linux_dsm_epyc7002

mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-12-28 11:18:45 +07:00

History

Avihai Horon 60d613b39e RDMA/ucma: Fix use-after-free bug in ucma_create_uevent [ Upstream commit fe454dc31e84f8c14cb8942fcb61666c9f40745b ] ucma_process_join() allocates struct ucma_multicast mc and frees it if an error occurs during its run. Specifically, if an error occurs in copy_to_user(), a use-after-free might happen in the following scenario: 1. mc struct is allocated. 2. rdma_join_multicast() is called and succeeds. During its run, cma_iboe_join_multicast() enqueues a work that will later use the aforementioned mc struct. 3. copy_to_user() is called and fails. 4. mc struct is deallocated. 5. The work that was enqueued by cma_iboe_join_multicast() is run and calls ucma_create_uevent() which tries to access mc struct (which is freed by now). Fix this bug by cancelling the work enqueued by cma_iboe_join_multicast(). Since cma_work_handler() frees struct cma_work, we don't use it in cma_iboe_join_multicast() so we can safely cancel the work later. The following syzkaller report revealed it: BUG: KASAN: use-after-free in ucma_create_uevent+0x2dd/0x;3f0 drivers/infiniband/core/ucma.c:272 Read of size 8 at addr ffff88810b3ad110 by task kworker/u8:1/108 CPU: 1 PID: 108 Comm: kworker/u8:1 Not tainted 5.10.0-rc6+ #257 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: rdma_cm cma_work_handler Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xbe/0xf9 lib/dump_stack.c:118 print_address_description.constprop.0+0x3e/0×60 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x1f/0×37 mm/kasan/report.c:562 ucma_create_uevent+0x2dd/0×3f0 drivers/infiniband/core/ucma.c:272 ucma_event_handler+0xb7/0×3c0 drivers/infiniband/core/ucma.c:349 cma_cm_event_handler+0x5d/0×1c0 drivers/infiniband/core/cma.c:1977 cma_work_handler+0xfa/0×190 drivers/infiniband/core/cma.c:2718 process_one_work+0x54c/0×930 kernel/workqueue.c:2272 worker_thread+0x82/0×830 kernel/workqueue.c:2418 kthread+0x1ca/0×220 kernel/kthread.c:292 ret_from_fork+0x1f/0×30 arch/x86/entry/entry_64.S:296 Allocated by task 359: kasan_save_stack+0x1b/0×40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc mm/kasan/common.c:461 [inline] __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:434 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:664 [inline] ucma_process_join+0x16e/0×3f0 drivers/infiniband/core/ucma.c:1453 ucma_join_multicast+0xda/0×140 drivers/infiniband/core/ucma.c:1538 ucma_write+0x1f7/0×280 drivers/infiniband/core/ucma.c:1724 vfs_write fs/read_write.c:603 [inline] vfs_write+0x191/0×4c0 fs/read_write.c:585 ksys_write+0x1a1/0×1e0 fs/read_write.c:658 do_syscall_64+0x2d/0×40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 359: kasan_save_stack+0x1b/0×40 mm/kasan/common.c:48 kasan_set_track+0x1c/0×30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0×30 mm/kasan/generic.c:355 __kasan_slab_free+0x112/0×160 mm/kasan/common.c:422 slab_free_hook mm/slub.c:1544 [inline] slab_free_freelist_hook mm/slub.c:1577 [inline] slab_free mm/slub.c:3142 [inline] kfree+0xb3/0×3e0 mm/slub.c:4124 ucma_process_join+0x22d/0×3f0 drivers/infiniband/core/ucma.c:1497 ucma_join_multicast+0xda/0×140 drivers/infiniband/core/ucma.c:1538 ucma_write+0x1f7/0×280 drivers/infiniband/core/ucma.c:1724 vfs_write fs/read_write.c:603 [inline] vfs_write+0x191/0×4c0 fs/read_write.c:585 ksys_write+0x1a1/0×1e0 fs/read_write.c:658 do_syscall_64+0x2d/0×40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff88810b3ad100 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 16 bytes inside of 192-byte region [ffff88810b3ad100, ffff88810b3ad1c0) Fixes: `b5de0c60cc` ("RDMA/cma: Fix use after free race in roce multicast join") Link: https://lore.kernel.org/r/20210211090517.1278415-1-leon@kernel.org Reported-by: Amit Matityahu <mitm@nvidia.com> Signed-off-by: Avihai Horon <avihaih@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Sasha Levin <sashal@kernel.org>		2021-03-04 11:38:08 +01:00
..
