From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+e6aba77967bd72cbc9d6@syzkaller.appspotmail.com,
Leon Romanovsky <leonro@mellanox.com>,
Sean Hefty <sean.hefty@intel.com>,
Doug Ledford <dledford@redhat.com>
Subject: [PATCH 3.18 47/47] RDMA/ucma: Fix access to non-initialized CM_ID object
Date: Fri, 23 Mar 2018 10:55:38 +0100 [thread overview]
Message-ID: <20180323094250.140246043@linuxfoundation.org> (raw)
In-Reply-To: <20180323094248.117679641@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@mellanox.com>
commit 7688f2c3bbf55e52388e37ac5d63ca471a7712e1 upstream.
The attempt to join multicast group without ensuring that CMA device
exists will lead to the following crash reported by syzkaller.
[ 64.076794] BUG: KASAN: null-ptr-deref in rdma_join_multicast+0x26e/0x12c0
[ 64.076797] Read of size 8 at addr 00000000000000b0 by task join/691
[ 64.076797]
[ 64.076800] CPU: 1 PID: 691 Comm: join Not tainted 4.16.0-rc1-00219-gb97853b65b93 #23
[ 64.076802] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
[ 64.076803] Call Trace:
[ 64.076809] dump_stack+0x5c/0x77
[ 64.076817] kasan_report+0x163/0x380
[ 64.085859] ? rdma_join_multicast+0x26e/0x12c0
[ 64.086634] rdma_join_multicast+0x26e/0x12c0
[ 64.087370] ? rdma_disconnect+0xf0/0xf0
[ 64.088579] ? __radix_tree_replace+0xc3/0x110
[ 64.089132] ? node_tag_clear+0x81/0xb0
[ 64.089606] ? idr_alloc_u32+0x12e/0x1a0
[ 64.090517] ? __fprop_inc_percpu_max+0x150/0x150
[ 64.091768] ? tracing_record_taskinfo+0x10/0xc0
[ 64.092340] ? idr_alloc+0x76/0xc0
[ 64.092951] ? idr_alloc_u32+0x1a0/0x1a0
[ 64.093632] ? ucma_process_join+0x23d/0x460
[ 64.094510] ucma_process_join+0x23d/0x460
[ 64.095199] ? ucma_migrate_id+0x440/0x440
[ 64.095696] ? futex_wake+0x10b/0x2a0
[ 64.096159] ucma_join_multicast+0x88/0xe0
[ 64.096660] ? ucma_process_join+0x460/0x460
[ 64.097540] ? _copy_from_user+0x5e/0x90
[ 64.098017] ucma_write+0x174/0x1f0
[ 64.098640] ? ucma_resolve_route+0xf0/0xf0
[ 64.099343] ? rb_erase_cached+0x6c7/0x7f0
[ 64.099839] __vfs_write+0xc4/0x350
[ 64.100622] ? perf_syscall_enter+0xe4/0x5f0
[ 64.101335] ? kernel_read+0xa0/0xa0
[ 64.103525] ? perf_sched_cb_inc+0xc0/0xc0
[ 64.105510] ? syscall_exit_register+0x2a0/0x2a0
[ 64.107359] ? __switch_to+0x351/0x640
[ 64.109285] ? fsnotify+0x899/0x8f0
[ 64.111610] ? fsnotify_unmount_inodes+0x170/0x170
[ 64.113876] ? __fsnotify_update_child_dentry_flags+0x30/0x30
[ 64.115813] ? ring_buffer_record_is_on+0xd/0x20
[ 64.117824] ? __fget+0xa8/0xf0
[ 64.119869] vfs_write+0xf7/0x280
[ 64.122001] SyS_write+0xa1/0x120
[ 64.124213] ? SyS_read+0x120/0x120
[ 64.126644] ? SyS_read+0x120/0x120
[ 64.128563] do_syscall_64+0xeb/0x250
[ 64.130732] entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 64.132984] RIP: 0033:0x7f5c994ade99
[ 64.135699] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 64.138740] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
[ 64.141056] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
[ 64.143536] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
[ 64.146017] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
[ 64.148608] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
[ 64.151060]
[ 64.153703] Disabling lock debugging due to kernel taint
[ 64.156032] BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0
[ 64.159066] IP: rdma_join_multicast+0x26e/0x12c0
[ 64.161451] PGD 80000001d0298067 P4D 80000001d0298067 PUD 1dea39067 PMD 0
[ 64.164442] Oops: 0000 [#1] SMP KASAN PTI
[ 64.166817] CPU: 1 PID: 691 Comm: join Tainted: G B 4.16.0-rc1-00219-gb97853b65b93 #23
[ 64.170004] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
[ 64.174985] RIP: 0010:rdma_join_multicast+0x26e/0x12c0
[ 64.177246] RSP: 0018:ffff8801c8207860 EFLAGS: 00010282
[ 64.179901] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff94789522
[ 64.183344] RDX: 1ffffffff2d50fa5 RSI: 0000000000000297 RDI: 0000000000000297
[ 64.186237] RBP: ffff8801c8207a50 R08: 0000000000000000 R09: ffffed0039040ea7
[ 64.189328] R10: 0000000000000001 R11: ffffed0039040ea6 R12: 0000000000000000
[ 64.192634] R13: 0000000000000000 R14: ffff8801e2022800 R15: ffff8801d4ac2400
[ 64.196105] FS: 00007f5c99b98700(0000) GS:ffff8801e5d00000(0000) knlGS:0000000000000000
[ 64.199211] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 64.202046] CR2: 00000000000000b0 CR3: 00000001d1c48004 CR4: 00000000003606a0
