subject:"KASAN\: use\-after\-free Read in cma_cancel

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

2021-04-19 Thread Jason Gunthorpe

On Tue, Apr 13, 2021 at 10:19:25PM +0800, Hao Sun wrote:
> Jason Gunthorpe  于2021年4月13日周二 下午9:45写道：
> >
> > On Tue, Apr 13, 2021 at 09:42:43PM +0800, Hao Sun wrote:
> > > Jason Gunthorpe  于2021年4月13日周二 下午9:34写道：
> > > >
> > > > On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> > > > > Hi
> > > > >
> > > > > When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> > > > > the Linux kernel, I found two use-after-free bugs which have been
> > > > > reported a long time ago by Syzbot.
> > > > > Although the corresponding patches have been merged into upstream,
> > > > > these two bugs can still be triggered easily.
> > > > > The original information about Syzbot report can be found here:
> > > > > https://syzkaller.appspot.com/bug?id=8dc0bcd9dd6ec915ba10b3354740eb420884acaa
> > > > > https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> > > >
> > > > Then why hasn't syzbot seen this in a year's time? Seems strange
> > > >
> > >
> > > Seems strange to me too, but the fact is that the reproduction program
> > > in attachment can trigger these two bugs quickly.
> >
> > Do you have this in the C format?
> >
> 
> Just tried to use syz-prog2c to convert the repro-prog to C format.
> The repro program of  rdma_listen was successfully reproduced
> (uploaded in attachment), the other one failed. it looks like
> syz-prog2c may not be able to do the equivalent conversion.
> You can use syz-execprog to execute the reprogram directly, this
> method can reproduce both crashes, I have tried it.

I tried this program and it reliably deadlocks my kernel :|

So there is certainly something here

Jason

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

2021-04-13 Thread Hao Sun

Jason Gunthorpe  于2021年4月13日周二 下午9:45写道：
>
> On Tue, Apr 13, 2021 at 09:42:43PM +0800, Hao Sun wrote:
> > Jason Gunthorpe  于2021年4月13日周二 下午9:34写道：
> > >
> > > On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> > > > Hi
> > > >
> > > > When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> > > > the Linux kernel, I found two use-after-free bugs which have been
> > > > reported a long time ago by Syzbot.
> > > > Although the corresponding patches have been merged into upstream,
> > > > these two bugs can still be triggered easily.
> > > > The original information about Syzbot report can be found here:
> > > > https://syzkaller.appspot.com/bug?id=8dc0bcd9dd6ec915ba10b3354740eb420884acaa
> > > > https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> > >
> > > Then why hasn't syzbot seen this in a year's time? Seems strange
> > >
> >
> > Seems strange to me too, but the fact is that the reproduction program
> > in attachment can trigger these two bugs quickly.
>
> Do you have this in the C format?
>

Just tried to use syz-prog2c to convert the repro-prog to C format.
The repro program of  rdma_listen was successfully reproduced
(uploaded in attachment), the other one failed. it looks like
syz-prog2c may not be able to do the equivalent conversion.
You can use syz-execprog to execute the reprogram directly, this
method can reproduce both crashes, I have tried it.

For reproduction prog of  cma_cancel_operation,  using syz-execprog
can run this reproduction program directly:
 ./syz-execprog  -threaded -repeat 0 -procs 2 -slowdown 1 -enable tun
-enable netdev -enable resetnet -enable cgroups -enable binfmt-misc
-enable close_fds -enable devlinkpci -enable usb -enable vhci -enable
wifi -enable ieee802154 -enable sysctl repro.prog
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

static __thread int skip_segv;
static __thread jmp_buf segv_env;

static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  int skip = __atomic_load_n(_segv, __ATOMIC_RELAXED) != 0;
  int valid = addr < prog_start || addr > prog_end;
  if (skip && valid) {
_longjmp(segv_env, 1);
  }
  exit(sig);
}

static void install_segv_handler(void)
{
  struct sigaction sa;
  memset(, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, , NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, , NULL, 8);
  memset(, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, , NULL);
  sigaction(SIGBUS, , NULL);
}

