github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-07 05:55:44 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
75c610212b
linux/drivers
History
Leon Romanovsky 75c610212b RDMA/ucma: Protect mc during concurrent multicast leaves 
commit 36e8169ec9 upstream.

Partially revert the commit mentioned in the Fixes line to make sure that
allocation and erasing multicast struct are locked.

  BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
  BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
  Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529
  CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
   print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
   __kasan_report mm/kasan/report.c:433 [inline]
   kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
   ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
   ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
   ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614
   ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732
   vfs_write+0x28e/0xae0 fs/read_write.c:588
   ksys_write+0x1ee/0x250 fs/read_write.c:643
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Currently the xarray search can touch a concurrently freeing mc as the
xa_for_each() is not surrounded by any lock. Rather than hold the lock for
a full scan hold it only for the effected items, which is usually an empty
list.

Fixes: 95fe51096b ("RDMA/ucma: Remove mc_list and rely on xarray")
Link: https://lore.kernel.org/r/1cda5fabb1081e8d16e39a48d3a4f8160cea88b8.1642491047.git.leonro@nvidia.com
Reported-by: syzbot+e3f96c43d19782dd14a7@syzkaller.appspotmail.com
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-08 18:30:36 +01:00
..
accessibility
acpi ACPI: battery: Add the ThinkPad "Not Charging" quirk 2022-01-27 10:54:19 +01:00
amba ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" 2021-11-06 14:10:09 +01:00
android binder: fix handling of error during copy 2022-01-27 10:54:06 +01:00
ata libata: if T_LENGTH is zero, dma direction should be DMA_NONE 2021-12-22 09:30:58 +01:00
atm
auxdisplay auxdisplay: ht16k33: Fix frame buffer device blanking 2021-11-18 14:04:24 +01:00
base device property: Fix fwnode_graph_devcon_match() fwnode leak 2022-01-27 10:54:25 +01:00
bcma bcma: Fix memory leak for internally-handled cores 2021-09-15 09:50:45 +02:00
block floppy: Add max size check for user space request 2022-01-27 10:54:14 +01:00
bluetooth Bluetooth: vhci: Set HCI_QUIRK_VALID_LE_STATES 2022-01-27 10:54:18 +01:00
bus Revert "drivers: bus: simple-pm-bus: Add support for probing simple bus only devices" 2022-02-05 12:37:55 +01:00
cdrom
char tpm: fix NPE on probe for missing device 2022-01-27 10:54:24 +01:00
clk clk: si5341: Fix clock HW provider cleanup 2022-01-27 10:54:31 +01:00
clocksource clocksource/drivers/timer-ti-dm: Select TIMER_OF 2021-11-18 14:04:09 +01:00
connector
counter counter: stm32-lptimer-cnt: remove iio counter abi 2022-01-27 10:54:08 +01:00
cpufreq cpufreq: Fix initialization of min and max frequency QoS requests 2022-01-27 10:54:17 +01:00
cpuidle cpuidle: Fix kobject memory leaks in error paths 2021-11-18 14:04:05 +01:00
crypto crypto: caam - replace this_cpu_ptr with raw_cpu_ptr 2022-01-27 10:54:24 +01:00
dax
dca
devfreq
dio
dma dmaengine: at_xdmac: Fix at_xdmac_lld struct definition 2022-01-27 10:54:34 +01:00
dma-buf dma-buf: heaps: Fix potential spectre v1 gadget 2022-02-08 18:30:36 +01:00
