linux/include/rdma
Jason Gunthorpe c85f4abe66 RDMA/core: Fix double destruction of uobject
Fix use after free when user user space request uobject concurrently for
the same object, within the RCU grace period.

In that case, remove_handle_idr_uobject() is called twice and we will have
an extra put on the uobject which cause use after free.  Fix it by leaving
the uobject write locked after it was removed from the idr.

Call to rdma_lookup_put_uobject with UVERBS_LOOKUP_DESTROY instead of
UVERBS_LOOKUP_WRITE will do the work.

  refcount_t: underflow; use-after-free.
  WARNING: CPU: 0 PID: 1381 at lib/refcount.c:28 refcount_warn_saturate+0xfe/0x1a0
  Kernel panic - not syncing: panic_on_warn set ...
  CPU: 0 PID: 1381 Comm: syz-executor.0 Not tainted 5.5.0-rc3 #8
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
  Call Trace:
   dump_stack+0x94/0xce
   panic+0x234/0x56f
   __warn+0x1cc/0x1e1
   report_bug+0x200/0x310
   fixup_bug.part.11+0x32/0x80
   do_error_trap+0xd3/0x100
   do_invalid_op+0x31/0x40
   invalid_op+0x1e/0x30
  RIP: 0010:refcount_warn_saturate+0xfe/0x1a0
  Code: 0f 0b eb 9b e8 23 f6 6d ff 80 3d 6c d4 19 03 00 75 8d e8 15 f6 6d ff 48 c7 c7 c0 02 55 bd c6 05 57 d4 19 03 01 e8 a2 58 49 ff <0f> 0b e9 6e ff ff ff e8 f6 f5 6d ff 80 3d 42 d4 19 03 00 0f 85 5c
  RSP: 0018:ffffc90002df7b98 EFLAGS: 00010282
  RAX: 0000000000000000 RBX: ffff88810f6a193c RCX: ffffffffba649009
  RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88811b0283cc
  RBP: 0000000000000003 R08: ffffed10236060e3 R09: ffffed10236060e3
  R10: 0000000000000001 R11: ffffed10236060e2 R12: ffff88810f6a193c
  R13: ffffc90002df7d60 R14: 0000000000000000 R15: ffff888116ae6a08
   uverbs_uobject_put+0xfd/0x140
   __uobj_perform_destroy+0x3d/0x60
   ib_uverbs_close_xrcd+0x148/0x170
   ib_uverbs_write+0xaa5/0xdf0
   __vfs_write+0x7c/0x100
   vfs_write+0x168/0x4a0
   ksys_write+0xc8/0x200
   do_syscall_64+0x9c/0x390
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x465b49
  Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
  RSP: 002b:00007f759d122c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
  RAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 0000000000465b49
  RDX: 000000000000000c RSI: 0000000020000080 RDI: 0000000000000003
  RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f759d1236bc
  R13: 00000000004ca27c R14: 000000000070de40 R15: 00000000ffffffff
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Kernel Offset: 0x39400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

Fixes: 7452a3c745 ("IB/uverbs: Allow RDMA_REMOVE_DESTROY to work concurrently with disassociate")
Link: https://lore.kernel.org/r/20200527135534.482279-1-leon@kernel.org
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2020-05-27 14:22:57 -03:00
..
ib_addr.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
ib_cache.h RDMA/core: Add helper function to retrieve driver gid context from gid attr 2020-02-19 16:54:25 -04:00
ib_cm.h RDMA/cm: Delete not implemented CM peer to peer communication 2020-03-13 10:46:53 -03:00
ib_fmr_pool.h RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
ib_hdrs.h IB/hfi1: Build TID RDMA WRITE request 2019-02-05 18:07:43 -05:00
ib_mad.h RDMA/mad: Delete never implemented functions 2019-11-06 15:14:23 -04:00
ib_marshall.h IB/core: Convert ah_attr from OPA to IB when copying to user 2017-08-08 14:47:18 -04:00
ib_pack.h IB/core: Fix calculation of maximum RoCE MTU 2017-10-18 12:11:36 -04:00
ib_pma.h IB/core: Display extended counter set if available 2015-12-23 15:58:30 -05:00
ib_sa.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
ib_smi.h RDMA: Use __packed annotation instead of __attribute__ ((packed)) 2019-03-25 21:14:12 -03:00
ib_umem_odp.h IB: Allow calls to ib_umem_get from kernel ULPs 2020-01-16 16:14:28 +02:00
ib_umem.h IB: Allow calls to ib_umem_get from kernel ULPs 2020-01-16 16:14:28 +02:00
ib_verbs.h RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
ib.h RDMA: Make most headers compile stand alone 2019-07-25 13:58:47 -03:00
iba.h RDMA/cm: Add SET/GET implementations to hide IBA wire format 2020-01-25 15:05:59 -04:00
ibta_vol1_c12.h RDMA/cm: Remove CM message structs 2020-01-25 15:11:37 -04:00
iw_cm.h RDMA: Get rid of iw_cm_verbs 2019-05-03 10:56:56 -03:00
iw_portmap.h RDMA: Make most headers compile stand alone 2019-07-25 13:58:47 -03:00
mr_pool.h Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
opa_addr.h include/rdma/opa_addr.h: Fix an endianness issue 2018-07-03 14:11:34 -06:00
opa_port_info.h RDMA: Make most headers compile stand alone 2019-07-25 13:58:47 -03:00
opa_smi.h RDMA: Use __packed annotation instead of __attribute__ ((packed)) 2019-03-25 21:14:12 -03:00
opa_vnic.h RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
rdma_cm_ib.h RDMA/{cma, ucma}: Simplify and rename rdma_set_ib_paths 2018-01-10 22:00:33 -07:00
rdma_cm.h IB/cma: Define option to set ack timeout and pack tos_set 2019-02-08 16:14:21 -07:00
rdma_counter.h RDMA/core: Make rdma_counter.h compile stand alone 2019-07-09 09:44:47 -03:00
rdma_netlink.h RDMA/core: Support netlink commands in non init_net net namespaces 2019-07-25 14:12:41 -03:00
rdma_vt.h IB/{rdmavt, hfi1, qib}: Add a counter for credit waits 2019-09-13 16:59:55 -03:00
rdmavt_cq.h RDMA: Make most headers compile stand alone 2019-07-25 13:58:47 -03:00
rdmavt_mr.h RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
rdmavt_qp.h RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
restrack.h RDMA/nldev: Provide MR statistics 2019-10-22 15:33:31 -03:00
rw.h Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
signature.h RDMA: Make most headers compile stand alone 2019-07-25 13:58:47 -03:00
tid_rdma_defs.h IB/hfi1: Build TID RDMA WRITE request 2019-02-05 18:07:43 -05:00
uverbs_ioctl.h IB/mlx5: Expose UAR object and its alloc/destroy commands 2020-03-27 12:59:04 -03:00
uverbs_named_ioctl.h RDMA/core: Make the entire API tree static 2020-01-30 16:28:52 -04:00
uverbs_std_types.h RDMA/core: Fix double destruction of uobject 2020-05-27 14:22:57 -03:00
uverbs_types.h RDMA/core: Remove the ufile arg from rdma_alloc_begin_uobject 2020-01-13 16:20:16 -04:00