Re: KASAN: use-after-free Read in rds_find_bound

Re: KASAN: use-after-free Read in rds_find_bound

[santosh.shilimkar]

On 12/30/17 1:17 AM, syzbot wrote:
> Hello,
> 
> syzkaller hit the following crash on 
> fba961ab29e5ffb055592442808bb0f7962e05da
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> Unfortunately, I don't have any reproducer for this bug yet.
> 
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+93a5839deb355537440f@syzkaller.appspotmail.com

Posted a fix[1] for above issue. Didn't test it but looks straight
forward.

Regards,
Santosh

Re: KASAN: use-after-free Read in rds_find_bound

[Dmitry Vyukov]

On Sat, Dec 30, 2017 at 8:41 PM, santosh.shilimkar@oracle.com
<santosh.shilimkar@oracle.com> wrote:
> On 12/30/17 1:17 AM, syzbot wrote:
>>
>> Hello,
>>
>> syzkaller hit the following crash on
>> fba961ab29e5ffb055592442808bb0f7962e05da
>> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>> Unfortunately, I don't have any reproducer for this bug yet.
>>
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+93a5839deb355537440f@syzkaller.appspotmail.com
>
>
> Posted a fix[1] for above issue. Didn't test it but looks straight
> forward.


Hi Santosh,

What is that fix? You forgot to provide any link/reference. I also
don't see any patches from you at around that date...

Re: KASAN: use-after-free Read in rds_find_bound

[Santosh Shilimkar]

On 2/13/2018 12:12 PM, Dmitry Vyukov wrote:
> On Sat, Dec 30, 2017 at 8:41 PM, santosh.shilimkar@oracle.com
> <santosh.shilimkar@oracle.com> wrote:
>> On 12/30/17 1:17 AM, syzbot wrote:
>>>
>>> Hello,
>>>
>>> syzkaller hit the following crash on
>>> fba961ab29e5ffb055592442808bb0f7962e05da
>>> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached
>>> Raw console output is attached.
>>> Unfortunately, I don't have any reproducer for this bug yet.
>>>
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+93a5839deb355537440f@syzkaller.appspotmail.com
>>
>>
>> Posted a fix[1] for above issue. Didn't test it but looks straight
>> forward.
> 
> 
> Hi Santosh,
> 
> What is that fix? You forgot to provide any link/reference. I also
> don't see any patches from you at around that date...
> 
Fix [1] was later not added since there was a still a race. Wanted to
see if the issue re-appears after recent netns fix [2].

Regards,
Santosh


[1] https://patchwork.kernel.org/patch/10137901/
[2] https://patchwork.ozlabs.org/patch/868902/

Re: KASAN: use-after-free Read in rds_find_bound

[Dmitry Vyukov]

On Wed, Feb 14, 2018 at 5:53 PM, Santosh Shilimkar
<santosh.shilimkar@oracle.com> wrote:
>>> On 12/30/17 1:17 AM, syzbot wrote:
>>>>
>>>>
>>>> Hello,
>>>>
>>>> syzkaller hit the following crash on
>>>> fba961ab29e5ffb055592442808bb0f7962e05da
>>>> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
>>>> compiler: gcc (GCC) 7.1.1 20170620
>>>> .config is attached
>>>> Raw console output is attached.
>>>> Unfortunately, I don't have any reproducer for this bug yet.
>>>>
>>>>
>>>> IMPORTANT: if you fix the bug, please add the following tag to the
>>>> commit:
>>>> Reported-by: syzbot+93a5839deb355537440f@syzkaller.appspotmail.com
>>>
>>>
>>>
>>> Posted a fix[1] for above issue. Didn't test it but looks straight
>>> forward.
>>
>>
>>
>> Hi Santosh,
>>
>> What is that fix? You forgot to provide any link/reference. I also
>> don't see any patches from you at around that date...
>>
> Fix [1] was later not added since there was a still a race. Wanted to
> see if the issue re-appears after recent netns fix [2].


We will not see if the bug re-appears or not until this bug is closed.
Please see this recent discussion about another rds bug:
https://groups.google.com/d/msg/syzkaller-bugs/3XjmOzr5jRU/g7pXIsY1BgAJ
In the current state syzbot will never report bugs in these functions again.

Re: KASAN: use-after-free Read in rds_find_bound

[Santosh Shilimkar]

On 2/14/2018 9:14 AM, Dmitry Vyukov wrote:
> On Wed, Feb 14, 2018 at 5:53 PM, Santosh Shilimkar
> <santosh.shilimkar@oracle.com> wrote:

[...]

>>> Hi Santosh,
>>>
>>> What is that fix? You forgot to provide any link/reference. I also
>>> don't see any patches from you at around that date...
>>>
>> Fix [1] was later not added since there was a still a race. Wanted to
>> see if the issue re-appears after recent netns fix [2].
> 
> 
> We will not see if the bug re-appears or not until this bug is closed.
> Please see this recent discussion about another rds bug:
> https://groups.google.com/d/msg/syzkaller-bugs/3XjmOzr5jRU/g7pXIsY1BgAJ
> In the current state syzbot will never report bugs in these functions again.
> 
OK. Can you close that one then in that case ?

Re: KASAN: use-after-free Read in rds_find_bound

[Dmitry Vyukov]

On Wed, Feb 14, 2018 at 6:35 PM, Santosh Shilimkar
<santosh.shilimkar@oracle.com> wrote:
>>>> Hi Santosh,
>>>>
>>>> What is that fix? You forgot to provide any link/reference. I also
>>>> don't see any patches from you at around that date...
>>>>
>>> Fix [1] was later not added since there was a still a race. Wanted to
>>> see if the issue re-appears after recent netns fix [2].
>>
>>
>>
>> We will not see if the bug re-appears or not until this bug is closed.
>> Please see this recent discussion about another rds bug:
>> https://groups.google.com/d/msg/syzkaller-bugs/3XjmOzr5jRU/g7pXIsY1BgAJ
>> In the current state syzbot will never report bugs in these functions
>> again.
>>
> OK. Can you close that one then in that case ?

Anybody can do this:

#syz fix: rds: tcp: use rds_destroy_pending() to synchronize
netns/module teardown and rds connection/workq management

syzbot provides full self-service, see first email and in particular this:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot

Thanks

Re: KASAN: use-after-free Read in rds_find_bound

[Santosh Shilimkar]

On 2/14/2018 9:52 AM, Dmitry Vyukov wrote:
> On Wed, Feb 14, 2018 at 6:35 PM, Santosh Shilimkar
> <santosh.shilimkar@oracle.com> wrote:
>>>>> Hi Santosh,
>>>>>
>>>>> What is that fix? You forgot to provide any link/reference. I also
>>>>> don't see any patches from you at around that date...
>>>>>
>>>> Fix [1] was later not added since there was a still a race. Wanted to
>>>> see if the issue re-appears after recent netns fix [2].
>>>
>>>
>>>
>>> We will not see if the bug re-appears or not until this bug is closed.
>>> Please see this recent discussion about another rds bug:
>>> https://groups.google.com/d/msg/syzkaller-bugs/3XjmOzr5jRU/g7pXIsY1BgAJ
>>> In the current state syzbot will never report bugs in these functions
>>> again.
>>>
>> OK. Can you close that one then in that case ?
> 
> Anybody can do this:
>
I see.

> #syz fix: rds: tcp: use rds_destroy_pending() to synchronize
> netns/module teardown and rds connection/workq management
> 
> syzbot provides full self-service, see first email and in particular this:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot
> 
ok will have a look.

Regards,
Santosh