From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Cc: Leon Romanovsky, Jason Gunthorpe, Thadeu Lima de Souza Cascardo
Subject: [SRU hwe-5.8 2/3] RDMA/ucma: Fix the locking of ctx->file
Date: Mon, 11 Oct 2021 19:08:18 -0300
Message-Id: <20211011220819.582548-9-cascardo@canonical.com>
In-Reply-To: <20211011220819.582548-1-cascardo@canonical.com>
X-Patchwork-Id: 1539525

From: Jason Gunthorpe

ctx->file is changed under the file->mut lock by ucma_migrate_id(), which is impossible to lock correctly. Instead change ctx->file under the handler_lock and ctx_table lock and revise all places touching ctx->file to use this locking when reading ctx->file.

Link: https://lore.kernel.org/r/20200818120526.702120-9-leon@kernel.org
Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe (backported from commit 09e328e47a695b0d346598f5d6593ee598e64885) [cascardo: commit 95fe51096b7adf1d1e7315c49c75e2f75f162584 moved the file locks from ucma_cleanup_mc_events callers to inside it, keep it out of the function] CVE-2020-36385 Signed-off-by: Thadeu Lima de Souza Cascardo --- drivers/infiniband/core/ucma.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c index ae3a1c6fa397..f4480e60074b 100644 --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -550,6 +550,7 @@ static void ucma_cleanup_mc_events(struct ucma_multicast *mc) { struct ucma_event *uevent, *tmp; + rdma_lock_handler(mc->ctx->cm_id); list_for_each_entry_safe(uevent, tmp, &mc->ctx->file->event_list, list) { if (uevent->mc != mc) continue; @@ -557,6 +558,7 @@ static void ucma_cleanup_mc_events(struct ucma_multicast *mc) list_del(&uevent->list); kfree(uevent); } + rdma_unlock_handler(mc->ctx->cm_id); } /* @@ -1587,7 +1589,7 @@ static ssize_t ucma_leave_multicast(struct ucma_file *file, mc = xa_load(&multicast_table, cmd.id); if (!mc) mc = ERR_PTR(-ENOENT); - else if (mc->ctx->file != file) + else if (READ_ONCE(mc->ctx->file) != file) mc = ERR_PTR(-EINVAL); else if (!refcount_inc_not_zero(&mc->ctx->ref)) mc = ERR_PTR(-ENXIO); @@ -1682,6 +1684,7 @@ static ssize_t ucma_migrate_id(struct ucma_file *new_file, goto file_put; } + rdma_lock_handler(ctx->cm_id); cur_file = ctx->file; if (cur_file == new_file) { mutex_lock(&cur_file->mut); @@ -1710,6 +1713,7 @@ static ssize_t ucma_migrate_id(struct ucma_file *new_file, &resp, sizeof(resp))) ret = -EFAULT; + rdma_unlock_handler(ctx->cm_id); ucma_put_ctx(ctx); file_put: fdput(f);
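
Review bot: in ucma_cleanup_mc_events() the new rdma_lock_handler(mc->ctx->cm_id) is taken inside the function, while the backport note says the file locks stay with the callers. If the callers hold file->mut around this call, the order here is file->mut then handler lock, the reverse of the ucma_migrate_id() hunk, which takes rdma_lock_handler(ctx->cm_id) and then mutex_lock(&cur_file->mut). Please confirm what the hwe-5.8 callers hold at this point and, if it is file->mut, take the handler lock in the callers ahead of it so both paths agree on one order. A short comment above the function naming the locks it expects would also help.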
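
Review bot: the check in ucma_leave_multicast(), READ_ONCE(mc->ctx->file) != file, reads ctx->file without either of the locks the commit message names, so the comparison can be stale by the time refcount_inc_not_zero(&mc->ctx->ref) runs on the next line. READ_ONCE only keeps the compiler from tearing or repeating the load. Suggest a comment at this line saying why a lockless comparison is sufficient here, and, since the store to ctx->file is not in the visible hunks, confirming whether it needs WRITE_ONCE to pair with this read.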
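
Review bot: in ucma_migrate_id() the lock added before cur_file = ctx->file is released only at the single rdma_unlock_handler(ctx->cm_id) placed before ucma_put_ctx(ctx), so every exit taken after the lock has to reach that line. The body of the cur_file == new_file branch and any later error path are cut off in the visible context, and a jump straight to file_put would leave the handler lock held; please confirm each goto between the two added lines lands above the unlock. The unlock also sits after the copy that sets ret = -EFAULT, so the handler lock is held across a user copy. If resp is fully populated before that copy, dropping the lock ahead of it would shorten the hold time.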