linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-08-26 10:49:33 +00:00

History

Avihai Horon fe454dc31e RDMA/ucma: Fix use-after-free bug in ucma_create_uevent ucma_process_join() allocates struct ucma_multicast mc and frees it if an error occurs during its run. Specifically, if an error occurs in copy_to_user(), a use-after-free might happen in the following scenario: 1. mc struct is allocated. 2. rdma_join_multicast() is called and succeeds. During its run, cma_iboe_join_multicast() enqueues a work that will later use the aforementioned mc struct. 3. copy_to_user() is called and fails. 4. mc struct is deallocated. 5. The work that was enqueued by cma_iboe_join_multicast() is run and calls ucma_create_uevent() which tries to access mc struct (which is freed by now). Fix this bug by cancelling the work enqueued by cma_iboe_join_multicast(). Since cma_work_handler() frees struct cma_work, we don't use it in cma_iboe_join_multicast() so we can safely cancel the work later. The following syzkaller report revealed it: BUG: KASAN: use-after-free in ucma_create_uevent+0x2dd/0x;3f0 drivers/infiniband/core/ucma.c:272 Read of size 8 at addr ffff88810b3ad110 by task kworker/u8:1/108 CPU: 1 PID: 108 Comm: kworker/u8:1 Not tainted 5.10.0-rc6+ #257 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: rdma_cm cma_work_handler Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xbe/0xf9 lib/dump_stack.c:118 print_address_description.constprop.0+0x3e/0×60 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x1f/0×37 mm/kasan/report.c:562 ucma_create_uevent+0x2dd/0×3f0 drivers/infiniband/core/ucma.c:272 ucma_event_handler+0xb7/0×3c0 drivers/infiniband/core/ucma.c:349 cma_cm_event_handler+0x5d/0×1c0 drivers/infiniband/core/cma.c:1977 cma_work_handler+0xfa/0×190 drivers/infiniband/core/cma.c:2718 process_one_work+0x54c/0×930 kernel/workqueue.c:2272 worker_thread+0x82/0×830 kernel/workqueue.c:2418 kthread+0x1ca/0×220 kernel/kthread.c:292 ret_from_fork+0x1f/0×30 arch/x86/entry/entry_64.S:296 Allocated by task 359: kasan_save_stack+0x1b/0×40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc mm/kasan/common.c:461 [inline] __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:434 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:664 [inline] ucma_process_join+0x16e/0×3f0 drivers/infiniband/core/ucma.c:1453 ucma_join_multicast+0xda/0×140 drivers/infiniband/core/ucma.c:1538 ucma_write+0x1f7/0×280 drivers/infiniband/core/ucma.c:1724 vfs_write fs/read_write.c:603 [inline] vfs_write+0x191/0×4c0 fs/read_write.c:585 ksys_write+0x1a1/0×1e0 fs/read_write.c:658 do_syscall_64+0x2d/0×40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 359: kasan_save_stack+0x1b/0×40 mm/kasan/common.c:48 kasan_set_track+0x1c/0×30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0×30 mm/kasan/generic.c:355 __kasan_slab_free+0x112/0×160 mm/kasan/common.c:422 slab_free_hook mm/slub.c:1544 [inline] slab_free_freelist_hook mm/slub.c:1577 [inline] slab_free mm/slub.c:3142 [inline] kfree+0xb3/0×3e0 mm/slub.c:4124 ucma_process_join+0x22d/0×3f0 drivers/infiniband/core/ucma.c:1497 ucma_join_multicast+0xda/0×140 drivers/infiniband/core/ucma.c:1538 ucma_write+0x1f7/0×280 drivers/infiniband/core/ucma.c:1724 vfs_write fs/read_write.c:603 [inline] vfs_write+0x191/0×4c0 fs/read_write.c:585 ksys_write+0x1a1/0×1e0 fs/read_write.c:658 do_syscall_64+0x2d/0×40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff88810b3ad100 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 16 bytes inside of 192-byte region [ffff88810b3ad100, ffff88810b3ad1c0) Fixes: `b5de0c60cc` ("RDMA/cma: Fix use after free race in roce multicast join") Link: https://lore.kernel.org/r/20210211090517.1278415-1-leon@kernel.org Reported-by: Amit Matityahu <mitm@nvidia.com> Signed-off-by: Avihai Horon <avihaih@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>		2021-02-16 14:42:59 -04:00
..
