Re: KASAN: use-after-free Read in rdma_listen (2)

From: Jason Gunthorpe
Date: Tue Feb 18 2020 - 14:13:55 EST

Next message: Mike Kravetz: "Re: [PATCH v12 1/9] hugetlb_cgroup: Add hugetlb_cgroup reservation counter"
Previous message: Jeffrey Kardatzke: "[PATCH] media: venus: support frame rate control"
In reply to: syzbot: "Re: KASAN: use-after-free Read in rdma_listen (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 18, 2020 at 08:27:17PM +0800, Hillf Danton wrote:
> Check if rdma is being reclaimed before listening on device while
> reclaimer is waiting for rdma to become quiesce.

This is the usual syzkaller bug in rdma_cm

The test causes rdma_resolve_addr() and rdma_listen() to run
concurrently.

There is no sane locking, so in turn this causes invariants to become
violated, in particular, in rdma_listen() we can have !id->device
but also !cma_any_addr(cma_src_addr(id_priv).

This causes cma_listen_on_all() to wrongly be called and because the
invariant is screwed up cma_cancel_listens() doesn't undo it.

Thus we fail to list_del id_priv->list from the listen_any_list and
the next manipulation of the list gets a use-after on the list member
which was now freed.

The fix is the same as all the others, add some kind of locking
instead of all this defective cma_comp_exch() thing..

Jason

Next message: Mike Kravetz: "Re: [PATCH v12 1/9] hugetlb_cgroup: Add hugetlb_cgroup reservation counter"
Previous message: Jeffrey Kardatzke: "[PATCH] media: venus: support frame rate control"
In reply to: syzbot: "Re: KASAN: use-after-free Read in rdma_listen (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]