forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/drivers
History
Jason Gunthorpe cde9a4f6d9 RDMA/core: Fix double destruction of uobject 
commit c85f4abe66 upstream.

Fix use after free when user user space request uobject concurrently for
the same object, within the RCU grace period.

In that case, remove_handle_idr_uobject() is called twice and we will have
an extra put on the uobject which cause use after free.  Fix it by leaving
the uobject write locked after it was removed from the idr.

Call to rdma_lookup_put_uobject with UVERBS_LOOKUP_DESTROY instead of
UVERBS_LOOKUP_WRITE will do the work.

  refcount_t: underflow; use-after-free.
  WARNING: CPU: 0 PID: 1381 at lib/refcount.c:28 refcount_warn_saturate+0xfe/0x1a0
  Kernel panic - not syncing: panic_on_warn set ...
  CPU: 0 PID: 1381 Comm: syz-executor.0 Not tainted 5.5.0-rc3 #8
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
  Call Trace:
   dump_stack+0x94/0xce
   panic+0x234/0x56f
   __warn+0x1cc/0x1e1
   report_bug+0x200/0x310
   fixup_bug.part.11+0x32/0x80
   do_error_trap+0xd3/0x100
   do_invalid_op+0x31/0x40
   invalid_op+0x1e/0x30
  RIP: 0010:refcount_warn_saturate+0xfe/0x1a0
  Code: 0f 0b eb 9b e8 23 f6 6d ff 80 3d 6c d4 19 03 00 75 8d e8 15 f6 6d ff 48 c7 c7 c0 02 55 bd c6 05 57 d4 19 03 01 e8 a2 58 49 ff <0f> 0b e9 6e ff ff ff e8 f6 f5 6d ff 80 3d 42 d4 19 03 00 0f 85 5c
  RSP: 0018:ffffc90002df7b98 EFLAGS: 00010282
  RAX: 0000000000000000 RBX: ffff88810f6a193c RCX: ffffffffba649009
  RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88811b0283cc
  RBP: 0000000000000003 R08: ffffed10236060e3 R09: ffffed10236060e3
  R10: 0000000000000001 R11: ffffed10236060e2 R12: ffff88810f6a193c
  R13: ffffc90002df7d60 R14: 0000000000000000 R15: ffff888116ae6a08
   uverbs_uobject_put+0xfd/0x140
   __uobj_perform_destroy+0x3d/0x60
   ib_uverbs_close_xrcd+0x148/0x170
   ib_uverbs_write+0xaa5/0xdf0
   __vfs_write+0x7c/0x100
   vfs_write+0x168/0x4a0
   ksys_write+0xc8/0x200
   do_syscall_64+0x9c/0x390
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x465b49
  Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
  RSP: 002b:00007f759d122c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
  RAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 0000000000465b49
  RDX: 000000000000000c RSI: 0000000020000080 RDI: 0000000000000003
  RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f759d1236bc
  R13: 00000000004ca27c R14: 000000000070de40 R15: 00000000ffffffff
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Kernel Offset: 0x39400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

