On Tue, Jul 9, 2024 at 8:37 AM Taehee Yoo ap420073@gmail.com wrote:
> ...
> And I found another bug.
> [ 236.625141] BUG: KASAN: slab-use-after-free in net_devmem_unbind_dmabuf+0x364/0x440
> ...
> Reproducer:
> ./ncdevmem -f <interface name> -l -p 5201 -v 7 -t 0 -q 2 &
> sleep 10
> modprobe -rv bnxt_en
> killall ncdevmem
> I think it's a devmemTCP core bug so this issue would be reproduced with other drivers.
Thanks again for testing, Taehee. I haven't looked into reproducing yet but the issue seems obvious from the repro and the trace. What happens is that when we bind an rxq we add it to bound_rxq_list, and then when we unbind we access the rxq in the list, without checking if it's still alive. With your sequence, the rxq is freed before the unbind happens, I think, so we hit a use-after-free.
The fix, I think, should be simple, we need to remember to remove the rxq from bound_rxq_list as it is deallocated so there is no access after free.
Btw, I have all the rest of the feedback addressed (including netlink introspection) and I was in the process of rebasing and build-testing a new version, to try to get in before net-next closes if at all possible. I don't think I'll be able to fix this particular issue in time, but I should be able to submit a fix targeting the net tree during the merge window, if that's OK. If folks feel this issue is blocking, please let me know so I don't send another version before net-next reopens.
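The lifetime problem the reply describes (bind pushes the rxq onto bound_rxq_list, driver teardown frees the rxq without unlinking it, unbind then walks the list into the dead entry) and the proposed fix (unlink at deallocation time), as an added userspace model. This is not kernel code and not part of the thread: the structures, the function names (bind_rxq, unlink_rxq, driver_free_rxq_*, unbind_dmabuf, replay) and the two-queue scenario are hypothetical, and "freeing" is modelled by clearing an alive flag instead of calling free(), so the stale access stays observable rather than being undefined behaviour.

```c
/* Added illustration of the bound_rxq_list lifetime bug; hypothetical
 * userspace model, not the kernel's devmem code. */
#include <stddef.h>

struct rxq {
    int id;
    int alive;               /* 1 while the driver still owns the queue */
    struct rxq *next_bound;  /* link in binding->bound_rxq_list */
    struct rxq *prev_bound;
};

struct binding {
    struct rxq *bound_rxq_list;  /* queues bound to this dmabuf */
};

/* Bind: push the queue onto the binding's list. */
static void bind_rxq(struct binding *b, struct rxq *q)
{
    q->prev_bound = NULL;
    q->next_bound = b->bound_rxq_list;
    if (b->bound_rxq_list)
        b->bound_rxq_list->prev_bound = q;
    b->bound_rxq_list = q;
}

/* Unlink the queue from the list; harmless on an entry already unlinked. */
static void unlink_rxq(struct binding *b, struct rxq *q)
{
    if (q->prev_bound)
        q->prev_bound->next_bound = q->next_bound;
    else if (b->bound_rxq_list == q)
        b->bound_rxq_list = q->next_bound;
    if (q->next_bound)
        q->next_bound->prev_bound = q->prev_bound;
    q->next_bound = q->prev_bound = NULL;
}

/* Buggy driver teardown: the queue goes away but its list entry stays.
 * alive = 0 stands in for the real free() so the dangling entry can be
 * counted instead of crashing. */
static void driver_free_rxq_buggy(struct rxq *q)
{
    q->alive = 0;
}

/* Fixed teardown, as the reply proposes: drop the entry from
 * bound_rxq_list before the queue is deallocated. */
static void driver_free_rxq_fixed(struct binding *b, struct rxq *q)
{
    unlink_rxq(b, q);
    q->alive = 0;
}

/* Unbind: walk the list and release every queue. Returns how many
 * entries were touched after their queue had already been torn down;
 * anything above 0 is the access KASAN reported as a use-after-free. */
static int unbind_dmabuf(struct binding *b)
{
    int stale = 0;
    struct rxq *q = b->bound_rxq_list;

    while (q) {
        struct rxq *next = q->next_bound;  /* read before unlinking */
        if (!q->alive)
            stale++;
        unlink_rxq(b, q);
        q = next;
    }
    return stale;
}

/* Replay the reported ordering: bind queues, tear the driver down
 * (the modprobe -r step) while the binding is still open, then unbind.
 * Returns the number of dead entries the unbind path walked into. */
static int replay(int fixed)
{
    struct rxq q0 = { .id = 0, .alive = 1 };  /* constructed sample queues */
    struct rxq q1 = { .id = 1, .alive = 1 };
    struct binding b = { .bound_rxq_list = NULL };

    bind_rxq(&b, &q0);
    bind_rxq(&b, &q1);

    if (fixed) {
        driver_free_rxq_fixed(&b, &q0);
        driver_free_rxq_fixed(&b, &q1);
    } else {
        driver_free_rxq_buggy(&q0);
        driver_free_rxq_buggy(&q1);
    }
    return unbind_dmabuf(&b);
}

int main(void)
{
    /* buggy path walks into 2 dead entries; fixed path walks into none */
    return (replay(0) == 2 && replay(1) == 0) ? 0 : 1;
}
```

The point of the model is the ordering: once the driver can tear a queue down independently of the binding's lifetime, the list entry must be removed on the deallocation side, not only on the unbind side, otherwise any unbind that runs later dereferences memory the driver has already released.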