From patchwork Wed Sep 12 23:27:44 2018
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 10598451
From: Cong Wang
To: linux-kernel@vger.kernel.org
Cc: linux-rdma@vger.kernel.org, Cong Wang, Jason Gunthorpe, Doug Ledford, Leon Romanovsky
Subject: [PATCH] ucma: fix a use-after-free in ucma_resolve_ip()
Date: Wed, 12 Sep 2018 16:27:44 -0700
Message-Id: <20180912232744.12693-1-xiyou.wangcong@gmail.com>
X-Mailer: git-send-email 2.14.4
X-Mailing-List: linux-rdma@vger.kernel.org

There is a race condition between ucma_close() and ucma_resolve_ip():

        CPU0                                    CPU1
ucma_resolve_ip():                              ucma_close():

ctx = ucma_get_ctx(file, cmd.id);

                                                list_for_each_entry_safe(ctx, tmp, &file->ctx_list, list) {
                                                        mutex_lock(&mut);
                                                        idr_remove(&ctx_idr, ctx->id);
                                                        mutex_unlock(&mut);
                                                        ...
                                                        mutex_lock(&mut);
                                                        if (!ctx->closing) {
                                                                mutex_unlock(&mut);
                                                                rdma_destroy_id(ctx->cm_id);
                                                        ...
                                                        ucma_free_ctx(ctx);

ret = rdma_resolve_addr();
ucma_put_ctx(ctx);

Before idr_remove(), ucma_get_ctx() could still find the ctx and after rdma_destroy_id(), rdma_resolve_addr() may still access id_priv pointer. Also, ucma_put_ctx() may use ctx after ucma_free_ctx() too.

ucma_close() should call ucma_put_ctx() too which tests the refcnt and waits for the last one releasing it. A similar pattern is already used by ucma_destroy_id().

Reported-and-tested-by: syzbot+da2591e115d57a9cbb8b@syzkaller.appspotmail.com
Reported-by: syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com
Cc: Jason Gunthorpe
Cc: Doug Ledford
Cc: Leon Romanovsky
Signed-off-by: Cong Wang
Reviewed-by: Leon Romanovsky
---
 drivers/infiniband/core/ucma.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 5f437d1570fb..21863ddde63e 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1759,6 +1759,8 @@ static int ucma_close(struct inode *inode, struct file *filp) mutex_lock(&mut); if (!ctx->closing) { mutex_unlock(&mut); + ucma_put_ctx(ctx); + wait_for_completion(&ctx->comp); /* rdma_destroy_id ensures that no event handlers are * inflight for that id before releasing it. */
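Review bot: the two added lines deserve a comment of their own, because the existing comment directly below them only explains what rdma_destroy_id() guarantees for in-flight event handlers, not why ucma_close() now drops its reference and blocks on ctx->comp. A one-liner above "+ ucma_put_ctx(ctx);" such as "drop the file's reference and wait for callers that got the ctx via ucma_get_ctx() before idr_remove()" would make the teardown ordering self-explanatory. The placement itself looks right: idr_remove() already ran under &mut earlier in the loop (see the race diagram in the description), so no new ucma_get_ctx() can succeed once the file's own reference is dropped, and wait_for_completion(&ctx->comp) returns as soon as the last in-flight caller (the ucma_resolve_ip() path) does its ucma_put_ctx(). Worth confirming in review that the ctx->closing branch this hunk does not touch is already covered by ucma_destroy_id() doing the same put-and-wait, as the description states.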
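To make the refcount-plus-completion teardown pattern the patch applies concrete, here is an added userspace model of it; it is not the kernel's code and not part of this patch. The names model_ctx, model_get_ctx(), model_put_ctx(), model_close(), user_thread() and run_scenario() are this example's own inventions, and struct completion, complete() and wait_for_completion() are re-implemented with a mutex and condition variable to stand in for the kernel primitives. The user thread plays ucma_resolve_ip() (it looks the ctx up and keeps using it), the main thread plays ucma_close() with or without the two added lines, and the scenario records whether the user touched the ctx after it was "freed" and how many references were still outstanding at that moment.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Kernel struct completion modelled with a mutex and a condition variable. */
struct completion { pthread_mutex_t lock; pthread_cond_t cond; bool done; };

static void init_completion(struct completion *c)
{
    pthread_mutex_init(&c->lock, NULL);
    pthread_cond_init(&c->cond, NULL);
    c->done = false;
}

static void complete(struct completion *c)
{
    pthread_mutex_lock(&c->lock);
    c->done = true;
    pthread_cond_broadcast(&c->cond);
    pthread_mutex_unlock(&c->lock);
}

static void wait_for_completion(struct completion *c)
{
    pthread_mutex_lock(&c->lock);
    while (!c->done)
        pthread_cond_wait(&c->cond, &c->lock);
    pthread_mutex_unlock(&c->lock);
}

/* Hypothetical stand-in for struct ucma_context (only the fields the race needs). */
struct model_ctx {
    atomic_int ref;          /* the file's own reference plus one per in-flight user */
    struct completion comp;  /* signalled when the last reference is dropped */
    bool removed;            /* idr_remove() done: lookups must fail from now on */
    atomic_bool freed;       /* ucma_free_ctx() done: any later access is a use-after-free */
};

static pthread_mutex_t mut = PTHREAD_MUTEX_INITIALIZER; /* models ucma's global 'mut' */

/* Like ucma_get_ctx(): under mut, refuse a removed ctx, otherwise take a reference. */
static struct model_ctx *model_get_ctx(struct model_ctx *ctx)
{
    pthread_mutex_lock(&mut);
    if (ctx->removed) { pthread_mutex_unlock(&mut); return NULL; }
    atomic_fetch_add(&ctx->ref, 1);
    pthread_mutex_unlock(&mut);
    return ctx;
}

/* Like ucma_put_ctx(): whoever drops the last reference signals the completion. */
static void model_put_ctx(struct model_ctx *ctx)
{
    if (atomic_fetch_sub(&ctx->ref, 1) == 1)
        complete(&ctx->comp);
}

struct scenario {
    struct model_ctx ctx;
    bool fixed;                    /* apply the patch's put + wait in close()? */
    struct completion user_holds;  /* user thread has taken its reference */
    struct completion close_done;  /* close() returned (only waited on in unfixed mode) */
    bool saw_freed;                /* user touched ctx after it was freed */
    int refs_at_free;              /* references still outstanding when ctx was freed */
};

/* The ucma_resolve_ip() side: look the ctx up, keep working with it, drop the reference. */
static void *user_thread(void *arg)
{
    struct scenario *s = arg;
    struct model_ctx *ctx = model_get_ctx(&s->ctx); /* wins the race against idr_remove() */
    complete(&s->user_holds);
    if (!s->fixed)
        wait_for_completion(&s->close_done);  /* let the unfixed close() run to the end first */
    s->saw_freed = ctx->freed;   /* rdma_resolve_addr() / ucma_put_ctx() touching ctx */
    model_put_ctx(ctx);
    return NULL;
}

/* The ucma_close() side, with or without the patch's two added lines. */
static void model_close(struct scenario *s)
{
    struct model_ctx *ctx = &s->ctx;
    pthread_mutex_lock(&mut);
    ctx->removed = true;         /* idr_remove(): no new lookups can succeed */
    pthread_mutex_unlock(&mut);
    if (s->fixed) {
        model_put_ctx(ctx);               /* + ucma_put_ctx(ctx); */
        wait_for_completion(&ctx->comp);  /* + wait_for_completion(&ctx->comp); */
    }
    s->refs_at_free = atomic_load(&ctx->ref);
    ctx->freed = true;           /* rdma_destroy_id() + ucma_free_ctx() */
}

struct outcome { bool saw_freed; int refs_at_free; };

static struct outcome run_scenario(bool fixed)
{
    struct scenario s = { .fixed = fixed };
    pthread_t t;
    atomic_init(&s.ctx.ref, 1);          /* the file's own reference */
    init_completion(&s.ctx.comp);
    init_completion(&s.user_holds);
    init_completion(&s.close_done);
    pthread_create(&t, NULL, user_thread, &s);
    wait_for_completion(&s.user_holds);  /* user is inside ucma_resolve_ip() holding ctx */
    model_close(&s);
    complete(&s.close_done);
    pthread_join(t, NULL);
    return (struct outcome){ s.saw_freed, s.refs_at_free };
}

int main(void)
{
    struct outcome before = run_scenario(false), after = run_scenario(true);
    printf("unfixed: user saw freed ctx=%d, refs outstanding at free=%d\n",
           before.saw_freed, before.refs_at_free);
    printf("fixed:   user saw freed ctx=%d, refs outstanding at free=%d\n",
           after.saw_freed, after.refs_at_free);
    return 0;
}
```

Without the two lines, close() frees while two references (the file's and the user's) are still outstanding and the user thread then reads a freed ctx; with them, close() cannot reach the free until the user's put has brought the count to zero, which is exactly why the completion must be waited on after idr_remove() has cut off new lookups (otherwise a fresh ucma_get_ctx() could keep the count from ever reaching zero, or take a reference after the wait returned).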