From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+e3f96c43d19782dd14a7@syzkaller.appspotmail.com,
Jason Gunthorpe <jgg@nvidia.com>,
Maor Gottlieb <maorg@nvidia.com>,
Leon Romanovsky <leonro@nvidia.com>
Subject: [PATCH 5.10 26/74] RDMA/ucma: Protect mc during concurrent multicast leaves
Date: Mon, 7 Feb 2022 12:06:24 +0100 [thread overview]
Message-ID: <20220207103758.100071214@linuxfoundation.org> (raw)
In-Reply-To: <20220207103757.232676988@linuxfoundation.org>
From: Leon Romanovsky <leonro@nvidia.com>
commit 36e8169ec973359f671f9ec7213547059cae972e upstream.
Partially revert the commit mentioned in the Fixes line to make sure that
allocation and erasing multicast struct are locked.
BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529
CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614
ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732
vfs_write+0x28e/0xae0 fs/read_write.c:588
ksys_write+0x1ee/0x250 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Currently the xarray search can touch a concurrently freeing mc as the
xa_for_each() is not surrounded by any lock. Rather than hold the lock for
a full scan hold it only for the effected items, which is usually an empty
list.
Fixes: 95fe51096b7a ("RDMA/ucma: Remove mc_list and rely on xarray")
Link: https://lore.kernel.org/r/1cda5fabb1081e8d16e39a48d3a4f8160cea88b8.1642491047.git.leonro@nvidia.com
Reported-by: syzbot+e3f96c43d19782dd14a7@syzkaller.appspotmail.com
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/ucma.c | 34 +++++++++++++++++++++++-----------
1 file changed, 23 insertions(+), 11 deletions(-)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -95,6 +95,7 @@ struct ucma_context {
u64 uid;
struct list_head list;
+ struct list_head mc_list;
struct work_struct close_work;
};
@@ -105,6 +106,7 @@ struct ucma_multicast {
u64 uid;
u8 join_state;
+ struct list_head list;
struct sockaddr_storage addr;
};
@@ -198,6 +200,7 @@ static struct ucma_context *ucma_alloc_c
INIT_WORK(&ctx->close_work, ucma_close_id);
init_completion(&ctx->comp);
+ INIT_LIST_HEAD(&ctx->mc_list);
/* So list_del() will work if we don't do ucma_finish_ctx() */
INIT_LIST_HEAD(&ctx->list);
ctx->file = file;
@@ -484,19 +487,19 @@ err1:
static void ucma_cleanup_multicast(struct ucma_context *ctx)
{
- struct ucma_multicast *mc;
- unsigned long index;
+ struct ucma_multicast *mc, *tmp;
- xa_for_each(&multicast_table, index, mc) {
- if (mc->ctx != ctx)
- continue;
+ xa_lock(&multicast_table);
+ list_for_each_entry_safe(mc, tmp, &ctx->mc_list, list) {
+ list_del(&mc->list);
/*
* At this point mc->ctx->ref is 0 so the mc cannot leave the
* lock on the reader and this is enough serialization
*/
- xa_erase(&multicast_table, index);
+ __xa_erase(&multicast_table, mc->id);
kfree(mc);
}
+ xa_unlock(&multicast_table);
}
static void ucma_cleanup_mc_events(struct ucma_multicast *mc)
@@ -1469,12 +1472,16 @@ static ssize_t ucma_process_join(struct
mc->uid = cmd->uid;
memcpy(&mc->addr, addr, cmd->addr_size);
- if (xa_alloc(&multicast_table, &mc->id, NULL, xa_limit_32b,
+ xa_lock(&multicast_table);
+ if (__xa_alloc(&multicast_table, &mc->id, NULL, xa_limit_32b,
GFP_KERNEL)) {
ret = -ENOMEM;
goto err_free_mc;
}
+ list_add_tail(&mc->list, &ctx->mc_list);
+ xa_unlock(&multicast_table);
+
mutex_lock(&ctx->mutex);
ret = rdma_join_multicast(ctx->cm_id, (struct sockaddr *)&mc->addr,
join_state, mc);
@@ -1500,8 +1507,11 @@ err_leave_multicast:
mutex_unlock(&ctx->mutex);
ucma_cleanup_mc_events(mc);
err_xa_erase:
- xa_erase(&multicast_table, mc->id);
+ xa_lock(&multicast_table);
+ list_del(&mc->list);
+ __xa_erase(&multicast_table, mc->id);
err_free_mc:
+ xa_unlock(&multicast_table);
kfree(mc);
err_put_ctx:
ucma_put_ctx(ctx);
@@ -1569,15 +1579,17 @@ static ssize_t ucma_leave_multicast(stru
mc = ERR_PTR(-EINVAL);
else if (!refcount_inc_not_zero(&mc->ctx->ref))
mc = ERR_PTR(-ENXIO);
- else
- __xa_erase(&multicast_table, mc->id);
- xa_unlock(&multicast_table);
if (IS_ERR(mc)) {
+ xa_unlock(&multicast_table);
ret = PTR_ERR(mc);
goto out;
}
+ list_del(&mc->list);
+ __xa_erase(&multicast_table, mc->id);
+ xa_unlock(&multicast_table);
+
mutex_lock(&mc->ctx->mutex);
rdma_leave_multicast(mc->ctx->cm_id, (struct sockaddr *) &mc->addr);
mutex_unlock(&mc->ctx->mutex);
next prev parent reply other threads:[~2022-02-07 11:37 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-07 11:05 [PATCH 5.10 00/74] 5.10.99-rc1 review Greg Kroah-Hartman
