From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Feras Daoud <ferasda@mellanox.com>,
Leon Romanovsky <leonro@mellanox.com>,
Jason Gunthorpe <jgg@mellanox.com>,
Sasha Levin <sashal@kernel.org>,
linux-rdma@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 20/65] IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start
Date: Sat, 23 Feb 2019 16:05:55 -0500 [thread overview]
Message-ID: <20190223210640.200911-20-sashal@kernel.org> (raw)
In-Reply-To: <20190223210640.200911-1-sashal@kernel.org>
From: Feras Daoud <ferasda@mellanox.com>
[ Upstream commit 6ab4aba00f811a5265acc4d3eb1863bb3ca60562 ]
The following BUG was reported by kasan:
BUG: KASAN: use-after-free in ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib]
Read of size 80 at addr ffff88034c30bcd0 by task kworker/u16:1/24020
Workqueue: ipoib_wq ipoib_cm_tx_start [ib_ipoib]
Call Trace:
dump_stack+0x9a/0xeb
print_address_description+0xe3/0x2e0
kasan_report+0x18a/0x2e0
? ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib]
memcpy+0x1f/0x50
ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib]
? kvm_clock_read+0x1f/0x30
? ipoib_cm_skb_reap+0x610/0x610 [ib_ipoib]
? __lock_is_held+0xc2/0x170
? process_one_work+0x880/0x1960
? process_one_work+0x912/0x1960
process_one_work+0x912/0x1960
? wq_pool_ids_show+0x310/0x310
? lock_acquire+0x145/0x440
worker_thread+0x87/0xbb0
? process_one_work+0x1960/0x1960
kthread+0x314/0x3d0
? kthread_create_worker_on_cpu+0xc0/0xc0
ret_from_fork+0x3a/0x50
Allocated by task 0:
kasan_kmalloc+0xa0/0xd0
kmem_cache_alloc_trace+0x168/0x3e0
path_rec_create+0xa2/0x1f0 [ib_ipoib]
ipoib_start_xmit+0xa98/0x19e0 [ib_ipoib]
dev_hard_start_xmit+0x159/0x8d0
sch_direct_xmit+0x226/0xb40
__dev_queue_xmit+0x1d63/0x2950
neigh_update+0x889/0x1770
arp_process+0xc47/0x21f0
arp_rcv+0x462/0x760
__netif_receive_skb_core+0x1546/0x2da0
netif_receive_skb_internal+0xf2/0x590
napi_gro_receive+0x28e/0x390
ipoib_ib_handle_rx_wc_rss+0x873/0x1b60 [ib_ipoib]
ipoib_rx_poll_rss+0x17d/0x320 [ib_ipoib]
net_rx_action+0x427/0xe30
__do_softirq+0x28e/0xc42
Freed by task 26680:
__kasan_slab_free+0x11d/0x160
kfree+0xf5/0x360
ipoib_flush_paths+0x532/0x9d0 [ib_ipoib]
ipoib_set_mode_rss+0x1ad/0x560 [ib_ipoib]
set_mode+0xc8/0x150 [ib_ipoib]
kernfs_fop_write+0x279/0x440
__vfs_write+0xd8/0x5c0
vfs_write+0x15e/0x470
ksys_write+0xb8/0x180
do_syscall_64+0x9b/0x420
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88034c30bcc8
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
512-byte region [ffff88034c30bcc8, ffff88034c30bec8)
The buggy address belongs to the page:
The following race between change mode and xmit flow is the reason for
this use-after-free:
Change mode Send packet 1 to GID XX Send packet 2 to GID XX
| | |
start | |
| | |
| | |
| Create new path for GID XX |
| and update neigh path |
| | |
| | |
| | |
flush_paths | |
| |
queue_work(cm.start_task) |
| Path for GID XX not found
| create new path
|
|
start_task runs with old
released path
There is no locking to protect the lifetime of the path through the
ipoib_cm_tx struct, so delete it entirely and always use the newly looked
up path under the priv->lock.
