| Message ID | 20230603004620.906089-1-shinichiro.kawasaki@wdc.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | RDMA/cma: prevent rdma id destroy during cma_iw_handler | expand |
On Sat, Jun 03, 2023 at 09:46:20AM +0900, Shin'ichiro Kawasaki wrote: > When rdma_destroy_id() and cma_iw_handler() race, struct rdma_id_private > *id_priv can be destroyed during cma_iw_handler call. This causes "BUG: > KASAN: slab-use-after-free" at mutex_lock() in cma_iw_handler(). > To prevent the destroy of id_priv, keep its reference count by calling > cma_id_get() and cma_id_put() at start and end of cma_iw_handler(). Please add relevant kernel panic to commit message. > > Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> > Cc: stable@vger.kernel.org Add Fixes line when you are fixing bug. > --- > The BUG KASAN was observed with blktests at test cases nvme/030 or nvme/031, > using SIW transport [1]. To reproduce it, it is required to repeat the test > cases from 30 to 50 times on my test system. > > [1] https://lore.kernel.org/linux-block/rsmmxrchy6voi5qhl4irss5sprna3f5owkqtvybxglcv2pnylm@xmrnpfu3tfpe/ > > drivers/infiniband/core/cma.c | 3 +++ > 1 file changed, 3 insertions(+) The fix looks correct to me. Thanks
Thanks for the comments. On Jun 11, 2023 / 16:37, Leon Romanovsky wrote: > On Sat, Jun 03, 2023 at 09:46:20AM +0900, Shin'ichiro Kawasaki wrote: > > When rdma_destroy_id() and cma_iw_handler() race, struct rdma_id_private > > *id_priv can be destroyed during cma_iw_handler call. This causes "BUG: > > KASAN: slab-use-after-free" at mutex_lock() in cma_iw_handler(). > > To prevent the destroy of id_priv, keep its reference count by calling > > cma_id_get() and cma_id_put() at start and end of cma_iw_handler(). > > Please add relevant kernel panic to commit message. Sure, will do in v2. > > > > > Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> > > Cc: stable@vger.kernel.org > > Add Fixes line when you are fixing bug. I see. I checked commit logs of drivers/infinibad/core/cma.c. It looks the issue has been existing since the commit de910bd92137 ("RDMA/cma: Simplify locking needed for serialization of callbacks") in 2008, which modified the method to guard id_priv. I'll add the Fixes tag with this commit. > > > --- > > The BUG KASAN was observed with blktests at test cases nvme/030 or nvme/031, > > using SIW transport [1]. To reproduce it, it is required to repeat the test > > cases from 30 to 50 times on my test system. > > > > [1] https://lore.kernel.org/linux-block/rsmmxrchy6voi5qhl4irss5sprna3f5owkqtvybxglcv2pnylm@xmrnpfu3tfpe/ > > > > drivers/infiniband/core/cma.c | 3 +++ > > 1 file changed, 3 insertions(+) > > The fix looks correct to me. > > Thanks
diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c index 93a1c48d0c32..c5267d9bb184 100644 --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c @@ -2477,6 +2477,7 @@ static int cma_iw_handler(struct iw_cm_id *iw_id, struct iw_cm_event *iw_event) struct sockaddr *laddr = (struct sockaddr *)&iw_event->local_addr; struct sockaddr *raddr = (struct sockaddr *)&iw_event->remote_addr; + cma_id_get(id_priv); mutex_lock(&id_priv->handler_mutex); if (READ_ONCE(id_priv->state) != RDMA_CM_CONNECT) goto out; @@ -2524,12 +2525,14 @@ static int cma_iw_handler(struct iw_cm_id *iw_id, struct iw_cm_event *iw_event) if (ret) { /* Destroy the CM ID by returning a non-zero value. */ id_priv->cm_id.iw = NULL; + cma_id_put(id_priv); destroy_id_handler_unlock(id_priv); return ret; } out: mutex_unlock(&id_priv->handler_mutex); + cma_id_put(id_priv); return ret; }
When rdma_destroy_id() and cma_iw_handler() race, struct rdma_id_private *id_priv can be destroyed during cma_iw_handler call. This causes "BUG: KASAN: slab-use-after-free" at mutex_lock() in cma_iw_handler(). To prevent the destroy of id_priv, keep its reference count by calling cma_id_get() and cma_id_put() at start and end of cma_iw_handler(). Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> Cc: stable@vger.kernel.org --- The BUG KASAN was observed with blktests at test cases nvme/030 or nvme/031, using SIW transport [1]. To reproduce it, it is required to repeat the test cases from 30 to 50 times on my test system. [1] https://lore.kernel.org/linux-block/rsmmxrchy6voi5qhl4irss5sprna3f5owkqtvybxglcv2pnylm@xmrnpfu3tfpe/ drivers/infiniband/core/cma.c | 3 +++ 1 file changed, 3 insertions(+)