#define NONFAILING(...)\
  ({   \
int ok = 1;\
__atomic_fetch_add(_segv, 1, __ATOMIC_SEQ_CST);   \
if (_setjmp(segv_env) == 0) {  \
  __VA_ARGS__; \
} else \
  ok = 0;  \
__atomic_fetch_sub(_segv, 1, __ATOMIC_SEQ_CST);   \
ok;\
  })

static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, ))
exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 100;
}

static void use_temporary_dir(void)
{
  char tmpdir_template[] = "./syzkaller.XX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
exit(1);
  if (chmod(tmpdir, 0777))
exit(1);
  if (chdir(tmpdir))
exit(1);
}

static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
return false;
  if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
  }
  close(fd);
  return true;
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)
static void remove_dir(const char* dir)
{
  int iter = 0;
  DIR* dp = 0;
retry:
  while (umount2(dir, MNT_DETACH) == 0) {
  }
  dp = opendir(dir);
  if (dp == NULL) {
if (errno == EMFILE) {
  exit(1);
}
exit(1);
  }
  struct dirent* ep = 0;
  while ((ep = readdir(dp))) {
if

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

2021-04-13 Thread Haakon Bugge



> On 13 Apr 2021, at 15:44, Jason Gunthorpe  wrote:
> 
> On Tue, Apr 13, 2021 at 09:42:43PM +0800, Hao Sun wrote:
>> Jason Gunthorpe  于2021年4月13日周二 下午9:34写道：
>>> 
>>> On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
 Hi
 
 When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
 the Linux kernel, I found two use-after-free bugs which have been
 reported a long time ago by Syzbot.
 Although the corresponding patches have been merged into upstream,
 these two bugs can still be triggered easily.
 The original information about Syzbot report can be found here:
 https://syzkaller.appspot.com/bug?id=8dc0bcd9dd6ec915ba10b3354740eb420884acaa
 https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
>>> 
>>> Then why hasn't syzbot seen this in a year's time? Seems strange
>>> 
>> 
>> Seems strange to me too, but the fact is that the reproduction program
>> in attachment can trigger these two bugs quickly.
> 
> Do you have this in the C format?

How can a commit changing arch m68k provoke a bug when running on x86_64?


Håkon

> 
> Jason

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

2021-04-13 Thread Jason Gunthorpe

On Tue, Apr 13, 2021 at 09:42:43PM +0800, Hao Sun wrote:
> Jason Gunthorpe  于2021年4月13日周二 下午9:34写道：
> >
> > On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> > > Hi
> > >
> > > When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> > > the Linux kernel, I found two use-after-free bugs which have been
> > > reported a long time ago by Syzbot.
> > > Although the corresponding patches have been merged into upstream,
> > > these two bugs can still be triggered easily.
> > > The original information about Syzbot report can be found here:
> > > https://syzkaller.appspot.com/bug?id=8dc0bcd9dd6ec915ba10b3354740eb420884acaa
> > > https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> >
> > Then why hasn't syzbot seen this in a year's time? Seems strange
> >
> 
> Seems strange to me too, but the fact is that the reproduction program
> in attachment can trigger these two bugs quickly.

Do you have this in the C format?

Jason

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

2021-04-13 Thread Hao Sun

Jason Gunthorpe  于2021年4月13日周二 下午9:34写道：
>
> On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> > Hi
> >
> > When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> > the Linux kernel, I found two use-after-free bugs which have been
> > reported a long time ago by Syzbot.
> > Although the corresponding patches have been merged into upstream,
> > these two bugs can still be triggered easily.
> > The original information about Syzbot report can be found here:
> > https://syzkaller.appspot.com/bug?id=8dc0bcd9dd6ec915ba10b3354740eb420884acaa
> > https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
>
> Then why hasn't syzbot seen this in a year's time? Seems strange
>

Seems strange to me too, but the fact is that the reproduction program
in attachment can trigger these two bugs quickly.

> > Current report Information:
> > commit:   89698becf06d341a700913c3d89ce2a914af69a2
>
> What commit is this?

The latest commit in the master branch,
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

2021-04-13 Thread Jason Gunthorpe

On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> Hi
> 
> When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> the Linux kernel, I found two use-after-free bugs which have been
> reported a long time ago by Syzbot.
> Although the corresponding patches have been merged into upstream,
> these two bugs can still be triggered easily.
> The original information about Syzbot report can be found here:
> https://syzkaller.appspot.com/bug?id=8dc0bcd9dd6ec915ba10b3354740eb420884acaa
> https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b

Then why hasn't syzbot seen this in a year's time? Seems strange
 
> Current report Information:
> commit:   89698becf06d341a700913c3d89ce2a914af69a2

What commit is this?

