[PATCH AUTOSEL 4.18 18/58] ucma: fix a use-after-free in ucma_resolve_ip()

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
	Jason Gunthorpe <jgg@mellanox.com>,
	Doug Ledford <dledford@redhat.com>,
	Leon Romanovsky <leon@kernel.org>,
	Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.18 18/58] ucma: fix a use-after-free in ucma_resolve_ip()
Date: Mon,  8 Oct 2018 11:24:43 -0400	[thread overview]
Message-ID: <20181008152523.70705-18-sashal@kernel.org> (raw)
In-Reply-To: <20181008152523.70705-1-sashal@kernel.org>

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit 5fe23f262e0548ca7f19fb79f89059a60d087d22 ]

There is a race condition between ucma_close() and ucma_resolve_ip():

CPU0				CPU1
ucma_resolve_ip():		ucma_close():

ctx = ucma_get_ctx(file, cmd.id);

        list_for_each_entry_safe(ctx, tmp, &file->ctx_list, list) {
                mutex_lock(&mut);
                idr_remove(&ctx_idr, ctx->id);
                mutex_unlock(&mut);
		...
                mutex_lock(&mut);
                if (!ctx->closing) {
                        mutex_unlock(&mut);
                        rdma_destroy_id(ctx->cm_id);
		...
                ucma_free_ctx(ctx);

ret = rdma_resolve_addr();
ucma_put_ctx(ctx);

Before idr_remove(), ucma_get_ctx() could still find the ctx
and after rdma_destroy_id(), rdma_resolve_addr() may still
access id_priv pointer. Also, ucma_put_ctx() may use ctx after
ucma_free_ctx() too.

ucma_close() should call ucma_put_ctx() too which tests the
refcnt and waits for the last one releasing it. The similar
pattern is already used by ucma_destroy_id().

Reported-and-tested-by: syzbot+da2591e115d57a9cbb8b@syzkaller.appspotmail.com
Reported-by: syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com
Cc: Jason Gunthorpe <jgg@mellanox.com>
Cc: Doug Ledford <dledford@redhat.com>
Cc: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 drivers/infiniband/core/ucma.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index ec8fb289621f..e8edad9b2744 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1753,6 +1753,8 @@ static int ucma_close(struct inode *inode, struct file *filp)
 		mutex_lock(&mut);
 		if (!ctx->closing) {
 			mutex_unlock(&mut);
+			ucma_put_ctx(ctx);
+			wait_for_completion(&ctx->comp);
 			/* rdma_destroy_id ensures that no event handlers are
 			 * inflight for that id before releasing it.
 			 */
-- 
2.17.1

next prev parent reply	other threads:[~2018-10-08 22:37 UTC|newest]

