From: Cong Wang
Date: Tue, 16 Jan 2018 10:55:43 -0800
Subject: Re: KASAN: use-after-free Read in tipc_group_is_open
To: Jon Maloy
Cc: syzbot, David Miller, LKML, Linux Kernel Network Developers, syzkaller-bugs@googlegroups.com, tipc-discussion@lists.sourceforge.net, Ying Xue
In-Reply-To / References: <001a114454c0af5a300562dcbc51@google.com>
List-ID: linux-kernel@vger.kernel.org

On Tue, Jan 16, 2018 at 5:23 AM, Jon Maloy wrote:
>
>
>> -----Original Message-----
>> From: Cong Wang [mailto:xiyou.wangcong@gmail.com]
>> Sent: Monday, January 15, 2018 23:44
>> To: syzbot
>> Cc: David Miller; Jon Maloy; LKML; Linux Kernel Network Developers;
>> syzkaller-bugs@googlegroups.com; tipc-discussion@lists.sourceforge.net;
>> Ying Xue
>> Subject: Re: KASAN: use-after-free Read in tipc_group_is_open
>>
>> On Mon, Jan 15, 2018 at 7:58 PM, syzbot wrote:
>> > Hello,
>> >
>> > syzkaller hit the following crash on
>> > 594831a8aba3fd045c3212a3e3bb9788c77b989d
>> > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
>> > compiler: gcc (GCC) 7.1.1 20170620
>> > .config is attached
>> > Raw console output is attached.
>> > C reproducer is attached
>> > syzkaller reproducer is attached. See https://goo.gl/kgGztJ for
>> > information about syzkaller reproducers
>> >
>> >
>> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> > Reported-by: syzbot+799dafde0286795858ac@syzkaller.appspotmail.com
>> > It will help syzbot understand when the bug is fixed. See footer for
>> > details.
>> > If you forward the report, please keep this part and the footer.
>> >
>> >
>> > ==================================================================
>> > BUG: KASAN: use-after-free in tipc_group_is_open+0x3a/0x40
>> > net/tipc/group.c:106
>> > Read of size 1 at addr ffff8801d89f7378 by task syzkaller275009/3704
>> >
>> > CPU: 0 PID: 3704 Comm: syzkaller275009 Not tainted 4.15.0-rc7+ #190
>> > Hardware name: Google Google Compute Engine/Google Compute Engine,
>> > BIOS Google 01/01/2011
>> > Call Trace:
>> > __dump_stack lib/dump_stack.c:17 [inline]
>> > dump_stack+0x194/0x257 lib/dump_stack.c:53
>> > print_address_description+0x73/0x250 mm/kasan/report.c:252
>> > kasan_report_error mm/kasan/report.c:351 [inline]
>> > kasan_report+0x25b/0x340 mm/kasan/report.c:409
>> > __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
>> > tipc_group_is_open+0x3a/0x40 net/tipc/group.c:106
>> > tipc_poll+0x364/0x4d0 net/tipc/socket.c:740
>>
>>
>> commit eb929a91b213d2a72c5a8b4af9a1acf63bfb8287
>> Author: Jon Maloy
>> Date: Mon Jan 8 21:03:31 2018 +0100
>>
>> tipc: improve poll() for group member socket
>>
>> Apparently Jon's commit doesn't fix this. I also don't understand why Jon
>> believes sock_poll_wait() could sync with the setsockopt path...
>
> While sock_poll_wait() is sleeping, it is possible that the item the 'grp'
> stack variable is pointing to might be deleted, invalidating the pointer.
> This is why I moved the initialization of the pointer to after sock_poll_wait().

This doesn't matter at all as long as it doesn't sync with the setsockopt() path.

> However, now tipc_sock->group is clearly set to NULL at both locations where
> a group item might be deleted, so the reason for the warning must be
> something else.
> I am open to suggestions.

Another thread calling tipc_sk_join() could jump in at any time since we don't
have the sock locked here. This is why I said we probably need to lock the sock
here, unless of course you can refactor the logic to make tipc_poll() not touch
tsk->group.
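A user-space model of the race discussed in this reply, added here as an illustration; it is not code from the thread or from net/tipc. It imitates the two paths at the level the discussion is about: poll() loads tsk->group and dereferences it after a window in which sock_poll_wait() may sleep, while the setsockopt() leave path clears the pointer and frees the object under the socket lock. All model_* names, the 'freed' flag standing in for kfree(), and the trylock standing in for a sleeping lock_sock() are assumptions of the example, not TIPC internals.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not kernel code: a single-threaded user-space model of
 * the race discussed above. poll() loads the socket's 'group' pointer while the
 * setsockopt() leave path can clear and free it under the socket lock. All
 * model_* names are assumptions; 'freed' stands in for kfree() so the stale
 * read stays observable, as it would be under KASAN. */
struct model_group {
	bool open;	/* what tipc_group_is_open() reports */
	bool freed;	/* set instead of freeing, so the stale read is visible */
};

struct model_sock {
	int locked;			/* 1 while the socket lock is held */
	struct model_group *group;	/* tsk->group; NULL when not a member */
	int uaf_reads;			/* reads that touched a freed group */
	int leave_blocked;		/* leave attempts that found the lock held */
};

/* lock_sock()/release_sock() model; a failed trylock stands for "the other
 * task sleeps on the lock until poll() releases it". */
static void model_lock_sock(struct model_sock *tsk)    { tsk->locked = 1; }
static void model_release_sock(struct model_sock *tsk) { tsk->locked = 0; }
static bool model_trylock_sock(struct model_sock *tsk)
{
	if (tsk->locked)
		return false;
	tsk->locked = 1;
	return true;
}

/* Model of tipc_group_is_open(): a one-byte read from the group object. */
static bool model_group_is_open(struct model_sock *tsk, const struct model_group *grp)
{
	if (grp && grp->freed)
		tsk->uaf_reads++;	/* the read KASAN flagged */
	return grp && grp->open;
}

/* Model of the setsockopt() leave path: clear tsk->group and free the object,
 * all under the socket lock. */
void model_sk_leave(struct model_sock *tsk)
{
	struct model_group *grp;

	if (!model_trylock_sock(tsk)) {
		tsk->leave_blocked++;	/* would sleep until poll() unlocks */
		return;
	}
	grp = tsk->group;
	tsk->group = NULL;
	if (grp)
		*grp = (struct model_group){ false, true };	/* "kfree(grp)" */
	model_release_sock(tsk);
}

/* Hook run between "load tsk->group" and "dereference it": the window in
 * which sock_poll_wait() sleeps and another task can run. */
typedef void (*model_interleave_fn)(struct model_sock *);

/* Unlocked poll, as the thread describes tipc_poll(): nothing keeps the
 * leave path out of the window. */
bool model_poll_unlocked(struct model_sock *tsk, model_interleave_fn other)
{
	struct model_group *grp = tsk->group;

	if (other)
		other(tsk);
	return model_group_is_open(tsk, grp);	/* stale grp: use-after-free */
}

/* Locked poll, the fix suggested in the reply: load and dereference with the
 * socket lock held, so the leave path cannot run in between. */
bool model_poll_locked(struct model_sock *tsk, model_interleave_fn other)
{
	model_lock_sock(tsk);
	struct model_group *grp = tsk->group;

	if (other)
		other(tsk);			/* finds the lock held, waits */
	bool open = model_group_is_open(tsk, grp);
	model_release_sock(tsk);
	return open;
}

/* Runs one variant on a fresh member socket with a leave injected into the
 * window and reports what happened. */
struct model_result { bool poll_said_open; int uaf_reads; int leave_blocked; bool still_member; };

struct model_result model_run(bool lock_in_poll)
{
	struct model_group grp = { true, false };
	struct model_sock tsk = { 0, &grp, 0, 0 };
	struct model_result r;

	r.poll_said_open = lock_in_poll ? model_poll_locked(&tsk, model_sk_leave)
					: model_poll_unlocked(&tsk, model_sk_leave);
	r.uaf_reads = tsk.uaf_reads;
	r.leave_blocked = tsk.leave_blocked;
	r.still_member = tsk.group != NULL;
	return r;
}
```

model_run(false) records a read of the dead object even though the leave path did set tsk->group to NULL before freeing it: clearing the pointer does nothing for a reader that already took its own copy outside the lock. model_run(true) shows the leave path finding the lock held and having to wait, so the copy poll() holds cannot go stale inside the window; this is what taking the socket lock in poll() buys, at the cost of poll() now contending with setsockopt() and the data path for that lock.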