addr.c	RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel()	2020-09-30 15:29:05 -03:00
agent.c	RDMA: Mark if destroy address handle is in a sleepable context	2018-12-19 16:28:03 -07:00
agent.h
cache.c	RDMA/core: Fix empty gid table for non IB/RoCE devices	2020-12-07 16:32:04 -04:00
cgroup.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288	2019-06-05 17:36:37 +02:00
cm_msgs.h	RDMA/cm: Remove CM message structs	2020-01-25 15:11:37 -04:00
cm_trace.c	RDMA/cm: Replace pr_debug() call sites with tracepoints	2020-08-24 19:41:41 -03:00
cm_trace.h	RDMA/cm: Add tracepoints to track MAD send operations	2020-08-24 19:41:41 -03:00
cm.c	IB/cm: Avoid a loop when device has 255 ports	2021-03-04 11:38:03 +01:00
cma_configfs.c	RDMA/cma: Fix error flow in default_roce_mode_store	2021-01-27 11:55:08 +01:00
cma_priv.h	RDMA/ucma: Extend ucma_connect to receive ECE parameters	2020-05-27 16:05:05 -03:00
cma_trace.c	RDMA/cma: Add trace points in RDMA Connection Manager	2020-01-07 16:10:53 -04:00
cma_trace.h	RDMA/core: Move the rdma_show_ib_cm_event() macro	2020-08-24 16:01:47 -03:00
cma.c	RDMA/ucma: Fix use-after-free bug in ucma_create_uevent	2021-03-04 11:38:08 +01:00
core_priv.h	RDMA/restrack: Improve readability in task name management	2020-09-22 19:47:35 -03:00
counters.c	RDMA/restrack: Improve readability in task name management	2020-09-22 19:47:35 -03:00
cq.c	RDMA/restrack: Improve readability in task name management	2020-09-22 19:47:35 -03:00
device.c	RDMA/core: remove use of dma_virt_ops	2021-01-09 13:46:24 +01:00
ib_core_uverbs.c	RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence	2020-01-25 14:48:33 -04:00
iwcm.c	RDMA/iwcm: Fix iwcm work deallocation	2020-03-04 14:28:25 -04:00
iwcm.h
iwpm_msg.c	RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb"	2019-08-27 13:09:23 -03:00
iwpm_util.c	RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb"	2019-08-27 13:09:23 -03:00
iwpm_util.h	infiniband: fix core/ipwm_util.h kernel-doc warnings	2019-10-22 14:45:31 -03:00
lag.c	RDMA/core: Consider flow label when building skb	2020-05-06 16:51:43 -03:00
mad_priv.h	IB/mad: Change atomics to refcount API	2020-06-24 16:43:45 -03:00
mad_rmpp.c	IB/mad: Delete RMPP_STATE_CANCELING state	2020-06-24 16:43:45 -03:00
mad_rmpp.h
mad.c	RDMA 5.9 merge window pull request	2020-08-06 16:43:36 -07:00
Makefile	RDMA/cm: Replace pr_debug() call sites with tracepoints	2020-08-24 19:41:41 -03:00
mr_pool.c	Linux 5.2-rc6	2019-06-28 21:18:23 -03:00
multicast.c	RDMA: Allow ib_client's to fail when add() is called	2020-05-06 11:57:33 -03:00
netlink.c	IB/core: Avoid deadlock during netlink message handling	2019-10-24 20:49:37 -03:00
nldev.c	RDMA/netlink: Remove CAP_NET_RAW check when dump a raw QP	2020-07-29 15:51:19 -03:00
opa_smi.h	RDMA: Start use ib_device_ops	2018-12-12 07:40:16 -07:00
packer.c
rdma_core.c	RDMA/core: Remove ucontext->closing	2020-09-30 15:27:19 -03:00
rdma_core.h	IB/uverbs: Introduce create/destroy QP commands over ioctl	2020-05-21 20:39:36 -03:00
restrack.c	RDMA/restrack: Don't treat as an error allocation ID wrapping	2021-01-19 18:27:31 +01:00