Jason

Re: KASAN: use-after-free Read in cma_cancel_operation

2019-02-20 Thread Dmitry Vyukov

On Tue, Apr 3, 2018 at 5:01 AM syzbot
 wrote:
>
> Hello,
>
> syzbot hit the following crash on upstream commit
> 86bbbebac1933e6e95e8234c4f7d220c5ddd38bc (Mon Apr 2 18:47:07 2018 +)
> Merge branch 'ras-core-for-linus' of
> git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
> syzbot dashboard link:
> https://syzkaller.appspot.com/bug?extid=6956235342b7317ec564
>
> So far this crash happened 4 times on upstream.
> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6621340819783680
> syzkaller reproducer:
> https://syzkaller.appspot.com/x/repro.syz?id=6075521074987008
> Raw console output:
> https://syzkaller.appspot.com/x/log.txt?id=6447569127342080
> Kernel config:
> https://syzkaller.appspot.com/x/.config?id=6801295859785128502
> compiler: gcc (GCC) 7.1.1 20170620
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+6956235342b7317ec...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.

First crash: 323d, last: 12h23m

https://syzkaller.appspot.com/bug?extid=6956235342b7317ec564

> ==
> BUG: KASAN: use-after-free in __list_del_entry_valid+0x144/0x150
> lib/list_debug.c:54
> Read of size 8 at addr 8801d8dc7d20 by task syzkaller468166/4496
>
> CPU: 0 PID: 4496 Comm: syzkaller468166 Not tainted 4.16.0+ #376
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:17 [inline]
>   dump_stack+0x1a7/0x27d lib/dump_stack.c:53
>   print_address_description+0x73/0x250 mm/kasan/report.c:256
>   kasan_report_error mm/kasan/report.c:354 [inline]
>   kasan_report+0x23c/0x360 mm/kasan/report.c:412
>   __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
>   __list_del_entry_valid+0x144/0x150 lib/list_debug.c:54
>   __list_del_entry include/linux/list.h:117 [inline]
>   list_del include/linux/list.h:125 [inline]
>   cma_cancel_listens drivers/infiniband/core/cma.c:1569 [inline]
>   cma_cancel_operation+0x455/0xd60 drivers/infiniband/core/cma.c:1597
>   rdma_destroy_id+0xff/0xda0 drivers/infiniband/core/cma.c:1661
>   ucma_close+0x100/0x2f0 drivers/infiniband/core/ucma.c:1735
>   __fput+0x327/0x7f0 fs/file_table.c:209
>   fput+0x15/0x20 fs/file_table.c:243
>   task_work_run+0x1ab/0x280 kernel/task_work.c:113
>   exit_task_work include/linux/task_work.h:22 [inline]
>   do_exit+0x1986/0x2700 kernel/exit.c:865
>   do_group_exit+0x149/0x400 kernel/exit.c:968
>   get_signal+0x74c/0x16e0 kernel/signal.c:2469
>   do_signal+0x90/0x1e90 arch/x86/kernel/signal.c:809
>   exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:162
>   prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
>   syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
>   do_syscall_64+0x6ec/0x940 arch/x86/entry/common.c:292
>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
> RIP: 0033:0x446b09
> RSP: 002b:7f2b89150da8 EFLAGS: 0246 ORIG_RAX: 00ca
> RAX: fe00 RBX: 006e29fc RCX: 00446b09
> RDX:  RSI:  RDI: 006e29fc
> RBP: 006e29f8 R08:  R09: 
> R10:  R11: 0246 R12: 006d635f616d6472
> R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 0005
>
> Allocated by task 4493:
>   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>   set_track mm/kasan/kasan.c:459 [inline]
>   kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
>   kmem_cache_alloc_trace+0x136/0x740 mm/slab.c:3608
>   kmalloc include/linux/slab.h:512 [inline]
>   kzalloc include/linux/slab.h:701 [inline]
>   rdma_create_id+0xd0/0x640 drivers/infiniband/core/cma.c:787
>   ucma_create_id+0x35f/0x920 drivers/infiniband/core/ucma.c:480
>   ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1656
>   __vfs_write+0xef/0x970 fs/read_write.c:480
>   vfs_write+0x189/0x510 fs/read_write.c:544
>   SYSC_write fs/read_write.c:589 [inline]
>   SyS_write+0xef/0x220 fs/read_write.c:581
>   do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
>
> Freed by task 4496:
>   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>   set_track mm/kasan/kasan.c:459 [inline]
>   __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
>   kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
>   __cache_free mm/slab.c:3486 [inline]
>   kfree+0xd9/0x260 mm/slab.c:3801
>   rdma_destroy_id+0x821/0xda0 drivers/infiniband/core/cma.c:1691
>   ucma_close+0x100/0x2f0 drivers/infiniband/core/ucma.c:1735
>   __fput+0x327/0x7f0 fs/file_table.c:209
>   fput+0x15/0x20 fs/file_table.c:243
>   task_work_run+0x1ab/0x280 kernel/task_work.c:113
>   exit_task_work include/linux/task_work.h:22 [inline]
>   do_exit+0x1986/0x2700 kernel/exit.c:865
>   do_group_exit+0x149/0x400 kernel/exit.c:968
>   get_signal+0x74c/0x16e0

