From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com,
Jason Gunthorpe <jgg@mellanox.com>,
Doug Ledford <dledford@redhat.com>,
Leon Romanovsky <leon@kernel.org>,
Cong Wang <xiyou.wangcong@gmail.com>,
Leon Romanovsky <leonro@mellanox.com>
Subject: [PATCH 4.18 41/44] ucma: fix a use-after-free in ucma_resolve_ip()
Date: Thu, 11 Oct 2018 17:40:19 +0200 [thread overview]
Message-ID: <20181011152454.260889796@linuxfoundation.org> (raw)
In-Reply-To: <20181011152452.571669983@linuxfoundation.org>
4.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit 5fe23f262e0548ca7f19fb79f89059a60d087d22 upstream.
There is a race condition between ucma_close() and ucma_resolve_ip():
CPU0 CPU1
ucma_resolve_ip(): ucma_close():
ctx = ucma_get_ctx(file, cmd.id);
list_for_each_entry_safe(ctx, tmp, &file->ctx_list, list) {
mutex_lock(&mut);
idr_remove(&ctx_idr, ctx->id);
mutex_unlock(&mut);
...
mutex_lock(&mut);
if (!ctx->closing) {
mutex_unlock(&mut);
rdma_destroy_id(ctx->cm_id);
...
ucma_free_ctx(ctx);
ret = rdma_resolve_addr();
ucma_put_ctx(ctx);
Before idr_remove(), ucma_get_ctx() could still find the ctx
and after rdma_destroy_id(), rdma_resolve_addr() may still
access id_priv pointer. Also, ucma_put_ctx() may use ctx after
ucma_free_ctx() too.
ucma_close() should call ucma_put_ctx() too which tests the
refcnt and waits for the last one releasing it. The similar
pattern is already used by ucma_destroy_id().
Reported-and-tested-by: syzbot+da2591e115d57a9cbb8b@syzkaller.appspotmail.com
Reported-by: syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com
Cc: Jason Gunthorpe <jgg@mellanox.com>
Cc: Doug Ledford <dledford@redhat.com>
Cc: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/ucma.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1759,6 +1759,8 @@ static int ucma_close(struct inode *inod
mutex_lock(&mut);
if (!ctx->closing) {
mutex_unlock(&mut);
+ ucma_put_ctx(ctx);
+ wait_for_completion(&ctx->comp);
/* rdma_destroy_id ensures that no event handlers are
* inflight for that id before releasing it.
*/
next prev parent reply other threads:[~2018-10-11 15:49 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-11 15:39 [PATCH 4.18 00/44] 4.18.14-stable review Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 01/44] perf/core: Add sanity check to deal with pinned event failure Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 02/44] mm: migration: fix migration of huge PMD shared pages Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 03/44] mm, thp: fix mlocking THP page with migration enabled Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 04/44] mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 05/44] KVM: x86: fix L1TFs MMIO GFN calculation Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 06/44] KVM: VMX: check for existence of secondary exec controls before accessing Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 07/44] blk-mq: I/O and timer unplugs are inverted in blktrace Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 08/44] pstore/ram: Fix failure-path memory leak in ramoops_init Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 09/44] clocksource/drivers/timer-atmel-pit: Properly handle error cases Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 10/44] fbdev/omapfb: fix omapfb_memory_read infoleak Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 11/44] xen-netback: fix input validation in xenvif_set_hash_mapping() Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 12/44] mmc: core: Fix debounce time to use microseconds Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 13/44] mmc: slot-gpio: Fix debounce time to use miliseconds again Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 14/44] mac80211: allocate TXQs for active monitor interfaces Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 15/44] drm/amdgpu: Fix vce work queue was not cancelled when suspend Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 16/44] drm/syncobj: Dont leak fences when WAIT_FOR_SUBMIT is set Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 17/44] drm: fix use-after-free read in drm_mode_create_lease_ioctl() Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 18/44] x86/vdso: Fix asm constraints on vDSO syscall fallbacks Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 19/44] selftests/x86: Add clock_gettime() tests to test_vdso Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 20/44] x86/vdso: Only enable vDSO retpolines when enabled and supported Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.18 21/44] x86/vdso: Fix vDSO syscall fallback asm constraint regression Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 22/44] PCI: Reprogram bridge prefetch registers on resume Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 23/44] mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 24/44] PM / core: Clear the direct_complete flag on errors Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 25/44] dm mpath: fix attached_handler_name leak and dangling hw_handler_name pointer Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 26/44] dm cache metadata: ignore hints array being too small during resize Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 27/44] dm cache: fix resize crash if user doesnt reload cache table Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 28/44] xhci: Add missing CAS workaround for Intel Sunrise Point xHCI Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 29/44] usb: xhci-mtk: resume USB3 roothub first Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 30/44] USB: serial: simple: add Motorola Tetra MTP6550 id Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 31/44] USB: serial: option: improve Quectel EP06 detection Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 32/44] USB: serial: option: add two-endpoints device-id flag Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 33/44] usb: cdc_acm: Do not leak URB buffers Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 34/44] tty: Drop tty->count on tty_reopen() failure Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 35/44] of: unittest: Disable interrupt node tests for old world MAC systems Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 36/44] powerpc: Avoid code patching freed init sections Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 37/44] powerpc/lib: fix book3s/32 boot failure due to code patching Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 38/44] ARC: clone syscall to setp r25 as thread pointer Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 39/44] f2fs: fix invalid memory access Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 40/44] tipc: call start and done ops directly in __tipc_nl_compat_dumpit() Greg Kroah-Hartman
2018-10-11 15:40 ` Greg Kroah-Hartman [this message]
2018-10-11 15:40 ` [PATCH 4.18 42/44] ubifs: Check for name being NULL while mounting Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 43/44] rds: rds_ib_recv_alloc_cache() should call alloc_percpu_gfp() instead Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.18 44/44] ath10k: fix scan crash due to incorrect length calculation Greg Kroah-Hartman
2018-10-11 22:34 ` [PATCH 4.18 00/44] 4.18.14-stable review Shuah Khan
2018-10-12 4:22 ` Naresh Kamboju
2018-10-12 10:24 ` Greg Kroah-Hartman
2018-10-12 15:43 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181011152454.260889796@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dledford@redhat.com \
--cc=jgg@mellanox.com \
--cc=leon@kernel.org \
--cc=leonro@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).