linux-rdma.vger.kernel.org archive mirror
* [PATCH rdma] RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
@ 2020-06-16  9:34 Michal Kalderon
  2020-06-18 12:47 ` Jason Gunthorpe
  0 siblings, 1 reply; 2+ messages in thread
From: Michal Kalderon @ 2020-06-16  9:34 UTC (permalink / raw)
  To: jgg, dledford, ariel.elior, michal.kalderon; +Cc: linux-rdma

Private data passed to iwarp_cm_handler is copied for
connection request / response, but ignored otherwise.
If junk is passed, it is stored in the event and used later
in the event processing.
Driver passed old junk pointer during connection close
which led to a use-after-free on event processing.
Set private data to NULL for events that don't have private
data.

BUG: KASAN: use-after-free in ucma_event_handler+0x532/0x560 [rdma_ucm]
kernel: Read of size 4 at addr ffff8886caa71200 by task kworker/u128:1/5250
kernel:
kernel: Workqueue: iw_cm_wq cm_work_handler [iw_cm]
kernel: Call Trace:
kernel: dump_stack+0x8c/0xc0
kernel: print_address_description.constprop.0+0x1b/0x210
kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
kernel: __kasan_report.cold+0x1a/0x33
kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
kernel: kasan_report+0xe/0x20
kernel: check_memory_region+0x130/0x1a0
kernel: memcpy+0x20/0x50
kernel: ucma_event_handler+0x532/0x560 [rdma_ucm]
kernel: ? __rpc_execute+0x608/0x620 [sunrpc]
kernel: cma_iw_handler+0x212/0x330 [rdma_cm]
kernel: ? iw_conn_req_handler+0x6e0/0x6e0 [rdma_cm]
kernel: ? enqueue_timer+0x86/0x140
kernel: ? _raw_write_lock_irq+0xd0/0xd0
kernel: cm_work_handler+0xd3d/0x1070 [iw_cm]

Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions")
Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
---
 drivers/infiniband/hw/qedr/qedr_iw_cm.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
index 792eecd206b6..97fc7dd353b0 100644
--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
@@ -150,8 +150,17 @@ qedr_iw_issue_event(void *context,
 	if (params->cm_info) {
 		event.ird = params->cm_info->ird;
 		event.ord = params->cm_info->ord;
-		event.private_data_len = params->cm_info->private_data_len;
-		event.private_data = (void *)params->cm_info->private_data;
+		/* Only connect_request and reply have valid private data
+		 * the rest of the events this may be left overs from
+		 * connection establishment. CONNECT_REQUEST is issued via
+		 * qedr_iw_mpa_request
+		 */
+		if (event_type == IW_CM_EVENT_CONNECT_REPLY) {
+			event.private_data_len =
+				params->cm_info->private_data_len;
+			event.private_data =
+				(void *)params->cm_info->private_data;
+		}
 	}
 
 	if (ep->cm_id)
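Review bot: the new `if (event_type == IW_CM_EVENT_CONNECT_REPLY)` branch only assigns private_data/private_data_len on the reply path and leaves them untouched for every other event, so the "set private data to NULL" behaviour the commit message promises holds only if `event` is zero-initialized before this block; the declaration and any memset are outside the hunk context, so please confirm that in qedr_iw_issue_event, or add an explicit `else` that assigns `event.private_data = NULL;` and `event.private_data_len = 0;` so the intent does not depend on initialization elsewhere. Minor: the comment's "the rest of the events this may be left overs from connection establishment" reads awkwardly; "for other events cm_info may still hold leftovers from connection establishment" says the same thing more clearly.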
-- 
2.14.5
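The lifecycle the commit message describes, as an added C example that is not the patch's, the qedr driver's or the kernel's own code: the structure and enum names mirror the patch but their layouts are simplified stand-ins, `issue_event` models the shape of qedr_iw_issue_event before and after the fix (selected by a constructed `fixed` flag), and `consume_event` stands in for the memcpy in ucma_event_handler that the KASAN trace shows. Buffer lifetime is tracked by a hand-maintained `live` flag so the demo can report a read-after-release without touching freed memory.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the kernel's iw_cm structures; the names mirror
 * the patch but the layouts are simplified and are not the real definitions. */
enum iw_cm_event_type {
	IW_CM_EVENT_CONNECT_REQUEST,
	IW_CM_EVENT_CONNECT_REPLY,
	IW_CM_EVENT_ESTABLISHED,
	IW_CM_EVENT_DISCONNECT,
	IW_CM_EVENT_CLOSE,
};

struct cm_info {
	const void *private_data;
	unsigned int private_data_len;
};

struct iw_cm_event {
	enum iw_cm_event_type event;
	const void *private_data;
	unsigned int private_data_len;
};

/* Buffer whose lifetime is tracked by hand (constructed for the demo) so a
 * read after release can be reported without dereferencing freed memory. */
struct pd_buffer {
	unsigned char data[32];
	int live;
};

/* Driver side, modelled on qedr_iw_issue_event: the unfixed variant copies
 * cm_info's pointer for every event, the fixed variant only for CONNECT_REPLY. */
static void issue_event(struct iw_cm_event *ev, enum iw_cm_event_type type,
			const struct cm_info *info, int fixed)
{
	memset(ev, 0, sizeof(*ev));	/* private_data starts as NULL, len 0 */
	ev->event = type;
	if (!info)
		return;
	if (!fixed || type == IW_CM_EVENT_CONNECT_REPLY) {
		ev->private_data_len = info->private_data_len;
		ev->private_data = info->private_data;
	}
}

/* Consumer side, modelled on the memcpy in ucma_event_handler: it trusts
 * private_data_len and copies that many bytes out of the event.
 * Returns the number of bytes copied. */
static size_t consume_event(const struct iw_cm_event *ev,
			    unsigned char *out, size_t out_len)
{
	size_t n = ev->private_data_len;

	if (!ev->private_data || n == 0)
		return 0;
	if (n > out_len)
		n = out_len;
	memcpy(out, ev->private_data, n);
	return n;
}

/* The reply's private data must survive the fix; returns its length. */
static unsigned int reply_private_data_len(int fixed)
{
	unsigned char pd[8] = "reply";	/* constructed sample private data */
	struct cm_info info = { pd, sizeof(pd) };
	struct iw_cm_event ev;

	issue_event(&ev, IW_CM_EVENT_CONNECT_REPLY, &info, fixed);
	return ev.private_data_len;
}

/* Run the sequence from the commit message: private data is valid for the
 * connection reply, the buffer behind it is released, then CLOSE is issued
 * with the same (now stale) cm_info. Returns 1 if the consumer copied from the
 * released buffer (the use-after-free KASAN flagged), 0 otherwise. */
static int close_event_reads_released_buffer(int fixed)
{
	struct pd_buffer buf = { .live = 1 };
	struct cm_info info;
	struct iw_cm_event ev;
	unsigned char out[sizeof(buf.data)];
	size_t copied;

	memcpy(buf.data, "constructed-mpa-private-data", 28);
	info.private_data = buf.data;
	info.private_data_len = 28;

	/* 1. CONNECT_REPLY: private data is genuine and is copied out. */
	issue_event(&ev, IW_CM_EVENT_CONNECT_REPLY, &info, fixed);
	consume_event(&ev, out, sizeof(out));

	/* 2. Connection establishment is over: the buffer is released, but
	 *    cm_info still holds the old pointer and length ("junk"). */
	buf.live = 0;
	memset(buf.data, 0xA5, sizeof(buf.data));

	/* 3. CLOSE: the driver hands the same cm_info to issue_event. */
	issue_event(&ev, IW_CM_EVENT_CLOSE, &info, fixed);
	copied = consume_event(&ev, out, sizeof(out));

	return copied > 0 && ev.private_data == buf.data && !buf.live;
}
```

With `fixed == 0` the CLOSE event carries the stale pointer and a non-zero length, so the consumer's memcpy reads the released buffer; with `fixed == 1` the event leaves issue_event with NULL/0 and the consumer copies nothing, while the reply path still delivers its private data. Note that the fixed variant relies on the memset at the top of issue_event: without zeroing, the non-reply events would carry whatever the stack held.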



* Re: [PATCH rdma] RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
  2020-06-16  9:34 [PATCH rdma] RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532 Michal Kalderon
@ 2020-06-18 12:47 ` Jason Gunthorpe
  0 siblings, 0 replies; 2+ messages in thread
From: Jason Gunthorpe @ 2020-06-18 12:47 UTC (permalink / raw)
  To: Michal Kalderon; +Cc: dledford, ariel.elior, linux-rdma

On Tue, Jun 16, 2020 at 12:34:08PM +0300, Michal Kalderon wrote:
> Private data passed to iwarp_cm_handler is copied for
> connection request / response, but ignored otherwise.
> If junk is passed, it is stored in the event and used later
> in the event processing.
> Driver passed old junk pointer during connection close
> which led to a use-after-free on event processing.
> Set private data to NULL for events that don't have private
> data.
> 
> BUG: KASAN: use-after-free in ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: Read of size 4 at addr ffff8886caa71200 by task kworker/u128:1/5250
> kernel:
> kernel: Workqueue: iw_cm_wq cm_work_handler [iw_cm]
> kernel: Call Trace:
> kernel: dump_stack+0x8c/0xc0
> kernel: print_address_description.constprop.0+0x1b/0x210
> kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: __kasan_report.cold+0x1a/0x33
> kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: kasan_report+0xe/0x20
> kernel: check_memory_region+0x130/0x1a0
> kernel: memcpy+0x20/0x50
> kernel: ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: ? __rpc_execute+0x608/0x620 [sunrpc]
> kernel: cma_iw_handler+0x212/0x330 [rdma_cm]
> kernel: ? iw_conn_req_handler+0x6e0/0x6e0 [rdma_cm]
> kernel: ? enqueue_timer+0x86/0x140
> kernel: ? _raw_write_lock_irq+0xd0/0xd0
> kernel: cm_work_handler+0xd3d/0x1070 [iw_cm]
> 
> Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions")
> Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
> Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
> ---
>  drivers/infiniband/hw/qedr/qedr_iw_cm.c | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)

Applied to for-rc, thanks

Jason