edac EDAC/synopsys: Use the quirk for version instead of ddr version 2022-01-27 10:54:11 +01:00
eisa
extcon
firewire
firmware efi/libstub: arm64: Fix image check alignment at entry 2022-02-01 17:25:46 +01:00
fpga fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() 2021-09-30 10:11:04 +02:00
fsi
gnss
gpio gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock 2022-01-27 10:54:15 +01:00
gpu drm/amd/display: Force link_rate as LINK_RATE_RBR2 for 2018 15" Apple Retina panels 2022-02-08 18:30:35 +01:00
greybus
hid HID: vivaldi: fix handling devices not using numbered reports 2022-01-27 10:54:33 +01:00
hsi HSI: core: Fix return freed object in hsi_new_client 2022-01-27 10:54:12 +01:00
hv hyperv/vmbus: include linux/bitops.h 2021-11-18 14:03:42 +01:00
hwmon hwmon: (lm90) Mark alert as broken for MAX6654 2022-02-01 17:25:46 +01:00
hwspinlock
hwtracing coresight: cti: Correct the parameter for pm_runtime_put 2021-11-18 14:03:51 +01:00
i2c i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters 2022-01-27 10:54:23 +01:00
i3c
ide
idle
iio iio: adc: ti-adc081c: Partial revert of removal of ACPI IDs 2022-01-27 10:53:43 +01:00
infiniband RDMA/ucma: Protect mc during concurrent multicast leaves 2022-02-08 18:30:36 +01:00
input Input: zinitix - make sure the IRQ is allocated before it gets enabled 2022-01-11 15:25:02 +01:00
interconnect treewide: Change list_sort to use const pointers 2021-09-30 10:11:04 +02:00
iommu iommu/iova: Fix race between FQ timeout and teardown 2022-01-27 10:54:08 +01:00
ipack ipack: ipoctal: fix module reference leak 2021-10-06 15:56:01 +02:00
irqchip irqchip/gic-v4: Disable redistributors' view of the VPE table at boot time 2022-01-27 10:54:23 +01:00
isdn mISDN: change function names to avoid conflicts 2022-01-11 15:25:02 +01:00
leds leds: trigger: audio: Add an activate callback to ensure the initial brightness is set 2021-09-15 09:50:36 +02:00
lightnvm
macintosh
mailbox soc: mediatek: cmdq: add address shift in jump 2021-09-18 13:40:16 +02:00
mcb mcb: fix error handling in mcb_alloc_bus() 2021-09-30 10:11:00 +02:00
md dm: fix alloc_dax error handling in alloc_dev 2022-01-27 10:54:22 +01:00
media media: venus: core: Drop second v4l2 device unregister 2022-02-01 17:25:38 +01:00
memory memory: renesas-rpc-if: Return error in case devm_ioremap_resource() fails 2022-01-27 10:53:48 +01:00
memstick memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-11-18 14:04:07 +01:00
message
mfd mfd: atmel-flexcom: Use .resume_noirq 2022-01-27 10:53:51 +01:00
misc misc: lattice-ecp3-config: Fix task hung when firmware load failed 2022-01-27 10:54:08 +01:00
mmc mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO 2022-01-27 10:54:16 +01:00
most most: fix control-message timeouts 2021-11-18 14:03:51 +01:00
mtd mtd: rawnand: mpc5121: Remove unused variable in ads5121_select_chip() 2022-02-01 17:25:48 +01:00
mux
net net: amd-xgbe: Fix skb data length underflow 2022-02-05 12:37:56 +01:00
nfc NFC: st21nfca: Fix memory leak in device probe and remove 2022-01-05 12:40:31 +01:00
ntb NTB: perf: Fix an error code in perf_setup_inbuf() 2021-09-22 12:28:02 +02:00
nubus
nvdimm libnvdimm/pmem: Fix crash triggered when I/O in-flight during unbind 2021-09-18 13:40:36 +02:00
nvme nvme-fabrics: fix state check in nvmf_ctlr_matches_baseopts() 2022-02-08 18:30:35 +01:00
nvmem nvmem: core: set size for sysfs bin file 2022-01-27 10:54:22 +01:00
of of: base: Improve argument length mismatch error 2022-01-27 10:54:28 +01:00
opp opp: Fix return in _opp_add_static_v2() 2021-11-18 14:04:22 +01:00
oprofile
parisc parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries 2022-01-27 10:54:31 +01:00
parport parport: remove non-zero check on count 2021-09-18 13:40:34 +02:00
pci PCI: pciehp: Fix infinite loop in IRQ handler upon power fault 2022-02-05 12:37:54 +01:00
pcmcia pcmcia: fix setting of kthread task states 2022-01-27 10:54:03 +01:00
perf
phy phy: uniphier-usb3ss: fix unintended writing zeros to PHY register 2022-01-27 10:54:08 +01:00
pinctrl pinctrl: mediatek: fix global-out-of-bounds issue 2021-12-29 12:26:07 +01:00
platform platform/x86: apple-gmux: use resource_size() with res 2022-01-05 12:40:29 +01:00
pnp
power power: reset: mt6397: Check for null res pointer 2022-01-27 10:54:00 +01:00
powercap
pps
ps3
ptp ptp_pch: Load module automatically if ID matches 2021-10-13 10:04:27 +02:00
pwm pwm: stm32-lp: Don't modify HW state in .remove() callback 2021-09-26 14:09:01 +02:00
rapidio
ras
regulator regulator: qcom_smd: Align probe function with rpmh-regulator 2022-01-27 10:54:20 +01:00
remoteproc remoteproc: qcom: pil_info: Don't memcpy_toio more than is provided 2022-01-20 09:17:50 +01:00
reset reset: socfpga: add empty driver allowing consumers to probe 2021-11-18 14:03:42 +01:00
rpmsg rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev 2022-02-01 17:25:43 +01:00
rtc rtc: pxa: fix null pointer dereference 2022-01-27 10:54:33 +01:00
s390 scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices 2022-02-01 17:25:39 +01:00
sbus
scsi scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() 2022-02-01 17:25:43 +01:00
sfi
sh maple: fix wrong return value of maple_bus_init(). 2021-11-26 10:39:12 +01:00
siox
slimbus slimbus: ngd: reset dma setup during runtime pm 2021-08-26 08:35:55 -04:00
soc Revert "ASoC: mediatek: Check for error clk pointer" 2022-02-08 18:30:36 +01:00
soundwire soundwire: debugfs: use controller id and link_id for debugfs 2021-11-18 14:04:16 +01:00
spi spi: uniphier: Fix a bug that doesn't point to private data correctly 2022-01-27 10:54:24 +01:00
spmi
ssb
staging media: atomisp: handle errors at sh_css_create_isp_params() 2022-01-27 10:54:11 +01:00
target scsi: target: Fix alua_tg_pt_gps_count tracking 2021-11-26 10:39:11 +01:00
tc
tee tee: fix put order in teedev_close_context() 2022-01-27 10:53:49 +01:00
thermal thermal/drivers/imx8mm: Enable ADC when enabling monitor 2022-01-27 10:53:52 +01:00
thunderbolt thunderbolt: Runtime PM activate both ends of the device link 2022-01-27 10:54:14 +01:00
tty tty: Add support for Brainboxes UC cards. 2022-02-01 17:25:40 +01:00
uio
usb ucsi_ccg: Check DEV_INT bit only when starting CCG4 2022-02-01 17:25:41 +01:00
vdpa vdpa/mlx5: Fix wrong configuration of virtio_version_1_0 2022-01-27 10:54:33 +01:00
vfio vfio: Use config not menuconfig for VFIO_NOIOMMU 2021-09-18 13:40:12 +02:00
vhost vdpa: check that offsets are within bounds 2021-12-22 09:30:51 +01:00
video video: hyperv_fb: Fix validation of screen resolution 2022-02-01 17:25:46 +01:00
virt
virtio virtio_ring: mark ring unused on error 2022-01-27 10:54:33 +01:00
visorbus
vlynq
vme
w1 w1: Misuse of get_user()/put_user() reported by sparse 2022-01-27 10:54:22 +01:00
watchdog ar7: fix kernel builds for compiler test 2021-11-18 14:04:24 +01:00
xen xen/gntdev: fix unmap notification order 2022-01-27 10:54:24 +01:00
zorro
Kconfig
Makefile