From: Jason Gunthorpe <jgg@ziepe.ca>
To: Michal Kalderon <michal.kalderon@marvell.com>
Cc: dledford@redhat.com, ariel.elior@marvell.com, linux-rdma@vger.kernel.org
Subject: Re: [PATCH rdma] RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
Date: Thu, 18 Jun 2020 09:47:13 -0300
Message-ID: <20200618124713.GD2392687@ziepe.ca>
In-Reply-To: <20200616093408.17827-1-michal.kalderon@marvell.com>

On Tue, Jun 16, 2020 at 12:34:08PM +0300, Michal Kalderon wrote:
> Private data passed to iwarp_cm_handler is copied for
> connection request / response, but ignored otherwise.
> If junk is passed, it is stored in the event and used later
> in the event processing.
> Driver passed old junk pointer during connection close
> which led to a use-after-free on event processing.
> Set private data to NULL for events that don't have private
> data.
>
> BUG: KASAN: use-after-free in ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: Read of size 4 at addr ffff8886caa71200 by task kworker/u128:1/5250
> kernel:
> kernel: Workqueue: iw_cm_wq cm_work_handler [iw_cm]
> kernel: Call Trace:
> kernel: dump_stack+0x8c/0xc0
> kernel: print_address_description.constprop.0+0x1b/0x210
> kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: __kasan_report.cold+0x1a/0x33
> kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: kasan_report+0xe/0x20
> kernel: check_memory_region+0x130/0x1a0
> kernel: memcpy+0x20/0x50
> kernel: ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: ? __rpc_execute+0x608/0x620 [sunrpc]
> kernel: cma_iw_handler+0x212/0x330 [rdma_cm]
> kernel: ? iw_conn_req_handler+0x6e0/0x6e0 [rdma_cm]
> kernel: ? enqueue_timer+0x86/0x140
> kernel: ? _raw_write_lock_irq+0xd0/0xd0
> kernel: cm_work_handler+0xd3d/0x1070 [iw_cm]
>
> Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions")
> Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
> Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
> ---
> drivers/infiniband/hw/qedr/qedr_iw_cm.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)

Applied to for-rc, thanks
Jason
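
The rule stated in the quoted commit message (private data is attached only to connection request / response events and is NULL otherwise), as a userspace C model added here for illustration; it is not code from the patch or the qedr driver, and every type and function name in it is hypothetical.

```c
/* Userspace model (constructed); every name is hypothetical, not a kernel or qedr identifier. */
#include <stddef.h>
#include <string.h>
enum ev_type { EV_CONNECT_REQUEST, EV_CONNECT_REPLY, EV_ESTABLISHED, EV_CLOSE };

struct cm_event {
    enum ev_type type;
    const void *private_data;
    size_t private_data_len;
};

/* Endpoint state; pdata may be stale by the time the connection closes. */
struct endpoint { const void *pdata; size_t pdata_len; };

/* Start from NULL/0 and attach private data only for the event types that define it. */
static struct cm_event build_event(const struct endpoint *ep, enum ev_type t)
{
    struct cm_event ev = { .type = t, .private_data = NULL, .private_data_len = 0 };
    if (ep && (t == EV_CONNECT_REQUEST || t == EV_CONNECT_REPLY)) {
        ev.private_data = ep->pdata;
        ev.private_data_len = ep->pdata_len;
    }
    return ev;
}

/* Later consumer: copies whatever the event carries; returns bytes copied. */
static size_t consume_event(const struct cm_event *ev, void *dst, size_t dst_len)
{
    size_t n = ev->private_data_len < dst_len ? ev->private_data_len : dst_len;
    if (!ev->private_data || n == 0)
        return 0;
    memcpy(dst, ev->private_data, n);
    return n;
}

/* Bytes copied for event type t while the endpoint still holds a pointer. */
static size_t copied_for(enum ev_type t)
{
    static const char req[] = "hello"; /* constructed sample payload, 6 bytes with NUL */
    struct endpoint ep = { req, sizeof req };
    char out[16];
    struct cm_event ev = build_event(&ep, t);
    return consume_event(&ev, out, sizeof out);
}

int main(void)
{
    return copied_for(EV_CLOSE) == 0 && copied_for(EV_CONNECT_REQUEST) == 6 ? 0 : 1;
}
```

Because the event starts from NULL/0, a close event never hands the consumer a pointer to dereference, whatever the endpoint still holds.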