Patch "RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532" has been added to the 4.19-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rdma-qedr-fix-kasan-use-after-free-in-ucma_event_han.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 566db0deda4a007af16369e8c2122dc040342b6a
Author: Michal Kalderon <michal.kalderon@xxxxxxxxxxx>
Date:   Tue Jun 16 12:34:08 2020 +0300

    RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
    
    [ Upstream commit 0dfbd5ecf28cbcb81674c49d34ee97366db1be44 ]
    
    Private data passed to iwarp_cm_handler is copied for connection request /
    response, but ignored otherwise.  If junk is passed, it is stored in the
    event and used later in the event processing.
    
    The driver passes an old junk pointer during connection close which leads
    to a use-after-free on event processing.  Set private data to NULL for
    events that don 't have private data.
    
      BUG: KASAN: use-after-free in ucma_event_handler+0x532/0x560 [rdma_ucm]
      kernel: Read of size 4 at addr ffff8886caa71200 by task kworker/u128:1/5250
      kernel:
      kernel: Workqueue: iw_cm_wq cm_work_handler [iw_cm]
      kernel: Call Trace:
      kernel: dump_stack+0x8c/0xc0
      kernel: print_address_description.constprop.0+0x1b/0x210
      kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
      kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
      kernel: __kasan_report.cold+0x1a/0x33
      kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
      kernel: kasan_report+0xe/0x20
      kernel: check_memory_region+0x130/0x1a0
      kernel: memcpy+0x20/0x50
      kernel: ucma_event_handler+0x532/0x560 [rdma_ucm]
      kernel: ? __rpc_execute+0x608/0x620 [sunrpc]
      kernel: cma_iw_handler+0x212/0x330 [rdma_cm]
      kernel: ? iw_conn_req_handler+0x6e0/0x6e0 [rdma_cm]
      kernel: ? enqueue_timer+0x86/0x140
      kernel: ? _raw_write_lock_irq+0xd0/0xd0
      kernel: cm_work_handler+0xd3d/0x1070 [iw_cm]
    
    Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions")
    Link: https://lore.kernel.org/r/20200616093408.17827-1-michal.kalderon@xxxxxxxxxxx
    Signed-off-by: Ariel Elior <ariel.elior@xxxxxxxxxxx>
    Signed-off-by: Michal Kalderon <michal.kalderon@xxxxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
index 93b16237b7677..2566715773675 100644
--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
@@ -128,8 +128,17 @@ qedr_iw_issue_event(void *context,
 	if (params->cm_info) {
 		event.ird = params->cm_info->ird;
 		event.ord = params->cm_info->ord;
-		event.private_data_len = params->cm_info->private_data_len;
-		event.private_data = (void *)params->cm_info->private_data;
+		/* Only connect_request and reply have valid private data
+		 * the rest of the events this may be left overs from
+		 * connection establishment. CONNECT_REQUEST is issued via
+		 * qedr_iw_mpa_request
+		 */
+		if (event_type == IW_CM_EVENT_CONNECT_REPLY) {
+			event.private_data_len =
+				params->cm_info->private_data_len;
+			event.private_data =
+				(void *)params->cm_info->private_data;
+		}
 	}
 
 	if (ep->cm_id)