1. 12 Aug, 2019 2 commits
    •
      RDMA/siw: Fix a memory leak in siw_init_cpulist() · 17c19287
      Dan Carpenter authored
      The error handling code doesn't free siw_cpu_info.tx_valid_cpus[0].  The
      first iteration through the loop is a no-op so this is sort of an off
      by one bug.  Also Bernard pointed out that we can remove the NULL
      assignment and simplify the code a bit.
      
      Fixes: bdcf26bf ("rdma/siw: network and RDMA core interface")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: Bernard Metzler <bmt@zurich.ibm.com>
      Reviewed-by: Bernard Metzler <bmt@zurich.ibm.com>
      Link: https://lore.kernel.org/r/20190809140904.GB3552@mwanda
      Signed-off-by: Doug Ledford <dledford@redhat.com>
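      The unwind-loop bug described in the commit above, modelled as an added example (not the siw driver's own code): a counting allocator with fault injection shows that the original error path leaves the index-0 allocation outstanding while the pre-decrement form frees everything. All names (NUM_NODES, node_alloc, unwind_*, init_cpulist) are hypothetical.

```c
#include <stdlib.h>

/* Constructed model of the loop the commit describes, not the siw driver code;
 * a counting allocator makes the leaked entry measurable. All names here
 * (NUM_NODES, node_alloc, unwind_*, init_cpulist) are hypothetical. */
#define NUM_NODES 4
static int live_allocs;   /* allocations not yet freed */
static int fail_at = -1;  /* index whose allocation fails; -1 = never */
static int *node_alloc(int idx) {
    if (idx == fail_at) return NULL;
    live_allocs++;
    return calloc(1, sizeof(int));
}
static void node_free(int *p) { if (p) { live_allocs--; free(p); } }

/* Error path as described: the first pass frees cpus[i], the NULL entry that
 * just failed (a no-op), and the loop stops at i == 0 with cpus[0] unfreed. */
static void unwind_buggy(int *cpus[NUM_NODES], int i) {
    while (i) {
        node_free(cpus[i]);
        cpus[i] = NULL;
        i--;
    }
}
/* Fixed unwind: pre-decrement walks from the last allocated index down to 0. */
static void unwind_fixed(int *cpus[NUM_NODES], int i) {
    while (--i >= 0)
        node_free(cpus[i]);
}

/* Allocate one entry per node; on failure run the supplied unwind. */
static int init_cpulist(int *cpus[NUM_NODES], void (*unwind)(int *[NUM_NODES], int)) {
    for (int i = 0; i < NUM_NODES; i++) {
        cpus[i] = node_alloc(i);
        if (!cpus[i]) {
            unwind(cpus, i);
            return -1;
        }
    }
    return 0;
}

/* Allocations still outstanding after init fails at fail_idx (0 = no leak). */
static int leaked_after_failure(void (*unwind)(int *[NUM_NODES], int), int fail_idx) {
    int *cpus[NUM_NODES] = {0};
    live_allocs = 0;
    fail_at = fail_idx;
    init_cpulist(cpus, unwind);
    return live_allocs;
}
```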
    •
      IB/mlx5: Fix use-after-free error while accessing ev_file pointer · e9eec6a5
      Yishai Hadas authored
      The call to uverbs_close_fd() releases the file pointer to 'ev_file' and
      mlx5_ib_dev is going to be inaccessible. Cache the pointer prior to cleaning
      resources to solve the KASAN warning below.
      
      BUG: KASAN: use-after-free in devx_async_event_close+0x391/0x480 [mlx5_ib]
      Read of size 8 at addr ffff888301e3cec0 by task devx_direct_tes/4631
      CPU: 1 PID: 4631 Comm: devx_direct_tes Tainted: G OE 5.3.0-rc1-for-upstream-dbg-2019-07-26_01-19-56-93 #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu2 04/01/2014
      Call Trace:
      dump_stack+0x9a/0xeb
      print_address_description+0x1e2/0x400
      ? devx_async_event_close+0x391/0x480 [mlx5_ib]
      __kasan_report+0x15c/0x1df
      ? devx_async_event_close+0x391/0x480 [mlx5_ib]
      kasan_report+0xe/0x20
      devx_async_event_close+0x391/0x480 [mlx5_ib]
      __fput+0x26a/0x7b0
      task_work_run+0x10d/0x180
      exit_to_usermode_loop+0x137/0x160
      do_syscall_64+0x3c7/0x490
      entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7f5df907d664
      Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f
      80 00 00 00 00 8b 05 6a cd 20 00 48 63 ff 85 c0 75 13 b8
      03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 f3 c3 66 90
      48 83 ec 18 48 89 7c 24 08 e8
      RSP: 002b:00007ffd353cb958 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
      RAX: 0000000000000000 RBX: 000056017a88c348 RCX: 00007f5df907d664
      RDX: 00007f5df969d400 RSI: 00007f5de8f1ec90 RDI: 0000000000000006
      RBP: 00007f5df9681dc0 R08: 00007f5de8736410 R09: 000056017a9d2dd0
      R10: 000000000000000b R11: 0000000000000246 R12: 00007f5de899d7d0
      R13: 00007f5df96c4248 R14: 00007f5de8f1ecb0 R15: 000056017ae41308
      
      Allocated by task 4631:
      save_stack+0x19/0x80
      kasan_kmalloc.constprop.3+0xa0/0xd0
      alloc_uobj+0x71/0x230 [ib_uverbs]
      alloc_begin_fd_uobject+0x2e/0xc0 [ib_uverbs]
      rdma_alloc_begin_uobject+0x96/0x140 [ib_uverbs]
      ib_uverbs_run_method+0xdf0/0x1940 [ib_uverbs]
      ib_uverbs_cmd_verbs+0x57e/0xdb0 [ib_uverbs]
      ib_uverbs_ioctl+0x177/0x260 [ib_uverbs]
      do_vfs_ioctl+0x18f/0x1010
      ksys_ioctl+0x70/0x80
      __x64_sys_ioctl+0x6f/0xb0
      do_syscall_64+0x95/0x490
      entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 4631:
      save_stack+0x19/0x80
      __kasan_slab_free+0x11d/0x160
      slab_free_freelist_hook+0x67/0x1a0
      kfree+0xb9/0x2a0
      uverbs_close_fd+0x118/0x1c0 [ib_uverbs]
      devx_async_event_close+0x28a/0x480 [mlx5_ib]
      __fput+0x26a/0x7b0
      task_work_run+0x10d/0x180
      exit_to_usermode_loop+0x137/0x160
      do_syscall_64+0x3c7/0x490
      entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff888301e3cda8
      which belongs to the cache kmalloc-512 of size 512
      The buggy address is located 280 bytes inside of 512-byte region
      [ffff888301e3cda8, ffff888301e3cfa8)
      The buggy address belongs to the page:
      page:ffffea000c078e00 refcount:1 mapcount:0
      mapping:ffff888352811300 index:0x0 compound_mapcount: 0
      flags: 0x2fffff80010200(slab|head)
      raw: 002fffff80010200 ffffea000d152608 ffffea000c077808 ffff888352811300
      raw: 0000000000000000 0000000000250025 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      Memory state around the buggy address:
      ffff888301e3cd80: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb
      ffff888301e3ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff888301e3ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff888301e3cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff888301e3cf80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
      Disabling lock debugging due to kernel taint
      
      Cc: <stable@vger.kernel.org> # 5.2
      Fixes: 75973853 ("IB/mlx5: Enable subscription for device events over DEVX")
      Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
      Link: https://lore.kernel.org/r/20190808081538.28772-1-leon@kernel.org
      Signed-off-by: Doug Ledford <dledford@redhat.com>
  2. 07 Aug, 2019 3 commits
  3. 05 Aug, 2019 1 commit
  4. 04 Aug, 2019 10 commits
  5. 03 Aug, 2019 24 commits