Date: Tue, 14 Nov 2017 01:57:00 -0500
From: Sowmini Varadhan
To: Girish Moodalbail
Cc: syzbot, davem@davemloft.net, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, netdev@vger.kernel.org, rds-devel@oss.oracle.com, santosh.shilimkar@oracle.com, syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in rds_tcp_dev_event
Message-ID: <20171114065700.GK26261@oracle.com>
In-Reply-To: <9e71dff9-7ba8-a3c2-6862-fb8557546a54@oracle.com>

On (11/13/17 19:30), Girish Moodalbail wrote:
> (L538-540). However, it leaves behind some of the rds_tcp connections that
> shared the same underlying RDS connection (L534 and 535). These connections
> with pointer to stale network namespace are left behind in the global list.

It leaves behind no such thing. After mprds, you want to collect
only one instance of the conn that is being removed, that's why
lines 534-535 skip over duplicate instances of the same conn
(for multiple paths in the same conn).

> When the 2nd network namespace is deleted, we will hit the above stale
> pointer and hit UAF panic.

> I think we should move away from global list to a per-namespace list. The
> global list is used only in two places (both of which are per-namespace
> operations):

Nice try, but not so. Let me look at this tomorrow, I missed this
mail in my mbox.

--Sowmini