linux

mirror of https://github.com/torvalds/linux.git synced 2024-12-26 12:52:30 +00:00

History

Yishai Hadas e9eec6a55c IB/mlx5: Fix use-after-free error while accessing ev_file pointer Call to uverbs_close_fd() releases file pointer to 'ev_file' and mlx5_ib_dev is going to be inaccessible. Cache pointer prior cleaning resources to solve the KASAN warning below. BUG: KASAN: use-after-free in devx_async_event_close+0x391/0x480 [mlx5_ib] Read of size 8 at addr ffff888301e3cec0 by task devx_direct_tes/4631 CPU: 1 PID: 4631 Comm: devx_direct_tes Tainted: G OE 5.3.0-rc1-for-upstream-dbg-2019-07-26_01-19-56-93 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu2 04/01/2014 Call Trace: dump_stack+0x9a/0xeb print_address_description+0x1e2/0x400 ? devx_async_event_close+0x391/0x480 [mlx5_ib] __kasan_report+0x15c/0x1df ? devx_async_event_close+0x391/0x480 [mlx5_ib] kasan_report+0xe/0x20 devx_async_event_close+0x391/0x480 [mlx5_ib] __fput+0x26a/0x7b0 task_work_run+0x10d/0x180 exit_to_usermode_loop+0x137/0x160 do_syscall_64+0x3c7/0x490 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f5df907d664 Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 80 00 00 00 00 8b 05 6a cd 20 00 48 63 ff 85 c0 75 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 f3 c3 66 90 48 83 ec 18 48 89 7c 24 08 e8 RSP: 002b:00007ffd353cb958 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 000056017a88c348 RCX: 00007f5df907d664 RDX: 00007f5df969d400 RSI: 00007f5de8f1ec90 RDI: 0000000000000006 RBP: 00007f5df9681dc0 R08: 00007f5de8736410 R09: 000056017a9d2dd0 R10: 000000000000000b R11: 0000000000000246 R12: 00007f5de899d7d0 R13: 00007f5df96c4248 R14: 00007f5de8f1ecb0 R15: 000056017ae41308 Allocated by task 4631: save_stack+0x19/0x80 kasan_kmalloc.constprop.3+0xa0/0xd0 alloc_uobj+0x71/0x230 [ib_uverbs] alloc_begin_fd_uobject+0x2e/0xc0 [ib_uverbs] rdma_alloc_begin_uobject+0x96/0x140 [ib_uverbs] ib_uverbs_run_method+0xdf0/0x1940 [ib_uverbs] ib_uverbs_cmd_verbs+0x57e/0xdb0 [ib_uverbs] ib_uverbs_ioctl+0x177/0x260 [ib_uverbs] do_vfs_ioctl+0x18f/0x1010 ksys_ioctl+0x70/0x80 __x64_sys_ioctl+0x6f/0xb0 do_syscall_64+0x95/0x490 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 4631: save_stack+0x19/0x80 __kasan_slab_free+0x11d/0x160 slab_free_freelist_hook+0x67/0x1a0 kfree+0xb9/0x2a0 uverbs_close_fd+0x118/0x1c0 [ib_uverbs] devx_async_event_close+0x28a/0x480 [mlx5_ib] __fput+0x26a/0x7b0 task_work_run+0x10d/0x180 exit_to_usermode_loop+0x137/0x160 do_syscall_64+0x3c7/0x490 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888301e3cda8 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 280 bytes inside of 512-byte region [ffff888301e3cda8, ffff888301e3cfa8) The buggy address belongs to the page: page:ffffea000c078e00 refcount:1 mapcount:0 mapping:ffff888352811300 index:0x0 compound_mapcount: 0 flags: 0x2fffff80010200(slab\|head) raw: 002fffff80010200 ffffea000d152608 ffffea000c077808 ffff888352811300 raw: 0000000000000000 0000000000250025 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888301e3cd80: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb ffff888301e3ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888301e3ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888301e3cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888301e3cf80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc Disabling lock debugging due to kernel taint Cc: <stable@vger.kernel.org> # 5.2 Fixes: `7597385371` ("IB/mlx5: Enable subscription for device events over DEVX") Signed-off-by: Yishai Hadas <yishaih@mellanox.com> Signed-off-by: Leon Romanovsky <leonro@mellanox.com> Reviewed-by: Jason Gunthorpe <jgg@mellanox.com> Link: https://lore.kernel.org/r/20190808081538.28772-1-leon@kernel.org Signed-off-by: Doug Ledford <dledford@redhat.com>		2019-08-12 10:46:30 -04:00
..
