Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp27388imm; Fri, 21 Sep 2018 17:22:08 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZAWVAiv/LlESiphBxvqfr9Y914ZCW1GdR6KDyI4dVtFr0XdRXIrx7NfHLNRm0kvTpI7crF X-Received: by 2002:a62:d94:: with SMTP id 20-v6mr144068pfn.202.1537575728049; Fri, 21 Sep 2018 17:22:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537575728; cv=none; d=google.com; s=arc-20160816; b=oRJiV6PMWMRvVAjaNs8PKEUyRM87EtjibiFPcVOeUamYPS6ektORmFAX4RSy2LyRao cV1vLQXuqjzg9nS7jLkJU4wDwn+NdItN+/D38MGE8qumotdPBTPY1z3nhZ0EepBW4zrr Oso9PRti4euOjKTTGyhih9Nqs2f5dLCuwuBTNQHSCd+ULyGkydmFkAl2wePqAtnZeTD7 NJEqCN17TUcKDOvMo+adr2Q+OZF3B+S4MHQ6qvvF3/wsR3dvMwsc/AFjsxsPwQCENWit L3bSlmVBCdYpfRDBUW+CBANgfpb3dcbX3xcHqjPLYiFZvMhGFVHSgQX5MQwYxcTLylc0 THWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=V9GKRGGSVpdIXA3R0RjFafc08LQNphhF0telCpwlRmI=; b=TmD7iQPO3qCrW+okarCQeXKit772XKbUxy5PG4ln66HXKkGWYQ708KXfyWNMOn4dpR E1x1ymOQfpTesXTStp27tdEWCfXCO2FaxhDnX/6KWjzaj+8y1jA6ez7DJMngwZHgtw34 mtQoQ18pzCTv7/jYY9CGV3YlZOCvRYForHuFd/c1q238bDZKrZlBLZaLQmw2xLPflW9X 3Tc0YIMePBww52GBIDg5AALd5kW86rISl2BO0B0VbLRP/FdM4mmwsw5jVmuqIEv2o93A sGDm8+uR7eWClbiXW4GsLwpW7V1tIEWrezGRip4DYOE8RElGA5fs1+3sKA4xcf5tsY83 ENhQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g5-v6si4696515pgf.565.2018.09.21.17.21.52; Fri, 21 Sep 2018 17:22:08 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391810AbeIVGMZ (ORCPT + 99 others); Sat, 22 Sep 2018 02:12:25 -0400 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:44291 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391930AbeIVGKt (ORCPT ); Sat, 22 Sep 2018 02:10:49 -0400 Received: from [2a02:8011:400e:2:cbab:f00:c93f:614] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1g3Vdy-0008BQ-7C; Sat, 22 Sep 2018 01:19:30 +0100 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1g3Vdo-0000su-Fx; Sat, 22 Sep 2018 01:19:20 +0100 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Noam Rathaus" , "Cong Wang" , "Jason Gunthorpe" Date: Sat, 22 Sep 2018 01:15:42 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 40/63] infiniband: fix a possible use-after-free bug In-Reply-To: X-SA-Exim-Connect-IP: 2a02:8011:400e:2:cbab:f00:c93f:614 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.58-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Cong Wang commit cb2595c1393b4a5211534e6f0a0fbad369e21ad8 upstream. ucma_process_join() will free the new allocated "mc" struct, if there is any error after that, especially the copy_to_user(). But in parallel, ucma_leave_multicast() could find this "mc" through idr_find() before ucma_process_join() frees it, since it is already published. So "mc" could be used in ucma_leave_multicast() after it is been allocated and freed in ucma_process_join(), since we don't refcnt it. Fix this by separating "publish" from ID allocation, so that we can get an ID first and publish it later after copy_to_user(). Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support") Reported-by: Noam Rathaus Signed-off-by: Cong Wang Signed-off-by: Jason Gunthorpe Signed-off-by: Ben Hutchings --- drivers/infiniband/core/ucma.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -180,7 +180,7 @@ static struct ucma_multicast* ucma_alloc return NULL; mutex_lock(&mut); - mc->id = idr_alloc(&multicast_idr, mc, 0, 0, GFP_KERNEL); + mc->id = idr_alloc(&multicast_idr, NULL, 0, 0, GFP_KERNEL); mutex_unlock(&mut); if (mc->id < 0) goto error; @@ -1285,6 +1285,10 @@ static ssize_t ucma_process_join(struct goto err3; } + mutex_lock(&mut); + idr_replace(&multicast_idr, mc, mc->id); + mutex_unlock(&mut); + mutex_unlock(&file->mut); ucma_put_ctx(ctx); return 0;