Re: [PATCH rdma-next 2/3] RDMA/core: Fix check of device in rdma_listen()

Leon Romanovsky <leon@xxxxxxxxxx> · Thu, 22 Apr 2021 16:01:20 +0300

On Thu, Apr 22, 2021 at 09:51:35AM -0300, Jason Gunthorpe wrote:
> On Thu, Apr 22, 2021 at 03:44:55PM +0300, Shay Drory wrote:
> > On 4/22/2021 14:28, Jason Gunthorpe wrote:
> > 
> > > On Sun, Apr 18, 2021 at 04:55:53PM +0300, Leon Romanovsky wrote:
> > > > From: Shay Drory <shayd@xxxxxxxxxx>
> > > > 
> > > > rdma_listen() checks if device already attached to rdma_id_priv,
> > > > based on the response the its decide to what to listen, however
> > > > this is different when the listeners are canceled.
> > > > 
> > > > This leads to a mismatch between rdma_listen() and cma_cancel_operation(),
> > > > and causes to bellow wild-memory-access. Fix it by aligning rdma_listen()
> > > > according to the cma_cancel_operation().
> > > So this is happening because the error unwind in rdma_bind_addr() is
> > > taking the exit path and calling cma_release_dev()?
> > > 
> > > This allows rdma_listen() to be called with a bogus device pointer
> > > which precipitates this UAF during destroy.
> > > 
> > > However, I think rdma_bind_addr() should not allow the bogus device
> > > pointer to leak out at all, since the ULP could see it. It really is
> > > invalid to have it present no matter what.
> > > 
> > > This would make cma_release_dev() and _cma_attach_to_dev()
> > > symmetrical - what do you think?
> > > 
> > > diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
> > > index 2dc302a83014ae..91f6d968b46f65 100644
> > > +++ b/drivers/infiniband/core/cma.c
> > > @@ -474,6 +474,7 @@ static void cma_release_dev(struct rdma_id_private *id_priv)
> > >   	list_del(&id_priv->list);
> > >   	cma_dev_put(id_priv->cma_dev);
> > >   	id_priv->cma_dev = NULL;
> > > +	id_priv->id.device = NULL;
> > >   	if (id_priv->id.route.addr.dev_addr.sgid_attr) {
> > >   		rdma_put_gid_attr(id_priv->id.route.addr.dev_addr.sgid_attr);
> > >   		id_priv->id.route.addr.dev_addr.sgid_attr = NULL;
> > 
> > I try that. this will break restrack_del() since restrack_del() is
> > using id_priv->id.device and is being called before restrack_del():
> 
> Oh that is another bug, once cma_release_dev() is called there is no
> refcount protecting the id.device and any access to it is invalid.
> 
> The order of rdma_restrack_del should be moved to be ahead of the
> cma_release_dev, and we also can't have a restrack without a cma_dev
> in the first place

We have restrack per-cmd_id and not per-cma_dev.

> 
> Jason