[for-rc] RDMA/iwcm: Fix iwcm work deallocation

Message ID	20200302181614.17042-1-bmt@zurich.ibm.com (mailing list archive)
State	Mainlined
Commit	810dbc69087b08fd53e1cdd6c709f385bc2921ad
Delegated to:	Jason Gunthorpe
Headers	show Return-Path: <SRS0=cH6f=4T=vger.kernel.org=linux-rdma-owner@kernel.org> Gateway: Authorized Use Only! Violators will be prosecuted for <linux-rdma@vger.kernel.org> from <bmt@zurich.ibm.com>; Mon, 2 Mar 2020 18:16:20 -0000 Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 2 Mar 2020 18:16:17 -0000 From: Bernard Metzler <bmt@zurich.ibm.com> To: jgg@ziepe.ca, dledford@redhat.com, kamalheib1@gmail.com, krishna2@chelsio.com, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, syzkaller-bugs@googlegroups.com Cc: Bernard Metzler <bmt@zurich.ibm.com> Subject: [PATCH for-rc] RDMA/iwcm: Fix iwcm work deallocation Date: Mon, 2 Mar 2020 19:16:14 +0100 Message-Id: <20200302181614.17042-1-bmt@zurich.ibm.com> Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk
Series	[for-rc] RDMA/iwcm: Fix iwcm work deallocation \| expand [for-rc] RDMA/iwcm: Fix iwcm work deallocation

Message ID

20200302181614.17042-1-bmt@zurich.ibm.com (mailing list archive)

State

Mainlined

Commit

810dbc69087b08fd53e1cdd6c709f385bc2921ad

Delegated to:

Jason Gunthorpe

Headers

show

Return-Path: <SRS0=cH6f=4T=vger.kernel.org=linux-rdma-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 817C4109A
	for <patchwork-linux-rdma@patchwork.kernel.org>;
 Mon,  2 Mar 2020 18:16:39 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 69BB420836
	for <patchwork-linux-rdma@patchwork.kernel.org>;
 Mon,  2 Mar 2020 18:16:39 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727202AbgCBSQi (ORCPT
        <rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
        Mon, 2 Mar 2020 13:16:38 -0500
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:62800 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726451AbgCBSQi (ORCPT
        <rfc822;linux-rdma@vger.kernel.org>); Mon, 2 Mar 2020 13:16:38 -0500
Received: from pps.filterd (m0098417.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id
 022IGZXI105654
        for <linux-rdma@vger.kernel.org>; Mon, 2 Mar 2020 13:16:37 -0500
Received: from e06smtp03.uk.ibm.com (e06smtp03.uk.ibm.com [195.75.94.99])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2yfmqa488n-1
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
        for <linux-rdma@vger.kernel.org>; Mon, 02 Mar 2020 13:16:36 -0500
Received: from localhost
        by e06smtp03.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
 Only! Violators will be prosecuted
        for <linux-rdma@vger.kernel.org> from <bmt@zurich.ibm.com>;
        Mon, 2 Mar 2020 18:16:20 -0000
Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197)
        by e06smtp03.uk.ibm.com (192.168.101.133) with IBM ESMTP SMTP Gateway:
 Authorized Use Only! Violators will be prosecuted;
        (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256)
        Mon, 2 Mar 2020 18:16:17 -0000
Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com
 [9.149.105.59])
        by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with
 ESMTP id 022IGG8N58392724
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
 verify=OK);
        Mon, 2 Mar 2020 18:16:16 GMT
Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id B1BD2A4053;
        Mon,  2 Mar 2020 18:16:16 +0000 (GMT)
Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 5A67BA4051;
        Mon,  2 Mar 2020 18:16:16 +0000 (GMT)
Received: from spoke.zurich.ibm.com (unknown [9.4.69.152])
        by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP;
        Mon,  2 Mar 2020 18:16:16 +0000 (GMT)
From: Bernard Metzler <bmt@zurich.ibm.com>
To: jgg@ziepe.ca, dledford@redhat.com, kamalheib1@gmail.com,
        krishna2@chelsio.com, linux-kernel@vger.kernel.org,
        linux-rdma@vger.kernel.org, syzkaller-bugs@googlegroups.com
Cc: Bernard Metzler <bmt@zurich.ibm.com>
Subject: [PATCH for-rc] RDMA/iwcm: Fix iwcm work deallocation
Date: Mon,  2 Mar 2020 19:16:14 +0100
X-Mailer: git-send-email 2.17.2
X-TM-AS-GCONF: 00
x-cbid: 20030218-0012-0000-0000-0000038C5F85
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 20030218-0013-0000-0000-000021C91379
Message-Id: <20200302181614.17042-1-bmt@zurich.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138,18.0.572
 definitions=2020-03-02_07:2020-03-02,2020-03-02 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 malwarescore=0 mlxscore=0
 spamscore=0 clxscore=1015 lowpriorityscore=0 suspectscore=2 bulkscore=0
 mlxlogscore=917 phishscore=0 adultscore=0 priorityscore=1501
 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2001150001 definitions=main-2003020119
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org

Series

[for-rc] RDMA/iwcm: Fix iwcm work deallocation | expand

Commit Message

Bernard Metzler March 2, 2020, 6:16 p.m. UTC

The dealloc_work_entries() function must update the
work_free_list pointer while freeing its entries, since
potentially called again on same list. A second iteration
of the work list caused system crash. This happens, if
work allocation fails during cma_iw_listen() and
free_cm_id() tries to free the list again during cleanup.

Reported-by: syzbot+cb0c054eabfba4342146@syzkaller.appspotmail.com
Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
---
 drivers/infiniband/core/iwcm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Jason Gunthorpe March 4, 2020, 6:35 p.m. UTC | #1

On Mon, Mar 02, 2020 at 07:16:14PM +0100, Bernard Metzler wrote:
> The dealloc_work_entries() function must update the
> work_free_list pointer while freeing its entries, since
> potentially called again on same list. A second iteration
> of the work list caused system crash. This happens, if
> work allocation fails during cma_iw_listen() and
> free_cm_id() tries to free the list again during cleanup.
> 
> Reported-by: syzbot+cb0c054eabfba4342146@syzkaller.appspotmail.com
> Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
> ---
>  drivers/infiniband/core/iwcm.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Applied to for-rc, please include Fixes lines in patches like this, I
added one
 
 diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
> index ade71823370f..da8adadf4755 100644
> --- a/drivers/infiniband/core/iwcm.c
> +++ b/drivers/infiniband/core/iwcm.c
> @@ -159,8 +159,10 @@ static void dealloc_work_entries(struct iwcm_id_private *cm_id_priv)
>  {
>  	struct list_head *e, *tmp;
>  
> -	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list)
> +	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) {
> +		list_del(e);
>  		kfree(list_entry(e, struct iwcm_work, free_list));

It would be nice if someone were to fix the use of the list macros in
this file to use the _entry_ versions

Jason

diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
index ade71823370f..da8adadf4755 100644
--- a/drivers/infiniband/core/iwcm.c
+++ b/drivers/infiniband/core/iwcm.c
@@ -159,8 +159,10 @@  static void dealloc_work_entries(struct iwcm_id_private *cm_id_priv)
 {
 	struct list_head *e, *tmp;
 
-	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list)
+	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) {
+		list_del(e);
 		kfree(list_entry(e, struct iwcm_work, free_list));
+	}
 }
 
 static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count)

[for-rc] RDMA/iwcm: Fix iwcm work deallocation

Commit Message

Comments

Patch