Date: Fri, 19 May 2023 07:19:57 +0900
Subject: Re: [syzbot] [rdma?] KASAN: slab-use-after-free Read in siw_query_port
From: Tetsuo Handa
To: Fedor Pchelkin, Guoqing Jiang
Cc: syzbot, bmt@zurich.ibm.com, jgg@ziepe.ca, leon@kernel.org, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, syzkaller-bugs@googlegroups.com, Alexey Khoroshilov, lvc-project@linuxtesting.org
References: <0000000000001f992805fb79ce97@google.com> <5eacf66d-053e-d82b-1e73-c808fb4c8aad@linux.dev> <20230518202116.rpx53vp7rrtuixoa@fpc>
In-Reply-To: <20230518202116.rpx53vp7rrtuixoa@fpc>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2023/05/19 5:21, Fedor Pchelkin wrote:
> On our local Syzkaller instance the bug started to be caught after
> 266e9b3475ba ("RDMA/siw: Remove namespace check from siw_netdev_event()")
> so CC'ing Tetsuo Handa in case he would also be interested in the bug.

The UAF could not be observed until that commit because a hung task was observed until that commit, because syzkaller is testing a non-init_net namespace.

> This fix seems to be good and perhaps it just made a bigger opportunity
> for the UAF bug to happen. Actually, the C repro was taken from there [2].
>
> With your suggested solution the UAF is not reproduced. I don't know the
> exact reasons why dev_put() was placed before calling query_port() but the
> context implies that netdev can be freed in that period. And some of
> ->query_port() realizations may touch netdev. So it seems reasonable to
> move ref count put after performing query_port().

Since ib_device_get_netdev() calls dev_hold() on success, I think that we need to call dev_put() after query_port().
Please send as a formal patch.
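The ordering problem the two replies above agree on, as an added userland model that is not part of this thread and not kernel code: a reference taken by a get-helper (the analogue of ib_device_get_netdev() calling dev_hold()) is dropped either before or after the ->query_port() callback touches the object, while a concurrent unregister drops the owner's reference in between. All names here (ndev_model, model_get_netdev, model_query_port, run_query) are hypothetical; instead of freeing the object when its refcount reaches zero, the model poisons it so the use-after-free is detected deterministically, the job KASAN does in the real report.

```c
/* Userland model of "dev_put() before vs. after ->query_port()".
 * Hypothetical names; not the kernel's net_device or ib_query_port(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ndev_model {
    int refcnt;
    int freed;          /* poison flag: set when the last reference is dropped */
    char name[16];
    int mtu;
};

struct port_attr_model {
    int max_mtu;
};

static struct ndev_model *ndev_model_alloc(const char *name, int mtu)
{
    struct ndev_model *d = calloc(1, sizeof(*d));
    if (!d)
        return NULL;
    d->refcnt = 1;      /* the registering driver ("owner") holds one reference */
    snprintf(d->name, sizeof(d->name), "%s", name);
    d->mtu = mtu;
    return d;
}

static void ndev_model_hold(struct ndev_model *d) { d->refcnt++; }

static void ndev_model_put(struct ndev_model *d)
{
    if (--d->refcnt == 0)
        d->freed = 1;   /* the kernel would free the memory here */
}

/* Analogue of ib_device_get_netdev(): returns the netdev with a reference held. */
static struct ndev_model *model_get_netdev(struct ndev_model *owner_dev)
{
    ndev_model_hold(owner_dev);
    return owner_dev;
}

/* A ->query_port() that reads netdev state (the thread notes that some
 * implementations do). Returns -1 if it touches an already-freed device. */
static int model_query_port(struct ndev_model *ndev, struct port_attr_model *attr)
{
    if (ndev->freed)
        return -1;      /* this read is the slab-use-after-free in the report */
    attr->max_mtu = ndev->mtu;
    return 0;
}

/* Runs get -> (put?) -> concurrent unregister -> query -> (put?).
 * put_before_query != 0 selects the ordering the thread identifies as buggy. */
int run_query(int put_before_query, int *max_mtu)
{
    struct ndev_model *dev = ndev_model_alloc("siw0", 1500);   /* constructed sample device */
    struct port_attr_model attr = {0};
    struct ndev_model *ndev;
    int ret;

    if (!dev)
        return -1;
    ndev = model_get_netdev(dev);          /* refcnt 2: owner + ours */
    if (put_before_query)
        ndev_model_put(ndev);              /* refcnt 1: only the owner's reference remains */

    ndev_model_put(dev);                   /* concurrent unregister: owner drops its reference */

    ret = model_query_port(ndev, &attr);   /* buggy order: refcnt already hit 0 above */
    if (!put_before_query)
        ndev_model_put(ndev);              /* fixed order: release only after the last use */

    if (ret == 0 && max_mtu)
        *max_mtu = attr.max_mtu;
    free(dev);                             /* model bookkeeping only; the object was never really freed */
    return ret;
}

int main(void)
{
    int mtu = 0;
    printf("put before query_port: %s\n", run_query(1, NULL) ? "use-after-free" : "ok");
    printf("put after query_port:  %s (max_mtu=%d)\n",
           run_query(0, &mtu) ? "use-after-free" : "ok", mtu);
    return 0;
}
```

The model is single-threaded on purpose: the "concurrent" unregister is placed exactly where the race window would have to open, which is what makes the outcome deterministic. With the put moved after the query the owner's put leaves the caller's reference intact, so the callback still sees a live object and the last put frees it only afterwards.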