restrack.h	RDMA/restrack: Improve readability in task name management	2020-09-22 19:47:35 -03:00
roce_gid_mgmt.c	net: core: introduce struct netdev_nested_priv for nested interface infrastructure	2020-09-28 15:00:15 -07:00
rw.c	RDMA/core: remove use of dma_virt_ops	2021-01-09 13:46:24 +01:00
sa_query.c	IB/sa: Resolv use-after-free in ib_nl_make_request()	2020-07-02 16:05:12 -03:00
sa.h	RDMA/core: Annotate timeout as unsigned long	2018-10-16 13:34:01 -04:00
security.c	RDMA/core: Ensure security pkey modify is not lost	2020-03-24 19:53:25 -03:00
smi.c
smi.h	RDMA: Start use ib_device_ops	2018-12-12 07:40:16 -07:00
sysfs.c	RDMA/core: Change rdma_get_gid_attr returned error code	2020-10-01 21:20:11 -03:00
trace.c	RDMA/core: Clean up tracepoint headers	2020-07-06 14:54:46 -03:00
ucma.c	RDMA/ucma: Do not miss ctx destruction steps in some cases	2021-01-27 11:55:05 +01:00
ud_header.c	RDMA/core: Use sizeof_field() helper	2020-05-27 13:46:05 -03:00
umem_odp.c	IB/core: Enable ODP sync without faulting	2020-10-01 16:44:05 -03:00
umem.c	RDMA/umem: Avoid undefined behavior of rounddown_pow_of_two()	2021-01-27 11:55:08 +01:00
user_mad.c	IB/umad: Return EPOLLERR in case of when device disassociated	2021-03-04 11:38:01 +01:00
uverbs_cmd.c	RDMA/core: Align write and ioctl checks of QP types	2020-09-29 13:11:06 -03:00
uverbs_ioctl.c	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
uverbs_main.c	RDMA 5.10 pull request	2020-10-17 11:18:18 -07:00
uverbs_marshall.c	IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *'	2018-06-25 14:19:57 -06:00
uverbs_std_types_async_fd.c	RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj	2020-05-12 17:02:25 -03:00
uverbs_std_types_counters.c	RDMA: Make counters destroy symmetrical	2020-09-09 14:14:29 -03:00
uverbs_std_types_cq.c	RDMA/restrack: Improve readability in task name management	2020-09-22 19:47:35 -03:00
uverbs_std_types_device.c	RDMA/uverbs: Fix incorrect variable type	2020-12-30 11:53:47 +01:00
uverbs_std_types_dm.c	IB: When attrs.udata/ufile is available use that instead of uobject	2019-04-08 13:05:25 -03:00
uverbs_std_types_flow_action.c	IB: When attrs.udata/ufile is available use that instead of uobject	2019-04-08 13:05:25 -03:00
uverbs_std_types_mr.c	RDMA/core: Track device memory MRs	2020-12-30 11:53:24 +01:00
uverbs_std_types_qp.c	IB/uverbs: Introduce create/destroy QP commands over ioctl	2020-05-21 20:39:36 -03:00
uverbs_std_types_srq.c	IB/uverbs: Introduce create/destroy SRQ commands over ioctl	2020-05-21 20:39:35 -03:00
uverbs_std_types_wq.c	RDMA: Restore ability to return error for destroy WQ	2020-09-09 14:14:29 -03:00
uverbs_std_types.c	RDMA: Convert RWQ table logic to ib_core allocation scheme	2020-09-17 14:04:33 -03:00
uverbs_uapi.c	IB/uverbs: Introduce create/destroy QP commands over ioctl	2020-05-21 20:39:36 -03:00
uverbs.h	IB/uverbs: Extend CQ to get its own asynchronous event FD	2020-05-21 20:34:53 -03:00
verbs.c	RDMA/core: Fix error return in _ib_modify_qp()	2020-12-30 11:52:58 +01:00