From: Jakub Kicinski <kuba@kernel.org>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Eric Dumazet <edumazet@google.com>,
syzbot <syzbot+c2775460db0e1c70018e@syzkaller.appspotmail.com>,
netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com,
davem@davemloft.net, linux-kernel@vger.kernel.org,
pabeni@redhat.com, wireguard@lists.zx2c4.com, jann@thejh.net
Subject: Re: [syzbot] [wireguard?] KASAN: slab-use-after-free Write in enqueue_timer
Date: Tue, 23 May 2023 09:47:36 -0700
Message-ID: <20230523094736.3a9f6f8c@kernel.org>
In-Reply-To: <CAHmME9obRJPrjiJE95JZug0r6NUwrwwWib+=LO4jiQf-y2m+Vg@mail.gmail.com>

On Tue, 23 May 2023 18:42:53 +0200 Jason A. Donenfeld wrote:
> > It should, no idea why it isn't. Looking thru the code now I don't see
> > any obvious gaps where timer object is on a list but not active :S
> > There's no way to get a vmcore from syzbot, right? :)
> >
> > Also I thought the shutdown leads to a warning when someone tries to
> > schedule the dead timer but in fact add_timer() just exits cleanly.
> > So the shutdown won't help us find the culprit :(
>
> Worth noting that it could also be caused by adding to a dead timer
> anywhere in priv_data of another netdev, not just the sole timer_list
> in net_device.

Oh, I thought you zeroed in on the watchdog based on offsets.
Still, object debug should track all timers in the slab and complain
on the free path.