Fixes: 7452a3c745 ("IB/uverbs: Allow RDMA_REMOVE_DESTROY to work concurrently with disassociate")
Link: https://lore.kernel.org/r/20200527135534.482279-1-leon@kernel.org
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-03 08:19:43 +02:00
..
accessibility
acpi nfit: Add Hyper-V NVDIMM DSM command set to white list 2020-05-27 17:37:39 +02:00
amba
android binder: take read mode of mmap_sem in binder_alloc_free_page() 2020-05-02 17:25:48 +02:00
ata libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set 2020-04-17 10:48:52 +02:00
atm fore200e: Fix incorrect checks of NULL pointer dereference 2020-02-24 08:34:42 +01:00
auxdisplay
base component: Silence bind error on -EPROBE_DEFER 2020-05-27 17:37:33 +02:00
bcma bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA 2020-01-27 14:51:09 +01:00
block virtio-blk: handle block_device_operations callbacks after hot unplug 2020-05-20 08:18:33 +02:00
bluetooth Bluetooth: btusb: fix PM leak in error case of setup 2020-01-09 10:19:04 +01:00
bus bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads 2020-04-17 10:48:37 +02:00
cdrom cdrom: respect device capabilities during opening action 2020-01-04 19:13:12 +01:00
char tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() 2020-04-29 16:31:29 +02:00
clk clk: Unlink clock if failed to prepare or enable 2020-05-20 08:18:52 +02:00
clocksource clocksource/drivers/bcm2835_timer: Fix memory leak of timer 2020-02-24 08:34:37 +01:00
connector
cpufreq cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode once 2020-05-20 08:18:40 +02:00
cpuidle cpuidle: Do not unset the driver if it is there already 2019-12-17 20:35:00 +01:00
crypto crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static 2020-04-29 16:31:07 +02:00
dax
dca
devfreq Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs" 2020-03-05 16:42:18 +01:00
dio
dma dmaengine: owl: Use correct lock in owl_dma_get_pchan() 2020-05-27 17:37:38 +02:00
dma-buf dma-buf: Fix memory leak in sync_file_merge() 2019-12-21 10:57:38 +01:00
edac EDAC/amd64: Set grain per DIMM 2020-03-11 14:14:45 +01:00
eisa
extcon extcon: axp288: Add wakeup support 2020-04-13 10:45:03 +02:00
firewire net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:19:09 +01:00
firmware efi/x86: Ignore the memory attributes table on i386 2020-04-17 10:48:41 +02:00
fmc
fpga
fsi fsi: sbefifo: Don't fail operations when in SBE IPL state 2020-01-27 14:51:00 +01:00
gnss
gpio gpio: exar: Fix bad handling for ida_simple_get error path 2020-06-03 08:19:35 +02:00
gpu drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance. 2020-05-27 17:37:38 +02:00
hid HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock 2020-05-27 17:37:34 +02:00
hsi
hv x86/Hyper-V: Report crash data in die() when panic_on_oops is set 2020-04-23 10:30:17 +02:00
hwmon hwmon: (da9052) Synchronize access with mfd 2020-05-20 08:18:44 +02:00
hwspinlock
hwtracing intel_th: pci: Add Elkhart Lake CPU support 2020-03-25 08:06:11 +01:00
i2c i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' 2020-05-27 17:37:30 +02:00
ide ide: serverworks: potential overflow in svwks_set_pio_mode() 2020-02-24 08:34:49 +01:00
idle
iio iio: adc: stm32-dfsdm: fix device used to request dma 2020-05-27 17:37:45 +02:00
infiniband RDMA/core: Fix double destruction of uobject 2020-06-03 08:19:43 +02:00
input Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() 2020-06-03 08:19:33 +02:00
iommu iommu: Fix reference count leak in iommu_group_alloc. 2020-06-03 08:19:41 +02:00
ipack ipack: tpci200: fix error return code in tpci200_register() 2020-05-27 17:37:43 +02:00
irqchip irqchip/mbigen: Free msi_desc on device teardown 2020-04-23 10:30:13 +02:00
isdn staging: gigaset: add endpoint-type sanity check 2019-12-17 20:34:33 +01:00
leds leds: pca963x: Fix open-drain initialization 2020-02-24 08:34:35 +01:00
lightnvm lightnvm: pblk: fix lock order in pblk_rb_tear_down_check 2020-01-27 14:50:45 +01:00
macintosh macintosh: windfarm: fix MODINFO regression 2020-03-18 07:14:21 +01:00
mailbox mailbox: qcom-apcs: fix max_register value 2020-01-27 14:51:14 +01:00
mcb
md dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath 2020-05-06 08:13:29 +02:00
media media: fdp1: Fix R-Car M3-N naming in debug message 2020-05-27 17:37:40 +02:00
memory memory: tegra: Don't invoke Tegra30+ specific memory timing setup on Tegra20 2020-01-27 14:50:13 +01:00
memstick