Re: KASAN: use-after-free Read in cma_cancel_operation

2018-05-17 Thread DaeRyong Jeong

On Sun, May 13, 2018 at 02:34:13PM -0600, Jason Gunthorpe wrote:
> On Fri, May 11, 2018 at 02:25:22PM +0900, DaeRyong Jeong wrote:
> > We report the crash: KASAN: use-after-free Read in cma_cancel_operation
> > 
> > Note that this bug is previously reported by syzkaller.
> > https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> > Nonetheless, this bug has not fixed yet, and we hope that this report and 
> > our
> > analysis, which gets help by the RaceFuzzer's feature, will helpful to fix 
> > the
> > crash.
> > 
> > This crash has been found in v4.17-rc1 using RaceFuzzer (a modified
> > version of Syzkaller), which we describe more at the end of this
> > report. Our analysis shows that the race occurs when invoking two
> > syscalls concurrently, write$rdma_cm and write$rdma_cm.
> 
> Well, calling rdma_destroy_id() twice/concurrently is invalid.. The
> confusing part of this is how does it happen from ucma.c ..
> 
> Double calls via write look OK to me, the ID is removed from the IDR
> at the top so it cannot be invoked twice.. So not sure what
> "write$rdma_cm and write$rdma_cm." is supposed to me?

It meant two write syscalls. One for ucma_listen, one for ucma_resolve_ip.
> 
> Is your test showing that write() vs close() is the problem? The oops
> suggests that.. And the logic around ctx->closing looks tortured
> enough that it is probably wrong...

My previous dianosis seems wrong... I'm sorry to make you confusing.
I'm looking into the code and trying to find out the cause of the crash.

> 
> Jason

We have found the one more crash. null-ptr-deref in cma_bind_listen caused
by two ucma_listen calls.
I think I have the clear idea why null-ptr-deref occured. I will send the
report for the null-ptr-deref. Please look at it.

We suspect that this crash and null-ptr-deref have the same root cause,
incomplete state check.
Hopefully, the second report is helpful to find out the root cause of this
bug.

DaeRyong Jeong

Re: KASAN: use-after-free Read in cma_cancel_operation

2018-05-17 Thread DaeRyong Jeong

On Sun, May 13, 2018 at 02:34:13PM -0600, Jason Gunthorpe wrote:
> On Fri, May 11, 2018 at 02:25:22PM +0900, DaeRyong Jeong wrote:
> > We report the crash: KASAN: use-after-free Read in cma_cancel_operation
> > 
> > Note that this bug is previously reported by syzkaller.
> > https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> > Nonetheless, this bug has not fixed yet, and we hope that this report and 
> > our
> > analysis, which gets help by the RaceFuzzer's feature, will helpful to fix 
> > the
> > crash.
> > 
> > This crash has been found in v4.17-rc1 using RaceFuzzer (a modified
> > version of Syzkaller), which we describe more at the end of this
> > report. Our analysis shows that the race occurs when invoking two
> > syscalls concurrently, write$rdma_cm and write$rdma_cm.
> 
> Well, calling rdma_destroy_id() twice/concurrently is invalid.. The
> confusing part of this is how does it happen from ucma.c ..
> 
> Double calls via write look OK to me, the ID is removed from the IDR
> at the top so it cannot be invoked twice.. So not sure what
> "write$rdma_cm and write$rdma_cm." is supposed to me?