accessibility
acpi	drivers/acpi/scan.c: document why we don't need the device_hotplug_lock	2019-08-03 07:02:01 -07:00
amba	Driver Core and debugfs changes for 5.3-rc1	2019-07-12 12:24:03 -07:00
android	binder: prevent transactions to context manager from its own process.	2019-07-24 11:02:28 +02:00
ata	ata: libahci: do not complain in case of deferred probe	2019-07-31 08:51:17 -06:00
atm	atm: idt77252: Remove call to memset after dma_alloc_coherent	2019-07-15 11:06:27 -07:00
auxdisplay	It's been a relatively busy cycle for docs:	2019-07-09 12:34:26 -07:00
base	Char/Misc driver fixes for 5.3-rc2	2019-07-28 10:26:10 -07:00
bcma
block	nbd: replace kill_bdev() with __invalidate_device() again	2019-07-31 08:51:56 -06:00
bluetooth	Bluetooth: hci_uart: check for missing tty operations	2019-07-31 13:17:33 -07:00
bus	ARM: SoC-related driver updates	2019-07-19 17:13:56 -07:00
cdrom
char	tpm: tpm_ibm_vtpm: Fix unallocated banks	2019-08-05 00:55:00 +03:00
clk	clk: renesas: cpg-mssr: Fix reset control race condition	2019-07-22 15:04:54 -07:00
clocksource	clocksource/drivers/npcm: Fix misuse of GENMASK macro	2019-07-10 11:05:26 +02:00
connector	connector: remove redundant input callback from cn_dev	2019-07-21 13:31:14 -07:00
counter	Staging / IIO driver update for 5.3-rc1	2019-07-11 15:36:02 -07:00
cpufreq	cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init()	2019-07-23 09:49:10 +02:00
cpuidle	Merge branch 'pm-cpufreq'	2019-07-18 09:49:30 +02:00
crypto	Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6	2019-07-19 12:23:37 -07:00
dax	Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2019-07-19 10:42:02 -07:00
dca
devfreq
dio
dma	dmaengine updates for v5.3-rc1	2019-07-17 09:55:43 -07:00
dma-buf	Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2019-07-19 10:42:02 -07:00
edac
eisa
extcon
firewire	firewire: mark expected switch fall-throughs	2019-07-25 20:09:37 -05:00
firmware	Merge branch 'for-linus-5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/ibft	2019-07-26 09:43:43 -07:00
fpga	fpga-manager: altera-ps-spi: Fix build error	2019-07-24 11:29:41 +02:00
fsi
gnss
gpio	gpiolib: Preserve desc->flags when setting state	2019-07-29 00:57:39 +02:00
gpu	drm-fixes for 5.3-rc3, take 2	2019-08-02 18:53:51 -07:00
hid	Linux 5.2	2019-07-15 09:42:32 -07:00
hsi
hv	proc/sysctl: add shared variables for range check	2019-07-18 17:08:07 -07:00
hwmon	hwmon: (nct6775) Fix register address and added missed tolerance for nct6106	2019-07-21 19:18:45 -07:00
hwspinlock	hwspinlock: add the 'in_atomic' API	2019-06-29 21:08:14 -07:00
hwtracing	coresight: Make the coresight_device_fwnode_match declaration's fwnode parameter const	2019-07-12 14:42:05 -07:00
i2c	i2c: s3c2410: Mark expected switch fall-through	2019-08-01 22:24:16 +02:00
i3c	* Drop support for 10-bit I2C addresses	2019-07-09 09:04:31 -07:00
ide	It's been a relatively busy cycle for docs:	2019-07-09 12:34:26 -07:00
idle
iio	Driver Core and debugfs changes for 5.3-rc1	2019-07-12 12:24:03 -07:00
infiniband	IB/mlx5: Fix use-after-free error while accessing ev_file pointer	2019-08-12 10:46:30 -04:00
input	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input	2019-07-20 12:22:30 -07:00
interconnect
iommu	virtio, vhost: bugfixes	2019-07-29 11:34:12 -07:00
ipack	TTY / Serial driver updates for 5.3-rc1	2019-07-11 15:38:21 -07:00
irqchip	irqchip fixes for 5.3	2019-08-01 20:21:00 +02:00
isdn	ISDN: hfcsusb: checking idx of ep configuration	2019-07-15 11:10:31 -07:00
leds	LED updates for 5.3-rc1	2019-07-09 08:59:39 -07:00
lightnvm
macintosh	drivers/macintosh/smu.c: Mark expected switch fall-through	2019-07-31 21:44:45 +10:00
mailbox	- stm32: race fix by adding a spinlock	2019-07-14 16:36:51 -07:00
mcb
md	dm table: fix various whitespace issues with recent DAX code	2019-07-30 18:59:24 -04:00
media	media updates for v5.3-rc1	2019-07-22 09:01:47 -07:00
memory	Kbuild updates for v5.3 (2nd)	2019-07-20 09:34:55 -07:00
