
RDMA/rxe: Fix double-free in __rxe_cleanup() when MR allocate failed

Message ID 20221118111826.3558230-1-zhangxiaoxu5@huawei.com (mailing list archive)
State Rejected

Commit Message

Zhang Xiaoxu Nov. 18, 2022, 11:18 a.m. UTC
There is a double free when mount.cifs over RDMA fails to allocate an MR:

  BUG: KASAN: double-free in __rxe_cleanup+0x101/0x1d0 [rdma_rxe]
  Free of addr ffff88817f8f0a20 by task mount.cifs/28201
  CPU: 1 PID: 28201 Comm: mount.cifs Not tainted 6.1.0-rc5+ #84
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
  Call Trace:
   dump_stack_lvl+0x34/0x44
   print_report+0x171/0x472
   kasan_report_invalid_free+0x84/0xf0
   ____kasan_slab_free+0x166/0x1b0
   __kmem_cache_free+0xc8/0x330
   __rxe_cleanup+0x101/0x1d0 [rdma_rxe]
   rxe_alloc_mr+0x88/0x90 [rdma_rxe]
   ib_alloc_mr+0x5a/0x1d0
   _smbd_get_connection+0x1c0f/0x21a0
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  Allocated by task 28201:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   __kasan_kmalloc+0x7a/0x90
   __kmalloc+0x5f/0x150
   rxe_mr_alloc+0x5d/0x240 [rdma_rxe]
   rxe_mr_init_fast+0xfd/0x180 [rdma_rxe]
   rxe_alloc_mr+0x64/0x90 [rdma_rxe]
   ib_alloc_mr+0x5a/0x1d0
   _smbd_get_connection+0x1c0f/0x21a0
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  Freed by task 28201:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   kasan_save_free_info+0x2a/0x40
   ____kasan_slab_free+0x143/0x1b0
   __kmem_cache_free+0xc8/0x330
   rxe_mr_alloc+0x16d/0x240 [rdma_rxe]
   rxe_mr_init_fast+0xfd/0x180 [rdma_rxe]
   rxe_alloc_mr+0x64/0x90 [rdma_rxe]
   ib_alloc_mr+0x5a/0x1d0
   _smbd_get_connection+0x1c0f/0x21a0
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

When MR allocation fails, the MRs and the array are already freed,
but the cleanup process frees them again.

Let's set the MR array to NULL when MR allocation fails, so that
the cleanup process does not free it again.

Fixes: 8700e3e7c485 ("Soft RoCE driver")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
---
 drivers/infiniband/sw/rxe/rxe_mr.c | 1 +
 1 file changed, 1 insertion(+)
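As an added example (not the kernel's code), here is a user-space model of the error path this patch touches: `mr_alloc` mirrors rxe_mr_alloc() with the one-line fix switchable, `mr_cleanup` is modelled on the MR cleanup that __rxe_cleanup() runs afterwards (assumed to skip a NULL map), and a small tracking allocator stands in for KASAN by counting frees of blocks that are no longer live. All function and variable names are constructed for this example, and the fault injection assumes the third allocation is the one that fails.

```c
/* Added example, not the kernel's code: user-space model of the rxe_mr_alloc() error path. */
#include <stdlib.h>
#include <string.h>
struct rxe_mr { void **map; int num_map; };   /* the two fields the bug involves */
static void *live[16];    /* constructed: blocks currently allocated (stands in for KASAN) */
static int double_frees;  /* what KASAN reports as "double-free" */
static int fail_after;    /* fault injection: the Nth allocation (0-based) returns NULL */
static void *track_alloc(size_t n) {
    if (fail_after-- == 0) return NULL;
    void *p = calloc(1, n);
    for (int i = 0; i < 16; i++)
        if (!live[i]) { live[i] = p; return p; }
    abort();
}
static void track_free(void *p) {
    if (!p) return;       /* kfree(NULL) is a no-op, as in the kernel */
    for (int i = 0; i < 16; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;       /* freeing a block that is not live: a double free */
}
/* Mirrors the patched function: on failure free the partial work, then (if fixed) null mr->map. */
static int mr_alloc(struct rxe_mr *mr, int num_map, int fixed) {
    int i; mr->map = track_alloc(num_map * sizeof(*mr->map));
    if (!mr->map) return -1;
    for (i = 0; i < num_map; i++)
        if (!(mr->map[i] = track_alloc(64))) goto err2;  /* 64: stand-in for sizeof(struct rxe_map) */
    mr->num_map = num_map;
    return 0;
err2:
    for (i--; i >= 0; i--) track_free(mr->map[i]);
    track_free(mr->map);
    if (fixed) mr->map = NULL;   /* the one-line fix from the patch */
    return -1;
}
/* Caller-side cleanup, modelled on the MR cleanup __rxe_cleanup() runs: assumed to skip a NULL map. */
static void mr_cleanup(struct rxe_mr *mr) {
    if (!mr->map) return;
    for (int i = 0; i < mr->num_map; i++) track_free(mr->map[i]);
    track_free(mr->map);
}
/* Allocation fails at map[1], then cleanup runs as in rxe_alloc_mr(); returns the double-free count. */
int double_frees_on_failure(int fixed) {
    struct rxe_mr mr = { 0 };            /* the pool allocator zeroes the object, so num_map == 0 */
    memset(live, 0, sizeof live); double_frees = 0;
    fail_after = 2;                      /* array ok, map[0] ok, map[1] fails */
    mr_alloc(&mr, 3, fixed);
    mr_cleanup(&mr);
    return double_frees;                 /* 1 without the fix, 0 with it */
}
```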

Comments

Zhijian Li (Fujitsu) Nov. 19, 2022, 1:35 a.m. UTC | #1
Xiaoxu

Thanks for this fix; it is a duplicate of
https://lore.kernel.org/lkml/6a3ba62e-6116-7f09-b314-d6823671aaa9@fujitsu.com/T/

Thanks
Zhijian


On 18/11/2022 19:18, Zhang Xiaoxu wrote:
> There is a double free when mount.cifs over RDMA fails to allocate an MR:
> 
>    BUG: KASAN: double-free in __rxe_cleanup+0x101/0x1d0 [rdma_rxe]
>    Free of addr ffff88817f8f0a20 by task mount.cifs/28201
>    CPU: 1 PID: 28201 Comm: mount.cifs Not tainted 6.1.0-rc5+ #84
>    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
>    Call Trace:
>     dump_stack_lvl+0x34/0x44
>     print_report+0x171/0x472
>     kasan_report_invalid_free+0x84/0xf0
>     ____kasan_slab_free+0x166/0x1b0
>     __kmem_cache_free+0xc8/0x330
>     __rxe_cleanup+0x101/0x1d0 [rdma_rxe]
>     rxe_alloc_mr+0x88/0x90 [rdma_rxe]
>     ib_alloc_mr+0x5a/0x1d0
>     _smbd_get_connection+0x1c0f/0x21a0
>     smbd_get_connection+0x21/0x40
>     cifs_get_tcp_session+0x8ef/0xda0
>     mount_get_conns+0x60/0x750
>     cifs_mount+0x103/0xd00
>     cifs_smb3_do_mount+0x1dd/0xcb0
>     smb3_get_tree+0x1d5/0x300
>     vfs_get_tree+0x41/0xf0
>     path_mount+0x9b3/0xdd0
>     __x64_sys_mount+0x190/0x1d0
>     do_syscall_64+0x35/0x80
>     entry_SYSCALL_64_after_hwframe+0x46/0xb0
> 
>    Allocated by task 28201:
>     kasan_save_stack+0x1e/0x40
>     kasan_set_track+0x21/0x30
>     __kasan_kmalloc+0x7a/0x90
>     __kmalloc+0x5f/0x150
>     rxe_mr_alloc+0x5d/0x240 [rdma_rxe]
>     rxe_mr_init_fast+0xfd/0x180 [rdma_rxe]
>     rxe_alloc_mr+0x64/0x90 [rdma_rxe]
>     ib_alloc_mr+0x5a/0x1d0
>     _smbd_get_connection+0x1c0f/0x21a0
>     smbd_get_connection+0x21/0x40
>     cifs_get_tcp_session+0x8ef/0xda0
>     mount_get_conns+0x60/0x750
>     cifs_mount+0x103/0xd00
>     cifs_smb3_do_mount+0x1dd/0xcb0
>     smb3_get_tree+0x1d5/0x300
>     vfs_get_tree+0x41/0xf0
>     path_mount+0x9b3/0xdd0
>     __x64_sys_mount+0x190/0x1d0
>     do_syscall_64+0x35/0x80
>     entry_SYSCALL_64_after_hwframe+0x46/0xb0
> 
>    Freed by task 28201:
>     kasan_save_stack+0x1e/0x40
>     kasan_set_track+0x21/0x30
>     kasan_save_free_info+0x2a/0x40
>     ____kasan_slab_free+0x143/0x1b0
>     __kmem_cache_free+0xc8/0x330
>     rxe_mr_alloc+0x16d/0x240 [rdma_rxe]
>     rxe_mr_init_fast+0xfd/0x180 [rdma_rxe]
>     rxe_alloc_mr+0x64/0x90 [rdma_rxe]
>     ib_alloc_mr+0x5a/0x1d0
>     _smbd_get_connection+0x1c0f/0x21a0
>     smbd_get_connection+0x21/0x40
>     cifs_get_tcp_session+0x8ef/0xda0
>     mount_get_conns+0x60/0x750
>     cifs_mount+0x103/0xd00
>     cifs_smb3_do_mount+0x1dd/0xcb0
>     smb3_get_tree+0x1d5/0x300
>     vfs_get_tree+0x41/0xf0
>     path_mount+0x9b3/0xdd0
>     __x64_sys_mount+0x190/0x1d0
>     do_syscall_64+0x35/0x80
>     entry_SYSCALL_64_after_hwframe+0x46/0xb0
> 
> When MR allocation fails, the MRs and the array are already freed,
> but the cleanup process frees them again.
> 
> Let's set the MR array to NULL when MR allocation fails, so that
> the cleanup process does not free it again.
> 
> Fixes: 8700e3e7c485 ("Soft RoCE driver")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
> ---
>   drivers/infiniband/sw/rxe/rxe_mr.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
> index 502e9ada99b3..82dd14654686 100644
> --- a/drivers/infiniband/sw/rxe/rxe_mr.c
> +++ b/drivers/infiniband/sw/rxe/rxe_mr.c
> @@ -99,6 +99,7 @@ static int rxe_mr_alloc(struct rxe_mr *mr, int num_buf)
>   		kfree(mr->map[i]);
>   
>   	kfree(mr->map);
> +	mr->map = NULL;
>   err1:
>   	return -ENOMEM;
>   }

Patch

diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
index 502e9ada99b3..82dd14654686 100644
--- a/drivers/infiniband/sw/rxe/rxe_mr.c
+++ b/drivers/infiniband/sw/rxe/rxe_mr.c
@@ -99,6 +99,7 @@  static int rxe_mr_alloc(struct rxe_mr *mr, int num_buf)
 		kfree(mr->map[i]);
 
 	kfree(mr->map);
+	mr->map = NULL;
 err1:
 	return -ENOMEM;
 }
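Review bot: The added `mr->map = NULL;` after `kfree(mr->map);` on the err2 path only closes the double free if the cleanup that runs afterwards tests `mr->map` for NULL before walking `mr->map[i]`; that check lies outside this hunk, so the commit message should state that __rxe_cleanup()'s MR cleanup guards on a NULL map, otherwise the change trades the reported double free for a NULL dereference in the per-entry loop. The per-entry `kfree(mr->map[i])` frees above the hunk leave dangling pointers in the array until the array itself is freed, which is fine as long as nothing reads the array afterwards, and nulling the array pointer is what guarantees that.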