From: Guoqing Jiang <guoqing.jiang@linux.dev>
To: Chuck Lever III <chuck.lever@oracle.com>, Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leon@kernel.org>,
"pchelkin@ispras.ru" <pchelkin@ispras.ru>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>,
bmt@zurich.ibm.com
Subject: Re: [PATCH for-rc] RDMA/core: Call dev_put after query_port in iw_query_port
Date: Mon, 22 May 2023 10:34:05 +0800 [thread overview]
Message-ID: <bf9718c1-521b-ef4f-5ba4-7c1e79a570d4@linux.dev> (raw)
In-Reply-To: <3B612246-D6B1-4977-B254-B2AC437BDC1A@oracle.com>
On 5/19/23 22:05, Chuck Lever III wrote:
>
>> On May 19, 2023, at 10:03 AM, Jason Gunthorpe <jgg@ziepe.ca> wrote:
>>
>> On Fri, May 19, 2023 at 11:11:19AM +0800, Guoqing Jiang wrote:
>>> There is a UAF report by syzbot.
>>>
>>> BUG: KASAN: slab-use-after-free in siw_query_port+0x37b/0x3e0 drivers/infiniband/sw/siw/siw_verbs.c:177
>>> Read of size 4 at addr ffff888034efa0e8 by task kworker/1:4/24211
>>>
>>> CPU: 1 PID: 24211 Comm: kworker/1:4 Not tainted 6.4.0-rc1-syzkaller-00012-g16a8829130ca #0
>>> Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
>>> Workqueue: infiniband ib_cache_event_task
>>> Call Trace:
>>> <TASK>
>>> __dump_stack lib/dump_stack.c:88 [inline]
>>> dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
>>> print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
>>> print_report mm/kasan/report.c:462 [inline]
>>> kasan_report+0x11c/0x130 mm/kasan/report.c:572
>>> siw_query_port+0x37b/0x3e0 drivers/infiniband/sw/siw/siw_verbs.c:177
>>> iw_query_port drivers/infiniband/core/device.c:2049 [inline]
>>> ib_query_port drivers/infiniband/core/device.c:2090 [inline]
>>> ib_query_port+0x3c4/0x8f0 drivers/infiniband/core/device.c:2082
>>> ib_cache_update.part.0+0xcf/0x920 drivers/infiniband/core/cache.c:1487
>>> ib_cache_update drivers/infiniband/core/cache.c:1561 [inline]
>>> ib_cache_event_task+0x1b1/0x270 drivers/infiniband/core/cache.c:1561
>>> process_one_work+0x99a/0x15e0 kernel/workqueue.c:2405
>>> worker_thread+0x67d/0x10c0 kernel/workqueue.c:2552
>>> kthread+0x344/0x440 kernel/kthread.c:379
>>> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
>>> </TASK>
>>>
>>> It happened because netdev could be freed if the last reference
>>> is released, but drivers still dereference netdev in query_port.
>>> So let's guard query_port with dev_hold and dev_put.
>>>
>>> Reported-by: syzbot+79f283f1f4ccc6e8b624@syzkaller.appspotmail.com
>>> Closes: https://lore.kernel.org/lkml/0000000000001f992805fb79ce97@google.com/
>>> Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
>>> ---
>>> I guess another option could be call ib_device_get_netdev to get
>>> netdev in siw_query_port instead of dereference netdev directly.
>>> If so, then other drivers (irdma_query_port and ocrdma_query_port)
>>> may need to make relevant change as well.
>> Something is wrong in siw if it is UAF'ing it's own memory:
>>
>> attr->max_mtu = ib_mtu_int_to_enum(sdev->netdev->mtu);
>>
>> It needs to protect sedv->netdev somehow on its own.
> Note that netdev is actually the underlying device. An siw device
> doesn't have its own. But maybe it should.
I go through siw code a bit, and can't find relevant protection in siw.
Let me cc Bernard.
Thanks,
Guoqing
prev parent reply other threads:[~2023-05-22 2:34 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-19 3:11 [PATCH for-rc] RDMA/core: Call dev_put after query_port in iw_query_port Guoqing Jiang
2023-05-19 14:03 ` Jason Gunthorpe
2023-05-19 14:05 ` Chuck Lever III
2023-05-22 2:34 ` Guoqing Jiang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bf9718c1-521b-ef4f-5ba4-7c1e79a570d4@linux.dev \
--to=guoqing.jiang@linux.dev \
--cc=bmt@zurich.ibm.com \
--cc=chuck.lever@oracle.com \
--cc=jgg@ziepe.ca \
--cc=leon@kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=pchelkin@ispras.ru \
--cc=penguin-kernel@i-love.sakura.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.