[PATCH rdma-next v1] IB/umad: Fix use-after-free in cdev_put

From: Leon Romanovsky <leonro@xxxxxxxxxxxx>

Misplaced kfree causes the following use-after-free error.

[2018-12-11 22:40:58] BUG: KASAN: use-after-free in cdev_put.part.1+0x40/0x50
[2018-12-11 22:40:58] Read of size 8 at addr ffff8881b8bb6890 by task opensm/9230
[2018-12-11 22:40:58]
[2018-12-11 22:40:58] CPU: 0 PID: 9230 Comm: opensm Tainted: G OE     4.20.0-rc6-for-upstream-dbg-2018-12-11_06-14-26-54 #1
[2018-12-11 22:40:58] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[2018-12-11 22:40:58] Call Trace:
[2018-12-11 22:40:58]  dump_stack+0x9a/0xeb
[2018-12-11 22:40:58]  print_address_description+0xe3/0x2e0
[2018-12-11 22:40:58]  kasan_report+0x16b/0x2f0
[2018-12-11 22:40:58]  ? cdev_put.part.1+0x40/0x50
[2018-12-11 22:40:58]  ? ib_umad_close+0x33b/0x470 [ib_umad]
[2018-12-11 22:40:58]  cdev_put.part.1+0x40/0x50
[2018-12-11 22:40:58]  __fput+0x5fe/0x7a0
[2018-12-11 22:40:58]  task_work_run+0x10d/0x180
[2018-12-11 22:40:58]  do_exit+0x798/0x29d0
[2018-12-11 22:40:58]  ? plist_check_list+0x3c/0x90
[2018-12-11 22:40:58]  ? mm_update_next_owner+0x680/0x680
[2018-12-11 22:40:58]  ? memset+0x1f/0x40
[2018-12-11 22:40:58]  ? __dequeue_signal+0x351/0x6f0
[2018-12-11 22:40:58]  ? dequeue_signal+0x8c/0x4e0
[2018-12-11 22:40:58]  ? check_flags.part.26+0x440/0x440
[2018-12-11 22:40:58]  ? __dequeue_signal+0x6f0/0x6f0
[2018-12-11 22:40:58]  do_group_exit+0xed/0x2b0
[2018-12-11 22:40:58]  get_signal+0x572/0x14d0
[2018-12-11 22:40:58]  ? do_futex+0x5d8/0xef0
[2018-12-11 22:40:58]  do_signal+0x97/0x15f0
[2018-12-11 22:40:58]  ? __pmd_alloc+0x270/0x270
[2018-12-11 22:40:58]  ? check_flags.part.26+0x440/0x440
[2018-12-11 22:40:58]  ? do_mprotect_pkey+0x14a/0x870
[2018-12-11 22:40:58]  ? setup_sigcontext+0x820/0x820
[2018-12-11 22:40:58]  ? __x64_sys_futex+0x254/0x300
[2018-12-11 22:40:58]  ? __do_page_fault+0x295/0xaf0
[2018-12-11 22:40:58]  ? __ia32_sys_futex+0x350/0x350
[2018-12-11 22:40:58]  ? up_read+0x136/0x180
[2018-12-11 22:40:58]  exit_to_usermode_loop+0x9a/0x150
[2018-12-11 22:40:58]  do_syscall_64+0x368/0x410
[2018-12-11 22:40:58]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[2018-12-11 22:40:58] RIP: 0033:0x7f752b10ec3b
[2018-12-11 22:40:58] Code: Bad RIP value.
[2018-12-11 22:40:58] RSP: 002b:00007f7529b01e10 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[2018-12-11 22:40:58] RAX: fffffffffffffe00 RBX: 00007ffd72c323e0 RCX: 00007f752b10ec3b
[2018-12-11 22:40:58] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007ffd72c32408
[2018-12-11 22:40:58] RBP: 00007ffd72c32404 R08: 0000000000000000 R09: 0000000000000000
[2018-12-11 22:40:58] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd72c32408
[2018-12-11 22:40:58] R13: 0000000000000000 R14: 00007ffd72c32410 R15: 000000000000003e
[2018-12-11 22:40:58]
[2018-12-11 22:40:58] Allocated by task 8558:
[2018-12-11 22:40:58]  kasan_kmalloc+0xa0/0xd0
[2018-12-11 22:40:58]  __kmalloc+0x183/0x3f0
[2018-12-11 22:40:58]  ib_umad_add_one+0xcf/0xb30 [ib_umad]
[2018-12-11 22:40:58]  ib_register_client+0x74/0x190 [ib_core]
[2018-12-11 22:40:58]  0xffffffffa0ae00a5
[2018-12-11 22:40:58]  do_one_initcall+0xa3/0x487
[2018-12-11 22:40:58]  do_init_module+0x1b2/0x59c
[2018-12-11 22:40:58]  load_module+0x4191/0x5f70
[2018-12-11 22:40:58]  __do_sys_finit_module+0x192/0x1c0
[2018-12-11 22:40:58]  do_syscall_64+0x95/0x410
[2018-12-11 22:40:58]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[2018-12-11 22:40:58]
[2018-12-11 22:40:58] Freed by task 9230:
[2018-12-11 22:40:58]  __kasan_slab_free+0x11d/0x160
[2018-12-11 22:40:58]  kfree+0xf5/0x2f0
[2018-12-11 22:40:58]  ib_umad_close+0x33b/0x470 [ib_umad]
[2018-12-11 22:40:58]  __fput+0x24f/0x7a0
[2018-12-11 22:40:58]  task_work_run+0x10d/0x180
[2018-12-11 22:40:58]  do_exit+0x798/0x29d0
[2018-12-11 22:40:58]  do_group_exit+0xed/0x2b0
[2018-12-11 22:40:58]  get_signal+0x572/0x14d0
[2018-12-11 22:40:58]  do_signal+0x97/0x15f0
[2018-12-11 22:40:58]  exit_to_usermode_loop+0x9a/0x150
[2018-12-11 22:40:58]  do_syscall_64+0x368/0x410
[2018-12-11 22:40:58]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[2018-12-11 22:40:58]
[2018-12-11 22:40:58] The buggy address belongs to the object at ffff8881b8bb6848
[2018-12-11 22:40:58]  which belongs to the cache kmalloc-4k of size 4096
[2018-12-11 22:40:58] The buggy address is located 72 bytes inside of
[2018-12-11 22:40:58]  4096-byte region [ffff8881b8bb6848, ffff8881b8bb7848)
[2018-12-11 22:40:58] The buggy address belongs to the page:
[2018-12-11 22:40:58] page:ffffea0006e2ec00 count:1 mapcount:0 mapping:ffff8882e9c0e6c0 index:0x0 compound_mapcount: 0
[2018-12-11 22:40:58] flags: 0x2fffff80010200(slab|head)
[2018-12-11 22:40:58] raw: 002fffff80010200 ffffea0007b77c08 ffffea000b94b408 ffff8882e9c0e6c0
[2018-12-11 22:40:58] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[2018-12-11 22:40:58] page dumped because: kasan: bad access detected
[2018-12-11 22:40:58]
[2018-12-11 22:40:58] Memory state around the buggy address:
[2018-12-11 22:40:58]  ffff8881b8bb6780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[2018-12-11 22:40:58]  ffff8881b8bb6800: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
[2018-12-11 22:40:58] >ffff8881b8bb6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[2018-12-11 22:40:58]                          ^
[2018-12-11 22:40:58]  ffff8881b8bb6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[2018-12-11 22:40:58]  ffff8881b8bb6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[2018-12-11 22:40:58]

Fixes: e9dd5daf884c ("IB/umad: Refactor code to use cdev_device_add()")
Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
---
Changelog v0->v1:
 * Set upstream SHA1 in Fixes
---
 drivers/infiniband/core/user_mad.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index 1a90012b5542..6929796e35e6 100644
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -1031,8 +1031,8 @@ static int ib_umad_close(struct inode *inode, struct file *filp)

 	mutex_unlock(&file->port->file_mutex);

-	kfree(file);
 	ib_umad_dev_put(dev);
+	kfree(file);
 	return 0;
 }

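Review bot: the commit message does not explain how this reorder fixes the report. KASAN says the freed object is the 4096-byte allocation made in ib_umad_add_one (the umad device) and the faulting read is in cdev_put called from __fput at an offset inside that object, yet the hunk only moves `kfree(file);` to after `ib_umad_dev_put(dev);`, and `dev` is a local that is not reached through `file` at that point. Please state which reference the reorder restores so that the cdev embedded in the device outlives the release callback until __fput's cdev_put, or confirm that the device reference, rather than `file`, is what needs to be dropped last; as written, a reader cannot tie "Misplaced kfree" to the freed device object shown in the trace.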
--
2.19.1



