lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20200304183551.GA7859@ziepe.ca>
Date:   Wed, 4 Mar 2020 14:35:51 -0400
From:   Jason Gunthorpe <jgg@...pe.ca>
To:     Bernard Metzler <bmt@...ich.ibm.com>
Cc:     dledford@...hat.com, kamalheib1@...il.com, krishna2@...lsio.com,
        linux-kernel@...r.kernel.org, linux-rdma@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH for-rc] RDMA/iwcm: Fix iwcm work deallocation

On Mon, Mar 02, 2020 at 07:16:14PM +0100, Bernard Metzler wrote:
> The dealloc_work_entries() function must update the
> work_free_list pointer while freeing its entries, since
> potentially called again on same list. A second iteration
> of the work list caused system crash. This happens, if
> work allocation fails during cma_iw_listen() and
> free_cm_id() tries to free the list again during cleanup.
> 
> Reported-by: syzbot+cb0c054eabfba4342146@...kaller.appspotmail.com
> Signed-off-by: Bernard Metzler <bmt@...ich.ibm.com>
> ---
>  drivers/infiniband/core/iwcm.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Applied to for-rc, please include Fixes lines in patches like this, I
added one
 
 diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
> index ade71823370f..da8adadf4755 100644
> --- a/drivers/infiniband/core/iwcm.c
> +++ b/drivers/infiniband/core/iwcm.c
> @@ -159,8 +159,10 @@ static void dealloc_work_entries(struct iwcm_id_private *cm_id_priv)
>  {
>  	struct list_head *e, *tmp;
>  
> -	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list)
> +	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) {
> +		list_del(e);
>  		kfree(list_entry(e, struct iwcm_work, free_list));

It would be nice if someone were to fix the use of the list macros in
this file to use the _entry_ versions

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