Date: Mon, 20 Jun 2022 11:12:48 GMT
Message-Id: <202206201112.25KBCmvg079054@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Hans Petter Selasky
Subject: git: e212dffaae15 - stable/13 - ibcore: Fix use-after-free access in ucma_close()
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: hselasky
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: e212dffaae152cbb13f556c663a498ccf61c5889

The branch stable/13 has been updated by hselasky:

URL:
https://cgit.FreeBSD.org/src/commit/?id=e212dffaae152cbb13f556c663a498ccf61c5889 commit e212dffaae152cbb13f556c663a498ccf61c5889 Author: Hans Petter Selasky AuthorDate: 2022-06-13 14:55:14 +0000 Commit: Hans Petter Selasky CommitDate: 2022-06-20 11:08:39 +0000 ibcore: Fix use-after-free access in ucma_close() The error in ucma_create_id() left ctx in the list of contexts belong to ucma file descriptor. The attempt to close this file descriptor causes to use-after-free accesses while iterating over such list. Linux commit: ed65a4dc22083e73bac599ded6a262318cad7baf PR: 264650 Sponsored by: NVIDIA Networking (cherry picked from commit 66a0bc2105e43e54abfaa9f48b76c28371fa2d62) --- sys/ofed/drivers/infiniband/core/ib_ucma.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/ofed/drivers/infiniband/core/ib_ucma.c b/sys/ofed/drivers/infiniband/core/ib_ucma.c index 878e4d348234..0082c60f0b6c 100644 --- a/sys/ofed/drivers/infiniband/core/ib_ucma.c +++ b/sys/ofed/drivers/infiniband/core/ib_ucma.c @@ -508,6 +508,9 @@ err1: mutex_lock(&mut); idr_remove(&ctx_idr, ctx->id); mutex_unlock(&mut); + mutex_lock(&file->mut); + list_del(&ctx->list); + mutex_unlock(&file->mut); kfree(ctx); return ret; }
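
Review bot: the added list_del(&ctx->list) under err1 assumes ctx is already linked on the file's context list on every path that jumps to this label. The hunk does not show where ctx is linked, so please confirm that no goto err1 can run before the list insertion, since list_del on an entry that was never linked dereferences uninitialized next/prev pointers. A one-line comment above the new block stating that ctx was put on the file's list when it was allocated would make the pairing obvious to the next reader. Taking file->mut only after mut has been released, rather than nesting the two, avoids creating a lock-order dependency between them, and both removals complete before kfree(ctx), which is what removes the stale list entry the commit message describes.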