linux/drivers/infiniband/core
Leon Romanovsky 061ccb52d2 RDMA/cma: Set proper port number as index
Conversion from IDR to XArray missed the fact that idr_alloc() returned the
index as its return value; this index was saved in the port variable and
used as the query index later on. This caused the following error.

 BUG: KASAN: use-after-free in cma_check_port+0x86a/0xa20 [rdma_cm]
 Read of size 8 at addr ffff888069fde998 by task ucmatose/387
 CPU: 3 PID: 387 Comm: ucmatose Not tainted 5.1.0-rc2+ #253
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
 Call Trace:
  dump_stack+0x7c/0xc0
  print_address_description+0x6c/0x23c
  ? cma_check_port+0x86a/0xa20 [rdma_cm]
  kasan_report.cold.3+0x1c/0x35
  ? cma_check_port+0x86a/0xa20 [rdma_cm]
  ? cma_check_port+0x86a/0xa20 [rdma_cm]
  cma_check_port+0x86a/0xa20 [rdma_cm]
  rdma_bind_addr+0x11bc/0x1b00 [rdma_cm]
  ? find_held_lock+0x33/0x1c0
  ? cma_ndev_work_handler+0x180/0x180 [rdma_cm]
  ? wait_for_completion+0x3d0/0x3d0
  ucma_bind+0x120/0x160 [rdma_ucm]
  ? ucma_resolve_addr+0x1a0/0x1a0 [rdma_ucm]
  ucma_write+0x1f8/0x2b0 [rdma_ucm]
  ? ucma_open+0x260/0x260 [rdma_ucm]
  vfs_write+0x157/0x460
  ksys_write+0xb8/0x170
  ? __ia32_sys_read+0xb0/0xb0
  ? trace_hardirqs_off_caller+0x5b/0x160
  ? do_syscall_64+0x18/0x3c0
  do_syscall_64+0x95/0x3c0
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

  Allocated by task 381:
   __kasan_kmalloc.constprop.5+0xc1/0xd0
   cma_alloc_port+0x4d/0x160 [rdma_cm]
   rdma_bind_addr+0x14e7/0x1b00 [rdma_cm]
   ucma_bind+0x120/0x160 [rdma_ucm]
   ucma_write+0x1f8/0x2b0 [rdma_ucm]
   vfs_write+0x157/0x460
   ksys_write+0xb8/0x170
   do_syscall_64+0x95/0x3c0
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

  Freed by task 381:
   __kasan_slab_free+0x12e/0x180
   kfree+0xed/0x290
   rdma_destroy_id+0x6b6/0x9e0 [rdma_cm]
   ucma_close+0x110/0x300 [rdma_ucm]
   __fput+0x25a/0x740
   task_work_run+0x10e/0x190
   do_exit+0x85e/0x29e0
   do_group_exit+0xf0/0x2e0
   get_signal+0x2e0/0x17e0
   do_signal+0x94/0x1570
   exit_to_usermode_loop+0xfa/0x130
   do_syscall_64+0x327/0x3c0
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

