Re: KASAN: use-after-free Read in tcf_block_find

From: Cong Wang
Date: Thu Sep 27 2018 - 13:50:15 EST

Next message: Rajat Jain: "Re: sdhci driver card-detect is broken because gpiolib can't fallback to _CRS?"
Previous message: Souptick Joarder: "[PATCH] mm: Introduce new function vm_insert_kmem_page"
In reply to: Dmitry Vyukov: "Re: KASAN: use-after-free Read in tcf_block_find"
Next in thread: Dmitry Vyukov: "Re: KASAN: use-after-free Read in tcf_block_find"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Sep 27, 2018 at 1:11 AM Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
>
> Would a stack trace for call_rcu be helpful here? I have this idea for
> a long time, but never get around to implementing it:
> https://bugzilla.kernel.org/show_bug.cgi?id=198437

Yes. Generally speaking, showing backtrace of call_rcu()
or schedule_work(0 etc. is very helpful, we are more interested
in who calls call_rcu() than what that RCU callback does.

BTW, yesterday I asked syzbot to test this:
https://github.com/congwang/linux/commit/b7815584cf1c0bbb79e8f6fe3e4b66ba10375560
I still don't get any result.

For this specific bug, we should hold a refcnt in dev->qdisc, I don't
even see how call_rcu() could be invoked, unless of course we mess
up with qdisc refcnt.

Next message: Rajat Jain: "Re: sdhci driver card-detect is broken because gpiolib can't fallback to _CRS?"
Previous message: Souptick Joarder: "[PATCH] mm: Introduce new function vm_insert_kmem_page"
In reply to: Dmitry Vyukov: "Re: KASAN: use-after-free Read in tcf_block_find"
Next in thread: Dmitry Vyukov: "Re: KASAN: use-after-free Read in tcf_block_find"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]