It meant two write syscalls. One for ucma_listen, one for ucma_resolve_ip.
> 
> Is your test showing that write() vs close() is the problem? The oops
> suggests that.. And the logic around ctx->closing looks tortured
> enough that it is probably wrong...

My previous dianosis seems wrong... I'm sorry to make you confusing.
I'm looking into the code and trying to find out the cause of the crash.

> 
> Jason

We have found the one more crash. null-ptr-deref in cma_bind_listen caused
by two ucma_listen calls.
I think I have the clear idea why null-ptr-deref occured. I will send the
report for the null-ptr-deref. Please look at it.

We suspect that this crash and null-ptr-deref have the same root cause,
incomplete state check.
Hopefully, the second report is helpful to find out the root cause of this
bug.

DaeRyong Jeong

Re: KASAN: use-after-free Read in cma_cancel_operation

2018-05-13 Thread Jason Gunthorpe

On Fri, May 11, 2018 at 02:25:22PM +0900, DaeRyong Jeong wrote:
> We report the crash: KASAN: use-after-free Read in cma_cancel_operation
> 
> Note that this bug is previously reported by syzkaller.
> https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> Nonetheless, this bug has not fixed yet, and we hope that this report and our
> analysis, which gets help by the RaceFuzzer's feature, will helpful to fix the
> crash.
> 
> This crash has been found in v4.17-rc1 using RaceFuzzer (a modified
> version of Syzkaller), which we describe more at the end of this
> report. Our analysis shows that the race occurs when invoking two
> syscalls concurrently, write$rdma_cm and write$rdma_cm.

Well, calling rdma_destroy_id() twice/concurrently is invalid.. The
confusing part of this is how does it happen from ucma.c ..

Double calls via write look OK to me, the ID is removed from the IDR
at the top so it cannot be invoked twice.. So not sure what
"write$rdma_cm and write$rdma_cm." is supposed to me?

Is your test showing that write() vs close() is the problem? The oops
suggests that.. And the logic around ctx->closing looks tortured
enough that it is probably wrong...

Jason

Re: KASAN: use-after-free Read in cma_cancel_operation

2018-05-13 Thread Jason Gunthorpe

On Fri, May 11, 2018 at 02:25:22PM +0900, DaeRyong Jeong wrote:
> We report the crash: KASAN: use-after-free Read in cma_cancel_operation
> 
> Note that this bug is previously reported by syzkaller.
> https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
> Nonetheless, this bug has not fixed yet, and we hope that this report and our
> analysis, which gets help by the RaceFuzzer's feature, will helpful to fix the
> crash.
> 
> This crash has been found in v4.17-rc1 using RaceFuzzer (a modified
> version of Syzkaller), which we describe more at the end of this
> report. Our analysis shows that the race occurs when invoking two
> syscalls concurrently, write$rdma_cm and write$rdma_cm.

Well, calling rdma_destroy_id() twice/concurrently is invalid.. The
confusing part of this is how does it happen from ucma.c ..

Double calls via write look OK to me, the ID is removed from the IDR
at the top so it cannot be invoked twice.. So not sure what
"write$rdma_cm and write$rdma_cm." is supposed to me?

Is your test showing that write() vs close() is the problem? The oops
suggests that.. And the logic around ctx->closing looks tortured
enough that it is probably wrong...

Jason

KASAN: use-after-free Read in cma_cancel_operation

2018-05-10 Thread DaeRyong Jeong

We report the crash: KASAN: use-after-free Read in cma_cancel_operation

Note that this bug is previously reported by syzkaller.
https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
Nonetheless, this bug has not fixed yet, and we hope that this report and our
analysis, which gets help by the RaceFuzzer's feature, will helpful to fix the
crash.

This crash has been found in v4.17-rc1 using RaceFuzzer (a modified
version of Syzkaller), which we describe more at the end of this
report. Our analysis shows that the race occurs when invoking two
syscalls concurrently, write$rdma_cm and write$rdma_cm.


Analysis:
We think the concurrent execution of rdma_destroy_id() causes the crash.
The first execution of rdma_destroy_id() calls kfree(id_priv), and the
second execution of rdma_destry_id() dereferences the id_priv in
cma_cancel_listens(). Therefore use-after-free read occurs.
We observed that rdma_destroy_id() is called during the write$rdma_cm
syscall. After returing from vfs_write(), fput() is called and
ucma_close() is called as a pending work before returing to the user
space.


