drivers/infiniband/core/cma.c · 061ccb52d23cfa2cf3195546a21c3a87194db5b7 · Kirill Smelkov / linux

RDMA/cma: Set proper port number as index · 061ccb52
Leon Romanovsky authored Apr 02, 2019
Conversion from IDR to XArray missed the fact that idr_alloc() returned
index as a return value, this index was saved in port variable and used as
query index later on. This caused to the following error.

 BUG: KASAN: use-after-free in cma_check_port+0x86a/0xa20 [rdma_cm]
 Read of size 8 at addr ffff888069fde998 by task ucmatose/387
 CPU: 3 PID: 387 Comm: ucmatose Not tainted 5.1.0-rc2+ #253
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
 Call Trace:
  dump_stack+0x7c/0xc0
  print_address_description+0x6c/0x23c
  ? cma_check_port+0x86a/0xa20 [rdma_cm]
  kasan_report.cold.3+0x1c/0x35
  ? cma_check_port+0x86a/0xa20 [rdma_cm]
  ? cma_check_port+0x86a/0xa20 [rdma_cm]
  cma_check_port+0x86a/0xa20 [rdma_cm]
  rdma_bind_addr+0x11bc/0x1b00 [rdma_cm]
  ? find_held_lock+0x33/0x1c0
  ? cma_ndev_work_handler+0x180/0x180 [rdma_cm]
  ? wait_for_completion+0x3d0/0x3d0
  ucma_bind+0x120/0x160 [rdma_ucm]
  ? ucma_resolve_addr+0x1a0/0x1a0 [rdma_ucm]
  ucma_write+0x1f8/0x2b0 [rdma_ucm]
  ? ucma_open+0x260/0x260 [rdma_ucm]
  vfs_write+0x157/0x460
  ksys_write+0xb8/0x170
  ? __ia32_sys_read+0xb0/0xb0
  ? trace_hardirqs_off_caller+0x5b/0x160
  ? do_syscall_64+0x18/0x3c0
  do_syscall_64+0x95/0x3c0
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

  Allocated by task 381:
   __kasan_kmalloc.constprop.5+0xc1/0xd0
   cma_alloc_port+0x4d/0x160 [rdma_cm]
   rdma_bind_addr+0x14e7/0x1b00 [rdma_cm]
   ucma_bind+0x120/0x160 [rdma_ucm]
   ucma_write+0x1f8/0x2b0 [rdma_ucm]
   vfs_write+0x157/0x460
   ksys_write+0xb8/0x170
   do_syscall_64+0x95/0x3c0
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

  Freed by task 381:
   __kasan_slab_free+0x12e/0x180
   kfree+0xed/0x290
   rdma_destroy_id+0x6b6/0x9e0 [rdma_cm]
   ucma_close+0x110/0x300 [rdma_ucm]
   __fput+0x25a/0x740
   task_work_run+0x10e/0x190
   do_exit+0x85e/0x29e0
   do_group_exit+0xf0/0x2e0
   get_signal+0x2e0/0x17e0
   do_signal+0x94/0x1570
   exit_to_usermode_loop+0xfa/0x130
   do_syscall_64+0x327/0x3c0
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

Reported-by: <syzbot+2e3e485d5697ea610460@syzkaller.appspotmail.com>
Reported-by: Ran Rozenstein <ranro@mellanox.com>
Fixes: 63826753 ("cma: Convert portspace IDRs to XArray")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Tested-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
061ccb52
cma.c 122 KB
Replace cma.c
