From: Jason Gunthorpe <jgg@ziepe.ca>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: syzbot <syzbot+dc3dfba010d7671e05f5@syzkaller.appspotmail.com>,
	dledford@redhat.com, leon@kernel.org,
	linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	Aleksandr Nogikh <nogikh@google.com>
Subject: Re: [syzbot] KASAN: use-after-free Read in addr_handler (4)
Date: Thu, 16 Sep 2021 13:28:50 -0300
Message-ID: <20210916162850.GQ3544071@ziepe.ca>
In-Reply-To: <CACT4Y+aUFbj3_+iBpeP2qrQ=RbGrssr0-6EZv1nx73at7fdbfA@mail.gmail.com>

On Thu, Sep 16, 2021 at 04:45:27PM +0200, Dmitry Vyukov wrote:

> Answering your question re what was running concurrently with what.
> Each of the syscalls in these programs can run up to 2 times and
> ultimately any of these calls can race with any. Potentially syzkaller
> can predict values kernel will return (e.g. id's) before kernel
> actually returned them. I guess this does not restrict search area for
> the bug a lot...

I have a reasonable theory now..

Based on the ops you provided this FSM sequence is possible

RDMA_USER_CM_CMD_RESOLVE_IP
  RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY
  does rdma_resolve_ip(addr_handler)

			  addr_handler
			    RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND
			    [.. handler still running ..]

RDMA_USER_CM_CMD_RESOLVE_IP
  RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY
  does rdma_resolve_ip(addr_handler)

RDMA_DESTROY_ID
  rdma_addr_cancel()

Which, if it happens fast enough, could trigger a situation where the
'&id_priv->id.route.addr.dev_addr' "handle" is in the req_list twice
because the addr_handler work queue hasn't yet got to the point of
deleting it from the req_list before the 2nd one is added.

The issue is rdma_addr_cancel() has to be called before rdma_resolve_ip() can
be called again.

Skipping it will cause 'req_list' to have two items in the internal
linked list with the same key and it will not cancel the newest one
with the active timer. This would cause the use after free syndrome
like this trace is showing.

I can make a patch, but have no way to know if it is any good :\

Jason
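The following is an added illustration, not code from the kernel or from the mail above: a toy model of the req_list keyed on the dev_addr "handle", replaying the FSM sequence described in the message. It assumes, as the mail implies with "it will not cancel the newest one", that the cancel lookup stops at the first entry whose key matches; the `model_` names, the struct layouts and the sample handle are constructed for this example only.

```c
/*
 * Added example, not kernel code: a toy model of the ib_addr req_list
 * race described in the mail. The "model_" functions, the struct layouts
 * and the sample handle are assumptions made for illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_REQS 8

/* Stands in for the dev_addr embedded in id_priv, i.e. the req_list key. */
struct dev_addr {
	int id;
};

struct addr_req {
	struct dev_addr *addr;	/* the "handle" used as the lookup key */
	bool in_list;		/* still linked on req_list */
	bool timer_active;	/* delayed work / timer still pending */
};

static struct addr_req req_list[MAX_REQS];
static int req_count;

/* rdma_resolve_ip() model: always queues a fresh request for the key. */
static struct addr_req *model_resolve_ip(struct dev_addr *addr)
{
	struct addr_req *req = &req_list[req_count++];

	req->addr = addr;
	req->in_list = true;
	req->timer_active = true;
	return req;
}

/* rdma_addr_cancel() model (assumption): the lookup stops at the FIRST
 * linked entry whose key matches, so a duplicate key hides the newer one. */
static bool model_addr_cancel(struct dev_addr *addr)
{
	for (int i = 0; i < req_count; i++) {
		struct addr_req *req = &req_list[i];

		if (req->in_list && req->addr == addr) {
			req->in_list = false;
			req->timer_active = false;
			return true;
		}
	}
	return false;
}

/* Requests still linked with a live timer after id_priv is gone: each one
 * dereferences a freed handle when it fires. */
static int model_dangling_requests(const struct dev_addr *addr)
{
	int n = 0;

	for (int i = 0; i < req_count; i++)
		if (req_list[i].in_list && req_list[i].timer_active &&
		    req_list[i].addr == addr)
			n++;
	return n;
}

/* Replay the FSM sequence from the mail. With cancel_before_requery set,
 * the second RESOLVE_IP is preceded by rdma_addr_cancel(), the ordering
 * the mail says is required. Returns the number of dangling requests. */
static int model_replay(bool cancel_before_requery)
{
	struct dev_addr addr = { .id = 1 };	/* constructed sample handle */
	struct addr_req *first;

	memset(req_list, 0, sizeof(req_list));
	req_count = 0;

	first = model_resolve_ip(&addr);	/* RESOLVE_IP: IDLE -> ADDR_QUERY */
	first->timer_active = false;		/* addr_handler ran: ADDR_QUERY -> ADDR_BOUND,
						 * but its work item has not unlinked the request yet */
	if (cancel_before_requery)
		model_addr_cancel(&addr);
	model_resolve_ip(&addr);		/* RESOLVE_IP: ADDR_BOUND -> ADDR_QUERY */
	model_addr_cancel(&addr);		/* DESTROY_ID -> rdma_addr_cancel() */
	first->in_list = false;			/* old work item finally unlinks itself */
	return model_dangling_requests(&addr);	/* id_priv is freed after this point */
}

int main(void)
{
	printf("no cancel before re-query: %d dangling\n", model_replay(false));
	printf("cancel before re-query:    %d dangling\n", model_replay(true));
	return 0;
}
```

In the first replay the cancel issued by DESTROY_ID matches the stale first entry and leaves the second, still-armed request on the list pointing at a handle that is about to be freed; in the second replay the extra cancel before re-resolving keeps the list to one entry per key, so DESTROY_ID's cancel reaches the live request.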
