On Tue, Feb 18, 2020 at 08:27:17PM +0800, Hillf Danton wrote:
> Check if rdma is being reclaimed before listening on device while
> reclaimer is waiting for rdma to become quiescent.

This is the usual syzkaller bug in rdma_cm.

The test causes rdma_resolve_addr() and rdma_listen() to run concurrently. There is no sane locking, so in turn this causes invariants to become violated; in particular, in rdma_listen() we can have !id->device but also !cma_any_addr(cma_src_addr(id_priv)).

This causes cma_listen_on_all() to wrongly be called, and because the invariant is screwed up cma_cancel_listens() doesn't undo it. Thus we fail to list_del id_priv->list from the listen_any_list, and the next manipulation of the list gets a use-after-free on the list member which was now freed.

The fix is the same as all the others: add some kind of locking instead of all this defective cma_comp_exch() thing..

Jason