From: Dmitry Vyukov
Date: Wed, 14 Feb 2018 16:11:57 +0100
Subject: Re: KASAN: use-after-free Read in rds_tcp_tune
To: Sowmini Varadhan
Cc: syzbot, David Miller, LKML, linux-rdma@vger.kernel.org, netdev, rds-devel@oss.oracle.com, Santosh Shilimkar, syzkaller-bugs@googlegroups.com
In-Reply-To: <20180112183046.GA26098@oracle.com>
References: <001a1141a524c513ca05628d8ad4@google.com> <20180112183046.GA26098@oracle.com>
List-ID: linux-kernel@vger.kernel.org

On Fri, Jan 12, 2018 at 7:30 PM, Sowmini Varadhan wrote:
> On (01/11/18 21:29), syzbot wrote:
>> ==================================================================
>> BUG: KASAN: use-after-free in rds_tcp_tune+0x491/0x520 net/rds/tcp.c:397
>> Read of size 4 at addr ffff8801cd5f6c58 by task kworker/u4:4/4954
>
> Just had an offline discussion with santosh around this, here's a summary
> of that discussion for the archives:
>
> Looks like an rds_connect_worker workq got scheduled after the
> netns was deleted. This could happen if an rds_connection got
> added between lines 528 and 529 of
>
> 506 static void rds_tcp_kill_sock(struct net *net)
>     :
>     /* code to pull out all the rds_connections that should be destroyed */
>     :
> 528         spin_unlock_irq(&rds_tcp_conn_lock);
> 529         list_for_each_entry_safe(tc, _tc, &tmp_list, t_tcp_node)
> 530                 rds_conn_destroy(tc->t_cpath->cp_conn);
>
> Such an rds_connection would miss out the rds_conn_destroy()
> loop (that cancels all pending work) and (if it was scheduled
> after netns deletion) could trigger the use-after-free.
>
> Evaluating various fixes for this (including using _bh instead of _irq
> as suggested by santosh), I'll get back with a patch soon.

Hi Sowmini,

Was this ever fixed? What's the fix? This still hangs as open.
Please provide "syz fix" tag.
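The window Sowmini describes (a connection added after rds_tcp_kill_sock() drops rds_tcp_conn_lock but before the rds_conn_destroy() loop runs) can be reproduced deterministically in user space. The C below is an added illustration, not the kernel's code and not the patch this thread asks about: it models the snapshot-then-destroy pattern with a single-threaded stand-in for the spinlock, injects the concurrent add into the gap, and counts the connections that keep a queued worker after teardown. The `destroy_pending` flag and the check in `conn_add()` are an assumed mitigation chosen for the model (set under the same lock the add path takes, so nothing can slip in after the snapshot); whether the real fix took that shape is not something this message states.

```c
/* Added model of the rds_tcp_kill_sock() race; not kernel code. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct conn {                     /* one rds_connection, reduced to the essentials */
    struct conn *next;
    int id;
    bool work_pending;            /* a connect worker is still queued for it */
};

struct netns_model {              /* per-netns state */
    bool locked;                  /* deterministic stand-in for rds_tcp_conn_lock */
    struct conn *conns;
    bool destroy_pending;         /* hypothetical flag: teardown has started */
};

static void ns_lock(struct netns_model *ns)   { assert(!ns->locked); ns->locked = true; }
static void ns_unlock(struct netns_model *ns) { assert(ns->locked);  ns->locked = false; }

/* Add a connection and queue its connect work. Refused once destroy_pending
 * is set; in the racy variant the flag is never set, so the check is inert. */
static struct conn *conn_add(struct netns_model *ns, int id)
{
    ns_lock(ns);
    if (ns->destroy_pending) {
        ns_unlock(ns);
        return NULL;              /* netns is going away: do not create work */
    }
    struct conn *c = calloc(1, sizeof(*c));
    c->id = id;
    c->work_pending = true;
    c->next = ns->conns;
    ns->conns = c;
    ns_unlock(ns);
    return c;
}

/* Model of rds_tcp_kill_sock(): move the connections onto tmp_list under the
 * lock, drop the lock, then destroy them (cancelling their work). `racer`
 * runs in the gap after the unlock, i.e. between lines 528 and 529 of the
 * quoted code. Returns how many connections the destroy loop handled. */
static int kill_sock(struct netns_model *ns, bool hardened,
                     void (*racer)(struct netns_model *))
{
    ns_lock(ns);
    if (hardened)
        ns->destroy_pending = true;   /* assumed mitigation: flag set under the lock */
    struct conn *tmp_list = ns->conns;
    ns->conns = NULL;
    ns_unlock(ns);

    if (racer)
        racer(ns);                    /* the concurrent add lands here */

    int destroyed = 0;
    for (struct conn *c = tmp_list, *n; c; c = n) {
        n = c->next;
        c->work_pending = false;      /* the cancel-work step of rds_conn_destroy() */
        free(c);
        destroyed++;
    }
    return destroyed;                 /* after this the netns memory is released */
}

/* Connections still holding queued work once teardown is over: in the kernel
 * each one is a worker that would run against freed memory (the KASAN report). */
static int stale_work(const struct netns_model *ns)
{
    int n = 0;
    for (const struct conn *c = ns->conns; c; c = c->next)
        n += c->work_pending;
    return n;
}

static void late_add(struct netns_model *ns) { conn_add(ns, 99); }

/* Run one interleaving; returns the number of stale workers left behind. */
static int run_scenario(bool hardened)
{
    struct netns_model ns = {0};
    conn_add(&ns, 1);
    conn_add(&ns, 2);
    kill_sock(&ns, hardened, late_add);
    int stale = stale_work(&ns);
    for (struct conn *c = ns.conns, *n; c; c = n) {   /* release what the race leaked */
        n = c->next;
        free(c);
    }
    return stale;
}

int main(void)
{
    printf("racy: %d stale worker(s); hardened: %d\n",
           run_scenario(false), run_scenario(true));
    return 0;
}
```

The racy variant leaves one connection (id 99) with its worker queued, which is exactly the object the destroy loop never sees; the hardened variant refuses the add because the flag was raised before the snapshot, under the lock the add path must hold. The useful check for a reviewer of any such fix is the same as the model's: every path that can queue work must observe the teardown marker under the lock that orders it against the snapshot.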