addr.c	RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel()	2020-09-30 15:29:05 -03:00
agent.c
agent.h
cache.c	RDMA/core/cache: Fix some misspellings, missing and superfluous param descriptions	2021-01-19 20:33:40 -04:00
cgroup.c
cm.c	IB/cm: Avoid a loop when device has 255 ports	2021-02-02 15:10:31 -04:00
cm_msgs.h	RDMA/cm: Remove CM message structs	2020-01-25 15:11:37 -04:00
cm_trace.c	RDMA/cm: Replace pr_debug() call sites with tracepoints	2020-08-24 19:41:41 -03:00
cm_trace.h	RDMA/cm: Add tracepoints to track MAD send operations	2020-08-24 19:41:41 -03:00
cma.c	RDMA/ucma: Fix use-after-free bug in ucma_create_uevent	2021-02-16 14:42:59 -04:00
cma_configfs.c	Merge branch 'devx_set_get' into rdma.git for-next	2021-01-19 10:55:19 -04:00
cma_priv.h	RDMA/ucma: Extend ucma_connect to receive ECE parameters	2020-05-27 16:05:05 -03:00
cma_trace.c	RDMA/cma: Add trace points in RDMA Connection Manager	2020-01-07 16:10:53 -04:00
cma_trace.h	RDMA/core: Move the rdma_show_ib_cm_event() macro	2020-08-24 16:01:47 -03:00
core_priv.h	RDMA/core: Clean up cq pool mechanism	2020-12-10 15:05:17 -04:00
counters.c	RDMA/core/counters: Demote non-conformant kernel-doc headers	2021-01-19 20:33:44 -04:00
cq.c	RDMA/core: Clean up cq pool mechanism	2020-12-10 15:05:17 -04:00
device.c	RDMA/core: Fix kernel doc warnings for ib_port_immutable_read()	2021-02-16 14:42:58 -04:00
ib_core_uverbs.c	RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence	2020-01-25 14:48:33 -04:00
iwcm.c	RDMA/iwcm: Fix iwcm work deallocation	2020-03-04 14:28:25 -04:00
iwcm.h
iwpm_msg.c	RDMA/core/iwpm_msg: Add proper descriptions for 'skb' param	2021-01-19 20:33:44 -04:00
iwpm_util.c	RDMA/core/iwpm_util: Fix some param description misspellings	2021-01-19 20:33:44 -04:00
iwpm_util.h	IB: Fix kernel-doc markups	2020-12-07 15:45:00 -04:00
lag.c	RDMA/core: Consider flow label when building skb	2020-05-06 16:51:43 -03:00
mad.c	RDMA 5.9 merge window pull request	2020-08-06 16:43:36 -07:00
mad_priv.h	IB/mad: Change atomics to refcount API	2020-06-24 16:43:45 -03:00
mad_rmpp.c	IB/mad: Delete RMPP_STATE_CANCELING state	2020-06-24 16:43:45 -03:00
mad_rmpp.h
Makefile	RDMA/umem: Support importing dma-buf as user memory region	2021-01-20 16:07:52 -04:00
mr_pool.c	Linux 5.2-rc6	2019-06-28 21:18:23 -03:00
multicast.c	RDMA/core/multicast: Provide description for 'ib_init_ah_from_mcmember()'s 'rec' param	2021-01-19 20:33:42 -04:00
netlink.c	IB/core: Avoid deadlock during netlink message handling	2019-10-24 20:49:37 -03:00
nldev.c	RDMA/nldev: Return an error message on failure to turn auto mode	2021-01-18 16:02:14 -04:00
opa_smi.h
packer.c
rdma_core.c	RDMA/uverbs: Allow drivers to create a new HW object during rereg_mr	2020-12-07 14:06:23 -04:00
rdma_core.h	IB/uverbs: Introduce create/destroy QP commands over ioctl	2020-05-21 20:39:36 -03:00
restrack.c	RDMA/core/restrack: Fix kernel-doc formatting issue	2021-01-19 20:33:43 -04:00
