On Thu, Aug 23, 2018 at 04:39:29PM +0000, Parav Pandit wrote: > > > > From: Jason Gunthorpe <j...@ziepe.ca> > > Sent: Thursday, August 23, 2018 9:55 AM > > To: Eric Biggers <ebigg...@kernel.org> > > Cc: Doug Ledford <dledf...@redhat.com>; linux-r...@vger.kernel.org; > > dasaratharaman.chandramo...@intel.com; Leon Romanovsky > > <leo...@mellanox.com>; linux-kernel@vger.kernel.org; Mark Bloch > > <ma...@mellanox.com>; Moni Shoua <mo...@mellanox.com>; Parav Pandit > > <pa...@mellanox.com>; syzkaller-b...@googlegroups.com; syzbot > > <syzbot+29ee8f76017ce6cf0...@syzkaller.appspotmail.com> > > Subject: Re: [RDMA bug] KASAN: use-after-free Read in __list_del_entry_valid > > (4) > > > > On Wed, Aug 22, 2018 at 11:16:31PM -0700, Eric Biggers wrote: > > > Hello RDMA / InfiniBand maintainers, > > > > > > This is an RDMA bug and it still occurs on Linus' tree as of today > > > (commit 815f0ddb346c1960). > > > > > > I've also simplified the reproducer for it; see below after the original > > > report. > > > Apparently it involves a race between RDMA_USER_CM_CMD_RESOLVE_IP > > and > > > RDMA_USER_CM_CMD_LISTEN. > > > > That is an amazing reproducer! > > > > I have a feeling this is the same cause as all the other syzkaller bugs in > > this code: > > lack of any sane locking at all :\ > > > > We've talked about chucking a big lock around this whole thing, but nobody > > has > > done it yet.. It isn't so simple. > > > > I had some code in which reduces three locks (handler_lock, > qp_mutex, id_lock) to single mutex to protect the cm_id and protects > every exported symbol of rdmacm which works on cm_id. But not ready > enough to post it as patch yet. Lot of tests required before I get > there and some refactor too before that.
That does sound promising.. Jason