Fixes: 546481c2816e ("IB/ipoib: Fix memory corruption in ipoib cm mode connect flow")
Signed-off-by: Feras Daoud <ferasda@mellanox.com>
Reviewed-by: Erez Shitrit <erezsh@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/ipoib/ipoib.h | 1 -
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 3 +--
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/infiniband/ulp/ipoib/ipoib.h b/drivers/infiniband/ulp/ipoib/ipoib.h
index 1abe3c62f106d..b22d02c9de90f 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -248,7 +248,6 @@ struct ipoib_cm_tx {
struct list_head list;
struct net_device *dev;
struct ipoib_neigh *neigh;
- struct ipoib_path *path;
struct ipoib_tx_buf *tx_ring;
unsigned int tx_head;
unsigned int tx_tail;
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_cm.c b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
index 0428e01e8f691..aa9dcfc36cd35 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1312,7 +1312,6 @@ struct ipoib_cm_tx *ipoib_cm_create_tx(struct net_device *dev, struct ipoib_path
neigh->cm = tx;
tx->neigh = neigh;
- tx->path = path;
tx->dev = dev;
list_add(&tx->list, &priv->cm.start_list);
set_bit(IPOIB_FLAG_INITIALIZED, &tx->flags);
@@ -1371,7 +1370,7 @@ static void ipoib_cm_tx_start(struct work_struct *work)
neigh->daddr + QPN_AND_OPTIONS_OFFSET);
goto free_neigh;
}
- memcpy(&pathrec, &p->path->pathrec, sizeof(pathrec));
+ memcpy(&pathrec, &path->pathrec, sizeof(pathrec));
spin_unlock_irqrestore(&priv->lock, flags);
netif_tx_unlock_bh(dev);
--
2.19.1
next prev parent reply other threads:[~2019-02-23 21:07 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-23 21:05 [PATCH AUTOSEL 4.19 01/65] vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 02/65] xfrm: refine validation of template and selector families Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 03/65] xfrm: Make set-mark default behavior backward compatible Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 04/65] netfilter: nft_compat: use refcnt_t type for nft_xt reference count Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 05/65] netfilter: nft_compat: make lists per netns Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 06/65] perf script: Fix crash with printing mixed trace point and other events Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 07/65] perf core: Fix perf_proc_update_handler() bug Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 08/65] perf tools: Handle TOPOLOGY headers with no CPU Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 09/65] perf script: Fix crash when processing recorded stat data Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 10/65] IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 11/65] iommu/amd: Call free_iova_fast with pfn in map_sg Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 12/65] iommu/amd: Unmap all mapped pages in error path of map_sg Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 13/65] riscv: fixup max_low_pfn with PFN_DOWN Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 14/65] ipvs: Fix signed integer overflow when setsockopt timeout Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 15/65] iommu/amd: Fix IOMMU page flush when detach device from a domain Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 16/65] clk: ti: Fix error handling in ti_clk_parse_divider_data() Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 17/65] clk: qcom: gcc: Use active only source for CPUSS clocks Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 18/65] xtensa: SMP: fix ccount_timer_shutdown Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 19/65] riscv: Adjust mmap base address at a third of task size Sasha Levin
2019-02-23 21:05 ` Sasha Levin [this message]
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 21/65] selftests: cpu-hotplug: fix case where CPUs offline > CPUs present Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 22/65] xtensa: SMP: fix secondary CPU initialization Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 23/65] xtensa: smp_lx200_defconfig: fix vectors clash Sasha Levin
2019-02-23 21:05 ` [PATCH AUTOSEL 4.19 24/65] xtensa: SMP: mark each possible CPU as present Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 25/65] iomap: get/put the page in iomap_page_create/release() Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 26/65] iomap: fix a use after free in iomap_dio_rw Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 27/65] xtensa: SMP: limit number of possible CPUs by NR_CPUS Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 28/65] net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 29/65] net: hns: Fix for missing of_node_put() after of_parse_phandle() Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 30/65] net: hns: Restart autoneg need return failed when autoneg off Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 31/65] net: hns: Fix wrong read accesses via Clause 45 MDIO protocol Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 32/65] net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 33/65] netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 34/65] netfilter: nfnetlink_osf: add missing fmatch check Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 35/65] gpio: vf610: Mask all GPIO interrupts Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 36/65] selftests: net: use LDLIBS instead of LDFLAGS Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 37/65] selftests: timers: " Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 38/65] nfs: Fix NULL pointer dereference of dev_name Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 39/65] qed: Fix bug in tx promiscuous mode settings Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 40/65] qed: Fix LACP pdu drops for VFs Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 41/65] qed: Fix VF probe failure while FLR Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 42/65] qed: Fix system crash in ll2 xmit Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 43/65] qed: Fix stack out of bounds bug Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 44/65] scsi: libfc: free skb when receiving invalid flogi resp Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 45/65] scsi: scsi_debug: fix write_same with virtual_gb problem Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 46/65] scsi: bnx2fc: Fix error handling in probe() Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 47/65] scsi: 53c700: pass correct "dev" to dma_alloc_attrs() Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 48/65] platform/x86: Fix unmet dependency warning for ACPI_CMPC Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 49/65] platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 50/65] net: macb: Apply RXUBR workaround only to versions with errata Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 51/65] x86/boot/compressed/64: Set EFER.LME=1 in 32-bit trampoline before returning to long mode Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 52/65] cifs: fix computation for MAX_SMB2_HDR_SIZE Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 53/65] blk-mq: fix a hung issue when fsync Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 54/65] x86/microcode/amd: Don't falsely trick the late loading mechanism Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 55/65] arm64: kprobe: Always blacklist the KVM world-switch code Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 56/65] apparmor: Fix aa_label_build() error handling for failed merges Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 57/65] x86/kexec: Don't setup EFI info if EFI runtime is not enabled Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 58/65] proc: fix /proc/net/* after setns(2) Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 59/65] x86_64: increase stack size for KASAN_EXTRA Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 60/65] mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 61/65] mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 62/65] lib/test_kmod.c: potential double free in error handling Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 63/65] fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 64/65] autofs: drop dentry reference only when it is never used Sasha Levin
2019-02-23 21:06 ` [PATCH AUTOSEL 4.19 65/65] autofs: fix error return in autofs_fill_super() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190223210640.200911-20-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ferasda@mellanox.com \
--cc=jgg@mellanox.com \
--cc=leonro@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox