From: Jason Gunthorpe <firstname.lastname@example.org> To: Dmitry Vyukov <email@example.com> Cc: syzbot <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, Aleksandr Nogikh <firstname.lastname@example.org> Subject: Re: [syzbot] KASAN: use-after-free Read in addr_handler (4) Date: Thu, 16 Sep 2021 13:02:24 -0300 [thread overview] Message-ID: <20210916160224.GP3544071@ziepe.ca> (raw) In-Reply-To: <CACT4Y+aUFbj3_+iBpeP2qrQ=RbGrssr0-6EZv1nx73at7fdbfA@mail.gmail.com> On Thu, Sep 16, 2021 at 04:45:27PM +0200, Dmitry Vyukov wrote: > It looks like a very hard to trigger race (few crashes, no reproducer, > but KASAN reports look sensible). That's probably the reason syzkaller > can't create a reproducer. > From the log it looks like it was triggered by one of these programs > below. But I tried to reproduce manually and had no success. > We are currently doing some improvements to race triggering code in > syzkaller, and may try to use this as a litmus test to see if > syzkaller will do any better: > https://github.com/google/syzkaller/issues/612#issuecomment-920961538 I would suggest to look at this: https://email@example.com/ Which I think should be completely deterministic, just do the RDMA_CM ops in the right order, but syzbot didn't find a reproducer. The "healer" fork did however: https://lore.kernel.org/all/CACkBjsY-CNzO74XGo0uJrcaZTubC+Yw9Sg1bNNi+evUOGaZTCg@mail.gmail.com/#r > Answering your question re what was running concurrently with what. > Each of the syscalls in these programs can run up to 2 times and > ultimately any of these calls can race with any. Potentially syzkaller > can predict values kernel will return (e.g. id's) before kernel > actually returned them. I guess this does not restrict search area for > the bug a lot... Well, it does help if it is only those system calls And I think I can discount the workqueue as a problem as I'd expect a kasn hit on the 'req' allocation if the workqueue was malfunctioning - thus I must conclude we are not calling work cancelation for some reason. Jason
next prev parent reply other threads:[~2021-09-16 16:02 UTC|newest] Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-09-15 12:41 syzbot 2021-09-15 19:36 ` Jason Gunthorpe 2021-09-16 7:43 ` Dmitry Vyukov 2021-09-16 13:04 ` Jason Gunthorpe 2021-09-16 14:45 ` Dmitry Vyukov 2021-09-16 14:47 ` Dmitry Vyukov 2021-09-16 14:55 ` Dmitry Vyukov 2021-09-16 15:08 ` Jason Gunthorpe 2021-09-16 15:17 ` Dmitry Vyukov 2021-09-16 16:02 ` Jason Gunthorpe [this message] 2021-09-16 16:28 ` Jason Gunthorpe 2021-09-20 8:13 ` Dmitry Vyukov [not found] ` <firstname.lastname@example.org> 2021-10-05 12:23 ` Jason Gunthorpe [not found] ` <email@example.com> 2021-10-06 11:41 ` Jason Gunthorpe
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210916160224.GP3544071@ziepe.ca \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --subject='Re: [syzbot] KASAN: use-after-free Read in addr_handler (4)' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).