From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Noam Rathaus, Cong Wang, Jason Gunthorpe, Sasha Levin
Subject: [PATCH 4.14 045/246] infiniband: fix a possible use-after-free bug
Date: Wed, 1 Aug 2018 18:49:15 +0200
Message-Id: <20180801165013.869196673@linuxfoundation.org>
In-Reply-To: <20180801165011.700991984@linuxfoundation.org>
References: <20180801165011.700991984@linuxfoundation.org>
X-stable: review

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Cong Wang [ Upstream commit cb2595c1393b4a5211534e6f0a0fbad369e21ad8 ] ucma_process_join() will free the new allocated "mc" struct, if there is any error after that, especially the copy_to_user(). But in parallel, ucma_leave_multicast() could find this "mc" through idr_find() before ucma_process_join() frees it, since it is already published. So "mc" could be used in ucma_leave_multicast() after it is been allocated and freed in ucma_process_join(), since we don't refcnt it. Fix this by separating "publish" from ID allocation, so that we can get an ID first and publish it later after copy_to_user(). Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support") Reported-by: Noam Rathaus Signed-off-by: Cong Wang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/core/ucma.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -218,7 +218,7 @@ static struct ucma_multicast* ucma_alloc return NULL; mutex_lock(&mut); - mc->id = idr_alloc(&multicast_idr, mc, 0, 0, GFP_KERNEL); + mc->id = idr_alloc(&multicast_idr, NULL, 0, 0, GFP_KERNEL); mutex_unlock(&mut); if (mc->id < 0) goto error; @@ -1404,6 +1404,10 @@ static ssize_t ucma_process_join(struct goto err3; } + mutex_lock(&mut); + idr_replace(&multicast_idr, mc, mc->id); + mutex_unlock(&mut); + mutex_unlock(&file->mut); ucma_put_ctx(ctx); return 0;
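Review bot: with `mc->id = idr_alloc(&multicast_idr, NULL, 0, 0, GFP_KERNEL);` in ucma_alloc_multicast, the reserved ID is now visible in multicast_idr as a slot holding a NULL pointer until idr_replace() publishes it, so every idr_find() on multicast_idr (ucma_leave_multicast in particular) must treat a NULL result exactly like a missing entry rather than dereferencing it; that check lives outside this hunk and should be confirmed before merging. A one-line comment next to the idr_alloc() call saying the ID is reserved here and published later in ucma_process_join would make the two-step pattern obvious to the next reader. The unchanged `if (mc->id < 0) goto error;` path is still correct, since idr_alloc() reports failure through a negative return regardless of which pointer is stored.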
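Review bot: the new `idr_replace(&multicast_idr, mc, mc->id);` after the copy_to_user() success path in ucma_process_join is the right place to publish, but its return value is discarded; idr_replace() returns the previous pointer or an ERR_PTR, and for an ID that ucma_alloc_multicast has just reserved it should not fail, so either a short comment stating that assumption or a WARN_ON(IS_ERR(...)) on the result would document it. Two points to verify outside the hunk: the error labels taken before this point (err3 and earlier) must still remove the reserved-but-unpublished ID from multicast_idr, otherwise the slot leaks on every failed join; and taking `mut` while `file->mut` is already held must match the lock order used by the other paths in this file, since an inverted order elsewhere would turn this fix into an ABBA deadlock.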