Thread interleaving:
CPU0 (rdma_destory_id)  CPU1 (rdma_destroy_id)
=   =
kfree(id_priv->id.route.path_rec);
put_net(id_priv->id.route.addr.dev_addr.net);
kfree(id_priv);
id_priv = 
container_of(id, struct rdma_id_private, id);
state = 
cma_exch(id_priv, RDMA_CM_DESTROYING);

cma_cancel_operation(id_priv, state);

(in cma_cancel_listens)

list_del(_priv->list);

Call Sequence:
Both CPU0 and CPU1
=
ucma_close
rdma_destroy_id


==
BUG: KASAN: use-after-free in __list_del_entry_valid+0x5c/0xc0 
lib/list_debug.c:54
Read of size 8 at addr 8801e86deca0 by task syz-executor0/3524

CPU: 1 PID: 3524 Comm: syz-executor0 Not tainted 4.17.0-rc1 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x166/0x21c lib/dump_stack.c:113
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23f/0x360 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 __asan_load8+0x54/0x90 mm/kasan/kasan.c:699
 __list_del_entry_valid+0x5c/0xc0 lib/list_debug.c:54
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 cma_cancel_listens drivers/infiniband/core/cma.c:1527 [inline]
 cma_cancel_operation+0x2d2/0x750 drivers/infiniband/core/cma.c:1555
 rdma_destroy_id+0xe9/0x760 drivers/infiniband/core/cma.c:1619
 ucma_close+0x9f/0x1c0 drivers/infiniband/core/ucma.c:1743
 __fput+0x22c/0x450 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x152/0x1b0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1387/0x1860 kernel/exit.c:865
 do_group_exit+0xfb/0x220 kernel/exit.c:968
 get_signal+0x5b7/0xf70 kernel/signal.c:2469
 do_signal+0x94/0xde0 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x1eb/0x270 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x473/0x4a0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4563f9
RSP: 002b:7fdd885d9ba8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 0072bfc8 RCX: 004563f9
RDX:  RSI:  RDI: 0072bfc8
RBP: 7fdd885d9bd0 R08:  R09: 0072bfa0
R10:  R11: 0246 R12: 0001
R13: 7fdd885d9c50 R14:  R15: 7fdd885da700

Allocated by task 3521:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xae/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x136/0x740 mm/slab.c:3620
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 __rdma_create_id+0xc5/0x450 drivers/infiniband/core/cma.c:751
 ucma_create_id+0x219/0x510 drivers/infiniband/core/ucma.c:485
 ucma_write+0x1d6/0x260 drivers/infiniband/core/ucma.c:1664
 __vfs_write+0xdd/0x480 fs/read_write.c:485
 vfs_write+0x12d/0x2d0 fs/read_write.c:549
 ksys_write+0xca/0x190 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x43/0x50 fs/read_write.c:607
 do_syscall_64+0x15f/0x4a0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwf

KASAN: use-after-free Read in cma_cancel_operation

2018-05-10 Thread DaeRyong Jeong

We report the crash: KASAN: use-after-free Read in cma_cancel_operation

Note that this bug is previously reported by syzkaller.
https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b
Nonetheless, this bug has not fixed yet, and we hope that this report and our
analysis, which gets help by the RaceFuzzer's feature, will helpful to fix the
crash.

This crash has been found in v4.17-rc1 using RaceFuzzer (a modified
version of Syzkaller), which we describe more at the end of this
report. Our analysis shows that the race occurs when invoking two
syscalls concurrently, write$rdma_cm and write$rdma_cm.


Analysis:
We think the concurrent execution of rdma_destroy_id() causes the crash.
The first execution of rdma_destroy_id() calls kfree(id_priv), and the
second execution of rdma_destry_id() dereferences the id_priv in
cma_cancel_listens(). Therefore use-after-free read occurs.
We observed that rdma_destroy_id() is called during the write$rdma_cm
syscall. After returing from vfs_write(), fput() is called and
ucma_close() is called as a pending work before returing to the user
space.


