Message-ID: <1669099673-12213-1-git-send-email-wangyufen@huawei.com>
Date:   Tue, 22 Nov 2022 14:47:53 +0800
From:   Wang Yufen <wangyufen@...wei.com>
To:     <jgg@...pe.ca>, <leon@...nel.org>, <markzhang@...dia.com>,
        <haakon.bugge@...cle.com>, <mbloch@...dia.com>
CC:     <sean.hefty@...el.com>, <rolandd@...co.com>,
        <linux-rdma@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        Wang Yufen <wangyufen@...wei.com>
Subject: [PATCH] infiniband: cma: fix the dev refcnt leak

Syzbot reports the following issue:
  infiniband syj1: RDMA CMA: cma_listen_on_dev, error -98
  unregister_netdevice: waiting for vlan0 to become free. Usage count = 2

The causes are as follows:

rdma_listen()
  rdma_bind_addr()
    cma_acquire_dev_by_src_ip()
      cma_attach_to_dev()
        _cma_attach_to_dev()
          cma_dev_get()

  cma_check_port()
  <--The return value is -98, goto err

err:
<-- The error handling here is missing the operation of cma_release_dev.

To fix, add cma_release_dev to error handling.

Fixes: e51060f08a61 ("IB: IP address based RDMA connection manager")
Reported-by: syzbot+5e70d01ee8985ae62a3b@...kaller.appspotmail.com
Signed-off-by: Wang Yufen <wangyufen@...wei.com>
---
 drivers/infiniband/core/cma.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index 26d1772..3a50a8e 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -4049,6 +4049,9 @@ int rdma_listen(struct rdma_cm_id *id, int backlog)
 	return 0;
 err:
 	id_priv->backlog = 0;
+	if (id_priv->cma_dev)
+		cma_release_dev(id_priv);
+
 	/*
 	 * All the failure paths that lead here will not allow the req_handler's
 	 * to have run.
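
Review bot: The new check under err: tests only whether id_priv->cma_dev is set, not whether this rdma_listen() call was the one that attached it. The commit message describes the reference being taken through rdma_bind_addr() called from rdma_listen(), but err: is a shared label, so if an id can arrive here with a device that was already attached before the call, cma_release_dev() would drop a reference this function never took and trade the leak for an unbalanced put. Consider recording whether the bind happened inside this call (a local flag set after the rdma_bind_addr() succeeds) and releasing only in that case, and state in the commit message which callers can reach err: with cma_dev already set.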
-- 
1.8.3.1
