From: "shaikh.kamal"
To: "shaikh.kamal" , Roland Dreier , linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: skhan@linuxfoundation.org, me@brighamcampbell.com, syzbot+a6ffe86390c8a6afc818@syzkaller.appspotmail.com
Subject: [PATCH] RDMA/ucma: Fix use-after-free in ucma_create_uevent
Date: Sun, 3 May 2026 16:21:25 +0530
Message-ID: <20260503105125.16368-1-shaikhkamal2012@gmail.com>

ucma_create_uevent() dereferences event->param.ud.private_data as a
struct ucma_multicast for multicast events. However, this pointer may
refer to memory that has already been freed, leading to a
use-after-free.

Fix this by avoiding dereferencing private_data for multicast events
and instead using ctx for uid and id, which has a well-defined
lifetime.

Tested by running the reproducer under KASAN with slub_debug enabled
for several hours with no crashes observed.

Reported-by: syzbot+a6ffe86390c8a6afc818@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a6ffe86390c8a6afc818
Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support")
Signed-off-by: shaikh.kamal
---
 drivers/infiniband/core/ucma.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 6e700b974033..8eef10352af7 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -270,10 +270,12 @@ static struct ucma_event *ucma_create_uevent(struct u= cma_context *ctx, switch (event->event) { case RDMA_CM_EVENT_MULTICAST_JOIN: case RDMA_CM_EVENT_MULTICAST_ERROR: - uevent->mc =3D (struct ucma_multicast *) - event->param.ud.private_data; - uevent->resp.uid =3D uevent->mc->uid; - uevent->resp.id =3D uevent->mc->id; + /* + * event->param.ud.private_data may point to a ucma_multicast + * that has already been freed, so use ctx instead. + */ + uevent->resp.uid =3D ctx->uid; + uevent->resp.id =3D ctx->id; break; default: uevent->resp.uid =3D ctx->uid; --=20 2.43.0
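Review bot: in the RDMA_CM_EVENT_MULTICAST_JOIN / RDMA_CM_EVENT_MULTICAST_ERROR arm, replacing `uevent->resp.uid = uevent->mc->uid;` and `uevent->resp.id = uevent->mc->id;` with ctx->uid / ctx->id changes what userspace receives for multicast events: resp.uid and resp.id now describe the rdma_cm context, not the multicast join, so the uid the caller supplied for that join is no longer reported and a reader that tells joins apart by uid/id cannot do so. The multicast arm also becomes identical to the default arm, which is a sign the fix is removing information rather than fixing the bug. The hunk further drops the `uevent->mc = (struct ucma_multicast *) event->param.ud.private_data;` assignment, so uevent->mc is never set for these events; anything else in ucma.c that identifies queued events by uevent->mc (for example to discard them when the multicast is left) needs checking against this change. The added comment says private_data "may point to a ucma_multicast that has already been freed": that is an ordering problem on the free side, and the fix belongs there, either by holding a reference on the ucma_multicast for as long as an event can still be created for it, or by removing such events before the object is freed. Suggest keeping the mc assignment and the mc->uid / mc->id reads and fixing the lifetime instead, and stating in the commit message which free path races with event creation.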
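The commit message above describes a pointer to an already-freed ucma_multicast reaching ucma_create_uevent. What follows is an added user-space model of that lifetime problem, not code from the kernel or from this patch: it shows two orderings that avoid the dereference-after-free while still reporting the multicast's own uid and id (the queued event holds its own reference on the object, or the queued events are purged before the object is freed). Every name in it (mc_t, ev_t, mc_get, mc_put, ev_queue, ev_consume, ev_purge, scenario) is hypothetical; the uid/id fields only mirror the two fields read in the hunk.

```c
/*
 * Added example, not kernel code: a user-space model of the lifetime bug
 * behind the ucma_create_uevent use-after-free. A queued event carries a
 * pointer to a multicast object that its owner may free before the event is
 * read. Two safe orderings are shown: the queued event holds its own reference,
 * or leaving purges queued events before the object is freed. All names here
 * (mc_t, ev_t, mc_get, mc_put, ev_queue, ev_purge, scenario) are hypothetical.
 */
#include <stdint.h>
#include <stdlib.h>

typedef struct mc {
	int refs;      /* reference count; single-threaded model, no locking */
	uint64_t uid;  /* caller-supplied cookie, like ucma_multicast::uid */
	uint32_t id;   /* kernel-assigned id, like ucma_multicast::id */
} mc_t;

typedef struct ev {
	struct ev *next;
	mc_t *mc;      /* reference owned by the queued event */
	uint64_t uid;  /* copied at creation: what the reader receives */
	uint32_t id;
} ev_t;

static int freed_count;  /* counts real frees so the scenario can check them */
static mc_t *mc_get(mc_t *mc) { mc->refs++; return mc; }
static void mc_put(mc_t *mc)
{
	if (--mc->refs == 0) {
		freed_count++;
		free(mc);
	}
}

/* Producer: the event takes its own reference, so mc cannot vanish under it. */
static void ev_queue(ev_t **head, mc_t *mc)
{
	ev_t *e = calloc(1, sizeof(*e));
	e->mc = mc_get(mc);
	e->uid = mc->uid;
	e->id = mc->id;
	e->next = *head;
	*head = e;
}

/* Consumer: hands out the copied fields and drops the event's reference. */
static int ev_consume(ev_t **head, uint64_t *uid, uint32_t *id)
{
	ev_t *e = *head;
	if (!e)
		return 0;
	*head = e->next;
	*uid = e->uid;
	*id = e->id;
	mc_put(e->mc);
	free(e);
	return 1;
}

/* Alternative: unlink every queued event that refers to mc before it is freed. */
static int ev_purge(ev_t **head, mc_t *mc)
{
	ev_t **pp = head;
	int n = 0;
	while (*pp) {
		ev_t *e = *pp;
		if (e->mc != mc) { pp = &e->next; continue; }
		*pp = e->next;
		mc_put(e->mc);
		free(e);
		n++;
	}
	return n;
}

/*
 * Join, queue an event, leave before the event is read, then read it.
 * purge_on_leave=0: the event's own reference keeps mc alive until consumed.
 * purge_on_leave=1: leaving drops the queued event, so nothing is delivered.
 * Returns 0 when mc was freed exactly once and the reader saw the right thing.
 */
static int scenario(int purge_on_leave)
{
	ev_t *q = NULL;
	uint64_t uid = 0; uint32_t id = 0;
	mc_t *mc = calloc(1, sizeof(*mc));
	*mc = (mc_t){ .refs = 1, .uid = 0x1234, .id = 7 };
	freed_count = 0;
	ev_queue(&q, mc);
	if (purge_on_leave && ev_purge(&q, mc) != 1)
		return -1;
	mc_put(mc);                         /* owner leaves the group */
	if (freed_count != purge_on_leave)  /* still alive iff an event refs it */
		return -2;
	if (purge_on_leave)
		return ev_consume(&q, &uid, &id) == 0 && freed_count == 1 ? 0 : -3;
	if (!ev_consume(&q, &uid, &id) || freed_count != 1)
		return -4;
	return (uid == 0x1234 && id == 7) ? 0 : -5;
}
```

Both orderings keep the object's real uid and id in the delivered event; the difference is only whether a join event that is already queued when the caller leaves is still delivered (reference held) or silently dropped (purged). Either is a correct fix for the dereference; which one the ucma code should use depends on what userspace expects after leaving, which the patch as posted does not discuss.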