Re: [RDMA bug] KASAN: use-after-free Read in __list_del_entry_valid (4)

From: Jason Gunthorpe
Date: Thu Aug 23 2018 - 10:55:04 EST

Next message: Pierre Morel: "Re: [PATCH v9 21/22] KVM: s390: CPU model support for AP virtualization"
Previous message: Kedareswararao Appana: "Query on dma_set_mask_and_coherent() Usage"
In reply to: Eric Biggers: "Re: [RDMA bug] KASAN: use-after-free Read in __list_del_entry_valid (4)"
Next in thread: Parav Pandit: "RE: [RDMA bug] KASAN: use-after-free Read in __list_del_entry_valid (4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 22, 2018 at 11:16:31PM -0700, Eric Biggers wrote:
> Hello RDMA / InfiniBand maintainers,
>
> This is an RDMA bug and it still occurs on Linus' tree as of today
> (commit 815f0ddb346c1960).
>
> I've also simplified the reproducer for it; see below after the original report.
> Apparently it involves a race between RDMA_USER_CM_CMD_RESOLVE_IP and
> RDMA_USER_CM_CMD_LISTEN.

That is an amazing reproducer!

I have a feeling this is the same cause as all the other syzkaller
bugs in this code: lack of any sane locking at all :\

We've talked about chucking a big lock around this whole thing, but
nobody has done it yet.. It isn't so simple.

Jason

Next message: Pierre Morel: "Re: [PATCH v9 21/22] KVM: s390: CPU model support for AP virtualization"
Previous message: Kedareswararao Appana: "Query on dma_set_mask_and_coherent() Usage"
In reply to: Eric Biggers: "Re: [RDMA bug] KASAN: use-after-free Read in __list_del_entry_valid (4)"
Next in thread: Parav Pandit: "RE: [RDMA bug] KASAN: use-after-free Read in __list_del_entry_valid (4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]