linux/drivers
Leon Romanovsky 2923948ffe RDMA/ucma: Protect mc during concurrent multicast leaves
commit 36e8169ec9 upstream.

Partially revert the commit mentioned in the Fixes line to make sure that
allocation and erasing multicast struct are locked.

  BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
  BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
  Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529
  CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
   print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
   __kasan_report mm/kasan/report.c:433 [inline]
   kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
   ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
   ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
   ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614
   ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732
   vfs_write+0x28e/0xae0 fs/read_write.c:588
   ksys_write+0x1ee/0x250 fs/read_write.c:643
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Currently the xarray search can touch a concurrently freeing mc as the
xa_for_each() is not surrounded by any lock. Rather than hold the lock for
a full scan hold it only for the affected items, which is usually an empty
list.

Fixes: 95fe51096b ("RDMA/ucma: Remove mc_list and rely on xarray")
Link: https://lore.kernel.org/r/1cda5fabb1081e8d16e39a48d3a4f8160cea88b8.1642491047.git.leonro@nvidia.com
Reported-by: syzbot+e3f96c43d19782dd14a7@syzkaller.appspotmail.com
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-08 18:34:06 +01:00
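The lock discipline the commit message describes, as an added user-space model that is not code from the kernel, from this commit or from the ucma driver: entries live in one shared table (a fixed-size array here, standing in for the xarray) and each context also keeps its own list of the entries it owns; join, leave and cleanup all take a single mutex (standing in for xa_lock) around publish, unlink and free, and cleanup walks only the owning context's list rather than scanning the whole table. Every name (TABLE_SIZE, mc_join, mc_leave, mc_cleanup, leaver, run_concurrent_leave_and_cleanup) is hypothetical. The stress function races two leaving threads against a cleanup of the same context and checks the invariant that matters for this bug class: every entry is freed exactly once and nothing stays behind, whatever interleaving the scheduler produces.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_SIZE 64  /* hypothetical fixed-size stand-in for the kernel xarray */
struct mc_ctx { struct mc_entry *mc_list; };  /* the entries this context owns */
struct mc_entry {                            /* model of one multicast entry */
    unsigned id;                             /* table slot, like the xarray index */
    struct mc_ctx *ctx;                      /* owning context */
    struct mc_entry *next;                   /* link in the owner's list */
};
static struct mc_entry *table[TABLE_SIZE];                      /* shared table */
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;  /* stands in for xa_lock */
static unsigned long freed_count;                               /* instrumentation, written under the lock */

/* Join: allocate, publish in the first free slot and link to the owner, all under the lock. */
static struct mc_entry *mc_join(struct mc_ctx *ctx)
{
    struct mc_entry *mc = calloc(1, sizeof(*mc));
    unsigned i = 0;
    if (!mc) return NULL;
    pthread_mutex_lock(&table_lock);
    while (i < TABLE_SIZE && table[i]) i++;
    if (i == TABLE_SIZE) { pthread_mutex_unlock(&table_lock); free(mc); return NULL; }  /* table full */
    mc->id = i;
    mc->ctx = ctx;
    mc->next = ctx->mc_list;
    ctx->mc_list = mc;
    table[i] = mc;
    pthread_mutex_unlock(&table_lock);
    return mc;
}

/* Leave: erase one entry.  Lookup, ownership check, unlink and free all happen under the lock, so a
 * concurrent cleanup sees the entry either still linked or gone, never freed-but-still-visible. */
static bool mc_leave(struct mc_ctx *ctx, unsigned id)
{
    struct mc_entry *mc, **pp;
    bool found = false;
    if (id >= TABLE_SIZE) return false;
    pthread_mutex_lock(&table_lock);
    mc = table[id];
    if (mc && mc->ctx == ctx) {
        for (pp = &ctx->mc_list; *pp != mc; pp = &(*pp)->next) ;  /* mc is always on its owner's list */
        *pp = mc->next;
        table[id] = NULL;
        free(mc);
        freed_count++;
        found = true;
    }
    pthread_mutex_unlock(&table_lock);
    return found;
}

/* Cleanup: free everything ctx owns.  Only ctx's own list is walked under the lock, not the whole
 * table, so the lock is held only for the affected items, which is usually none. */
static unsigned mc_cleanup(struct mc_ctx *ctx)
{
    unsigned n = 0;
    pthread_mutex_lock(&table_lock);
    while (ctx->mc_list) {
        struct mc_entry *mc = ctx->mc_list;
        ctx->mc_list = mc->next;
        table[mc->id] = NULL;
        free(mc);
        freed_count++;
        n++;
    }
    pthread_mutex_unlock(&table_lock);
    return n;
}

static struct mc_ctx g_ctx;   /* the one context the stress run races on */
static void *leaver(void *p)  /* thread body: leave every id with the parity passed in p */
{
    for (unsigned id = (unsigned)(uintptr_t)p; id < TABLE_SIZE; id += 2) mc_leave(&g_ctx, id);
    return NULL;
}

/* Race two leaving threads against a cleanup of the same context.  Returns true when every joined
 * entry was freed exactly once and nothing is left behind, whatever interleaving the scheduler
 * picked; build with -fsanitize=address to turn any use-after-free into a crash as well. */
static bool run_concurrent_leave_and_cleanup(unsigned joins)
{
    pthread_t t[2];
    unsigned joined = 0;
    memset(table, 0, sizeof(table));
    g_ctx.mc_list = NULL;
    freed_count = 0;
    for (unsigned i = 0; i < joins; i++) joined += mc_join(&g_ctx) != NULL;
    for (uintptr_t i = 0; i < 2; i++) pthread_create(&t[i], NULL, leaver, (void *)i);
    mc_cleanup(&g_ctx);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    for (unsigned i = 0; i < TABLE_SIZE; i++) if (table[i]) return false;  /* a slot survived: leak */
    return joined == joins && freed_count == joined && g_ctx.mc_list == NULL;
}

int main(void) { return run_concurrent_leave_and_cleanup(TABLE_SIZE) ? 0 : 1; }
```

The point of the per-context list is that teardown never has to iterate the shared table at all: it unlinks only what the dying context owns, under the same lock that leave takes, so there is no window in which an entry is reachable from the table but already freed. Run the stress function in a loop under ASan or with `-fsanitize=thread` to exercise the interleavings; a version of mc_cleanup that scans the table without the lock fails this invariant (or crashes under the sanitizer) rather than passing by luck.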
accessibility
acpi ACPI: CPPC: Check present CPUs for determining _CPC is valid 2022-01-27 11:04:51 +01:00
amba ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" 2021-11-06 14:13:31 +01:00
android binder: avoid potential data leakage when copying txn 2022-01-27 11:04:09 +01:00
ata libata: if T_LENGTH is zero, dma direction should be DMA_NONE 2021-12-22 09:32:49 +01:00
atm
auxdisplay auxdisplay: charlcd: checking for pointer reference before dereferencing 2022-01-11 15:35:17 +01:00
base device property: Fix fwnode_graph_devcon_match() fwnode leak 2022-01-27 11:05:10 +01:00
bcma
block floppy: Add max size check for user space request 2022-01-27 11:04:34 +01:00
bluetooth Bluetooth: btusb: Return error code when getting patch status failed 2022-01-27 11:05:22 +01:00
bus bus: mhi: core: Fix race while handling SYS_ERR at power up 2022-01-27 11:02:58 +01:00
cdrom
char tpm: fix NPE on probe for missing device 2022-01-27 11:05:07 +01:00
clk clk: si5341: Fix clock HW provider cleanup 2022-01-27 11:05:31 +01:00
clocksource clocksource/drivers/dw_apb_timer_of: Fix probe failure 2021-12-14 10:57:23 +01:00
comedi comedi: vmk80xx: fix bulk and interrupt message timeouts 2021-11-12 15:05:51 +01:00
connector
counter
cpufreq cpufreq: Fix initialization of min and max frequency QoS requests 2022-01-27 11:04:44 +01:00
cpuidle cpuidle: Fix kobject memory leaks in error paths 2021-11-18 19:16:29 +01:00
crypto crypto: octeontx2 - uninitialized variable in kvf_limits_store() 2022-01-27 11:05:30 +01:00
cxl cxl/pmem: Fix reference counting for delayed work 2022-01-27 11:02:58 +01:00
dax
dca
devfreq
dio
dma dmaengine: at_xdmac: Fix at_xdmac_lld struct definition 2022-01-27 11:05:38 +01:00
dma-buf dma-buf: heaps: Fix potential spectre v1 gadget 2022-02-08 18:34:06 +01:00
edac EDAC/synopsys: Use the quirk for version instead of ddr version 2022-01-27 11:04:28 +01:00
eisa
extcon
firewire
firmware efi/libstub: arm64: Fix image check alignment at entry 2022-02-01 17:27:11 +01:00
fpga
fsi
gnss
gpio gpio: idt3243x: Fix IRQ check in idt_gpio_probe 2022-01-27 11:05:31 +01:00
gpu drm/amd/display: Force link_rate as LINK_RATE_RBR2 for 2018 15" Apple Retina panels 2022-02-08 18:34:05 +01:00
greybus
hid HID: vivaldi: fix handling devices not using numbered reports 2022-01-27 11:05:34 +01:00
hsi HSI: core: Fix return freed object in hsi_new_client 2022-01-27 11:04:31 +01:00
hv Drivers: hv: balloon: account for vmbus packet header in max_pkt_size 2022-02-01 17:27:11 +01:00
hwmon hwmon: (adt7470) Prevent divide by zero in adt7470_fan_write() 2022-02-01 17:27:12 +01:00
hwspinlock
hwtracing coresight: trbe: Defer the probe on offline CPUs 2021-11-18 19:16:06 +01:00
i2c i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters 2022-01-27 11:05:02 +01:00
i3c
idle
iio iio: trigger: Fix a scheduling whilst atomic issue seen on tsc2046 2022-01-27 11:02:57 +01:00
infiniband RDMA/ucma: Protect mc during concurrent multicast leaves 2022-02-08 18:34:06 +01:00
input Input: zinitix - make sure the IRQ is allocated before it gets enabled 2022-01-11 15:35:19 +01:00
interconnect interconnect: qcom: rpm: Prevent integer overflow in rate 2022-01-27 11:05:00 +01:00
iommu iommu/iova: Fix race between FQ timeout and teardown 2022-01-27 11:04:15 +01:00
ipack
irqchip irqchip/realtek-rtl: Fix off-by-one in routing 2022-02-01 17:27:15 +01:00
isdn mISDN: change function names to avoid conflicts 2022-01-11 15:35:18 +01:00
leds leds: lp55xx: initialise output direction from dts 2022-01-27 11:04:21 +01:00
macintosh
mailbox mailbox: change mailbox-mpfs compatible string 2022-01-27 11:05:05 +01:00
mcb
md dm: properly fix redundant bio-based IO accounting 2022-02-01 17:27:03 +01:00
media media: correct MEDIA_TEST_SUPPORT help text 2022-01-27 11:05:20 +01:00
memory memory: renesas-rpc-if: Return error in case devm_ioremap_resource() fails 2022-01-27 11:03:11 +01:00
memstick memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-11-18 19:16:32 +01:00
message
mfd mfd: tps65910: Set PWR_OFF bit during driver probe 2022-01-27 11:05:07 +01:00
misc habanalabs: skip read fw errors if dynamic descriptor invalid 2022-01-27 11:05:04 +01:00
mmc mmc: mtk-sd: Use readl_poll_timeout instead of open-coded polling 2022-01-27 11:04:50 +01:00
most most: fix control-message timeouts 2021-11-18 19:16:08 +01:00
mtd mtd: rawnand: mpc5121: Remove unused variable in ads5121_select_chip() 2022-02-01 17:27:16 +01:00
mux
net e1000e: Handshake with CSME starts from ADL platforms 2022-02-05 12:38:59 +01:00
nfc NFC: st21nfca: Fix memory leak in device probe and remove 2022-01-05 12:42:36 +01:00
ntb
nubus
nvdimm nvdimm/pmem: cleanup the disk if pmem_release_disk() is yet assigned 2021-11-18 19:17:07 +01:00
nvme nvme-fabrics: fix state check in nvmf_ctlr_matches_baseopts() 2022-02-08 18:34:05 +01:00
nvmem nvmem: core: set size for sysfs bin file 2022-01-27 11:04:59 +01:00
of of: base: Improve argument length mismatch error 2022-01-27 11:05:19 +01:00
opp opp: Fix return in _opp_add_static_v2() 2021-11-18 19:17:00 +01:00
parisc parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries 2022-01-27 11:05:28 +01:00
parport
pci PCI: pciehp: Fix infinite loop in IRQ handler upon power fault 2022-02-05 12:38:56 +01:00
pcmcia pcmcia: fix setting of kthread task states 2022-01-27 11:04:02 +01:00
perf perf/arm-cmn: Fix CPU hotplug unregistration 2022-01-27 11:03:36 +01:00
phy phy: mediatek: Fix missing check in mtk_mipi_tx_probe 2022-01-27 11:05:05 +01:00
pinctrl pinctrl/rockchip: fix gpio device creation 2022-01-27 11:05:31 +01:00
platform platform/x86/intel: hid: add quirk to support Surface Go 3 2022-01-16 09:12:45 +01:00
pnp
power power: reset: mt6397: Check for null res pointer 2022-01-27 11:03:49 +01:00
powercap
pps
ps3
ptp net: fix SOF_TIMESTAMPING_BIND_PHC to work with multiple sockets 2022-01-27 11:03:52 +01:00
pwm
rapidio
ras
regulator regulator: qcom_smd: Align probe function with rpmh-regulator 2022-01-27 11:04:54 +01:00
remoteproc remoteproc: imx_rproc: Fix a resource leak in the remove function 2022-01-27 11:05:10 +01:00
reset reset: renesas: Fix Runtime PM usage 2022-01-11 15:35:16 +01:00
rpmsg rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev 2022-02-01 17:27:07 +01:00
rtc rtc: pxa: fix null pointer dereference 2022-01-27 11:05:34 +01:00
s390 scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices 2022-02-01 17:27:00 +01:00
sbus
scsi scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() 2022-02-01 17:27:07 +01:00
sh maple: fix wrong return value of maple_bus_init(). 2021-11-25 09:48:31 +01:00
siox
slimbus
soc Revert "ASoC: mediatek: Check for error clk pointer" 2022-02-08 18:34:06 +01:00
soundwire soundwire: bus: stop dereferencing invalid slave pointer 2021-11-18 19:16:54 +01:00
spi spi: stm32-qspi: Update spi registering 2022-02-08 18:34:03 +01:00
spmi
ssb
staging media: atomisp: fix "variable dereferenced before check 'asd'" 2022-01-27 11:04:36 +01:00
target scsi: target: Fix alua_tg_pt_gps_count tracking 2021-11-25 09:48:29 +01:00
tc
tee tee: fix put order in teedev_close_context() 2022-01-27 11:03:12 +01:00
thermal thermal/drivers/imx8mm: Enable ADC when enabling monitor 2022-01-27 11:03:23 +01:00
thunderbolt thunderbolt: Runtime PM activate both ends of the device link 2022-01-27 11:04:36 +01:00
tty tty: Add support for Brainboxes UC cards. 2022-02-01 17:27:03 +01:00
uio
usb usb: dwc3: xilinx: fix uninitialized return value 2022-02-01 17:27:15 +01:00
vdpa vdpa/mlx5: Restore cur_num_vqs in case of failure in change_num_qps() 2022-01-27 11:05:36 +01:00
vfio
vhost vdpa: check that offsets are within bounds 2021-12-22 09:32:36 +01:00
video fbcon: Add option to enable legacy hardware acceleration 2022-02-08 18:34:06 +01:00
virt nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert 2022-01-05 12:42:39 +01:00
virtio virtio_ring: mark ring unused on error 2022-01-27 11:05:35 +01:00
visorbus
vlynq
vme
w1 w1: Misuse of get_user()/put_user() reported by sparse 2022-01-27 11:04:59 +01:00
watchdog ar7: fix kernel builds for compiler test 2021-11-18 19:17:03 +01:00
xen xen/gntdev: fix unmap notification order 2022-01-27 11:05:08 +01:00
zorro
Kconfig firmware: include drivers/firmware/Kconfig unconditionally 2021-10-07 16:51:26 +02:00
Makefile virtio: always enter drivers/virtio/ 2021-12-22 09:32:39 +01:00