| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 5 Jun 2021 23:20:51 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: dledford@...hat.com, jgg@...pe.ca, leon@...nel.org,
shayd@...dia.com
Cc: linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org,
Pavel Skripkin <paskripkin@...il.com>, stable@...r.kernel.org
Subject: [PATCH] infiniband: core: fix memory leak
My local syzbot instance hit memory leak in
copy_process(). The problem was in unputted task
struct in _destroy_id().
Simple reproducer:
int main(void)
{
struct rdma_ucm_cmd_hdr *hdr;
struct rdma_ucm_create_id *cmd_id;
char cmd[sizeof(*hdr) + sizeof(*cmd_id)] = {0};
int fd;
hdr = (struct rdma_ucm_cmd_hdr *)cmd;
cmd_id = (struct rdma_ucm_create_id *) (cmd + sizeof(*hdr));
hdr->cmd = 0;
hdr->in = 0x18;
hdr->out = 0xfa00;
cmd_id->uid = 0x3;
cmd_id->response = 0x0;
cmd_id->ps = 0x106;
fd = open("/dev/infiniband/rdma_cm", O_WRONLY);
write(fd, cmd, sizeof(cmd));
}
Ftrace log:
ucma_open();
ucma_write() {
ucma_create_id() {
ucma_alloc_ctx();
rdma_create_user_id() {
rdma_restrack_new();
rdma_restrack_set_name() {
rdma_restrack_attach_task.part.0(); <--- task_struct getted
}
}
ucma_destroy_private_ctx() {
ucma_put_ctx();
rdma_destroy_id() {
_destroy_id() <--- id_priv freed
}
}
}
}
ucma_close();
>From previous log it's easy to undertand that
_destroy_id() is the last place, where task_struct
can be putted, because at the end of this function
id_priv is freed.
With this patch applied, above reproducer doesn't hit memory
leak anymore.
Fixes: e51060f08a61 ("IB: IP address based RDMA connection manager")
Cc: <stable@...r.kernel.org>
Signed-off-by: Pavel Skripkin <paskripkin@...il.com>
---
drivers/infiniband/core/cma.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index ab148a696c0c..2760352261b3 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -1874,6 +1874,7 @@ static void _destroy_id(struct rdma_id_private *id_priv,
kfree(id_priv->id.route.path_rec);
+ rdma_restrack_put(&id_priv->res);
put_net(id_priv->id.route.addr.dev_addr.net);
kfree(id_priv);
}
--
2.31.1
Powered by blists - more mailing lists