2022-02-07 11:05 ` [PATCH 5.10 01/74] selinux: fix double free of cond_list on error paths Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 02/74] audit: improve audit queue handling when "audit=1" on cmdline Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 03/74] ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 04/74] ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 05/74] ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 06/74] ALSA: usb-audio: Correct quirk for VF0770 Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 07/74] ALSA: hda: Fix UAF of leds class devs at unbinding Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 08/74] ALSA: hda: realtek: Fix race at concurrent COEF updates Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 09/74] ALSA: hda/realtek: Add quirk for ASUS GU603 Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 10/74] ALSA: hda/realtek: Add missing fixup-model entry for Gigabyte X570 ALC1220 quirks Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 11/74] ALSA: hda/realtek: Fix silent output on Gigabyte X570S Aorus Master (newer chipset) Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 12/74] ALSA: hda/realtek: Fix silent output on Gigabyte X570 Aorus Xtreme after reboot from Windows Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 13/74] btrfs: fix deadlock between quota disable and qgroup rescan worker Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 14/74] drm/nouveau: fix off by one in BIOS boundary checking Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 15/74] drm/amd/display: Force link_rate as LINK_RATE_RBR2 for 2018 15" Apple Retina panels Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 16/74] nvme-fabrics: fix state check in nvmf_ctlr_matches_baseopts() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 17/74] mm/debug_vm_pgtable: remove pte entry from the page table Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 18/74] mm/pgtable: define pte_index so that preprocessor could recognize it Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 19/74] mm/kmemleak: avoid scanning potential huge holes Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 20/74] block: bio-integrity: Advance seed correctly for larger interval sizes Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 21/74] dma-buf: heaps: Fix potential spectre v1 gadget Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 22/74] IB/hfi1: Fix AIP early init panic Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 23/74] Revert "ASoC: mediatek: Check for error clk pointer" Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 24/74] memcg: charge fs_context and legacy_fs_context Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 25/74] RDMA/cma: Use correct address when leaving multicast group Greg Kroah-Hartman
2022-02-07 11:06 ` Greg Kroah-Hartman [this message]
2022-02-07 11:06 ` [PATCH 5.10 27/74] IB/rdmavt: Validate remote_addr during loopback atomic tests Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 28/74] RDMA/siw: Fix broken RDMA Read Fence/Resume logic Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 29/74] RDMA/mlx4: Dont continue event handler after memory allocation failure Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 30/74] iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 31/74] iommu/amd: Fix loop timeout issue in iommu_ga_log_enable() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 32/74] spi: bcm-qspi: check for valid cs before applying chip select Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 33/74] spi: mediatek: Avoid NULL pointer crash in interrupt Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 34/74] spi: meson-spicc: add IRQ check in meson_spicc_probe Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 35/74] spi: uniphier: fix reference count leak in uniphier_spi_probe() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 36/74] net: ieee802154: hwsim: Ensure proper channel selection at probe time Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 37/74] net: ieee802154: mcr20a: Fix lifs/sifs periods Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 38/74] net: ieee802154: ca8210: Stop leaking skbs Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 39/74] net: ieee802154: Return meaningful error codes from the netlink helpers Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 40/74] net: macsec: Fix offload support for NETDEV_UNREGISTER event Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 