* [PATCH rdma-rc 0/2] Two fixes in handling FD object
@ 2020-04-21  8:29 Leon Romanovsky
From: Leon Romanovsky @ 2020-04-21  8:29 UTC (permalink / raw)
  To: Doug Ledford, Jason Gunthorpe
  Cc: Leon Romanovsky, linux-kernel, linux-rdma, Yishai Hadas

From: Leon Romanovsky <leonro@mellanox.com>

Hi,

These two patches are fixing two crashes in FD object handling.

Thanks

Leon Romanovsky (2):
  RDMA/core: Prevent mixed use of FDs between shared ufiles
  RDMA/core: Fix overwriting of uobj in case of error

 drivers/infiniband/core/rdma_core.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--
2.25.2



* [PATCH rdma-rc 1/2] RDMA/core: Prevent mixed use of FDs between shared ufiles
  2020-04-21  8:29 [PATCH rdma-rc 0/2] Two fixes in handling FD object Leon Romanovsky
@ 2020-04-21  8:29 ` Leon Romanovsky
  2020-04-21  8:29 ` [PATCH rdma-rc 2/2] RDMA/core: Fix overwriting of uobj in case of error Leon Romanovsky
  2020-04-22 18:55 ` [PATCH rdma-rc 0/2] Two fixes in handling FD object Jason Gunthorpe
From: Leon Romanovsky @ 2020-04-21  8:29 UTC (permalink / raw)
  To: Doug Ledford, Jason Gunthorpe; +Cc: Leon Romanovsky, linux-rdma, Yishai Hadas

From: Leon Romanovsky <leonro@mellanox.com>

FDs can only be used on the ufile that created them; they cannot be
mixed with other ufiles. We are lacking a check to prevent it.

==================================================================
BUG: KASAN: null-ptr-deref in atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline]
BUG: KASAN: null-ptr-deref in atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline]
BUG: KASAN: null-ptr-deref in fput_many+0x1a/0x140 fs/file_table.c:336
Write of size 8 at addr 0000000000000038 by task syz-executor179/284

CPU: 0 PID: 284 Comm: syz-executor179 Not tainted 5.5.0-rc5+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x94/0xce lib/dump_stack.c:118
 __kasan_report+0x18f/0x1b7 mm/kasan/report.c:510
 kasan_report+0xe/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
 atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline]
 atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline]
 fput_many+0x1a/0x140 fs/file_table.c:336
 rdma_lookup_put_uobject+0x85/0x130 drivers/infiniband/core/rdma_core.c:692
 uobj_put_read include/rdma/uverbs_std_types.h:96 [inline]
 _ib_uverbs_lookup_comp_file drivers/infiniband/core/uverbs_cmd.c:198 [inline]
 create_cq+0x375/0xba0 drivers/infiniband/core/uverbs_cmd.c:1006
 ib_uverbs_create_cq+0x114/0x140 drivers/infiniband/core/uverbs_cmd.c:1089
 ib_uverbs_write+0xaa5/0xdf0 drivers/infiniband/core/uverbs_main.c:769
 __vfs_write+0x7c/0x100 fs/read_write.c:494
 vfs_write+0x168/0x4a0 fs/read_write.c:558
 ksys_write+0xc8/0x200 fs/read_write.c:611
 do_syscall_64+0x9c/0x390 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44ef99
Code: 00 b8 00 01 00 00 eb e1 e8 74 1c 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc0b74c028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ffc0b74c030 RCX: 000000000044ef99
RDX: 0000000000000040 RSI: 0000000020000040 RDI: 0000000000000005
RBP: 00007ffc0b74c038 R08: 0000000000401830 R09: 0000000000401830
R10: 00007ffc0b74c038 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000006be018 R15: 0000000000000000
==================================================================

Fixes: cf8966b3477d ("IB/core: Add support for fd objects")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
---
 drivers/infiniband/core/rdma_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/rdma_core.c b/drivers/infiniband/core/rdma_core.c
index 5128cb16bb48..8f480de5596a 100644
--- a/drivers/infiniband/core/rdma_core.c
+++ b/drivers/infiniband/core/rdma_core.c
@@ -360,7 +360,7 @@ lookup_get_fd_uobject(const struct uverbs_api_object *obj,
 	 * uverbs_uobject_fd_release(), and the caller is expected to ensure
 	 * that release is never done while a call to lookup is possible.
 	 */
-	if (f->f_op != fd_type->fops) {
+	if (f->f_op != fd_type->fops || uobject->ufile != ufile) {
 		fput(f);
 		return ERR_PTR(-EBADF);
 	}
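Review bot: the added `uobject->ufile != ufile` term depends on `uobject` having been loaded from `f->private_data` above this hunk and on `f->f_op != fd_type->fops` staying on the left of the `||`, because `private_data` is only known to be a `struct ib_uobject` once the fops match; the ordering is right as written, but the comment block ending at `that release is never done while a call to lookup is possible.` should gain a line saying that an FD opened on a different ufile is rejected with -EBADF, since this hunk is the only place that rule is enforced and the commit text states it in one sentence without naming the return value.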
-- 
2.25.2



* [PATCH rdma-rc 2/2] RDMA/core: Fix overwriting of uobj in case of error
  2020-04-21  8:29 [PATCH rdma-rc 0/2] Two fixes in handling FD object Leon Romanovsky
  2020-04-21  8:29 ` [PATCH rdma-rc 1/2] RDMA/core: Prevent mixed use of FDs between shared ufiles Leon Romanovsky
@ 2020-04-21  8:29 ` Leon Romanovsky
  2020-04-22 18:55 ` [PATCH rdma-rc 0/2] Two fixes in handling FD object Jason Gunthorpe
From: Leon Romanovsky @ 2020-04-21  8:29 UTC (permalink / raw)
  To: Doug Ledford, Jason Gunthorpe; +Cc: Leon Romanovsky, linux-rdma, Yishai Hadas

From: Leon Romanovsky <leonro@mellanox.com>

In case of failure to get a file, the uobj is overwritten, which causes
a bad pointer to be supplied as input to uverbs_uobject_put().

==================================================================
BUG: KASAN: null-ptr-deref in atomic_fetch_sub include/asm-generic/atomic-instrumented.h:199 [inline]
BUG: KASAN: null-ptr-deref in refcount_sub_and_test include/linux/refcount.h:253 [inline]
BUG: KASAN: null-ptr-deref in refcount_dec_and_test include/linux/refcount.h:281 [inline]
BUG: KASAN: null-ptr-deref in kref_put include/linux/kref.h:64 [inline]
BUG: KASAN: null-ptr-deref in uverbs_uobject_put+0x22/0x90 drivers/infiniband/core/rdma_core.c:57
Write of size 4 at addr 0000000000000030 by task syz-executor.4/1691

CPU: 1 PID: 1691 Comm: syz-executor.4 Not tainted 5.6.0 #17
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x94/0xce lib/dump_stack.c:118
 __kasan_report+0x10c/0x190 mm/kasan/report.c:515
 kasan_report+0x32/0x50 mm/kasan/common.c:625
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 check_memory_region+0x16d/0x1c0 mm/kasan/generic.c:193
 atomic_fetch_sub include/asm-generic/atomic-instrumented.h:199 [inline]
 refcount_sub_and_test include/linux/refcount.h:253 [inline]
 refcount_dec_and_test include/linux/refcount.h:281 [inline]
 kref_put include/linux/kref.h:64 [inline]
 uverbs_uobject_put+0x22/0x90 drivers/infiniband/core/rdma_core.c:57
 alloc_begin_fd_uobject+0x1d0/0x250 drivers/infiniband/core/rdma_core.c:486
 rdma_alloc_begin_uobject+0xa8/0xf0 drivers/infiniband/core/rdma_core.c:509
 __uobj_alloc include/rdma/uverbs_std_types.h:117 [inline]
 ib_uverbs_create_comp_channel+0x16d/0x230 drivers/infiniband/core/uverbs_cmd.c:982
 ib_uverbs_write+0xaa5/0xdf0 drivers/infiniband/core/uverbs_main.c:665
 __vfs_write+0x7c/0x100 fs/read_write.c:494
 vfs_write+0x168/0x4a0 fs/read_write.c:558
 ksys_write+0xc8/0x200 fs/read_write.c:611
 do_syscall_64+0x9c/0x390 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x466479
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efe9f6a7c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000466479
RDX: 0000000000000018 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00007efe9f6a86bc R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 0000000000000bf2 R14: 00000000004cb80a R15: 00000000006fefc0
==================================================================

Fixes: 849e149063bd ("RDMA/core: Do not allow alloc_commit to fail")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
---
 drivers/infiniband/core/rdma_core.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/core/rdma_core.c b/drivers/infiniband/core/rdma_core.c
index 8f480de5596a..2947f4f83561 100644
--- a/drivers/infiniband/core/rdma_core.c
+++ b/drivers/infiniband/core/rdma_core.c
@@ -474,16 +474,15 @@ alloc_begin_fd_uobject(const struct uverbs_api_object *obj,
 	filp = anon_inode_getfile(fd_type->name, fd_type->fops, NULL,
 				  fd_type->flags);
 	if (IS_ERR(filp)) {
+		uverbs_uobject_put(uobj);
 		uobj = ERR_CAST(filp);
-		goto err_uobj;
+		goto err_fd;
 	}
 	uobj->object = filp;
 
 	uobj->id = new_fd;
 	return uobj;
 
-err_uobj:
-	uverbs_uobject_put(uobj);
 err_fd:
 	put_unused_fd(new_fd);
 	return uobj;
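Review bot: the whole fix is the ordering of `uverbs_uobject_put(uobj);` before `uobj = ERR_CAST(filp);`, and nothing in the hunk records why, so a one-line comment such as `/* drop our ref before uobj is reused to carry the error */` above the put would keep a later cleanup from reintroducing the bug. Removing the `err_uobj:` label is only safe if this `goto` was its sole user; any other `goto err_uobj` left in the function would now fail to build, so that part is self-checking. The unwind order is unchanged: the uobject reference is still dropped before `put_unused_fd(new_fd)` under `err_fd:`, as it was when the two labels were chained.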
-- 
2.25.2


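A user-space model of the two bugs this series fixes, added here as an illustration and not code from the kernel or from the patches. The `mock_*` types, the `fixed` and `check_owner` switches, and the `bad_puts` / `live_uobjects` counters are assumptions made for the illustration; the kernel has none of them, and where the kernel would dereference NULL or an error pointer this model only bumps a counter. It shows the patch 2 error path with the put done before and after `uobj` is reused for the error code, and the patch 1 lookup with and without the ufile ownership test.

```c
/* Added example (not kernel code): a user-space model of the error-path
 * ordering bug in alloc_begin_fd_uobject() and the missing ufile check in
 * lookup_get_fd_uobject(). All mock_* names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-ins for the kernel's ERR_PTR helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }
#define ERR_CAST(p) ((void *)(p))

struct mock_fops { const char *name; };
struct mock_ufile { int id; };
struct mock_uobject { struct mock_ufile *ufile; void *object; int refcnt; };
struct mock_file { const struct mock_fops *f_op; void *private_data; };

static const struct mock_fops comp_channel_fops = { "comp_channel" };
static const struct mock_fops other_fops = { "not_a_comp_channel" };
static struct mock_ufile ufile_a = { 1 }, ufile_b = { 2 };

static int bad_puts;       /* puts that hit NULL or an ERR_PTR; the kernel would crash here */
static int live_uobjects;  /* uobjects allocated and not yet freed; a leak shows up here */

static void reset_counters(void) { bad_puts = 0; live_uobjects = 0; }

static struct mock_uobject *mock_uobject_alloc(struct mock_ufile *ufile)
{
    struct mock_uobject *u = calloc(1, sizeof(*u));
    u->ufile = ufile;
    u->refcnt = 1;
    live_uobjects++;
    return u;
}

/* Model of uverbs_uobject_put(): record a bad pointer instead of faulting. */
static void mock_uobject_put(struct mock_uobject *u)
{
    if (!u || IS_ERR(u)) { bad_puts++; return; }
    if (--u->refcnt == 0) { live_uobjects--; free(u); }
}

/* Model of anon_inode_getfile(): fails with -ENFILE when asked to. */
static struct mock_file *mock_getfile(const struct mock_fops *fops, void *priv, int fail)
{
    struct mock_file *f;
    if (fail)
        return ERR_PTR(-ENFILE);
    f = calloc(1, sizeof(*f));
    f->f_op = fops;
    f->private_data = priv;
    return f;
}

/* Patch 2: with fixed == 0, uobj is overwritten by the error before the
 * reference is dropped, so the put sees an ERR_PTR and the real uobj leaks. */
static struct mock_uobject *alloc_begin_fd_uobject(struct mock_ufile *ufile, int fail_getfile, int fixed)
{
    struct mock_uobject *uobj = mock_uobject_alloc(ufile);
    struct mock_file *filp = mock_getfile(&comp_channel_fops, uobj, fail_getfile);

    if (IS_ERR(filp)) {
        if (fixed)
            mock_uobject_put(uobj);   /* release while uobj still points at the object */
        uobj = ERR_CAST(filp);
        if (!fixed)
            mock_uobject_put(uobj);   /* buggy order: puts the error pointer */
        return uobj;
    }
    uobj->object = filp;
    return uobj;
}

/* Patch 1: with check_owner == 0 an FD created on another ufile is handed
 * back to the caller as if it were its own. f_op is tested first because
 * private_data is only a uobject once the fops match. */
static struct mock_uobject *lookup_get_fd_uobject(struct mock_ufile *ufile, struct mock_file *f,
                                                  const struct mock_fops *want, int check_owner)
{
    struct mock_uobject *uobject = f->private_data;

    if (f->f_op != want || (check_owner && uobject->ufile != ufile))
        return ERR_PTR(-EBADF);
    uobject->refcnt++;
    return uobject;
}

int main(void)
{
    struct mock_uobject *u = alloc_begin_fd_uobject(&ufile_a, 0, 1);
    struct mock_file *f = u->object;

    printf("cross-ufile lookup, no owner check: %s\n",
           IS_ERR(lookup_get_fd_uobject(&ufile_b, f, &comp_channel_fops, 0)) ? "rejected" : "accepted");
    printf("cross-ufile lookup, owner check: err=%ld\n",
           PTR_ERR(lookup_get_fd_uobject(&ufile_b, f, &comp_channel_fops, 1)));
    printf("wrong fops: err=%ld\n", PTR_ERR(lookup_get_fd_uobject(&ufile_a, f, &other_fops, 1)));
    reset_counters();
    alloc_begin_fd_uobject(&ufile_a, 1, 0);
    printf("buggy error path: bad_puts=%d leaked=%d\n", bad_puts, live_uobjects);
    return 0;
}
```

The two counters are what make the model checkable: the pre-fix error path scores one bad put and one leaked uobject, the post-fix path scores neither, and the owner check turns a cross-ufile lookup from a silent success into -EBADF.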

* Re: [PATCH rdma-rc 0/2] Two fixes in handling FD object
  2020-04-21  8:29 [PATCH rdma-rc 0/2] Two fixes in handling FD object Leon Romanovsky
  2020-04-21  8:29 ` [PATCH rdma-rc 1/2] RDMA/core: Prevent mixed use of FDs between shared ufiles Leon Romanovsky
  2020-04-21  8:29 ` [PATCH rdma-rc 2/2] RDMA/core: Fix overwriting of uobj in case of error Leon Romanovsky
@ 2020-04-22 18:55 ` Jason Gunthorpe
From: Jason Gunthorpe @ 2020-04-22 18:55 UTC (permalink / raw)
  To: Leon Romanovsky
  Cc: Doug Ledford, Leon Romanovsky, linux-kernel, linux-rdma, Yishai Hadas

On Tue, Apr 21, 2020 at 11:29:27AM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@mellanox.com>
> 
> Hi,
> 
> These two patches are fixing two crashes in FD object handling.
> 
> Thanks
> 
> Leon Romanovsky (2):
>   RDMA/core: Prevent mixed use of FDs between shared ufiles
>   RDMA/core: Fix overwriting of uobj in case of error

Applied to for-rc, thanks

Jason