memstick	MMC core:	2019-07-11 18:11:21 -07:00
message	SCSI misc on 20190709	2019-07-11 15:14:01 -07:00
mfd	- Core Frameworks	2019-07-15 20:18:40 -07:00
misc	at24 fixes for v5.3-rc3	2019-08-01 14:05:17 +02:00
mmc	mmc: mmc_spi: Enable stable writes	2019-07-22 15:31:00 +02:00
mtd	NAND:	2019-08-04 16:37:08 -07:00
mux
net	Wimplicit-fallthrough patches for 5.3-rc2	2019-07-27 11:04:18 -07:00
nfc	nfc: st-nci: remove redundant assignment to variable r	2019-07-02 12:00:50 -07:00
ntb	New feature to add support for NTB virtual MSI interrupts, the ability	2019-07-21 09:46:59 -07:00
nubus
nvdimm	libnvdimm fixes v5.3-rc2	2019-07-27 08:25:51 -07:00
nvme	Revert "nvme-pci: don't create a read hctx mapping without read queues"	2019-07-23 17:47:02 +02:00
nvmem	Driver Core and debugfs changes for 5.3-rc1	2019-07-12 12:24:03 -07:00
of	virtio, vhost: fixes, features, performance	2019-07-17 11:26:09 -07:00
opp	pci-v5.3-changes	2019-07-15 20:44:49 -07:00
oprofile	vfs: Convert oprofilefs to use the new mount API	2019-07-04 22:01:59 -04:00
parisc
parport	It's been a relatively busy cycle for docs:	2019-07-09 12:34:26 -07:00
pci	New feature to add support for NTB virtual MSI interrupts, the ability	2019-07-21 09:46:59 -07:00
pcmcia	It's been a relatively busy cycle for docs:	2019-07-09 12:34:26 -07:00
perf	drivers/perf: arm_pmu: Fix failure path in PM notifier	2019-07-29 11:43:48 +01:00
phy	phy: for 5.3	2019-07-01 15:04:59 +02:00
pinctrl	This is the bulk of pin control changes for the v5.3 kernel	2019-07-13 15:02:27 -07:00
platform	platform/x86: pcengines-apuv2: use KEY_RESTART for front button	2019-07-29 18:24:59 +03:00
pnp	docs: driver-api: add a series of orphaned documents	2019-07-15 11:03:02 -03:00
power	power supply and reset changes for the v5.3 series	2019-07-15 21:06:15 -07:00
powercap	powercap: Invoke powercap_init() and rapl_init() earlier	2019-07-22 11:23:00 +02:00
pps	drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl	2019-07-16 19:23:24 -07:00
ps3
ptp
pwm	pwm: Changes for v5.3-rc1	2019-07-09 08:57:45 -07:00
rapidio	Merge branch 'akpm' (patches from Andrew)	2019-07-17 08:58:04 -07:00
ras
regulator	- Core Frameworks	2019-07-15 20:18:40 -07:00
remoteproc	remoteproc updates for v5.3	2019-07-17 11:44:41 -07:00
reset	ARM: SoC-related driver updates	2019-07-19 17:13:56 -07:00
rpmsg
rtc	RTC for 5.3	2019-07-17 10:03:50 -07:00
s390	s390 updates for 5.3-rc3	2019-08-02 15:13:27 -07:00
sbus
scsi	SCSI fixes on 20190802	2019-08-02 14:46:33 -07:00
sfi
sh
siox
slimbus
sn
soc	Merge branch 'pdf_fixes_v1' of https://git.linuxtv.org/mchehab/experimental into mauro	2019-07-22 13:51:20 -06:00
soundwire	soundwire updates for v5.3-rc1	2019-07-05 08:15:08 +02:00
spi	Driver Core and debugfs changes for 5.3-rc1	2019-07-12 12:24:03 -07:00
spmi
ssb
staging	docs conversion for v5.3-rc1	2019-07-16 12:21:41 -07:00
target	scsi: target: cxgbit: add support for IEEE_8021QAZ_APP_SEL_STREAM selector	2019-07-22 17:04:20 -04:00
tc
tee
thermal	int340X/processor_thermal_device: Fix proc_thermal_rapl_remove()	2019-07-23 09:36:07 +02:00
thunderbolt	Driver Core and debugfs changes for 5.3-rc1	2019-07-12 12:24:03 -07:00
tty	TTY fixes for 5.3-rc2	2019-07-28 10:18:33 -07:00
uio
usb	xhci: Fix crash if scatter gather is used with Immediate Data Transfer (IDT).	2019-07-25 11:26:42 +02:00
uwb
vfio	VFIO updates for v5.3-rc1	2019-07-17 11:23:13 -07:00
vhost	vhost: disable metadata prefetch optimization	2019-07-26 07:49:29 -04:00
video	- New Functionality	2019-07-16 09:25:04 -07:00
virt
virtio	Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2019-07-19 10:42:02 -07:00
visorbus
vlynq
vme
w1	docs: driver-api: add a series of orphaned documents	2019-07-15 11:03:02 -03:00
watchdog	watchdog: digicolor_wdt: Remove unused variable in dc_wdt_probe	2019-07-15 08:49:11 +02:00
xen	xen: fixes for 5.3-rc3	2019-08-02 15:26:48 -07:00
zorro
Kconfig
Makefile