restrack.h	RDMA/restrack: Improve readability in task name management	2020-09-22 19:47:35 -03:00
roce_gid_mgmt.c	RDMA/core/roce_gid_mgmt: Fix misnaming of 'rdma_roce_rescan_device()'s param 'ib_dev'	2021-01-19 20:33:41 -04:00
rw.c	RDMA: Use kzalloc for allocating only one thing	2021-01-07 16:47:53 -04:00
sa.h
sa_query.c	RDMA/ipoib: Remove racy Subnet Manager sendonly join checks	2021-02-16 14:42:58 -04:00
security.c	RDMA/core: Ensure security pkey modify is not lost	2020-03-24 19:53:25 -03:00
smi.c
smi.h
sysfs.c	IB/core: Add support for NDR link speed	2020-11-02 15:48:56 -04:00
trace.c	RDMA/core: Clean up tracepoint headers	2020-07-06 14:54:46 -03:00
ucma.c	RDMA/ucma: Do not miss ctx destruction steps in some cases	2021-01-06 17:15:15 -04:00
ud_header.c	RDMA/core: Use sizeof_field() helper	2020-05-27 13:46:05 -03:00
umem.c	RDMA/umem: Support importing dma-buf as user memory region	2021-01-20 16:07:52 -04:00
umem_dmabuf.c	RDMA/umem: Support importing dma-buf as user memory region	2021-01-20 16:07:52 -04:00
umem_odp.c	IB/core: Enable ODP sync without faulting	2020-10-01 16:44:05 -03:00
user_mad.c	IB/umad: Return EPOLLERR in case of when device disassociated	2021-01-28 15:27:09 -04:00
uverbs.h	IB/uverbs: Extend CQ to get its own asynchronous event FD	2020-05-21 20:34:53 -03:00
uverbs_cmd.c	RDMA/uverbs: Don't set rcq for a QP if qp_type is IB_QPT_XRC_INI	2021-01-21 10:26:15 -04:00
uverbs_ioctl.c	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
uverbs_main.c	RDMA: Convert sysfs device * show functions to use sysfs_emit()	2020-10-26 19:53:21 -03:00
uverbs_marshall.c
uverbs_std_types.c	RDMA/core: Make FD destroy callback void	2020-11-12 12:32:17 -04:00
uverbs_std_types_async_fd.c	RDMA/core: Make FD destroy callback void	2020-11-12 12:32:17 -04:00
uverbs_std_types_counters.c	RDMA/core: Postpone uobject cleanup on failure till FD close	2020-11-12 12:32:17 -04:00
uverbs_std_types_cq.c	RDMA/core: Postpone uobject cleanup on failure till FD close	2020-11-12 12:32:17 -04:00
uverbs_std_types_device.c	RDMA/uverbs: Fix incorrect variable type	2020-12-10 15:05:17 -04:00
uverbs_std_types_dm.c	RDMA/core: Postpone uobject cleanup on failure till FD close	2020-11-12 12:32:17 -04:00
uverbs_std_types_flow_action.c	RDMA/core: Postpone uobject cleanup on failure till FD close	2020-11-12 12:32:17 -04:00
uverbs_std_types_mr.c	RDMA/uverbs: Add uverbs command for dma-buf based MR registration	2021-01-20 16:07:52 -04:00
uverbs_std_types_qp.c	RDMA/restrack: Support all QP types	2020-11-27 11:38:46 -04:00
uverbs_std_types_srq.c	RDMA/core: Postpone uobject cleanup on failure till FD close	2020-11-12 12:32:17 -04:00
uverbs_std_types_wq.c	RDMA/core: Postpone uobject cleanup on failure till FD close	2020-11-12 12:32:17 -04:00
uverbs_uapi.c	RDMA/core Remove uverbs_ex_cmd_mask	2020-10-26 19:27:59 -03:00
verbs.c	IB/core: Use valid port number to check link layer	2021-02-02 19:25:51 -04:00