In the Linux kernel, the following vulnerability has been resolved:
RDMA/cma: Do not change route.addr.src_addr outside state checks
If the state is not idle then resolve_prepare_src() should immediately fail and no change to global state should happen. However, it unconditionally overwrites the src_addr trying to build a temporary any address.
For instance, if the state is already RDMA_CM_LISTEN then this will corrupt the src_addr and would cause the test in cma_cancel_operation():
	if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)
to misbehave, which would manifest as this trace from syzkaller:
  BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26
  Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204

  CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:79 [inline]
   dump_stack+0x141/0x1d7 lib/dump_stack.c:120
   print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
   __kasan_report mm/kasan/report.c:399 [inline]
   kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
   __list_add_valid+0x93/0xa0 lib/list_debug.c:26
   __list_add include/linux/list.h:67 [inline]
   list_add_tail include/linux/list.h:100 [inline]
   cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline]
   rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751
   ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102
   ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732
   vfs_write+0x28e/0xa30 fs/read_write.c:603
   ksys_write+0x1ee/0x250 fs/read_write.c:658
   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
   entry_SYSCALL_64_after_hwframe+0x44/0xae
This indicates that an rdma_id_private was destroyed without doing cma_cancel_listens().
Instead of trying to re-use the src_addr memory to indirectly create an any address derived from the dst, build one explicitly on the stack and bind to that, as any other normal flow would do. rdma_bind_addr() will copy it over the src_addr once it knows the state is valid.
This is similar to commit bc0bdc5afaa7 ("RDMA/cma: Do not change route.addr.src_addr.ss_family").
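The ordering problem described above, as an added, constructed C model that is not the kernel's code: rdma_bind_addr_model() and the two resolve_prepare_src_* variants are simplified stand-ins for the real functions, and the address-family numbers are assumed. The model checks the invariant the fix restores: a resolve call rejected for bad state must leave the listening id's src_addr untouched.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of the rdma_id_private state machine (not kernel code). */
enum cma_state { RDMA_CM_IDLE, RDMA_CM_ADDR_BOUND, RDMA_CM_ADDR_QUERY, RDMA_CM_LISTEN };

struct sockaddr_model { unsigned short family; unsigned char addr[16]; };

struct id_priv {
    enum cma_state state;
    struct sockaddr_model src_addr;   /* stands in for route.addr.src_addr */
};

/* Stand-in for rdma_bind_addr(): the state check that must guard every write to src_addr. */
static int rdma_bind_addr_model(struct id_priv *p, const struct sockaddr_model *src)
{
    if (p->state != RDMA_CM_IDLE)
        return -EINVAL;
    p->src_addr = *src;               /* copied over only once the state is known valid */
    p->state = RDMA_CM_ADDR_BOUND;
    return 0;
}

/* Buggy shape: the "any" address is built inside the id's own storage before any check. */
static int resolve_prepare_src_buggy(struct id_priv *p, const struct sockaddr_model *dst)
{
    struct sockaddr_model *src = &p->src_addr;
    src->family = dst->family;        /* global state already changed if bind fails below */
    memset(src->addr, 0, sizeof src->addr);
    return rdma_bind_addr_model(p, src);
}

/* Fixed shape: the temporary any-address lives on the stack until the state check passes. */
static int resolve_prepare_src_fixed(struct id_priv *p, const struct sockaddr_model *dst)
{
    struct sockaddr_model zero_sock = { .family = dst->family };   /* addr bytes are zero */
    return rdma_bind_addr_model(p, &zero_sock);
}

/* True if a listening id's src_addr survives a resolve call that is (correctly) rejected. */
static bool listener_unchanged(int (*prepare)(struct id_priv *, const struct sockaddr_model *))
{
    struct id_priv p = { .state = RDMA_CM_LISTEN, .src_addr = { .family = 10 /* AF_INET6 */ } };
    struct sockaddr_model dst = { .family = 2 /* AF_INET */, .addr = { 10, 0, 0, 2 } };
    struct sockaddr_model before = p.src_addr;
    if (prepare(&p, &dst) != -EINVAL) /* both variants must reject the call */
        return false;
    return before.family == p.src_addr.family &&
           memcmp(before.addr, p.src_addr.addr, sizeof before.addr) == 0;
}
```

The buggy variant returns the same error as the fixed one, so the corruption is invisible to the caller; it only surfaces later, when a path like cma_cancel_operation() reads src_addr to decide whether cma_cancel_listens() has to run.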