On Tue, Jun 16, 2020 at 12:34:08PM +0300, Michal Kalderon wrote:
> Private data passed to iwarp_cm_handler is copied for
> connection request / response, but ignored otherwise.
> If junk is passed, it is stored in the event and used later
> in the event processing.
> Driver passed old junk pointer during connection close
> which led to a use-after-free on event processing.
> Set private data to NULL for events that don't have private
> data.
>
> BUG: KASAN: use-after-free in ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: Read of size 4 at addr ffff8886caa71200 by task kworker/u128:1/5250
> kernel:
> kernel: Workqueue: iw_cm_wq cm_work_handler [iw_cm]
> kernel: Call Trace:
> kernel: dump_stack+0x8c/0xc0
> kernel: print_address_description.constprop.0+0x1b/0x210
> kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: __kasan_report.cold+0x1a/0x33
> kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: kasan_report+0xe/0x20
> kernel: check_memory_region+0x130/0x1a0
> kernel: memcpy+0x20/0x50
> kernel: ucma_event_handler+0x532/0x560 [rdma_ucm]
> kernel: ? __rpc_execute+0x608/0x620 [sunrpc]
> kernel: cma_iw_handler+0x212/0x330 [rdma_cm]
> kernel: ? iw_conn_req_handler+0x6e0/0x6e0 [rdma_cm]
> kernel: ? enqueue_timer+0x86/0x140
> kernel: ? _raw_write_lock_irq+0xd0/0xd0
> kernel: cm_work_handler+0xd3d/0x1070 [iw_cm]
>
> Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions")
> Signed-off-by: Ariel Elior <ariel.elior@xxxxxxxxxxx>
> Signed-off-by: Michal Kalderon <michal.kalderon@xxxxxxxxxxx>
> ---
> drivers/infiniband/hw/qedr/qedr_iw_cm.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)

Applied to for-rc, thanks

Jason
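The bug pattern the commit message describes, as an added userspace model that is not the qedr driver's, iw_cm's or rdma_ucm's code: the event struct, the connection struct, the handler names (on_connect_request, on_established, close_event_buggy, close_event_fixed, consume_event, run_scenario) and the small allocation tracker that stands in for KASAN are all assumptions made for this illustration. The consumer copies private_data_len bytes from the event, just as the KASAN trace shows memcpy in ucma_event_handler doing; the buggy close handler forwards the connection's stale pointer and length, the fixed one sends NULL and 0. The sample private data is constructed input.

```c
/* Added example: userspace model of the stale private_data bug. Not kernel
 * code; all names below are stand-ins assumed for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

enum cm_event_type { CM_CONNECT_REQUEST, CM_CONNECT_REPLY, CM_CLOSE };

/* Shape assumed for an iw_cm-style event: pointer plus length, and the
 * consumer copies `private_data_len` bytes from `private_data`. */
struct cm_event {
    enum cm_event_type type;
    const void *private_data;
    uint8_t private_data_len;
};

/* Per-connection state kept by the (model) driver. */
struct conn {
    char *req_priv;      /* private data that arrived with the connect request */
    uint8_t req_len;
};

/* Minimal stand-in for KASAN: remember the last freed buffer so a later
 * read from it can be detected without actually touching freed memory. */
static void *g_last_freed;
static size_t g_last_freed_len;

static void tracked_free(void *p, size_t len)
{
    g_last_freed = p;
    g_last_freed_len = len;
    free(p);
}

static int points_into_freed(const void *p, size_t len)
{
    const char *a = p, *f = g_last_freed;
    return f && a >= f && a + len <= f + g_last_freed_len;
}

/* Consumer, modelled on what the trace shows ucma_event_handler doing:
 * copy private_data_len bytes out of the event.
 * Returns 1 if that copy would read freed memory, 0 if it is safe,
 * -1 if the length does not fit the destination. */
static int consume_event(const struct cm_event *ev, char *out, size_t outsz)
{
    if (ev->private_data_len == 0 || ev->private_data == NULL)
        return 0;                     /* nothing to copy: the fixed path */
    if (ev->private_data_len > outsz)
        return -1;
    if (points_into_freed(ev->private_data, ev->private_data_len))
        return 1;                     /* this is the use-after-free */
    memcpy(out, ev->private_data, ev->private_data_len);
    return 0;
}

/* Connect request: the driver keeps its own copy of the peer's private data. */
static void on_connect_request(struct conn *c, const char *pd, uint8_t len)
{
    c->req_priv = malloc(len);
    memcpy(c->req_priv, pd, len);
    c->req_len = len;
}

/* Connection established: the request copy is released, but the stale
 * pointer and length stay behind in the connection struct. */
static void on_established(struct conn *c)
{
    tracked_free(c->req_priv, c->req_len);
}

/* Buggy close: forwards the old pointer/length in the close event. */
static void close_event_buggy(const struct conn *c, struct cm_event *ev)
{
    ev->type = CM_CLOSE;
    ev->private_data = c->req_priv;   /* dangling */
    ev->private_data_len = c->req_len;
}

/* Fixed close: an event that carries no private data says so explicitly. */
static void close_event_fixed(const struct conn *c, struct cm_event *ev)
{
    (void)c;
    ev->type = CM_CLOSE;
    ev->private_data = NULL;
    ev->private_data_len = 0;
}

/* Full sequence with one of the two close handlers; returns what the
 * consumer reported for the close event (1 = UAF, 0 = safe). */
static int run_scenario(int fixed)
{
    static const char sample_pd[] = "constructed-private-data"; /* constructed */
    struct conn c = {0};
    struct cm_event ev;
    char out[64];

    on_connect_request(&c, sample_pd, (uint8_t)sizeof sample_pd);
    on_established(&c);
    if (fixed)
        close_event_fixed(&c, &ev);
    else
        close_event_buggy(&c, &ev);
    return consume_event(&ev, out, sizeof out);
}

int main(void)
{
    printf("buggy close: %s\n", run_scenario(0) == 1 ? "use-after-free" : "ok");
    printf("fixed close: %s\n", run_scenario(1) == 0 ? "ok" : "use-after-free");
    return 0;
}
```

The check worth keeping from this model is the consumer's: a pointer/length pair in an event is only as trustworthy as the producer that filled it in, so every event type that does not carry private data has to zero both fields rather than leave whatever the connection struct last held.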