lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20171114132221.GB1980@oracle.com>
Date:   Tue, 14 Nov 2017 08:22:21 -0500
From:   Sowmini Varadhan <sowmini.varadhan@...cle.com>
To:     Girish Moodalbail <girish.moodalbail@...cle.com>
Cc:     syzbot 
        <bot+643ecad3f5bb49700e839363b608c4928f6db8f0@...kaller.appspotmail.com>,
        davem@...emloft.net, netdev@...r.kernel.org,
        rds-devel@....oracle.com, santosh.shilimkar@...cle.com,
        syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in rds_tcp_dev_event



A few questions. 

- First off, why am I not seeing the original mail in this thread 
  even when I search the mail archives, e.g.,
    https://lkml.org/lkml/2017/11/13/954

-  Girish Moodalbail writes:

> The issue here is that we are trying to reference a network namespace
> (struct net *) that is long gone (i.e., L532 below -- c_net is the culprit).

  The netns is not "long gone", we are still processing
  the NETDEV_UNREGISTER_FINAL for loopback. As I said in my
  earlier mail, the idea is to extract the list of unique conns
  that belong to the netns and then destroy both the conn, and
  all associated paths. Thus there can only be a single thread
  going through rds_tcp_kill_sock at any time (since we should
  only get the unregister_final/loopback one time for the netns).
  (See alos comment block in rds_tcp_dev_event about network activity
  quiescing). Thus there should be no concurrency issue.  

  However when I just ehecked this, there may be some rds connection
  refcounting bug. When I quickly tested this, I'm not seeing the
  expected calls to conn_path_destroy. I'll need some time to take
  a look, this has been known to work, so something got broken along
  the way
 
> I think we should move away from global list to a per-namespace list. The
> global list are used only in two places (both of which are per-namespace
> operations):

let's first understand the real root-cause before we start
redesigning data-structures.

--Sowmini

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