message scsi: mptfusion: Fix double fetch bug in ioctl 2020-01-23 08:21:28 +01:00
mfd mfd: intel-lpss: Use devm_ioremap_uc for MMIO 2020-05-10 10:30:11 +02:00
misc mei: release me_cl object reference 2020-05-27 17:37:43 +02:00
mmc mmc: core: Fix recursive locking issue in CQE recovery path 2020-06-03 08:19:42 +02:00
mtd ubi: Fix seq_file usage in detailed_erase_block_info debugfs file 2020-05-27 17:37:30 +02:00
mux
net net: freescale: select CONFIG_FIXED_PHY where needed 2020-06-03 08:19:30 +02:00
nfc NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() 2020-04-02 15:28:12 +02:00
ntb ntb_hw_switchtec: potential shift wrapping bug in switchtec_ntb_init_sndev() 2020-01-27 14:50:55 +01:00
nubus
nvdimm libnvdimm/btt: Fix LBA masking during 'free list' population 2020-05-27 17:37:39 +02:00
nvme nvme: fix deadlock caused by ANA update wrong locking 2020-04-29 16:31:12 +02:00
nvmem nvmem: imx-ocotp: Change TIMING calculation to u-boot algorithm 2020-01-27 14:50:58 +01:00
of of: overlay: kmemleak in dup_and_fixup_symbol_prop() 2020-04-23 10:30:14 +02:00
opp OPP: Fix missing debugfs supply directory for OPPs 2020-01-27 14:50:04 +01:00
oprofile
parisc
parport parport: load lowlevel driver if ports not found 2019-12-31 16:36:01 +01:00
pci PCI: Move Apex Edge TPU class quirk to fix BAR assignment 2020-05-02 17:25:52 +02:00
pcmcia
perf drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer 2020-03-25 08:06:07 +01:00
phy phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval 2020-03-11 14:15:10 +01:00
pinctrl pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler 2020-05-20 08:18:41 +02:00
platform platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA 2020-05-27 17:37:35 +02:00
pnp
power power: supply: axp288_fuel_gauge: Broaden vendor check for Intel Compute Sticks. 2020-04-23 10:30:22 +02:00
powercap
pps
ps3
ptp ptp: free ptp device pin descriptors properly 2020-01-23 08:21:35 +01:00
pwm pwm: bcm2835: Dynamically allocate base 2020-04-29 16:31:14 +02:00
rapidio rapidio: fix an error in get_user_pages_fast() error handling 2020-05-27 17:37:43 +02:00
ras
regulator regulator: rk808: Lower log level on optional GPIOs being not available 2020-02-24 08:34:40 +01:00
remoteproc remoteproc: Fix wrong rvring index computation 2020-05-02 17:25:47 +02:00
reset reset: uniphier: Add SCSSI reset control for each channel 2020-02-24 08:34:44 +01:00
rpmsg rpmsg: glink: Remove chunk size word align warning 2020-04-13 10:45:16 +02:00
rtc rtc: 88pm860x: fix possible race condition 2020-04-23 10:30:18 +02:00
s390 s390/cio: avoid duplicated 'ADD' uevents 2020-04-29 16:31:13 +02:00
sbus
scsi scsi: ibmvscsi: Fix WARN_ON during event pool release 2020-05-27 17:37:33 +02:00
sfi
sh
siox
slimbus slimbus: ngd: Fix build error on x86 2019-12-13 08:51:54 +01:00
sn
soc soc: imx: gpc: fix power up sequencing 2020-04-23 10:30:17 +02:00
soundwire soundwire: intel: fix PDI/stream mapping for Bulk 2019-12-31 16:35:55 +01:00
spi spi/zynqmp: remove entry that causes a cs glitch 2020-03-25 08:06:06 +01:00
spmi
ssb
staging staging: greybus: Fix uninitialized scalar variable 2020-05-27 17:37:42 +02:00
target scsi: target/iblock: fix WRITE SAME zeroing 2020-05-06 08:13:31 +02:00
tc
tee tee: optee: Fix compilation issue with nommu 2020-02-05 14:43:50 +00:00
thermal thermal: brcmstb_thermal: Do not use DT coefficients 2020-03-05 16:42:22 +01:00
thunderbolt thunderbolt: Drop duplicated get_switch_at_route() 2020-05-27 17:37:40 +02:00
tty tty: serial: qcom_geni_serial: Fix wrap around of TX buffer 2020-05-27 17:37:41 +02:00
uio uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol() 2020-02-24 08:34:37 +01:00
usb usb: gadget: legacy: fix redundant initialization warnings 2020-06-03 08:19:29 +02:00
uwb
vfio vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() 2020-05-06 08:13:31 +02:00
vhost vhost/vsock: fix packet delivery order to monitoring devices 2020-05-27 17:37:32 +02:00
video fbdev: potential information leak in do_fb_ioctl() 2020-04-23 10:30:22 +02:00
virt
virtio virtio_balloon: prevent pfn array overflow 2020-02-24 08:34:54 +01:00
visorbus visorbus: fix uninitialized variable access 2020-02-24 08:34:47 +01:00
vlynq
vme vme: bridges: reduce stack usage 2020-02-24 08:34:47 +01:00
w1
watchdog watchdog: reset last_hw_keepalive time at start 2020-04-29 16:31:09 +02:00
xen xen/xenbus: ensure xenbus_map_ring_valloc() returns proper grant status 2020-05-02 17:25:58 +02:00
zorro
Kconfig
Makefile