Thread interleaving:
CPU0 (rdma_destory_id)  CPU1 (rdma_destroy_id)
=   =
kfree(id_priv->id.route.path_rec);
put_net(id_priv->id.route.addr.dev_addr.net);
kfree(id_priv);
id_priv = 
container_of(id, struct rdma_id_private, id);
state = 
cma_exch(id_priv, RDMA_CM_DESTROYING);

cma_cancel_operation(id_priv, state);

(in cma_cancel_listens)

list_del(_priv->list);

Call Sequence:
Both CPU0 and CPU1
=
ucma_close
rdma_destroy_id


==
BUG: KASAN: use-after-free in __list_del_entry_valid+0x5c/0xc0 
lib/list_debug.c:54
Read of size 8 at addr 8801e86deca0 by task syz-executor0/3524

CPU: 1 PID: 3524 Comm: syz-executor0 Not tainted 4.17.0-rc1 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x166/0x21c lib/dump_stack.c:113
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23f/0x360 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 __asan_load8+0x54/0x90 mm/kasan/kasan.c:699
 __list_del_entry_valid+0x5c/0xc0 lib/list_debug.c:54
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 cma_cancel_listens drivers/infiniband/core/cma.c:1527 [inline]
 cma_cancel_operation+0x2d2/0x750 drivers/infiniband/core/cma.c:1555
 rdma_destroy_id+0xe9/0x760 drivers/infiniband/core/cma.c:1619
 ucma_close+0x9f/0x1c0 drivers/infiniband/core/ucma.c:1743
 __fput+0x22c/0x450 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x152/0x1b0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1387/0x1860 kernel/exit.c:865
 do_group_exit+0xfb/0x220 kernel/exit.c:968
 get_signal+0x5b7/0xf70 kernel/signal.c:2469
 do_signal+0x94/0xde0 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x1eb/0x270 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x473/0x4a0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4563f9
RSP: 002b:7fdd885d9ba8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 0072bfc8 RCX: 004563f9
RDX:  RSI:  RDI: 0072bfc8
RBP: 7fdd885d9bd0 R08:  R09: 0072bfa0
R10:  R11: 0246 R12: 0001
R13: 7fdd885d9c50 R14:  R15: 7fdd885da700

Allocated by task 3521:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xae/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x136/0x740 mm/slab.c:3620
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 __rdma_create_id+0xc5/0x450 drivers/infiniband/core/cma.c:751
 ucma_create_id+0x219/0x510 drivers/infiniband/core/ucma.c:485
 ucma_write+0x1d6/0x260 drivers/infiniband/core/ucma.c:1664
 __vfs_write+0xdd/0x480 fs/read_write.c:485
 vfs_write+0x12d/0x2d0 fs/read_write.c:549
 ksys_write+0xca/0x190 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x43/0x50 fs/read_write.c:607
 do_syscall_64+0x15f/0x4a0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwf

KASAN: use-after-free Read in cma_cancel_operation

2018-04-02 Thread syzbot


Hello,

syzbot hit the following crash on upstream commit
86bbbebac1933e6e95e8234c4f7d220c5ddd38bc (Mon Apr 2 18:47:07 2018 +)
Merge branch 'ras-core-for-linus' of  
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=6956235342b7317ec564


So far this crash happened 4 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6621340819783680
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=6075521074987008
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6447569127342080
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=6801295859785128502

compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6956235342b7317ec...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

==
BUG: KASAN: use-after-free in __list_del_entry_valid+0x144/0x150  
lib/list_debug.c:54

Read of size 8 at addr 8801d8dc7d20 by task syzkaller468166/4496

CPU: 0 PID: 4496 Comm: syzkaller468166 Not tainted 4.16.0+ #376
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1a7/0x27d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __list_del_entry_valid+0x144/0x150 lib/list_debug.c:54
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 cma_cancel_listens drivers/infiniband/core/cma.c:1569 [inline]
 cma_cancel_operation+0x455/0xd60 drivers/infiniband/core/cma.c:1597
 rdma_destroy_id+0xff/0xda0 drivers/infiniband/core/cma.c:1661
 ucma_close+0x100/0x2f0 drivers/infiniband/core/ucma.c:1735
 __fput+0x327/0x7f0 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1ab/0x280 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1986/0x2700 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x74c/0x16e0 kernel/signal.c:2469
 do_signal+0x90/0x1e90 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ec/0x940 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446b09
RSP: 002b:7f2b89150da8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 006e29fc RCX: 00446b09
RDX:  RSI:  RDI: 006e29fc
RBP: 006e29f8 R08:  R09: 
R10:  R11: 0246 R12: 006d635f616d6472
R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 0005

