LKML Archive on
help / color / mirror / Atom feed
From: Jason Gunthorpe <>
To: Dmitry Vyukov <>
Cc: syzbot <>,,,,,,
	Aleksandr Nogikh <>
Subject: Re: [syzbot] KASAN: use-after-free Read in addr_handler (4)
Date: Thu, 16 Sep 2021 13:02:24 -0300	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On Thu, Sep 16, 2021 at 04:45:27PM +0200, Dmitry Vyukov wrote:

> It looks like a very hard to trigger race (few crashes, no reproducer,
> but KASAN reports look sensible). That's probably the reason syzkaller
> can't create a reproducer.
> From the log it looks like it was triggered by one of these programs
> below. But I tried to reproduce manually and had no success.
> We are currently doing some improvements to race triggering code in
> syzkaller, and may try to use this as a litmus test to see if
> syzkaller will do any better:

I would suggest to look at this:

Which I think should be completely deterministic, just do the RDMA_CM
ops in the right order, but syzbot didn't find a reproducer.

The "healer" fork did however:

> Answering your question re what was running concurrently with what.
> Each of the syscalls in these programs can run up to 2 times and
> ultimately any of these calls can race with any. Potentially syzkaller
> can predict values kernel will return (e.g. id's) before kernel
> actually returned them. I guess this does not restrict search area for
> the bug a lot...

Well, it does help if it is only those system calls

And I think I can discount the workqueue as a problem as I'd expect a
kasn hit on the 'req' allocation if the workqueue was malfunctioning -
thus I must conclude we are not calling work cancelation for some


  parent reply	other threads:[~2021-09-16 16:02 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-15 12:41 syzbot
2021-09-15 19:36 ` Jason Gunthorpe
2021-09-16  7:43   ` Dmitry Vyukov
2021-09-16 13:04     ` Jason Gunthorpe
2021-09-16 14:45       ` Dmitry Vyukov
2021-09-16 14:47         ` Dmitry Vyukov
2021-09-16 14:55           ` Dmitry Vyukov
2021-09-16 15:08             ` Jason Gunthorpe
2021-09-16 15:17               ` Dmitry Vyukov
2021-09-16 16:02         ` Jason Gunthorpe [this message]
2021-09-16 16:28         ` Jason Gunthorpe
2021-09-20  8:13           ` Dmitry Vyukov
     [not found]           ` <>
2021-10-05 12:23             ` Jason Gunthorpe
     [not found]             ` <>
2021-10-06 11:41               ` Jason Gunthorpe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \
    --subject='Re: [syzbot] KASAN: use-after-free Read in addr_handler (4)' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).