Patch "RDMA/siw: Fix a use after free in siw_alloc_mr" has been added to the 5.10-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    RDMA/siw: Fix a use after free in siw_alloc_mr

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rdma-siw-fix-a-use-after-free-in-siw_alloc_mr.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 44e801a4038e994371e0f7f36f97c33b08d670ac
Author: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
Date:   Sun Apr 25 18:16:47 2021 -0700

    RDMA/siw: Fix a use after free in siw_alloc_mr
    
    [ Upstream commit 3093ee182f01689b89e9f8797b321603e5de4f63 ]
    
    Our code analyzer reported a UAF.
    
    In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of
    siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via
    kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a
    freed object. After, the execution continue up to the err_out branch of
    siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).
    
    My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {}
    section, to avoid the uaf.
    
    Fixes: 2251334dcac9 ("rdma/siw: application buffer management")
    Link: https://lore.kernel.org/r/20210426011647.3561-1-lyl2019@xxxxxxxxxxxxxxxx
    Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
    Reviewed-by: Bernard Metzler <bmt@xxxxxxxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/infiniband/sw/siw/siw_mem.c b/drivers/infiniband/sw/siw/siw_mem.c
index 34a910cf0edb..61c17db70d65 100644
--- a/drivers/infiniband/sw/siw/siw_mem.c
+++ b/drivers/infiniband/sw/siw/siw_mem.c
@@ -106,8 +106,6 @@ int siw_mr_add_mem(struct siw_mr *mr, struct ib_pd *pd, void *mem_obj,
 	mem->perms = rights & IWARP_ACCESS_MASK;
 	kref_init(&mem->ref);
 
-	mr->mem = mem;
-
 	get_random_bytes(&next, 4);
 	next &= 0x00ffffff;
 
@@ -116,6 +114,8 @@ int siw_mr_add_mem(struct siw_mr *mr, struct ib_pd *pd, void *mem_obj,
 		kfree(mem);
 		return -ENOMEM;
 	}
+
+	mr->mem = mem;
 	/* Set the STag index part */
 	mem->stag = id << 8;
 	mr->base_mr.lkey = mr->base_mr.rkey = mem->stag;