linux/drivers/infiniband/core
Cong Wang 5fe23f262e ucma: fix a use-after-free in ucma_resolve_ip()
There is a race condition between ucma_close() and ucma_resolve_ip():

CPU0				CPU1
ucma_resolve_ip():		ucma_close():

ctx = ucma_get_ctx(file, cmd.id);

        list_for_each_entry_safe(ctx, tmp, &file->ctx_list, list) {
                mutex_lock(&mut);
                idr_remove(&ctx_idr, ctx->id);
                mutex_unlock(&mut);
                ...
                mutex_lock(&mut);
                if (!ctx->closing) {
                        mutex_unlock(&mut);
                        rdma_destroy_id(ctx->cm_id);
                ...
                ucma_free_ctx(ctx);

ret = rdma_resolve_addr();
ucma_put_ctx(ctx);

Before idr_remove(), ucma_get_ctx() could still find the ctx
and after rdma_destroy_id(), rdma_resolve_addr() may still
access id_priv pointer. Also, ucma_put_ctx() may use ctx after
ucma_free_ctx() too.

ucma_close() should call ucma_put_ctx() too, which tests the
refcnt and waits for the last one to release it. A similar
pattern is already used by ucma_destroy_id().

Reported-and-tested-by: syzbot+da2591e115d57a9cbb8b@syzkaller.appspotmail.com
Reported-by: syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com
Cc: Jason Gunthorpe <jgg@mellanox.com>
Cc: Doug Ledford <dledford@redhat.com>
Cc: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2018-09-13 13:04:13 -04:00
addr.c RDMA/core: Constify dst_addr argument 2018-07-30 20:49:04 -06:00
agent.c IB/core: Rename ib_destroy_ah to rdma_destroy_ah 2017-05-01 14:32:43 -04:00
agent.h
cache.c RDMA/core: Remove set-but-not-used variables 2018-07-09 12:11:22 -06:00
cgroup.c IB/core: added support to use rdma cgroup controller 2017-01-10 11:14:27 -05:00
cm_msgs.h IB/cm: Remove unused and erroneous msg sequence encoding 2018-07-09 11:39:28 -06:00
cm.c IB/core: Introduce and use sgid_attr in CM requests 2018-07-26 09:47:47 -06:00
cma_configfs.c IB/cma: use strlcpy() instead of strncpy() 2018-01-15 15:33:21 -07:00
cma_priv.h RDMA/cma: Move rdma_cm_state to cma_priv.h 2018-03-29 13:54:21 -06:00
cma.c RDMA/cma: Protect cma dev list with lock 2018-09-06 13:01:59 -06:00
core_priv.h IB/core: Change filter function return type from int to bool 2018-08-15 13:33:20 -06:00
cq.c RDMA/core: Reduce poll batch for direct cq polling 2018-03-06 20:08:39 -07:00
device.c RDMA/core: Remove {create,destroy}_ah from mandatory verbs 2018-07-30 20:31:09 -06:00
fmr_pool.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
iwcm.c RDMA/netlink: Fix general protection fault 2017-12-07 15:28:07 -05:00
iwcm.h
iwpm_msg.c RDMA/iwpm: Properly mark end of NL messages 2017-09-29 11:32:42 -04:00
iwpm_util.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
iwpm_util.h
mad_priv.h IB/mad: Use IDR for agent IDs 2018-06-18 11:22:54 -06:00
mad_rmpp.c IB/mad: Change slid in RMPP recv from 16 to 32 bits 2017-08-08 14:47:18 -04:00
mad_rmpp.h
mad.c RDMA/core: Simplify ib_post_(send|recv|srq_recv)() calls 2018-07-24 16:06:36 -06:00
Makefile IB/uverbs: Remove struct uverbs_root_spec and all supporting code 2018-08-13 09:17:19 -06:00
mr_pool.c
multicast.c IB: Make ib_init_ah_from_mcmember set sgid_attr 2018-06-25 14:19:56 -06:00
netlink.c RDMA/netlink: Simplify code of autoload modules 2018-01-02 13:36:57 -07:00
nldev.c RDMA/nldev: Return port capability flag for IB only 2018-06-18 11:09:05 -06:00
opa_smi.h
packer.c
rdma_core.c IB/core: Release object lock if destroy failed 2018-09-04 15:07:55 -06:00
rdma_core.h IB/uverbs: Remove struct uverbs_root_spec and all supporting code 2018-08-13 09:17:19 -06:00
restrack.c RDMA/restrack: Change SPDX tag to properly reflect license 2018-06-05 14:04:20 -06:00
roce_gid_mgmt.c IB/core: Change filter function return type from int to bool 2018-08-15 13:33:20 -06:00
rw.c RDMA/core: Simplify ib_post_(send|recv|srq_recv)() calls 2018-07-24 16:06:36 -06:00
sa_query.c RDMA: Validate grh_required when handling AVs 2018-07-10 11:13:04 -06:00
sa.h
security.c IB/core: Use CONFIG_SECURITY_INFINIBAND to compile out security code 2018-05-01 11:16:36 -04:00
smi.c
smi.h
sysfs.c IB/core: Replace ib_query_gid with rdma_get_gid_attr 2018-06-18 11:09:05 -06:00
ucm.c IB/ucm: Fix compiling ucm.c 2018-08-13 20:04:37 -06:00
ucma.c ucma: fix a use-after-free in ucma_resolve_ip() 2018-09-13 13:04:13 -04:00
ud_header.c
umem_odp.c mm, oom: distinguish blockable mode for mmu notifiers 2018-08-22 10:52:44 -07:00
umem.c RDMA/umem: Refactor exit paths in ib_umem_get 2018-07-13 12:15:05 -06:00
user_mad.c IB: Make ib_init_ah_attr_from_wc set sgid_attr 2018-06-25 14:19:56 -06:00
uverbs_cmd.c Linux 4.18 2018-08-16 13:12:00 -06:00
uverbs_ioctl.c IB/uverbs: Do not check for device disassociation during ioctl 2018-08-13 09:17:19 -06:00
uverbs_main.c RDMA/uverbs: Atomically flush and mark closed the comp event queue 2018-09-12 15:43:15 -06:00
uverbs_marshall.c IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *' 2018-06-25 14:19:57 -06:00
uverbs_std_types_counters.c IB/uverbs: Use uverbs_alloc for allocations 2018-08-13 09:16:13 -06:00
uverbs_std_types_cq.c IB/uverbs: Do not pass struct ib_device to the ioctl methods 2018-08-01 14:55:48 -06:00
uverbs_std_types_dm.c IB/uverbs: Do not pass struct ib_device to the ioctl methods 2018-08-01 14:55:48 -06:00
uverbs_std_types_flow_action.c IB/uverbs: Do not pass struct ib_device to the ioctl methods 2018-08-01 14:55:48 -06:00
uverbs_std_types_mr.c IB/uverbs: Do not pass struct ib_device to the ioctl methods 2018-08-01 14:55:48 -06:00
uverbs_std_types.c IB/uverbs: Remove the ib_uverbs_attr pointer from each attr 2018-08-10 16:06:24 -06:00
uverbs_uapi.c IB/uverbs: Use uverbs_api to unmarshal ioctl commands 2018-08-13 09:17:16 -06:00
uverbs.h IB/uverbs: Remove struct uverbs_root_spec and all supporting code 2018-08-13 09:17:19 -06:00
verbs.c Linux 4.18 2018-08-16 13:12:00 -06:00