Re: [PATCH rdma-next 2/3] RDMA/core: Fix check of device in rdma_listen()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Apr 22, 2021 at 03:44:55PM +0300, Shay Drory wrote:
> On 4/22/2021 14:28, Jason Gunthorpe wrote:
> 
> > On Sun, Apr 18, 2021 at 04:55:53PM +0300, Leon Romanovsky wrote:
> > > From: Shay Drory <shayd@xxxxxxxxxx>
> > > 
> > > rdma_listen() checks if device already attached to rdma_id_priv,
> > > based on the response the its decide to what to listen, however
> > > this is different when the listeners are canceled.
> > > 
> > > This leads to a mismatch between rdma_listen() and cma_cancel_operation(),
> > > and causes to bellow wild-memory-access. Fix it by aligning rdma_listen()
> > > according to the cma_cancel_operation().
> > So this is happening because the error unwind in rdma_bind_addr() is
> > taking the exit path and calling cma_release_dev()?
> > 
> > This allows rdma_listen() to be called with a bogus device pointer
> > which precipitates this UAF during destroy.
> > 
> > However, I think rdma_bind_addr() should not allow the bogus device
> > pointer to leak out at all, since the ULP could see it. It really is
> > invalid to have it present no matter what.
> > 
> > This would make cma_release_dev() and _cma_attach_to_dev()
> > symmetrical - what do you think?
> > 
> > diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
> > index 2dc302a83014ae..91f6d968b46f65 100644
> > +++ b/drivers/infiniband/core/cma.c
> > @@ -474,6 +474,7 @@ static void cma_release_dev(struct rdma_id_private *id_priv)
> >   	list_del(&id_priv->list);
> >   	cma_dev_put(id_priv->cma_dev);
> >   	id_priv->cma_dev = NULL;
> > +	id_priv->id.device = NULL;
> >   	if (id_priv->id.route.addr.dev_addr.sgid_attr) {
> >   		rdma_put_gid_attr(id_priv->id.route.addr.dev_addr.sgid_attr);
> >   		id_priv->id.route.addr.dev_addr.sgid_attr = NULL;
> 
> I try that. this will break restrack_del() since restrack_del() is
> using id_priv->id.device and is being called before restrack_del():

Oh that is another bug, once cma_release_dev() is called there is no
refcount protecting the id.device and any access to it is invalid.

The order of rdma_restrack_del should be moved to be ahead of the
cma_release_dev, and we also can't have a restrack without a cma_dev
in the first place

Jason



[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Photo]     [Yosemite News]     [Yosemite Photos]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux