> From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
>
> The error in ucma_create_id() left ctx in the list of contexts belonging
> to the ucma file descriptor. The attempt to close this file descriptor
> causes use-after-free accesses while iterating over that list.
>
> Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
> Reported-by: <syzbot+dcfd344365a56fbebd0f@xxxxxxxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>

Reviewed-by: Sean Hefty <sean.hefty@xxxxxxxxx>

> ---
> drivers/infiniband/core/ucma.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
> index 718ed16688a8..07d017fee58f 100644
> --- a/drivers/infiniband/core/ucma.c
> +++ b/drivers/infiniband/core/ucma.c
> @@ -497,6 +497,9 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
> mutex_lock(&mut);
> idr_remove(&ctx_idr, ctx->id);
> mutex_unlock(&mut);
> + mutex_lock(&file->mut);
> + list_del(&ctx->list);
> + mutex_unlock(&file->mut);
> kfree(ctx);
> return ret;

I think this bug increased the chance of hitting the problem fixed by
https://marc.info/?l=linux-rdma&m=152145488311190&w=2
RDMA/ucma: Ensure that CM_ID exists prior to access it

But there may be another issue here. Between calling rdma_create_id() and
copy_to_user() in ucma_create_id(), an application could access the newly
allocated ucma_context through another call (by guessing the ctx). If
copy_to_user() fails, we'll destroy the context while it is being accessed.

If we delay setting ctx->cm_id until immediately before returning from this
call, that should fix the issue. But see my follow-up response to my
response to the above thread.

- Sean
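Review bot: the added list_del() under file->mut in the err1 path undoes the second of the two registrations the context received at allocation, but it still leaves a window between idr_remove(&ctx_idr, ctx->id) and list_del(&ctx->list) in which the context is gone from the idr yet still reachable from file->ctx_list. That is only safe because kfree(ctx) follows both removals; a short comment saying so, or a small helper that drops the idr entry and the list entry together (the inverse of the allocation order) and is called from every teardown path, would keep the next error path from repeating the omission this hunk fixes. The presence of idr_remove() in this error path also shows the context was already reachable by id before ucma_create_id() returned, so the commit message could state plainly that the patch addresses the close-time use-after-free only and not the by-id lookup window.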
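The following is an added userspace model of the two problems discussed in this thread, written for this page and not taken from the kernel or from the patch: an error path that frees a context still linked on the file's list (the use-after-free the patch fixes), and a context that is already registered by id before its cm_id is set (the window Sean describes). The list helpers, the array standing in for ctx_idr, the `patched` flag and the `copy_fails` flag are all stand-ins chosen for the illustration; the model is single-threaded, so the kernel's mutexes are omitted.

```c
/* Added model of the ucma_create_id() error path; not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_IDS 8

/* Minimal intrusive doubly linked list in the style of <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct ucma_file { struct list_head ctx_list; };
struct ucma_context {
	int id;
	void *cm_id;            /* stays NULL until ucma_create_id() succeeds */
	struct list_head list;  /* linked into ucma_file::ctx_list */
};

/* Stand-in for the global ctx_idr: id -> context. */
static struct ucma_context *ctx_idr[MAX_IDS];
static int idr_alloc(struct ucma_context *ctx)
{
	for (int i = 0; i < MAX_IDS; i++)
		if (!ctx_idr[i]) { ctx_idr[i] = ctx; return i; }
	return -ENOSPC;
}
static void idr_remove(int id) { ctx_idr[id] = NULL; }
static struct ucma_context *idr_find(int id)
{
	return (id >= 0 && id < MAX_IDS) ? ctx_idr[id] : NULL;
}

/* Registers the new context in the idr and on the file's list. */
static struct ucma_context *ucma_alloc_ctx(struct ucma_file *file)
{
	struct ucma_context *ctx = calloc(1, sizeof(*ctx));
	if (!ctx)
		return NULL;
	ctx->id = idr_alloc(ctx);
	if (ctx->id < 0) { free(ctx); return NULL; }
	list_add_tail(&ctx->list, &file->ctx_list);
	return ctx;
}

/* copy_fails models copy_to_user() failing; patched selects the fixed error path. */
static int ucma_create_id(struct ucma_file *file, void *cm_id, bool copy_fails, bool patched)
{
	struct ucma_context *ctx = ucma_alloc_ctx(file);
	if (!ctx)
		return -ENOMEM;
	if (copy_fails) {
		idr_remove(ctx->id);
		if (patched)
			list_del(&ctx->list);   /* the line the patch adds */
		free(ctx);  /* unpatched: file->ctx_list still points at this freed node */
		return -EFAULT;
	}
	ctx->cm_id = cm_id;
	return ctx->id;
}

/* Lookup by id as a later command would do it; rejects a context whose cm_id is not set yet. */
static struct ucma_context *ucma_get_ctx(int id)
{
	struct ucma_context *ctx = idr_find(id);
	return (ctx && ctx->cm_id) ? ctx : NULL;
}

/* Close: tear down whatever is still on the list, returning how many contexts that was. */
static size_t ucma_close(struct ucma_file *file)
{
	size_t n = 0;
	while (!list_empty(&file->ctx_list)) {
		struct ucma_context *ctx = container_of(file->ctx_list.next, struct ucma_context, list);
		list_del(&ctx->list); idr_remove(ctx->id); free(ctx); n++;
	}
	return n;
}

/* True when a failed create leaves the file's list empty; false means a dangling entry. */
static bool error_path_leaves_list_clean(bool patched)
{
	struct ucma_file file; INIT_LIST_HEAD(&file.ctx_list);
	ucma_create_id(&file, (void *)1, true, patched);
	return list_empty(&file.ctx_list);   /* pointer compare only: no dereference of freed memory */
}

/* Sean's window: the context is findable by id, but the guarded lookup refuses it. */
static bool lookup_blocked_before_cm_id_set(void)
{
	struct ucma_file file; INIT_LIST_HEAD(&file.ctx_list);
	struct ucma_context *ctx = ucma_alloc_ctx(&file);
	bool ok = ctx && idr_find(ctx->id) == ctx && ucma_get_ctx(ctx->id) == NULL;
	return ok && ucma_close(&file) == 1;
}

/* One successful create plus one failed (patched) create leaves exactly one context to close. */
static size_t close_count_after_mixed_calls(void)
{
	struct ucma_file file; INIT_LIST_HEAD(&file.ctx_list);
	ucma_create_id(&file, (void *)1, false, true);
	ucma_create_id(&file, (void *)1, true, true);
	return ucma_close(&file);
}
```

Running the unpatched case under AddressSanitizer and then calling ucma_close() on that file is the userspace equivalent of the syzbot report: the walk dereferences the freed node. The model deliberately never does that walk, so it can be executed without a sanitizer; it only observes that the list still points at freed memory.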