Message-ID: <20200218191351.GF31668@ziepe.ca>
Date: Tue, 18 Feb 2020 15:13:51 -0400
From: Jason Gunthorpe <jgg@...pe.ca>
To: Hillf Danton <hdanton@...a.com>
Cc: syzbot <syzbot+adb15cf8c2798e4e0db4@...kaller.appspotmail.com>,
chuck.lever@...cle.com, danielj@...lanox.com, danitg@...lanox.com,
dledford@...hat.com, leon@...nel.org, linux-kernel@...r.kernel.org,
linux-rdma@...r.kernel.org, parav@...lanox.com,
swise@...ngridcomputing.com, syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in rdma_listen (2)
On Tue, Feb 18, 2020 at 08:27:17PM +0800, Hillf Danton wrote:
> Check if rdma is being reclaimed before listening on device while
> reclaimer is waiting for rdma to become quiescent.

This is the usual syzkaller bug in rdma_cm.

The test causes rdma_resolve_addr() and rdma_listen() to run
concurrently.

There is no sane locking, so in turn this causes invariants to become
violated, in particular, in rdma_listen() we can have !id->device
but also !cma_any_addr(cma_src_addr(id_priv)).

This causes cma_listen_on_all() to wrongly be called and because the
invariant is screwed up cma_cancel_listens() doesn't undo it.

Thus we fail to list_del id_priv->list from the listen_any_list and
the next manipulation of the list gets a use-after on the list member
which was now freed.

The fix is the same as all the others, add some kind of locking
instead of all this defective cma_comp_exch() thing.

Jason
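To make the invariant argument above concrete, here is an added, deliberately simplified C model of the race; it is not the kernel's rdma_cm code and every name in it (model_id, on_listen_any_list, the split resolve steps, resolve_addr_locked, destroy_leaves_dangling_entry) is a hypothetical stand-in. It shows why an unlocked rdma_listen() running between the two writes of address resolution ends with an id that cma_cancel_listens() never unlinks, and why serialising the transition removes that interleaving.

```c
/* Added, hypothetical model of the race in the mail above, not kernel code.
 * model_id stands in for id_priv, on_listen_any_list for listen_any_list
 * membership, listen() for cma_listen_on_all(), cancel_listens() for
 * cma_cancel_listens(). Invariant: no device bound => source address is ANY.
 * resolve_addr writes the fields separately; unlocked listen can run between. */
#include <stdbool.h>
#include <stddef.h>

struct model_id {
    const char *device;      /* NULL until resolution binds a device */
    bool src_is_any;         /* true while the source address is ANY */
    bool on_listen_any_list; /* linked on the global listen-any list? */
};

static void resolve_step_addr(struct model_id *id)   { id->src_is_any = false; }
static void resolve_step_device(struct model_id *id) { id->device = "dev0"; }

/* No device means "listen on all", which links the id on the list. */
static void listen(struct model_id *id)
{ if (id->device == NULL) id->on_listen_any_list = true; }

/* The undo keys on the address, trusting the invariant listen relied on. */
static void cancel_listens(struct model_id *id)
{ if (id->src_is_any) id->on_listen_any_list = false; }

/* Locked variant: the state check and both writes are one critical section,
 * so listen sees the id either wholly before or wholly after resolution. */
static bool resolve_addr_locked(struct model_id *id)
{
    if (id->on_listen_any_list)   /* already listening: transition refused */
        return false;
    resolve_step_addr(id); resolve_step_device(id);
    return true;
}

/* 0: unlocked race; 1: locked, listen first; 2: locked, resolve first.
 * Returns true if destroy leaves the id linked (next list walk is a UAF). */
bool destroy_leaves_dangling_entry(int scenario)
{
    struct model_id id = { NULL, true, false };
    if (scenario == 0) {          /* listen slips between the two writes */
        resolve_step_addr(&id); listen(&id); resolve_step_device(&id);
    } else if (scenario == 1) {   /* resolve refused; id stays consistent */
        listen(&id); resolve_addr_locked(&id);
    } else {                      /* device bound, so listen links nothing */
        resolve_addr_locked(&id); listen(&id);
    }
    cancel_listens(&id);          /* destroy path tries to unlink */
    return id.on_listen_any_list;
}
```

Only scenario 0 leaves the entry linked; in the real driver that dangling list member is what the next list walk dereferences after the id is freed, which is exactly what KASAN reports.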