linux/drivers/infiniband/hw/qedr
Michal Kalderon 0dfbd5ecf2 RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
Private data passed to iwarp_cm_handler is copied for connection request /
response, but ignored otherwise.  If junk is passed, it is stored in the
event and used later in the event processing.

The driver passes an old junk pointer during connection close which leads
to a use-after-free on event processing.  Set private data to NULL for
events that don't have private data.

  BUG: KASAN: use-after-free in ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: Read of size 4 at addr ffff8886caa71200 by task kworker/u128:1/5250
  kernel:
  kernel: Workqueue: iw_cm_wq cm_work_handler [iw_cm]
  kernel: Call Trace:
  kernel: dump_stack+0x8c/0xc0
  kernel: print_address_description.constprop.0+0x1b/0x210
  kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: __kasan_report.cold+0x1a/0x33
  kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: kasan_report+0xe/0x20
  kernel: check_memory_region+0x130/0x1a0
  kernel: memcpy+0x20/0x50
  kernel: ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: ? __rpc_execute+0x608/0x620 [sunrpc]
  kernel: cma_iw_handler+0x212/0x330 [rdma_cm]
  kernel: ? iw_conn_req_handler+0x6e0/0x6e0 [rdma_cm]
  kernel: ? enqueue_timer+0x86/0x140
  kernel: ? _raw_write_lock_irq+0xd0/0xd0
  kernel: cm_work_handler+0xd3d/0x1070 [iw_cm]

Fixes: e411e0587e ("RDMA/qedr: Add iWARP connection management functions")
Link: https://lore.kernel.org/r/20200616093408.17827-1-michal.kalderon@marvell.com
Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2020-06-18 09:44:45 -03:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
main.c RDMA: Remove 'max_fmr' 2020-06-02 20:32:54 -03:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
qedr_hsi_rdma.h qedr: Add support for kernel mode SRQ's 2018-08-14 16:31:54 -06:00
qedr_iw_cm.c RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532 2020-06-18 09:44:45 -03:00
qedr_iw_cm.h RDMA/qedr: Add iWARP connection management functions 2017-08-18 12:27:14 -04:00
qedr_roce_cm.c RDMA: Introduce and use GID attr helper to read RoCE L2 fields 2019-05-03 11:10:02 -03:00
qedr_roce_cm.h RDMA, core and ULPs: Declare ib_post_send() and ib_post_recv() arguments const 2018-07-30 20:09:34 -06:00
qedr.h RDMA: Remove 'max_fmr' 2020-06-02 20:32:54 -03:00
verbs.c RDMA: Remove 'max_map_per_fmr' 2020-06-02 20:32:54 -03:00
verbs.h RDMA: Group create AH arguments in struct 2020-05-02 20:19:53 -03:00