[ 64.205032] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 64.208221] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 64.211554] Call Trace:
[ 64.213464] ? rdma_disconnect+0xf0/0xf0
[ 64.216124] ? __radix_tree_replace+0xc3/0x110
[ 64.219337] ? node_tag_clear+0x81/0xb0
[ 64.222140] ? idr_alloc_u32+0x12e/0x1a0
[ 64.224422] ? __fprop_inc_percpu_max+0x150/0x150
[ 64.226588] ? tracing_record_taskinfo+0x10/0xc0
[ 64.229763] ? idr_alloc+0x76/0xc0
[ 64.232186] ? idr_alloc_u32+0x1a0/0x1a0
[ 64.234505] ? ucma_process_join+0x23d/0x460
[ 64.237024] ucma_process_join+0x23d/0x460
[ 64.240076] ? ucma_migrate_id+0x440/0x440
[ 64.243284] ? futex_wake+0x10b/0x2a0
[ 64.245302] ucma_join_multicast+0x88/0xe0
[ 64.247783] ? ucma_process_join+0x460/0x460
[ 64.250841] ? _copy_from_user+0x5e/0x90
[ 64.253878] ucma_write+0x174/0x1f0
[ 64.257008] ? ucma_resolve_route+0xf0/0xf0
[ 64.259877] ? rb_erase_cached+0x6c7/0x7f0
[ 64.262746] __vfs_write+0xc4/0x350
[ 64.265537] ? perf_syscall_enter+0xe4/0x5f0
[ 64.267792] ? kernel_read+0xa0/0xa0
[ 64.270358] ? perf_sched_cb_inc+0xc0/0xc0
[ 64.272575] ? syscall_exit_register+0x2a0/0x2a0
[ 64.275367] ? __switch_to+0x351/0x640
[ 64.277700] ? fsnotify+0x899/0x8f0
[ 64.280530] ? fsnotify_unmount_inodes+0x170/0x170
[ 64.283156] ? __fsnotify_update_child_dentry_flags+0x30/0x30
[ 64.286182] ? ring_buffer_record_is_on+0xd/0x20
[ 64.288749] ? __fget+0xa8/0xf0
[ 64.291136] vfs_write+0xf7/0x280
[ 64.292972] SyS_write+0xa1/0x120
[ 64.294965] ? SyS_read+0x120/0x120
[ 64.297474] ? SyS_read+0x120/0x120
[ 64.299751] do_syscall_64+0xeb/0x250
[ 64.301826] entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 64.304352] RIP: 0033:0x7f5c994ade99
[ 64.306711] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 64.309577] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
[ 64.312334] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
[ 64.315783] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
[ 64.318365] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
[ 64.320980] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
[ 64.323515] Code: e8 e8 79 08 ff 4c 89 ff 45 0f b6 a7 b8 01 00 00 e8 68 7c 08 ff 49 8b 1f 4d 89 e5 49 c1 e4 04 48 8
[ 64.330753] RIP: rdma_join_multicast+0x26e/0x12c0 RSP: ffff8801c8207860
[ 64.332979] CR2: 00000000000000b0
[ 64.335550] ---[ end trace 0c00c17a408849c1 ]---
Reported-by: <syzbot+e6aba77967bd72cbc9d6@syzkaller.appspotmail.com>
Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/cma.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -3350,6 +3350,9 @@ int rdma_join_multicast(struct rdma_cm_i
struct cma_multicast *mc;
int ret;
+ if (!id->device)
+ return -EINVAL;
+
id_priv = container_of(id, struct rdma_id_private, id);
if (!cma_comp(id_priv, RDMA_CM_ADDR_BOUND) &&
!cma_comp(id_priv, RDMA_CM_ADDR_RESOLVED))
next prev parent reply other threads:[~2018-03-23 9:55 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-23 9:54 [PATCH 3.18 00/47] 3.18.102-stable review Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 3.18 01/47] platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 3.18 02/47] x86: i8259: export legacy_pic symbol Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 3.18 03/47] Input: ar1021_i2c - fix too long name in drivers device table Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 3.18 04/47] ACPI/processor: Replace racy task affinity logic Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 3.18 05/47] cpufreq/sh: " Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 3.18 06/47] genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 3.18 07/47] i2c: i2c-scmi: add a MS HID Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 3.18 08/47] net: ipv6: send unsolicited NA on admin up Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 09/47] [media] media/dvb-core: Race condition when writing to CAM Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 10/47] spi: dw: Disable clock after unregistering the host Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 11/47] ath: Fix updating radar flags for coutry code India Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 12/47] scsi: virtio_scsi: Always try to read VPD pages Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 13/47] KVM: