Patch "RDMA/core: Don't access cm_id after its destruction" has been added to the 5.4-stable tree

This is a note to let you know that I've just added the patch titled

    RDMA/core: Don't access cm_id after its destruction

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rdma-core-don-t-access-cm_id-after-its-destruction.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 7fbaeb1944edbef2d0417948168608f8ae6e2cf8
Author: Shay Drory <shayd@xxxxxxxxxx>
Date:   Tue May 11 08:48:28 2021 +0300

    RDMA/core: Don't access cm_id after its destruction
    
    [ Upstream commit 889d916b6f8a48b8c9489fffcad3b78eedd01a51 ]
    
    restrack should only be attached to a cm_id while the ID has a valid
    device pointer. It is set up when the device is first loaded, but not
    cleared when the device is removed. There are also two copies of the device
    pointer, one private and one in the public API, and these were left out of
    sync.
    
    Make everything go to NULL together and manipulate restrack right around
    the device assignments.
    
    Found by syzkaller:
    BUG: KASAN: wild-memory-access in __list_del include/linux/list.h:112 [inline]
    BUG: KASAN: wild-memory-access in __list_del_entry include/linux/list.h:135 [inline]
    BUG: KASAN: wild-memory-access in list_del include/linux/list.h:146 [inline]
    BUG: KASAN: wild-memory-access in cma_cancel_listens drivers/infiniband/core/cma.c:1767 [inline]
    BUG: KASAN: wild-memory-access in cma_cancel_operation drivers/infiniband/core/cma.c:1795 [inline]
    BUG: KASAN: wild-memory-access in cma_cancel_operation+0x1f4/0x4b0 drivers/infiniband/core/cma.c:1783
    Write of size 8 at addr dead000000000108 by task syz-executor716/334
    
    CPU: 0 PID: 334 Comm: syz-executor716 Not tainted 5.11.0+ #271
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
    rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:79 [inline]
     dump_stack+0xbe/0xf9 lib/dump_stack.c:120
     __kasan_report mm/kasan/report.c:400 [inline]
     kasan_report.cold+0x5f/0xd5 mm/kasan/report.c:413
     __list_del include/linux/list.h:112 [inline]
     __list_del_entry include/linux/list.h:135 [inline]
     list_del include/linux/list.h:146 [inline]
     cma_cancel_listens drivers/infiniband/core/cma.c:1767 [inline]
     cma_cancel_operation drivers/infiniband/core/cma.c:1795 [inline]
     cma_cancel_operation+0x1f4/0x4b0 drivers/infiniband/core/cma.c:1783
     _destroy_id+0x29/0x460 drivers/infiniband/core/cma.c:1862
     ucma_close_id+0x36/0x50 drivers/infiniband/core/ucma.c:185
     ucma_destroy_private_ctx+0x58d/0x5b0 drivers/infiniband/core/ucma.c:576
     ucma_close+0x91/0xd0 drivers/infiniband/core/ucma.c:1797
     __fput+0x169/0x540 fs/file_table.c:280
     task_work_run+0xb7/0x100 kernel/task_work.c:140
     exit_task_work include/linux/task_work.h:30 [inline]
     do_exit+0x7da/0x17f0 kernel/exit.c:825
     do_group_exit+0x9e/0x190 kernel/exit.c:922
     __do_sys_exit_group kernel/exit.c:933 [inline]
     __se_sys_exit_group kernel/exit.c:931 [inline]
     __x64_sys_exit_group+0x2d/0x30 kernel/exit.c:931
     do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Fixes: 255d0c14b375 ("RDMA/cma: rdma_bind_addr() leaks a cma_dev reference count")
    Link: https://lore.kernel.org/r/3352ee288fe34f2b44220457a29bfc0548686363.1620711734.git.leonro@xxxxxxxxxx
    Signed-off-by: Shay Drory <shayd@xxxxxxxxxx>
    Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index ecac62a7b59e..92428990f0cc 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -530,6 +530,7 @@ static void cma_release_dev(struct rdma_id_private *id_priv)
 	list_del(&id_priv->list);
 	cma_deref_dev(id_priv->cma_dev);
 	id_priv->cma_dev = NULL;
+	id_priv->id.device = NULL;
 	if (id_priv->id.route.addr.dev_addr.sgid_attr) {
 		rdma_put_gid_attr(id_priv->id.route.addr.dev_addr.sgid_attr);
 		id_priv->id.route.addr.dev_addr.sgid_attr = NULL;
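Review bot: the new `id_priv->id.device = NULL;` lands after `cma_deref_dev(id_priv->cma_dev);` has already dropped the reference, so between those two lines the public pointer still names a device this ID no longer holds a count on. Either move both NULL assignments ahead of the deref, or state in a comment which lock the caller of cma_release_dev() holds so that no reader of id->device can observe that window. The commit message also says restrack is handled "right around the device assignments", but this hunk does not touch restrack; it would help to confirm that every caller of cma_release_dev(), not only rdma_destroy_id(), detaches restrack before the device pointers are cleared.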
@@ -1871,6 +1872,7 @@ void rdma_destroy_id(struct rdma_cm_id *id)
 				iw_destroy_cm_id(id_priv->cm_id.iw);
 		}
 		cma_leave_mc_groups(id_priv);
+		rdma_restrack_del(&id_priv->res);
 		cma_release_dev(id_priv);
 	}
 
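Review bot: `rdma_restrack_del(&id_priv->res);` is now called unconditionally before cma_release_dev(), which is the right order given that the restrack entry is only meaningful while id.device is valid. Nothing in this hunk shows whether the ID was ever added to restrack (an ID that never acquired a device would not have been), so it should be documented here, or guaranteed inside rdma_restrack_del(), that deleting an entry that was never added is a no-op rather than a second bad list_del of the kind the KASAN report above shows.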
@@ -3580,7 +3582,7 @@ int rdma_listen(struct rdma_cm_id *id, int backlog)
 	}
 
 	id_priv->backlog = backlog;
-	if (id->device) {
+	if (id_priv->cma_dev) {
 		if (rdma_cap_ib_cm(id->device, 1)) {
 			ret = cma_ib_listen(id_priv);
 			if (ret)
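Review bot: the guard now tests `id_priv->cma_dev` while the body on the next line still dereferences `id->device` in `rdma_cap_ib_cm(id->device, 1)`. This is correct only because the first hunk makes the two pointers go NULL together, and the mixed use leaves that invariant implicit. Suggest either using the same pointer for the check and the dereference, or adding a one-line comment at the check saying that id.device is valid exactly when cma_dev is non-NULL, so a later change to one of the clearing paths does not silently reintroduce the stale-pointer read this patch removes.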


