On Thu, Apr 22, 2021 at 01:18:09PM -0300, Jason Gunthorpe wrote:
> On Thu, Apr 22, 2021 at 05:58:18PM +0300, Leon Romanovsky wrote:
> > On Thu, Apr 22, 2021 at 10:02:18AM -0300, Jason Gunthorpe wrote:
> > > On Thu, Apr 22, 2021 at 04:01:20PM +0300, Leon Romanovsky wrote:
> > > > On Thu, Apr 22, 2021 at 09:51:35AM -0300, Jason Gunthorpe wrote:
> > > > > On Thu, Apr 22, 2021 at 03:44:55PM +0300, Shay Drory wrote:
> > > > > > On 4/22/2021 14:28, Jason Gunthorpe wrote:
> > > > > >
> > > > > > > On Sun, Apr 18, 2021 at 04:55:53PM +0300, Leon Romanovsky wrote:
> > > > > > > > From: Shay Drory <shayd@xxxxxxxxxx>
> > > > > > > >
> > > > > > > > rdma_listen() checks if device already attached to rdma_id_priv,
> > > > > > > > based on the response the its decide to what to listen, however
> > > > > > > > this is different when the listeners are canceled.
> > > > > > > >
> > > > > > > > This leads to a mismatch between rdma_listen() and cma_cancel_operation(),
> > > > > > > > and causes to bellow wild-memory-access. Fix it by aligning rdma_listen()
> > > > > > > > according to the cma_cancel_operation().
> > > > > > > So this is happening because the error unwind in rdma_bind_addr() is
> > > > > > > taking the exit path and calling cma_release_dev()?
> > > > > > >
> > > > > > > This allows rdma_listen() to be called with a bogus device pointer
> > > > > > > which precipitates this UAF during destroy.
> > > > > > >
> > > > > > > However, I think rdma_bind_addr() should not allow the bogus device
> > > > > > > pointer to leak out at all, since the ULP could see it. It really is
> > > > > > > invalid to have it present no matter what.
> > > > > > >
> > > > > > > This would make cma_release_dev() and _cma_attach_to_dev()
> > > > > > > symmetrical - what do you think?
> > > > > > >
> > > > > > > diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
> > > > > > > index 2dc302a83014ae..91f6d968b46f65 100644
> > > > > > > +++ b/drivers/infiniband/core/cma.c
> > > > > > > @@ -474,6 +474,7 @@ static void cma_release_dev(struct rdma_id_private *id_priv)
> > > > > > > list_del(&id_priv->list);
> > > > > > > cma_dev_put(id_priv->cma_dev);
> > > > > > > id_priv->cma_dev = NULL;
> > > > > > > + id_priv->id.device = NULL;
> > > > > > > if (id_priv->id.route.addr.dev_addr.sgid_attr) {
> > > > > > > rdma_put_gid_attr(id_priv->id.route.addr.dev_addr.sgid_attr);
> > > > > > > id_priv->id.route.addr.dev_addr.sgid_attr = NULL;
> > > > > >
> > > > > > I try that. this will break restrack_del() since restrack_del() is
> > > > > > using id_priv->id.device and is being called before restrack_del():
> > > > >
> > > > > Oh that is another bug, once cma_release_dev() is called there is no
> > > > > refcount protecting the id.device and any access to it is invalid.
> > > > >
> > > > > The order of rdma_restrack_del should be moved to be ahead of the
> > > > > cma_release_dev, and we also can't have a restrack without a cma_dev
> > > > > in the first place
> > > >
> > > > We have restrack per-cmd_id and not per-cma_dev.
> > >
> > > No, restrack has this:
> > >
> > > dev = res_to_dev(res);
> > > if (WARN_ON(!dev))
> > >
> > > And here dev will be NULL if cma_dev isn't set
> >
> > 127 static struct ib_device *res_to_dev(struct rdma_restrack_entry *res)
> > 128 {
> >
> > <...>
> >
> > 136 case RDMA_RESTRACK_CM_ID:
> > 137 return container_of(res, struct rdma_id_private,
> > 138 res)->id.device;
> > ^^^^^ it is not cma_dev
>
> The invariant is that
>
> priv.id.device == priv.cma_dev->device
>
> (this de-normalization of data exists only to allow priv to be in a
> private header)
>
> If cma_dev == NULL then id.device == NULL as cma_Dev was the thing
> preventing the pointer from being free'd.
Let's see what I can do here.
Thanks
>
> Jason