Allocated by task 4493:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 kmem_cache_alloc_trace+0x136/0x740 mm/slab.c:3608
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 rdma_create_id+0xd0/0x640 drivers/infiniband/core/cma.c:787
 ucma_create_id+0x35f/0x920 drivers/infiniband/core/ucma.c:480
 ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1656
 __vfs_write+0xef/0x970 fs/read_write.c:480
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:581
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 4496:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3486 [inline]
 kfree+0xd9/0x260 mm/slab.c:3801
 rdma_destroy_id+0x821/0xda0 drivers/infiniband/core/cma.c:1691
 ucma_close+0x100/0x2f0 drivers/infiniband/core/ucma.c:1735
 __fput+0x327/0x7f0 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1ab/0x280 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1986/0x2700 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x74c/0x16e0 kernel/signal.c:2469
 do_signal+0x90/0x1e90 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ec/0x940 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy

KASAN: use-after-free Read in cma_cancel_operation

2018-04-02 Thread syzbot


Hello,

syzbot hit the following crash on upstream commit
86bbbebac1933e6e95e8234c4f7d220c5ddd38bc (Mon Apr 2 18:47:07 2018 +)
Merge branch 'ras-core-for-linus' of  
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=6956235342b7317ec564


So far this crash happened 4 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6621340819783680
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=6075521074987008
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6447569127342080
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=6801295859785128502

compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6956235342b7317ec...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

==
BUG: KASAN: use-after-free in __list_del_entry_valid+0x144/0x150  
lib/list_debug.c:54

Read of size 8 at addr 8801d8dc7d20 by task syzkaller468166/4496

CPU: 0 PID: 4496 Comm: syzkaller468166 Not tainted 4.16.0+ #376
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1a7/0x27d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __list_del_entry_valid+0x144/0x150 lib/list_debug.c:54
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 cma_cancel_listens drivers/infiniband/core/cma.c:1569 [inline]
 cma_cancel_operation+0x455/0xd60 drivers/infiniband/core/cma.c:1597
 rdma_destroy_id+0xff/0xda0 drivers/infiniband/core/cma.c:1661
 ucma_close+0x100/0x2f0 drivers/infiniband/core/ucma.c:1735
 __fput+0x327/0x7f0 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1ab/0x280 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1986/0x2700 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x74c/0x16e0 kernel/signal.c:2469
 do_signal+0x90/0x1e90 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ec/0x940 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446b09
RSP: 002b:7f2b89150da8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 006e29fc RCX: 00446b09
RDX:  RSI:  RDI: 006e29fc
RBP: 006e29f8 R08:  R09: 
R10:  R11: 0246 R12: 006d635f616d6472
R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 0005

Allocated by task 4493:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 kmem_cache_alloc_trace+0x136/0x740 mm/slab.c:3608
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 rdma_create_id+0xd0/0x640 drivers/infiniband/core/cma.c:787
 ucma_create_id+0x35f/0x920 drivers/infiniband/core/ucma.c:480
 ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1656
 __vfs_write+0xef/0x970 fs/read_write.c:480
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:581
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 4496:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3486 [inline]
 kfree+0xd9/0x260 mm/slab.c:3801
 rdma_destroy_id+0x821/0xda0 drivers/infiniband/core/cma.c:1691
 ucma_close+0x100/0x2f0 drivers/infiniband/core/ucma.c:1735
 __fput+0x327/0x7f0 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1ab/0x280 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1986/0x2700 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x74c/0x16e0 kernel/signal.c:2469
 do_signal+0x90/0x1e90 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ec/0x940 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

Re: KASAN: use-after-free Read in cma_cancel_operation, rdma_listen

Re: KASAN: use-after-free Read in cma_cancel_operation

Re: KASAN: use-after-free Read in cma_cancel_operation

Re: KASAN: use-after-free Read in cma_cancel_operation

Re: KASAN: use-after-free Read in cma_cancel_operation

Re: KASAN: use-after-free Read in cma_cancel_operation

KASAN: use-after-free Read in cma_cancel_operation

KASAN: use-after-free Read in cma_cancel_operation

KASAN: use-after-free Read in cma_cancel_operation

KASAN: use-after-free Read in cma_cancel_operation

15 matches

Site Navigation

Mail list logo

Footer information