PPC: Book3S PR: Exit KVM on failed mapping Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 14/47] tcp: remove poll() flakes with FastOpen Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 15/47] e1000e: fix timing for 82579 Gigabit Ethernet controller Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 16/47] ALSA: hda - Fix headset microphone detection for ASUS N551 and N751 Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 17/47] IB/ipoib: Update broadcast object if PKey value was changed in index 0 Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 18/47] HSI: ssi_protocol: double free in ssip_pn_xmit() Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 19/47] Fix driver usage of 128B WQEs when WQ_CREATE is V1 Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 20/47] mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR() Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 21/47] wan: pc300too: abort path on failure Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 22/47] qlcnic: fix unchecked return value Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 23/47] scsi: mac_esp: Replace bogus memory barrier with spinlock Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 24/47] rndis_wlan: add return value validation Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 25/47] Btrfs: send, fix file hole not being preserved due to inline extent Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 26/47] mac80211: dont parse encrypted management frames in ieee80211_frame_acked Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 27/47] mfd: palmas: Reset the POWERHOLD mux during power off Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 28/47] ARM: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 29/47] ipmi/watchdog: fix wdog hang on panic waiting for ipmi response Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 30/47] bnx2x: Align RX buffers Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 31/47] power: supply: pda_power: move from timer to delayed_work Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 32/47] md/raid10: skip spare disk as first disk Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 33/47] ia64: fix module loading for gcc-5.4 Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 34/47] video: fbdev: udlfb: Fix buffer on stack Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 35/47] sm501fb: dont return zero on failure path in sm501fb_start() Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 36/47] cifs: small underflow in cnvrtDosUnixTm() Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 37/47] drm/msm: fix leak in failed get_pages Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 38/47] media: bt8xx: Fix err bt878_probe() Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 39/47] media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 40/47] mmc: avoid removing non-removable hosts during suspend Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 41/47] IB/ipoib: Avoid memory leak if the SA returns a different DGID Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 42/47] RDMA/cma: Use correct size when writing netlink stats Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 43/47] vgacon: Set VGA struct resource types Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 44/47] drm/omap: DMM: Check for DMM readiness after successful transaction commit Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 45/47] pinctrl: Really force states during suspend/resume Greg Kroah-Hartman
2018-03-23 9:55 ` [PATCH 3.18 46/47] clk: si5351: Rename internal plls to avoid name collisions Greg Kroah-Hartman
2018-03-23 9:55 ` Greg Kroah-Hartman [this message]
2018-03-23 14:00 ` [PATCH 3.18 00/47] 3.18.102-stable review kernelci.org bot
2018-03-23 20:43 ` Shuah Khan
2018-03-24 7:46 ` Greg Kroah-Hartman
2018-03-24 0:07 ` Guenter Roeck
2018-03-24 9:40 ` Harsh Shandilya
2018-03-24 10:05 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180323094250.140246043@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dledford@redhat.com \
--cc=leonro@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sean.hefty@intel.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+e6aba77967bd72cbc9d6@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).