From: "Saleem, Shiraz"
To: Jason Gunthorpe, Lv Yunlong
CC: "Latif, Faisal", dledford@redhat.com, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: RE: [PATCH] infiniband/i40iw: Fix a use after free in i40iw_cm_event_handler
Date: Fri, 12 Mar 2021 01:13:39 +0000
Message-ID: <1fc386d78c044d3da723fe38446edb75@intel.com>
References: <20210311031414.5011-1-lyl2019@mail.ustc.edu.cn> <20210311182114.GA2733907@nvidia.com>
In-Reply-To: <20210311182114.GA2733907@nvidia.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> Subject: Re: [PATCH] infiniband/i40iw: Fix a use after free in
> i40iw_cm_event_handler
>
> On Wed, Mar 10, 2021 at 07:14:14PM -0800, Lv Yunlong wrote:
> > In the case of I40IW_CM_EVENT_ABORTED, i40iw_event_connect_error()
> > could be called to free the event->cm_node. However, event->cm_node
> > will be used afterwards and cause a use after free. A flag needs to be
> > added to indicate that event->cm_node has been freed.
> >
> > Signed-off-by: Lv Yunlong
> > ---
> > drivers/infiniband/hw/i40iw/i40iw_cm.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
>
> This might be OK (though I don't like the free variable), Shiraz??
>

How was this reproduced? Do you have some call trace leading up to the use after free?

The cm_node refcnt is bumped at creation time and once in i40iw_receive_ilq before the packet is processed. That should protect the cm_node from disappearing in the event handler in the abort event case.

The dec at the end of i40iw_receive_ilq should be the point where the cm_node is freed, specifically in the abort case.

Shiraz
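The lifetime argument above, as an added model that is not code from the i40iw driver or from anyone in this thread: a creation reference plus a processing reference taken before the handler runs, with the abort path dropping only the former. The names (cm_node, receive_ilq, event_handler, EVENT_ABORTED) mirror the discussion but are hypothetical, and a node whose refcount reaches zero is marked dead instead of freed so a post-drop access can be observed rather than being undefined behaviour.

```c
/* Added example, not driver code. Models the refcount discipline described in
 * the thread; names are hypothetical stand-ins for the i40iw ones. */
#include <stdbool.h>

enum { EVENT_CONNECTED = 0, EVENT_ABORTED = 1 };

struct cm_node {
    int refcnt;
    bool dead;      /* stands in for "memory was freed" */
    int state;
};

static void cm_node_get(struct cm_node *n) { n->refcnt++; }

/* Last reference gone: real code would free() here; the model only marks it. */
static void cm_node_put(struct cm_node *n)
{
    if (--n->refcnt == 0)
        n->dead = true;
}

/* The abort/error path drops the reference taken when the node was created. */
static void event_connect_error(struct cm_node *n) { cm_node_put(n); }

/* Event handler: after the error path it still touches the node.
 * Returns true if that access hit a dead (would-be-freed) node. */
static bool event_handler(struct cm_node *n, int event)
{
    if (event == EVENT_ABORTED)
        event_connect_error(n);
    bool use_after_free = n->dead;
    n->state = event;               /* the post-call use under discussion */
    return use_after_free;
}

/* Models receive_ilq: optionally take a processing reference before the
 * handler runs and drop it afterwards. hold_ref=true is the discipline Shiraz
 * describes; hold_ref=false is the sequence the patch description assumes.
 * Returns true if the handler's access was a use-after-free. */
static bool receive_ilq(int event, bool hold_ref)
{
    struct cm_node node = { .refcnt = 1, .dead = false, .state = -1 }; /* creation ref */
    if (hold_ref)
        cm_node_get(&node);         /* reference taken before the packet is processed */
    bool uaf = event_handler(&node, event);
    if (hold_ref)
        cm_node_put(&node);         /* end of receive_ilq: in the abort case the node dies here */
    return uaf;
}
```

With the processing reference held, the abort case reaches refcount zero only at the final put in receive_ilq; without it, the post-call access in the handler is the use-after-free the patch description reports.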