Re: [syzbot] [rdma?] KASAN: slab-use-after-free Read in siw_query_port

On 2023/05/19 5:21, Fedor Pchelkin wrote:
> On our local Syzkaller instance the bug started to be caught after
> 266e9b3475ba ("RDMA/siw: Remove namespace check from siw_netdev_event()")
> so CC'ing Tetsuo Handa if maybe he would be also interested in the bug.

UAF could not be observed until that commit because hung task was observed
until that commit because syzkaller is testing non init_net namespace.

> This fix seems to be good and perhaps it just made a bigger opportunity
> for the UAF bug to happen. Actually, the C repro was taken from there [2].
> 
> With your suggested solution the UAF is not reproduced. I don't know the
> exact reasons why dev_put() was placed before calling query_port() but the
> context implies that netdev can be freed in that period. And some of
> ->query_port() realizations may touch netdev. So it seems reasonable to
> move ref count put after performing query_port().

Since ib_device_get_netdev() calls dev_hold() on success, I think that
we need to call dev_put() after query_port(). Please send as a formal patch.
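
The reference-ordering argument in this message, as a userspace model added here (not kernel code and not part of the thread). All `model_*` names and the single-threaded stand-in for the concurrent unregister are assumptions, and a `freed` flag replaces the actual free so the stale read is detected instead of executed.

```c
#include <stdbool.h>
/* Userspace model only: model_* names are assumptions, not kernel APIs. */
struct model_netdev {
    int refcnt;      /* outstanding references */
    bool freed;      /* set instead of free() so a stale access is detectable */
    int link_state;  /* a field a ->query_port() implementation might read */
};

static void model_dev_hold(struct model_netdev *nd) { nd->refcnt++; }
static void model_dev_put(struct model_netdev *nd)
{
    if (--nd->refcnt == 0)
        nd->freed = true;  /* the real object would be released here */
}

/* Stand-in for ->query_port(); -1 marks the read KASAN would flag. */
static int model_query_port(const struct model_netdev *nd, int *state)
{
    if (nd->freed)
        return -1;
    *state = nd->link_state;
    return 0;
}

/* Ordering discussed in the thread: reference dropped before the query. */
int query_put_first(struct model_netdev *nd, int *state)
{
    model_dev_hold(nd);  /* ib_device_get_netdev() takes a reference on success */
    model_dev_put(nd);   /* dropped too early */
    model_dev_put(nd);   /* constructed race: owner's reference goes in the window */
    return model_query_port(nd, state);
}

/* Suggested ordering: keep the reference across the query. */
int query_put_last(struct model_netdev *nd, int *state)
{
    model_dev_hold(nd);
    model_dev_put(nd);   /* same constructed unregister, object stays alive */
    int ret = model_query_port(nd, state);
    model_dev_put(nd);   /* our reference is released only now */
    return ret;
}

int main(void)
{
    struct model_netdev a = { 1, false, 5 }, b = { 1, false, 5 };
    int s = 0;
    return !(query_put_first(&a, &s) == -1 && query_put_last(&b, &s) == 0);
}
```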



