On Tue, Jul 9, 2024 at 8:37 AM Taehee Yoo <ap420073@xxxxxxxxx> wrote:
> ...
> And I found another bug.
>
> [ 236.625141] BUG: KASAN: slab-use-after-free in
> net_devmem_unbind_dmabuf+0x364/0x440
...
> Reproducer:
> ./ncdevmem -f <interface name> -l -p 5201 -v 7 -t 0 -q 2 &
> sleep 10
> modprobe -rv bnxt_en
> killall ncdevmem
>
> I think it's a devmemTCP core bug so this issue would be reproduced
> with other drivers.
>

Thanks again for testing, Taehee.

I haven't looked into reproducing yet, but the issue seems obvious from the repro and the trace. What happens is that when we bind an rxq we add it to bound_rxq_list, and then when we unbind we access the rxq in the list, without checking if it's still alive. With your sequence, the rxq is freed before the unbind happens, I think, so we hit a use-after-free.

The fix, I think, should be simple: we need to remember to remove the rxq from bound_rxq_list as it is deallocated so there is no access after free.

Btw, I have all the rest of the feedback addressed (including netlink introspection) and I was in the process of rebasing and build-testing a new version, to try to get in before net-next closes if at all possible. I don't think I'll be able to fix this particular issue in time, but I should be able to submit a fix targeting the net tree during the merge window, if that's OK.

If folks feel this issue is blocking, please let me know so I don't send another version before net-next reopens.

--
Thanks,
Mina
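The lifetime problem described in the reply above (a binding keeps a list of queues, a queue is torn down by driver unload while still on that list, and the later unbind walks the list into freed memory) is a general pattern, not specific to devmem TCP. The following is an added, constructed C illustration of the fix the reply proposes: the queue unlinks itself from the binding's list when it is freed, so unbind only ever sees live queues. It is not kernel code and not from the patch series; the struct names `binding` and `rxq`, the functions `rxq_bind`, `rxq_free`, `binding_unbind` and the scenario are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model (not kernel code): a binding owns a list of the rx
 * queues bound to it; each rx queue can be torn down independently
 * (e.g. by module unload) while it is still on that list. */
struct rxq;

struct binding {
    struct rxq *head;     /* singly linked list of currently bound queues */
    int unbound_count;    /* queues actually released by binding_unbind() */
};

struct rxq {
    int index;
    struct binding *binding;  /* non-NULL while this queue is bound */
    struct rxq *next;         /* link in binding->head */
};

/* Bind: push the queue onto the binding's list. */
static int rxq_bind(struct binding *b, struct rxq *q)
{
    if (q->binding)
        return -1;            /* already bound */
    q->binding = b;
    q->next = b->head;
    b->head = q;
    return 0;
}

/* Unlink q from its binding's list. Called before q is freed, so the
 * binding never holds a dangling pointer. */
static void rxq_unlink(struct rxq *q)
{
    struct binding *b = q->binding;
    struct rxq **pp;

    if (!b)
        return;
    for (pp = &b->head; *pp; pp = &(*pp)->next) {
        if (*pp == q) {
            *pp = q->next;
            break;
        }
    }
    q->binding = NULL;
    q->next = NULL;
}

/* Queue teardown. The fix is the rxq_unlink() call: without it, a queue
 * freed here would still be reachable from binding->head. */
static void rxq_free(struct rxq *q)
{
    rxq_unlink(q);
    free(q);
}

/* Unbind walks the list and releases every queue that is still alive. */
static void binding_unbind(struct binding *b)
{
    struct rxq *q = b->head;

    while (q) {
        struct rxq *next = q->next;

        q->binding = NULL;
        q->next = NULL;
        b->unbound_count++;
        q = next;
    }
    b->head = NULL;
}

/* Number of queues currently on the binding's list. */
static int binding_count(const struct binding *b)
{
    int n = 0;
    const struct rxq *q;

    for (q = b->head; q; q = q->next)
        n++;
    return n;
}

/* Constructed scenario mirroring the report's order of events: bind two
 * queues, the driver tears one down (module unload), then the binding is
 * unbound. Returns how many queues unbind released; only the live one. */
int scenario_driver_unload_before_unbind(void)
{
    struct binding b = { NULL, 0 };
    struct rxq *q0 = calloc(1, sizeof(*q0));
    struct rxq *q1 = calloc(1, sizeof(*q1));
    int released;

    q0->index = 0;
    q1->index = 1;
    rxq_bind(&b, q0);
    rxq_bind(&b, q1);

    rxq_free(q1);             /* queue 1 torn down while still bound */
    if (binding_count(&b) != 1)
        return -1;            /* q1 must already be off the list */

    binding_unbind(&b);       /* walks only q0; q1's memory is never touched */
    released = b.unbound_count;
    free(q0);
    return released;
}
```

The check a reviewer would look for in the real fix is the same as in `rxq_free` here: the teardown path of the queue, not the unbind path, is responsible for removing the queue from the binding's list, because unbind has no safe way to tell a freed list entry from a live one after the fact.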