41/74] net: macsec: Verify that send_sci is on when setting Tx sci explicitly Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 42/74] net: stmmac: dump gmac4 DMA registers correctly Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 43/74] net: stmmac: ensure PTP time register reads are consistent Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 44/74] drm/i915/overlay: Prevent divide by zero bugs in scaling Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 45/74] ASoC: fsl: Add missing error handling in pcm030_fabric_probe Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 46/74] ASoC: xilinx: xlnx_formatter_pcm: Make buffer bytes multiple of period bytes Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 47/74] ASoC: cpcap: Check for NULL pointer after calling of_get_child_by_name Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 48/74] ASoC: max9759: fix underflow in speaker_gain_control_put() Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 49/74] pinctrl: intel: Fix a glitch when updating IRQ flags on a preconfigured line Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 50/74] pinctrl: intel: fix unexpected interrupt Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 51/74] pinctrl: bcm2835: Fix a few error paths Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 52/74] scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 53/74] nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 54/74] gve: fix the wrong AdminQ buffer queue index check Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 55/74] bpf: Use VM_MAP instead of VM_ALLOC for ringbuf Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 56/74] selftests/exec: Remove pipe from TEST_GEN_FILES Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 57/74] selftests: futex: Use variable MAKE instead of make Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 58/74] tools/resolve_btfids: Do not print any commands when building silently Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 59/74] rtc: cmos: Evaluate century appropriate Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 60/74] Revert "fbcon: Disable accelerated scrolling" Greg Kroah-Hartman
2022-02-07 11:06 ` [PATCH 5.10 61/74] fbcon: Add option to enable legacy hardware acceleration Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 62/74] perf stat: Fix display of grouped aliased events Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 63/74] perf/x86/intel/pt: Fix crash with stop filters in single-range mode Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 64/74] x86/perf: Default set FREEZE_ON_SMI for all Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 65/74] EDAC/altera: Fix deferred probing Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 66/74] EDAC/xgene: " Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 67/74] ext4: prevent used blocks from being allocated during fast commit replay Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 68/74] ext4: modify the logic of ext4_mb_new_blocks_simple Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 69/74] ext4: fix error handling in ext4_restore_inline_data() Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 70/74] ext4: fix error handling in ext4_fc_record_modified_inode() Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 71/74] ext4: fix incorrect type issue during replay_del_range Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 72/74] net: dsa: mt7530: make NET_DSA_MT7530 select MEDIATEK_GE_PHY Greg Kroah-Hartman
2022-02-09 19:08 ` Pavel Machek
2022-02-07 11:07 ` [PATCH 5.10 73/74] cgroup/cpuset: Fix "suspicious RCU usage" lockdep warning Greg Kroah-Hartman
2022-02-07 11:07 ` [PATCH 5.10 74/74] selftests: nft_concat_range: add test for reload with no element add/del Greg Kroah-Hartman
2022-02-07 17:03 ` [PATCH 5.10 00/74] 5.10.99-rc1 review Pavel Machek
2022-02-07 21:25 ` Shuah Khan
2022-02-07 22:21 ` Guenter Roeck
2022-02-07 23:45 ` Florian Fainelli
2022-02-08 2:45 ` Slade Watkins
2022-02-08 8:02 ` Naresh Kamboju
2022-02-08 14:01 ` Sudip Mukherjee
2022-02-08 20:36 ` Fox Chen
2022-02-09 3:15 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220207103758.100071214@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jgg@nvidia.com \
--cc=leonro@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=maorg@nvidia.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+e3f96c43d19782dd14a7@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox