[PATCH AUTOSEL 4.4 3/9] ucma: fix a use-after-free in ucma_resolve_ip()

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
	Jason Gunthorpe <jgg@mellanox.com>,
	Doug Ledford <dledford@redhat.com>,
	Leon Romanovsky <leon@kernel.org>,
	Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.4 3/9] ucma: fix a use-after-free in ucma_resolve_ip()
Date: Mon,  8 Oct 2018 11:27:28 -0400	[thread overview]
Message-ID: <20181008152734.70962-3-sashal@kernel.org> (raw)
In-Reply-To: <20181008152734.70962-1-sashal@kernel.org>

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit 5fe23f262e0548ca7f19fb79f89059a60d087d22 ]

There is a race condition between ucma_close() and ucma_resolve_ip():

CPU0				CPU1
ucma_resolve_ip():		ucma_close():

ctx = ucma_get_ctx(file, cmd.id);

        list_for_each_entry_safe(ctx, tmp, &file->ctx_list, list) {
                mutex_lock(&mut);
                idr_remove(&ctx_idr, ctx->id);
                mutex_unlock(&mut);
		...
                mutex_lock(&mut);
                if (!ctx->closing) {
                        mutex_unlock(&mut);
                        rdma_destroy_id(ctx->cm_id);
		...
                ucma_free_ctx(ctx);

ret = rdma_resolve_addr();
ucma_put_ctx(ctx);

Before idr_remove(), ucma_get_ctx() could still find the ctx
and after rdma_destroy_id(), rdma_resolve_addr() may still
access id_priv pointer. Also, ucma_put_ctx() may use ctx after
ucma_free_ctx() too.

ucma_close() should call ucma_put_ctx() too which tests the
refcnt and waits for the last one releasing it. The similar
pattern is already used by ucma_destroy_id().

Reported-and-tested-by: syzbot+da2591e115d57a9cbb8b@syzkaller.appspotmail.com
Reported-by: syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com
Cc: Jason Gunthorpe <jgg@mellanox.com>
Cc: Doug Ledford <dledford@redhat.com>
Cc: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 drivers/infiniband/core/ucma.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 55aa8d3d752f..cc78fb6e371d 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1703,6 +1703,8 @@ static int ucma_close(struct inode *inode, struct file *filp)
 		mutex_lock(&mut);
 		if (!ctx->closing) {
 			mutex_unlock(&mut);
+			ucma_put_ctx(ctx);
+			wait_for_completion(&ctx->comp);
 			/* rdma_destroy_id ensures that no event handlers are
 			 * inflight for that id before releasing it.
 			 */
-- 
2.17.1

next prev parent reply	other threads:[~2018-10-08 15:27 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-08 15:27 [PATCH AUTOSEL 4.4 1/9] media: af9035: prevent buffer overflow on write Sasha Levin
2018-10-08 15:27 ` [PATCH AUTOSEL 4.4 2/9] clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs Sasha Levin
2018-10-08 15:27 ` Sasha Levin [this message]
2018-10-08 15:27 ` [PATCH AUTOSEL 4.4 4/9] Input: atakbd - fix Atari keymap Sasha Levin
2018-10-08 15:27 ` [PATCH AUTOSEL 4.4 5/9] Input: atakbd - fix Atari CapsLock behaviour Sasha Levin
2018-10-08 15:27 ` [PATCH AUTOSEL 4.4 6/9] net/mlx4: Use cpumask_available for eq->affinity_mask Sasha Levin
2018-10-08 15:27 ` [PATCH AUTOSEL 4.4 7/9] RISC-V: include linux/ftrace.h in asm-prototypes.h Sasha Levin
2018-10-08 15:27 ` [PATCH AUTOSEL 4.4 8/9] powerpc/tm: Fix userspace r13 corruption Sasha Levin
2018-10-08 15:27 ` [PATCH AUTOSEL 4.4 9/9] powerpc/tm: Avoid possible userspace r1 corruption on reclaim Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:55aa8d3d752 dfblob:cc78fb6e371 )
 OR (
bs:"[PATCH AUTOSEL 4.4 3/9] ucma: fix a use-after-free in ucma_resolve_ip()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181008152734.70962-3-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=alexander.levin@microsoft.com \
    --cc=dledford@redhat.com \
    --cc=jgg@mellanox.com \
    --cc=leon@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox