iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
183a967ad1
linux/drivers/infiniband/hw/mlx5
History
George Kennedy 2ef422f063 IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF 
In the unlikely event that workqueue allocation fails and returns NULL in
mlx5_mkey_cache_init(), delete the call to
mlx5r_umr_resource_cleanup() (which frees the QP) in
mlx5_ib_stage_post_ib_reg_umr_init().  This will avoid attempted double
free of the same QP when __mlx5_ib_add() does its cleanup.

Resolves a splat:

   Syzkaller reported a UAF in ib_destroy_qp_user

   workqueue: Failed to create a rescuer kthread for wq "mkey_cache": -EINTR
   infiniband mlx5_0: mlx5_mkey_cache_init:981:(pid 1642):
   failed to create work queue
   infiniband mlx5_0: mlx5_ib_stage_post_ib_reg_umr_init:4075:(pid 1642):
   mr cache init failed -12
   ==================================================================
   BUG: KASAN: slab-use-after-free in ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073)
   Read of size 8 at addr ffff88810da310a8 by task repro_upstream/1642

   Call Trace:
   <TASK>
   kasan_report (mm/kasan/report.c:590)
   ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073)
   mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198)
   __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4178)
   mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402)
   ...
   </TASK>

   Allocated by task 1642:
   __kmalloc (./include/linux/kasan.h:198 mm/slab_common.c:1026
   mm/slab_common.c:1039)
   create_qp (./include/linux/slab.h:603 ./include/linux/slab.h:720
   ./include/rdma/ib_verbs.h:2795 drivers/infiniband/core/verbs.c:1209)
   ib_create_qp_kernel (drivers/infiniband/core/verbs.c:1347)
   mlx5r_umr_resource_init (drivers/infiniband/hw/mlx5/umr.c:164)
   mlx5_ib_stage_post_ib_reg_umr_init (drivers/infiniband/hw/mlx5/main.c:4070)
   __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4168)
   mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402)
   ...

   Freed by task 1642:
   __kmem_cache_free (mm/slub.c:1826 mm/slub.c:3809 mm/slub.c:3822)
   ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2112)
   mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198)
   mlx5_ib_stage_post_ib_reg_umr_init (drivers/infiniband/hw/mlx5/main.c:4076
   drivers/infiniband/hw/mlx5/main.c:4065)
   __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4168)
   mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402)
   ...

Fixes: 04876c12c1 ("RDMA/mlx5: Move init and cleanup of UMR to umr.c")
Link: https://lore.kernel.org/r/1698170518-4006-1-git-send-email-george.kennedy@oracle.com
Suggested-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2023-10-31 11:16:05 -03:00
..
ah.c
cmd.c RDMA/mlx5: Use query_special_contexts for mkeys 2023-02-17 16:22:23 -04:00
cmd.h RDMA/mlx5: Use query_special_contexts for mkeys 2023-02-17 16:22:23 -04:00
cong.c IB/mlx5: Extend debug control for CC parameters 2023-02-19 11:50:59 +02:00
counters.c IB/mlx5: Add HW counter called rx_dct_connect 2023-07-31 11:40:32 +03:00
counters.h
cq.c net/mlx5: Allocate completion EQs dynamically 2023-08-07 10:53:52 -07:00
devx.c net/mlx5: Allocate completion EQs dynamically 2023-08-07 10:53:52 -07:00
devx.h RDMA/mlx5: Attach ndescs to mlx5_ib_mkey 2021-10-19 14:42:53 +03:00
dm.c RDMA/mlx5: Support handling of modify-header pattern ICM area 2022-06-13 14:58:01 -07:00
dm.h
doorbell.c net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
fs.c RDMA/mlx5: Fix mutex unlocking on error flow for steering anchor creation 2023-09-26 12:29:40 +03:00
fs.h RDMA/mlx5: Create an indirect flow table for steering anchor 2023-06-11 11:25:34 +03:00
gsi.c net/mlx5: Lag, expose number of lag ports 2022-05-09 22:54:00 -07:00
ib_rep.c {net/RDMA}/mlx5: introduce lag_for_each_peer 2023-06-07 14:00:42 -07:00
ib_rep.h
ib_virt.c RDMA/mlx5: Delete useless module.h include 2022-01-28 13:03:12 -04:00
Kconfig
macsec.c RDMA/mlx5: Handles RoCE MACsec steering rules addition and deletion 2023-08-20 12:35:24 +03:00
macsec.h RDMA/mlx5: Handles RoCE MACsec steering rules addition and deletion 2023-08-20 12:35:24 +03:00
mad.c IB/mlx5: Expose XDR speed through MAD 2023-09-26 12:38:43 +03:00
main.c IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF 2023-10-31 11:16:05 -03:00
Makefile RDMA/mlx5: Implement MACsec gid addition and deletion 2023-08-20 12:35:24 +03:00
mem.c IB/mlx5: Remove duplicate header inclusion related to ODP 2022-08-23 11:22:13 +03:00
mlx5_ib.h RDMA/mlx5: Remove not-used cache disable flag 2023-10-02 14:32:44 +03:00
mr.c RDMA/mlx5: Fix mkey cache WQ flush 2023-10-31 10:57:49 -03:00
odp.c Merge mlx5-next into rdma.git for-next 2023-02-17 16:24:14 -04:00
qos.c
qp.c IB/mlx5: Fix rdma counter binding for RAW QP 2023-10-15 11:04:01 +03:00
qp.h RDMA/mlx5: Handle DCT QP logic separately from low level QP interface 2023-06-11 11:21:40 +03:00
qpc.c RDMA/mlx5: Return the firmware result upon destroying QP/RQ 2023-06-11 11:21:46 +03:00
restrack.c
restrack.h
srq_cmd.c
srq.c RDMA/mlx5: Use query_special_contexts for mkeys 2023-02-17 16:22:23 -04:00
srq.h
std_types.c
umr.c RDMA/mlx5: Implement mkeys management via LIFO queue 2023-09-26 12:36:18 +03:00
umr.h RDMA/mlx5: Allow relaxed ordering read in VFs and VMs 2023-04-16 13:29:26 +03:00
wr.c RDMA/mlx5: Use query_special_contexts for mkeys 2023-02-17 16:22:23 -04:00
wr.h RDMA/mlx5: Expose wqe posting helpers outside of wr.c 2022-04-25 11:53:00 -03:00