From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+6bb0528b13611047209c@syzkaller.appspotmail.com, Hao Sun, Leon Romanovsky, Jason Gunthorpe
Subject: [PATCH 5.14 064/172] RDMA/cma: Do not change route.addr.src_addr.ss_family
Date: Mon, 4 Oct 2021 14:51:54 +0200
Message-Id: <20211004125047.055660686@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20211004125044.945314266@linuxfoundation.org>
References: <20211004125044.945314266@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Jason Gunthorpe

commit bc0bdc5afaa740d782fbf936aaeebd65e5c2921d upstream.

If the state is not idle then rdma_bind_addr() will immediately fail and no change to global state should happen. For instance if the state is already RDMA_CM_LISTEN then this will corrupt the src_addr and would cause the test in cma_cancel_operation():

    if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)

to view a mangled src_addr, e.g. with an IPv6 loopback address but an IPv4 family, failing the test.

This would manifest as this trace from syzkaller:

  BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26
  Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204

  CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:79 [inline]
   dump_stack+0x141/0x1d7 lib/dump_stack.c:120
   print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
   __kasan_report mm/kasan/report.c:399 [inline]
   kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
   __list_add_valid+0x93/0xa0 lib/list_debug.c:26
   __list_add include/linux/list.h:67 [inline]
   list_add_tail include/linux/list.h:100 [inline]
   cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline]
   rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751
   ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102
   ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732
   vfs_write+0x28e/0xa30 fs/read_write.c:603
   ksys_write+0x1ee/0x250 fs/read_write.c:658
   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Which is indicating that an rdma_id_private was destroyed without doing cma_cancel_listens().

Instead of trying to re-use the src_addr memory to indirectly create an any address build one explicitly on the stack and bind to that as any other normal flow would do.
Link: https://lore.kernel.org/r/0-v1-9fbb33f5e201+2a-cma_listen_jgg@nvidia.com Cc: stable@vger.kernel.org Fixes: 732d41c545bb ("RDMA/cma: Make the locking for automatic state transition more clear") Reported-by: syzbot+6bb0528b13611047209c@syzkaller.appspotmail.com Tested-by: Hao Sun Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/core/cma.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c @@ -3768,9 +3768,13 @@ int rdma_listen(struct rdma_cm_id *id, i int ret; if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_LISTEN)) { + struct sockaddr_in any_in = { + .sin_family = AF_INET, + .sin_addr.s_addr = htonl(INADDR_ANY), + }; + /* For a well behaved ULP state will be RDMA_CM_IDLE */ - id->route.addr.src_addr.ss_family = AF_INET; - ret = rdma_bind_addr(id, cma_src_addr(id_priv)); + ret = rdma_bind_addr(id, (struct sockaddr *)&any_in); if (ret) return ret; if (WARN_ON(!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND,
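Review bot: the comment `/* For a well behaved ULP state will be RDMA_CM_IDLE */` kept in the new block still only says which state a correct caller arrives in, not what now protects an incorrect one; since the fix depends on rdma_bind_addr() refusing every state other than idle (as the commit message says) and therefore never reaching id->route.addr.src_addr, the comment should state that, e.g. `/* For a well behaved ULP state will be RDMA_CM_IDLE; anything else is rejected by rdma_bind_addr() before src_addr is touched */`, so a later change does not reintroduce a write to src_addr ahead of that check. Two smaller points: `.sin_addr.s_addr = htonl(INADDR_ANY)` is redundant with the zero-initialised `any_in` but reads better than relying on that, so keep it; and the hunk is cut off at `if (WARN_ON(!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND,`, so the state transition after the bind cannot be checked here.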
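The hazard the commit message describes, as an added userspace example (not kernel code and not part of this patch): rewriting ss_family in place does not convert the stored address, it only makes every reader interpret the same bytes under the other family's layout. cm_id, bind_addr(), any_addr() and do_listen() are simplified stand-ins for rdma_id_private, rdma_bind_addr(), cma_any_addr() and rdma_listen(); the only rule carried over is the one the commit message relies on, that a bind is legal only from the idle state and is refused without side effects otherwise. The [::1]:4791 address and the non-zero flow label are constructed inputs, chosen because the four flow-label bytes sit exactly where an AF_INET reader of a sockaddr expects sin_addr, which makes the reinterpretation visible.

```c
/* Added example, not kernel code: cm_id, bind_addr(), any_addr() and do_listen() are
 * simplified stand-ins for rdma_id_private, rdma_bind_addr(), cma_any_addr() and
 * rdma_listen(); the address and flow label used below are constructed inputs. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>

enum cm_state { CM_IDLE, CM_ADDR_BOUND, CM_LISTEN };
struct cm_id { enum cm_state state; struct sockaddr_storage src_addr; };
typedef int (*bind_fn)(struct cm_id *);

/* cma_any_addr() stand-in: unspecified or loopback, read under the family the
 * sockaddr claims to have, so flipping the family changes the answer. */
static bool any_addr(const struct sockaddr *sa)
{
	if (sa->sa_family == AF_INET) {
		in_addr_t a = ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr);
		return a == INADDR_ANY || (a >> 24) == 127;	/* 0.0.0.0 or 127/8 */
	}
	if (sa->sa_family == AF_INET6) {
		const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
		return IN6_IS_ADDR_UNSPECIFIED(a6) || IN6_IS_ADDR_LOOPBACK(a6);
	}
	return false;
}

/* rdma_bind_addr() stand-in: legal only from CM_IDLE, otherwise refused without
 * touching the id (the rule the commit message relies on). */
static int bind_addr(struct cm_id *id, const struct sockaddr *sa, socklen_t len)
{
	struct sockaddr_storage tmp = { 0 };	/* sa may point into id->src_addr */
	if (id->state != CM_IDLE)
		return -EINVAL;
	memcpy(&tmp, sa, len);
	id->src_addr = tmp;
	id->state = CM_ADDR_BOUND;
	return 0;
}

/* Pre-fix: the family is rewritten before bind_addr() can refuse, and stays so. */
static int implicit_bind_prefix(struct cm_id *id)
{
	id->src_addr.ss_family = AF_INET;
	return bind_addr(id, (struct sockaddr *)&id->src_addr, sizeof(struct sockaddr_in));
}

/* Post-fix: an explicit any-address on the stack; src_addr changes only on success. */
static int implicit_bind_fixed(struct cm_id *id)
{
	struct sockaddr_in any_in = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_ANY) };
	return bind_addr(id, (struct sockaddr *)&any_in, sizeof(any_in));
}

/* rdma_listen() stand-in; a well-behaved ULP arrives here in CM_IDLE. */
static int do_listen(struct cm_id *id, bind_fn implicit_bind)
{
	if (id->state != CM_ADDR_BOUND) {
		int ret = implicit_bind(id);
		if (ret)
			return ret;
	}
	id->state = CM_LISTEN;
	return 0;
}

/* Bind [::1]:4791 and listen once (legal), then listen again (misbehaving ULP: the id
 * is already CM_LISTEN, so the implicit bind must be refused).  True only if the refused
 * call left src_addr byte-identical.  The non-zero flow label is constructed: its four
 * bytes are exactly where an AF_INET reader of the same memory expects sin_addr. */
static bool second_listen_keeps_addr(bind_fn implicit_bind, struct cm_id *id_out)
{
	struct sockaddr_in6 lo6 = { .sin6_family = AF_INET6, .sin6_port = htons(4791),
				    .sin6_flowinfo = htonl(0x0a000001), .sin6_addr = IN6ADDR_LOOPBACK_INIT };
	struct sockaddr_storage before;
	struct cm_id local, *id = id_out ? id_out : &local;

	memset(id, 0, sizeof(*id));
	if (bind_addr(id, (struct sockaddr *)&lo6, sizeof(lo6)) || do_listen(id, implicit_bind))
		return false;
	before = id->src_addr;
	return do_listen(id, implicit_bind) == -EINVAL &&
	       memcmp(&before, &id->src_addr, sizeof(before)) == 0;
}

/* What an AF_INET consumer reads out of the id the pre-fix path mangled: the flow
 * label as sin_addr, and an any-address check that now says "no". */
static bool mangled_ipv4_view_is(const char *dotted)
{
	struct cm_id id;
	struct sockaddr_in v4;
	char buf[INET_ADDRSTRLEN];
	if (second_listen_keeps_addr(implicit_bind_prefix, &id))
		return false;
	memcpy(&v4, &id.src_addr, sizeof(v4));
	inet_ntop(AF_INET, &v4.sin_addr, buf, sizeof(buf));
	return id.state == CM_LISTEN && v4.sin_family == AF_INET &&
	       strcmp(buf, dotted) == 0 && !any_addr((struct sockaddr *)&id.src_addr);
}
```

With the pre-fix implicit bind, the second listen() is still refused, but the id is left claiming AF_INET with the IPv6 port and flow-label bytes where an IPv4 consumer looks for sin_port and sin_addr, and the any-address check flips from true (::1) to false (10.0.0.1). With the patched version the refused bind leaves src_addr untouched, so any later check made against it sees exactly what the ULP bound.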