linux/drivers/infiniband/hw
Michal Kalderon 0dfbd5ecf2 RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
Private data passed to iwarp_cm_handler is copied for connection request /
response, but ignored otherwise.  If junk is passed, it is stored in the
event and used later in the event processing.

The driver passes an old junk pointer during connection close which leads
to a use-after-free on event processing.  Set private data to NULL for
events that don't have private data.

  BUG: KASAN: use-after-free in ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: Read of size 4 at addr ffff8886caa71200 by task kworker/u128:1/5250
  kernel:
  kernel: Workqueue: iw_cm_wq cm_work_handler [iw_cm]
  kernel: Call Trace:
  kernel: dump_stack+0x8c/0xc0
  kernel: print_address_description.constprop.0+0x1b/0x210
  kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: __kasan_report.cold+0x1a/0x33
  kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: kasan_report+0xe/0x20
  kernel: check_memory_region+0x130/0x1a0
  kernel: memcpy+0x20/0x50
  kernel: ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: ? __rpc_execute+0x608/0x620 [sunrpc]
  kernel: cma_iw_handler+0x212/0x330 [rdma_cm]
  kernel: ? iw_conn_req_handler+0x6e0/0x6e0 [rdma_cm]
  kernel: ? enqueue_timer+0x86/0x140
  kernel: ? _raw_write_lock_irq+0xd0/0xd0
  kernel: cm_work_handler+0xd3d/0x1070 [iw_cm]

Fixes: e411e0587e ("RDMA/qedr: Add iWARP connection management functions")
Link: https://lore.kernel.org/r/20200616093408.17827-1-michal.kalderon@marvell.com
Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2020-06-18 09:44:45 -03:00
..
bnxt_re treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
cxgb4 treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
efa RDMA/efa: Set maximum pkeys device attribute 2020-06-18 09:41:07 -03:00
hfi1 RDMA/hfi1: Fix trivial mis-spelling of 'descriptor' 2020-06-15 15:56:54 -03:00
hns treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
i40iw treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mlx4 treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mlx5 RDMA/mlx5: Fix -Wformat warning in check_ucmd_data() 2020-06-15 15:39:36 -03:00
mthca treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ocrdma treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
qedr RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532 2020-06-18 09:44:45 -03:00
qib treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
usnic treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
vmw_pvrdma treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile RDMA/iw_cxgb3: Remove the iw_cxgb3 module from kernel 2019-10-04 15:08:59 -03:00