From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jason Gunthorpe <jgg@mellanox.com>,
Leon Romanovsky <leonro@mellanox.com>
Subject: [PATCH 4.19 19/37] RDMA/core: Prevent mixed use of FDs between shared ufiles
Date: Mon, 4 May 2020 19:57:32 +0200 [thread overview]
Message-ID: <20200504165450.411778103@linuxfoundation.org> (raw)
In-Reply-To: <20200504165448.264746645@linuxfoundation.org>
From: Leon Romanovsky <leonro@mellanox.com>
commit 0fb00941dc63990a10951146df216fc7b0e20bc2 upstream.
FDs can only be used on the ufile that created them, they cannot be mixed
to other ufiles. We are lacking a check to prevent it.
BUG: KASAN: null-ptr-deref in atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline]
BUG: KASAN: null-ptr-deref in atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline]
BUG: KASAN: null-ptr-deref in fput_many+0x1a/0x140 fs/file_table.c:336
Write of size 8 at addr 0000000000000038 by task syz-executor179/284
CPU: 0 PID: 284 Comm: syz-executor179 Not tainted 5.5.0-rc5+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x94/0xce lib/dump_stack.c:118
__kasan_report+0x18f/0x1b7 mm/kasan/report.c:510
kasan_report+0xe/0x20 mm/kasan/common.c:639
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline]
atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline]
fput_many+0x1a/0x140 fs/file_table.c:336
rdma_lookup_put_uobject+0x85/0x130 drivers/infiniband/core/rdma_core.c:692
uobj_put_read include/rdma/uverbs_std_types.h:96 [inline]
_ib_uverbs_lookup_comp_file drivers/infiniband/core/uverbs_cmd.c:198 [inline]
create_cq+0x375/0xba0 drivers/infiniband/core/uverbs_cmd.c:1006
ib_uverbs_create_cq+0x114/0x140 drivers/infiniband/core/uverbs_cmd.c:1089
ib_uverbs_write+0xaa5/0xdf0 drivers/infiniband/core/uverbs_main.c:769
__vfs_write+0x7c/0x100 fs/read_write.c:494
vfs_write+0x168/0x4a0 fs/read_write.c:558
ksys_write+0xc8/0x200 fs/read_write.c:611
do_syscall_64+0x9c/0x390 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44ef99
Code: 00 b8 00 01 00 00 eb e1 e8 74 1c 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc0b74c028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ffc0b74c030 RCX: 000000000044ef99
RDX: 0000000000000040 RSI: 0000000020000040 RDI: 0000000000000005
RBP: 00007ffc0b74c038 R08: 0000000000401830 R09: 0000000000401830
R10: 00007ffc0b74c038 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000006be018 R15: 0000000000000000
Fixes: cf8966b3477d ("IB/core: Add support for fd objects")
Link: https://lore.kernel.org/r/20200421082929.311931-2-leon@kernel.org
Suggested-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/rdma_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/core/rdma_core.c
+++ b/drivers/infiniband/core/rdma_core.c
@@ -381,7 +381,7 @@ lookup_get_fd_uobject(const struct uverb
* and the caller is expected to ensure that uverbs_close_fd is never
* done while a call top lookup is possible.
*/
- if (f->f_op != fd_type->fops) {
+ if (f->f_op != fd_type->fops || uobject->ufile != ufile) {
fput(f);
return ERR_PTR(-EBADF);
}
next prev parent reply other threads:[~2020-05-04 18:02 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-04 17:57 [PATCH 4.19 00/37] 4.19.121-rc1 review Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 01/37] drm/edid: Fix off-by-one in DispID DTD pixel clock Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 02/37] drm/qxl: qxl_release leak in qxl_draw_dirty_fb() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 03/37] drm/qxl: qxl_release leak in qxl_hw_surface_alloc() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 04/37] drm/qxl: qxl_release use after free Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 05/37] btrfs: fix block group leak when removing fails Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 06/37] ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 07/37] ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 08/37] ALSA: hda/hdmi: fix without unlocked before return Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 09/37] ALSA: pcm: oss: Place the plugin buffer overflow checks correctly Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 10/37] PM: ACPI: Output correct message on target power state Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 11/37] PM: hibernate: Freeze kernel threads in software_resume() Greg Kroah-Hartman
2020-05-05 12:09 ` Pavel Machek
2020-05-05 16:57 ` Dexuan Cui
2020-05-04 17:57 ` [PATCH 4.19 12/37] dm verity fec: fix hash block number in verity_fec_decode Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 13/37] dm writecache: fix data corruption when reloading the target Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 14/37] dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 15/37] scsi: qla2xxx: set UNLOADING before waiting for session deletion Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 16/37] scsi: qla2xxx: check UNLOADING before posting async work Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 17/37] RDMA/mlx5: Set GRH fields in query QP on RoCE Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 18/37] RDMA/mlx4: Initialize ib_spec on the stack Greg Kroah-Hartman
2020-05-04 17:57 ` Greg Kroah-Hartman [this message]
2020-05-04 17:57 ` [PATCH 4.19 20/37] RDMA/core: Fix race between destroy and release FD object Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 21/37] vfio: avoid possible overflow in vfio_iommu_type1_pin_pages Greg Kroah-Hartman
2020-05-05 12:17 ` Pavel Machek
2020-05-04 17:57 ` [PATCH 4.19 22/37] vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 23/37] iommu/qcom: Fix local_base status check Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 24/37] scsi: target/iblock: fix WRITE SAME zeroing Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 25/37] iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 26/37] ALSA: opti9xx: shut up gcc-10 range warning Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 27/37] nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 28/37] dmaengine: dmatest: Fix iteration non-stop logic Greg Kroah-Hartman
2020-05-05 12:31 ` Pavel Machek
2020-05-05 12:51 ` Andy Shevchenko
2020-05-05 12:58 ` Pavel Machek
2020-05-05 13:19 ` Andy Shevchenko
2020-05-05 13:37 ` Pavel Machek
2020-05-05 14:05 ` Andy Shevchenko
2020-05-05 14:53 ` Pavel Machek
2020-05-05 15:32 ` Sasha Levin
2020-05-05 15:57 ` Pavel Machek
2020-05-05 21:37 ` Andy Shevchenko
2020-05-04 17:57 ` [PATCH 4.19 29/37] selinux: properly handle multiple messages in selinux_netlink_send() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 30/37] btrfs: fix partial loss of prealloc extent past i_size after fsync Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 31/37] btrfs: transaction: Avoid deadlock due to bad initialization timing of fs_info::journal_info Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 32/37] mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 33/37] mmc: sdhci-xenon: fix annoying 1.8V regulator warning Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 34/37] mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 35/37] mmc: sdhci-msm: Enable host capabilities pertains to R1b response Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 36/37] mmc: meson-mx-sdio: Set MMC_CAP_WAIT_WHILE_BUSY Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 37/37] mmc: meson-mx-sdio: remove the broken ->card_busy() op Greg Kroah-Hartman
2020-05-05 7:42 ` [PATCH 4.19 00/37] 4.19.121-rc1 review Chris Paterson
2020-05-05 9:17 ` Greg Kroah-Hartman
[not found] ` <20200504165448.264746645-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-05-05 8:37 ` Jon Hunter
2020-05-05 8:37 ` Jon Hunter
2020-05-05 15:24 ` Naresh Kamboju
2020-05-05 15:50 ` shuah
2020-05-05 16:02 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200504165450.411778103@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jgg@mellanox.com \
--cc=leonro@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.