CVE-2022-48726

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/ucma: Protect mc during concurrent multicast leaves<br /> <br /> Partially revert the commit mentioned in the Fixes line to make sure that<br /> allocation and erasing multicast struct are locked.<br /> <br /> BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]<br /> BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579<br /> Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529<br /> CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br /> Call Trace:<br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106<br /> print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247<br /> __kasan_report mm/kasan/report.c:433 [inline]<br /> kasan_report.cold+0x83/0xdf mm/kasan/report.c:450<br /> ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]<br /> ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579<br /> ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614<br /> ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732<br /> vfs_write+0x28e/0xae0 fs/read_write.c:588<br /> ksys_write+0x1ee/0x250 fs/read_write.c:643<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> Currently the xarray search can touch a concurrently freeing mc as the<br /> xa_for_each() is not surrounded by any lock. Rather than hold the lock for<br /> a full scan hold it only for the effected items, which is usually an empty<br /> list.