And I think I can discount the workqueue as a problem, as I'd expect a
KASAN hit on the 'req' allocation if the workqueue was malfunctioning;
thus I must conclude we are not calling work cancellation for some
reason.
Jason
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-15 12:41 [syzbot] KASAN: use-after-free Read in addr_handler (4) syzbot
2021-09-15 19:36 ` Jason Gunthorpe
2021-09-16 7:43 ` Dmitry Vyukov
2021-09-16 13:04 ` Jason Gunthorpe
2021-09-16 14:45 ` Dmitry Vyukov
2021-09-16 14:47 ` Dmitry Vyukov
2021-09-16 14:55 ` Dmitry Vyukov
2021-09-16 15:08 ` Jason Gunthorpe
2021-09-16 15:17 ` Dmitry Vyukov
2021-09-16 16:02 ` Jason Gunthorpe [this message]
2021-09-16 16:28 ` Jason Gunthorpe
2021-09-20 8:13 ` Dmitry Vyukov
[not found] ` <20211005032901.1876-1-hdanton@sina.com>
2021-10-05 12:23 ` Jason Gunthorpe
[not found] ` <20211006031800.2066-1-hdanton@sina.com>
2021-10-06 11:41 ` Jason Gunthorpe