Thread overview: 76+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-08 15:24 [PATCH AUTOSEL 4.18 01/58] soundwire: Fix duplicate stream state assignment Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 02/58] soundwire: Fix incorrect exit after configuring stream Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 03/58] soundwire: Fix acquiring bus lock twice during master release Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 04/58] media: af9035: prevent buffer overflow on write Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 05/58] spi: gpio: Fix copy-and-paste error Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 06/58] batman-adv: Avoid probe ELP information leak Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 07/58] batman-adv: Fix segfault when writing to throughput_override Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 08/58] batman-adv: Fix segfault when writing to sysfs elp_interval Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 09/58] batman-adv: Prevent duplicated gateway_node entry Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 10/58] batman-adv: Prevent duplicated nc_node entry Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 11/58] batman-adv: Prevent duplicated softif_vlan entry Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 12/58] batman-adv: Prevent duplicated global TT entry Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 13/58] batman-adv: Prevent duplicated tvlv handler Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 14/58] batman-adv: fix backbone_gw refcount on queue_work() failure Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 15/58] batman-adv: fix hardif_neigh " Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 16/58] cxgb4: fix abort_req_rss6 struct Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 17/58] clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs Sasha Levin
2018-10-08 15:24 ` Sasha Levin [this message]
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 19/58] scsi: ibmvscsis: Fix a stringop-overflow warning Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 20/58] scsi: ibmvscsis: Ensure partition name is properly NUL terminated Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 21/58] net/mlx5: Check for SQ and not RQ state when modifying hairpin SQ Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 22/58] intel_th: pci: Add Ice Lake PCH support Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 23/58] Input: atakbd - fix Atari keymap Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 24/58] Input: atakbd - fix Atari CapsLock behaviour Sasha Levin
2018-10-08 17:11   ` Dmitry Torokhov
2018-10-08 19:09     ` Michael Schmitz
2018-10-08 19:20       ` Dmitry Torokhov
2018-10-09 22:05         ` Michael Schmitz
2018-10-10  6:59           ` Geert Uytterhoeven
2018-10-10 23:38             ` Michael Schmitz
2018-10-10 14:29         ` Sasha Levin
2018-10-10 17:02           ` Dmitry Torokhov
2018-10-10 18:11             ` Sasha Levin
2018-10-10 18:28               ` Greg KH
2018-10-10 18:40                 ` Dmitry Torokhov
2018-10-10 18:49                   ` Sasha Levin
2018-10-10 18:58                     ` Dmitry Torokhov
2018-10-10 19:02                       ` Sasha Levin
2018-10-10 18:36               ` Dmitry Torokhov
2018-10-10 19:00                 ` Sasha Levin
2018-10-10 19:04             ` Geert Uytterhoeven
2018-10-12  0:03               ` Dmitry Torokhov
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 25/58] net: stmmac: Rework coalesce timer and fix multi-queue races Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 26/58] net: stmmac: Fixup the tail addr setting in xmit path Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 27/58] selftests: pmtu: properly redirect stderr to /dev/null Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 28/58] net: emac: fix fixed-link setup for the RTL8363SB switch Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 29/58] ravb: do not write 1 to reserved bits Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 30/58] net/smc: fix non-blocking connect problem Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 31/58] net/smc: fix sizeof to int comparison Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 32/58] net: mvpp2: fix a txq_done race condition Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 33/58] sfp: fix oops with ethtool -m Sasha Levin
2018-10-08 15:24 ` [PATCH AUTOSEL 4.18 34/58] qed: Fix populating the invalid stag value in multi function mode Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 35/58] qed: Do not add VLAN 0 tag to untagged frames in multi-function mode Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 36/58] bnxt_en: don't try to offload VLAN 'modify' action Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 37/58] PCI: dwc: Fix scheduling while atomic issues Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 38/58] RDMA/uverbs: Fix validity check for modify QP Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 39/58] scsi: lpfc: Synchronize access to remoteport via rport Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 40/58] drm: mali-dp: Call drm_crtc_vblank_reset on device init Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 41/58] net: mscc: fix the frame extraction into the skb Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 42/58] scsi: ipr: System hung while dlpar adding primary ipr adapter back Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 43/58] scsi: sd: don't crash the host on invalid commands Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 44/58] bpf: sockmap only allow ESTABLISHED sock state Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 45/58] bpf: sockmap, fix transition through disconnect without close Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 46/58] bpf: test_maps, only support ESTABLISHED socks Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 47/58] net/mlx4: Use cpumask_available for eq->affinity_mask Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 48/58] clocksource/drivers/fttmr010: Fix set_next_event handler Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 49/58] net: aquantia: memory corruption on jumbo frames Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 50/58] RDMA/bnxt_re: Fix system crash during RDMA resource initialization Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 51/58] RISC-V: include linux/ftrace.h in asm-prototypes.h Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 52/58] iommu/rockchip: Free irqs in shutdown handler Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 53/58] pinctrl/amd: poll InterruptEnable bits in amd_gpio_irq_set_type Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 54/58] powerpc/tm: Fix userspace r13 corruption Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 55/58] powerpc/tm: Avoid possible userspace r1 corruption on reclaim Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 56/58] powerpc/numa: Use associativity if VPHN hcall is successful Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 57/58] iommu/amd: Return devid as alias for ACPI HID devices Sasha Levin
2018-10-08 15:25 ` [PATCH AUTOSEL 4.18 58/58] x86/boot: Fix kexec booting failure in the SEV bit detection code Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ec8fb289621 dfblob:e8edad9b274 )
 OR (
bs:"[PATCH AUTOSEL 4.18 18/58] ucma: fix a use-after-free in ucma_resolve_ip()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181008152523.70705-18-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=alexander.levin@microsoft.com \
    --cc=dledford@redhat.com \
    --cc=jgg@mellanox.com \
    --cc=leon@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).