Reported-by: <syzbot+2e3e485d5697ea610460@syzkaller.appspotmail.com>
Reported-by: Ran Rozenstein <ranro@mellanox.com>
Fixes: 638267537a ("cma: Convert portspace IDRs to XArray")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Tested-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2019-04-03 15:20:32 -03:00
addr.c RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
agent.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
agent.h
cache.c RDMA/device: Add ib_device_set_netdev() as an alternative to get_netdev 2019-02-19 20:52:18 -07:00
cgroup.c IB/core: Simplify rdma cgroup registration 2019-01-18 13:43:10 -07:00
cm_msgs.h RDMA: Use __packed annotation instead of __attribute__ ((packed)) 2019-03-25 21:14:12 -03:00
cm.c RDMA/cm: Convert local_id_table to XArray 2019-03-26 11:44:22 -03:00
cma_configfs.c RDMA/cma: Move cma module specific functions to cma_priv.h 2018-11-22 11:57:33 -07:00
cma_priv.h IB/cma: Define option to set ack timeout and pack tos_set 2019-02-08 16:14:21 -07:00
cma.c RDMA/cma: Set proper port number as index 2019-04-03 15:20:32 -03:00
core_priv.h RDMA/core: Add command to set ib_core device net namspace sharing mode 2019-03-28 14:52:02 -03:00
cq.c IB: Pass only ib_udata in function prototypes 2019-04-01 15:00:47 -03:00
device.c RDMA/core: Add command to set ib_core device net namspace sharing mode 2019-03-28 14:52:02 -03:00
fmr_pool.c RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
iwcm.c RDMA/iwcm: Fix string truncation error 2019-02-19 20:52:19 -07:00
iwcm.h iw_cm: free cm_id resources on the last deref 2016-08-02 13:15:18 -04:00
iwpm_msg.c RDMA/iwpm: move kdoc comments to functions 2019-02-05 15:40:41 -07:00
iwpm_util.c RDMA/iwpm: Remove set but not used variable 'msg_seq' 2019-02-14 14:47:39 -07:00
iwpm_util.h RDMA/IWPM: Support no port mapping requirements 2019-02-04 16:26:02 -07:00
mad_priv.h RDMA: Use __packed annotation instead of __attribute__ ((packed)) 2019-03-25 21:14:12 -03:00
mad_rmpp.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
mad_rmpp.h
mad.c IB/MAD: Add SMP details to MAD tracing 2019-03-27 15:52:01 -03:00
Makefile IB/{core,uverbs}: Move ib_umem_xxx functions from ib_core to ib_uverbs 2019-01-10 17:06:44 -07:00
mr_pool.c
multicast.c IB: Make ib_init_ah_from_mcmember set sgid_attr 2018-06-25 14:19:56 -06:00
netlink.c RDMA/cma: Remove CM_ID statistics provided by rdma-cm module 2019-02-05 15:30:33 -07:00
nldev.c RDMA/core: Add command to set ib_core device net namspace sharing mode 2019-03-28 14:52:02 -03:00
opa_smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
packer.c
rdma_core.c IB: Pass uverbs_attr_bundle down uobject destroy path 2019-04-01 14:55:36 -03:00
rdma_core.h IB: Pass uverbs_attr_bundle down uobject destroy path 2019-04-01 14:55:36 -03:00
restrack.c XArray updates for 5.1-rc1 2019-03-11 20:06:18 -07:00
restrack.h RDMA/restrack: Prepare restrack_root to addition of extra fields per-type 2019-02-19 10:13:38 -07:00
roce_gid_mgmt.c IB/core: Fix oops in netdev_next_upper_dev_rcu() 2018-12-12 12:14:49 -05:00
rw.c IB/core: Remove ib_sg_dma_address() and ib_sg_dma_len() 2019-02-04 14:34:07 -07:00
sa_query.c ib core: Convert query_idr to XArray 2019-03-26 11:47:05 -03:00
sa.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
security.c RDMA/device: Consolidate ib_device per_port data into one place 2019-02-19 10:13:39 -07:00
smi.c
smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
sysfs.c RDMA/core: Support core port attributes in non init_net 2019-03-28 14:52:02 -03:00
ucm.c ucm: Convert ctx_id_table to XArray 2019-03-26 11:50:29 -03:00
ucma.c IB/cma: Define option to set ack timeout and pack tos_set 2019-02-08 16:14:21 -07:00
ud_header.c
umem_odp.c IB/core: Ensure an invalidate_range callback on ODP MR 2019-03-26 16:39:40 -03:00
umem.c IB/core: Ensure an invalidate_range callback on ODP MR 2019-03-26 16:39:40 -03:00
user_mad.c RDMA: Check net namespace access for uverbs, umad, cma and nldev 2019-03-28 14:52:02 -03:00
uverbs_cmd.c IB: Pass only ib_udata in function prototypes 2019-04-01 15:00:47 -03:00
uverbs_ioctl.c IB: Pass uverbs_attr_bundle down uobject destroy path 2019-04-01 14:55:36 -03:00
uverbs_main.c RDMA: Check net namespace access for uverbs, umad, cma and nldev 2019-03-28 14:52:02 -03:00
uverbs_marshall.c IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *' 2018-06-25 14:19:57 -06:00
uverbs_std_types_counters.c IB: Pass uverbs_attr_bundle down uobject destroy path 2019-04-01 14:55:36 -03:00
uverbs_std_types_cq.c IB: Pass only ib_udata in function prototypes 2019-04-01 15:00:47 -03:00
uverbs_std_types_device.c IB/uverbs: Fix ioctl query port to consider device disassociation 2019-01-25 11:58:06 -07:00
uverbs_std_types_dm.c IB: Pass uverbs_attr_bundle down ib_x destroy path 2019-04-01 14:57:35 -03:00
uverbs_std_types_flow_action.c IB: Pass uverbs_attr_bundle down uobject destroy path 2019-04-01 14:55:36 -03:00
uverbs_std_types_mr.c IB: Pass uverbs_attr_bundle down ib_x destroy path 2019-04-01 14:57:35 -03:00
uverbs_std_types.c IB: Remove 'uobject->context' dependency in object destroy APIs 2019-04-01 14:59:35 -03:00
uverbs_uapi.c IB/mlx5: Introduce MLX5_IB_OBJECT_DEVX_ASYNC_CMD_FD 2019-01-29 13:32:43 -07:00
uverbs.h IB: Remove 'uobject->context' dependency in object destroy APIs 2019-04-01 14:59:35 -03:00
verbs.c IB: Pass only ib_udata in function prototypes 2019-04-01 15:00:47 -03:00