android_kernel_motorola_sm6225/drivers/infiniband/hw
Michal Kalderon 51a544f05b RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
[ Upstream commit 0dfbd5ecf28cbcb81674c49d34ee97366db1be44 ]

Private data passed to iwarp_cm_handler is copied for connection request /
response, but ignored otherwise.  If junk is passed, it is stored in the
event and used later in the event processing.

The driver passes an old junk pointer during connection close which leads
to a use-after-free on event processing.  Set private data to NULL for
events that don't have private data.

  BUG: KASAN: use-after-free in ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: Read of size 4 at addr ffff8886caa71200 by task kworker/u128:1/5250
  kernel:
  kernel: Workqueue: iw_cm_wq cm_work_handler [iw_cm]
  kernel: Call Trace:
  kernel: dump_stack+0x8c/0xc0
  kernel: print_address_description.constprop.0+0x1b/0x210
  kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: __kasan_report.cold+0x1a/0x33
  kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: kasan_report+0xe/0x20
  kernel: check_memory_region+0x130/0x1a0
  kernel: memcpy+0x20/0x50
  kernel: ucma_event_handler+0x532/0x560 [rdma_ucm]
  kernel: ? __rpc_execute+0x608/0x620 [sunrpc]
  kernel: cma_iw_handler+0x212/0x330 [rdma_cm]
  kernel: ? iw_conn_req_handler+0x6e0/0x6e0 [rdma_cm]
  kernel: ? enqueue_timer+0x86/0x140
  kernel: ? _raw_write_lock_irq+0xd0/0xd0
  kernel: cm_work_handler+0xd3d/0x1070 [iw_cm]

Fixes: e411e0587e ("RDMA/qedr: Add iWARP connection management functions")
Link: https://lore.kernel.org/r/20200616093408.17827-1-michal.kalderon@marvell.com
Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-06-30 23:17:11 -04:00
bnxt_re RDMA/bnxt_re: Add missing spin lock initialization 2020-01-27 14:49:59 +01:00
cxgb3 RDMA/providers: Remove pointless functions 2018-07-30 20:31:54 -06:00
cxgb4 RDMA/iw_cxgb4: cleanup device debugfs entries on ULD remove 2020-06-25 15:32:59 +02:00
hfi1 IB/hfi1: Fix memory leaks in sysfs registration and unregistration 2020-04-13 10:45:11 +02:00
hns RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver 2020-01-27 14:51:04 +01:00
i40iw IB/i40iw: Remove bogus call to netdev_master_upper_dev_get() 2020-06-03 08:19:30 +02:00
mlx4 IB/mlx4: Test return value of calls to ib_get_cached_pkey 2020-05-20 08:18:44 +02:00
mlx5 RDMA/mlx5: Add init2init as a modify command 2020-06-25 15:32:50 +02:00
mthca IB/mthca: Fix error return code in __mthca_init_one() 2019-11-24 08:20:01 +01:00
nes RDMA/providers: Remove pointless functions 2018-07-30 20:31:54 -06:00
ocrdma RDMA/ocrdma: Fix out of bounds index check in query pkey 2020-01-27 14:50:12 +01:00
qedr RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532 2020-06-30 23:17:11 -04:00
qib IB/qib: Call kobject_put() when kobject_init_and_add() fails 2020-06-03 08:19:36 +02:00
usnic IB/usnic: Fix out of bounds index check in query pkey 2020-01-27 14:50:11 +01:00
vmw_pvrdma RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe() 2020-06-03 08:19:37 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00