From patchwork Mon Oct 11 22:08:15 2021
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1539522
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Cc: Leon Romanovsky, Jason Gunthorpe, Thadeu Lima de Souza Cascardo
Subject: [SRU Focal 2/3] RDMA/ucma: Fix the locking of ctx->file
Date: Mon, 11 Oct 2021 19:08:15 -0300
Message-Id: <20211011220819.582548-6-cascardo@canonical.com>
In-Reply-To: <20211011220819.582548-1-cascardo@canonical.com>
References: <20211011220819.582548-1-cascardo@canonical.com>

From: Jason Gunthorpe

ctx->file is changed under the file->mut lock by ucma_migrate_id(), which is
impossible to lock correctly. Instead change ctx->file under the
handler_lock and ctx_table lock and revise all places touching ctx->file
to use this locking when reading ctx->file.

Link: https://lore.kernel.org/r/20200818120526.702120-9-leon@kernel.org
Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe (backported from commit 09e328e47a695b0d346598f5d6593ee598e64885) [cascardo: commit 95fe51096b7adf1d1e7315c49c75e2f75f162584 moved the file locks from ucma_cleanup_mc_events callers to inside it, keep it out of the function] CVE-2020-36385 Signed-off-by: Thadeu Lima de Souza Cascardo --- drivers/infiniband/core/ucma.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c index 7ecb094dc7ad..0755a4111d8d 100644 --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -545,6 +545,7 @@ static void ucma_cleanup_mc_events(struct ucma_multicast *mc) { struct ucma_event *uevent, *tmp; + rdma_lock_handler(mc->ctx->cm_id); list_for_each_entry_safe(uevent, tmp, &mc->ctx->file->event_list, list) { if (uevent->mc != mc) continue; @@ -552,6 +553,7 @@ static void ucma_cleanup_mc_events(struct ucma_multicast *mc) list_del(&uevent->list); kfree(uevent); } + rdma_unlock_handler(mc->ctx->cm_id); } /* @@ -1548,7 +1550,7 @@ static ssize_t ucma_leave_multicast(struct ucma_file *file, mc = xa_load(&multicast_table, cmd.id); if (!mc) mc = ERR_PTR(-ENOENT); - else if (mc->ctx->file != file) + else if (READ_ONCE(mc->ctx->file) != file) mc = ERR_PTR(-EINVAL); else if (!atomic_inc_not_zero(&mc->ctx->ref)) mc = ERR_PTR(-ENXIO); @@ -1643,6 +1645,7 @@ static ssize_t ucma_migrate_id(struct ucma_file *new_file, goto file_put; } + rdma_lock_handler(ctx->cm_id); cur_file = ctx->file; if (cur_file == new_file) { mutex_lock(&cur_file->mut); @@ -1671,6 +1674,7 @@ static ssize_t ucma_migrate_id(struct ucma_file *new_file, &resp, sizeof(resp))) ret = -EFAULT; + rdma_unlock_handler(ctx->cm_id); ucma_put_ctx(ctx); file_put: fdput(f);
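Review bot: In ucma_cleanup_mc_events(), rdma_lock_handler(mc->ctx->cm_id) is now taken inside the function, and if the callers still hold file->mut at that point, as the backport note indicates, the order on this path is file->mut first and the handler lock second. The ucma_migrate_id() hunk takes rdma_lock_handler(ctx->cm_id) first and then mutex_lock(&cur_file->mut), which is the opposite order. Please confirm the two paths cannot deadlock against each other in the Focal tree, or take the handler lock in the callers ahead of file->mut so both paths agree, and add a comment above the function stating which locks the caller must already hold.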
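Review bot: The READ_ONCE(mc->ctx->file) in ucma_leave_multicast() marks an intentionally unlocked read, but nothing in the patch documents why a racy comparison is acceptable for this ownership check, and the store to ctx->file is not touched by any hunk. A one-line comment at the check explaining what happens if ctx->file changes right after the comparison, or a matching WRITE_ONCE on the store side, would make the intent verifiable against the commit message's claim that all readers of ctx->file now follow the new locking.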
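Review bot: In ucma_migrate_id(), the handler lock taken just before cur_file = ctx->file is not released until after the response copy whose tail is visible as "&resp, sizeof(resp))) ret = -EFAULT;", so it is held across a user-space access that can fault and sleep. Consider dropping it as soon as ctx->file has been switched and before the copy, and check that the cur_file == new_file branch also reaches rdma_unlock_handler(ctx->cm_id) rather than jumping past it. The early "goto file_put" before the lock is fine as shown, since the label sits after the unlock.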