From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+3b4acab09b6463472d0a@syzkaller.appspotmail.com, Jason Gunthorpe
Subject: [PATCH 4.15 24/72] RDMA/rdma_cm: Fix use after free race with process_one_req
Date: Fri, 6 Apr 2018 15:23:59 +0200
Message-Id: <20180406084351.400796443@linuxfoundation.org>
In-Reply-To: <20180406084349.367583460@linuxfoundation.org>
References: <20180406084349.367583460@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.15-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Jason Gunthorpe

commit 9137108cc3d64ade13e753108ec611a0daed16a0 upstream.

process_one_req() can race with rdma_addr_cancel():

           CPU0                         CPU1
           ====                         ====
 process_one_work()
  debug_work_deactivate(work);
  process_one_req()
                                   rdma_addr_cancel()
                                       mutex_lock(&lock);
                                        set_timeout(&req->work,..);
                                           __queue_work()
                                            debug_work_activate(work);
                                       mutex_unlock(&lock);

    mutex_lock(&lock);
    [..]
    list_del(&req->list);
    mutex_unlock(&lock);
    [..]

    // ODEBUG explodes since the work is still queued.
    kfree(req);

Causing ODEBUG to detect the use after free:

ODEBUG: free active (active state 0) object type: work_struct hint: process_one_req+0x0/0x6c0 include/net/dst.h:165
WARNING: CPU: 0 PID: 79 at lib/debugobjects.c:291 debug_print_object+0x166/0x220 lib/debugobjects.c:288
kvm: emulating exchange as write
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 79 Comm: kworker/u4:3 Not tainted 4.16.0-rc6+ #361
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ib_addr process_one_req
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 panic+0x1e4/0x41c kernel/panic.c:183
 __warn+0x1dc/0x200 kernel/panic.c:547
 report_bug+0x1f4/0x2b0 lib/bug.c:186
 fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
 fixup_bug arch/x86/kernel/traps.c:247 [inline]
 do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:debug_print_object+0x166/0x220 lib/debugobjects.c:288
RSP: 0000:ffff8801d966f210 EFLAGS: 00010086
RAX: dffffc0000000008 RBX: 0000000000000003 RCX: ffffffff815acd6e
RDX: 0000000000000000 RSI: 1ffff1003b2cddf2 RDI: 0000000000000000
RBP: ffff8801d966f250 R08: 0000000000000000 R09: 1ffff1003b2cddc8
R10: ffffed003b2cde71 R11: ffffffff86f39a98 R12: 0000000000000001
R13: ffffffff86f15540 R14: ffffffff86408700 R15: ffffffff8147c0a0
 __debug_check_no_obj_freed lib/debugobjects.c:745 [inline]
 debug_check_no_obj_freed+0x662/0xf1f lib/debugobjects.c:774
 kfree+0xc7/0x260 mm/slab.c:3799
 process_one_req+0x2e7/0x6c0 drivers/infiniband/core/addr.c:592
 process_one_work+0xc47/0x1bb0 kernel/workqueue.c:2113
 worker_thread+0x223/0x1990 kernel/workqueue.c:2247
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406

Fixes: 5fff41e1f89d ("IB/core: Fix race condition in resolving IP to MAC")
Reported-by:
Signed-off-by: Jason Gunthorpe
Signed-off-by: Greg Kroah-Hartman

---
 drivers/infiniband/core/addr.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/infiniband/core/addr.c +++ b/drivers/infiniband/core/addr.c @@ -598,6 +598,15 @@ static void process_one_req(struct work_ list_del(&req->list); mutex_unlock(&lock); + /* + * Although the work will normally have been canceled by the + * workqueue, it can still be requeued as long as it is on the + * req_list, so it could have been requeued before we grabbed &lock. + * We need to cancel it after it is removed from req_list to really be + * sure it is safe to free. + */ + cancel_delayed_work(&req->work); + req->callback(req->status, (struct sockaddr *)&req->src_addr, req->addr, req->context); put_client(req->client);
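Review bot: the new comment in the hunk should also say why the non-sync cancel_delayed_work() is the right call rather than cancel_delayed_work_sync(): this code runs inside process_one_req(), that is inside the very work item being cancelled, so the _sync variant would wait on itself. It is also worth spelling out the ordering argument the fix depends on: list_del(&req->list) under &lock has already taken req off req_list, and per the comment a requeue is only possible while req is on req_list, so once the cancel runs nothing can re-arm the work and the kfree() that follows is safe; cancelling before list_del() would leave the window open, which is what "We need to cancel it after it is removed from req_list" is saying. Minor: cancel_delayed_work() returns whether the work was actually pending; a true result at this point means the race from the description did happen, and recording it (for instance under a WARN_ON_ONCE) would make the condition observable without ODEBUG.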
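The interleaving in the commit message, replayed as an added example that is not part of the patch or of the kernel's code: a single-threaded userspace C model in which req_list, the workqueue, rdma_addr_cancel() and the ODEBUG "free active object" check are replaced by stand-ins (struct model, queue_work(), cancel_work(), worker_dequeue(), addr_cancel() and kfree_req() are all assumed names for this illustration). Each scenario runs the steps in a fixed order so the outcome can be checked deterministically, and it goes one step beyond the page by also covering the case the patch comment relies on, where rdma_addr_cancel() arrives after list_del() and finds nothing on req_list to re-arm.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct addr_req: only the fields the race touches. */
struct req {
    struct req *next;      /* req_list linkage */
    bool work_pending;     /* true between __queue_work() and the worker picking it up */
    int status;
};

/* Assumed model state: req_list, the single pending work item, and the ODEBUG verdict. */
struct model {
    struct req *req_list;
    struct req *queued;          /* pending work item, or NULL */
    bool free_while_queued;      /* set when kfree() hits a still-queued work: the bug */
};

static void list_add(struct model *m, struct req *r)
{
    r->next = m->req_list;
    m->req_list = r;
}

static void list_del(struct model *m, struct req *r)
{
    for (struct req **pp = &m->req_list; *pp; pp = &(*pp)->next) {
        if (*pp == r) {
            *pp = r->next;
            break;
        }
    }
    r->next = NULL;
}

/* mod_delayed_work() / __queue_work() stand-in. */
static void queue_work(struct model *m, struct req *r)
{
    r->work_pending = true;
    m->queued = r;
}

/* cancel_delayed_work() stand-in: non-blocking, returns true if it was pending. */
static bool cancel_work(struct model *m, struct req *r)
{
    bool was_pending = r->work_pending;
    r->work_pending = false;
    if (m->queued == r)
        m->queued = NULL;
    return was_pending;
}

/* process_one_work() taking the item off the queue before calling the handler. */
static void worker_dequeue(struct model *m, struct req *r)
{
    r->work_pending = false;     /* debug_work_deactivate() */
    if (m->queued == r)
        m->queued = NULL;
}

/* rdma_addr_cancel() stand-in: it can only re-arm work for a req it finds on req_list. */
static bool addr_cancel(struct model *m, struct req *target)
{
    for (struct req *r = m->req_list; r; r = r->next) {
        if (r == target) {
            r->status = -ECANCELED;
            queue_work(m, r);    /* set_timeout() -> __queue_work() */
            return true;
        }
    }
    return false;
}

/* kfree() with the ODEBUG check from the trace. */
static void kfree_req(struct model *m, struct req *r)
{
    if (r->work_pending)
        m->free_while_queued = true;
    free(r);
}

/*
 * Replay process_one_req() with rdma_addr_cancel() interleaved at a chosen point.
 * cancel_before_lock: CPU1 runs between the worker dequeuing the item and CPU0
 * taking &lock (the commit message's interleaving).  with_fix: add the patch's
 * cancel after list_del().  Returns true if req was freed while still queued.
 */
static bool replay(bool cancel_before_lock, bool with_fix)
{
    struct model m;
    memset(&m, 0, sizeof(m));
    struct req *r = calloc(1, sizeof(*r));
    if (!r)
        return false;
    list_add(&m, r);
    queue_work(&m, r);           /* the original resolve scheduled the work */

    worker_dequeue(&m, r);       /* CPU0: process_one_req() starts */
    if (cancel_before_lock)
        addr_cancel(&m, r);      /* CPU1: req still on req_list, so it is re-queued */
    list_del(&m, r);             /* CPU0, under &lock; then mutex_unlock() */
    if (!cancel_before_lock)
        addr_cancel(&m, r);      /* CPU1 too late: nothing on req_list to re-arm */
    if (with_fix)
        cancel_work(&m, r);      /* the patch: cancel only after req left req_list */

    kfree_req(&m, r);
    return m.free_while_queued;
}

bool race_unfixed(void)          { return replay(true, false); }  /* true: use after free */
bool race_fixed(void)            { return replay(true, true);  }  /* false */
bool cancel_after_list_del(void) { return replay(false, false); } /* false even without the fix */

int main(void)
{
    printf("unfixed, cancel before lock:    uaf=%d\n", race_unfixed());
    printf("fixed,   cancel before lock:    uaf=%d\n", race_fixed());
    printf("unfixed, cancel after list_del: uaf=%d\n", cancel_after_list_del());
    return 0;
}
```

The model makes the patch's ordering explicit: cancel_work() is only safe to rely on once list_del() has removed req from req_list, because addr_cancel() re-arms the work exclusively through that list; moving the cancel before list_del() in replay() reopens the window.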